• California Attorney General Announces Agreement on Privacy Policies for Mobile Applications
  • March 2, 2012 | Authors: Mauricio F. Paez; Elaine Wallace
  • Law Firms: Jones Day - New York Office ; Jones Day - San Francisco Office
  • On Wednesday, February 23, 2012, California's Attorney General announced an agreement with the six largest mobile device companies that will require privacy policies for mobile applications. The agreement is the result of negotiations that began in August 2011 between the California Attorney General and Amazon.com, Apple, Google, Hewlett-Packard, Microsoft, and Research in Motion. The agreement is designed to ensure compliance with the California Online Privacy Protection Act, which according to California's Attorney General requires mobile applications that collect personal data from California consumers to have a conspicuous privacy policy.

    The California Online Privacy Protection Act, Bus. & Prof. Code § 22575, requires that "an operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy." Personally identifiable information is information that can be used on its own, or in combination with other information, to identify an individual, such as name, address, telephone number, email address, or Social Security number. Under the act, a privacy policy must describe the kind of information that is collected, how it is shared, and the process, if one exists, by which a user can review and make changes to his or her personal information.

    In a statement announcing the agreement, California's Attorney General noted that mobile devices have become the means by which most people access applications and browsers, yet privacy practices in the mobile space have lagged behind those in the traditional browser-based internet access space. According to a 2011 Wall Street Journal report, 45 of the top 101 mobile applications have no privacy policy. California's Attorney General also cited a study by TrustE and Harris Interactive that found that only 19 percent of the top 340 free applications contain a link to a privacy policy and that only 5 percent of all mobile applications have a privacy policy.

    Under the agreement, a mobile application that collects personal data from a user must include a conspicuous privacy policy that describes the application's privacy practices and provides "clear and complete" information on how personal data is collected, used, and shared. To increase developer awareness of privacy issues, the application submission process for new or updated applications must include an optional data field for the text of the privacy policy or a hyperlink to the policy. The agreement also requires the mobile device companies to create a process for users to report noncompliant applications and for companies to respond to such reports.

    The agreement calls for the mobile device companies to continue to work with California's Attorney General to develop best practices for mobile privacy and model mobile privacy policies. The companies and California's Attorney General will meet again within six months to evaluate privacy in the mobile space, including the utility of education programs regarding mobile privacy.

    The agreement states that it is not intended to impose legally binding obligations, but that California's Attorney General will ensure that mobile applications comply with the law. It also makes clear that any action a company takes with respect to a noncompliant application will not limit law enforcement or any other regulator's right to pursue an action against the developer.

    Companies that collect personal data through mobile applications or otherwise through mobile devices should evaluate their existing data collection and privacy policies. This will require companies to determine what changes, if any, should be made to data collection practices and policies in order to remain compliant with the California Online Privacy Protection Act and other relevant laws.