Privacy in Principle (As California Goes, So Goes the Nation? Part Four)
What happened in the privacy world last week? Well, on Friday, the White House officially released its long-anticipated white paper setting forth a framework for "Protecting Privacy And Promoting Innovation in The Global Digital Economy," including a Consumer Privacy Bill of Rights. Justine blogged about this on Friday here. But something else happened on Thursday, just before the release of the White House Paper. Here in California, Attorney General Kamala Harris announced an agreement with Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research In Motion, the leading operators of mobile application platforms - let's call it the App Agreement for purposes of this post, and the six companies the App Platform Participants.
What did those mobile application platform operators agree to do? According to the Attorney General's website, they committed to "improve privacy protections for millions of consumers around the globe who access the Internet through applications ("apps") on their smartphones, tablets and other mobile devices. . . . These platforms have agreed to privacy principles designed to bring the industry in line with a California law requiring mobile apps that collect personal information to have a privacy policy. " Why haven't you heard about that? Well, there was this little announcement from the White House a few hours after Ms. Harris made her own announcement. It is well worth an exploration of the App Agreement to understand what it says, what it does not say, and what it means in historical context, especially in light of the new White House "Consumer Privacy Bill of Rights." It might be argued that the White House is now enunciating principles and best practices, and encouraging legislation of principles, that have long been embodied not only as best practice but as actual legislation under California law.
What does the App Agreement say?
The App Agreement says that, where required by law, an app that collects personal data from a user must conspicuously post a privacy policy or other statement describing the app's privacy practices that provides clear and complete information regarding how personal data is collected, used and shared. More interestingly, the App Platform Participants have agreed in the App Agreement that they will include in the application submission process for new or updated apps either an optional data field for a hyperlink to, or for the text of, the app's privacy policy or a statement describing the app's privacy practices. For developers who choose to submit such a hyperlink or text, the App Platform Participants will enable access for users to the hyperlink or text from the app store. The App Platform Participants will also implement (a) a means for users to report apps that don't comply with applicable terms of service or laws; and (b) a process for responding to those reported instances of non-compliance. Finally, the App Platform Participants will continue to work with the AG to develop best practices for mobile privacy and mobile privacy policies.
Does the law require that apps post a privacy policy?
Yes, and this is also the position of Attorney General Harris. Indeed, California law has required the posting of privacy policies for nearly eight years, since July 1, 2004. The California Online Privacy Protection Act, Business & Professions Code section 22575 et seq. (I like to call it "CalOPPA"), requires any "operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service [to] . . . conspicuously post its privacy policy on its Web site, or in the case of an operator of an online service, make that policy available in accordance with" the law. Since day one, July 1, 2004, privacy lawyers have noted that CalOPPA effectively operates like a federal law since it applies to all Web sites and online services that collect personally identifiable information about consumers residing in California. In other words, unless an organization knows that its website will not collect information from California residents, that organization must comply by posting a privacy policy in accordance with CalOPPA.
Is the App Agreement law?
No. The App Agreement is a "Joint Statement of Principles," it is not legally binding. It explicitly states that it is "not intended to impose legally binding obligations on the Participants or affect existing obligations under law."
Does California law require that certain things be included in an app's privacy policy?
Yes, CalOPPA requires that the privacy policy identify the categories of personally identifiable information that the operator collects through the Web site or online service about individual consumers who use or visit its commercial Web site or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information. It also requires that, if the operator maintains a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service, the privacy policy must provide a description of that process. The privacy policy must also describe the process by which the operator notifies consumers who use or visit its commercial Web site or online service of material changes to the operator's privacy policy for that Web site or online service. Finally, the privacy policy must identify its effective date.
How does California law define personally identifiable information? Just name with Social Security number, financial account number, or driver's license number, right?
No, CalOPPA has always broadly defined PII for purposes of online privacy policies to include individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form. Such information includes any of the following: (1) A first and last name. (2) A home or other physical address, including street name and name of a city or town. (3) An e-mail address. (4) A telephone number. (5) A social security number. (6) Any other identifier that permits the physical or online contacting of a specific individual. (7) Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.
What does the App Agreement have in common with the White House Consumer Privacy Bill of Rights?
Two of the principles set forth in the White House's new Consumer Privacy Bill of Rights have long been incorporated in CalOPPA and are reiterated and reaffirmed by the App Agreement: Transparency and Access and Accuracy. California has long required that organizations conspicuously post their privacy policies so that consumers can more easily obtain information about their privacy rights. California has also long required that companies explain to consumers how they can review and request changes to their PII.
Both documents and the principles set forth therein also find their origins in the decades-old Fair Information Practice Principles (FIPPs).
Ms. Harris's requirement that the App Platform Participants engage in ongoing discussions with the AG's office and reconvene in six months also resonates with the Obama Administration's contemplated multi-stakeholder approach to produce enforceable codes of conduct that implement the Consumer Privacy Bill of Rights.
While we're talking about this, anything else to consider about California law?
It is worth noting that a number of longstanding California privacy laws are getting fresh airplay these days. In addition to CalOPPA, discussed here, California's Shine the Light law, California Civil Code section 1798.83, is back on the scene. On the books since January 1, 2005, Shine the Light is now being invoked by plaintiff's lawyers in class actions - the first of their kind - filed in 2012. Shine the Light takes the privacy policy transparency principle a step further. It allows California residents to request information from businesses about their third-party information-sharing practices. Another thing that CalOPPA and Shine the Light have in common - they both specifically make reference to organization's option of using a hyperlink with the word "privacy" in it to make consumers aware of an organization's privacy policy. The App Agreement once again highlights the importance of conspicuous hyperlinks.
Consumer Privacy "Rights" - Not Just for Californians Anymore
Once again, California is driving the conversation on privacy. Principles that may have once seemed outside the mainstream or just another crazy California thing, long memorialized in actual binding law out here, are now going mainstream in this country. They are also moving US conceptions of privacy closer to the European model of core user privacy rights, albeit with a uniquely US multi-stakeholder non-binding flavor. Will we see federal legislation that embodies these principles? Unknown and perhaps unlikely in the short-term. However, given existing California law on this issue, Attorney General Harris's renewed focus on privacy (especially in the ubiquitous mobile space), and the likelihood of increased enforcement and class action litigation for organizations doing business in California, the time may be right for all organizations to reexamine their privacy practices with an eye towards these principles.