• An Illinois woman was arrested on July 11 and charged with theft after she allegedly stole a dress from a boutique in West Frankfort, Illinois, then posted a selfie wearing the dress on her Facebook page. Police Chief Shawn Talluto noted, “[W]hen the social media aspect played into it, we were able to identify who it was. And by looking at the background of the photograph we were able to pinpoint where she was at.”
  • New, mobile-only banks without any brick-and-mortar branches form a small part of the banking industry today—but they may be poised for growth. These banks, without a physical presence, reportedly can handle a typical transaction for a fraction of what having a teller handle it would cost, and can deliver value-added services to consumers through smartphone interfaces.
  • Shakira has become the first celebrity to reach 100 million Likes on Facebook. The “Hips Don’t Lie” singer, who joined the social media platform in October 2007, beat Cristiano Ronaldo, Eminem, Rihanna, Vin Diesel, and even Michael Jackson to the new record.
  • According to a current study by Bank of America, Americans are very closely attached to their smartphones. Of those surveyed, 85 percent said they check their phone at least a few times a day and 35 percent say they check it constantly. 47 percent of Americans say they couldn’t last more than one day without their phone. And, perhaps most worrisome, Millennials between ages 18 to 24 view their mobile phone as more important to their daily lives than even deodorant or their toothbrush . . . .
  • The Uniform Law Commission has embraced the Uniform Fiduciary Access to Digital Assets Act, which, to the extent adopted by states, would give grieving families immediate access to a deceased family member’s online accounts, unless the deceased family member specified otherwise in a will.  Privacy advocates have expressed skepticism regarding the initiative.
  • In a break from past practice, the New York Police Department has begun to embrace social media, giving its precinct commanders “relatively free rein” in using Twitter. Top brass hopes to spur greater sharing of information and to engage the public in a dialogue regarding police business.

California Attorney General Kamala Harris released a long-awaited report entitled Making Your Privacy Practices Public (Report) on May 21, 2014. The Report recommends “best practices” for compliance with the California Online Privacy Protection Act (CalOPPA). It was originally intended to answer critical questions about exactly what website, online service, and mobile application operators (collectively, “site operators”) must do to comply with CalOPPA’s new do not track (DNT) disclosure obligations, which took effect on January 1, 2014. It does not accomplish that goal. Unfortunately, the Report leaves important questions unanswered and raises new questions.

The Report explains that “its recommendations . . . which in some places offer greater privacy protection than required by existing law, are not regulations, mandates or legal opinions.” It fails, however, to clarify what the law actually requires, and we expect that trade associations will continue to seek guidance on important compliance issues. In the meantime, site operators may wish to comply with at least some of the Report’s recommendations to the extent possible because such “recommendations” tend to harden into regulatory “expectations” over time. Continue Reading California AG Offers Best Practices for Do Not Track Disclosures; Crucial Compliance Questions Left Unanswered

Snapchat’s recent settlement with the Federal Trade Commission (FTC) generally provides a comprehensive but not groundbreaking roadmap to the FTC’s privacy and data security expectations in the mobile environment under Section 5 of the FTC Act, with two very notable exceptions:

  1. It now appears that companies are required to follow researchers’ blogs and other writings to see if there are any privacy or data security vulnerabilities, and to act on any such information promptly; and
  2. It also appears that the FTC expects companies to be aware of all third parties who have technology that can interact with an app, and to make sure that when consumers engage in any such interaction, all of the company’s privacy and data security representations remain true. If the FTC continues down this path, it will create unsustainable new burdens on app developers, many of which have very few resources to begin with. Furthermore, if this is the new standard, there is no reason it should be limited to the app environment—analytically, this would lead to a rule of general application.


