Skip to content

It looks like we may have content for your preferred language. Would you like to view this page in English?

California AG Files First Suit for Alleged Mobile App Privacy Policy Violations

After serving notice that mobile app companies must comply with California's online privacy statute, last week Attorney General Kamala Harris filed the first of what is likely to be many suits against companies that develop, sell or operate mobile applications, alleging that the app's privacy policy - or lack thereof - violates the California Online Privacy Protection Act (CalOPPA). At the end of October, she gave some 100 companies, including many that offer some of the most popular apps on the mobile market, 30 days to take action. The complaint, filed Dec. 6, 2012, in San Francisco Superior Court, asserts that the company's app collects customer information, including name, telephone number, email and mailing address, along with sensitive personal information such as birth dates and credit card numbers, but lacks a privacy policy, as CalOPPA requires.

The California statute provides that "[a]n operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on its Web site," and includes specific requirements for the content of privacy policies. Operators of "online services" must make that policy reasonably accessible to those consumers.

On October 30, 2012, AG Harris announced that her newly formed Privacy Enforcement and Protection Unit had started sending letters to companies that develop, sell or operate apps, reminding them of their obligations under the law. The notice letters warned the companies that they had 30 days to bring their apps into compliance by conspicuously posting a privacy policy within their app that informs users of what personally identifiable information about them is being collected and what will be done with that private information. Having a website with the applicable privacy policy conspicuously posted might adequately meet the statutory requirement, but only if a link to that website is "reasonably accessible" to the user within the app, according to the letter. It stated that companies that fail to comply face fines of $2,500 per download.

With this lawsuit, AG Harris continues to make clear that the mobile space will be one of the targets of her office's privacy efforts. In February 2012, she announced that her office had reached an agreement with the major providers in the mobile market to implement privacy principles designed bring the industry in line with California law.
This client alert is a publication of Loeb & Loeb LLP and is intended to provide information on recent legal developments. This client alert does not create or continue an attorney client relationship nor should it be construed as legal advice or an opinion on specific situations.

Circular 230 Disclosure: To assure compliance with Treasury Department rules governing tax practice, we inform you that any advice (including in any attachment) (1) was not written and is not intended to be used, and cannot be used, for the purpose of avoiding any federal tax penalty that may be imposed on the taxpayer, and (2) may not be used in connection with promoting, marketing or recommending to another person any transaction or matter addressed herein.