California law is clear that mobile apps collecting personal information need privacy policies, and that the users of those apps deserve to know what is being done with their personal information.
The Law: California Online Privacy Protection Act of 2003
California Business & Professions Code Sections 22575 – 22579
An operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California; shall
- the CATEGORIES OF PERSONALLY IDENTIFIABLE INFORMATION (PII) COLLECTED;
- the CATEGORIES OF PII SHARED WITH THIRD PARTIES;
- the PROCESS to REVIEW AND REQUEST CHANGES TO PII (if any);
- its EFFECTIVE DATE
Liability attaches only if a web operator fails to post a policy within thirty (30) days of being notified of non-compliance.
Application to Mobile Apps and Delta Lawsuit
California Attorney General Harris has taken the position that CalOPPA applies to mobile platforms as well, and has secured commitments from mobile and social app makers to include privacy policies. This fall, Harris began sending notices of non-compliance to a number of companies, explaining that
an operator of a mobile application (“app”) that uses the Internet to collect PII is an “online service” within the meaning of CalOPPA.
One such company was Delta Air Lines, with its Fly Delta mobile app.
Delta failed to correct the non-compliance within the 30-day period, thereby triggering the California Attorney General’s action to restrain further violations and to seek $2,500 in damages per app downloaded in violation. The suit follows the creation of a new Privacy Enforcement Unit within the Attorney General’s Office.