Companies with a mobile application that collects any form of user data should conspicuously post a detailed privacy policy within their mobile app, or they may face a lawsuit filed by the Attorney General of California, with fines of up to $2,500 every time the app has been downloaded. Under the California Online Privacy Protection Act of 2003, any company that collects personally identifiable information about a California resident must “make [its privacy] policy available.” On December 6, 2012, Attorney General Kamala Harris filed suit against Delta Air Lines—a company with a privacy policy posted on its website—alleging violation of the Act for failing to have a sufficiently detailed policy and failing to make that policy available within Delta’s “Fly Delta” mobile app.

Background

Earlier this year, California’s Attorney General Kamala Harris announced a deal with some of the largest companies in the mobile-device space to strengthen privacy protections for California consumers. These companies all agreed to privacy principles, including creating greater transparency and giving “mobile users more informed control over who accesses their personal information and how it is used.” Under this agreement, the companies agreed to give users the opportunity to review an app’s privacy policy before it is downloaded, and to post an app’s privacy policy in a consistent location on the application-download screen.

In discussing this agreement, the Attorney General’s office emphasized that the agreement “is designed to ensure that mobile apps comply with the California Online Privacy Protection Act of 2003 (CalOPPA or the Act). Id. CalOPPA was signed by the Governor of California in October 2003 and went into effect on July 1, 2004. The legislation was designed to impose strict new standards on companies operating websites or online services regarding transparency in the way that user information is used.

Starting October 30, 2012, Attorney General Harris announced that she began sending non-compliance letters to the developers and companies behind some of the most popular applications available on mobile platforms. These letters inform the company that it is not currently making a privacy policy “reasonably accessible” to its users from within the app, and is therefore in violation of CalOPPA. The non-compliance letter gives an app developer 30 days to develop a privacy policy and to make the policy reasonably accessible. If the company fails to comply, it can face fines of up to $2,500 for every time the app has been downloaded.

The Act

CalOPPA requires all operators of “a commercial Web site or online service that collects personally identifiable information” to “conspicuously post its privacy policy on its Web site, or ... make that policy available.” The required privacy policy must meet several requirements including: 1) identifying the categories of information collected, 2) identifying the categories of third-parties that the information may be shared with, 3) describing the developer’s process for allowing users to review and request changes to the information, and 4) describing the process by which users will be notified of material changes to the policy.

Companies need to be proactive about their compliance with CalOPPA, as the Act is easily violated and potentially very expensive. First, the types of personally identifiable information encompass more than one might think, including not only a user’s social security number and home address but also the current location of the user’s mobile device, email address, telephone number, and any other identifier that permits the physical or online contacting of a specific individual.

Second, your business does not have to be located in California for your app to expose you to liability— Delta Air Lines is incorporated in Delaware and headquartered in Georgia. The Act merely requires that your service collects personally identifiable information of “individual consumers residing in California.” It is also very likely that other states will soon be targeting mobile apps as well as an arena in which to enforce their consumer protection laws.

Third, nothing in CalOPPA requires an improper use or sale of users’ information to subject a company to liability. All that is required is that the company or app developer fail to make its privacy policy available within 30 days of notice of non-compliance.

Finally, companies need to make sure that their app developers are providing privacy policies that actually match the privacy practices of the company. Also, it is important to remember that the Act can be applied to applications that run inside of social media sites, such as Facebook.

The Delta Case

On December 6, 2012, Attorney General Harris filed suit against Delta Air Lines in San Francisco Superior Court under California’s Unfair Competition Law for violation of CalOPPA. Delta provides a mobile app called “Fly Delta” allowing users to check-in for a flight, view reservations, pay for checked baggage, access their frequent flyer information, take photographs to help remember where they parked, and find nearby “Delta Sky Clubs.”

Notably, Delta has a privacy policy and Delta provides access to the policy via its website. Nonetheless, the Attorney General asserts that Delta is in violation of CalOPPA because the privacy policy does not discuss specific data types collected by the app—location data and photographs—and the privacy policy is not accessible from within the “Fly Delta” app itself.

The Delta complaint illustrates both the breadth of the reach of CalOPPA and the stringency of its requirements. It is clear that the Attorney General of California considers a user’s current location, date of birth, gender, and any photographs taken by that user to be personally identifiable information. Moreover, simply making your policy reasonably accessible is not sufficient; it must be reasonably accessible within any of your applications making use of user information. Does your mobile or social media app allow users to chat, find office locations based on the user’s location, or snap photographs? If so, then your app falls under the purview of CalOPPA and must have an internal link to your privacy policy.

Is Your Company’s Policy in Compliance?

Is your privacy policy up to date, comprehensive, specific and are you doing an adequate job in making it available in all of your mobile and social media applications? Even if you haven’t yet received a letter from Attorney General Harris, you should take a close look at your privacy policies and make sure that they are carefully tailored to your business and “reasonably accessible.” If you don’t, you may find your company’s apps in the sights of the Attorney General of California and your company liable for sizable fines.