California AG Gives App Developers 30 Days To Post Privacy Notice 108
Trailrunner7 writes "California Attorney General Kamala D. Harris today announced a crackdown on mobile application developers and companies that haven't posted privacy policies, at least where users can easily find them. The attorney general is giving recipients 30 days 'to conspicuously post a privacy policy within their app that informs users of what personally identifiable information about them is being collected and what will be done with that private information,' according to a prepared statement. A sample letter defines the issue at hand. 'An operator of a mobile application ("app") that uses the Internet to collect PII is an "online service" within the meaning of CalOPPA. An app's commercial operator must therefore conspicuously post its privacy policy in a means that is reasonably accessible to the consumer. Having a Web site with the applicable privacy policy conspicuously posted may be adequate, but only if a link to that Web site is "reasonably accessible" to the user within the app.'"
Open source privacy policy (Score:5, Interesting)
Instead of attaching a sample compliance letter, why didn't the AG attach a sample privacy policy and open source it so that developers can use it?
Pasting in a generic document is much more likely to happen than all those app developers running out and hiring lawyers, so she will either get lower compliance or shoddier privacy policies.
Is it too much to ask that government take the lead in this case? I can't imagine it costs the AG anything, since that office hires a staff of lawyers.
Is this guy serious? (Score:5, Interesting)
Does this guy expect app developers from other states to comply with the laws of California? What about developers from other countries?
Re:Open source privacy policy (Score:4, Interesting)
This happens anyway. I have to fight this battle every time I build an app that collects personal information. Every single time in four years of developing apps, I have been provided with the privacy policy for their website, that specifically describes things that are only applicable to their website, that doesn't account for their mobile app at all. I've got a current project hanging at the moment where we've chased them for a real privacy policy about half a dozen times. The rest of the app is finished, we're still waiting for the privacy policy, weeks later. If it wasn't for us insisting, the app would be live with a meaningless privacy policy they don't follow, and I'm certain other app developers aren't as insistent as us.
Re:Encourage them to standardize (Score:4, Interesting)
A privacy policy shouldn't just be a checkbox on a compliance procedure. Like any policy, it should only be the result of careful consideration. Yes, eventually many developers will come to broadly the same conclusions, but the process of writing (and verifying) the policy conveys the importance it should have. The privacy policy is effectively a promise of what your app will or won't do, and if that promise is made just to save time, it likely won't mean anything to the person making it.
Sure, there could be a Creative Commons-like system, where developers pick and choose what options they include. My concern is that by having an easy-to-make policy, the policy is also easy to forget. When a later version adds a new feature or advertisements, how likely is it that the long-forgotten privacy policy will be updated to match? If a legally-bulletproof blanket-permission policy can be made cheaply and easily, why not just apply that to all apps, regardless of the actual capabilities of the program?