California Attorney General Kamala Harris recently announced an agreement between California and the six largest producers of cell phone applications (apps), namely, Amazon, Google, Apple, HP, Microsoft, and RIM, intended to bolster the privacy of California purchasers of cell phone apps.The agreement was pursued by the AG’s office to ensure compliance with California’s Online Privacy Protection Act, which requires online service providers that collect the personal information of California citizens to “conspicuously” post their privacy policies.

There is no single law that defines “personally-identifiable information” or specifies what information must remain private on a nationwide basis. Rather, U.S. privacy laws consist of a patchwork of state-by-state prohibitions, sector-specific laws, and federal regulations. The Gramm-Leach-Bliley Act, for example, establishes the guidelines for the collection of financial data, pin numbers, and similar information, in conjunction with regulations established by the Federal Reserve Board. Violations of these policies are enforced by the Federal Trade Commission.

The protection of personal information, however, is left to each state. California’s privacy laws, one of the strongest nationwide, define personally-identifiable information as information that can be used to identify an individual, such as names, addresses, telephone numbers, email addresses, social security number, or other personal details.

Under the AG’s agreement, all apps available on the six companies’ service sites must provide “clear and complete” privacy policies explaining about how users’ personal data is collected, used, and shared. Apps that do not make use of personal data do not need to present a privacy policy. The AG has emphasized that it intended to prosecute violations of the agreement vigorously, through fines and other legal proceedings. The AG’s agreement with the six cell phone app manufacturers came on the heels of an investigation revealing that most mobile applications have no privacy policies, meaning that consumers storing their personal and information on cell phones regularly have their information used by and potentially sold to third-party vendors of app-makers, without their knowledge, authorization, or approval.

Consider the example of digital music service-provider Spotify (www.spotify.com). Spotify requires prospective users to waive their right to bring a class action, agree that only the laws of New York will apply to disputes with Spotify, and give Spotify automatic access to the user’s information, including the searches made, date/time of the request, performance statistics of the user’s computer and network, and details of the user’s computer, operating system, application version, browser type, and language. Spotify also tells users that their personal information “including gender and age and postal address” will be shared with anyone who merges with or buys Spotify.” Users have no choice but to agree, if they want the app. The agreement, though a positive development for California consumers, is only the first step.

The AG’s office has asked the six app manufacturers to continue working with its office to develop best practices for mobile privacy and mobile privacy policies. In six months, they are scheduled to re-convene with the AG to assess the progress that has been made.