New ‘Consumer Bill of Rights’ for Mobile Apps — What It Means for LBS

Following new regulatory pressure over consumer privacy in mobile apps, the Electronic Frontier Foundation and TRUSTe have unveiled a new “consumer bill of rights” and other products to help mobile app developers provide more transparency to consumers using mobile devices.

These announcements come on the heels of the Obama Administration’s unveiling of a Consumer Privacy Bill of Rights last week, and California Attorney General Kamala Harris’ announcement that Apple, Google, Hewlett-Packard, Microsoft and Research in Motion have agreed to require mobile application developers to provide privacy policies with their applications. These new developments will have consequences on how hyperlocals can connect and transact with their customers via mobile devices.

The stakes are high. New research shows that mobile services are becoming popular with local merchants and consumers. comScore revealed in a new report on February 23, 2012 that more than half of the U.S. smartphone population used their phones to perform retail research while inside a store in 2011. “We expect the mobile and connected device landscape to be shaken up even further in 2012,” said comScore senior VP Mark Donovan. For consumers, seeking local resources invariably means that users may disclose information about themselves and where they are to find a local resource like a restaurant or coffee shop. But government officials fear that consumers may not be aware of how much information is collected from their mobile devices.

On February 23, 2012, President Barack Obama introduced the U.S. Commerce Department’s Consumer Privacy Bill of Rights. “American consumers can’t wait any longer for clear rules of the road that ensure their personal information is safe online,” the President said. The administration’s proposals include requirements that:

• Consumers must be able to understand easily the information about a company’s privacy and security practices.
• Organizations should collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
• Personal data should be kept secure.
• Consumers should have access and correct personal data in usable formats.
• Consumers have a right to reasonable limits on the personal data that companies collect and retain.
• Companies should be held accountable for adhering to the Consumer Privacy Bill of Rights.

On February 22, 2012, California Attorney General Harris declared that mobile applications must have privacy policies under California law. Most major distributors of mobile apps, including Apple, Google, Hewlett-Packard, Microsoft and Research in Motion signed off on an agreement with the California Attorney General to comply with California law, redesign their app stores, and require app developers to provide for privacy policies for mobile applications.

Addressing these new regulatory challenges, the EFF introduced its Mobile User Privacy Bill of Rights on March 2, 2012.  The EFF Privacy Bill of Rights sets “a baseline for what mobile industry players must do to respect user privacy,” said EFF’s Parker Higgins in a blog post. The EFF “Bill of Rights,” directed at app developers, recommends:

1. Give users the right to control what data is collected and how it is used. This includes allowing users to withdraw consent.
2. Collect a minimum amount of data as necessary to provide the services and find a way to anonymize personal information.
3. Tell users what information is collected and how it will be shared. The EFF suggests that disclosure should be made before and after installation.
4. Keep the data secure.

A day after President Obama announced the administration’s Privacy Bill of Rights,  TRUSTe released a new mobile privacy policy service to help mobile app developers and publishers strapped for cash create their own privacy policies using a template made available on TRUSTe’s site.

The template requires developers to go through a series of questions about their information practices, such as, what information they collect, how they use it, and other disclosures about adverting and location based services.

After the developer completes the survey, TRUSTe’s system creates an automated privacy policy based on the information provided by the developer. The policy is presented in a layered approach, in which the home page of the mobile policy provides the disclosure on tabs that link to specific categories.

TRUSTe unveiled the service in response to the California Attorney General’s settlement that requires the major application distributors to require privacy policies.  “We expect the service will greatly benefit the thousands of small developers who do not have the legal and financial resources to do this on their own,” said Chris Babel, CEO of TRUSTe.

Although Congress and the White House are still exploring options in implementing a regulatory scheme for mobile consumer information, the California settlement with the major mobile app distributors sets the current de facto standards on mobile privacy because all major application distributors have agreed to require privacy policies. Since the app stores will require privacy policies for mobile applications, Hyperlocals who depend on mobile apps to transact with customers should focus on getting consent and providing consumers with disclosures on what information is collected, how it is used, how it may be shared, and the options the users have with such information.

Brian Dengler is an attorney with Vorys Legal Counsel and journalist who covers legal issues in eMedia. He is a former vice-president of AOL, Inc., a former newspaperman, and an EMMY-winning TV journalist. He teaches new media issues as an adjunct at Kent State University and formerly at Otterbein University.