In January, California Attorney General Kamala Harris further built on her high-profile 2012 campaign to improve privacy protection for consumers who use mobile devices by issuing a report titled “Privacy on the Go” (“Privacy Report”) which lists recommended best practices for app developers, mobile advertising networks, operating systems developers, app platform providers, mobile carriers and others in the mobile industry. The Privacy Report is not legally binding, but it further highlights that consumer privacy is a top priority for California regulators. It also provides useful guidance on the regulators’ key privacy concerns relating to the mobile industry, and it signals potential future regulatory actions.


The Privacy Report’s key premise is that mobile device users tend to ignore traditional app privacy notices, because they are complex documents that are difficult to review on small screens.

Harris encourages companies to: (1) consider privacy issues at the time they are designing products and services; (2) implement the Fair Information Practice Principles; and (3) adopt a “surprise minimization” approach to alert users about how their information is collected, used and disclosed and give them control over data practices not directly related to an app’s functionality or that involve sensitive information.

Harris offers numerous industry-specific recommendations, including the following:

•   Only collect data you need to operate the app (app developers/owners)

•   Obtain prior consent from users before obtaining/accessing personal information (app developers/owners and ad networks)

•   Create transparent privacy notices that accurately describe your collection, use and disclosure of consumers’ personally identifiable data (app developers/owners and ad networks)

•   Provide consumers with the opportunity to learn about privacy practices before downloading apps, and provide app users with tools to report non-compliant apps (app platform providers and ad networks)

•   Move away from unchangeable, device-specific identifiers and transition to temporary device identifiers (ad networks)

•   Securely transmit user data using encryption for permanent unique device identifiers and personal information (ad networks)

Impact on the mobile industry

Forewarned is forearmed. App developers, mobile advertising networks, operating systems developers, app platform providers and mobile carriers may want to consider implementing the Privacy Report suggestions now to stay ahead of the curve. Although the Privacy Report is not legally binding, it shows that privacy is high on the regulators' radar. Mobile industry companies should take note. As indicated in the report, certain areas (such as collecting only the data needed, making privacy policies transparent and consistent across apps and devices, and making data more secure) are key concerns. Companies in the mobile industry should voluntarily and quickly implement measures that comply with these guidelines. As part of your initiatives, we encourage you to think like a consumer, create simple, clear policies, and promote these as features of your services. Additionally, companies that voluntarily comply with these guidelines should advise their customers and their peers of this. Leading today, rather than having measures imposed later on, is the right approach from both a risk management and a customer relations perspective.

We can help you find innovative ways to stay ahead of the recommendations in this report.

If you have any questions about how to comply with state or federal privacy laws or whether to implement the best practice recommendations in the Privacy Report, please contact Helen Christakos, Esq. at: (650) 342-9600 or hchristakos@carr-mcclellan.com.