California Takes Aim at Companies That Fail to Provide Privacy Policy In Mobile Applications

Does your company have a mobile app that collects information from users?  If so, then you may face fines in California if the app does not include a prominent link to a privacy policy that addresses the types of content you collect.

The increased risk is the result of a new initiative by the California Attorney General’s Office to enforce the California Online Privacy Protection Act of 2003 (“CalOPPA”) against developers and owners of mobile apps.  CalOPPA requires any operator “of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California” to make a privacy policy readily available to those consumers.  Among other things, the privacy policy must identify the specific categories of personal information collected, as well as the third parties with whom such information may be shared. 

The case filed last month against Delta Airlines is an illustration of this more aggressive enforcement policy.   The basis for the suit is Delta’s mobile app, Fly Delta, which allows a user to view and manage his or her flight, take pictures, and locate Delta services based on his or her location.  The complaint alleges that Delta violated CalOPPA because its privacy policy, while available on the company’s website, is not accessible within the Fly Delta app and does not discuss how Delta uses the photographs and location data collected by the app.  If the Attorney General prevails, Delta could face fines of $2500 for each time the app has been downloaded.

To promote privacy best practices, the Attorney General this month issued recommendations for the mobile app industry, adopting a “surprise minimization” approach.  The recommendations include a number of changes to how apps collect and share personal information, including using non-persistent device identifiers, higher security measures, and “enhanced” means of notification, such as special pop-up windows, when certain information is collected. 

California’s recent enforcement in this area is only the latest in an increasingly aggressive state and federal regulatory effort to address the issue of mobile privacy.  Now is a perfect time for companies with mobile applications to review and update their privacy policies to stay abreast of recent changes.  If you have questions about mobile privacy policies in California or generally, please contact Peter Guffin or Kyle Glover of Pierce Atwood LLP’s Privacy and Data Security Group.