Seemingly every company today offers a smartphone app.  What information does your company’s app collect?  Does it copy the user’s address book and, if so, why?  And, importantly, has your company’s privacy policy been updated to disclose these facts to users?  Where?

Businesses should ensure that their mobile app privacy practices are reflected in a privacy policy.  It is also advisable, where possible, to strive for consistency between website and mobile app policies.  Unless the mobile app has its own readily available and conspicuous privacy policy, regulators will likely deem, as they have in cases to date, that the online privacy policy applies.

Pursuant to a 2012 agreement between the California Attorney General and the eight leading online app store platforms, the platforms must provide a means by which a prospective user may review the privacy practices of the app before it is downloaded, either through a statement or a hyperlink, if the app makes that available.  (Note that the California Attorney General has taken the position that California state law requires apps to have a privacy policy.)  Consistent with this, a company should review the accuracy of the disclosures made by the app itself and at the app store platform from which it is available for download.  And it should consider whether different versions of its apps collect, use, or share information differently, both by operating system and by iteration of the app.

Accuracy is vital.  Both federal and state regulators have brought enforcement actions against mobile app developers and owners for allegedly misleading statements in their privacy policies regarding the mobile app.  For example, last year the FTC charged Goldenshores Technologies, which offered a flashlight app, with failing to disclose in its privacy policy or end user license agreement that the app collected geo-location data and shared that information with third parties.  Last month, the FTC charged Snapchat with similar privacy violations, including sharing of geolocation information and collection of contacts information, both without notice to users.

To help companies address privacy issues arising from their mobile apps, a number of industry groups and trade associations have developed codes of conduct or best practices.  Once again the California Attorney General has expressed a view, publishing a set of “Privacy on the Go” recommendations in January 2013.  Many industry groups and think tanks have chimed in with recommended best practices as well.  All of these are sources of good advice.  Remember, however, that if a company pledges to adhere to a particular code, it should ensure that it does in fact live up to those recommendations.

In addition, in 2013 a multistakeholder group convened by the National Telecommunications and Information Administration released a draft code of conduct regarding the transparency of privacy practices in mobile apps.  That code, which will most directly affect app developers because they actually write the app software, provides that an app must present, before it is downloaded, certain specified information regarding whether certain categories of personal data are collected by the app and, if so, whether those data are shared and with whom.  That code is currently undergoing evaluation by interested parties.
