Where the California AG's app privacy recommendations fall short

Shane Schick

Let's begin with some applause. The California Attorney General's office has taken the first step by issuing recommendations for developers, mobile platform providers and carriers to address potential privacy issues head-on, before they get legislation forced upon them. The document that the AG's office published, Privacy on the Go, is less than two dozen pages and is written with surprising clarity. As the industry waits for the National Telecommunications Information Administration to complete its proposed mobile app transparency code of conduct, this is a resource worthy of study and consideration whether you live in San Francisco or somewhere on the other side of the country. Kudos to Attorney General Kamala D. Harris and everyone on her team involved in this effort.

Now let's get realistic for the sake of those developers who actually heed her office's call and try to build privacy into their apps from the outset. As might be expected, much of the advice offered in Privacy on the Go is common sense. If you don't need to collect certain data, don't collect it. If you don't have a privacy policy, write one. If your privacy policy isn't very clear, clear it up. And if you aren't even able to say off the top of your head what kind of personal information your app culls from your customers, figure it out before it's too late.

There are other recommendations, however, that reflect the challenges of creating a one-size-fits-all approach to privacy and apps. As Privacy on the Go acknowledges, no one is going to read an in-depth privacy policy on a smartphone. Harris recommends designing something that suits a smaller screen, even though most consumers would be as likely to scroll past and through it as quickly as they click on the "I accept" button on most desktop-oriented websites. Harris also raises the notion of "short notices" that could deliver in-context and in-time warnings.

"Make readily available from within an app both a short privacy statement highlighting potentially unexpected practices, and privacy controls that allow users to make, review, and change their privacy choices," the report suggests. Okay, but what exactly is unexpected for the average consumer or mobile gamer, whose background and experience will vary widely? Such definitions are a moving target at best.

The notion of what would essentially be privacy pop-ups would also mar many app user experiences. The AG and others might argue that this is the cost of protecting personal information, but it's not a small consideration when it's so difficult to retain and engage users of apps at all. And as recent research has shown, more experienced or "power" users have a different set of expectations around privacy, and they are the ones doing most of the downloading.

Privacy advocates will encourage erring on the side of informing users, but no one has really figured out how to strike the best balance. Of course, it's easy for someone like me to criticize the attorney general's recommendations without offering an alternative, but the point here isn't to dismiss the ideas in Privacy on the Go. We simply have to recognize that such guidelines will forever be a work in progress because the apps market is in an ongoing state of maturity. The overall message from Harris' office is "surprise minimization," but for everyone debating mobile app transparency, the complexity required to develop a workable compromise may prove to be the biggest surprise of all. --Shane