Trick or Treat: California's AG Notifies Nearly 100 Apps of Need for Privacy Policy
A few weeks ago, many of us took note when California's Attorney General Kamala Harris used Twitter to point out that United Airlines' new mobile app did not include a privacy policy: "Fabulous app, @United Airlines, but where is your app's #privacy policy?" It may have been "just a tweet" at the time, but Harris clearly means business. Yesterday, her office reportedly sent notices to as many as 100 apps, including United, Delta, and OpenTable, instructing them to conspicuously post a privacy policy within their app within 30 days, pursuant to California's Online Privacy Protection Act (Business & Professions Code Sections 22575-22579) ("CalOPPA"). The policy must inform users of what personally identifiable information about them is being collected and what will be done with that information. If the companies fail to comply with this directive, the Attorney General may take legal action under CalOPPA, which Harris's office contends provides for fines of up to $2,500 for each download of a noncompliant app.
Harris's actions should come as no surprise in a year when she entered into an agreement with Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research In Motion, later joined by Facebook, requiring that any app that collects personal data from a user conspicuously post a privacy policy or other statement describing the app’s privacy practices that provides clear and complete information regarding how personal data is collected, used and shared. The parties to that agreement also agreed to include in the application submission process for new or updated apps an optional data field for either a hyperlink to, or the text of, the app’s privacy policy or a statement describing the app’s privacy practices. Over the summer, Harris also formed a new Privacy Enforcement and Protection Unit to oversee privacy issues and prosecute companies that violate California's many privacy laws.
What exactly is the point of the notices that went out yesterday? Harris's office takes the position that app developers are operators of online services that are subject to CalOPPA. As addressed at the time her office entered into the agreement with the app platforms, the Attorney General wants users to have the opportunity to review an app's privacy policy before downloading the app so that they understand what information the app will collect and how that information will be used and shared. Many apps don't have any privacy policy; the ones that do often bury it on a "Help" page or other unlikely link where a user may never find it.
Easy takeaway here - apps that may collect personal information from California residents (and yes, that's most apps) must post a privacy policy that clearly describes their privacy practices, in a place where it can easily be found. Even better, apps should post a privacy policy that doesn't require a user to scroll through 20 pages of stuff on his/her phone. This can be accomplished by using plain language and, if necessary, a layered approach.