California, a state with consumer protection laws that are among the strongest in the country, has had explicit legislation governing online privacy since 2004 when the California Online Privacy Protection Act1 (“CalOPPA”) was enacted. CalOPPA § 22575(a) forces all operators of websites or online services to post their privacy policies in a conspicuous manner assuming they target individuals residing in California.
The California Attorney General, Kamala Harris, concluded in 2012 that, with regard to mobile devices and the apps they employ, the “conspicuous” display of privacy notices required an app-specific version and that a mere link to the company’s website was insufficient to meet the posting requirements referenced above. Harris sent notices to mobile developers Oct. 30, 2012, warning that they were not in compliance with California privacy law if their apps did not contain a conspicuously posted privacy notice. Shortly thereafter, California filed suit against Delta Airlines Inc., alleging the airline’s “Fly Delta” app lacked the requisite privacy notice despite collecting extensive personally identifiable information (PII) of its customers.
On Jan. 10, 2013, California’s Attorney General took the next logical step and issued recommendations for the mobile ecosystem. App developers were encouraged to build privacy in their apps and to provide privacy notices based upon an informed decision about the privacy practices that will be used in the app. These privacy practices should then be communicated to the potential customer through a privacy notice that meets the following requirements:
- Easy to Find
- The privacy notice should be conspicuously accessible to users and potential users.
- A link to the policy should be available within the app (for example, on controls/settings page).
- Easy to Read
App developers should make the privacy notice clear and understandable by using plain language and a format that is readable on a mobile device.
- One format is a layered notice that highlights the most relevant privacy issues.
- Another format is a grid or “nutrition label for privacy” that displays privacy practices by data type.
- Graphics or icons can help users to easily recognize privacy practices and settings.
- Privacy icons will be most effective if they are widely used and consumer comprehension is supported by an awareness campaign
- Description of Privacy Practices
The privacy notice should describe the app developer’s practices regarding the collection, use, sharing, disclosure, and retention of, including at least the following items:
- The types or categories of PII collected by the app.
- The uses and retention period for each type or category of PII.
- Whether the app, or a third party, collects payment information for in-app purchases.
- The choices a user has regarding the collection, use, and sharing of PII, with instructions on how to exercise those choices.
- The process for a user to review and request corrections to his or her PII maintained by the app, if available.
- A means for users to contact the app developer with questions or concerns.
- Enhanced Measures for Collection of Sensitive Data
If an app collects sensitive information or PII not needed for that app’s basic functionality, users should be alerted to those types of data collection through special notices:
Practices that are likely to deserve special notice include:
- Collection, use or disclosure of PII not required for the app’s basic functionality.
- Accessing text messages, call logs, contacts or potentially privacy-sensitive device features such as camera, dialer and microphone.
- A change in the app developer’s data practices that involves new, unexpected uses or disclosures of PII.
- The collection or use of sensitive information (such as precise geo-location, financial or medical information, passwords).
- The disclosure to third parties of PII for that third party’s own use, including use for advertising.
Conclusion: Despite the dismissal of the case against Delta in May 2013, app developers should take the Attorney General’s recommendations very seriously and continue to consider privacy in every step of the app development process. The dismissal was based solely on the preemption of state law by the Federal Airline Deregulation Act and should not be seen as an indication that there will be no future enforcement of the California Online Privacy Protection Act.