APPS Act implications: What developers should know about user privacy, consent

Observers worry about balancing privacy concerns with usability, retention

Let's be honest for a moment: When was the last time you, or anyone you know, took the time during the installation of a software program to read all the way through the user license agreement before clicking on the "I agree" button? And on a smartphone screen? If the answer was "recently," Joe Santilli would like to meet you.

An experienced entrepreneur and developer, Santilli is among those who have been closely following the introduction of the Application Privacy, Protection and Security (APPS) Act of 2013 by Congressman Hank Johnson, which would mandate greater transparency around the way developers collect, use and store personal information about their customers. Among other things, the APPS Act would require developers to ensure apps have "consented terms and conditions, reasonable data security of collected data, and users with control to cease data collection by opting out of the service or deleting the user's personal data to the greatest extent possible."

joe Santilli

Joe Santilli

Like many in the app industry who have looked at the APPS Act, Santilli gives Johnson points for making an effort to address privacy issues. "I think he's done a pretty good job of learning and understanding the mobile app ecosystem," he said, "but (the Act) won't translate into any meaningful protection for consumer."

That's because Santilli believes Johnson's bill ignores a central problem: that consumers don't pay attention to the safeguards that may already been in place, like those user license agreements.

"Not only are you not going to read War and Peace again, they tend to be written in complex language," he said. "People are going to click on a consent form without even reading it."

Nonetheless, Santilli hopes the Act becomes law. His most recent venture, SafeApp, is creating a digital certificate similar to Secure Socket Layer protection found in the desktop. He said such a technology would keep developers' and consumers' private data safe and secure. Others, however, are concerned that the APPS Act may be premature--or that it might go too far in ways that could make it even harder for developers to create successful businesses.

Is legislation fast enough for the app market?
Allison Remsen, executive director of Washington, D.C.-based industry coalition Mobile Future, suggested that it would be better to develop a set of voluntary best practices for developers to follow. Such efforts are already underway--the Commerce Department last year discussed the topic with the NTIA, the Application Developers Alliance and platform providers like Google and Apple.

"Mobile tech is a really fast moving sector and it's very difficult for policymakers to enact rigid rules or laws that address whatever issue they are specifically targeting without creating unintended ripple effects," she said. "An area that might raise concerns today could be resolved by rapidly evolving tech, changing consumer demands or other fast-moving market conditions well before any legislation clears Congress."

Try as lawmakers might, there is no one-size-fits-all solution for consumer privacy protection, as the APPS Act demonstrates, said Mark Brennan, an attorney with Washington, D.C.-based Hogan Lovells US LLP.

"Flexibility is key," he said. " Any detailed requirements could have the side effect of hindering pro-consumer innovation . . . We would not want to 'lock in place' the ways in which developers communicate their data policies and terms of use to consumers because that ultimately could prevent more consumer-friendly transparency models from evolving."   

Aleecia McDonald

Aleecia McDonald

Concerns remain about enforcement and penalties
According to Aleecia McDonald, director of privacy at the Center for Internet and Society at Stanford Law School, the APPS Act is fairly well-tailored to many of the concerns raised by consumer protection groups. But she said that some questions around enforcement and penalties remain.

For example, the Act gives authority around enforcement to the Federal Trade Commission, but state Attorney Generals could also use it on a more local level. McDonald also said the act doesn't cover the issue of damages. She said this could result in confusion--and a potentially expensive legal bill--if a user sued an app maker for breach of privacy or other problem.

For Santilli, the remote prospect of having to pay damages is overshadowed by more immediate concerns. Too many notifications or requests for consent could turn a lot of users off, he noted.

"Minimizing early churn or deletion of the app is the most important part of retention," he said.

The need to prepare for compliance with the APPS Act may be inevitable however, as might the need to be prepared for future laws around related issues, McDonald said.

"We're at a moment where the European Union and the United States are trying to figure out how they harmonize or not the different frameworks and legal perspectives around privacy," she said. "This Act is not something that's particular to mobile. It is not just tied to the technology. It's more about concerns around how pervasive how mobile is in our lives. This is legislation you could almost copy and paste to the Internet writ large."

How to be proactive about the APPS Act
Though she estimated developers would have about a year to comply with the APPS Act if it passes, Aleecia McDonald offered four suggestions for developers to mull in the meantime:
Develop a good privacy policy. It's age-old advice but it remains critical, she said, even for developers who don't have a legal team. Plenty of templates and tools from the likes of PrivacyChoice and TrustE can help with this, she added.
Figure out a recording mechanism for consent. A new telecom act in the Netherland requires consent be given any time someone uses technology that relies on unique identifiers, like a website cookie. "Even if you have a single customer in the Netherlands, you need to be compliant with this," she said. "This is a big deal for a lot of companies."
Ensure data security on the back end. If something goes haywire with an app, you won't just lose customers--you may have to shell out big bucks to inform them of a breach. "Data breach notification is really costly," she said, noting it could require sending a physical letter to everyone affected by a hacker. "This could wipe out all your profits."
Create a deletion process. This isn't necessarily enshrined in many laws today, but developers should think about some kind of "eraser" button that would allow consumers to remove their personal details at any time. This is different than opting out or uninstalling an app.