Privacy Policies Now a Must for Mobile Apps

The National Law Review recently published an article, Privacy Policies Now a Must for Mobile Apps, written by Tanya L. Curtis, Leonard A. Ferber, and Doron S. Goldstein of Katten Muchin Rosenman LLP:

California has long been a leader in privacy legislation. That position was strengthened recently when the California Attorney General filed a first-of-its-kind lawsuit against a company for its failure to include a privacy policy with a smartphone application. The lawsuit, filed on December 6 against Delta Airlines, alleges that the airline violated California law requiring online services to “conspicuously post its privacy policy” by failing to include such a policy with its “Fly Delta” mobile application. This action by the state of California has broad implications for anyone developing or distributing mobile apps.

Background

In 2004, California enacted the California Online Privacy Protection Act (CalOPPA), requiring commercial operators of websites and online services to conspicuously post detailed privacy policies to enable consumers to understand what personal information is collected by a website and the categories of third parties with which operators share that information. CalOPPA provides that “an operator shall be in violation of this [posting requirement] only if the operator fails to post its policy within 30 days after being notified of noncompliance,” and if the violation is made either (a) knowingly and willingly or (b) negligently and materially. In the case of an online service, “conspicuously posting” a privacy policy requires that the policy be “reasonably accessible…for consumers of the online service.”

While CalOPPA does not define an “online service” or specifically mention “mobile” or “smartphone” applications, the California Attorney General considers any service available over the internet or that connects to the internet, including mobile apps, to be an “online service.” In light of this interpretation, in 2011 the Attorney General’s office contacted the six leading operators of mobile application platforms in an attempt to improve mobile app compliance with CalOPPA. In February 2012, the Attorney General reached an agreement with these companies on a set of principles designed to ensure that mobile apps include a conspicuously posted privacy policy where applicable law so requires (such as in California), and that the policy appear in a consistent location on the app download screen.

Delta markets its Fly Delta mobile app through various online “app stores.” Among other things, the Fly Delta app allows customers to check in to flights, rebook cancelled flights and pay for checked baggage. Delta has a website that includes a privacy policy, but that policy did not mention the Fly Delta app or the types of information collected from the app.

The Case

In October, the California Attorney General’s office sent letters to a number of mobile application makers, including Delta, that did not have a privacy policy reasonably accessible to app users, giving them 30 days to respond or make their privacy policies accessible in their apps. Delta either forgot about or ignored the letter, and the Attorney General filed suit.

The complaint stated that the Fly Delta application did not have a privacy policy within the application itself or in the app stores from which the application could be downloaded. The complaint also noted that, while Delta’s website has a privacy policy, the policy does not mention the Fly Delta app or the personal information collected by the app, and is not reasonably accessible to consumers who download the app. Since Delta failed to respond to the October letter, the Attorney General charged the airline with violating California law by knowingly and willfully, or negligently and materially, failing to comply with CalOPPA. And, in a separate charge under a provision of CalOPPA not requiring 30 days’ notice of noncompliance, the Attorney General alleged that Delta failed to comply with the privacy policy posted on its own website, in that the Fly Delta app does not comply with that policy. The complaint asks for damages of $2,500 for each violation, presumably for each download.

What You Need to Know

While California is currently unique in applying its privacy law to mobile applications, many states look to California, as a leader in this area, for guidance. CalOPPA applies to any “operator of a commercial website or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial website or online service…” In light of California’s large population, the practical effect of CalOPPA is that an overwhelming number of online businesses (including mobile app developers) must comply with it.

It is now clear that virtually all mobile or smartphone app makers, as well as companies that use smartphone apps as part of their “mobile strategy,” must make privacy policies accessible to app users. The actions of the California Attorney General also make it clear that there is a cost to noncompliance. Such accessibility can be achieved either by including the privacy policy within the app itself or by creating an icon or text link to a readable version of the privacy policy, which may be part of a company’s or developer’s overall web privacy policy.

©2012 Katten Muchin Rosenman LLP

Published by

National Law Forum