Got Privacy? Cali is Watching, Especially for Mobile Apps

Under the California Online Privacy Protection Act (Bus. & Prof. Code §§ 22575-22579), websites or online services collecting personally identifiable information from California consumers shall “conspicuously post its privacy policy”. There are a number of requirements for such a policy, including that it address how the operator responds to Web browser “do not track” signals.

While encouraged by improved compliance with CalOPPA among mobile apps, outgoing Attorney General Kamala Harris noted that studies have found deficiencies in disclosing how apps share information with third parties, and in compliance among health and fitness mobile apps.

A Carnegie Mellon University (“CMU”) analysis of almost 18,000 popular free apps from the Google Play store found almost half lacked a privacy policy, even though 71 percent of those appear to be processing personally identifiable information.

The report noted:

Even those apps that had policies often had inconsistencies. For instance, as many as 41 percent of these apps could be collecting location information and 17 percent could be sharing that information with third parties without stating so in their privacy policy. . . .

For instance, one common error is to build an app that uses Google Maps, but fail to mention the processing of location information in the related privacy policy. Whenever you’re using Google Maps, you’re effectively sharing personal information with Google.

In response, Attorney General Harris is seeking to “crowdsource” privacy policy violations by the creation of an online reporting tool for privacy violations. The form (see image below) explains to consumers that a website or app may violate the law if:

• it lacks a privacy policy
• its privacy policy is hard to find
• its privacy policy does not contain all the information required by law
• it does not follow its own privacy policy, or
• it does not notify users of significant changes to its privacy policy

[Image: privacy complaint form]

In addition, California is partnering with the Usable Privacy Policy Project at CMU (see video below) to develop a tool that will identify mobile apps that may be in violation of CalOPPA. The tool is designed to look for discrepancies between the disclosures in a given privacy policy and the mobile app’s actual data collection and sharing practices (for example, a company might share personal information with third parties but not disclose that in its privacy policy). This tool will help proactively identify and focus attention on policies that may require enforcement.