[Image: California Attorney General Kamala Harris]

Do your mobile apps run afoul of California’s privacy laws? About one hundred mobile application developers are discovering that their products might be “illegal,” and many others now have to worry. California Attorney General Kamala Harris, consistent with her commitment to consumer privacy interests, has begun to send non-compliance letters to companies like United Airlines and OpenTable, whose applications not only offer consumers the convenience of tracking their flights or making dinner reservations, but also collect information about their preferences through their smartphones. The letters, which the AG’s office started sending in November, warn of a $2,500 fine for each copy of a non-compliant app downloaded by a California consumer. Developers were given thirty days to respond.

This is yet one more battleground as the law tries to catch up with the pace of technology (and vice versa). At issue is whether the privacy policies these companies must post are conspicuous and reasonably accessible for consumers. The California Online Privacy Protection Act (“CalOPPA”) requires that mobile application providers (“online service providers” within the language of the Act) post privacy policies describing the “personally identifiable information” (“PII”) their products gather, how that information will be used or shared, and the processes in place for a user to review and edit their PII.

The CalOPPA also requires this disclosure to be “reasonably accessible” to consumers. For companies developing mobile applications, providing a privacy policy website, accessible only outside of the app, may not be enough. Mobile developers must either post the policy or include a link to the policy within the app itself.

Harris’ action follows an agreement reached in February with Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research In Motion, which together comprise the bulk of the mobile application market and are the industry’s largest accumulators of consumer data. These six developers agreed not only to formulate privacy policies compliant with the CalOPPA’s requirements, but also to make these policies available to consumers before they download the application.

[Image: LinkedIn's in-app privacy policy]

Going forward, entities developing applications that capture Californians’ personally identifiable information must carefully examine their privacy practices to avoid enforcement action by the California Attorney General. Best practices include a carefully drafted privacy policy that clearly articulates what information an app will gather, how it will be used, whether and when it will be shared, and the consumer’s right to review and edit their collected data. The policy should be accessible within the application, either on a separate screen or through a link. A company may also choose to make the policy automatically available to consumers, in advance, on the platform from which the application is purchased (e.g., Apple’s App Store or Google Play) in order to bring itself in line with standards now being set by the large corporations that have already worked through the particulars with the AG’s Office.

There is a further caveat for app developers and providers. Don’t forget that privacy policies create their own teeth and can bite back. That is, a policy may be held to constitute a contractual obligation between the company and the consumer who agrees to it. Thus, failing to provide the protections that a policy promises may subject a provider not only to an enforcement action from the Attorney General’s office (when, for example, the CalOPPA has been violated), but also to claims by consumers (perhaps many thousands of them in the case of a popular app) that a contract has been breached. For example, in Claridge v. RockYou (2011), a judge in the Northern District of California allowed a class action to go forward where RockYou represented its servers as “secure” in its privacy policy despite its knowledge of security issues with its database. RockYou later settled the action.

Although the Los Angeles Times reports that the state will “give app makers time to craft a privacy policy and fall into line with California law,” Harris has sent a clear message: her newly created Privacy Enforcement and Protection Unit will enforce the Golden State’s privacy laws. A barrage of warning letters may sound relatively benign, but this is an opening salvo to what appears to be a vigorous litigation strategy. On December 6, the Attorney General sued Delta Airlines in a San Francisco Superior Court for its failure to respond to a thirty-day warning letter concerning its Fly Delta app for mobile devices. The complaint alleges that Delta’s application stores users’ credit and debit card information, geo-location information and photographs, and that Delta has “knowingly and willfully” or “negligently and materially” failed to disclose how it collects, manages, or shares this information. The lawsuit seeks $2,500 in damages for each violation of the CalOPPA, which could quickly add up given the fact that the Fly Delta app has been downloaded by millions of users already. With the swiftness of the Attorney General’s action and the extent of relief that CalOPPA affords, any business seeking to reach California consumers through a mobile app must take heed. And as we know, especially in the technology world, as California goes, so goes the country …

1 comment:

Though no app is perfectly fine, at least issues regarding security must be resolved for the Android mobile applications for better customer usage and trust.