Tech firms agree to privacy protections for mobile apps

In an effort led by California's attorney general, Apple, Google, Microsoft, and others have agreed to require developers to inform users about data usage policies before they download apps.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
California Attorney General Kamala Harris addresses the media at a press conference this afternoon in San Francisco. Elinor Mills/CNET

SAN FRANCISCO--California's Office of the Attorney General has gotten agreements from Apple, Google, Microsoft, Amazon, Hewlett-Packard, and Research In Motion to improve privacy protections on mobile apps.

The companies will require developers to include privacy policies in their apps so that users will be informed about the data that apps will access, use, and share before they download the apps, California Attorney General Kamala Harris said today in a news conference. The news follows disclosure that some mobile apps were using address book data without user notification or permission.

Basically, California's Online Privacy Protection Act, one of the strongest consumer privacy laws in the country, will now be applied to mobile apps, which currently have no privacy protections, Harris said. The law requires commercial Web sites or online services that collect personally identifiable information about consumers to conspicuously post a privacy policy that details the kinds of information gathered, how the information may be shared with other parties, and how a consumer can review and make changes to their stored data.

"This will give more information to the consumers so they understand how their personal and private information can be used and potentially manipulated," Harris said. "Most mobile apps make no effort to inform users...Consumers should be informed what they're giving up before they download the app."

The six companies, which are the major mobile platforms for apps, will need to redesign their app stores and marketplaces so that the text of the privacy policy for each app is visible on the store or there is a link to it on a Web site. The companies then will be required to monitor that developers are following the guidelines.

Developers and platform providers that do not comply with the law can be prosecuted under California's Unfair Competition Law and/or False Advertising Law, which has penalties of up to $500,000 per use of the app in violation, Harris said. "If developers do not follow the privacy policies we will sue," she added.

Because of the global nature of the Internet, the law will apply to every mobile app provided through the six firms' app stores even though it is a state law.

The attorney general's office will meet with the mobile application platforms in six months to assess how they're doing, but Harris did not specify a time frame for when the privacy policies will need to be on the app marketplaces and in use.

Harris said she first contacted the six tech firms in August of last year about the matter after realizing that there was confusion in the industry as to whether the California Online Privacy Protection Act applies to mobile apps.

Asked for comment, a Google spokesman provided this statement: "From the beginning, Android has had an industry-leading permissions system which informs consumers what data an app can access and requires user approval before installation. Coupled with the announced principles, which we expect to complete in the coming weeks, consumers will have even more ways to make informed decisions when it comes to their privacy."

Meanwhile, Marc Rotenberg, executive director of the Electronic Privacy Information Center, wasn't impressed with the announcement. "Privacy policies do not protect privacy," he said in an e-mail to CNET. "That is well known. Better approach is to limit data collection to that which is actually necessary for the app's functionality."

This issue of Web app privacy came to a head last week when Apple announced that iOS applications that collect user contacts data without permission were violating its guidelines. Apple said it would release a software fix to prohibit that behavior. The company was likely prompted to take the action after a media firestorm arose when mobile photo-sharing app Path and other popular apps were found to be collecting user contact information without permission.

Last week, the Federal Trade Commission released a report saying mobile apps for kids lack privacy policies. Also last week, Twitter fessed up that it uploads and stores the contact list data of many app users for 18 months without an explicit heads-up.

It's not just state officials who are taking notice of the data privacy issue. Just ahead of Apple's announcement last week, a ranking member of a subcommittee in the House of Representatives wrote to Apple, asking why the company doesn't force app developers to ask users for permission before downloading contacts.

And last May, U.S. Sen. Al Franken (D-Minn.) asked Google and Apple to require that all mobile apps in their stores have privacy policies. His letter came amid a controversy over a location database discovered in Apple's iOS that contained information about Wi-Fi hot spots and cell towers.

Updated at 4:47 p.m. PT with EPIC reaction, 3:38 p.m. with Google comment, 2:38 p.m. with more details and background, 1:01 p.m. with details from the news conference and 12:28 p.m. with background.