Gonzalo E. Mon is a partner in the Advertising Law practice at Kelley Drye & Warren LLP and his co-author, John J. Heitmann, is a partner in the firm’s Telecommunications group. Read more on Kelley Drye’s advertising blog, Ad Law Access, or keep up with the group on Facebook or Twitter.

If you work with mobile apps, you may already know that privacy is a hot issue. Regulators are pushing companies to improve their privacy practices, Congress is contemplating new laws, and class action lawyers are suing companies that don’t clearly disclose their practices. In the past few weeks, this focus on privacy intensified as the FTC, the California Attorney General, and even the White House weighed in with new announcements.

Two things are clear from this recent burst of activity. First, regulators are putting pressure on everyone in the mobile app ecosystem to improve their practices, so you can’t just assume that it’s your partner’s responsibility to comply. Second, with the number of regulators focusing on these issues, it’s going to be a lot harder for companies to hide. No matter what role you play in the mobile app ecosystem, you should pay attention to these developments. Here’s what you need to know.


Increased Focus on App Privacy


In February, the FTC issued a report about mobile apps directed to children. Although these apps can collect a broad range of information, the FTC noted that neither the app stores nor app developers provide enough information for parents to determine what data is collected from their children or how it is used or shared. In some cases, this could be a violation of federal law. The FTC wants all members of the kids app ecosystem to play an active role in making appropriate disclosures to parents.

Shortly after the FTC issued its report, the California Attorney General announced an agreement with the leading app stores in which the stores agreed to add a field in the app submission process for developers to post their privacy notices or a link to a privacy policy. The agreement is intended to ensure that consumers have an opportunity to access pertinent privacy information before they download an app. Moreover, the app stores have committed to provide a mechanism for consumers to report apps that don’t comply with laws or the app store’s terms of service.

And the White House also stepped into the debate by announcing a data privacy framework that establishes a “Consumer Privacy Bill of Rights.” Although the framework speaks broadly about privacy issues, several sections discuss issues that are particularly relevant to the mobile space. For example, the White House encourages app developers to collect only as much personal data as they need and to tailor their privacy disclosures to mobile screens.


5 Tips to Stay Ahead of the Regulators


Given the quickly changing legal landscape — and the growing number of government institutions that want to play a role in that landscape — it can be difficult for companies in the mobile app space to understand what is required. The following five tips address concerns that all of these institutions appear to share. Accordingly, they should form the starting point for your legal analysis when you develop and launch an app.

1. Don’t collect more than you need.

Because data can function as the currency of the digital age, there is often a tendency to collect as much data as possible. Companies think that even if they don’t have an immediate use for the data now, they might find a use (or a buyer) for it later on. Although this may be true, resist the temptation to collect more data than you need for your app to work. This is a core principle of the FTC’s “privacy by design” framework, as well as the new White House framework.

2. Disclose your privacy practices.

You need to make sure that users can easily learn what information you are collecting from them and how you are using it before they download your app. (The changes the app stores are making as a result of their agreement with the California AG will make this easier.) Make sure that your privacy notices are easy to read and tailored to the mobile setting. If you’re looking for a place to start, consider the Mobile Marketing Association’s Privacy Policy Guidelines for Mobile Apps.

3. Be careful with children.

If you collect personal information from children under 13, you need to comply with the Children’s Online Privacy Protection Act. Among other things, COPPA generally requires companies to obtain verifiable consent from parents before they collect personal information from their children. The FTC has challenged app developers for violating COPPA, and the agency’s latest report suggests that the FTC expects all members of the kids app ecosystem to play a role in complying.

4. Consider when to get consent.

Although various bills pending in Congress would require companies to get consent before collecting certain types of information, outside of COPPA, getting consent is not a uniformly applicable legal requirement yet. Nevertheless, there are some types of information (such as location-based data) for which getting consent may be a good idea. Moreover, it may be advisable to get consent at the point of collection when sensitive personal data is in play. Work with your legal counsel to determine what makes sense in your context.

5. Protect the information you collect.

Unfortunately, it’s not uncommon to read stories about major companies that experience data breaches. Data breaches can be costly to address, and they may result in lasting damage to your brand. If you are collecting information from consumers, you need to ensure you have physical, electronic, and procedural safeguards to protect that information. For example, certain data should be encrypted and you should limit access to it. Moreover, you should properly dispose of data when you no longer need it.

Brett Miller is the president of Custom Software by Preston (CSP). For more than 10 years, CSP has impressed clients with highly effective software solutions and teams of multi-talented software engineers.

A software development client should complete a thorough “due diligence” before selecting a developer for his critical project. Then, he must complete the finalization process by drafting and executing the legal contract/agreement.

Contracts attempt to define the responsibilities and duties of each party; however, people often overlook whether a contract covers certain risks associated with non-performance.

Take a look at the eight scenarios below. These tips can help your company cover its legal bases when contracting a software developer, or vice versa.


1. Time & Material (T&M) or Fixed-Price Contracts


In a “time and materials” contract, the client assumes the burden of cost overruns, whereas in a “fixed-price” scenario, the developer assumes this risk. Weighing the two, many clients assume they are ahead of the game by passing the potential for cost overruns to the developer. However, they fail to consider that the developer must add that cost potential into their fixed bid up front. So in a fixed-price contract, the client pays the extra cost, even if it proves to be unnecessary.

Fixed-price contracts also have the potential to create disputes. Often, deliverables that were implicitly intended might not be included in the original project scope. Both parties should be very aware of what exactly is included in the project. Fixed-price means there is a fixed scope of work, unless additional moneys are paid.

In a time and materials contract, the developer gets paid on an hourly basis. The motivation to finish quickly may be diminished by the opportunity to bill more hours. In this case, the client takes the risk that the developer will prioritize his own desire to profit on the project.


2. General Note on Contracts and Non-Disclosures (NDAs)


Contracts and NDAs are legal instruments which establish the rights, duties and privileges of those who are a party to the agreement. These instruments protect both parties to the extent that they are willing to pursue them in a court of law.

Here is a simple rule of thumb, although I encourage you to also check with legal counsel. Unless the dispute is over $10,000, most attorneys won’t take the case. And even if they do, they usually keep one-third of any money they collect. It can take several years to win in court, and the problem is further exacerbated by the fact that the losing party may no longer be in business or have assets from which to pay. One last note: many contracts call for the losing party to pay the legal costs for the winning party, which can save you money if you win, but cost dearly if you don’t.


3. Advanced Payment – The Industry Standard


Many contracts call for advance payments or retainers. Essentially that means the developer works on the client’s money, and therefore, the client bears the risk for the developer’s potential lack of performance. This is the norm in the information technology field. Very few developers will take money out of their own pockets to build a client’s project (in the hope that the client will pay).

An improvement to this model would be to limit the retainer to two weeks’ worth (or less) of development time/labor (weighing the progress of deliverables). Upon client acceptance, the retainer can be replenished for the next cycle. Sending a wire or paying via credit card allows for instantaneous payment. Client risk is a bit more limited when using this approach.


4. Phased Payments – The Other Industry Standard


Some projects are divided into three or more segments. The first phase is paid up-front (client risk); the second is paid at some pre-arranged interval (equal risk); and the last payment is made upon project “completion and acceptance” (developer’s risk). In this scenario the last payment can be problematic to collect, as subjective issues can arise regarding quality and scope.

One minor modification to the phased payment method specifies that the developer finish the final deliverable in their own environment, to which the client has access for testing. Upon client acceptance, the final payment is made and the vendor transfers ownership of the application and all code to the client. This is a very solid technique for balancing risk.


5. Warning! Warning! Kill Switches


Some unscrupulous software vendors build a kill switch into their applications. In the event of a dispute (and the client refuses to pay), the vendor can remotely shut down the application. I recommend that your contract include language that prohibits this “extortion-like” practice.


6. Disappearing Freelancers


Many IT Professionals have heard this story before: A company finds what appears to be a knowledgeable (and affordable) freelancer on the Internet. Initial contacts with the individual indicate great responsiveness. Payment is made, a few conversations take place, some small progress is shown — then all communication goes dark and the freelancer disappears.

I believe this most often occurs when, with the best of intentions, a freelancer takes on a project and finds out he bit off more than he could chew. He believes his efforts were substantial, but things just didn’t work out (in other words, “not their fault”). Even more important, as a freelancer he is simply not in a position to refund any money. It’s easier to disappear than to deal with the conflict, so he runs.

Freelance software developers do offer expertise, experience and cheaper rates due to lower overhead, but the clear risk is a lack of any substantial backing. Therefore, this model does have more risk for the end client.


7. Payment via PayPal or Credit Card Carriers


Many developers accept payment via PayPal, and some even accept credit cards. These credit carriers offer “dispute” mechanisms that allow the payer to challenge any charge for which the goods or services were not delivered as promised or described. This method should be encouraged by the client (even if they need to pay the credit card processing fees), as it provides additional protection.

Vendors have an opportunity to respond to any dispute. Carriers are, to a certain degree, arbitrators, and if they receive enough complaints, a vendor’s account can be canceled.


8. Risk Assessment


Software development projects carry financial risk factors for both parties. These risk factors need to be considered seriously and should be discussed with an attorney. Clients and developers alike need to know what they are getting into and prepare for scenarios that don’t work out as planned.


Arguments have raged across the web during the past week about the Verizon-Google Legislative Framework Proposal (read the full document). Opinions range from “it’s great” to “this threatens the underlying foundation of the Internet” and “Google’s gone evil”.

This is my take. The proposal primarily affects US Internet users and, although I’m not a US citizen, the issues will almost certainly affect and/or influence other parts of the world. I do not claim to have unbiased opinions or legal expertise. You may agree or disagree; the discussions will continue for many months — probably years.

What is Net Neutrality?

In essence, net neutrality means all web traffic is treated equally. It does not matter whether the user is downloading a Wikipedia article, a YouTube video, a spam email, or an illegally copied MP3 — no data packet has priority over any other.

The Internet operates under this principle … to an extent. Individual ISPs may restrict your bandwidth or perhaps limit torrent downloads during busy periods. Mobile operators usually operate stricter controls to ensure networks remain responsive: they can — and will — block certain content.

The Federal Communications Commission (FCC) had been negotiating with leading providers to outline a framework for the future regulation of US Internet services. This effort was recently abandoned.

What is the Google and Verizon proposal?

The Verizon-Google Legislative Framework Proposal is a response from both companies to the debate in Congress about the National Broadband Plan and the US Government’s role in the future of the Internet.

Google and Verizon are free to make any recommendations they choose. Both companies have an agenda and neither would make a statement that was not in their best interest. Congress can choose to accept, reject or ignore any proposal and the recommendations are not US legislation. Yet.

The key points are summarized below:

1. Non-discrimination against lawful Internet content
A broadband ISP would be prohibited from preventing user access to lawful content or services. The provider must disclose accurate information about their capabilities and network management. The FCC would be responsible for enforcing consumer protection and can impose fines of up to $2 million for companies violating the rules.

These proposals appear reasonable and received the least attention. However, non-discrimination is limited to “lawful” content without clarifying that term or identifying the policing authority. The flip-side of the proposal is that ISPs could block illegal content.

Laws differ from country to country. Even legal practices in one US state may be outlawed in another. Possible issues include:

  • Sectors such as the entertainment industry could argue that certain types of content breach copyright laws. This could include pirated material or works that mention or are influenced by another.
  • Companies could use legal precedents to block competitor services and gain an advantage.
  • Individuals or organizations could use privacy or other laws to block negative articles.

The proposal could hinder free speech and innovation. In addition, an ISP could be exempt from net neutrality principles if it can claim it’s upholding the law. Even a $2 million fine would be a negligible risk to most large carriers — especially if they can profit from prioritizing content.

Finally, it’s interesting to look back to January 2010 when Google threatened to quit China because its Government blocked content which it deemed illegal. How is this different?

2. Network management
ISPs are permitted to engage in reasonable network management to provide a reliable service, e.g. reduce congestion, ensure security, address harmful traffic, etc. Many have latched on to this issue as a direct attack on net neutrality, but ISPs already engage in the practice. The proposal states they should be transparent and disclose all network management policies.

The most controversial element is Additional Online Services. In effect, ISPs would be free to offer alternative non-internet services which are “distinguishable in scope and purpose from broadband Internet access service”. These services can make use of the internet and prioritize traffic. The FCC would monitor the systems to ensure they do not threaten the meaningful availability of broadband Internet access.

Services such as health and gaming systems have been mentioned, but it’s difficult to evaluate the effect of alternative networks until they’re implemented. It’s unlikely we’ll see separate commercial networks for websites such as YouTube but it remains a possibility. Few people would want to use a fragmented Internet.

3. Exclusion for wireless
With the exception of service transparency, wireless networks are exempt from the legislation because of their “unique technical and operational characteristics”. This seems strange, and many have speculated a conspiracy: Google could want Verizon to prioritize Android devices.

Wireless networks could become the predominant method of net access over the next few years. If that occurs, what is the point of these proposals? Again, there’s no definition of what constitutes a wireless network. Could a cable ISP put a router outside your house, claim they have a wireless network and avoid legislation?

Overall, I find it strange that Google and Verizon have stepped into the political debate. They may be key players but many of the proposals seem too vague to be workable. At worst, the companies appear to be advocating net neutrality exclusions and have been attacked accordingly. The biggest worry is that Congress will approve legislation without an appreciation of the underlying technical issues.

The debate has just begun.