California AG Gives App Developers 30 Days To Post Privacy Notice 108
Trailrunner7 writes "California Attorney General Kamala D. Harris today announced a crackdown on mobile application developers and companies that haven't posted privacy policies, at least where users can easily find them. The attorney general is giving recipients 30 days 'to conspicuously post a privacy policy within their app that informs users of what personally identifiable information about them is being collected and what will be done with that private information,' according to a prepared statement. A sample letter defines the issue at hand. 'An operator of a mobile application ("app") that uses the Internet to collect PII is an "online service" within the meaning of CalOPPA. An app's commercial operator must therefore conspicuously post its privacy policy in a means that is reasonably accessible to the consumer. Having a Web site with the applicable privacy policy conspicuously posted may be adequate, but only if a link to that Web site is "reasonably accessible" to the user within the app.'"
Mobile (Score:3)
Why treat mobile apps as a special case? All software applications, client-side or web based should be treated the same way.
Re: (Score:2)
Not sure, but I guess that the reason is that you have a special chapter in your lawbooks regarding mobile phones, and a separate one regarding the internet?
Even though the mobile apps are essentially just a piece of software, it needs to be put into the right lawbook to have an effect in the right way. Bureaucracy, you know.
There was a time when it was easy to distinguish between a phone and a computer, and completely different laws applied. That has changed now, but the lawbooks may still lag behind a lit
Re: (Score:2)
You could guess that, or you could RTFA -- or even RTFS -- and see that the law applies to all "online services", and the mobile apps that have been the subject of the recent round of notifications were singled out not because they were "mobile apps", but because they were online services within the meaning of the law and weren't following the rules
Re:Mobile (Score:4, Informative)
Why treat mobile apps as a special case? All software applications, client-side or web based should be treated the same way.
They aren't treated as special cases. The rules apply to any online applications, which includes pretty much all mobile apps. It's just that mobile app makers have been very poor at following the rules, likely because so many of them are small fly-by-night companies that don't have a legal department telling them what they are supposed to be doing. So 100 companies get notices that they need to have privacy policies posted, it gets splashed all over the news, and hopefully this will wake the others up to the fact that they need to be doing this just like the big boys.
Re: (Score:2)
Why treat mobile apps as a special case? All software applications, client-side or web based should be treated the same way.
Because everybody* has a smartphone.
* "that matters"
RTFS:Mobile apps are not treated as a special case (Score:2)
They aren't. The law, as explained in TFS, applies to all "online services".
Open source privacy policy (Score:5, Interesting)
Instead of attaching a sample compliance letter, why didn't the AG attach a sample privacy policy and open source it so that developers can use it?
Pasting in a generic document is much more likely to happen than all those app developers running out and hiring lawyers, so she will either get lower compliance or shoddier privacy policies.
Is it too much to ask that government take the lead in this case? I can't imagine it costs the AG anything, since that office hires a staff of lawyers.
Re: (Score:3)
What's needed is something like that Terms of Service did not read [tos-dr.info], with easy bullet points telling you just how evil this app is, sure ToS and privacy policies aren't exactly the same thing. This was discussed on slashdot [slashdot.org] last week.
The PowerPoint Effect may be lies (Score:3)
There's a lot of pushback against bullet points, with people talking about "The Power Point effect," where somehow reading a lot of bullet points turn ordinary people into morons. I'm with you -- I think whatever works to make the simplest and clearest communication is best. Going to the level of memes might be taking it too far, but no one's suggest that yet thankfully.
Let's see (Score:4, Funny)
Re: (Score:2)
the problem is that Power Point Bullets do not have a large enough Caliber (or the person doing the Power Point was not threatened with Bullets of a large enough Caliber)
the best way to prevent the PPE is to act as if you need to travel by Air with actual Bullets (and a matching FireArm of course)
1 DO NOT JUST READ THE SLIDES
2 have roughly an index card worth of info on each slide (not counting what you are just stating)
3 don't get "cute" with your transitions/embedded media
4 limit yourself to maybe a dozen
Re: (Score:2)
Re:Open source privacy policy (Score:5, Insightful)
Why didn't the AG attach a sample? Because it's a silly idea.
This is a legal document, probably differing for every case, and the point in requiring it is to make developers take a hard look at what information they access and how they use it. Rubber-stamping a boilerplate lets developers say they have a privacy policy, but it doesn't actually encourage any increase in privacy until somebody's sued over it. Once that happens, there will be a few developers who think about privacy, but most won't even know the case happened.
