TrustArc Blog

Moving Privacy onto the Map

December 21, 2012

Joanne McNabb
Director of Privacy Education and Policy | Office of the Attorney General | California Department of Justice

I attended a health privacy conference recently and was surprised at how much mobile dominated the conversation, both in sessions and during breaks. Privacy officers in healthcare organizations are struggling to balance the benefits of easy, real-time smartphone consultations among docs with appropriate privacy controls. Privacy officers’ Bring Your Own Device challenge is exacerbated by the difficulty in determining what’s going on in the mobile space: many apps still don’t provide privacy policies.

Of course, I may have mobile tunnel vision, since I’ve been working intensively on mobile privacy for the past several months. As have many in the technology and privacy communities, who are building the thousand or so new apps that come onto the market each day, developing corporate policies on the use of mobile devices, or participating in the laboratory of democracy that is the National Telecommunications and Information Administration multistakeholder process on mobile app transparency.

As innovators in Silicon Valley and elsewhere are building out the mobile ecosystem, Attorney General Kamala Harris has seized this watershed moment to encourage them to build in privacy. This encouragement is taking several forms: enforcing privacy laws, empowering consumers with information, and educating businesses in best practices.

Our enforcement actions began not with a bang, but a tweet (“Fabulous app, @UnitedAirlines, but where is your app’s #privacy policy? http://1.usa.gov/SWGCTm” @kamalaharris, Oct. 12). Since then approximately 100 of the most popular free apps have received a letter letting them know that we couldn’t find their privacy policy and giving them 30 days to come into compliance with the California Online Privacy Protection Act or tell us why they think the law doesn’t apply.

Our intention, of course, is to bring apps into compliance and to improve privacy practices in the mobile space. Preparing a privacy policy requires developers to think about – become aware of – their potential and actual data practices, including the practices they inherit from Software Development Kits and libraries. That’s a first step and an important one. From there, decisions have to be made. And only then can the actual drafting of the policy begin.

We want to help developers think through the privacy decision-making process. To that end, we’ve been working on a roadmap, a best practices guide on mobile privacy which we will release soon. We also plan to offer some training sessions for app developers in the new year.

I recognize that while I enjoy reading privacy policies, many people do not. And yet consumers are concerned about the privacy practices of apps. A recent study from the Pew Center on the Internet & American Life found that more than half of mobile app users uninstalled or decided not to install an app because of concerns about its privacy practices. We have some suggestions, and we look to others with a stake in the app economy to come up with privacy innovations to make apps not only useful, convenient, and fun, but also privacy-respectful.

So what is my advice to companies developing mobile apps? IANAL, but I think it would be wise to start mapping your way to a privacy policy now. Don’t wait for a letter.