The Snapchat app became very popular because of its branding as an “ephemeral” mobile messaging service. Among other things, the app promised its users and prominently represented—in its privacy policy and an FAQ, among other places—that the “snaps” (e.g., messages) users sent would “disappea[r] forever” after 10 seconds (or less). However, according to the FTC’s complaint, in addition to other problems with the app’s privacy and security features, it was much too easy to capture these supposedly ephemeral messages, making the company’s claims false and misleading in violation of Section 5. And since the company’s representations were not consistent with the app’s practices, now it’s the FTC that won’t be disappearing any time soon. Continue Reading Snap Judgment: FTC Alleges Snapchat Did Not Keep Its Privacy and Security Promises, But Suggests Broad New Duty in the Process

From our sister blog, MoFo Tech:

Widely applicable rules regarding consumer privacy disclosures in our increasingly mobile world are only now emerging. Government agencies, individual states, and professional associations are all weighing in on how mobile app developers should disclose how they collect, store, use, and protect the wide range of highly personal data being collected every day.

The Application Privacy, Protection, and Security Act of 2013, better known as the APPS Act, is intended to bring conformity to the unwieldy world of mobile app development. With a divided Congress struggling to pass even mandatory legislation, though, passage of any type of discretionary legislation this year seems unlikely, says D. Reed Freeman Jr., a partner with Morrison & Foerster in Washington, D.C. In the meantime, Freeman says, developers should focus on the Federal Trade Commission, “because even without congressional action, it has broad jurisdiction, and it has already brought cases and issued guidance on mobile privacy and data security.”

Charged with the intentionally broad mandate of guarding consumers from “deceptive” and “unfair” business practices, the FTC has been proactively applying its consumer protection laws across nearly all media, including mobile technology. A recent FTC policy document is especially revealing because it describes how the FTC expects disclosures of material facts to be made on mobile devices, “and privacy disclosures can certainly be material,” Freeman says.

So it’s up to the mobile app company to think carefully about the ways its program could surprise a reasonable user and disclose them appropriately. Freeman offers this rule of thumb:  “Would a reasonable consumer, under the circumstances, understand what information is being collected about her while she’s on a mobile device and what it is being used for?” If so, companies need to disclose those facts clearly and not bury them in EULAs or terms of use.

California’s Online Privacy Protection Act, passed in 2003, has taken consumer privacy one step further than the FTC has. It requires companies that operate commercial websites or online services and that collect personal information of any kind—including usernames and passwords—to prominently post a privacy policy somewhere on their homepage, says Andrew Serwin, a partner in Morrison & Foerster’s San Diego office.

And while California’s jurisdiction ends at the state line, its reach is often national, Serwin adds. “Companies with customers in all 50 states have to ask themselves whether they want to develop state-specific programs or apply standards across the board,” he says. Since the mobile world doesn’t recognize geographic boundaries, Serwin recommends that developers work toward the highest standards and beyond. “Privacy isn’t just a legal issue. It’s a brand issue,” he says.

Apart from knowing the law, businesses need to consider their own reputations and their customer relationships when collecting, using, and protecting personal information, Serwin says. For example, how could losing users’ passwords tarnish the company’s image in the market? “Current law doesn’t specifically cover that possibility, but,” he notes, “it may be in the company’s best interest to address these types of issues.”

Peer-to-peer (“P2P”) business models based on the Internet and technology platforms have become increasingly innovative.  As such models have proliferated, they frequently result in clashes with regulators or established market competitors using existing laws as a defensive tactic.  The legal battles that result illustrate the need for proactive planning and consideration of the likely legal risks during the early structuring phase of any new venture.

Collaborative consumption, or the “sharing economy” as it is also known, refers to the business model that involves individuals sharing their resources with strangers, often enabled by a third-party platform.  In recent years, there has been an explosion of these P2P businesses.  The more established businesses include online marketplaces for goods and services (eBay, Taskrabbit) and platforms that provide P2P accommodation (Airbnb, One Fine Stay), social lending (Zopa), crowdfunding (Kickstarter) and car sharing (BlaBlaCar, Lyft, Uber).  But these days, new sharing businesses are appearing at an unprecedented rate; you can now find a sharing platform for almost anything.  People are sharing meals, dog kennels, boats, driveways, bicycles, musical instruments – even excess capacity in their rucksacks (cyclists becoming couriers).

