This story was written by Keith Dawson for UBM DeusM’s community Web site Develop in the Cloud, sponsored by AT&T. It is archived here for informational purposes only because the Develop in the Cloud site is no more. This material is Copyright 2012 by UBM DeusM.

Mobile Privacy Guidelines from California

Common-sense suggestions still rile industry.

California's Attorney General has released 23 pages of suggested best practices on mobile privacy, for developers and other players. The ad industry doesn't like the suggestions.

The current A-G of California has been making a priority of mobile privacy, as we have been discussing. Kamala Harris has pushed to extend a California law, the Online Privacy Protection Act, to cover the mobile devices that did not even exist when the law was written in 2004.

Last year Harris staffed up a Privacy Enforcement and Protection Unit in the state's Department of Justice. This unit has now authored Privacy On the Go: Recommendations for the Mobile Ecosystem (PDF). It contains recommendations for bet practices for a number of players in the mobile sphere: app developers as you would expect, but also app-store providers (such as Apple and Google), advertising networks, operating-system providers, and mobile carriers.

Beyond the laws
The recommendations go well beyond existing federal or state laws, even the privacy-friendly California laws as expansively interpreted by this privacy-friendly regulator. Here is how Ars Technica summarizes the suggestions:

The state recommends that app developers limit data collection, limit data retention, and avoid using global device identifiers that could be correlated across apps. The report also recommends using encryption to handle data, limiting access to personal user data by employees, and designating an employee to periodically review an app's privacy practices to ensure that the privacy policy remains up to date.

These all sound sensible, even if they go beyond what is mandated by law. Where the A-G's report steps out on a limb is in the section recommending that mobile apps take special care with "sensitive information." This is a category of data not generally codified in law. The report defines it as follows:

Sensitive information is personally identifiable data about which users are likely to be concerned, such as precise geo-location; financial and medical information; passwords; stored information such as contacts, photos, and videos; and children's information.

While we may agree that such information would qualify as "sensitive" to the average user, the ad industry has never agreed to any such classification, and it seems particularly disinclined to do so.

Ad industry reacts
A coalition of advertising industry groups leaked to Ad Age a draft letter (PDF) intended for Kamala Harris. The letter lays out, in a lawyerly way, all the objections these trade groups have to the initiative the California A-G is pushing. The heart of the objections must be that following California's recommendations would hobble the advertising ecosystem and its thousands of players.

This recommendation alone, from page 15 of the A-G's document, would hamstring most of targeted mobile advertising as it is practiced today: "Move away from the use of unchangeable device-specific identifiers and transition to using app-specific and/or temporary device identifiers."

No wonder the industry has a beef with this document, generated by a regulatory agency that has not (yet) been captured by the industry it exists to regulate. The plain fact is that the practice of Internet advertising works in fundamental opposition to user privacy. The same is true to a far greater degree for mobile advertising. The interests of user privacy and advertising won't be reconciled by any such best-practices guide, however well-intentioned.

Related posts: