Mobile Application Privacy Policy Enforcement by the California Attorney General

Under the Act, an operator of a commercial website or online service, including mobile and social applications, that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial website or online service must conspicuously post its privacy policy on its website, or in the case of an operator of an online service, make such privacy policy available in accordance with any other reasonably accessible means of making the privacy policy available for consumers of the online service (California Bus. and Prof. Code Sections 22575(a) and 22577(b)(5)).

Personally identifiable information means individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form, including any of the following: (1) first and last name, (2) home or other physical address, including street name and name of a city or town, (3) email address, (4) telephone number, (5) Social Security number, (6) any other identifier that permits the physical or online contacting of a specific individual, or (7) information concerning a user that the website or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in the Act (California Bus. and Prof. Code Section 22577(a)).

Specific Requirements

The privacy policy required by the Act must do all of the following:

1. identify the categories of personally identifiable information that the operator collects through the website or online service about individual consumers who use or visit its commercial website or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information;

2. provide a description of any process for an individual consumer who uses or visits its commercial website or online service to review and request changes to any of his or her personally identifiable information that is collected through the website or online service;

3. describe the process by which the operator notifies consumers who use or visit its commercial website or online service of material changes to the operator's privacy policy for that website or online service; and

4. identify its effective date.

California Bus. and Prof. Code Section 22575(b).

Conspicuously posting with respect to a privacy policy includes posting the privacy policy through any of the following:

1. a Web page on which the actual privacy policy is posted if the Web page is the home page or first significant page after entering the website;

2. an icon that hyperlinks to a Web page on which the actual privacy policy is posted, if the icon is located on the home page or the first significant page after entering the website, and if the icon contains the word "privacy" (the icon must also use a color that contrasts with the background color of the Web page or is otherwise distinguishable);

3. a text link that hyperlinks to a Web page where the actual privacy policy is posted, if the text link is located on the home page or first significant page after entering the website, and if the text link does one of the following:
   
   
   1. includes the word "privacy,"
   2. is written in capital letters equal to or greater in size than the surrounding text, or
   3. is written in larger type than the surrounding text, or in contrasting type, font, or color to the surrounding text of the same size, or set off from the surrounding text of the same size by symbols or other marks that call attention to the language;

4. any other functional hyperlink that is so displayed that a reasonable person would notice it; or

5. in the case of an online service, any other reasonably accessible means of making the privacy policy available for consumers of the online service.

California Bus. and Prof. Code Section 22577(b).

According to a sample notice of noncompliance, an operator of a mobile application that uses the Internet to collect personally identifiable information is an online service within the meaning of the Act. An application's commercial operator must conspicuously post its privacy policy in a means that is reasonably accessible to the consumer. Having a website with the applicable privacy policy conspicuously posted may be adequate but only if a link to that website is reasonably accessible to the user within the application. A recipient of a notice of noncompliance has an application available through a platform(s) without having a privacy policy reasonably accessible for consumers. A recipient must respond to the California Attorney General's notice of noncompliance within 30 days of the date of that notice with the specific plans and timeline to comply with the Act or why the application is not covered by the Act.¹

Ramifications for Noncompliance

A website or online service operator that collects personally identifiable information and fails to post its privacy policy within 30 days after being notified of noncompliance is in violation of the Act (California Bus. and Prof. Code Section 22575(a)). Under California's Unfair Competition Law, violations of the Act may result in civil penalties of up to $2,500 for each violation (i.e., for each copy of the unlawful application downloaded by California consumers) (California Bus. and Prof. Code Section 17206(a)).

Accordingly, mobile application developers and companies that have applications should determine whether their applications include a privacy policy that is conspicuously posted in a means that is reasonably accessible to consumers in accordance with the Act and, if not, take the steps necessary to make sure that their applications do so in compliance with the Act.

This California Attorney General notification of noncompliance follows its 2012 adoption of a Joint Statement of Principles with Amazon, Apple, Facebook, Google, Hewlett-Packard, Microsoft, and Research in Motion (i.e., mobile and social application market companies) regarding privacy principles designed to bring the industry in line with the Act. This agreement allows consumers the opportunity to review an application's privacy policy before they download the application rather than after and offers consumers a consistent location for an application's privacy policy on the application-download screen in the platform store. The agreement also commits these platforms to educate developers about their obligations to respect consumer privacy and to disclose to consumers what private information they collect, how they use the information, and with whom they share it. These platforms will also work to improve compliance with privacy laws by giving users tools to report noncompliant applications and committing companies to implement processes to respond to these reports.

The Act is one of the privacy laws that the Privacy Enforcement and Protection Unit in the California Department of Justice is charged with enforcing. The mission of this unit, which was created in July, is to enforce laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government, including laws regarding cyber privacy, health privacy, financial privacy, identity theft, government records, and data breaches.²

¹See State of California Department of Justice, Office of the Attorney General press release, "Attorney General Kamala D. Harris Notifies Mobile App Developers of Non-Compliance with California Privacy Law," October 30, 2012.

²See State of California Department of Justice, Office of the Attorney General press release, "Attorney General Kamala D. Harris Announces Privacy Enforcement and Protection Unit," July 19, 2012.