A graphic from 'Privacy on the Go' illustrates recommendations for building privacy into mobile apps. (Credit: California Office of the Attorney General)

California's attorney general issued long-promised guidelines on mobile privacy today. The "Privacy on the Go (PDF)" report address the varied interests in smartphone and mobile app development, including app developers, carriers, ad networks, and operating system makers.

"We are now offering this set of privacy practice recommendations to assist app developers, and others, in considering privacy early in the development process," Attorney General Kamala Harris wrote in an introduction to the guidelines.

Sarah Downey, online privacy analyst at online privacy firm Abine, agreed that it's important to get the various mobile interests focused on privacy early. "Apps in previous years wouldn't even have privacy policies," she said, and noted that this could force a major change in how mobile interests do business.

"California is way ahead of the rest of the country when it comes to privacy," Downey said.

The guidelines appear to address both common-sense and forward-thinking recommendations, as well as a range of general and specific guidance. For app developers, for example, the document suggests avoiding "surprises" such as "collecting personally identifiable data from users that are not needed for an app's basic functionality," such as the user's contact list.

"It seems a bit sad that the attorney general has to say that somebody's address book has to be kept private, but I guess that's the world we live in these days," said Kent Lawson, CEO of the mobile and desktop VPN app Private WiFi.

Another example from the guidelines: ad networks are advised to "avoid delivering ads outside the context of the app," such as by modifying browser settings or placing icons on your home screen.

Downey said that it was unusual for the guidelines to be as specific as these are, but that it was a good step in a pro-privacy direction.

"It mentioned using non-persistent identifiers, so that you don't have a single tracker leading back to you," she cited as an example of how the guidelines advised parties to put privacy first.

However, she was also quick to note that the guidelines are merely that, and not law.

Lawson agreed. "Disclosure statements are like terms and conditions, it means so little [in terms of enforcement]. At least something is being done," he concluded.