Play Store Requires Privacy Policies

Mobile and App Privacy Policy

Google recently informed some developers with apps on its storefront that it will be penalizing apps on its Google Play Store that do not have privacy policies adhering to its User Data Policy.

According to Next Web, Google emailed a notice to developers stating that violations of the User Data Policy would result in their apps’ visibility being limited or removed altogether.

The User Data Policy states:

You must be transparent in how you handle user data (e.g., information provided by a user, collected about a user, and collected about a user’s use of the app or device), including by disclosing the collection, use, and sharing of the data, and you must limit use of the data to the description in the disclosure. If your app handles personal or sensitive user data, there are additional requirements described below. This policy establishes Google Play’s minimum privacy requirements; you or your app may need to comply with additional restrictions or procedures if required by an applicable law.

With some apps collecting information from children or even sharing data unbeknownst to the user, Google’s enforcement of its policies should increase transparency and better protect users’ personal data. Protecting user data is important for a variety of reasons, such as enabling the maximum value to be drawn from that data.

TRUSTe provides solutions to ensure that your organization’s apps comply with a variety of privacy frameworks or privacy standards. To learn more, schedule a consultation.


Increasing Transparency with California AB 370

Joanne Furtsch, Director of Product Policy

In August 2013, both the California State Assembly and Senate unanimously passed AB 370, which is an amendment to CalOPPA. The bill amends the disclosure requirements for privacy policies; companies need to disclose within their privacy policies:

  • How they will respond to a Web browser signal such as Do Not Track (DNT) or other mechanism that provides consumers with the ability to exercise choice, or
  • Whether third parties collect data through the website or online service.


Moving Privacy onto the Map

Joanne McNabb
Director of Privacy Education and Policy | Office of the Attorney General |
California Department of Justice

I attended a health privacy conference recently and was surprised at how much mobile dominated the conversation, both in sessions and during breaks. Privacy officers in healthcare organizations are struggling to balance the benefits of easy, real-time smartphone consultations among docs with appropriate privacy controls. Privacy officers’ Bring Your Own Device challenge is exacerbated by the difficulty in determining what’s going on in the mobile space: many apps still don’t provide privacy policies.

Of course, I may have mobile tunnel vision, since I’ve been working intensively on mobile privacy for the past several months. As have many in the technology and privacy communities, who are building the thousand or so new apps that come onto the market each day, developing corporate policies on the use of mobile devices, or participating in the laboratory of democracy that is the National Telecommunications and Information Administration multistakeholder process on mobile app transparency.

As innovators in Silicon Valley and elsewhere are building out the mobile ecosystem, Attorney General Kamala Harris has seized this watershed moment to encourage them to build in privacy. This encouragement is taking several forms: enforcing privacy laws, empowering consumers with information, and educating businesses in best practices.

Our enforcement actions began not with a bang, but a tweet (“Fabulous app, @UnitedAirlines, but where is your app’s #privacy policy?” @kamalaharris, Oct. 12). Since then approximately 100 of the most popular free apps have received a letter letting them know that we couldn’t find their privacy policy and giving them 30 days to come into compliance with the California Online Privacy Protection Act or tell us why they think the law doesn’t apply.

Our intention, of course, is to bring apps into compliance and to improve privacy practices in the mobile space. Preparing a privacy policy requires developers to think about – become aware of – their potential and actual data practices, including the practices they inherit from Software Development Kits and libraries. That’s a first step and an important one. From there, decisions have to be made. And only then can the actual drafting of the policy begin.

We want to help developers think through the privacy decision-making process. To that end, we’ve been working on a roadmap, a best practices guide on mobile privacy which we will release soon. We also plan to offer some training sessions for app developers in the new year.

I recognize that while I enjoy reading privacy policies, many people do not. And yet consumers are concerned about the privacy practices of apps. A recent study from the Pew Center on the Internet & American Life found that more than half of mobile app users uninstalled or decided not to install an app because of concerns about its privacy practices. We have some suggestions, and we look to others with a stake in the app economy to come up with privacy innovations to make apps not only useful, convenient, and fun, but also privacy-respectful.

So what is my advice to companies developing mobile apps? IANAL, but I think it would be wise to start mapping your way to a privacy policy now. Don’t wait for a letter.

How many start-ups does it take to write a privacy policy?

Chris Babel

Privacy breakdowns continue to pop up across a variety of markets with the biggest headlines coming from two VC-backed mobile app start-ups, Path and Hipster. Both were called out by independent tech professionals for privacy violations stemming from the unauthorized access of user address books stored on their mobile phones, and both have quickly taken responsibility for the issue. Path has taken the additional step to seek help from privacy experts (in the spirit of full disclosure, Path has talked to TRUSTe regarding our privacy management solutions), while Hipster has elected an alternative approach, calling on their mobile start-up colleagues to jointly craft a privacy pledge for the mobile app ecosystem (see responses from Path and Hipster). While Hipster should be applauded for their efforts to raise visibility of an important problem, and while I appreciate the spirit of the suggestion, it is unlikely to address the core problem simply because the issue of privacy cannot be boiled down to taking a pledge to “do the right thing”. In order to define “the right thing”, one needs to fully understand the intricacies of data flows through the online ecosystem, all the nuances of privacy regulation, and how they might apply to each unique business model.

Privacy management is becoming increasingly complex due to the emergence of new compliance requirements, advancements in targeting capabilities, and supporting technology required to monitor and manage data privacy. 2011 saw a record number of FTC privacy cases, legislative proposals, and media coverage of online privacy. End-user concern was also at high levels – with 90 percent of consumers indicating they were concerned about their privacy online; and 88 percent of consumers indicating they would avoid doing business with companies they did not believe were protecting their privacy online.