California Targets Mobile Apps For Missing Privacy Policies

Mobile app developers that don't post conspicuous online and in-app privacy policies will face a $2,500 fine per download.

Mathew J. Schwartz, Contributor

October 31, 2012


Mobile app developers, beware: California is set to begin fining mobile app developers that release apps that lack a clear -- and easily accessible -- privacy policy.

The state's Attorney General, Kamala D. Harris, this week began notifying numerous businesses that collectively develop as many as 100 different mobile apps that they're currently breaking the California Online Privacy Protection Act -- a.k.a. CalOPPA -- by not having such privacy policies in place. In letters dated Oct. 29, the businesses were informed that they have "30 days to conspicuously post a privacy policy within their app that informs users of what personally identifiable information about them is being collected and what will be done with that private information," according to a statement released by Harris's office.

Violators will face fines of up to $2,500 for every non-compliant app that gets downloaded. "Protecting the privacy of online consumers is a serious law enforcement matter," said Harris in a statement. "We have worked hard to ensure that app developers are aware of their legal obligations to respect the privacy of Californians, but it is critical that we take all necessary steps to enforce California's privacy laws."

According to Harris's office, the California Online Privacy Protection Act "requires commercial operators of online services, including mobile and social apps, which collect personally identifiable information from Californians, to conspicuously post a privacy policy." To help enforce those privacy protections, the state's Attorney General recently added a new privacy enforcement and protection unit.

Businesses that received the state's privacy-warning letters this week included the airlines Delta and United Continental, as well as OpenTable, reported Bloomberg.

Delta spokeswoman Chris Kelly Singley confirmed by email that "we have received the letter from the Attorney General and intend to provide the requested information." Likewise, United spokeswoman Mary Clark said via email that the company is "taking all steps necessary and appropriate to ensure compliance with California law as it relates to our mobile app." She also noted that United's customer privacy policy, available on its website, details the types of personally identifiable information that the company collects, as well as for what purpose, although that privacy policy currently makes no reference to any mobile app.

OpenTable didn't immediately respond to an emailed request for comment.

Under California law, businesses that have been notified that they're violating the state's privacy law have 30 days to post a conspicuous privacy policy both online and in their mobile apps. In the warning letter sent by the California Attorney General's office, notified businesses were told that they must also respond, within 30 days, with details of their "specific plans and timeline to comply" with the state's privacy law, or else provide an explanation for why the business believes its app isn't covered by the law.

Harris first began warning businesses that their mobile apps had to comply with the state's privacy law in February, when she announced that as part of a legal settlement, the six businesses with the largest mobile app distribution platforms -- Amazon, Apple, Google, Hewlett-Packard, Microsoft, and Research In Motion -- had agreed to a set of privacy principles, which include allowing consumers to review the privacy policy for any app before they download it. At the time, according to Harris, a majority of apps lacked any privacy policy. In June, meanwhile, Facebook announced that it would also abide by those mobile-app privacy principles.

When it comes to protecting consumer privacy, California continues to be on the leading edge, and its efforts have had influence far beyond the state's borders. Notably, the state was the first to pass mandatory data-breach-notification legislation, via S.B. 1386. That law requires any business that experiences a breach to notify affected state residents, unless the breached data was encrypted. But the alerts also helped residents of other states learn about breaches that may have involved their personal information. California's law also became the model for other states, almost all of which now have data-breach notification requirements in place. In contrast, Congress has been unable to pass a national data breach notification law.

[Editor's note: Story updated 11:45 a.m. 10/31 to add comment from United.]

About the Author

Mathew J. Schwartz

Contributor

Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.
