Does Your Mobile Application Put You at Risk of Getting Sued for Privacy Violations?

May 10, 2013

Unless you have a posted privacy policy including some very specific information, the answer may be yes! And it does not matter where your company is located. If your mobile app is available to California users, it is susceptible to the long arm of the California Attorney General, who has recently shown an unequivocal willingness to enforce California law regarding privacy matters against mobile app operators.

At issue is a 2004 statute, the California Online Privacy Protection Act (“CalOPPA”), that has five requirements for mobile app privacy policies. First, a privacy policy must identify the categories of personally identifiable information that the operator collects from users. Personally identifiable information includes: a first and last name, a physical address, an email address, a telephone number, a social security number, any other identifier that permits the physical or online contacting of a specific individual, and information about a user collected in combination with one of the other identifiers and maintained in that form. Second, the policy must also identify the categories of third-party persons or entities with whom the operator may share that personally identifiable information. Third, if a mobile app operator has a process for users to review and request changes to personally identifiable information that is collected through the mobile app, the privacy policy must provide a description of that process. Fourth, the policy must also describe the process by which a mobile app operator notifies users of material changes to the operator’s privacy policy. Finally, the privacy policy must also give its effective dates.

Under CalOPPA, the required policy must also be “reasonably accessible” for users of the mobile app. While this term is not defined in the statute, published guidance from the State of California suggests that “reasonably accessible” means that the privacy policy must have a conspicuous posting or link on the app platform page to make it available to users before downloading the app and that there must also be a link within the app for users to access the policy after downloading.

The reason all mobile app operators need to move quickly to comply with CalOPPA is that California filed its first lawsuit against a mobile app operator for violation of CalOPPA in December 2012. In People v. Delta Air Lines Inc., California sued Delta Air Lines under CalOPPA and the state’s Unfair Competition Law for Delta’s failure to include a compliant privacy policy within its Fly Delta mobile app. The Attorney General’s office sent a letter to the company’s general counsel giving Delta thirty days to post a conforming privacy policy, and when the company did not, the state sued, asking for $2,500 for every download of the non-conforming app, as well as fees and costs. The Attorney General’s office has sent out many warning notices to other companies with deficient privacy policies.

Moreover, in recent interviews, the California Attorney General’s office has made it clear that enforcement against the mobile app market is a priority and that the office expects to file other enforcement actions not only against those with deficient privacy policies, but also against those with acceptable privacy policies who fail to follow their own policies. Violators in the former category can expect to receive notices from the California Attorney General that they have thirty days to correct deficiencies in their policies. However, there is no such thirty-day notice requirement for operators who fail to conform to their own policies. The state can sue those operators with no notice if the violations of their privacy policies are either “knowing and willful” or “negligent and material.”

However, California is not the only jurisdiction looking to police privacy matters when it comes to mobile apps. In addition to CalOPPA, the Children’s Online Privacy Protection Act (COPPA) includes provisions that protect the privacy of minors, and the Federal Trade Commission (the “FTC”) has shown that it is willing to use both COPPA and Section 5 of the FTC Act regarding unfair or deceptive practices as enforcement tools against deficient data privacy practices. (A recent FTC enforcement action against Path, Inc. for, among other things, a misleading policy regarding the information the company collected from social networking users resulted in an $800,000 settlement and a 20-year commitment to independent privacy assessments.) The FTC is also in the process of amending the rules under COPPA to adapt to new technology. The new rules will take effect July 1, 2013 and include, among other changes, the fact that persistent identifiers, like IP addresses and mobile device identifiers, will be treated as personally identifiable information under COPPA (consistent with European Union practices).

Public entities are not the only ones looking to enforce privacy laws. There has also been a recent spate of class action lawsuits based on privacy violations in the mobile app space. These suits deal particularly with targeted advertising that violates COPPA, the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act or other laws addressing the accessing and tracking of consumer behavior online.

Mobile app operators, therefore, should treat CalOPPA as the floor for their compliance in the realm of privacy practices, not the ceiling. It is also clear that this is an area in which the law, like the technology, is changing rapidly. Mobile app operators can assume the requirements for safeguarding users’ privacy will only increase. Conforming to industry best practices now, without waiting for legislation, is more likely to position companies to be in line with future mobile app regulation and, perhaps more importantly, to position them to conform with the likely trend of user expectations.

There is a significant amount of best practices guidance in the area of privacy for mobile apps. The California Attorney General’s office itself has disseminated privacy guidelines that extend beyond the requirements of CalOPPA. They encourage developers to increase transparency in data collection and use, limit the collection and retention of data, provide meaningful choice to consumers and improve data security. There is also guidance in this area from the FTC. In February the FTC issued a report recommending that mobile app developers: (1) post a privacy policy and make it available through the platform’s app store, (2) provide just-in-time disclosures and obtain affirmative consent when collecting sensitive data or making disclosures to third parties, (3) improve coordination and communication with third parties interacting with the data collected in order to be able to accurately disclose these practices to users, and (4) participate in self-regulatory programs and similar efforts in order to develop guidance on how to implement privacy disclosures. The National Telecommunications and Information Administration draft Mobile App Transparency “Code of Conduct” document also provides insight into the industry consensus about appropriate privacy practices. Finally, guidance on privacy considerations for mobile app operators is also available from the European Union in the Article 29 Working Party’s “Opinion on apps on Smart Devices.”

In sum, mobile app privacy policies and practices are simply not an element of the business of offering mobile apps that operators can afford to ignore, but fortunately, the information and guidance for avoiding problems in this area is growing steadily.