Memo #26680

California Alerting Mobile Application Developers to Potential Violations of the State's Online Privacy Act


November 13, 2012

TO:

PRIVACY ISSUES WORKING GROUP No. 2-12
COMPLIANCE MEMBERS No. 21-12
SMALL FUNDS MEMBERS No. 37-12
ADVERTISING COMPLIANCE ADVISORY COMMITTEE No. 21-12
TECHNOLOGY COMMITTEE No. 14-12

RE:

CALIFORNIA ALERTING MOBILE APPLICATION DEVELOPERS TO POTENTIAL VIOLATIONS OF THE STATE'S ONLINE PRIVACY ACT

 

In 2004, the California Online Privacy Protection Act was enacted. [1] In relevant part, this law requires an operator of a commercial website or online service that collects personally identifiable information [2] on a consumer residing in California to conspicuously post a privacy policy. [3] The Privacy Enforcement and Protection Unit within the Office of the Attorney General of California has recently begun sending letters to operators of commercial websites or online services that are subject to the law, notifying them of their potential violation of California’s law based upon their failure to post their privacy policy on their mobile applications. [4] The letter, a copy of which is attached, informs these companies of the law’s requirements and the potential penalties for a violation, [5] and asks the letter’s recipient, within thirty (30) days, either to inform the Unit of their specific plans and timeline to comply with the law or to explain why the law does not apply to them.

The Office of the Attorney General has also published two documents that are relevant to the application of the law to mobile applications as well as to the Unit’s inquiry. The first of these is a “Mobile Applications and Mobile Privacy Fact Sheet.” It discusses the emergence of mobile applications, privacy policies in the mobile space, and what California law requires of operators of mobile applications. In addition, it discusses an agreement that the Attorney General entered into in February with “six leading mobile application platforms,” which are Amazon, Apple, Google, Hewlett-Packard, Microsoft, and RIM. Through this agreement, these firms have agreed to a statement of principles “to foster innovation in privacy protection, promote transparency in privacy practices, and facilitate compliance with privacy laws in the mobile arena.” The five principles agreed to by the firms are:

  1. Where required by law for mobile applications that collect personal data from a user, to conspicuously post a privacy policy or other statement describing the application’s privacy practices and providing clear and complete information regarding how personal data is collected, used, and shared;
  2. To include in their application submission process for new or updated applications an optional data field for either: (i) a hyperlink to the app’s required privacy disclosure; or (ii) the text of the privacy policy;
  3. To implement a means for application users to report to the platform those applications that do not comply with applicable terms of service and/or the law;
  4. To implement a process for responding to instances reported pursuant to principle 3; and
  5. To continue to work with the California Attorney General to develop best practices for mobile privacy and, within six months, to “convene to evaluate privacy in the mobile space, including the utility of education programs regarding mobile privacy.”

A copy of the Mobile Applications document and a copy of the Joint Statement of Principles between the Attorney General and the six platforms are attached.

 

Tamara K. Salmon
Senior Associate Counsel

Attachment

Endnotes

[1] A copy of the law is available at: http://www.leginfo.ca.gov/cgi-bin/displaycode?section=bpc&group=22001-23000&file=22575-22579.

[2] The law defines “personally identifiable information” to include any of the following: a first and last name; a home or other physical address, including street and city or town name; a telephone number; a social security number; any other identifier that permits the physical or online contacting of a specific individual; and “information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with [another piece of personally identifiable information].” See California Business and Professions Code §22577(a).

[3] The law specifies what satisfies the “conspicuously post” requirement. See California Business and Professions Code §22577(b).

[4] A press release announcing this initiative is available at: http://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-notifies-mobile-app-developers-non-compliance.

[5] According to the letter, a violation may result in penalties of up to $2,500 for each violation, and each copy of the unlawful mobile app downloaded by a California consumer constitutes a separate violation of the law.