PRIVACY ON THE GO - Attorney General Of California


PRIVACY ON THE GO
RECOMMENDATIONS FOR THE MOBILE ECOSYSTEM
January 2013
Kamala D. Harris, Attorney General
California Department of Justice

Table of Contents

Message from the Attorney General ........ i
Executive Summary ........ 1
I. Introduction ........ 3
II. Recommendations for App Developers ........ 7
III. Recommendations for App Platform Providers ........ 14
IV. Recommendations for Advertising Networks ........ 15
V. Recommendations for Others ........ 16
Appendix: California Online Privacy Protection Act ........ 17
Notes ........ 20

Message from the Attorney General

California is the epicenter of modern innovation. Whether in the information technology sector, the entertainment industry, or the development of sustainable energy, the technologies that we create are transforming the world. California has proudly led these innovations, not just by producing new technologies, but also by ensuring that these innovations are used responsibly. In California, we have some of the strongest consumer protection laws in the country. While it is easy to conceive of innovation and regulation as mutually exclusive, California is proof that we can do both. We can innovate responsibly.

The world has gone mobile. Today, 85 percent of American adults own a cell phone and over half of them use their phones to access the Internet. The mobile app marketplace is also booming with more than 1,600 new mobile apps being introduced every day. These apps allow us to do everything from streaming movies to hailing a cab to viewing our own X-ray and ultrasound images.

Along with the many wonderful capabilities these apps offer, we remain mindful that the mobile environment also poses uncharted privacy challenges, such as the difficulty of providing consumers with meaningful information about privacy choices on small screens and the many players who may have access to sensitive user information. These are challenges that we must confront and that we must resolve in a way that appropriately protects privacy while not unduly stifling innovation. As Attorney General, I am committed to ensuring that this balance is maintained.

Last year, we took a first step in addressing these challenges with a Joint Statement of Principles that was adopted by the leading operators of mobile application platforms. That agreement improves consumer privacy protections and is designed to help bring mobile apps in compliance with the California Online Privacy Protection Act. As a result of the app platform companies’ implementation of the principles, consumers can now review an app’s privacy policy in the app store, before downloading the app.

We are now offering this set of privacy practice recommendations to assist app developers, and others, in considering privacy early in the development process. We have arrived at these recommendations after consulting a broad spectrum of stakeholders: mobile carriers, device manufacturers, operating system developers, app developers, app platform providers, mobile ad networks, security and privacy professionals, technologists, academics, and privacy advocates. We are grateful for their comments and look forward to working with all stakeholders in promoting and adopting these recommendations. It is my hope that our recommendations along with continued private-public collaborations will contribute to improving privacy practices in the mobile marketplace.

Sincerely,
Attorney General Kamala D. Harris

This document is for informational purposes and should not be construed as legal advice or as policy of the State of California. The document may be copied, provided that (1) the meaning of the copied text is not changed or misrepresented, (2) credit is given to the California Department of Justice, and (3) all copies are distributed free of charge.

Executive Summary

The pocket computers we carry with us – our cell phones, tablets and such – not only allow us to entertain ourselves, but with nearly a million applications available today, they also offer a variety of other capabilities. Mobile applications (apps) allow us not just to read books, play games, listen to music, and take photos and videos, but also to monitor our heart rate, start the car remotely on a dark night, find a nearby restaurant, and pay for purchases on-the-spot.

With their expanding functionality, mobile devices are subject to the privacy risks of the online world and to some that are unique to the mobile sphere. Their small screen size makes communicating privacy practices and choices to consumers especially challenging. Consumers care about mobile privacy: a recent survey found that over half of Americans had uninstalled or decided not to install an app because of concerns about its privacy practices.[1]

As part of a larger initiative aimed at improving privacy protections in the mobile sphere, the California Attorney General began by forging an agreement with the major app platform companies: Amazon, Apple, Google, Hewlett-Packard, Microsoft, Research In Motion, and later Facebook.[2] These app platform companies agreed to principles designed to improve privacy protections in the mobile environment and to bring the industry in line with California law requiring mobile apps that collect personal information to have a privacy policy. The principles include making an app’s privacy policy available to consumers on the app platform, before they download the app.

The mobile app industry is growing fast, but it is still in the early stages of development, with practitioners who are not all alert to privacy implications and how to address them. To help educate the industry and promote privacy best practices, the Attorney General’s Privacy Enforcement and Protection Unit has prepared Privacy on the Go: Recommendations for the Mobile Ecosystem. The recommendations, which in many places offer greater protection than afforded by existing law, are intended to encourage app developers and other players in the mobile sphere to consider privacy at the outset of the design process.

Recognizing that the legally required general privacy policy is not always the most effective way to get consumers’ attention, Privacy on the Go recommends a “surprise minimization” approach. This approach means supplementing the general privacy policy with enhanced measures to alert users and give them control over data practices that are not related to an app’s basic functionality or that involve sensitive information.

[1] Boyles, Jan Lauren, Aaron Smith, Mary Madden, Privacy and Data Management on Mobile Devices. Pew Internet & American Life Project, September 5, 2012, .aspx.
[2] See ngthen-privacy.

Highlights of Recommendations

For App Developers
- Start with a data checklist to review the personally identifiable data your app could collect and use it to make decisions on your privacy practices.
- Avoid or limit collecting personally identifiable data not needed for your app’s basic functionality.
- Develop a privacy policy that is clear, accurate, and conspicuously accessible to users and potential users.
- Use enhanced measures – “special notices” or the combination of a short privacy statement and privacy controls – to draw users’ attention to data practices that may be unexpected and to enable them to make meaningful choices.

For App Platform Providers
- Make app privacy policies accessible from the app platform so that they may be reviewed before a user downloads an app.
- Use the platform to educate users on mobile privacy.

For Mobile Ad Networks
- Avoid using out-of-app ads that are delivered by modifying browser settings or placing icons on the mobile desktop.
- Have a privacy policy and provide it to the app developers who will enable the delivery of targeted ads through your network.
- Move away from the use of interchangeable device-specific identifiers and transition to app-specific or temporary device identifiers.

For Operating System Developers
- Develop global privacy settings that allow users to control the data and device features accessible to apps.

For Mobile Carriers
- Leverage your ongoing relationship with mobile customers to educate them on mobile privacy and particularly on children’s privacy.

I. Introduction

The Movement to Mobile

Mobile devices are integral to modern life and their use is growing rapidly. Today, 85 percent of American adults have a cell phone, 45 percent a smart phone, 61 percent a laptop, 25 percent a tablet computer, and 18 percent an e-book reader. Over half of adult cell phone owners use the Internet on their phones, twice the rate in 2009. And nearly one third of cell owners report that their phone is the primary, or only, way they access the Internet.[1]

The ever-expanding capabilities of mobile devices have created an exploding market for applications (apps) that allow us not just to read books, play games, listen to music, and take photos and videos, but also to monitor our heart rate, start the car remotely on a dark night, find a nearby restaurant, and pay for purchases on-the-spot. Recent reports estimate that there are more than a million apps available on the primary mobile platforms, and more than 1,600 new apps are added daily.[2]

Clearly, many consumers find value in mobile apps and are eager to try new ones as they are released. But many of these same consumers are also concerned about privacy. A recent study found that more than half of mobile app users had uninstalled or decided not to install an app because of concerns about its privacy practices.[3] Addressing these concerns is essential to protect consumers and to foster trust and confidence in this market.

Mobile Privacy Issues

Our smart phones and other mobile devices are pocket computers. They now have the power and functionality of desktop computers – and the privacy and security risks inherent to the Internet. Like our desktop and laptop computers, our mobile devices may contain, or are capable of accessing, large amounts of personal information: contact information of our friends and associates, family photos and videos, and our web browsing history, among other details. And like personal computers, smart phones and other mobile devices are targets for malware and spyware.[4]

These always-on, always-on-us devices pose additional privacy challenges that are unique to the mobile space. Mobile devices may store types of user information not usually found on personal computers, such as telephone call logs, text messages, and a history of our location. Mobile devices and apps are also leading to new forms and combinations of user and device-related data that may pose new risks to users’ privacy and security.

Another challenge is the devices’ small screens, which make the effective communication of privacy practices and user choices difficult. Furthermore, although the app economy is thriving, the mobile app industry is in a relatively early development stage, with developers focusing on getting new products to market as quickly as possible, sometimes without adequate consideration of privacy. Recent studies, for example, have found

that many mobile apps did not provide users with privacy policy statements at all.[5] This represents not just a failure in transparency, but it also suggests a lack of attention to the apps’ privacy practices.

In an important step to strengthen the privacy protections for users of mobile applications, the California Attorney General in early 2012 announced a Joint Statement of Principles, endorsed by the companies whose platforms comprise the majority of the mobile app market (Amazon, Apple, Facebook, Google, Hewlett-Packard, Microsoft, and Research In Motion). The principles are intended to ensure that mobile apps comply with applicable privacy laws such as the California Online Privacy Protection Act, and include the conspicuous posting of a privacy policy by mobile apps when required by law, a means to make the policy available from the app platform before downloading, a way for users to report non-compliant apps to the platform provider, a process to respond to such reports, and a pledge to further work with the Attorney General on best practices for mobile privacy.[6] As of October 2012, all the app store companies who joined the agreement reported that they had implemented the principles.

The agreement with the platform providers has already had an impact on privacy practices. A June 2012 study found that the percentage of the most popular apps with some form of access to a privacy policy improved significantly since their similar study in September 2011. In just eight months, free apps on the Apple App Store platform with a privacy policy doubled, from 40 percent to 84 percent, and those on the Google Play platform increased from 70 percent to 76 percent.[7]

Recommended Practices

The Attorney General is committed to increasing compliance with California’s privacy laws. In July 2012, the Attorney General created the Privacy Enforcement and Protection Unit, with the mission of protecting the inalienable right to privacy conferred by the California Constitution. The Privacy Unit enforces state and federal privacy laws, and develops programs to educate consumers and businesses on privacy rights and best practices. Privacy on the Go is part of the effort to encourage businesses to adopt privacy best practices.

Several respected organizations have recently issued privacy principles and policies for the mobile industry.[8] The shared themes of these sets of principles have informed our recommended practices: transparency about data practices, limits on the collection and retention of data, meaningful choices for users, security, and accountability of all industry actors for privacy.

We offer these privacy practice recommendations to assist the mobile ecosystem in the ongoing efforts to develop privacy standards. Our hope is that privacy respectful practices such as those we are recommending here will be adopted by app developers and others, enabling consumers to make informed choices from the vast array of mobile apps while maintaining the level of privacy control they desire.

Our recommendations, which in many places offer greater protection than afforded by existing law, are intended to encourage all players in the mobile marketplace to consider privacy implications at the outset of the design process. They are also intended to encourage the alignment of architectural and functional decisions

with the widely accepted Fair Information Practice Principles (FIPPs). The FIPPs form the basis for many privacy codes and laws in different parts of the world, including the federal Privacy Act of 1974 and the similar California Information Practices Act of 1977.

Surprise Minimization

The basic approach recommended here is to minimize surprises to users from unexpected privacy practices. An obvious way to avoid such unpleasant surprises is to avoid collecting personally identifiable data from users that are not needed for an app’s basic functionality.

Another important step is to make an app’s general privacy policy easy to understand and readily available before a mobile app is downloaded. It is widely recognized, however, that in order to make meaningful choices, consumers need clearer, shorter notices of certain privacy practices.[11] This is particularly true in the small-screen mobile environment. Our recommended approach is to supplement the legally required general privacy policy with enhanced measures to alert users and give them control over data practices that are not related to an app’s basic functionality or that involve sensitive information.

Like many actors in the mobile ecosystem, the Attorney General is also participating in the multi-stakeholder process facilitated by the National Telecommunications and Information Administration (NTIA) to develop an enforceable code of conduct on mobile app transparency.[10] While our recommendations engage a broader range of mobile privacy issues than the NTIA is expected to address at this time, we hope that this document will be useful in the ongoing NTIA process.

Such enhanced notice and control might be provided through “special notices,” delivered in context and just-in-time. For example, operating systems that use location data deliver a notice just before collecting the data and give users an opportunity to allow or prevent the practice. Another way to achieve the same end is to make readily available from within an app both a short privacy statement highlighting potentially unexpected practices, and privacy controls that allow users to make, review, and change their privacy choices.

Shared Accountability

We are addressing these initial recommendations primarily to app developers, but we include some recommendations to other actors in the ecosystem.

Protecting consumer privacy is a team sport. The decisions and actions of many players, operating individually and jointly, determine privacy outcomes for users. Hardware manufacturers, operating system developers, mobile telecommunications carriers, advertising networks, and mobile app developers all play a part, and their collaboration is crucial to enabling consumers to enjoy mobile apps without having to sacrifice their privacy.

By offering consumers greater transparency and control over how their information is collected and used in the mobile ecosystem, the industry will build the trust that is critical for the app market to flourish.

Key Terms

The following definitions are for key terms as they are used in this document.

General privacy policy is a comprehensive statement of a company’s or organization’s policies and practices related to an application, covering the accessing, collecting, using, disclosing, sharing, and otherwise handling of personally identifiable data.

Personally identifiable data are any data linked to a person or persistently linked to a mobile device: data that can identify a person via personal information or a device via a unique identifier. Included are user-entered data, as well as automatically collected data.

Privacy controls are settings available within an app or an operating system that allow users to make or revise choices offered in the general privacy policy about the collection of their personally identifiable data.

Sensitive information is personally identifiable data about which users are likely to be concerned, such as precise geo-location; financial and medical information; passwords; stored information such as contacts, photos, and videos; and children’s information.

Short privacy statement is a privacy policy designed to be read on a mobile device, highlighting data practices that involve sensitive information or are likely to be unexpected because they involve data not required for an app’s basic functionality.

Special notice is a timely, contextual notice that alerts users to a data practice that is likely to be unexpected because it involves sensitive information or data not required for an app’s basic functionality.

Acknowledgements

In developing our recommendations we benefited from the advice of a broad spectrum of stakeholders: mobile carriers, device manufacturers, operating system developers, app developers, app platform providers, mobile ad networks, security and privacy professionals, technologists, academics, and privacy advocates. Their comments and contributions are greatly appreciated.

II. Recommendations for App Developers

The app economy in the U.S. is estimated to account for 466,000 jobs, up from zero in 2007 when the iPhone was introduced.[12] The burgeoning mobile app industry is primarily made up of small businesses, often individual developers, whose newly formed industry associations have expressed a commitment to respect the privacy of their users.[13] We offer these recommendations to help in the development of privacy standards for the mobile app industry.

In this section, we discuss ways that developers can build privacy into their apps. We begin by encouraging the use of a data checklist, which can be used in making decisions about privacy practices, in designing an app, and in generating privacy notices and statements. We go on to discuss certain practices that are intended to minimize unpleasant surprises for users, and we offer recommendations on the general privacy policy and on enhanced privacy measures to supplement it.

Decision Path for Building Privacy into Apps

1. Decide what personally identifiable data your app needs for its basic functions.
2. Decide whether you will collect any non-essential data or “sensitive information.”
3. Decide on your data use, sharing, retention, and security practices.
4. Decide on your need for enhanced measures. If needed, decide whether to use “special notices” or the combination of a short privacy statement and privacy controls.
5. Prepare a statement of your general privacy policy, covering your data practices including any enhanced measures.

Start with a Data Checklist

The most efficient way to build privacy into an app is to consider it at the outset of the development process. App developers should also consider privacy when making updates in technology and business practices.

As a first step, create a checklist to assess your app’s potential collection, use, and disclosure of personally identifiable data. The checklist will facilitate design and privacy practice decisions that reduce risks for both you and your users. A checklist is also useful in preparing a general privacy policy, special notices, and privacy controls.

Consider the Data

Consider the personally identifiable data[14] your app may collect, use, or disclose to third parties. You should also consider the data collection and use practices of any third-party software (such as libraries or SDKs) used in your app. This may require testing, as well as reading about the third-party software’s data collection practices.[15]

Types or categories of personally identifiable data include the following:
- Unique device identifier
- Geo-location (GPS, WiFi, user-entered)
- Mobile phone number
- Email address
- User’s name
- Text messages or email
- Call logs
- Contacts/address book
- Financial and payment information
- Health and medical information
- Photos or videos
- Web browsing history
- Apps downloaded or used

Create a Checklist

Use a checklist or matrix to record the types or categories of personally identifiable data collected and answer the following questions for each type of data:
- Is the data type necessary for your app’s basic functionality (that is, within the reasonably expected context of the app’s functions as described to users)?
- Is the data type necessary for business reasons (such as billing)?
- How will you use the data?
- Will it be necessary to store data off the device, on your servers?
- How long will you need to store the data on your servers?
- Will you share the data with third parties (such as ad networks, analytics companies, service providers)? If so, with whom will you share it?
- How will third parties use the data?
- Who in your organization will have access to user data?
- Is your app directed to or likely to be used by children under the age of 13?
- What parts of the mobile device do you have permissions to access? Can you provide users with the ability to modify permissions?
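The checklist above and the decision path from the start of this section can be turned into a small review script. The following Python is an added example and is not part of the Attorney General's document or of any project it describes: each checklist row records the answers to the checklist questions for one data type, and the decision path is applied to derive whether that data should be avoided, needs an enhanced measure (a special notice, or a short privacy statement with privacy controls), whether users must be given a control over it, and what the general privacy policy has to disclose. The mapping of the document's sensitive-information categories onto checklist labels, the field names, and the sample checklist for a hypothetical restaurant-finder app are all assumptions constructed for the example.

```python
"""Checklist-driven decision path for an app's personally identifiable data.

Added example (not from the Attorney General's document). The sensitive
category set, field names and sample checklist are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Categories the document defines as "sensitive information", mapped to the
# checklist labels used below (the mapping itself is an assumption).
SENSITIVE_TYPES = {
    "precise geo-location",
    "financial and payment information",
    "health and medical information",
    "passwords",
    "contacts/address book",
    "photos or videos",
    "children's information",
}


@dataclass
class ChecklistRow:
    """One row of the data checklist: a data type and the answers to the
    checklist questions about it."""
    data_type: str
    needed_for_basic_function: bool   # within the app's reasonably expected context
    needed_for_business: bool         # e.g. billing
    stored_on_servers: bool
    retention_days: Optional[int] = None   # None: no defined retention period
    shared_with: List[str] = field(default_factory=list)


@dataclass
class Decision:
    data_type: str
    action: str             # "avoid", "enhanced-measure" or "general-policy"
    user_control: bool      # a privacy control / opt-out must be offered
    disclosures: List[str]  # statements the general privacy policy must make


def decide(row: ChecklistRow) -> Decision:
    """Apply the decision path to one checklist row."""
    sensitive = row.data_type in SENSITIVE_TYPES
    unexpected = not row.needed_for_basic_function   # not part of basic functionality

    disclosures = [f"collects {row.data_type}"]
    if row.shared_with:
        disclosures.append(f"shares {row.data_type} with: {', '.join(row.shared_with)}")
    if row.stored_on_servers:
        period = f"{row.retention_days} days" if row.retention_days is not None else "an undefined period"
        disclosures.append(f"stores {row.data_type} on servers for {period}")

    if unexpected and not row.needed_for_business:
        action = "avoid"              # no functional or business need: do not collect
    elif unexpected or sensitive:
        action = "enhanced-measure"   # special notice, or short statement plus controls
    else:
        action = "general-policy"     # expected and non-sensitive: general policy suffices

    # Users get control over any data used for purposes other than basic functions.
    return Decision(row.data_type, action, user_control=unexpected, disclosures=disclosures)


def review(rows: List[ChecklistRow], directed_to_children: bool = False) -> Tuple[List[Decision], List[str]]:
    """Run the decision path over a whole checklist and collect review flags."""
    decisions = [decide(r) for r in rows]
    flags = []
    if directed_to_children:
        flags.append("app directed to children under 13: check additional federal obligations")
    for row, d in zip(rows, decisions):
        if row.stored_on_servers and row.retention_days is None:
            flags.append(f"{row.data_type}: retention period on servers is undefined")
        if d.action == "enhanced-measure":
            flags.append(f"{d.data_type}: add a special notice, or a short privacy statement with privacy controls")
        if d.action == "avoid":
            flags.append(f"{d.data_type}: no basic-function or business need recorded; avoid collecting")
    return decisions, flags


# Constructed sample checklist for a hypothetical restaurant-finder app.
SAMPLE_CHECKLIST = [
    ChecklistRow("email address", True, True, True, 365),
    ChecklistRow("precise geo-location", True, False, False),
    ChecklistRow("contacts/address book", False, False, True, 30, ["analytics provider"]),
    ChecklistRow("unique device identifier", False, True, True, None, ["ad network"]),
]

if __name__ == "__main__":
    decisions, flags = review(SAMPLE_CHECKLIST)
    for d in decisions:
        print(f"{d.data_type:28} {d.action:17} control={d.user_control}")
        for line in d.disclosures:
            print("    policy:", line)
    for f in flags:
        print("flag:", f)
```

Running the script on the sample checklist shows the three outcomes side by side: the email address is expected and non-sensitive, so the general policy suffices; precise geo-location is needed for the basic function but sensitive, so it gets an enhanced measure without a mandatory opt-out; the address book has neither a functional nor a business need and is flagged for avoidance; and the device identifier, collected only for advertising, needs both an enhanced measure and a user control, with its undefined server retention flagged for the retention decision.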

Privacy Practices

Once you have used a checklist to consider all the personally identifiable data that your app could collect, you are ready to make decisions about your privacy practices. These decisions include what data you will collect, how you will use it, how long you will retain it, with whom you will share it, how you will secure it, and what choices you will give your users about their data.

Be Transparent
- Make your privacy practices available to users before the app is downloaded and any data is collected. You can accomplish this by making your general privacy policy available from the app platform.
- Make your general privacy policy readily accessible from within the app.
- In addition, use enhanced measures to draw users’ attention to data practices that may be unexpected or that involve sensitive information.
- Keep your privacy policy communications up-to-date in reflecting your actual data handling practices.

Limit Data Collection
- Avoid or minimize the collection of personally identifiable data for uses not related to your app’s basic functionality, and limit the retention of such data to the period necessary to support the intended function or to meet legal requirements.
- Avoid or limit the collection of sensitive information.
- If your app is directed to children under the age of 13 or if you know that you are collecting personal information from children under the age of 13, you may have additional obligations under federal law.[16]
- Use an app-specific or other non-persistent device identifier rather than a persistent, globally unique identifier.
- Give users control over the collection of any personally identifiable data used for purposes other than the app’s basic functions.
  - The default settings should be privacy protective.
  - You may want to explain the consequences of not allowing the collection of the data.

Limit Data Retention
- Do not retain data that can be used to identify a user or device beyond the time period necessary to complete the function for which the data were collected or beyond what was disclosed to the user.
- Adopt procedures for deleting personally identifiable user data that you no longer need.

Give Users Access
- Develop mechanisms to give users access to the personally identifiable data that the app collects and retains about them.
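The recommendation to use an app-specific or temporary identifier instead of a persistent, globally unique one is easier to appreciate with the linkage risk made concrete. The Python below is an added example, not code from the Attorney General's document or from any platform it names: it contrasts a persistent identifier derived from a constructed "hardware serial" (including the common but ineffective practice of hashing it) with a random, user-resettable app-specific identifier and an HMAC-rotated temporary identifier, and then checks which records two unrelated apps on the same device could join. The `AppIdentity` class, the daily rotation period, and the sample records are assumptions made for the demonstration.

```python
"""Device identifiers: persistent and global versus app-specific and temporary.

Added example (not from the Attorney General's document). The AppIdentity
class, the rotation period and the sample records are constructed assumptions.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional


def persistent_device_id(hardware_serial: str) -> str:
    """A globally unique identifier derived from the device. Hashing does not
    make it non-identifying: every party that hashes the same serial obtains
    the same value, so the hash is exactly as interchangeable as the serial."""
    return hashlib.sha256(hardware_serial.encode()).hexdigest()


class AppIdentity:
    """Identifier state a single app keeps in its own private storage
    (constructed for this example; a real app would persist it on the device)."""

    def __init__(self) -> None:
        self.reset()

    def reset(self) -> None:
        """Generate a fresh app-specific identifier. Exposing this to the user
        makes the identifier resettable, which a hardware serial never is."""
        # Random, so no other app or server can compute it from the device.
        self.app_id = secrets.token_hex(16)
        # Secret used only to derive short-lived identifiers; never leaves the app.
        self._rotation_key = secrets.token_bytes(32)

    def temporary_id(self, now: Optional[float] = None, period_seconds: int = 86400) -> str:
        """A temporary identifier that is stable within one period (one day by
        default) and unlinkable across periods without the rotation key."""
        t = time.time() if now is None else now
        period = int(t // period_seconds)
        mac = hmac.new(self._rotation_key, str(period).encode(), hashlib.sha256)
        return mac.hexdigest()[:32]


def linkable_ids(records_a, records_b):
    """Identifiers present in both data sets, i.e. the rows two parties could
    join on; records are (identifier, payload) tuples."""
    return {i for i, _ in records_a} & {i for i, _ in records_b}


def demo(hardware_serial: str = "SN-0000-CONSTRUCTED") -> dict:
    """Compare cross-app linkability under the two identifier schemes."""
    # Two unrelated apps (or the ad SDKs inside them) on the same device.
    app_a, app_b = AppIdentity(), AppIdentity()

    # Scheme 1: both apps report the persistent device identifier.
    persistent_a = [(persistent_device_id(hardware_serial), "restaurant searches")]
    persistent_b = [(persistent_device_id(hardware_serial), "health readings")]

    # Scheme 2: each app reports only its own app-specific identifier.
    specific_a = [(app_a.app_id, "restaurant searches")]
    specific_b = [(app_b.app_id, "health readings")]

    return {
        "persistent_linkable": len(linkable_ids(persistent_a, persistent_b)),
        "app_specific_linkable": len(linkable_ids(specific_a, specific_b)),
    }


if __name__ == "__main__":
    print(demo())
```

Under the persistent scheme the two data sets share one identifier, so the restaurant searches and the health readings can be tied to the same person by anyone holding both sets; under the app-specific scheme nothing is shared, and a user who resets the app identifier severs even the within-app history. The temporary identifier covers the case where short-lived linkage is genuinely needed (a session or a day of analytics) without creating a permanent key.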

Use Security Safeguards

Use security safeguards to protect personally identifiable data from unauthorized access, use, disclosure, modification, or destruction. Safeguards should include, but not be limited to, the following:
- Limit access to personally identified user data by those inside your organization to a need-to-know basis.
- Use encryption in the transit and storage of personally identifiable data.
- If you collect payment card information, comply with the Payment Card Industry Data Security Standard.[17]
- Work with others in the ecosystem to ensure the application of appropriate security measures to protect personally identifiable data.

Be Accountable
- You are accountable for complying with applicable laws and with your general privacy policy and any privacy notices you provide.
- Make someone in your organization responsible for reviewing your general privacy policy whenever the app is updated or your business practices change. This person should also maintain an archive of previous versions of the policy, confirm your rules for limiting internal access to personally identifiable user data, act as the point of contact for privacy questions and comments, and stay informed of new privacy laws and regulations.
- Ensure that all who work in your organization receive training in privacy obligations and in your own policies and practices. Such training should be provided at least annually and to new employees as they are hired.
- In addition to state and federal privacy laws, international jurisdictions have data protection laws that may apply to the data collection practices of your app.

General Privacy Policy

When you have decided on the privacy practices you will use in your app, you are ready to describe them in a general privacy policy. The policy should provide a comprehensive overview of your practices, and should comply with legal requirements for such policies.[18] The following recommendations are intended to make your general privacy policy statement more effective and meaningful in providing transparency about your data practices.

Make It Easy to Find
- Make the privacy policy conspicuously accessible to users and potential users.[19]
- Post or link the policy on the app platform page, to make it available to users before the app is downloaded.[20]
- Link to the policy within the app (for example, on controls/settings page). Consider hosting the privacy policy in the browser to facilitate updates in case your practices change.[21]

Make It Easy to Read
- Make the privacy policy clear and understandable by using plain language and a format that is readable on a mobile device.
- One format is a layered notice that highlights the most relevant privacy issues.[22]
- Another format is a grid or “nutrition label for privacy” that displays your privacy practices by data type.[23]
- Graphics or icons can help users to easily recognize privacy practices and settings. Privacy icons will be most effective if they are widely used and consumer comprehension is supported by an awareness campaign.[24]

Describe Your Practices

The privacy policy should describe your practices regarding the collection, use, sharing, disclosure, and retention of personally identifiable data, including at least the following items:
- Whether your app, or a third party, collects payment information for in-app purchases.
- The categories of third parties with whom the app may share personally identifiable data.[26] Such third parties include advertising networks and analytics providers. Provide a link to third parties’ privacy policy statements, where available.
- The choices a user has regarding the collection, use, and sharing of user information, with instructions on how to exercise those choices.
- The process for a user to review and request corrections to his or her personally identifiable information maintained by the app, if available.[27]
- A means for users to contact the app developer with questions or concerns.
- The effective date of the privacy policy and the process for notifying users of material ch