The Internet and, more specifically, social media platforms and mobile technology has brought about this economic and cultural shift.  Some commentators are almost evangelical about the potential disruption to traditional economic models that the sharing economy provides, and it’s clear that collaborative consumption offers a compelling proposition for many individuals.  It helps people to make money from under-utilized assets and tap into global markets; it gives people the benefits of ownership but with reduced costs and less environmental impact; it helps to empower the under-employed; and it brings strangers together and offers potentially unique experiences.  There’s clearly both supply and demand, and a very happy set of users for a great many of these new P2P services.

However, not everyone is in favor of the rapid growth of this new business model.  Naturally, most of the opposition comes from incumbent businesses or entrenched interests that are threatened by the new competition or those that have genuine concerns about the risk posed by unregulated entrants to the market.  Authorities and traditional businesses are challenging sharing economy businesses in a variety of ways, including arguing that the new businesses violate applicable laws, with accommodation providers and car-sharing companies appearing to take the brunt of the opposition to date.

Bed Surfing

One of the most successful P2P marketplaces, San Francisco-founded Airbnb is a platform that enables individuals to rent out part or all of their house or apartment.  It currently operates in 192 countries and 40,000 cities.  Other accommodation-focused P2P models include One Fine Stay, a London-based platform that allows home owners to rent out empty homes while they are out of town.

Companies such as these have faced opposition from hoteliers and local regulators who complain that home owners using these platforms have an unfair advantage by not being subject to the same laws as a traditional hotel.  City authorities have also cited zoning regulations and other rules governing short-term rentals as obstacles to this burgeoning market.  It has been reported that some residents have been served with eviction notices by landlords for renting out their apartments in violation of their leases, and some homeowner and neighborhood associations have adopted rules to restrict this type of short-term rental.

These issues are not unique to the United States.  Commentators have reported similar resistance with mixed responses from local or municipal governments in cities such as Barcelona, Berlin and Montreal.

It’s not particularly surprising that opposition to P2P accommodation platforms would come from existing incumbent traditional operators after all, that’s typical of most new disruptive business models in the early stages before mainstream acceptance.  But the approaches taken by P2P opponents illustrate that most regulations were originally devised to apply to full-time commercial providers of goods and services, and apply less well to casual or occasional providers.

This has consequences for regulators, who are likely to have to apply smarter regulatory techniques to affected markets.  Amsterdam is piloting such an approach to accommodation-sharing platforms, realizing the benefits that a suitably-managed approach to P2P platforms could have on tourism and the local economy.

Car Sharing

Companies that enable car-sharing services have also faced a barrage of opposition, both from traditional taxi companies and local authorities.  In many U.S. cities, operators such as Lyft and Uber have faced bans, fines and court battles.

It was reported in August 2013 that eleven Uber drivers and one Lyft driver were recently arrested at San Francisco airport on the basis of unlawful trespassing offenses.  In addition, during summer 2013, the Washington, D.C. Taxicab Commission proposed new restrictions that would prevent Uber and its rivals from operating there.  Further, in November 2012, the California Public Utilities Commission (“CPUC”) issued $20,000 fines against Lyft, SideCar and Uber for “operating as passenger carriers without evidence of public liability and property damage insurance coverage” and “engaging employee-drivers without evidence of workers’ compensation insurance.

