The California Attorney General recently sent a letter to more than 100 companies notifying them that they are not in compliance with California law, due to the fact that their mobile applications use or collect personal information but don't have privacy policies disclosing their privacy practices. She is giving those companies 30 days to conspicuously post privacy policies within their apps that inform users of what personally identifiable information about them is being collected and what will be done with that private information.

“Protecting the privacy of online consumers is a serious law enforcement matter,” said Attorney General Kamala D. Harris. “We have worked hard to ensure that app developers are aware of their legal obligations to respect the privacy of Californians, but it is critical that we take all necessary steps to enforce California’s privacy laws.”

Companies can face fines of up to $2,500 each time a non-compliant app is downloaded.

What Your Company Needs to Know

Companies should avoid simply relying on or repurposing their website privacy policies to satisfy their obligations under the California law. Website privacy policies are generally tailored — consciously or not — to the operating systems, software packages and hardware components of laptops and desktop machines. Mobile devices, however, have different operating systems, different ways of storing and tracking end-users, different associated software and different tools that the end-user must use if he or she wishes to control the collection or sharing of information. Even the third-parties used by companies for advertising and analytics are often different in the mobile arena. As a result, when website privacy policies are repurposed for the mobile space, there is a high likelihood that they will be inaccurate with respect to data collection by third-parties, end-user tracking, local storage, and end-user controls, to name a few. 

In the best-case scenario, companies should attempt to have privacy disclosures that specifically address the unique nature of mobile apps and, if possible, have that privacy disclosure available pre-download as well as within the app itself, and in a form that is optimized for mobile viewing. In addition, companies should not rely on their mobile app developers to describe information collection and sharing practices. Companies should independently test the mobile apps and craft disclosures based on what is actually happening and not what they are told is happening.