Mobile application businesses should consider reviewing their practices for compliance with federal and state privacy laws, including California’s Online Privacy Protection Act (“OPPA”).1 On Oct. 30, 2012, after several indications of an increased commitment to privacy protections for mobile users, California Attorney General Kamala D. Harris issued a press release confirming that the Privacy Enforcement and Protection Unit has begun to formally notify mobile app companies of noncompliance with OPPA.
OPPA requires an operator of a website or online service that collects personally identifiable information from California consumers to post a conspicuous privacy policy. While the law has seen little activity since it went into effect in 2004, there have been several recent indications that this may change. In Feb. 2012, Attorney General Harris announced an agreement intended to bring the mobile industry in line with OPPA2 and in July 2012, the Attorney General announced a new Privacy Enforcement and Protection Unit within the Department of Justice.3
The Attorney General’s latest press release, issued Oct. 30, 2012, confirms that the state has begun formally notifying mobile application companies of potential noncompliance with OPPA.4 According to the press release, the state will send letters to up to 100 apps perceived to be noncompliant, starting with the most popular apps available on mobile platforms. Attorney General Harris confirmed that “[p]rotecting the privacy of online consumers is a serious law enforcement matter. […] It is critical that we take all necessary steps to enforce California’s privacy laws.”
Attorney General Harris also released a sample letter directed to alleged noncompliant companies. This letter provides that within 30 days, the notified party must either respond with specific plans for compliance with OPPA, or explain why the notified party believes the app is not covered by OPPA. The letter also confirms the Attorney General’s intent to enforce OPPA through California’s Unfair Competition Law, which permits penalties of up to $2,500 per violation (and the Attorney General claims each copy of the alleged unlawful app downloaded by California consumers constitutes a violation).
The Attorney General referred to these letters as a “first step” toward enforcing OPPA, confirming the state’s plan to apply existing privacy law to new technologies such as mobile devices. Because OPPA and other privacy laws were enacted before mobile technology became widespread, it remains to be seen how enforcement by the state or private parties may proceed and how the courts will address defenses under OPPA. These issues and potential defenses are addressed in further detail in our recent article published in Law360.5
In light of these developments, those doing business in California should review privacy policies and practices to assess how these new developments might affect such businesses.
1 The Online Privacy Protection Act of 2003, Cal. Bus & Prof. Code § 22575 et. seq. (2004)
2 http://www.bingham.com/Alerts/2012/02/California-Attorney-General-Announces-Privacy-Protocol-for-App-Developers
This article was originally published by Bingham McCutchen LLP.