Privacy

California Attorney General Issues Warning to Multiple Mobile App Developers

Published: Nov. 01, 2012

Updated: Oct. 05, 2020

As many as 100 mobile app providers, including United Continental Air Lines, Delta Air Lines and Open Table, have received warnings from the California Attorney General that they are violating the California Online Privacy Protection Act (OPPA) for failing to conspicuously post their privacy policies. The OPPA requires online services that collect personal information from Californians to conspicuously post a privacy policy.

California historically has been aggressive in protecting consumers’ privacy online; indeed, OPPA was the first state law requiring the posting of online privacy policies on a company’s website. Even though OPPA applies only to personal information collected from California residents by operators of websites or online services, it has become a de facto national privacy law requiring these companies to post a privacy policy on their websites.

In an effort to extend OPPA to mobile devices, platforms and apps, this past February, California Attorney General Kamala D. Harris argued that OPPA covered mobile applications and forged an agreement with mobile application platform providers, including Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research in Motion.  (In June, Facebook joined the agreement extending privacy protections to social apps in the Facebook App Center.)  Under the agreement, consumers will be afforded the opportunity to review an app’s privacy policy before downloading the app, and also will be provided with a consistent place from which to view an app’s privacy policy on the app-download screen.  Our previous blog post provides further details on the agreement.

Then, this past July, Harris formed the Privacy Enforcement and Protection Unit (PEPU) within California’s Justice Department to oversee privacy issues and prosecute companies that run afoul of the state’s privacy laws.  Harris expressed her concern about the sharing and storage of sensitive personal information in the press release announcing the formation of PEPU:  “In the 21st Century, we share and store our most sensitive personal information on phones, computers and even the cloud. It is imperative that consumers are empowered to understand how these innovations use personal information so that we can all make informed choices about what information we want to share. The Privacy Unit will police the privacy practices of individuals and organizations to hold accountable those who misuse technology to invade the privacy of others.”

Staying true to her word, on October 29, Harris sent multiple notices to companies using mobile apps that were allegedly not posting their privacy policies as required by OPPA.  According to a press release, letters will be sent to up to 100 non-compliant apps advising that they have “30 days to conspicuously post a privacy policy within their app that informs users of what personally identifiable information about them is being collected and what will be done with that private information.” Harris warned mobile app providers that “[p]rotecting the privacy of online consumers is a serious law enforcement matter,” and the California Department of Justice has been working “hard to ensure that app developers are aware of their legal obligations to respect the privacy of Californians…”

These developments illustrate the importance of considering and addressing privacy in the design, implementation, marketing and distribution of apps. Not only is the California Attorney General taking these issues seriously, but without a privacy policy, companies will not be able to provide their apps on the most popular platforms, including the iTunes Store, Android Marketplace and BlackBerry App World.  Most important, failing to comply with OPPA and/or to heed Attorney General Harris’ warnings could be very costly – violators can face fines of up to $2,500 for every non-compliant app that gets downloaded.