Privacy Law Blog : Privacy Lawyers & Attorneys : Proskauer Rose Law Firm : CAN-SPAM, FCRA, FACTA

What information does the Application obtain and how is it used?

• The MMA bifurcates this section into “User Provided Information” (e.g., information provided during registration) and “Automatically Collected Information” (e.g., mobile device’s unique device ID and the IP address of the mobile device).

 Does the Application collect precise real time location information of the device?

• This section is applicable to companies that collect “precise, real-time locational information.” Developers that collect such information should indicate how such information is used and, if applicable, opt-out options. Even if such information is not collected, the MMA recommends including a statement to that effect.

 Do third parties see and/or have access to information obtained by the Application?

• This section will be unique to the developer and application. In addition to disclosing to whom and in what circumstances information is disclosed to third parties, the MMA states that, generally, developers reserve the right to transfer information in the event of a sale of the application. 

 Automatic Data Collection and Advertising

• This section is intended to address applications that are ad supported. The MMA provides model language to address situations where a third party ad network obtains data for the purpose of ad targeting. 

 Where are my opt-out rights?

• This section will be unique to the developer, the application and the ad network utilized by the application, if applicable. The MMA provides an example that gives the user the following opt-out options: (a) opting out from all information collected by uninstalling the application; (b) opting out from the use of information for serving targeted ads; and (c) opting out from locational data collection.  

 Data Retention Policy, Managing Your Information

• This section is intended to communicate how long the developer will retain User Provided Data (the MMA has included “for as long as you use the Application and for a reasonable time thereafter.”) and allow users to contact the developer directly with notice to delete such data. 

Children

• This section is intended to address compliance with the Children’s Online Privacy Protection Act.   Even if the developer doesn’t need to comply with the act because the act is not applicable to the application, the MMA recommends including language that states the developer doesn’t knowingly solicit information or market to children under the age of 13. 

 Security

• This section is intended to provide an overview to the user of the developer’s security procedures and will be unique to the developer. The MMA has stated that “developers should ensure that their security procedures are reasonable.”

 Changes

• This section is intended to afford developers the flexibility to modify their privacy policy. The MMA notes that material changes to privacy practices generally require a user’s prior consent.

 Your Consent

• This section is intended to capture the user’s consent to have his/her data processed, collected and disclosed as set forth in the privacy policy. The MMA’s proposed language also geographically limits where activities related to data collected from users may occur to the United States.

 Contact Us

• This section is meant to provide email access to the developers of the application should a user have privacy questions or concerns.

While the Framework is not meant to set forth rigid parameters for developers to operate within, they do provide valuable guidelines that will assist most developers, with the help of their lawyers, to create a mobile application privacy policy that users will understand. However, it should be noted that the developers mustn’t simply rely on the language provided by the MMA; they must still draft a privacy policy to address their unique, application-specific privacy practices. Inaccurate or deceptive privacy policies are subject to actions by the Federal Trade Commission, state attorneys general and other regulators. 

• Extra-territorial reach: The rules would apply to any processing of personal data related to EU citizens and non-EU citizens living in the EU, even where the data controller is located in a country outside of the EU. Further, Binding Corporate Rules (which have, to date, been used to legitimize transfers among members of the same corporate group only) are also explicitly addressed in the proposed rules, lending them additional support as a mechanism to transfer personal data and simplifying the approval process.

• Data Protection Regulator: Data controllers and data processors would be regulated by the data protection regulator in the EU country where they have their “main establishment,” creating a simplified “one-stop-shop” approach.

• Data Protection Officers: Public authorities and private companies with more than 250 employees would have to appoint a data protection officer to ensure data protection compliance.

• Reporting Obligations: The current obligation requiring companies to notify data protection supervisors of all data protection activities would be repealed. A company would however be required to notify its national data protection regulator of a personal data breach without undue delay and, where feasible, not later than 24 hours of becoming aware of it.

• Right to Data Portability: Individuals would have easier access to their own data and be able to transfer personal data from one service provider to another more easily. This change is intended to improve competition among services.

• Right to be Forgotten: Data controllers would be required to delete an individual’s personal data if that person explicitly requests deletion or otherwise when there is no other legitimate reason to retain it.

• Powers of National Data Protection Authorities: The powers of national data protection authorities would be strengthened so they can better enforce the EU rules in their jurisdictions. They would be empowered to fine companies that violate certain EU data protection rules up to €1 million or up to 2% of the company’s global annual turnover.

• Explicit Consent: Consent to process data would be required to be explicit (rather than merely assumed). Further, parental consent would be required to be obtained when processing personal information from children who are under 13 years old.

• Obligations to Demonstrate Compliance: Companies would be required to adopt measures to document and demonstrate compliance with the new rules.

The EC’s proposals (including this Regulation Proposal and this Directive Proposal) have been passed from the EC to the European Parliament and EU member states for discussion. It is anticipated that the new rules will take effect two years after they have been adopted—hence they are unlikely to be effective prior to 2014.