California Attorney General Releases Recommendations for the Mobile Ecosystem

January 11, 2013

On Jan. 10, 2013, California Attorney General Kamala D. Harris issued a publication titled Privacy On The Go: Recommendations for the Mobile Ecosystem.1 The issuance of these guidelines takes place approximately one month after the Attorney General filed the first enforcement action under California’s Online Privacy Protection Act (“CalOPPA”) against a company providing a mobile application.2 As privacy enforcement appears likely to continue, businesses operating in the mobile ecosystem should review the recommendations and their practices to ensure compliance with federal and state privacy laws, including CalOPPA.

CalOPPA requires an operator of a website or online service that collects personally identifiable information from California consumers to post a conspicuous privacy policy. Attorney General Harris has made several moves over the last year to apply and enforce this law in the mobile arena. In February 2012, the Attorney General forged an agreement intended to bring the mobile industry in line with CalOPPA,3 and in July 2012, the state unveiled a new Privacy Enforcement and Protection Unit within the Department of Justice.4 Attorney General Harris began formally notifying mobile app companies of potential noncompliance with CalOPPA last fall 5 and, in December 2012, filed suit against Delta Airlines.6

Because CalOPPA and other privacy laws were enacted before mobile technology became widespread, it remains to be seen how CalOPPA will be interpreted by the courts in the context of mobile technology.7 In the meantime, the Attorney General’s recommendations provide guidance as to potential areas of scrutiny by the Attorney General.

According to the Attorney General, “[w]e are now offering this set of privacy practice recommendations to assist app developers, and others, in considering privacy early in the development process.”8 The recommendations were generated in consultation with a broad range of stakeholders, and acknowledge the importance of innovation and the tension between innovation and privacy. The recommendations are not limited to mobile app developers, but include guidance for other players in the mobile ecosystem, such as developers, platform providers, ad networks, operating systems and mobile carriers. The Attorney General’s guidance includes specific recommendations, such as encouraging mobile ad networks to avoid out-of-app ads delivered by modifying browser settings or placing icons on the mobile desktop, to move away from the use of persistent device identifiers, and to provide app developers with a privacy policy for the ad network that can be provided to end users.

The recommendations include some specific guidance on issues that have been recently debated. For example, the Attorney General includes unique device identifiers within its definition of personally identifiable data. The Attorney General also includes precise geo-location data within the definition of sensitive information. These positions may be addressed in other venues, and the Attorney General expressly invites the National Telecommunications and Information Administration to consider the guidelines in developing codes of conduct.

The Attorney General’s recommendations also include the concept of “surprise minimization,” and recommend steps to reduce surprise to consumers when an app collects personally identifiable data that is not necessary to the app’s basic functionality. To combat such surprise, the Attorney General recommends enhanced measures and special notices intended to draw users’ attention to unexpected data practices, delivered in context and just-in-time. The Attorney General also advocates the use of “short privacy statements” to highlight these unexpected practices and allow users to easily review and change settings.

The Attorney General also issues special caution to businesses directed to or collecting data from children under the age of 13. Such practices not only implicate sensitive issues unique to children, but may also subject businesses to additional obligations under laws such as the Children’s Online Privacy Protection Act, which was recently amended.

Significantly, the Attorney General acknowledges that the recommendations go beyond existing obligations under various privacy laws, but does not identify which recommendations the Attorney General views as required by existing laws and which recommendations go beyond existing laws. Thus, there remains a grey area as to when the Attorney General or others may claim violations of law for failure to adopt the recommendations. For instance, the implementation of measures like the short privacy statement may implicate uncharted aspects of CalOPPA’s requirements, such as what it means, in the context of a mobile application, to conspicuously post a privacy policy, and whether it matters that a more comprehensive policy is linked elsewhere either within the app or on a company’s website. In light of these developments, those doing business in California should review privacy policies and practices to ensure compliance with applicable privacy laws.  





2 The Online Privacy Protection Act of 2003, Cal. Bus. & Prof. Code § 22575 et seq. (2004).


This article was originally published by Bingham McCutchen LLP.