All three firms appealed these fines, arguing that outdated regulations should not be applied to peer-rental services, and the CPUC allowed the companies to keep operating while it drafted new regulations, which were eventually issued in July 2013.  In August 2013, the Federal Trade Commission intervened and wrote to the Commissions arguing that the new rules were too restrictive and could stifle innovation.  The CPUC rules (approved on September 19, 2013) require operators to be licensed and meet certain criteria including in terms of background checks, training and insurance.  The ridesharing companies will be allowed to operate legally under the jurisdiction of the CPUC, and will now fall under a newly created category called “Transportation Network Company.”

Some operators have structured their businesses in an attempt to avoid at least some of the regulatory obstacles.  For example, Lyft does not set a price for a given journey; instead, riders are prompted to give drivers a voluntary “donation.”  Lyft receives an administrative fee in respect of each donation.  In addition, in its terms, Lyft states that it does not provide transportation services and is not a transportation carrier; rather, it is simply a platform that brings riders and drivers together.  In BlaBlaCar’s model, drivers cannot make a profit, just offset their actual costs, which helps to ensure that drivers are not considered to be traditional taxi drivers, thereby helping them avoid the regulation that applies to the provision of taxi services.

Traditional players embracing the new model

Interestingly, not all traditional players are taking a completely defensive approach.  From recent investment decisions, it appears that some companies appreciate that it could make sense for them to work closely with their upstart rivals, rather than oppose them.  For example, in 2011, GM Ventures invested $13 million in RelayRides and, in January 2013, Avis acquired Zipcar, giving Avis a stake in Wheelz, a P2P car rental firm in which Zipcar has invested $14 million.

The incentive for incumbent operators to embrace P2P models will likely vary by sector.  Perhaps it’s no surprise that this is best illustrated in the car rental industry, where there already exists a financial “pull” and a regulatory “push” towards greener and more sustainable models of service provision.

Legal and Regulatory Issues

Lawmakers and businesses around the world are currently grappling with how to interpret existing laws in the context of P2P sharing economy business models and considering whether new regulation is required.  For example, the European Union is preparing an opinion on collaborative consumption in the light of the growth of P2P businesses there.  One hopes that European policy makers focus more on incentivizing public investment in P2P projects via grants or subsidies than on prescriptive regulation of the sector.

Importantly, however, it’s a particular feature of the market for P2P platforms that much of the regulatory activity tends to be at the municipal or local level, rather than national.  This tends to make for a less cohesive regulatory picture.

In the meantime, anyone launching a social economy business will need to consider whether and how various thorny legal and regulatory issues will affect both the platform operator and the users of that platform.  Often, this may mean tailoring services to anticipate particular legal or regulatory concerns.

