California Attorney General Kamala Harris announced two major initiatives this year that indicate the California Department of Justice is likely to increase enforcement of both state and federal privacy and data security laws against app developers and owners.
Mobile and Social App Platform Providers Industry Agreement
In February 2012, Attorney General Harris brokered a Joint Statement of Principles (the “Joint Statement”) with six large mobile and social platform providers (Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research in Motion) to increase privacy protections for consumers. Facebook also signed the Joint Statement in June 2012 (all seven companies, collectively, the “Platform Providers”). The purpose of the Joint Statement is to strengthen privacy protections for consumers who use apps on their mobile phones, tablets and other devices.
Under the Joint Statement, the Platform Providers committed to adhere to the following principles: (1) all apps made available via the Platform Providers’ platforms that collect personal information should have a conspicuously posted privacy policy that clearly and completely describes how consumers’ personal data is collected, used and shared; and (2) users should have the opportunity to view an app’s privacy policy before they decide whether they want to download the app.
In practice, this means the Platform Providers are modifying their platforms so that app owners may post (and consumers may view) an app’s privacy policy before the consumer downloads the app, and consumers can view the privacy policy in one consistent location that is easy for the consumer to access. The Platform Providers will step up enforcement against app developers and owners whose apps do not have privacy policies, and they will create mechanisms through which consumers may report: (1) apps or developers who do not post privacy policies; (2) inaccurate privacy policies; and (3) apps or developers that violate the law or the Platform Providers’ user agreements.
California Department of Justice – Privacy Enforcement and Protection Unit
On July 19, Attorney General Harris announced the creation of the Privacy Enforcement and Protection Unit (“Privacy Protection Unit”) that will increase enforcement of privacy law breaches and educate consumers on privacy issues. The Privacy Protection Unit will be a division of the eCrime Unit (which Attorney General Harris established in 2011 to prosecute identity theft, data intrusions and other crimes involving technology), and it will be staffed with Department of Justice employees, including six prosecutors who will focus solely on (1) policing companies’ and individuals’ privacy practices; and (2) prosecuting violations of both California and federal privacy laws including, without limitation, laws relating to (a) cyber privacy, (b) health privacy, (c) financial privacy, (d) the collection, retention, disclosure and destruction of personal or sensitive information and (e) data breaches.
Enforcement Actions Against App Developers and Owners
There is a wide range of state and federal privacy and data security laws that the California Department of Justice may seek to enforce, including, without limitation: (1) the California On-Line Privacy Protection Act, which may be invoked if you do not post a privacy policy; (2) California’s Unfair Competition Law and/or False Advertising Law, which may be invoked if you have an inaccurate privacy policy or fail to comply with your privacy policy; (3) federal privacy laws, such as the Children’s On-Line Privacy Protection Act and the Health Insurance Portability and Accountability Act, which may apply if you collect information from children under the age of 13 or certain health information; and (4) California’s state security breach notification law, which may be invoked if you experience a security breach involving certain electronic, unencrypted personal information. Penalties for breach of these laws range from several hundred dollars to several million dollars, and the publicity arising from such a suit could cost a business even more in actual or future sales.
App developers and providers may also be sued for breach of contract by the Platform Providers if they do not comply with the Platform Providers’ terms of use agreements.
Tips for Complying With State and Federal Privacy and Data Security Laws
1. Develop a privacy policy that clearly and accurately describes how you collect, use and disclose consumers’ personal information. (Do not copy a privacy policy from another app. Each privacy policy must be customized to account for: (a) the specific technology used by the app; (b) the specific information collected by means of an app; and (c) your business practices in using and disclosing such information.)
2. If you add new features to your app or alter your business practices relating to the information you collect via your app, remember to update your privacy policy to accurately reflect these changes.
3. If your app is available via a platform operated by a Platform Provider, contact the applicable Platform Provider to see what mechanisms it will make available to help you conspicuously display your privacy policy.
4. Implement a company-wide data security program that reflects best practices in your industry, and if you suspect there might have been a data security breach, immediately call your attorney to discuss next steps.
If you have any questions about whether your app complies with applicable privacy and data security laws, if you need help in preparing a privacy policy or if you suspect your company experienced a data security breach, please contact Helen Christakos at (650) 696-2545 or at hchristakos@carr-mcclellan.com.