Attorney General of California Targets Mobile Apps that Fail to Post Privacy Policies

Cooley Alert

On October 30, 2012, the Attorney General of California, Kamala D. Harris, issued a press release stating that her office has issued formal letters to nearly one hundred mobile application publishers giving notice that they are not in compliance with the California Online Privacy Protection Act. Under the law, companies and developers receiving the letters have thirty days to comply. A sample of the letter can be found here. Non-compliant companies face potential penalties of up to $2500 per download.

The California Online Privacy Protection Act requires commercial operators of online services that collect personally identifiable information from consumers residing in California to conspicuously post a privacy policy. The privacy policy must disclose the types of personally identifiable information collected and the types of third parties with whom the data is shared, the process for reviewing information collected (if a process is offered), the process for communicating material changes to the policy, and the effective date of the policy.

Earlier this year, the Attorney General of California released Joint Statements with several mobile-application marketplace companies describing their agreement on a set of mobile-application privacy principles. Those principles include: providing, in the submission process for new or updated mobile applications, a field for the application's privacy policy or other privacy notice; offering a means for users to report mobile application publishers that fail to comply with their terms of service or laws; taking action against noncompliant mobile application publishers; and committing to work with the Attorney General of California to develop mobile best practices.

Practice tips

  • Check your mobile apps to see if your privacy policy or some other statement describing your privacy practices is posted for users to view in the application and prior to download in the marketplace description. Many mobile-application marketplace companies by now provide a specific field for application publishers to include their privacy policy URL.
  • If you have apps in development, make sure your developers have the appropriate links to your privacy policy to submit with your apps.
  • Make sure your privacy policy covers the personally identifiable information your mobile application collects. If not, update your privacy policy to cover the activities of your application and what your company does with information it collects from the application.
  • Note that if you collect even non-personally identifiable information from users with your mobile application, you may also need to provide notice and get authorization under the Federal Computer Fraud and Abuse Act and state anti-spyware laws.

Related Contacts

Michael Rhodes Partner, San Francisco
Adam Ruttenberg Partner, Washington, DC
Diane Savage Of Counsel, Palo Alto