  • Consumer protection.  Operators will need to consider the extent to which their platforms comply with applicable consumer protection laws, for example when drafting appropriate terms of use for the platform.
  • Privacy.  Operators will need to address issues of compliance with applicable privacy laws in terms of the processing of the personal data of both users and users’ customers, and prepare appropriate privacy policies and cookie notices.
  • Employment.  Where services are being provided, the operator will need to consider compliance with any applicable employment or recruitment laws, e.g., rules governing employment agencies, worker safety and security, and minimum wage laws.
  • Discrimination.  Operators will need to consider potential discrimination issues, e.g., what are the consequences if a user refuses to loan their car or provide their spare room on discriminatory grounds, for example due to a person’s race or sexuality?  Could the operator attract liability under anti-discrimination laws?
  • Laws relating to payments.  One key to success for a P2P business model is to implement a reliable and effective payment model.  But most countries impose restrictions on certain types of payment structures in order to protect consumers’ money.  Where payments are made via the P2P platform rather than directly between users, operators will need to address compliance with applicable payment rules, and potentially deal with local payment services laws.  Fundamentally, it needs to be clear whose obligation it is to comply with these laws.
  • Taxation.  Operators will need to consider taxation issues that may apply – both in terms of the operator and its users.  Some sectors of the economy – hotels, for example – are subject to special tax rates by many cities or tax authorities.  In such cases, the relevant authorities can be expected to examine closely – and potentially challenge, or assess municipal, state or local taxes against – P2P models that provide equivalent services.  In some places, collection of such taxes can be a joint and several responsibility of the platform operator and its users.
  • Safety and security.  When strangers are being brought together via a platform, security issues will need to be addressed.  Most social economy businesses rely on ratings and reciprocal reviews to build accountability and trust among users.  However, some platforms also mitigate risks by carrying out background and/or credit checks on users.  Airbnb also takes a practical approach, employing a full-time Trust & Safety team to provide extra assurance for its users.
  • Liability.  One of the key questions to be considered is who is legally liable if something goes wrong.  Could the platform attract liability if a hired car crashes or a host’s apartment is damaged?
  • Insurance.  Responsibility for insurance is also a key consideration.  The issue of insurance for car-sharing ventures made headlines in April 2013 when it was reported that a Boston resident had crashed a car that he had borrowed via RelayRides.  The driver was killed in the collision and four other people were seriously injured. RelayRides’ liability insurance was capped at $1 million, but the claims potentially threaten to exceed that amount.  Given these types of risks, some insurance companies are refusing to provide insurance coverage if policyholders engage in P2P sharing.  Three U.S. states (California, Oregon and Washington) have passed laws relating to car sharing, placing liability squarely on the shoulders of the car-sharing service and its insurers.
  • Industry-specific law and regulation.  Companies will need to consider issues of compliance with any sector-specific laws, whether existing laws or new regulations that are specifically introduced to deal with their business model (such as crowd-funding rules under the JOBS Act in the United States, and P2P lending rules to be introduced shortly in the United Kingdom).  As noted above, some social economy businesses have already experienced legal challenges from regulators, and as collaborative consumption becomes even more widely adopted, regulatory scrutiny is likely to increase.  Accordingly, rather than resist regulation, the best approach for sharing economy businesses may be to create trade associations for their sector and/or engage early on with lawmakers and regulators in order to design appropriate, smarter policies and frameworks for their industry.


Erasmus said, “There is no joy in possession without sharing.”  Thanks to collaborative consumption, millions of strangers are now experiencing both the joy – and the financial benefits – of sharing their resources.  However, the legal challenges will need to be carefully navigated in order for the sharing economy to move from being merely disruptive to become a firmly established business model.

In late May 2013, the U.S. Food and Drug Administration (FDA) sent an enforcement letter to a mobile medical app developer for failing to obtain a 510(k) clearance before marketing the app, which the FDA said appears to be a “device” under section 201(h) of the Federal Food, Drug, and Cosmetic Act (FDCA). The mobile app—the uChek Urine Analyzer developed by Biosense Technologies Private Limited and available through the iTunes App store—allows a user to read urine dipsticks using a camera phone to screen for diabetes and urinary tract infections. The FDA’s letter signals the type of oversight the FDA intends to exercise over mobile medical app developers, although the agency has not released final guidance in this murky area.

FDA Previously Indicated Light Regulation of Medical Mobile Apps

In March, Congress urged the FDA to clarify the regulation of mobile medical apps in three days of hearings before the House Energy and Commerce Committee. The FDA generally relieved concerns raised by the mobile communications industry, which had feared heavy regulation of mobile phones and tablets as medical devices. Christy Foreman, the Director of the Office of Device Evaluation in the Center for Devices and Radiological Health (CDRH) at the FDA, testified before the committee that the FDA intends to limit regulation to a small subset of apps, in accordance with the FDA’s July 2011 draft guidance on mobile medical apps.

The FDA proposed a narrowly tailored approach focusing on apps that could threaten patient safety if they do not work as intended. These include apps that either: (1) affect the performance or functionality of a currently regulated medical device or (2) have traditionally been considered medical devices. Consistent with this philosophy, the agency does not intend to regulate mundane apps that help people achieve a healthier lifestyle, such as pedometers or calorie counters. Nor does the agency plan to regulate apps that track medical data but otherwise do not meet the definition of “device” in section 201(h) of the FDCA because they are not intended to diagnose, treat, or cure conditions or diseases.