Like most legal documents, you usually don't actually need a lawyer to write it. You may need a lawyer to make it bulletproof against other lawyers, but any statement is enough. You could drop in a note saying "This app doesn't intentionally collect any personally-identifiable information, and doesn't contact external services" and probably satisfy the needs of the law, assuming it's accurate. In the event of a lawsuit, though, that statement would cause a little trouble (and open up room for opposing lawyers to argue), because it doesn't define "personally-identifiable" or "external" adequately. Does a game ask for a name for a high-score list? Does it send usage reports or download updates from a developer's server?
A lawyer could enumerate all the things the app does and doesn't do, in absolutely clear language, so there's no question where users' data goes, but for many apps (especially for those made without the intent of profit) that's unnecessary. Developers should already know how their program works, so they should be able to define one aspect of it.
Disclaimer: IANAL, but I've had my share of dealings with them.
Encourage them to standardize (Score:5, Insightful)
I disagree that it's going to be that different. If they need to list different data fields that will be retained, or change a length of time, they can edit the open-source document for their specific needs. But this gives them a template to work from which has all of the lawyerese perfected.
I can't agree that the document will differ in every case. In my experience, the differences will be slight, and thus having an open source document would encourage programmers to adopt a general standard (like a community rule) for how they're going to approach privacy issues.
The result would be a raising of the overall standard to that of the proposed document, which is why it's a good idea to have professionals write it and "promulgate" it.
Re:Encourage them to standardize (Score:4, Interesting)
A privacy policy shouldn't just be a checkbox on a compliance procedure. Like any policy, it should only be the result of careful consideration. Yes, eventually many developers will come to broadly the same conclusions, but the process of writing (and verifying) the policy conveys the importance it should have. The privacy policy is effectively a promise of what your app will or won't do, and if that promise is made just to save time, it likely won't mean anything to the person making it.
Sure, there could be a Creative Commons-like system, where developers pick and choose what options they include. My concern is that by having an easy-to-make policy, the policy is also easy to forget. When a later version adds a new feature or advertisements, how likely is it that the long-forgotten privacy policy will be updated to match? If a legally-bulletproof blanket-permission policy can be made cheaply and easily, why not just apply that to all apps, regardless of the actual capabilities of the program?
Re: (Score:1)
A lawyer could enumerate all the things the app does and doesn't do, in absolutely clear language,...
Clear language? Legalese is about as far from clear as one can get.
Re: (Score:3)
Not to mention, but how exactly do you enumerate all the things your app doesn't do?
Re: (Score:3)
"No other personal information is collected" or other similar wordings will do nicely. If there's something that you know your app will never try to do, it can be listed as a reassuring gesture to the user.
By the way, the link in your signature is broken.
Re: (Score:1)
"No other personal information is collected" or other similar wordings will do nicely. If there's something that you know your app will never try to do, it can be listed as a reassuring gesture to the user.
By the way, the link in your signature is broken.
That works for apps off the various stores....But doesn't work for pre-installed bloatware the provider is running while you use your phone. Verizon is great for these apps. They crash your phone not releasing memory while your doing memory intensive activities. No App needs access to your cellular phone except to keep it from sleeping. Asking for contacts is bad programing and presentation....I'm seeing alot of this disappear from the Google apps. But Apple doesn't present rights to the end user....is it t
Re: (Score:3)
The reader's lack of education is not the author's fault.
My opinion is that the problem of "legalese" stems not from obtuse writing, but rather from the lack of adequate reading comprehension skills in today's society. As printed language has become more common, literature has followed the common grammar into a more casual (but imprecise) tone. Schools, in appealing to modern culture, require less reading of older works in favor of modern literature. Where once a student would read The Canterbury Tales or M
Re: (Score:3)
Where once a student would read The Canterbury Tales or Moby Dick, they now read Harry Potter or Twilight.
that many now call Legalese.
Legalese is not prose or poetry. It is not Chaucer, Shakespeare, Emerson, or Auster. It is closer to math than prose. While literary English hinges on "deeper meaning," legal English hinges on the logical operators of "and" "or" "not" and "nor" and punctuation. A single "and" instead of an "or" or "not" can change the entire meaning of a contract. Well written legal doc
Re: (Score:2)
Just a few hundred years ago, it was not uncommon for a document to break off into several lines of pure Latin, and then jump back into English again without any explanation. The abstruseness of legalese is deliberate for excluding the legally untrained and to justify high fees. Legalese is characterized by long sentences, many modifying clauses, complex vocabulary, high abstraction, and insensitivity to the layman's need to understand the document's gist.
