Legal Update from Hoge Fenton: App Developers Must Include Privacy Policy or Face Stiff Penalties

California Attorney General Kamala Harris has made it clear that developers of mobile applications, or “apps,” will no longer be able to skirt compliance with California’s Online Privacy Protection Act, or CalOPPA (Cal. Bus. & Prof. Code §§ 22575-22579). According to a press release issued by Harris’s office, “The Act requires operators of commercial Web sites and online services, including mobile apps, who collect personally identifiable information about Californians to conspicuously post a privacy policy.”

Earlier this year Harris offered certain participants in the mobile app marketplace a non-legally binding “Joint Statement of Principles” concerning implementation of best practices intended to facilitate CalOPPA compliance and reporting of suspected violators. By June, Harris’s statement had been adopted by at least seven major participants in the mobile app marketplace, including Apple, Google, Microsoft, Research in Motion, Facebook, Amazon and Hewlett-Packard.

On October 30, Harris announced that her office had begun sending non-compliance notices, 100 at a time, to developers of mobile apps without a privacy policy within their app that informs users of what personally identifiable information about them is being collected and what will be done with that private information. Developers in receipt of such a notice would have 30 days to respond, by either providing specific plans and timeline to comply with CalOPPA or by explaining why they believe their app is not subject to CalOPPA. Responses to Harris’s earliest batch of notices were due last week. Under Harris’s command, the Department of Justice recently formed the Privacy Enforcement and Protection Unit, an agency charged with enforcing California’s privacy laws, including CalOPPA.

The Office of the Attorney General has made good on its threat of zero tolerance for noncompliance. On December 6, 2012, the Office of the Attorney General filed its first enforcement action against Delta Air Lines for distributing its “Fly Delta” mobile app without a privacy policy since at least 2010. The app allows customers to check in and make reservations, during which Delta collects details such as name, phone number, e-mail address and geographic location. The Office of the Attorney General had given Delta 30 days to come into compliance by conspicuously posting a privacy policy, telling its “Fly Delta” app users what information was being collected and how it was being used, but Delta has not. The case is People v. Delta Air Lines Inc., pending in San Francisco County Superior Court, case number 12-526741.

While an app’s success may hinge upon its popularity among users, even a moderately popular app may imperil a developer without a CalOPPA-compliant privacy policy. Pursuant to California Business and Professions Code Section 17206(a), any developer in violation of CalOPPA may be subjected to fines of up to $2,500 for each violation, which Harris intends to seek for each copy of the unlawful app downloaded by California consumers.

According to developer Ian Broyles, his “Versagram” app is downloaded between 6,000 and 10,000 times each day. Without an appropriate privacy policy, developers of comparable apps could be exposed to millions of dollars in fines each day under Harris’s enforcement plan.

Scarier still, the most popular apps already are being downloaded hundreds of thousands of times each day. Developer OMGPOP’s “Draw Something” app averaged more than 800,000 downloads per day in the first six weeks after its release earlier this year. Although it is unclear how many of those downloads may be attributed to California consumers, a developer of a wildly popular app could potentially face tens or even hundreds of millions of dollars in fines for a single day in violation of CalOPPA.

For more information about compliance with CalOPPA and other state and federal privacy laws, contact Stephanie O. Sparks, Chair of our Intellectual Property practice group.