Privacy on the Move – California Imposes New Requirements on Mobile Apps

A vast array of companies are actively entering the mobile application space as a means of gaining market share and solidifying guest relations. The trend is not limited to online service companies; firms as disparate as shopping centers, airlines, and travel agents rely on mobile applications to enhance their business. However, as mobile applications gain popularity, these companies must consider how privacy and security laws will impact how they can use those applications.

For companies with operations in California, that issue was highlighted on December 6, 2012, when the California Attorney General filed a lawsuit against Delta Airlines for failing to include a privacy policy with a smartphone application. The lawsuit, the first of its kind, alleges that Delta violated California law requiring online services to “conspicuously post its privacy policy” by failing to include such a policy with its “Fly Delta” mobile application.

The California online privacy law

In 2004, California enacted the California Online Privacy Protection Act (“CalOPPA”). This law requires operators of websites and online services to “conspicuously post” privacy policies about the personal information that is collected, how the consumer can access or request changes to personal information, how the operator of the site will notify consumers of changes, and the effective date of the policy.

In the case of an online service, “conspicuously posting” a privacy policy requires that the policy be “reasonably accessible…for consumers of the online service.”

CalOPPA does not define an “online service” or mention “mobile” or “smartphone” applications, likely due to the fact that in 2004, smartphones and mobile applications were just being developed. However, the California Attorney General considers any service available over the internet or that connects to the internet, including mobile apps, to be an “online service.”

California Attorney General becomes active

In 2011 the Attorney General contacted the six leading operators of mobile application platforms – Apple, Amazon, Google, Hewlett-Packard, Microsoft and Research in Motion – to discuss mobile app compliance with CalOPPA. On February 22, 2012, the Attorney General reached an agreement with these companies on a set of principles. The principles require, among other things, that mobile applications include a conspicuously posted privacy policy describing the app’s privacy practices, and that the policy appear in a consistent location on the app download screen.

Following up on this development, in October 2012, the California Attorney General’s office sent letters to a number of mobile application makers that did not have a privacy policy reasonably accessible to app users, giving them 30 days to respond or make their privacy policies accessible in their apps. Delta’s response was not definitive, and the Attorney General sued. The risks are high – failure to comply with CalOPPA can result in fines of up to $2,500 for each violation.

National (and international) implications from this California development?

While California is the only jurisdiction to have applied its (9 year old) privacy law to mobile applications to date, California is widely regarded as a leader in consumer privacy, and many states look to California for guidance. If California did this by administrative interpretation, so could a lot of other states.

In any event, CalOPPA will have a broad reach, because it applies to:

“… [any] operator of a commercial website or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial website or online service….”

Thus, website or online service operators must comply with CalOPPA if they do business with any California consumers. With the size of California’s population and the importance of its market, the practical effect of CalOPPA will force an overwhelming number of online businesses (including mobile app developers) to comply with it.

As a result, any firm that use smartphone apps as part of their “mobile strategy,” must make privacy policies accessible to app users, by including the privacy policy within the app itself or by creating an icon or text link to a readable version of the privacy policy, which may be part of a company’s overall web privacy policy. Moreover, mobile applications should be designed with security and privacy in mind.

Robert E. Braun is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Bob helps clients to develop and implement privacy and information security policies, negotiate agreements for technologies and data management services, and comply with legal and regulatory requirements. He helps clients to develop and implement data breach response plans, and he and his team respond quickly to clients’ needs when a data breach occurs. Contact Bob at or +1 310.785.5331.