As noted often in this blog, privacy policies are fertile ground for missteps, litigation and regulatory/criminal enforcement procedures. Whereas many companies worry primarily about Federal Trade Commission investigations, dozens of companies were recently reminded that states like California have their own laws that require re-inspecting both placement and content of privacy policies.
Recently, California Attorney General Kamala Harris notified Delta Airlines, United Continental, Open Table and dozens of other mobile app developers and companies that they may be failing to conspicuously post their privacy policies in compliance with the California Online Privacy Protection Act (“OPPA”). “Protecting the privacy of online consumers is a serious law enforcement matter,” said Attorney General Kamala D. Harris. “We have worked hard to ensure that app developers are aware of their legal obligations to respect the privacy of Californians, but it is critical that we take all necessary steps to enforce California’s privacy laws.”
Codified at California Business and Professions Code Sections 22575-22579, OPPA applies to operators of commercial web sites or online services that collect “personally identifiable information through the Internet about individual consumers residing in California….” OPPA regulates what must be contained in privacy policies as well as how the privacy policies must be posted or made readily available.
According to Chris Conley (a technology lawyer at the ACLU) in a recent article from Bloomberg Businessweek, California is the only state to require privacy policies for mobile applications as well as websites. California, in fact, has its own regulatory agency called the California Office of Privacy Protection.
Given that California’s population exceeds thirty-seven million people as of the most recent census – or more than 10% of the nation – it is almost impossible to avoid the reach of OPPA. Companies creating and maintaining privacy policies must consider not just the FTC’s regulations, but state regulations like California’s as well. Given that this latest step by California follows on the heels of agreements reached in February 2012 with Apple, Google, Microsoft, Amazon, Hewlett-Packard, and Research In Motion to improve privacy protections on mobile apps, this topic in California is gaining steam.