
CA to app devs: get privacy policies or risk $2500-per-download fines - ajdecon
http://arstechnica.com/tech-policy/2012/12/ca-to-app-devs-get-privacy-policies-or-risk-2500-per-download-fines/#p3n
======
rprasad
What the CA Privacy Act requires:

1) type of information gathered by your website/app

2) if and how the information may be shared with third parties

3) the process by which a user can review and make changes to their stored
information

4) your privacy policy's effective date

5) a description of the changes made to your privacy policy since it first
became effective (i.e., a bullet point list)

#4 and #5 are very easy.

#1 should also be easy. If you are collecting any information from the user's
phone (i.e. contacts), from other apps (i.e., fitness apps), from websites
(i.e., facebook/twitter), or from the user directly (i.e., a form), you list
it here. The law requires only a general description, but good guys will be
specific about the type of information they are requesting. (General means,
"your contact information, birthday, friends list." Simply saying "your
personal information" is too general.)

#2 should be easy: are you using 3rd party APIs or services (AWS, Dropbox,
Facebook)? If so, what customer information is being shared with them? _This
includes information shared for technical reasons, i.e., to retrieve a
customer's facebook friends using the email address he entered into your app._

#3 does not actually require you to have a process for the user to review the
data you have collected. However, since you already have collected the
information, it is trivially easy to show the user what you have collected.

