Calif. begins enforcing law requiring mobile privacy policies

California Attorney General Kamala Harris has begun warning mobile application developers, and companies that have apps available for download, that failing to "conspicuously" post privacy policies within 30 days could mean fines.

Over the next few weeks, the state Department of Justice will send notification letters to companies and developers responsible for 100 popular apps that do not comply with the California Online Privacy Protection Act of 2003. The law requires entities operating mobile and social apps that collect personally identifiable information to post their privacy policy for users to see when they install an app. Failure to comply may result in fines of up to $2,500 per downloaded app that is not compliant.

California, a state known for pioneering privacy mandates like the landmark 2003 breach notification bill, SB-1386, entered into an agreement in February with operators of mobile app platforms to improve privacy protections for users.

Google, Amazon, Apple, Microsoft, Research in Motion (maker of the BlackBerry) and Hewlett-Packard were among the companies that committed to the agreement, with Facebook later joining in June.

Shum Preston, a spokesman for the California attorney general's office, told SCMagazine.com on Thursday that Delta Air Lines, United Airlines and OpenTable, an online restaurant reservation service, are among the companies being contacted for having allegedly non-compliant apps.

“It's going to be a rolling process that will take us two to three weeks,” Preston said of notification letters. “And we don't want to inform [the public about this] until we've confirmed they've received a letter.”

Harry Sverdlove, CTO of security firm Bit9, told SCMagazine.com on Thursday that ensuring privacy when downloading apps is a hard task for end users to take on -- and that regulation could help.

Bit9 released a report Thursday that found that more than 100,000 Android apps in the Google Play marketplace, out of more than 400,000 analyzed, posed a security risk to users and enterprise networks to which they connect.

“It's a tough problem for the consumers to deal with,” Sverdlove said of app privacy concerns. “I certainly think companies can [improve] this through their own policies. For instance, Google Play makers have taken on a number of advancements to help keep malware from coming out.”

This includes the introduction earlier this year of Bouncer, a custom malware scanner for Android apps.

The Bit9 report classified apps as a security risk based on various factors, including the number of permissions requested when users downloaded them, the reputation of the app developer or publisher, the number of times the app was downloaded, and user ratings.

[An earlier version of this story incorrectly stated that notification letters were sent to 100 companies and developers].
