California’s Mobile Application Privacy Regulation

Posted by Mark Greisiger

A Q&A with Ronald Raether, Jr.
In an increasingly device-dependent world, the issue of data integrity with regard to mobile applications is becoming ever more critical. In California, the attorney general brought a case against Delta Airlines for not warning customers that it was collecting sensitive data. I asked Ronald Raether, Jr., defense attorney and partner at Faruki Ireland & Cox in Dayton, OH, about the case and its implications for liability and regulatory exposure.

What is the California requirement regarding mobile app privacy policy?
The apparent mobile app privacy policy requirement in California came out of the Online Privacy Protection Act (OPPA), which has been in place since July 2004. Beginning in 2012, the California attorney general has actively pushed the position that OPPA covers mobile apps based on the argument that they come within the coverage of online services being offered through the internet. Since then, the attorney general put together a joint statement of principle with a number of leading mobile app platform providers and in January of 2013, released a document called Privacy on the Go, which describes the requirements of OPPA as they relate to mobile app compliance. The issues it covers include transparency, data minimization (collecting only as much information as you need for the purpose you describe to the consumer), app functionality and accountability. Basically, it boils down to the fact that the consumer shouldn’t be surprised by what information is collected by the app and how it is used.

Do you think this can be an exposure that impacts many companies across the US?
Any company offering a mobile app that is used by a California consumer is subject to this regulation, and since they can’t possibly isolate out that consumer, it applies to everyone. Companies have already been dealing with these jurisdictional questions with regard to websites since OPPA was introduced in 2004. The bigger issue is really how the regulation relates to startups and their need for revenue and cost avoidance, as well as the general ignorance around these obligations. Startups tend to focus exclusively on developing towards the concept, often without consideration for privacy or security. As a result, once a startup achieves some success, they could be putting all of their profits in jeopardy if they haven’t baked in compliance from the beginning. This is even more relevant in the case of mobile apps because the lack of real estate on the smaller screen means there’s less room for compliance announcements. In other states I think we will see similar legislation, like that being considered in Maine, and attorneys general scrutinizing companies’ policies and conduct and bringing unfair competition claims based on any inconsistencies. The FTC will likely follow suit. We’ve already seen this with the Path application, which was ordered to pay $800,000 to settle FTC charges that it didn’t live up to its privacy promises.

Can a California enforcement action lead to class action exposure?
Yes, it could lead to class action exposure, but I am not certain it will. For example, in the wake of the recent suit brought by the California attorney general against Delta, we have yet to see a private class action filed. The reason may be that there are no statutory damages that arise from the violation, so the incentives are not there for plaintiffs’ counsel.

What can a company do to mitigate their risk here?
A company should follow the letter of the law: if it’s offering online services via the internet or via a mobile app, the privacy policy as required by the statute needs to be addressed. We talked about startups earlier, but I will just reiterate that the privacy policy needs to be there from the beginning. And companies need to keep the promises of their policies—it’s not just a matter of putting it on paper and meeting the fine print of the statute; you have to be able to make sure that you’re actually doing what you said you would do. Privacy and security need to be built into the requirements and considered through development and beyond. The adage about being penny wise and pound foolish really applies here.

In conclusion…
To underscore the recommendations and insights of Mr. Raether, we see many companies deploying mobile apps simply as part of an internal marketing effort to appear cutting edge. Yet, too often this is done with little understanding of (a) what type of PII the app is collecting on users, (b) whether data is being leaked intentionally to third-party partners, (c) whether an embedded privacy policy is posted and followed, and (d) whether the app is secure. California always seems to be at the forefront of privacy and regulation, and other state AGs tend to follow its lead. With significant enforcement fines funding the state AG offices, it will be interesting to see where this trend goes.