This post was also written by Amy S. Mushahwar.
In February, California Attorney General Kamala D. Harris warned mobile app developers that their disclosure of data-collection practices to consumers would face scrutiny from her office in the coming months, and that entities not in compliance with California’s requirement to maintain and post a privacy policy would be investigated. We discussed that warning, and noted that mobile app developers would have some time to play “catch up” to draft, approve, and post privacy policies. As of October 30, time’s up.
On Tuesday, Attorney General Harris announced that she sent letters to approximately 100 mobile app developers and companies that her office determined were non-compliant with California privacy law. Those companies have 30 days to come into compliance; that is, to conspicuously post a clear and appropriately formatted mobile privacy policy within their mobile app. Entities that do not comply within 30 days potentially face a civil penalty of $2,500 for each download of the non-compliant app, which could add up quickly if your app receives considerable consumer traffic.
The California Online Privacy Protection Act requires an operator of a website and other online services who collects personally identifiable information from California residents to conspicuously post or make available its privacy policy. That privacy policy must include the categories of personally identifiable information the operator collects, as well as the policy’s effective date and the operator’s method for notifying consumers of changes to the policy. In addition, if the operator has a process whereby consumers can review and request changes to their collected information, the policy must describe that process.
We have previously discussed the state attorneys general's focus on mobile application privacy for the 2012, and more recently interviewed Travis LeBlanc, who noted that the new Privacy Protection and Enforcement Unit would pay close attention to privacy in the mobile environment.
Mobile app developers who were not in this first round of enforcement notices, but who have not yet posted a privacy policy that describes the categories of personally identifiable information their apps collect, should take this opportunity to get something in place immediately. Attorney General Harris calls these letters the “first step” in the Privacy Protection and Enforcement Unit’s efforts to enforce the Online Privacy Protection Act, and her office will likely move on to another round of apps. The time for playing catch up is over.