Main Menu
California’s Cold Call to Mobile App Developers

California’s attorney general is dialing up enforcement of the state’s online privacy consumer protection law against mobile application developers. The California state legislature enacted the California Online Privacy Protection Act in 2003, which requires operators of commercial websites or online services (including mobile app developers) to conspicuously provide a privacy policy if the operator collects personally identifiable information about California consumers through the Internet. Because the breadth of the law places the vast majority of mobile app developers at risk of violating it, even those developers located outside of the Golden State need to take heed.

Until now, app developers have not been called to task under the law. This past October, however, the California attorney general began notifying many mobile app developers of their noncompliance with California’s Online Privacy Protection Act. Under the law, those mobile app developers (and other online operators) that collect such personal information and fail to conspicuously post a privacy policy are subject to a fine of up to $2,500 for each app downloaded. This liability accrues only if the app developer fails to set forth its privacy policy within 30 days of being notified of its noncompliance. For many of these recently-notified companies, their 30 day window has since closed. In fact, Delta Airlines was just sued by the California attorney general in federal court for failing to provide access to the privacy policy pertaining to its “Fly Delta” app after receiving its warning.

California’s attorney general realizes that the increasing prevalence of mobile applications exposes consumers to the unwanted or unauthorized collection and use of their personal information, especially when they are unaware of the application provider’s privacy policies. These policies provide a level of transparency between providers and consumers and build trust in that valuable commercial relationship. Consumers are beginning to expect accessible, consistent, and fair privacy and data security practices, so it also makes good business sense to share and follow one’s own privacy policies.

While the California law remains largely ambiguous as to what content the privacy policy must contain, it does provide that the privacy policy shall:

  • identify the categories of personally identifiable information collected;
  • identify those third parties with whom the operator may share such information;
  • if applicable, describe the process by which consumers may review and request changes to any of their personally identifiable information;
  • describe the process by which the operator notifies consumers of material changes to the privacy policy; and
  • identify the privacy policy’s effective date.

The state’s requirements are not particularly onerous, but are nonetheless important.  For further guidance on advertising and privacy issues surrounding mobile apps, read my previous post titled “FTC Issues Mobile App Guidance.”



Recent Posts




Back to Page