United States: California AG Files First Suit For Alleged Mobile App Privacy Policy Violations

After serving notice that mobile app companies must comply with California's online privacy statute, last week Attorney General Kamala Harris filed the first of what is likely to be many suits against companies that develop, sell or operate mobile applications, alleging that the app's privacy policy - or lack thereof - violates the California Online Privacy Protection Act (CalOPPA). At the end of October, she gave some 100 companies, including many that offer some of the most popular apps on the mobile market, 30 days to take action. The complaint, filed Dec. 6, 2012, in San Francisco Superior Court, asserts that the company's app collects customer information, including name, telephone number, email and mailing address, along with sensitive personal information such as birth dates and credit card numbers, but lacks a privacy policy, as CalOPPA requires.

The California statute provides that "[a]n operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on its Web site," and includes specific requirements for the content of privacy policies. Operators of "online services" must make that policy reasonably accessible to those consumers.

On October 30, 2012, AG Harris announced that her newly formed Privacy Enforcement and Protection Unit had started sending letters to companies that develop, sell or operate apps, reminding them of their obligations under the law. The notice letters warned the companies that they had 30 days to bring their apps into compliance by conspicuously posting a privacy policy within their app that informs users of what personally identifiable information about them is being collected and what will be done with that private information. Having a website with the applicable privacy policy conspicuously posted might adequately meet the statutory requirement, but only if a link to that website is "reasonably accessible" to the user within the app, according to the letter. It stated that companies that fail to comply face fines of $2,500 per download.

With this lawsuit, AG Harris continues to make clear that the mobile space will be one of the targets of her office's privacy efforts. In February 2012, she announced that her office had reached an agreement with the major providers in the mobile market to implement privacy principles designed bring the industry in line with California law.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.