Attorney General of California Targets Mobile Apps that Fail to Post Privacy Policies

On October 30, 2012, the Attorney General of California, Kamala D. Harris, issued a press release stating that her office has issued formal letters to nearly one hundred mobile application publishers giving notice that they are not in compliance with the California Online Privacy Protection Act. Under the law, companies and developers receiving the letters have thirty days to comply. A sample of the letter can be found here. Non-compliant companies face potential penalties of up to $2500 per download.

The California Online Privacy Protection Act requires commercial operators of online services that collect personal identifiable information from California consumer residents to conspicuously post a privacy policy. The privacy policy must disclose the types of personally-identifiable information collected and the types of third parties with whom the data is shared, the process for reviewing information collected (if a process is offered), the process for communicating material changes to the policy, and the effective date of the policy

Earlier this year the Attorney General of California released Joint Statements with several mobile-application marketplace companies describing their agreement on a set of mobile-application privacy principles. Those principles include: providing in the application submission process for new or updated mobile applications a field for the application's privacy policy or other privacy notice, offering a means for users to report mobile application publishers that fail to comply with their terms of service or laws, taking action against noncompliant mobile application publishers, and committing to work with the Attorney General of California to develop mobile best practices.

Practice tips

• Check your mobile apps to see if your privacy policy or some other statement describing your privacy practices is posted for users to view in the application and prior to download in the marketplace description. Many mobile-application marketplace companies by now provide a specific field for application publishers to include their privacy policy url.
• If you have apps in development, make sure your developers have the appropriate links to your privacy policy to submit with your apps.
• Make sure your privacy policy covers the personally identifiable information your mobile application collects. If not, update your privacy policy to cover the activities of your application and what your company does with information it collects from the application.
• Note that if you collect even non-personally identifiable information from users with your mobile application you may also need to provide notice and get authorization under the Federal Computer Fraud and Abuse Act and state anti-spyware laws.

This content is provided for general informational purposes only, and your access or use of the content does not create an attorney-client relationship between you or your organization and Cooley LLP, Cooley (UK) LLP, or any other affiliated practice or entity (collectively referred to as “Cooley”). By accessing this content, you agree that the information provided does not constitute legal or other professional advice. This content is not a substitute for obtaining legal advice from a qualified attorney licensed in your jurisdiction and you should not act or refrain from acting based on this content. This content may be changed without notice. It is not guaranteed to be complete, correct or up to date, and it may not reflect the most current legal developments. Prior results do not guarantee a similar outcome. Do not send any confidential information to Cooley, as we do not have any duty to keep any information you provide to us confidential. This content may be considered Attorney Advertising and is subject to our legal notices.