California is one of the greatest states here in the US. San Francisco, Silicon Valley, Hollywood, great forests, San Diego, more celebrities per square mile, etc. There are so many things to love. In the mobile space, and increasingly in social and local, I wouldn’t say we love California so much as we watch it very closely.
In some areas of the law, if you are in, say, Nebraska, you don’t need to worry about California. Mobile application regulation is not one of them. As with privacy and data breach, where one state seems to lead the charge and set the agenda, for mobile governance that state is California.
The most recent missive from the office of Attorney General Kamala D. Harris is titled “Privacy on the Go.” It isn’t all that new, January 2013, but it is a blueprint to look at a little closer if you are in this space. Let’s look at some of the sections in a bit more detail:
Whenever a regulator goes to the trouble of defining terms, you should always pay particular attention to what they say as well as what they don’t say. Personally identifiable data doesn’t only include information about the users themselves, it also includes information about their device (“a device via a unique identifier”). And it includes automatically collected data. Oh my, right? So if your application reads the UDID (Unique Device ID – Apple’s term for the unique identifier) or even the IMEI (International Mobile Equipment Identity) and stores it somewhere for any type of present or future use, you are collecting personally identifiable data. There are lots of good reasons to collect this data. Oh, if you are collecting the UDID on your consumer’s iPhone, stop. Apple doesn’t like it, and was heralded as being very progressive in their switch to an Identifier for Advertisers (Apple Switches from UDID to IFA).
Privacy by Design
Quite frankly, the rest of the document is what I would consider to be table stakes. It is very good reading, and if you are just getting up to speed in this space, do read it in detail. Concepts like being transparent, limiting data collection, and limiting data retention are pretty standard stuff. And if you really did a good job with designing privacy into your mobile application, this should be pretty simple. Think about where to display your privacy practices and give users the ability to opt out of it where possible. If you truly need data to satisfy some other requirement, tell the user that by opting out of that particular data collection practice (think location information for financial institutions) they will not be able to use that functionality.
California talks about short-form privacy statements, which I think are a really good idea, but I think you should have a fully fleshed out statement somewhere in your application as well. California’s embrace of a short privacy statement is an acceptance of research that has shown that users don’t read privacy policies (The Real Reason No One Reads Privacy Policies).