Specifically, the 2011 draft guidance indicated that the FDA will regulate mobile apps that qualify as medical devices under section 201(h) and that are intended to perform one of two functions: (1) serve as an accessory to a regulated medical device—for example, an app that allows doctors to diagnose patients by viewing medical images on a tablet; or (2) transform a mobile platform into a regulated medical device—for example, an app that allows a patient to measure blood glucose with a smartphone. The FDA’s recent enforcement letter to Biosense falls squarely in line with this proposed regulatory scheme. As the FDA noted in its letter, the uChek app is intended for use with urinalysis dipsticks that have received 510(k) clearance for “direct visual reading.” However, the app allows a mobile phone to analyze the dipsticks and that means “the phone and device as a whole functions as an automated strip reader” that requires new clearance.

FDA Does Not Intend to Regulate Other Mobile Technology

In a prepared statement released on the day of her testimony, Foreman laid out the boundaries of the FDA’s proposed mobile medical app policy. The statement made clear that the FDA does not intend to regulate mobile technology apart from the medical apps themselves. Thus, the FDA will not regulate the sale or general consumer use of smartphones or tablets. Entities that solely distribute mobile medical apps (such as owners and operators of the “iTunes App store” or the “Android market”) will not be considered medical device manufacturers. And mobile platform manufacturers will not be deemed medical device manufacturers simply because their platforms support mobile medical apps regulated by the FDA. Based on these statements, smartphone manufacturers and app distributors can put to rest for now any concerns they might have had about FDA oversight regarding health-related mobile apps.

FDA’s Statements on Mobile App Regulation Ease Uncertainty in Industry

Congress held the recent hearings in response to uncertainty among mobile app developers, which the House Energy and Commerce Committee voiced in a letter to the FDA Commissioner in early March. The letter relayed industry fears of widespread regulation by the FDA and concerns over the lack of final guidance on the regulation of mobile medical apps. At the hearing, the committee also inquired whether the FDA intends for smartphones, tablets, and other devices that display mobile medical apps to be taxed as medical devices under the Patient and Protection and Affordable Care Act (PPACA). Foreman deflected these questions, noting that the IRS, not the FDA, has the authority to impose taxes on medical devices.

Though the mobile medical app market has been growing, Foreman’s testimony showed that the industry is still in its infancy. Foreman stated that the FDA receives fewer than 20 submissions per year for mobile medical apps, which amounts to approximately 0.5% of all medical device applications the agency reviews each year. All mobile medical apps cleared thus far have gone through the 510(k) process, which in 2011 and 2012 took an average of 67 days to complete. The agency has not yet deemed any mobile medical apps to be Class III medical devices.

Further Guidance Expected Later This Year

Mobile medical app developers should look for a final guidance from the FDA on regulation of mobile medical apps later this year. Though Foreman initially projected that the guidance would be published in “the coming months,” when pushed to be more specific she narrowed her projection to the end of the FDA’s fiscal year in September. Technological developments in mobile medical apps have far outpaced the FDA’s sluggish timing in releasing its final guidance. Congress and mobile app developers will be watching closely to see if the FDA’s final guidance brings the clarity and light regulation of mobile medical apps that the agency has proposed. In the meantime, developers whose apps work in tandem with regulated medical devices should pay attention to the FDA’s enforcement letter to Biosense and consider whether FDA clearance is appropriate. We will continue to monitor this topic and provide relevant updates.

The Federal Trade Commission (FTC) announced a potentially groundbreaking settlement with the social networking app Path and released an important new staff report on Mobile Privacy Disclosures late last week.

