California – You Don’t Check In, And You Can’t Leave

California is one of the greatest states here in the US.  San Francisco, Silicon Valley, Hollywood, great forests, San Diego, more celebrities per square mile, etc.  There are so many things to love.  In the mobile space, and more increasingly in the social and local, I wouldn’t say we love California so much as we watch them very closely.

Unlike some other areas of the law where if you are in, say, Nebraska, you don’t need to worry about California, mobile application regulation is not one of them. Like privacy and data breach, where one state seems to lead the charge and set the agenda, for mobile governance, that state is California.

The most recent missive from the office of Attorney General Kamala D. Harris is titled “Privacy on the Go.”  It isn’t all that new, January 2013, but it is a blueprint to look at alittle closer if you are in this space.  Let’s look at some of the sections in a bit more detail:

Key Terms
Whenever a regulator goes to the trouble of defining terms, you should always pay particular attention to what they say as well as what they don’t say.  Personally identifiable data doesn’t only include information about the user itself, it also includes information about their device (“a device via a unique identifier”).  And it includes automatically collected data.  Oh my, right?  So if your application reads the UDID (Unique Device ID – Apple’s term for the unique identifier) or even the IMEI (International Mobile Equipment Identity) and stores it somewhere for any type of present or future use, you are collecting personally identifiable data.  There are lots of good reason to collect this data.  Oh, if you are collecting the UDID on your consumer’s iPhone, stop.  Apple doesn’t like it, and was heralded as being very progressive in their switch to a Identifier for Advertisers (Apple Switches from UDID to IFA).

Privacy by Design
Both the Federal Trade Commission (FTC) and California have been talking about this concept of Privacy by Design. What does it mean? To my ear and mind, it merely means that you think about privacy elements as you are working up the wireframes for your UI, and as you are designing the flows for the User Experience (UX). Consider what information you need from the user to provide them whatever you are providing them. Ask the question of “do you really need it?” Then really consider how you are going to use that data, which may change your answer as to what you are going to collect. Don’t only consider how you are going to use that data today, but spend some time thinking about how you could use that data in the future. Are you going to sell it, would you sell it. Based on your answers to those questions, your UX and UI may need some changing, even if that is just some changes to how you inform the user about your data collection practices, aka privacy policy.

Privacy Practices
Quite frankly, the rest of the document is what I would consider to be table stakes.  It is very good reading, and if you are just getting up to speed in this space, do read it in detail.  Concepts like being transparent, limiting data collection, and limiting data retention are pretty standard stuff.  And if you really did a good job with designing privacy into your mobile application, this should be pretty simple.  Think about where to display your privacy practices and give users the ability to opt out of it where possible.  If you truly need data to satisfy some other requirement, tell the user that by opting out of that particular data collection practice (think location information for financial institutions) they will not be able to use that functionality.

California talks about short form privacy statements which I think are a really good idea, but I think you should have a fully fleshed out statement somewhere in your application as well.  California’s embracing of a short privacy statement is an acceptance of research that has shown that users don’t read privacy policies (The Real Reason No One Reads Privacy Policies).

Final Thoughts
This was a pretty high level look at CA’s most recent document on privacy.  If you have a mobile application that is consumer facing (and maybe even your enterprise apps as well) you are subject to California’s rules.  And California is not a wallflower when it comes to enforcing this stuff.  Just ask Delta Airlines (California sues Delta over lack of Privacy Policy on Mobile App).  So even if you didn’t check in to the Hotel California’s Privacy Suite, rest assured you won’t be allowed to leave.

This entry was posted in Mobile and tagged , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s