Opening up a potential new enforcement risk for all providers of apps, California Attorney General Kamala D. Harris announced on October 30 that she is sending notices to up to 100 providers of mobile apps claiming that their apps do not comply with California's privacy laws. The California Attorney General asserts that the targeted companies' apps are non-compliant because they fail to include, within the apps, privacy policies reasonably accessible by app users. According to the California Attorney General, failure by the recipients to correct the alleged deficiencies within 30 days could expose them to fines of up to $2500 for each copy of a non-compliant app a California consumer downloads. Recipients of the Attorney General's notice reportedly include United Airlines, Delta Airlines, OpenTable, and other providers of popular apps.

The crux of Attorney General Harris' assertions is the way in which the targeted companies are providing consumers with privacy notices. Having a separate web site that has the company's privacy policy may not be enough, especially if a link to the web site policy is not "'reasonably accessible' to the user within the app." Even if a company has a privacy policy that a consumer could find on its web site, the Attorney General is taking the position that California privacy laws require the company's apps to have, conspicuously posted within the apps in a means reasonably accessible to consumers, a privacy policy that informs consumers of what personally identifiable information about them is being collected and what will be done with that private information.

This emphasis on the way and manner in which privacy notices are provided to consumers – that is, the user interface for informing consumers of a company's privacy policies and any changes to those policies – is consistent with recent enforcement efforts by the United States Federal Trade Commission and certain recommended changes to privacy laws made by the FTC in its March 2012 Report, Protecting Consumer Privacy in an Era of Rapid Change, and by the White House in its February 2012 proposal, Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy. All are pushing for companies to deploy more transparent, conspicuous and accessible notices, with a growing tendency to recommend express consumer opt-in for certain data collection practices too. The FTC has also expressed general concerns about apps and the lack of privacy notices within them in its February 2012 look at apps targeted at children, Mobile Apps for Kids: Current Privacy Disclosures are Disappointing, though the FTC does not yet appear to have taken on the scale of possible enforcement efforts that the California Attorney General announced this week.

The California Attorney General's efforts should be of broad concern, as she is relying on currently existing California statutes to target a wide range of companies and is threatening to impose statutory civil penalties not available to the FTC. The California laws Attorney General Harris is relying on include the California Online Privacy Protection Act (Cal. Bus. & Prof. Code §§ 22575-79) and the California Unfair Competition Law (Cal. Bus. & Prof. Code §§ 17200 et seq.). The California Privacy Act requires the "operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service" to "conspicuously post" its privacy policy on its Web site or make it available, "[i]n the case of an operator of an online service, [by] any other reasonably accessible means of making the privacy policy available for consumers of the online service." A violation of this requirement occurs only if the operator fails to correct a deficiency within 30 days of notice. The Attorney General is asserting that violations are enforceable under California's unfair competition law, which allows her to seek civil penalties of up to $2,500 per violation.

Attorney General Harris' app notices follow on the agreement she reached in February with several leading operators of mobile application platforms (including Amazon, Apple, and Google). In that agreement, the platform operators committed to provide consumers the opportunity to review an app's privacy policy before downloading an app (rather than after), with policies being made available in consistent places on download screens. Attorney General Harris also recently established a Privacy Enforcement and Protection Unit in the California Department of Justice with a stated broad mission to enforce and protect privacy, including California and U.S. laws regulating the collection, retention, disclosure, and destruction of sensitive information. The notices sent last week to app providers appears to be the first general enforcement effort initiated by the Unit.

The actions of California's Attorney General serve as a reminder that it is important to ensure that a company's data handling practices, including how notices of those practices are given, keep up and evolve with changing technologies. They also should prompt a review of companies' existing practices to ensure that they keep up and evolve with the changing legal and consumer expectations that govern data handling practices.

www.ropesgray.com

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.