Does Your Mobile Application Put You at Risk of Getting Sued for Privacy Violations?
May 10, 2013
Moreover, in recent interviews, the California Attorney General’s office has made it clear that enforcement against the mobile app market is a priority and the office expects to be filing other enforcement actions not only against those with deficient privacy policies, but also against those with acceptable privacy policies who fail to follow their own policies. Violators in the former category can expect to receive notices from the California Attorney General that they have thirty days to correct deficiencies in their policies. However, there is no such thirty-day notice requirement for operators who fail to conform to their own policies. The state can sue those operators with no notice if the violations of their privacy policies are either “knowing and willful” or “negligent and material.”
However, California is not the only jurisdiction looking to police privacy matters when it comes to mobile apps. In addition to CalOPPA, the Children’s Online Privacy Protection Act (COPPA) includes provisions that protect the privacy of minors, and the Federal Trade Commission (the “FTC”) has shown that it is willing to use both COPPA and Section 5 of the FTC Act, regarding unfair or deceptive practices, as enforcement tools against deficient data privacy practices. (A recent enforcement action of the Federal Trade Commission against Path, Inc. for, among other things, a misleading policy regarding the information the company collected from social networking users resulted in an $800,000 settlement and a 20-year commitment to independent privacy assessments.) The FTC is also in the process of amending the rules under COPPA to adapt to new technology. The new rules will take effect July 1, 2013 and, among other changes, will treat persistent identifiers, like IP addresses and mobile device identifiers, as personally identifiable information under COPPA (consistent with European Union practices).
Public entities are not the only ones looking to enforce privacy laws. There has also been a recent spate of class action lawsuits based on privacy violations in the mobile app space. These suits deal particularly with targeted advertising that violates COPPA, the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act or other laws addressing the accessing and tracking of consumer behavior online.
Mobile app operators, therefore, should treat CalOPPA as the floor for their compliance in the realm of privacy practices, not the ceiling. It is also clear that this is an area in which the law, like the technology, is changing rapidly. Mobile app operators can assume the requirements for safeguarding users’ privacy will only increase. Conforming to industry best practices now without waiting for legislation is more likely to position companies to be in line with future mobile app regulation and, perhaps more importantly, to position them to conform with the likely trend of user expectations.
In sum, mobile app privacy policies and practices are simply not an element of the business of offering mobile apps that operators can afford to ignore, but fortunately, the information and guidance for avoiding problems in this area are growing steadily.