Here's one of my favorite jokes about legalese, bu
Re: (Score:2)
Note the differences in the statements you gave.
“I give you this orange.”
In this case, the giver is simply handing over a fruit. There is no indication of what the receiver is expected to do with it, whether it will be expected back, or whether it even is actually an edible orange. For all the receiver knows, taking the orange means he's just entered a common-law marriage with the giver's niece, mother, and cat.
“Know all persons by these present that I hereby give, grant, release, convey, transfer and quitclaim all my right, title, interest, benefit and use whatsoever in, or and concerning this chattel, otherwise known as an orange, or citrus aurantium, together with all the appurtenances thereto of skin, pulp, pip, rind, seeds and juice to have and to hold the said orange, for his own use and behoof, to himself and his heirs, in fee simple forever, free from all liens, encumbrances, easements, limitations, restraints or conditions whatsoever, any and all prior deeds, transfer, or other documents whatsoever, now or anywhere made to the contrary notwithstanding, with full power to bite, cut, suck or otherwise eat the said orange or to give away the same, with or without its skin, pulp, pip, rind, seeds or juice.”
Clarity at last! Let's break this down a bit...
Know all persons by these present
This is a public deal, and everybody watching is expected to know about it.
Re: (Score:2)
All very true. I did not mean to imply that prose or poetry would translate directly into a career as a lawyer, but rather that I feel schools simply don't focus enough on difficult works (and I generally find older works to have more difficult material). The goal in a literature class is to explore the deeper meanings and interpretations of literature. For that purpose, many modern works are fine (though I'm partial to science fiction, myself).
What I bemoan is that there is never a class emphasizing readin
Re: (Score:2)
Our society has accepted that a fifth-grade reading level should be the defacto standard for most published works. Consumer oriented publications such as newspapers and magazines tend to be written to be easily read by someone with a fifth grade education. Such a level should be appropriate for any contract intended for a general audience. If you write for a specific audience you can use vocabulary that they will (or should) recognize, and sometimes it is more eloquent and precise to use a particular wor
Re: (Score:2)
I think it would be more precise to say that English has largely replaced Latin and Greek as the shared language of communication across cultures. Thus, in much the same way that someone native to Greece two hundred years ago did not need to know English to communicate with people in other countries, someone native to an English-speaking nation today need not learn Latin for that purpose except as an intellectual exercise.
Re: (Score:1)
Re: (Score:2)
Apart from severability and choice of law/venue clauses, there should be almost no legalese in a privacy policy, for two reasons.
First, a contract requires a meeting of the minds. If your policy is so abstruse that one party doesn't actually understand the terms, you may not actually have a contract.
Second, if you can't explain in common English what you are doing with my data, that almost always means that you're doing something nefario
Re:Open source privacy policy (Score:4, Interesting)
This happens anyway. I have to fight this battle every time I build an app that collects personal information. Every single time in four years of developing apps, I have been provided with the privacy policy for their website, that specifically describes things that are only applicable to their website, that doesn't account for their mobile app at all. I've got a current project hanging at the moment where we've chased them for a real privacy policy about half a dozen times. The rest of the app is finished, we're still waiting for the privacy policy, weeks later. If it wasn't for us insisting, the app would be live with a meaningless privacy policy they don't follow, and I'm certain other app developers aren't as insistent as us.
Re: (Score:2)
And even if you need them Iubenda [iubenda.com] is an example of a self service privacy policy generator. They have a legal team that writes the standardized pieces you put together for your site. I've been using it for a couple of web services. Iubenda is specific for the web but I bet the same could be done for mobile applications.
Re:Open source privacy policy (Score:4, Insightful)
...why didn't the AG attach a sample privacy policy and open source it so that developers can use it?
Because the real intention here is to put small independent developers with their 'disruptive' technology who can't afford a gaggle of lawyers out of business. The whole idea of a 'privacy policy' can be nothing more than a jobs program for the legal profession. It is impossible to enforce such nonsense.
Re:Open source privacy policy (Score:5, Informative)
Because the real intention here is to put small independent developers with their 'disruptive' technology who can't afford a gaggle of lawyers out of business.
Bullshit. It's not a conspiracy. This is an issue everyone in the 80s running single-line BBSes had to deal with. The ECPA became law 24 years ago. The California AG's message should not surprise you.
Copy someone else's privacy policy. It's what lawyers do anyway. You think they actually work at this stuff? It's all boilerplate.
