Hogan Lovells 2024 Election Impact and Congressional Outlook Report
On Tuesday, October 30, the Office of California Attorney General Kamala Harris issued a press release confirming that it had begun “formally notifying” mobile device application (“app”) operators that they are out of compliance with the notice provisions of the California Online Privacy Protection Act of 2003 (“CalOPPA”). Those companies — many of which are major marketers — now have 30 days to bring their apps in line with the statute’s privacy policy requirements or risk fines of up to $2,500 per app download.
As background, CalOPPA requires operators (i.e., owners) of commercial web sites or online services that collect personally identifiable information (“PII”) on California residents who use/visit the web sites or online service to “conspicuously post” a privacy policy. The Attorney General’s office has taken the position that mobile apps that use the Internet to collect PII are “online services” subject to CalOPPA. California’s population size makes it safe for most app developers to assume that California residents comprise at least a portion of the app’s download audience. This week, the Attorney General’s Office began sending letters to companies behind approximately 100 of the most popular apps asserting that they failed to “conspicuously post” the required privacy policy.
The letters are the latest effort by Harris to encourage companies to improve the transparency of their data privacy and security practices. In February 2012, she entered into a Joint Statement of Principles agreement with six major app store platforms, setting forth requirements related to app privacy (see our prior update here). Facebook later joined the agreement and is now requiring that all apps in its App Center have privacy policies.
Under the statute, the following information must be included in the privacy policy: (1) the categories of PII collected through the app and the categories of third-party persons or entities with whom the operator may share that PII; (2) the process by which consumers can review and request changes to any of their PII that was collected through the app, if the operator maintains such a process; (3) a description of the process by which the operator notifies app users of material changes to the policy; and (4) the effective date of the policy.
The letters are a reminder that app developers and their partners should review their app data privacy and security practices and ensure that any apps collecting PII comply with the CalOPPA requirements, as well as other applicable Federal and state laws.
Authored by Mark Brennan.