Calif. begins enforcing law requiring mobile privacy policies

California Attorney General Kamala Harris has begun warning mobile application developers, and companies that have apps available for download, that failing to "conspicuously" post privacy policies within 30 days could mean fines.

Over the next few weeks, the state Department of Justice will send notification letters to companies and developers responsible for 100 popular apps that do not comply with the California Online Privacy Protection Act of 2003. The law requires entities operating mobile and social apps that collect personally identifiable information to post their privacy policy for users to see when they install an app. Failure to comply may result in fines of up to $2,500 per downloaded app that is not compliant.

California, a state known for pioneering privacy mandates like the landmark 2003 breach notification bill, SB-1386, entered into an agreement in February with operators of mobile app platforms to improve privacy protections for users.

Google, Amazon, Apple, Microsoft, Research in Motion (maker of the BlackBerry) and Hewlett-Packard were among the companies that committed to the agreement, with Facebook later joining in June.

Shum Preston, a spokesman for the California attorney general's office, told SCMagazine.com on Thursday that Delta Air Lines, United Airlines and OpenTable, an online restaurant reservation service, are among the companies being contacted for having allegedly non-compliant apps.

“It's going to be a rolling process that will take us two to three weeks,” Preston said of notification letters. “And we don't want to inform [the public about this] until we've confirmed they've received a letter.”

Harry Sverdlove, CTO of security firm Bit9, told SCMagazine.com on Thursday that ensuring privacy when downloading apps is a hard task for end users to take on -- and that regulation could help.

Bit9 released a report Thursday that found that more than 100,000 Android apps in the Google Play marketplace, out of more than 400,000 analyzed, posed a security risk to users and enterprise networks to which they connect.

“It's a tough problem for the consumers to deal with,” Sverdlove said of app privacy concerns. “I certainly think companies can [improve] this through their own policies. For instance, Google Play makers have taken on a number of advancements to help keep malware from coming out.”

This includes the introduction earlier this year of Bouncer, a custom malware scanner for Android apps.

The Bit9 report classified apps as a security risk based on various factors, including the number of permissions requested when users downloaded them, the reputation of the app developer or publisher, the number of times the app was downloaded, and user ratings.

[An earlier version of this story incorrectly stated that notification letters were sent to 100 companies and developers].
