On October 30, 2012, California Attorney General Kamala Harris announced that her office would begin notifying the developers of as many as 100 mobile apps that their apps do not comply with the state’s Online Privacy Protection Act (OPPA) and that they have 30 days to bring them into compliance.
The announcement does not come as a surprise. Earlier this year, the Attorney General published a Joint Statement of Principles with the major platforms that distribute and sell mobile apps, providing that they will distribute only apps that have privacy policies that consumers are able to review prior to download. At that time, her office told app developers that they had six months to come into compliance or to be notified of violations. Shortly thereafter, Attorney General Harris formed a Privacy Enforcement and Protection Unit, intended specifically to enforce OPPA and other privacy laws.
In light of the Attorney General’s announcement and her continued focus on privacy, companies that collect personal information online from California residents—whether through a website, online service, or app—should take steps to ensure that they are in compliance. According to the Attorney General’s sample non-compliance letter attached to her press release, failure to comply could subject a company to a fine of up to $2,500 each time a non-compliant app is downloaded.
The Law’s Requirements
OPPA requires a commercial website operator or online service provider, including a mobile app developer, that collects personally identifiable information (PII) from consumers residing in California to post a conspicuous privacy policy. Because OPPA applies to any company that collects data online about California residents, companies both within and outside of California may be subject to enforcement activity.
Under OPPA, the privacy policy must include:
- The categories of PII that the website, online service, or app collects from its users;
- The third parties with whom such PII may be shared;
- The process by which the consumer can review and request changes to his or her PII, if the website operator, online service provider, or app developer maintains such a process;
- The process by which the operator, provider, or developer notifies consumers of material changes to its privacy policy; and
- Its effective date.
Additional Considerations
Compliance with OPPA does not necessarily ensure compliance with all applicable laws. In particular, the Federal Trade Commission (FTC) has long taken the position that privacy policies should describe, in a way that consumers can easily understand, all material collection, use, and disclosure practices. This means that, in addition to the information required by OPPA, a privacy policy should include other disclosures, such as:
- Its scope;
- How PII may be used;
- How “other information”—information that may not be considered PII but the collection of which may be material to users—is collected, used, and disclosed. This may include, for instance, users’ clickstream information or other information derived from their interaction with the website, service, or app and collected for purposes of personalizing content or displaying targeted ads;
- How PII is secured and for how long it may be retained;
- How the user may exercise various rights, such as to opt out of receiving direct marketing or to opt out of the sharing of his or her PII with third parties;
- How the user may access the PII collected from him or her and the control that he or she has with respect to it; and
- How the user can contact the operator or developer.
Drafting a compliant privacy policy is only the first step. A company must also implement measures to ensure that it complies with the representations it makes in its privacy policy, to avoid claims that its privacy policy is deceptive or misleading.
In light of the increased enforcement activity by the California Attorney General and the FTC, mobile app developers will want to ensure that their mobile apps include a privacy policy, that the privacy policy is conspicuously posted within the mobile apps, and that the privacy policy is followed in practice.