Caveat Vendor

Policing Mobile Apps Remains Top Priority for California’s Attorney General

July 10, 2013

By Paul Hastings Professional

As we mentioned in a previous blog post, the California Attorney General’s Office has prioritized mobile app privacy in its recent efforts to enforce the California Online Privacy Protection Act (“CalOPPA”).  CalOPPA requires operators of commercial websites or other online services that collect personal information of California consumers to “conspicuously post” their privacy policy.

 Although the issue has yet to be resolved by a court, the AG has publicly taken the position that “online services” include mobile apps.  As we noted last month, the resolution of the Delta Air Lines case left this question unanswered.
 Another question that Delta Air Lines left unresolved is whether a privacy policy must be posted within the mobile app itself, or whether it is sufficient to post the privacy policy on the company’s website.  In the Delta Air Lines complaint, the AG stated in its allegations that Delta had not posted a privacy policy containing the required disclosures about the app either in the “Fly Delta” app or on Delta’s website.  The complaint seemed to suggest that online disclosures may have been permissible if the website provided the requisite information to consumers of the Fly Delta app.  Informally, however, the AG has confirmed its view that CalOPPA requires privacy policies to be embedded in the mobile apps themselves.

These and other insights about the AG’s enforcement efforts were revealed at a recent event held at Paul Hastings’ San Francisco office.  During that event, the AG’s Director of Privacy Education and Policy, Joanne McNabb, laid out the Department’s enforcement priorities beyond mobile privacy.  According to Ms. McNabb, the AG will now turn its attention to data breaches, health information privacy, and protecting the privacy of children online.  As part of that effort, the AG recently released a comprehensive data breach report summarizing the AG’s findings and recommendations about data breaches in 2012.
During the Paul Hastings event, Ms. McNabb explained that the Privacy Enforcement and Protection Unit will take a two-pronged approach involving (1) ensuring compliance and (2) targeted enforcement.  The compliance phase, which began in late 2012, involved sending a series of warning letters sent to online services and commercial websites based on their alleged failure to display a “conspicuously” posted privacy policy.  For those who did not receive such a letter, you may not be out of the woods just yet.  Ms. McNabb revealed that the second phase will involve more directed enforcement efforts targeting popular health apps and children’s apps.  If either category describes your business, the California AG may have its eye on you.
Caveat Vendor is Paul Hastings' Consumer Issues blog. We welcome your feedback. Please contact our blog editor with any thoughts or suggestions.