If a haunted house or trick-or-treating was your scariest experience last week, you must not be one of the 100 mobile application developers who received a notice of non-compliance from California Attorney General Kamala D. Harris. On October 30, Attorney General Harris’s office announced that letters had been sent to the developers of dozens of the most popular mobile applications warning in each case that the developer’s application is not in compliance with California’s Online Privacy Protection Act (“CalOPPA”) because it fails to have a privacy policy reasonably accessible to consumers . The letters give the developer 30 days to respond by providing either specific plans to bring the application into compliance or an explanation regarding why the developer believes that the application is not covered by CalOPPA.
As noted in the non-compliance notice letters, the potential cost to mobile application developers of not meeting the CalOPPA requirements can be substantial. Violations of CalOPPA may result in penalties of up to $2,500 per violation which, for mobile applications, means up to $2,500 for each copy of the non-compliant application that is downloaded by California consumers. Since Attorney General Harris has started by targeting the most popular non-compliant applications, including, reportedly, the mobile applications of Delta Airlines, United Continental Holdings and OpenTable , the penalties assessed could potentially be substantial.
As we have previously discussed on this blog, CalOPPA requires that “an operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service” conspicuously post a privacy policy that meets the requirements of California Business and Professions Code § 22575(a) and (b). In the past year, Attorney General Harris has reached agreements with the seven major mobile application platforms providing that mobile applications constitute an “online service” and are therefore subject to CalOPPA’s requiremen. Among the requirements, the privacy policy must be “reasonably accessible” which, for mobile applications, requires that, among other things, the policy be available for review prior to download and include a description of the information being collected.
An additional noteworthy aspect of the non-compliance notice letters is that they are sent on behalf of Attorney General Harris by Adam Miller, Supervising Deputy Attorney General of the newly-created Privacy Enforcement and Protection Unit. The Privacy Enforcement and Protection Unit was established earlier this year and granted authority to enforce state and federal privacy laws and regulations. The non-compliance notices confirm speculation made at the time of the Privacy Unit’s establishment that the application of CalOPPA to mobile applications would reside high on the list of the Unit’s priorities.
All indications from the Attorney General’s office suggest that this is merely the beginning of a prolonged campaign. In other words, now is the time for mobile application developers to ensure that applications meet the requirements of California state law, before the 30 day clock is ticking for you.