By: Linda L. Goodman
The California Business and Professions Code Section 22575-22579 (“CalOPPA”) requires that “an operator of a commercial website or online service that collects personally identifiable information (“PII”) through the Internet about individual consumers residing in California who use or visit its commercial website or online service” must post a privacy policy that complies with specified requirements. [Cal. Bus. & Prof. Code § 22575(a) and (b).] The privacy policy must be “conspicuously” posted, and in the case of an online service, “reasonably accessible … for consumers of the online service.” [Cal. Bus. & Prof. Code § 22575(a) and § 22577(b)(5).] A website or online service operator that collects PII and “fails to post its policy within 30 days after being notified of noncompliance” is in violation of CalOPPA. [Cal. Bus. & Prof. Code § 22575(a).]
An operator of a mobile application (“app”) that uses the Internet to collect PII is an “online service” within the meaning of CalOPPA. An app’s commercial operator must therefore conspicuously post its privacy policy in a means that is reasonably accessible to the consumer within the app itself. Having a website with the applicable privacy policy conspicuously posted may be adequate, but only if a link to that website is “reasonably accessible” to the user within the app. Violations of CalOPPA may result in penalties of up to $2,500 for each violation, i.e., for each copy of the unlawful app downloaded by California consumers. [Cal. Bus. & Prof. Code § 17206(a).]
This past year, the California Attorney General’s Office created a new Privacy Enforcement and Protection Unit. This unit’s sole task is to enforce California Privacy laws. On October 26, 2012, the California Attorney General began notifying hundreds of mobile app developers and commercial operators that their apps available through the Apple App Store and Google Play platforms failed to have a privacy policy reasonably accessible for consumers and provided a 30 day notice to post the appropriate policy.
On December 6, 2012, the California attorney general filed the first of what is likely to be many suits against companies that develop, sell, or operate mobile applications, alleging that the lack of a privacy policy accessible in the app itself violates CalOPPA. The complaint, filed in San Francisco Superior Court, asserts that Delta Airlines’ app collects customer information, including name, telephone number, email and mailing address, along with sensitive personal information such as birth dates and credit card numbers, but lacks access to the privacy policy as required by CalOPPA.
Compliance Recommendation: Have a website with the applicable privacy policy conspicuously posted and be sure that the link to that website is “reasonably accessible” to the user within the app. If that policy changes at any time, be sure to post or link the new policy notifying the consumer that the policy has been updated or changed. Remember, you can only use the consumer’s data in the manner in which you informed them you would use it on the date of collection. Therefore, all changes to a privacy policy expanding your ability to use the data in a broader or different manner, is going forward with new data collection.
______________________________________________________________________
This article is a publication of The Goodman Law Firm and is intended to provide information on recent legal developments. This article does not create an attorney-client relationship, nor should it be construed as legal advice or an opinion on specific situations. This may constitute “Attorney Advertising” under the Rules of Professional Conduct and under the law of other jurisdictions.
Linda L. Goodman is the founder of The Goodman Law Firm, concentrating its practice in internet business and law. Her firm’s clients include Advertisers, Affiliates, Affiliate Networks, and ISP’s.
© 2012 TGLF, A.P.C.