California Attorney General Kamala Harris has begun warning mobile application developers, and companies that have apps available for download, that failing to "conspicuously" post privacy policies within 30 days could mean fines.
California, a state known for pioneering privacy mandates like the landmark 2003 breach notification bill, SB-1386, entered into an agreement in February with operators of mobile app platforms to improve privacy protections for users.
Google, Amazon, Apple, Microsoft, Research in Motion (maker of the BlackBerry) and Hewlett-Packard were among the companies that committed to the agreement, with Facebook later joining in June.
Shum Preston, a spokesman for the California attorney general's office, told SCMagazine.com on Thursday that Delta Air Lines, United Airlines and OpenTable, an online restaurant reservation service, are among the companies being contacted for having allegedly non-compliant apps.
“It's going to be a rolling process that will take us two to three weeks,” Preston said of notification letters. “And we don't want to inform [the public about this] until we've confirmed they've received a letter.”
Harry Sverdlove, CTO of security firm Bit9, told SCMagazine.com on Thursday that ensuring privacy when downloading apps is a hard task for end users to take on -- and that regulation could help.
Bit9 released a report Thursday that found that more than 100,000 Android apps in the Google Play marketplace, out of more than 400,000 analyzed, posed a security risk to users and enterprise networks to which they connect.
“It's a tough problem for the consumers to deal with,” Sverdlove said of app privacy concerns. “I certainly think companies can [improve] this through their own policies. For instance, Google Play makers have taken on a number of advancements to help keep malware from coming out.”
This includes the introduction earlier this year of Bouncer, a custom malware scanner for Android apps.
The Bit9 report classified apps as a security risk based on various factors, including the number of permissions requested when users downloaded them, the reputation of the app developer or publisher, the number of times the app was downloaded, and user ratings.
[An earlier version of this story incorrectly stated that notification letters were sent to 100 companies and developers.]