The FTC’s Settlement with Path suggests a new standard may be on the near-term horizon: out-of-policy, just-in-time notice and express consent for the collection of data that is not obvious to consumers in context. The FTC has long encouraged heightened notice and consent prior to the collection and use of sensitive data, such as health and financial information. This settlement, however, requires such notice and consent for the collection and use of information that is not inherently sensitive, but that, from the Commission’s perspective, at least, might surprise consumers based on the context of the collection. Only time will tell, but historically Order provisions like this have tended to become cemented as FTC common law. Moreover, although the Children’s Online Privacy Protection Act (COPPA) portions of the settlement do not break new ground, they do serve as a potent—and expensive—reminder that the FTC is highly focused on kids’ privacy online, particularly in the mobile space.

The FTC’s Report reinforces this sentiment by encouraging all the major players in the mobile ecosystem—including app developers, ad networks, and trade associations—to increase the transparency of the mobile ecosystem through clear, accessible disclosures about information collection and sharing at appropriate times.

To continue reading this post, click here.

On October 30, 2012, California Attorney General Kamala Harris announced that her office would begin notifying the developers of as many as 100 mobile apps that their apps do not comply with the state’s Online Privacy Protection Act (OPPA) and that they have 30 days to bring them into compliance.

The announcement does not come as a surprise. Earlier this year, the Attorney General published a Joint Statement of Principles with the major platforms that distribute and sell mobile apps, providing that they will distribute only apps that have privacy policies that consumers are able to review prior to download. At that time, her office told app developers that they had six months to come into compliance or to be notified of violations. Shortly thereafter, Attorney General Harris formed a Privacy Enforcement and Protection Unit, intended specifically to enforce OPPA and other privacy laws.

In light of the Attorney General’s announcement and her continued focus on privacy, companies that collect personal information online from California residents—whether through a website, online service, or app—should take steps to ensure that they are in compliance. According to the Attorney General’s sample non-compliance letter attached to her press release, failure to comply could subject a company to a fine of up to $2,500 each time a non-compliant app is downloaded.

The Law’s Requirements

OPPA requires a commercial website operator or online service provider, including a mobile app developer, that collects personally identifiable information (PII) from consumers residing in California to post a conspicuous privacy policy. Because OPPA applies to any company that collects data online about California residents, companies both within and outside of California may be subject to enforcement activity.

Under OPPA, the privacy policy must include:

  • The categories of PII that the website, online service, or app collects from its users;
  • The third parties with whom such PII may be shared;
  • The process by which the consumer can review and request changes to his or her PII, if the website operator, online service provider, or app developer maintains such a process;
  • The process by which the operator, provider, or developer notifies consumers of material changes to its privacy policy; and
  • Its effective date.

Additional Considerations

Compliance with OPPA does not necessarily ensure compliance with all applicable laws. In particular, the Federal Trade Commission (FTC) has long taken the position that privacy policies should describe, in a way that consumers can easily understand, all material collection, use, and disclosure practices. This means that, in addition to the information required by OPPA, a privacy policy should include other disclosures, such as:

  • Its scope;
  • How PII may be used;
  • How “other information”—information that may not be considered PII but the collection of which may be material to users—is collected, used, and disclosed. This may include, for instance, users’ clickstream information or other information derived from their interaction with the website, service, or app and collected for purposes of personalizing content or displaying targeted ads;
  • How PII is secured and for how long it may be retained;
  • How the user may exercise various rights, such as to opt out of receiving direct marketing or to opt out of the sharing of his or her PII with third parties;
  • How the user may access the PII collected from him or her and the control that he or she has with respect to it; and
  • How the user can contact the operator or developer.

Drafting a compliant privacy policy is only the first step. A company must also implement measures to ensure that it complies with the representations it makes in its privacy policy, to avoid claims that its privacy policy is deceptive or misleading.

In light of the increased enforcement activity by the California Attorney General and FTC, mobile app developers will want to ensure their mobile apps include a privacy policy, that the privacy policy is conspicuously posted on the mobile apps, and that the privacy policy is followed in practice.