PSA: California's New App Privacy Policy Requirement Just Made Life Harder For Developers Everywhere, Here's What You Need To Know

agreePrivacy is a good thing in the digital world - you'll get no argument from me. I don't like my data floating around in cyberspace without my consent, but I also realize that much of what makes the internet (and computing generally) so great is that I can use my own judgment to decide who I will and will not trust with my information.

Things like app permissions, which have been a part of the Android package installation process for quite some time, are nice, but let's face it: 95% of us don't read them. And if we do, we may not even be sure what those permissions really entail, or how the app will use those permissions to gather information, or even what kind of information will actually be collected.

California's Attorney General decided he didn't like this, particularly after the whole Path debacle on iOS. So, he got Google, Apple, Microsoft, Amazon, and other mobile app providers together for a round-table discussion on the privacy of personal information gathered by apps. The end result of that meeting-of-the-minds was this agreement. The parts of importance to pull out are the following:

  1. Where applicable law so requires, an application ("app") that collects personal data from a user must conspicuously post a privacy policy or other statement describing the app's privacy practices that provides clear and complete information regarding how personal data is collected, used and shared.
  2. ... the Mobile Apps Market companies will include, in the application submission process for new or update apps, either (a) an optional data field for a hyperlink to the app's privacy policy or a statement describing the app's privacy practices or (b) an optional data field for the text of the app's privacy policy or a statement describing the app's privacy practices.

Joint Statement of Principles

This agreement was drawn up based on (and will be enforced through) a piece of legislation that went into effect in the state of California back in 2004, called the Online Privacy Protection Act of 2003.

Basically, the act requires any online business collecting personal information to disclose the collection, the type of information collected, and any third parties it might be shared with. Here's what qualifies as "personal information:"

  1. A first and last name.
  2. A home or other physical address, including street name and name of a city or town.
  3. An email address.
  4. A telephone number.
  5. A Social Security number.
  6. Any other identifier that permits the physical or online contacting of a specific individual.
  7. Information concerning a user that the website or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.

CA. Business and Professions Code Sec. 22577

Essentially, if your app is collecting and storing any kind of unique identifier for individual users, you now have to disclose that in a privacy policy. In addition, your app's privacy policy must also disclose, specifically, the following information:

  • Identify the categories of personally identifiable information that the operator collects through the website or online service about individual consumers who use or visit its site or service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information;
  • Describe the process by which an individual consumer may review and request changes to any personally identifiable information collected, if the operator provides such an option to consumers;
  • Describe the process by which the operator will notify consumers who use or visit its site or service of material changes to the policy; and
  • Identify its effective date

CA. Business and Professions Code Sec. 22577

The 2nd bullet is optional, if you give users an opt-out method, you need to disclose that in your privacy policy. But basically, this all means every app developer out there collecting any kind of personally identifiable information for any purpose, shared or not, must draft a privacy policy for their application. This means lawyers, which means spending money in order to get in compliance.

Now, it's possible Google may provide a draft privacy policy that is sort of a "fill in the blank," or an interactive system which allows developers to disclose to Google all the requisite information about the data their app collects, and generate a suitable generic privacy policy - but somehow I'm not so sure this is how it will play out. More likely, developers will note a new text entry or hyperlink field for a "Privacy Policy" when submitting or updating an app, and the field will be optional (in the event your app collects no personal data).

Drafting your own policy is certainly an option, but if you're a part time developer or a one-man (or woman) development team, you may not know exactly how to describe the data your app collects in a legally sufficient way. You may not know if it qualifies as "personal information." You may not know how much you need to disclose about how it is used in order to be in compliance. You also may find yourself at the wrong end of an argument on what constitutes "collection." It could all get very messy, very quickly.

In fact, it's entirely unclear to me how today's agreement with the California AG meshes with the language of the applicable statute - the statute says nothing about disclosing how information is used, merely what information is collected and who it is shared with. Yet, the AG's agreement clearly says that the policy must be one that "provides clear and complete information regarding how personal data is collected, used and shared." Talk about confusing.

Oh, and violating this little requirement? Not a good idea unless your bank account is well-padded:

Any violation of this division by any person, except as otherwise provided, is a misdemeanor. Each offense shall be punished by a fine not to exceed five thousand dollars ($5,000), or imprisonment not exceeding one year in a county jail, or both the fine and imprisonment.

CA. Business and Professions Code Sec. 22577

It appears that a "violation" is merely the failure to post a compliant privacy policy within 30 days of a complaint (Google will have to provide a mechanism for users to complain about an app's privacy policy under the joint agreement), and will not accrue for each user who downloads the allegedly offending app. However, the existence of this statute in conjunction with the new joint agreement could also open developers up to more easily asserted civil suits alleging various tort causes of action, such as negligence. There's also the fact that many developers publish more than one app, which means multiple violations could ensue. It's not exactly something to be excited about.

It's unclear when the agreement will exactly go into effect, but the parties involved have pledged to take steps to implement it over the next 6 months. So, if you're a developer, expect to be hearing from Google about this relatively soon (if you haven't already). And to clarify - you don't need to be a CA resident for this law to apply to you, it applies to all app developers who make their applications available to the US and have at least one download from a user in the state of California (this is pretty normal for any internet law, though).

What do consumers get out of all this? Privacy policies - that 99% of them will never read, but that developers will now have to publish. I'm not saying no disclosure at all is good, but when you get the government involved, it's rarely a sign that things are about to get simpler for anyone. There are better, easier ways to give users concise and understandable information about data being collected from them, without having to write a 1000-word privacy policy that no one will read, and even if they did, that they probably wouldn't understand very well (thank legal language for that).
So, let's hope Google is planning on helping developers through this, rather than simply placing this obligation on them to come up with a privacy policy out of thin air. Or worse - having to pay a lawyer to do it for them.

Source: California Office of the Attorney General Via AndroidPolice