Stephen S. Wu, SL: Legal Writer, (408) 573-5737, 50 W. San Fernando St., Ste. 750, San Jose, CA 95113

Don't Forget Your App's Privacy Policy

Last week, I gave a presentation on data breaches at the Online Trust Alliance’s Online Trust Forum 2012 in San Jose. It was a great program about mobile commerce, privacy, security, and brand protection. During the conference, one of the speakers talked about how an informal study of mobile apps showed that many app companies do not have privacy policies. Even worse, only a small percentage of the companies have privacy policies that accurately reflect their actual practices in collecting, using, and sharing information. Companies without a privacy policy, or with an inaccurate one, are creating legal risk for themselves.

Legal risk can arise from class action complaints brought by law firms against companies that may have violated the law. Likewise, legal risk also stems from federal or state officials seeking to enforce federal or state laws. Both federal and state laws prohibit unfair and deceptive trade practices, and law enforcement officials can use these laws to seek monetary penalties from companies that violate them.

California’s Online Privacy Protection Act (OPPA) of 2003 requires commercial websites or online services that obtain personally identifiable information about California consumers to post their privacy policies. “Personally identifiable information” includes a first and last name, address, email address, telephone number, social security number, or any other identifier that permits physical or online contacting of a specific individual. Accordingly, the definition of “personally identifiable information” is quite broad, and broader than the scope of the security breach notification laws in California and other states. Violations of the law can occur even if the website operator or online service provider did not knowingly or willfully fail to comply.

OPPA not only says that operators of online services must have privacy policies, it also says that these privacy policies must cover certain topics. A privacy policy must identify the categories of information collected by the operator, the categories of others with whom the operator may share the information, any means for the consumer to review and request changes to the information, the process to notify consumers of changes to the policy, and the effective date of the policy.

One question is whether OPPA covers mobile apps on popular mobile platforms such as iOS and Android. California enacted the law in 2004, before the release of the first iPhone and the era of mobile apps. Accordingly, it appears out of date. Nonetheless, a company that provides an app service that gathers personally identifiable information through the mobile Internet is an operator of an “online service.” Accordingly, although no courts have looked at this issue, OPPA’s language appears broad enough to cover mobile apps.

Consequently, commercial makers of apps that collect personally identifiable information from California consumers and have no privacy policy are violating OPPA. Those that have an inaccurate privacy policy may be violating laws against unfair and deceptive trade practices. Areas of greater risk include companies that collect certain kinds of information, such as geolocation information, without notifying the user first. Also, companies that share information with third parties but do not tell the user are at risk. The upshot is that app makers should not forget to create, maintain, and update their privacy policies, and should make sure their policies match their information practices.