Last year, California cracked down on mobile apps that didn’t meet the state’s user privacy laws. This January, California Attorney General Kamala Harris put out a document titled “Privacy on the Go: Recommendations for the Mobile Ecosystem” to help mobile app professionals make sure they stay on the right side of the law. Kamala explains at the beginning of the document:
Along with the many wonderful capabilities these apps offer, we remain mindful that the mobile environment also poses uncharted privacy challenges, such as the difficulty of providing consumers with meaningful information about privacy choices on small screens and the many players who may have access to sensitive user information. These are challenges that we must confront and that we must resolve in a way that appropriately protects privacy while not unduly stifling innovation. As Attorney General, I am committed to ensuring that this balance is maintained. …
We are now offering this set of privacy practice recommendations to assist app developers, and others, in considering privacy early in the development process. We have arrived at these recommendations after consulting a broad spectrum of stakeholders: mobile carriers, device manufacturers, operating system developers, app developers, app platform providers, mobile ad networks, security and privacy professionals, technologists, academics, and privacy advocates. We are grateful for their comments and look forward to working with all stakeholders in promoting and adopting these recommendations. It is my hope that our recommendations along with continued private-public collaborations will contribute to improving privacy practices in the mobile marketplace.
The document outlines recommended practices for mobile app developers, platform providers, advertising networks and “others.” As mobile app testers, it’s your job to see how well these parties follow through on the recommendations. While the recommendations are not laws (yet), they are good practices that keep user data privacy and security top of mind, which will help everyone in the long run. Here are some of the things you should look for when you test an app, based on the California recommendations:
- Is the personally identifiable data requested reasonably necessary for the app’s functionality as described to users?
- What permissions is the app asking for? Do they make sense? Can users modify these permissions?
- Are unusual or especially important practices (such as accessing sensitive information) specifically highlighted?
- Are users notified about third-party access to their data? Are the details (who the third party is, what information they can access, how long and how they will store it, etc.) shared?
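The first two checks above (is the data requested reasonably necessary, and do the permissions make sense?) can be partly automated by comparing what an app's manifest requests against what its description justifies. The script below is an added example, not code from the California report or from this blog: the `AndroidManifest.xml` is constructed for a hypothetical flashlight app, and the `SENSITIVE` table is an assumption used only to explain why a flagged permission matters; it is not a legal classification.

```python
"""Audit the permissions an Android app requests against what its described
functionality needs.  Added example; the manifest and the SENSITIVE table
below are constructed for illustration."""
import xml.etree.ElementTree as ET

# Attribute names in a manifest live in the android XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest for a hypothetical flashlight app.  A flashlight
# plausibly needs CAMERA (to drive the flash LED); it has no stated reason to
# read contacts or track precise location.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Flashlight"/>
</manifest>
"""

# Permissions that expose personal data, with the kind of data each one
# reaches.  Assumption for this example, chosen to make the report readable.
SENSITIVE = {
    "android.permission.READ_CONTACTS": "address book",
    "android.permission.ACCESS_FINE_LOCATION": "precise location",
    "android.permission.ACCESS_COARSE_LOCATION": "approximate location",
    "android.permission.READ_SMS": "text messages",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_CALL_LOG": "call history",
}


def requested_permissions(manifest_xml):
    """Return every permission name declared in <uses-permission> elements,
    in manifest order, skipping malformed entries with no android:name."""
    root = ET.fromstring(manifest_xml)
    names = []
    for element in root.iter("uses-permission"):
        name = element.get(ANDROID_NS + "name")
        if name:
            names.append(name)
    return names


def audit_permissions(manifest_xml, expected):
    """Compare requested permissions with the set the app's description
    justifies.  Sensitive permissions that are not justified are returned
    with the data they expose; other unjustified ones are listed separately
    so the tester can ask the developer about each."""
    findings = {"unjustified_sensitive": {}, "unjustified_other": []}
    for perm in requested_permissions(manifest_xml):
        if perm in expected:
            continue
        if perm in SENSITIVE:
            findings["unjustified_sensitive"][perm] = SENSITIVE[perm]
        else:
            findings["unjustified_other"].append(perm)
    return findings


if __name__ == "__main__":
    # What the hypothetical flashlight app's store description justifies.
    justified = {"android.permission.CAMERA"}
    report = audit_permissions(SAMPLE_MANIFEST, justified)
    for perm, data in report["unjustified_sensitive"].items():
        print(f"SENSITIVE  {perm}: reaches {data}, not justified by app description")
    for perm in report["unjustified_other"]:
        print(f"REVIEW     {perm}: not justified by app description")
```

The output is a list of questions for the developer rather than a verdict: an unjustified sensitive permission is exactly the case where the report asks for a special notice to users, and an unjustified ordinary permission (here `INTERNET`) is worth asking about because it is how collected data leaves the device.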
Those are just a few highlights taken from the report. If you play any role in the mobile app ecosystem, you should read the full report. It will give you insight into the different phases of a mobile app’s life and what the different stakeholders can do to ensure user privacy and mobile app security.