
Many of the most popular mobile apps collect personally identifiable information. Although most app developers are not required to display a privacy policy under federal law, they are contractually required to do so pursuant to the terms and conditions of the websites that market most major mobile device applications (e.g., the Apple Store, or Google Play). In addition, the California Attorney General has taken the position that applications that collect personal information are required to post a privacy policy pursuant to the CalOPPA discussed in the previous section.

$2,500

The possible penalty under California law for each app downloaded without a privacy policy.[1]

11%

The percentage of banking related apps reported to contain harmful code.[2]

90%

The percentage of mobile health and finance apps with at least two critical security vulnerabilities.[3]

> 60%

The percentage of popular dating apps vulnerable to hacker exfiltration of PII.[4]


Consider the following privacy issues when developing a mobile app:

  1. Does the app have a privacy policy? Privacy policies are a best practice if the app will be used in connection with personally identifiable information. As discussed above, there is also an argument that they may be required if they solicit information from California residents.
  2. Is the app directed to users younger than 13? Under the Children’s Online Privacy Protection Act (“COPPA”), if the app collects information from children it must include a privacy policy as well as comply with additional requirements imposed under that Act. See the section titled Collecting Information From Children for more information.
  3. How is personally identifiable information stored by the app? Apps can store data in multiple places, including the device, backups of the device, and the app provider’s servers. A best practice is for a mobile app’s privacy policy to state accurately where personally identifiable information is stored.
  4. Does the app communicate personally identifiable information to others? A useful privacy policy accurately states whether data that the user provides is relayed to anyone else.
  5. Does the mobile app provider securely communicate any personally identifiable information? A 2016 study concluded that 35 percent of apps utilize non-encrypted communications. Consider stating within the app’s privacy policy whether the app transmits personally identifiable information, and, if so, whether the information is encrypted in transit.

1. California Online Privacy Protection Act (CalOPPA), Consumer Fed’n of Cal. Educ. Found. (July 29, 2015), https://consumercal.org/about-cfc/cfc-education-foundation/california-online-privacy-protection-act-caloppa-3/.

2. Pierluigi Paganini, 11 Percent of Mobile Banking Apps Include Harmful Code, Sec. Affairs (Feb. 7, 2015), http://securityaffairs.co/wordpress/33212/malware/mobile-banking-apps-suspect.html.

3. Arxan Tech., Inc., 5th Annual State of Application Security Report: Perception vs. Reality, 2 (2016), https://www.arxan.com/wp-content/uploads/2016/07/Consolidated-Report-SINGLE-PAGE.pdf.

4. IBM Sec. Intelligence, IBM Security Analysis: Dating Apps Vulnerabilities & Risks to Enterprises, 2 (2015), http://www-01.ibm.com/common/ssi/cgi-bin/ssialias?subtype=WH&infotype=SA&appname=SCTE_WG_WM_USEN&htmlfid=WGL03072USEN&attachment=WGL03072USEN.PDF.