You can say "we do not collect any user data" and make sure your program doesn't phone home or disclaim all privacy whatsoever. and hope nobody actually reads your privacy policy. Copy Facebook's privacy policy if you want to be evil. They bury the "we own everything you post" in language that you and I can understand but not 90 percent of users.
And at the end of it, say "we reserve the right to change this policy in the future." to further cover your ass.
It's not hard if you're honest and up front. It's only hard if you want to deceive users. That's where the tricky language comes in.
--
BMO
Re: (Score:3)
Becasue not all apps will have the same privacy policy. The compliance letter is standard fair.
Re: (Score:2)
Because the privacy policy has to describe what personally identifying information (PII) the online service actually collects and what the online service operator actuall
Re: (Score:2)
Instead of attaching a sample compliance letter, why didn't the AG attach a sample privacy policy and open source
What is this fascination with "open sourcing things?" Are you afraid someone will take the "sample privacy policy" and copyright it? Or are you afraid people will distribute copies without distributing the source?
The government can't copyright things, so there is no need to "open source" the sample privacy policy.
Re: (Score:2)
Instead of attaching a sample compliance letter, why didn't the AG attach a sample privacy policy and open source it so that developers can use it?
As someone who recently hired a lawyer to go over a Privacy Policy and Terms of Service, I can assure you that what the average person THINKS should be in a Privacy Policy and Terms of Service are vastly different than what is needed to be legal, and most important, enforceable.
A good Privacy Policy should include not just what you store, but how you collect it, and how it is stored. Are you using cookies? Can I opt-out of using cookies? Can anyone else see those cookies? If I delete the app, does that dele
Only 30 days? (Score:5, Funny)
With only 30 days to get a policy written and added to the app, I guess that means that most iPhone apps will not be able to comply.
We ownz you (Score:3)
Don't like it? Stop using the app you paid for!
No refunds. Sucks to be you.
It has to be within the app? (Score:5, Informative)
The article contradicts itself. Early in the article, it states that the policy has to be within the app, then later on, it says it has to be in the App Store. There's a huge difference between the two in what it means for app publishers.
Re:It has to be within the app? (Score:4, Insightful)
Re:It has to be within the app? (Score:4, Insightful)
She's supposedly been consulting with app developers, although not ones representative of the larger industry.
Tthis is what could happen if it had to be within the app:
And you've got to fit that into 30 days. And that assumes the changes Apple requires you to make aren't fundamental to your business model or operation of the app. And that assumes only one round of alterations is required. And that assumes it's feasible for you to pay for expensive mobile developers.
Meanwhile, here's what it would be like if the policy only needs to appear in the App Store:
Re:It has to be within the app? (Score:4, Insightful)
No, a much bigger issue in the difference between in-app or an in-store privacy policy is for the consumer. If the privacy policy is in the store, you can read it and assess it before downloading and installing the app. If you don't like the privacy policy, then don't download and install the app. If it's an in-app document or link, then you have to download, install, run, possibly even create an account an login all before you get to see the privacy policy. By that time, the app has probably already completely sucked all personal information out of your phone and submitted it to the app owner.
Same with a EULA that's presented to you when you install a piece of software on your PC. That EULA is presented to you after you've bought the software. So if you don't agree with the EULA, then I'm pretty sure the seller is forced to completely refund the software to you. It's basically the same thing as buying a bread from the baker and after paying, the baker says that you are only allowed to eat the bread at home, and only if don't put any meat on it.
Not in California (Score:1)
In UKRANE Capitalist Country!!!!! DOES Not apply.
Hahah.
$$$$$
Is this guy serious? (Score:5, Interesting)
Does this guy expect app developers from other states to comply with the laws of California? What about developers from other countries?
Re: (Score:1)
Re: (Score:2)
Kamala Harris, the Attorney-General of California, is not a "he" (strike one), is not any kind of "lawyer wannabe" (strike two), and doesn't get any more money for doing this than she would get as Attorney-General not doing it (strike three).
Re: (Score:3)
Does this guy expect app developers from other states to comply with the laws of California? What about developers from other countries?
People can be forgiven for not realizing Kamala Harris [wikipedia.org] is African American and Asian American, but she's definitely not a guy.
Re: (Score:3)
If you want to sell your product in California, then yes.
Re: (Score:2)
So attach a statement to your app description in the Apple Store "Not Legal for Sale in California".
Re: (Score:2)
"may not be Legal for Sale in California" FTFY
Re: (Score:2)
Kamala Harris is not a guy.
All of the specific businesses I've seen mentioned as recipients of these notices are businesses that do businesses in California in a fairly substantial way besides having their relevant online service available in California (e.g., major US airlines.)
Re: (Score:1)
"App" now officially defined in law (Score:2)
OK, it's official, "app" is known to the State of California to be defined as a "mobile application".
I have only one thing to say about this... (Score:2)
CalOPPA Gangnam Style!
Great. Now all apps: (Score:2)
Permission: Fine GPS position (to verify that you're not in california, so as to not show it)
Re: (Score:2)
UID and user info to confirm records of sale from vendor that the product was billed in califaornia, then sell info... profit?
Just Exclude California (Score:3, Insightful)
Re: (Score:3)
Yes, becasue no one want to tap a market that huge.
"because over burdening regulations"
Yes, telling them they have to post there privacy policy where the consumer can reasonably get to is so overburdening~
"avoid states or places where your work is not appreciated."
there is no rule people need to appreciate your work, so get over it.
Re: (Score:1)
The AG is simply right... (Score:4, Insightful)
Re: (Score:3)
Re: (Score:3)
Unless they're selling to someone who lives in California. In which case the sale is governed by California law. Now if the developers said CA residents can't buy it (and are not themselves CA residents) then they can ignore this.
Re: (Score:2)
Two of the three app stores are owned by entities headquartered in California. Only Microsoft's app store would be able to legally ignore it if they decided to go that approach.
Re: (Score:2)
The firms whose apps have been mentioned as recipients of non-compliance notices (e.g., United Airlines, Delta Airlines, and OpenTable) all have significant operations in California besides the mere presence of their mobile app (and OpenTable is headquartered in San Francisco.) So...what's your point?
Re: (Score:2)
Re: (Score:2)
I'm not so sure about that. Maybe I'm reading the wrong thing [ca.gov] (someone please correct me if you have a better reference) but I don't see anything in here which suggests a client application which interoperates with an online service is an online service, or that a client application which downloads other clients, is somehow governed by this law to display those other applications' policies in addition to its own.
You might say this is splitting hairs and ignoring the spirit of the law, but the text I'm readi
Re: (Score:2)
The app is just the mechanism by which a consumer "visits" the online service, which is the point at which the cited law requires the operator of the online service to make the privacy policy available.
Re: (Score:2)
And developers who want to sell their apps in California?
Re: (Score:2)
Developer doesn't have any stores in California. The California resident has to seek them out.
The law could require Apple or Google to delist any app that doesn't accommodate their laws, but a developer in Kazakhstan or Nevada has no presence in California.
Re: (Score:2)
Unless, as is the case of many out-of-state HQ'd operations, they do. United Airlines and Delta Airlines are examples (and, unlike abstract hypotheticals, are actual recipients of non-compliance notices in this case.)
Yeahletmethinkaboutthathowaboutno? (Score:3)
Go pound sand.
Sincerely,
Someone who doesn't live in California.
Re: (Score:2)
You don't live there, why would they give a shit about you? why would you give a shit about them?
Yes, let stop consumer protection, what could go wrong?
Re: (Score:2)
Because:
1) TFA says nothing about the AG threatening only companies located in CA, and
2) California has a long history of strong-arming their regulatory environment onto the rest of the US simply by virtue of the size of their economy.
We don't need another Andrew Cuomo wannabe destroying a major part of the online world in a pathetic attempt to make a name for themselves while forcing their morals on the
Re: (Score:2)
You don't have to live in California to be bound by their laws. If you visit there or do business there, you are bound by their laws.
You will be the one losing out, not California. Someone else has written the equivalent to your app, and they'll get the sales you would have.
And... if you have to be sneaky to get their info, I don't think much of your morality. IMO that's really assholish behavior and I wish you people would stop it.
Re: (Score:2)
FWIW, I agree with you. But as I said in my other response, this doesn't stop anyone from collecting anything. It just requires posting a privacy policy. And if you've read any privacy policies lately, you'll know that they virtually all say "we do what we want, deal with it or piss off".
I support real consumer protection laws. I don't support fee
CA AG has a lot of free time (Score:2)
Re: (Score:2)
There is a theory that what you say is true. It isn't, however, the practice.
The enforcement of laws is riddled with favoritism from top to bottom. People will often justify it by saying "But they couldn't have meant it to cover that situation.". Often, however, there is no justification available, but the laws are enforced with favoritism anyway. This is why there is (in the locality I live) a "crime" described informally as "Driving while brown or black." But that's merely an easily observable instan