NB: This is a guest article by John Pavolotsky, a practicing legal professional who focuses on technology transactions and other intellectual property matters at Greenberg Traurig.
Mobile apps are pervasive and, in many cases, mobile is becoming the preferred interface to access software applications, especially in the travel sector where the fit is natural between provider and the traveler on-the-go.
But while some time may still pass until vacations are booked primarily via an app, we are certainly much closer today than only a few years ago.
Pitfalls
With opportunity, of course, comes some risk. The process of developing an app is still relatively new. That said, in many cases, the issues presented in connection with developing an app are similar to ones associated with developing custom software.
For example, apps may be, and in fact, tend to be, developed by third parties, and without a contractual provision presently assigning the developer’s intellectual property rights in the app to the client, unless the app is a work-made-for-hire, under federal (US) copyright law, the app will be owned by the developer.
To that end, care should be taken to prepare a consulting agreement addressing, among other things, ownership of the app and any related intellectual property.
Likewise, the agreement should have the developer indemnify the client from any claims made by any third party that the app (including any data accessed or presented by it) infringes on any intellectual property or other rights of that third party.
An indemnity is simply a promise to compensate another entity for a loss.
Things to remember
Mobile travel apps, in particular, require access to and presentation of data from a multitude of sources, such as GDSs (Global Distribution Systems), map platforms, and social networking sites, if there is a social component.
As such, it should be understood by both the developer and the client which sources need to be accessed, whether any licenses (API (application programming interface) or other) are required, and the scope and cost of these licenses.
If, for example, the API license is for internal use only, and the API will be accessed by the app to present data to consumers, a distribution license will need to be procured, even though it is debatable whether APIs are copyrightable, and thus require a license.
Many apps still do not have privacy policies.
Here is an example concerning recent developments in California, US. Apps that collect personal data from California consumers must have a conspicuously posted privacy policy, in the view of California’s Attorney General, Kamala Harris, as stated in the "Joint Statement of Principles" issued on February 22, 2012 and signed by seven leading technology companies (Facebook, Amazon, Apple, Google, Hewlett-Packard, Microsoft, RIM).
In practice, this requirement is universal, because a developer may not be able to prevent California consumers from purchasing the app, or will likely not want to.
The Joint Statement provides, among other things, that in the application submission process there will be included:
- either an optional data field for a hyperlink to the app’s privacy policy or to a statement describing the app’s privacy practices
- an optional data field for the text of the app’s privacy policy or a statement describing the app’s privacy practices
These elements make it easier for developers to comply with the requirement to have a conspicuously posted privacy policy.
Privacy policies generally describe how personal data is collected, used, and shared. Continuing the example outlined earlier, the California Online Privacy Protection Act (2004), which is cited by California Attorney General Harris in the Joint Statement, provides additional details about the contents of such policies.
Of course, the California Department of Justice, and in particular the newly-formed Privacy Enforcement and Protection Unit, may prosecute violations of other data privacy and security laws. For example, if app developers do not abide by the posted policies, there is liability under California’s Unfair Competition Law and/or False Advertising Law.
Further, others, including the (US) Federal Trade Commission, have taken an acute interest in privacy policies and security practices.
Failure to post or abide by a privacy policy, or to comply with any other applicable laws, will give rise to a breach of the distribution or license agreement between the developer and the relevant app store and in turn to an indemnity, requiring the developer to pay for all of the liabilities and costs incurred by the app store due to the breach.
Data - lots of it
Apps generate a sea of data, and it is thus critical for the developer to address use and ownership of the data, whether in a privacy policy, data policy or mobile EULA (end user license agreement) discussed below.
Data may have tremendous commercial value, especially in the case of free apps, for which the primary revenue source is in-app advertising, which is wholly dependent on the data collected by the app.
Many apps, and especially those that are travel-related, feature LBS (Location-Based Services). Some may know that CTIA (Cellular Telecommunications Industry Association) has published Best Practices and Guidelines (March 23, 2010) (“Guidelines”), "intended to promote and protect user privacy as . . . ‘LBS’ are developed and deployed".
By way of example, the Guidelines would apply to a developer that makes available through a digital app store an app that requires the user to be located in order to provide roadside assistance or directions to a local travel hot spot.
The Guidelines are premised on notice (of how the location information will be “used, disclosed and protected”) and consent (which may be implied if a user requests a service, such as roadside assistance, which cannot be provided without a user’s location). The Guidelines address a number of other topics, including the security and retention of the location information.
The Guidelines, however, do not address, except by reference to illustrative "Location Based Privacy Policies" available via a link in the Guidelines, international LBS issues, such as transfer and processing of data to and in a country other than where the services are being used.
Regardless, the LBS provider should, whether in a privacy policy, EULA, or otherwise, obtain consent to such transfer and processing and, more broadly, and as discussed, address issues like use and disclosure of the data collected by the provider.
As a practical matter, in vetting apps, digital app stores will ask whether or not the app has LBS capabilities and will want to be assured that, at the very least, the Guidelines are being met.
End-user issues
Lastly, as part of the application submission process, the developer will have the option to include its own mobile EULA to accompany the app, to state the rights and remedies of the consumer and developer with respect to the app.
The distribution or license agreements for each app store are, as one might expect, rather different. One digital app store might require the developer to incorporate certain terms into the mobile EULA. Another might not have any such requirement, but simply provide that if there is a conflict between the mobile EULA and the distribution agreement, the latter will govern.
At any rate, each distribution or license agreement with the particular app store should be carefully reviewed.
As for the EULA itself, it should reference the app’s privacy policy and address, among other things, ownership, use restrictions, warranty disclaimers, and limitation of liability, and more generally, just like the privacy policy, be specifically tailored to the capabilities of the app and be consistent with the company’s business practices.
Good luck!
NB2: Mobile lifeboat image via Shutterstock.