On October 30, California Attorney General Kamala Harris announced that her office is notifying up to 100 companies and mobile application developers that they are not in compliance with the state’s Online Privacy Protection Act (“CalOPPA”). According to Harris’ sample letter, the problem is that the offending apps downloadable through the Apple App Store and Google Play platforms do “not currently have a privacy policy reasonably accessible for consumers.” [emphasis added] Under the Act, operators of commercial websites or online services that collect personally identifiable information from California consumers have 30 days to comply or face enforcement action that includes penalties up to $2500 for each time an app is downloaded. Thus, Harris asks companies to respond in that timeframe with either specific plans and a timeline to comply, or “why you believe this app is not covered by CalOPPA.” No list of offending companies has been released, but it has been reported that a couple of airlines and OpenTable have each received letters.
This latest crackdown will come as no surprise to privacy practitioners: As the press release reminds folks, in February, Harris engaged seven leading mobile and social app platforms which agreed to privacy principles that allow consumers the opportunity to review an app’s privacy policy in a consistent location in the platform store before the app is downloaded. In July, Harris announced the creation of the Privacy Enforcement and Protection Unit within her Department to focus on civil prosecution of state and federal privacy laws. Earlier this month, Harris used social media to tip off one company about problems: http://twitter.com/CalAGHarris. As the only state to require privacy policies for mobile applications in addition to websites, and with the NTIA-led multi-stakeholder discussions on a mobile app privacy code of conduct going nowhere fast, California is positioned to exert considerable influence in the app privacy space for the foreseeable future.
