Privacy is a good thing in the digital world - you'll get no argument from me. I don't like my data floating around in cyberspace without my consent, but I also realize that much of what makes the internet (and computing generally) so great is that I can use my own judgment to decide who I will and will not trust with my information.
Things like app permissions, which have been a part of the Android package installation process for quite some time, are nice, but let's face it: 95% of us don't read them. And if we do, we may not even be sure what those permissions really entail, or how the app will use those permissions to gather information, or even what kind of information will actually be collected.
California's Attorney General decided he didn't like this, particularly after the whole Path debacle on iOS. So, he got Google, Apple, Microsoft, Amazon, and other mobile app providers together for a round-table discussion on the privacy of personal information gathered by apps. The end result of that meeting-of-the-minds was this agreement. The parts of importance to pull out are the following:
This agreement was drawn up based on (and will be enforced through) a piece of legislation that went into effect in the state of California back in 2004, called the Online Privacy Protection Act of 2003.
Basically, the act requires any online business collecting personal information to disclose the collection, the type of information collected, and any third parties it might be shared with. Here's what qualifies as "personal information:"
- A first and last name.
- A home or other physical address, including street name and name of a city or town.
- An email address.
- A telephone number.
- A Social Security number.
- Any other identifier that permits the physical or online contacting of a specific individual.
- Information concerning a user that the website or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.
Identify the categories of personally identifiable information that the operator collects through the website or online service about individual consumers who use or visit its site or service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information;
Describe the process by which an individual consumer may review and request changes to any personally identifiable information collected, if the operator provides such an option to consumers;
Describe the process by which the operator will notify consumers who use or visit its site or service of material changes to the policy; and
Identify its effective date.
Drafting your own policy is certainly an option, but if you're a part-time developer or a one-man (or woman) development team, you may not know exactly how to describe the data your app collects in a legally sufficient way. You may not know if it qualifies as "personal information." You may not know how much you need to disclose about how it is used in order to be in compliance. You also may find yourself at the wrong end of an argument on what constitutes "collection." It could all get very messy, very quickly.
In fact, it's entirely unclear to me how today's agreement with the California AG meshes with the language of the applicable statute - the statute says nothing about disclosing how information is used, merely what information is collected and who it is shared with. Yet, the AG's agreement clearly says that the policy must be one that "provides clear and complete information regarding how personal data is collected, used and shared." Talk about confusing.
Oh, and violating this little requirement? Not a good idea unless your bank account is well-padded:
Any violation of this division by any person, except as otherwise provided, is a misdemeanor. Each offense shall be punished by a fine not to exceed five thousand dollars ($5,000), or imprisonment not exceeding one year in a county jail, or both the fine and imprisonment.
It's unclear exactly when the agreement will go into effect, but the parties involved have pledged to take steps to implement it over the next 6 months. So, if you're a developer, expect to be hearing from Google about this relatively soon (if you haven't already). And to clarify - you don't need to be a CA resident for this law to apply to you; it applies to all app developers who make their applications available to the US and have at least one download from a user in the state of California (this is pretty normal for any internet law, though).