Today the California Attorney General released "Privacy on the Go," [pdf] a report of privacy recommendations for players in the smartphone ecosystem focused on mobile app developers. These guidelines continue a push from the Attorney General to extend privacy protections from the online world onto the smaller screens of our mobile devices, kicked off by an agreement last year to incorporate app privacy policies into the six largest mobile "app stores."
EFF applauds this important step forward, and congratulates the California Attorney General on a thorough and clearly written explanation of the importance of mobile privacy and how developers can deliver. It's true that as technology changes, the specific needs and guidelines for companies will need to adapt. We could well see a time when these principles do not adequately protect the rights and needs of consumers. However, right now these principles represent a huge step forward — going beyond existing law in a way that improves transparency, accountability, and choice for users of mobile devices.
From the report:
"With their expanding functionality, mobile devices are subject to the privacy risks of the online world and to some that are unique to the mobile sphere. Their small screen size makes communicating privacy practices and choices to consumers especially challenging. Consumers care about mobile privacy: a recent survey found that over half of Americans had uninstalled or decided not to install an app because of concerns about its privacy practices."
This report provides recommendations that go above and beyond the California Online Privacy Protection Act (OPPA). In that sense, application developers that follow these guidelines will be providing more privacy protection to their users than existing law requires. As the report lays out, there's a good market reason to go that extra mile: users are increasingly concerned about their privacy when installing mobile apps, which has allowed different developers to compete on privacy protections.
The recommendations advocate the sensible "surprise minimization framework," collecting only the data users would expect an application to need and providing special notices whenever it goes beyond those limits.
It's encouraging to see more support for the principles we put forth last year in our Mobile User Privacy Bill of Rights. "Privacy on the Go" acknowledges that the mobile app industry is still in the early stages of development, so privacy practices may not be as well established as in more mature fields. Still, these recommendations are well worth reading, and promise to push the field forward if taken to heart.
UPDATE: Representatives from the ad industry have responded with this letter to the Attorney General's office. They express concerns that these guidelines do not reflect "broad industry consensus" and are "unworkable." These claims are especially cynical given that the ad industry is pushing standards it has developed without consulting other stakeholders. For the reasons outlined above, we disagree.