Nearly all businesses today are involved in some way in the development or distribution of mobile applications. The first part of this Client Alert highlights recent activities of the California State Attorney General to increase enforcement and provide further guidance on how to improve compliance of mobile applications and the related mobile ecosystem with the requirements of the California Online Privacy Act. These developments have a broad reach, impacting many companies, including those that are not physically located in California.
Children were the focus of the second significant development in the privacy area this past month, with the Federal Trade Commission issuing amendments to the Children’s Online Privacy Protection Act (COPPA). These amendments, which have been a long time in the making, highlight the increasing complexity of how companies collect and use data, and the potential risks when collecting information through sites and services that are directed to or are used by children under the age of 13.
California Attorney General Kamala Harris continues to highlight the importance of mobile privacy with her office's Jan. 10 report, "Privacy on the Go: Recommendations for the Mobile Ecosystem." The report provides guidance on developing and implementing strong privacy practices that help to promote transparency for consumers. Harris stated that her recommendations aim to "strike a responsible balance between protecting consumers' personal information and fostering the continued growth of the innovative app economy."
California’s state laws govern business conducted within the state, including the operation of app stores within California, and, accordingly, California law may apply to any business that offers mobile apps to California consumers. Mobile app developers and providers that do not comply with California’s privacy-related laws may therefore be exposed to liability under the California Online Privacy Act, as well as California's Unfair Competition Law and/or False Advertising Law, regardless of where the developer itself is located.
Some of the recommendations for app developers in Harris's "Privacy on the Go" report include:
Mobile app platform providers are encouraged to make app privacy policies accessible on the platforms (i.e., app stores) so users can review them before download, and to use their platforms to educate users on mobile privacy. The report suggests that mobile ad networks should avoid using out-of-app ads (e.g., those delivered by placing icons on the mobile desktop or by modifying browser settings); make their privacy policies more readily available to app developers; and transition away from device-specific identifiers such as uniform device identifiers (UDIDs) and toward temporary device identifiers or app-specific identifiers.
The report also addresses the role of operating system developers in developing global privacy settings that provide users with control over the data and device features that are accessible to apps, as well as the role of mobile carriers in educating customers on the importance of mobile privacy particularly as it relates to children.
The full report can be found here.
The FTC recently announced a set of amendments to COPPA that were developed in a rule-making process that began in 2010. Prior to the amendments going into effect, COPPA applied to websites and online services directed toward children under 13 that collect personal information from children, as well as to companies that operate general audience websites and have actual knowledge that they collect personal information from children.
While this remains true after the amendments, COPPA now also extends to websites and online services that may not directly collect children’s personal information but that benefit by allowing third parties, such as plug-ins or advertising networks, to collect such information “directly from” their sites and services. The foregoing is not intended to cover platforms like app stores that simply provide consumers access to other companies’ child-directed content.
COPPA compliance requires that websites and online services to whom the Act applies obtain verifiable parental consent and use privacy policies that can be understood by a child, in addition to other new compliance requirements, and clarifies certain existing requirements. Here are some of the more significant changes in the Act:
The full set of amendments can be found here.