On Jan. 10, 2013, California Attorney General Kamala D. Harris issued a publication titled Privacy On The Go: Recommendations for the Mobile Ecosystem.1 The issuance of these guidelines takes place approximately one month after the Attorney General filed the first enforcement action under California’s Online Privacy Protection Act (“CalOPPA”) against a company providing a mobile application.2 As privacy enforcement appears likely to continue, businesses operating in the mobile ecosystem should review the recommendations and their practices to ensure compliance with federal and state privacy laws, including CalOPPA.
Because CalOPPA and other privacy laws were enacted before mobile technology became widespread, it remains to be seen how CalOPPA will be interpreted by the courts in the context of mobile technology.7 In the meantime, the Attorney General’s recommendations provide guidance as to potential areas of scrutiny by the Attorney General.
The recommendations include some specific guidance on issues that have been recently debated. For example, the Attorney General includes unique device identifiers within its definition of personally identifiable data. The Attorney General also includes precise geo-location data within the definition of sensitive information. These positions may be addressed in other venues, and the Attorney General expressly invites the National Telecommunications and Information Administration to consider the guidelines in developing codes of conduct.
The Attorney General’s recommendations also include the concept of “surprise minimization,” and recommends steps to reduce surprise to consumers when an app collects personally identifiable data that is not necessary to the app’s basic functionality. To combat such surprise, the Attorney General recommends enhanced measures and special notices intended to draw users’ attention to unexpected data practices, delivered in context and just-in-time. The Attorney General also advocates the use of “short privacy statements” to highlight these unexpected practices and allow users to easily review and change settings.
The Attorney General also issues special caution to businesses directed to or collecting data from children under the age of 13. Such practices not only implicate sensitive issues unique to children, but may also subject businesses to additional obligations under laws such as the Children’s Online Privacy Protection Act, which was recently amended.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact the following Morgan Lewis lawyer:Del-Sesto-Ronald
2 The Online Privacy Protection Act of 2003, Cal. Bus & Prof. Code § 22575 et. seq. (2004)
This article was originally published by Bingham McCutchen LLP.