Yesterday, California Attorney General Kamala Harris continued her efforts to promote privacy best practices in the mobile app ecosystem by issuing a number of recommendations in her report, “Privacy on the Go.” The report encourages app developers, platform providers, ad networks, OS developers, and even mobile carriers to incorporate privacy by design into their products and services and provides detailed suggestions on how to do so. Importantly, the report notes that its recommendations in many cases go beyond what’s currently required by law; they are, for the most part, best practices.
The report goes on to make a number of specific recommendations that build on this privacy-by-design premise. After the jump, we discuss a few that struck us as particularly noteworthy.
Transparency and Choice
- Provide “enhanced measures” if the app collects “sensitive information” or “personally identifiable data” that are “not needed for basic functionality.” The report defines “personally identifiable data” and “sensitive information” more broadly than these terms are usually defined. “Personally identifiable data” is “any data linked to a person or persistently linked to a mobile device,” while “sensitive information” is “personally identifiable data about which users are likely to be concerned,” including “precise geo-location data; financial and medical information; passwords; stored information such as contacts, photos and videos; and children’s information.” Where the app collects this kind of information for purposes other than basic functionality, the report recommends either (1) providing a “special notice” (i.e., an alert that appears at the time the data is collected) or (2) a combination of a “short privacy statement” (i.e., a statement that highlights the “unexpected practices”) and privacy controls that enable the person to make choices about those unexpected practices.
Security and Accountability
- Use encryption for personally identifiable data in transit—and in storage. Encrypting certain types of PII in transit has become a common practice thanks to encryption requirements in Massachusetts and Nevada laws; encryption of stored data, however, is significantly less common. Given the breadth of the term “personally identifiable data,” many companies may have difficulty complying with this recommendation as it applies to both transmission and storage. The recommendation that ad networks use encryption for the transmission of permanent unique device identifiers seems particularly unlikely to be adopted.
The report has already drawn criticism from ad industry groups, which have faulted the report for proposing “unworkable” solutions that could create confusion in the industry.