On October 30, 2012, California Attorney General Kamala Harris announced that her office would begin notifying the developers of as many as 100 mobile apps that their apps do not comply with the state’s Online Privacy Protection Act (OPPA) and that they have 30 days to bring them into compliance.
The announcement does not come as a surprise. Earlier this year, the Attorney General published a Joint Statement of Principles with the major platforms that distribute and sell mobile apps, providing that they will distribute only apps that have privacy policies that consumers are able to review prior to download. At that time, her office told app developers that they had six months to come into compliance or to be notified of violations. Shortly thereafter, Attorney General Harris formed a Privacy Enforcement and Protection Unit, intended specifically to enforce OPPA and other privacy laws.
In light of the Attorney General’s announcement and her continued focus on privacy, companies that collect personal information online from California residents—whether through a website, online service, or app—should take steps to ensure that they are in compliance. According to the Attorney General’s sample non-compliance letter attached to her press release, failure to comply could subject a company to a fine of up to $2,500 each time a non-compliant app is downloaded.
The Law’s Requirements
- The categories of PII that the website, online service, or app collects from its users;
- The third parties with whom such PII may be shared;
- The process by which the consumer can review and request changes to his or her PII, if the website operator, online service provider, or app developer maintains such a process;
- Its effective date.
- Its scope;
- How PII may be used;
- How “other information”—information that may not be considered PII but the collection of which may be material to users—is collected, used, and disclosed. This may include, for instance, users’ clickstream information or other information derived from their interaction with the website, service, or app and collected for purposes of personalizing content or displaying targeted ads;
- How PII is secured and for how long it may be retained;
- How the user may exercise various rights, such as to opt out of receiving direct marketing or to opt out of the sharing of his or her PII with third parties;
- How the user may access the PII collected from him or her and the control that he or she has with respect to it; and
- How the user can contact the operator or developer.
Website operators often take for granted the enforceability of their websites’ terms of service. In a recent order issued in a case from the Central District of California, Nguyen v. Barnes & Noble, Inc., Judge Josephine Tucker reminds us that such presumptions are not necessarily correct: terms of service that do not require an affirmative manifestation of assent from a website user may not always be upheld in court.