What changes in privacy laws mean for Android developers

The legal guidelines concerning Android and other mobile apps are in a constant state of flux, leaving developers unsure of which laws to adhere to. New California and federal laws introduced this year—and set to take effect in 2014 and 2015—will change the way app developers can utilize consumer data, track and notify users, and interface with social media.

SD Times caught up with Adam Grant, a lawyer who specializes in mobile application and online privacy laws, and talked about what Android developers need to know. We picked his brain on the laws Android developers should be aware of, the impact that waves of patent lawsuits may have on development, and the significant laws and decisions that could change the landscape of mobile app and online privacy laws.

SD Times: How would you describe the current state of mobile app and online privacy laws in relation to developers?
Grant: I represent mobile app developers and companies with an online presence, who want to obtain and use consumer information when they use their apps and when they visit their websites. What I try to stress with my clients is the importance of making sure it’s succinctly and clearly shared that you are in fact obtaining user information when they use your apps. The key is balancing the legal needs with the functional and aesthetic aspects of their product.

You need to have these privacy notices in place on the mobile app, but you don’t want to destroy the feel of the user experience. I stress to clients not to think of me at the end of the development process, because by then you’re taking a square peg and putting it into a round hole, and having to reprogram and readjust and redo all of your screens. Part of my advice always includes a cautionary tale of “Don’t take more than you need.” We need to focus on that and make sure each privacy notice is tailored to what interface will be best for the mobile app developer and the likely end user.

What should Android developers in particular be aware of when creating apps?
The most important thing Android developers need to be aware of is that the privacy laws coming from California are the laws the rest of the nation will likely follow. When I presented at AnDevCon [Boston] earlier in the year and at other developer conferences, a hot topic was, “We want to comply, but we don’t know what laws to comply with.”

Android developers should look to California law as a guiding principle, because of Silicon Valley, because of the tech industry in California, and because California tends in many respects to lead the country in progressive legislation. What’s coming down the pipe from the California legislature will usually translate into some level of legislation. That’s exactly what happened with the APPS [Application Privacy, Protection and Security] Act of 2013. It came on the heels of the California attorney general publishing a privacy notices guideline in January of 2013 for mobile app developers.

What laws are set to take effect in the near future, and how will they affect app development, Android and otherwise?
SB 46, which concerns notification of data breaches, as well as updates the timeframe of when a certain notice of breach has to be sent out in relation to a user’s username, e-mail address or use of other identifiable information. It expands the instances in which notices need to be sent out when there’s a certain breach.

AB 370, the “Do Not Track Law,” essentially tells everyone that the app operators need to have a means of responding to a Do Not Track click from a consumer. Much in the same way consumers can take themselves off a Do Not Call list, this is a logical extension into the electronic realm, and the privacy notice needs to include what the operator is going to do. Both of those laws will take effect on Jan. 1, 2014.

(Android tends to be targeted by malware)

Then there’s SB 568, which is one of the more interesting laws coming into play. This is the one taking effect in January 2015. It’s what I’d call, for the under-18 crowd, the “Whoops I shouldn’t have done that late at night on Twitter” law. All social media sites will now need to give kids under the age of 18 an opportunity to permanently erase those “whoops” posts. Part of the law also involves preventing the operators from knowingly advertising harmful products to minors, and they give examples such as firearms, tobacco, dietary supplements and alcohol.

So with all those laws coming into effect, let’s take the deleting posts law. What measures would an Android developer take to accommodate for them?
Well if their mobile app concerns social media, or interfaces with other social media such as Facebook, Twitter, Tumblr, Vine and so forth, then part of the notice needs to include the manner in which the under-18 person can erase the information. The law only applies to under-18-year-olds. So basically, once you’re over 18 and you’re dumb enough to post this stuff, that’s your problem.

Recently there was another in a long line of patent lawsuits against Google and Android, this one filed by a consortium including Apple, BlackBerry, EMC, Ericsson, Microsoft and Sony. The effects of the lawsuits notwithstanding, what effect might they have on Android development?
The logical answer to that is, regardless of whether these patent lawsuits ever end up going to trial, they are going to unfortunately set a precedent by sucking resources away from Android developers. If nothing else it’s a deterrent. So even if no actual jury makes a finding, it will tie up resources, it will cause a person to pause before they do anything that remotely enters into this realm. There have been many instances of these waves of lawsuits that have changed practices.

One way a law hits the books is when a number of lawsuits get filed and they catch the eye of the courts, and then decisions are handed down saying, “Here’s the law given the existing statutes.” What then happens is, usually someone lobbies a legislature and says they now need to actually codify what is case law, and it changes the law on the books. I see these sorts of patent lawsuits as the beginning wave to the end result of changes to the written codes, several years down the line.

Are there any cases in the works in regards to mobile app and online privacy law that Android developers should be paying attention to?
One of the things I’m following is the Delta Airlines case filed by the California state attorney general. It was filed in December 2012, essentially arguing that Delta’s Fly Delta app violates the California Online Privacy Protection Act. The way “CalOPPA” is written, if an app or website is purely informational, and there is no exchange of commerce or money going back and forth, the courts find no jurisdiction. But the California attorney general is arguing that if the only thing you’re giving is information—in other words, Fly Delta or any kind of a free navigation mobile app—if you take information from the consumer, then you can be sued in California. It turns the whole idea of jurisdiction on its head.

In March of this year, the case was dismissed, but it’s now up on appeal. What the Android developers should talk to their attorneys about is being cautious of and being counseled about what’s happening with that case. I do anticipate that case will be decided within a year, and it will decide whether California’s main piece of legislation, CalOPPA, even applies to mobile app developers.

Adam Grant is a partner at the Encino, Calif. law firm of Alpert Barr & Grant, and he’s giving two classes at AnDevCon this week. The first, “A Developer’s Dream: Never Having to Talk to a Lawyer (After Today),” is an overview of the current laws influencing development. The second, “Managing a Proper Privacy Plan for Your App,” analyzes the many laws in the process of being enacted, and how they apply to Android developers.