Is Your Music App Compliant? #Conspicuous Privacy Policy
By San Francisco-based entertainment and IP attorney Daniel Turner (@dantrnr). Contact: turner@gammallp.com.
In music tech, the medium truly is the message. And as 2012 comes to a close, it is a practical truism within the industry that 'apps are the future of music.' In fact, if current analytics are at all reliable, it might be fair to say that 'apps are music's present.'
As any developer or technology industry insider also knows, there always exists a significant 'law lag' between policy and technological innovation. When it comes to apps, the story is no different. While apps have for some time been driving mobile tech R&D and marketing strategy, they have largely remained off the radar of law enforcement. Well, it looks like the law may finally be catching up.
Staying true to her threat, California Attorney General Kamala D. Harris (D) has filed the first enforcement action against a mobile app operator for failure to conspicuously post a privacy policy on their website. The December 6, 2012 complaint filed against Delta Air Lines alleges that despite the collection of customers' "personally identifiable information" ("PII"), the "Fly Delta" app does not have a privacy policy. At stake for Delta (and all future defendants) is a potential fine of up to $2,500 per download and a permanent injunction against continued use of the non-compliant app.
Delta cannot complain that it was caught off guard by the lawsuit. In February of 2012 Harris succeeded in negotiating a privacy protocol with 6 majors of the tech world (Apple, Amazon, Microsoft, Google, Hewlett-Packard and Research in Motion). Then in July of 2012 Harris announced the creation of a Privacy Enforcement and Protection Unit within the CA DOJ. Finally, in a widely publicized notice dated October 26, 2012, Harris informed 100 companies (including Delta) operating in CA that they had 30 days to comply with the California Online Privacy Protection Act ("CalOPPA"). CalOPPA requires companies that collect PII through a "commercial Website or online service" to "conspicuously post its Privacy Policy on its Website." While the 2004 law does not specifically refer to mobile apps, Harris' October 26 notice made absolutely clear that as far as the CA DOJ is concerned, "[a]n operator of a mobile application ('app') that uses the Internet to collect PII is an 'online service' within the meaning of CalOPPA."
The music tech community should pay particularly close attention to this shift in consumer protection strategy. Because music tech is often on the cutting edge of app development and is one of the best-positioned industries to monetize user-collected data, it may quickly become a target of zealous enforcers.
With no Federal guidelines to follow, and no case law on the books, the question of what exactly is required of app developers vis-a-vis privacy policies remains somewhat murky. Assuming that the courts will agree with Harris' argument that operators of mobile apps are running an 'online service,' CalOPPA lays out specific privacy policy form and content requirements. With regard to content, the privacy policy in question must at the very least "[i]dentify the categories of personally identifiable information that the operator collects," and describe the process by which the operator will notify consumers of material changes to the policy.
All apps are not created equal. Gone are the days when a company could simply 'adopt' the policy of YouTube or Facebook and feel like they adequately covered their bases. Innovative uses of geolocation capabilities, optimization of user preference data to create unique modes of music discovery, scrobbling user-sourced media, multipurpose social sound sharing platforms, and the design of real-time interactive user experiences are just a few of the technologies utilized by music tech apps that must receive specific attention within a privacy policy.
In short, what this means for app operators and developers is that they must craft personalized privacy policies that at minimum identify what the app does, what personal information is being gathered, how it is stored and how the company will notify customers of changes.
DISCLAIMER – The information presented here is purely for educational purposes and should not be relied upon as legal advice. Legal information is not the same as legal advice. Legal advice involves an examination of the particular facts of your case and an analysis of how the relevant law applies to those unique facts. In no case should a general informational blog be used as a substitute for the advice of a competent attorney, licensed in your state, conducting a thorough legal analysis.
Privacy Policies are important because they somehow give an assurance that information provided by consumers. Since there are no rules governing this, it is up to the developers to assure their consumers that personally identifiable information is always kept private.