California AG Threatens Enforcement of Privacy Policy Disclosure Laws Against App Providers

Author:Mr James DeGraw, David M. McIntosh, Douglas Meal and Mark P. Szpak
Profession:Ropes & Gray LLP

Opening up a potential new enforcement risk for all providers of apps, California Attorney General Kamala D. Harris announced on October 30 that she is sending notices to up to 100 providers of mobile apps claiming that their apps do not comply with California's privacy laws. The California Attorney General asserts that the targeted companies' apps are non-compliant because they fail to include, within the apps, privacy policies reasonably accessible by app users. According to the California Attorney General, failure by the recipients to correct the alleged deficiencies within 30 days could expose them to fines of up to $2500 for each copy of a non-compliant app a California consumer downloads. Recipients of the Attorney General's notice reportedly include United Airlines, Delta Airlines, OpenTable, and other providers of popular apps.

The crux of Attorney General Harris' assertions is the way in which the targeted companies are providing consumers with privacy notices. Having a separate web site that has the company's privacy policy may not be enough, especially if a link to the web site policy is not "'reasonably accessible' to the user within the app." Even if a company has a privacy policy that a consumer could find on its web site, the Attorney General is taking the position that California privacy laws require the company's apps to have, conspicuously posted within the apps in a means reasonably accessible to consumers, a privacy policy that informs consumers of what personally identifiable information about them is being collected and what will be done with that private information.

This emphasis on the way and manner in which privacy notices are provided to consumers – that is, the user interface for informing consumers of a company's privacy policies and any changes to those policies – is consistent with recent enforcement efforts by the United States Federal Trade Commission and certain recommended changes to privacy laws made by the FTC in its March 2012 Report, Protecting Consumer Privacy in an Era of Rapid Change, and by the White House in its February 2012 proposal, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy. All are pushing for companies to deploy more transparent, conspicuous and accessible notices, with a growing tendency to recommend express consumer opt-in for certain data collection practices too. The FTC has also expressed general...

To continue reading