Stephen S. Wu, SL: Legal Writer, (408) 573-5737, 50 W. San Fernando St., Ste. 750, San Jose, CA 95113

California Attorney General Warns Apps Developers to Post Privacy Policies

On October 7, I wrote that developers of mobile apps should create, maintain, and update their privacy policies, and make sure their policies match their information practices. I cited California’s Online Privacy Protection Act (OPPA) of 2003, which requires commercial websites or online services that obtain personally identifiable information about California consumers to post their privacy policies. On October 30, California Attorney General Kamala Harris weighed in on this same issue by sending out a press release saying that she had begun notifying apps developers to post their privacy policies, citing Cal. OPPA.

According to the release, the AG gave companies 30 days to post their policies to tell users what information they are collecting and how they will use that information. The AG is sending out letters to developers corresponding to groups of 100 applications at a time. Consequently, this is a large-scale set of notices sent to the industry.

It appears that Attorney General Harris is taking an aggressive stance that mobile apps are covered by Cal. OPPA. She does not distinguish between different types of apps, however, and an app developer could contend that it is not an “online service” within the meaning of the law. I believe a reasonable interpretation of the law would say that a company that provides an app service that gathers personally identifiable information through the mobile Internet is an operator of an “online service.”

Nonetheless, the answer isn’t as clear for the developer of an app that is simply downloaded and runs stand-alone on the mobile device without communicating with the network or the service provider. For instance, many games run on the device without connecting to the network. A manufacturer of such an app could claim that it provides no services online and is just providing a product, so it isn’t an “online service” within the meaning of OPPA.

For many reasons, I believe it is better for an app developer to have a privacy policy than not. For instance, people may want to know the privacy practices of the developer, even if the developer says only that once the app is purchased, the company collects no personal information whatsoever. Thus, it helps bolster the reputation of the company with the privacy community and customers concerned about privacy. A policy may also deflect the claim that the failure to post a policy is an unfair or deceptive trade practice. General laws prohibiting such practices may apply even if OPPA does not.

For now, the AG seeks to create relationships with the largest industry players to create voluntary codes of conduct. The press release mentions an agreement Harris hammered out with Amazon, Apple, Facebook, Google, HP, Microsoft, and Research in Motion on a set of privacy principles reflecting the interfaces used by mobile devices and also offering users access to notices of privacy practices before they download apps. It may be that voluntary standards will result in significant improvements in privacy practices among apps developers. At the same time, her release makes it clear that a failure to comply with the State’s broad reading of OPPA may lead to enforcement actions, with potential penalties of $2500 for each download of a non-compliant app.