Recent Privacy Developments: California AG Continues to Lead on Mobile with New Recommendations and FTC Amends COPPA

January.14.2013

Nearly all businesses today are involved in some way in the development or distribution of mobile applications. The first part of this Client Alert highlights recent activities of the California State Attorney General to increase enforcement and provide further guidance on how to improve compliance of mobile applications and the related mobile ecosystem with the requirements of the California Online Privacy Act. These developments have a broad reach, impacting many companies, including those that are not physically located in California.

Children were the focus of the second significant development in the privacy area this past month, with the Federal Trade Commission issuing amendments to the Children’s Online Privacy Protection Act (COPPA). These amendments, which have been a long time in the making, highlight the increasing complexity of how companies collect and use data, and the potential risks when collecting information through sites and services that are directed to or are used by children under the age of 13.

California Attorney General Office Update: AG Releases Recommendations for the Mobile Ecosystem

California Attorney General Kamala Harris continues to highlight the importance of mobile privacy with her office's Jan. 10 report, "Privacy on the Go: Recommendations for the Mobile Ecosystem." The report provides guidance on developing and implementing strong privacy practices that help to promote transparency for consumers. Harris stated that her recommendations aim to "strike a responsible balance between protecting consumers' personal information and fostering the continued growth of the innovative app economy."

In February 2012, Harris announced that California privacy laws apply to mobile applications, thereby requiring developers to write privacy policies for their apps. Since that time, Harris has sent notices to over 100 organizations requiring that they post privacy policies on their apps within 30 days or face legal action. In December, Delta Airlines became the first enforcement target when Harris sued the company for failing to prominently post a privacy policy within its app. Delta could be fined up to $2,500 for each use, leading to a multimillion-dollar penalty.

California’s state laws govern business conducted within the state, including the operation of app stores within California, and, accordingly, California law may apply to any business that offers mobile apps to California consumers. Mobile app developers and providers that do not comply with California’s privacy-related laws may therefore be exposed to liability under the California Online Privacy Act, as well as California's Unfair Competition Law and/or False Advertising Law, regardless of where the developer itself is located.

Some of the recommendations for app developers in Harris's "Privacy on the Go" report include:

Limiting collection of personally identifiable data to what is necessary for an app's basic functionality;
Using a privacy policy that is clear, accurate and conspicuously accessible; and
Using short, context-specific privacy statements or notices together with privacy controls within the app to draw users’ attention to data practices that might be unexpected or sensitive and provide the user with meaningful choice.

Mobile app platform providers are encouraged to make app privacy policies accessible on the platforms (i.e., app stores) so users can review them before download, and to use their platforms to educate users on mobile privacy. The report suggests that mobile ad networks should avoid using out-of-app ads (e.g., those delivered by placing icons on the mobile desktop or by modifying browser settings); make their privacy policies more readily available to app developers; and transition away from device-specific identifiers such as uniform device identifiers (UDIDs) and toward temporary device identifiers or app-specific identifiers.

The report also addresses the role of operating system developers in developing global privacy settings that provide users with control over the data and device features that are accessible to apps, as well as the role of mobile carriers in educating customers on the importance of mobile privacy particularly as it relates to children.

The full report can be found here.

Federal Trade Commission Update: Children’s Online Privacy Protection Act (COPPA) Amendments

The FTC recently announced a set of amendments to COPPA that were developed in a rule-making process that began in 2010. Prior to the amendments going into effect, COPPA applied to websites and online services directed toward children under 13 that collect personal information from children, as well as to companies that operate general audience websites and have actual knowledge that they collect personal information from children.

While this remains true after the amendments, COPPA now also extends to websites and online services that may not directly collect children’s personal information but that benefit by allowing third parties, such as plug-ins or advertising networks, to collect such information “directly from” their sites and services. The foregoing is not intended to cover platforms like app stores that simply provide consumers access to other companies’ child-directed content.

COPPA compliance requires that websites and online services to whom the Act applies obtain verifiable parental consent and use privacy policies that can be understood by a child, in addition to other new compliance requirements, and clarifies certain existing requirements. Here are some of the more significant changes in the Act:

COPPA now applies to websites and online services that are directed at children under 13 years of age that collect personal information or that have benefited by allowing another person to collect such information directly from users of such website or online service. These sites must presume users are children under 13 and therefore must obtain parental consent from all users. The Act also now extends to plug-ins and ad networks when they have actual knowledge that they are collecting personal information through child-directed sites; these sites and services must obtain parental consent only if the user identifies his or herself as under 13.
The amendments also expand the definition of “personal information” for purposes of the Act to include geolocation information, as well as photos, videos and audio files that contain a child’s image or voice. This change is consistent with the trend toward requiring consent before enabling collection of geolocation data. Similarly, parental consent is required for the collection or use of a “persistent identifier” that can be used to recognize a user over time and across sites. However, consent is not required if the identifier is used solely to support the internal operations of the site or service (e.g., contextual advertising (typically meaning advertising that is shown based on the content of the webpage on which the ad is to be shown), frequency capping (generally, capping the number of times an advertisement is shown to a particular visitor), legal compliance, site analysis and network communications).
Parental consent is now required before companies may use or disclose children's personal information to contact a specific individual (including through behavioral advertising), subject only to the exceptions for specified permitted uses of persistent identifiers as described above. Contacting individuals using children's personal information in order to amass a profile on that person or for any other purpose is prohibited.
The FTC has provided additional guidance on the notice that must be sent to parents before collecting their children’s personal information, and has streamlined what covered entities must include in their privacy policies to comply with COPPA.
Approved methods of acquiring parental consent are expanded in the amendments to include, by way of example, electronic scans of signed parental consent forms, videoconferencing, use of government-issued ID and alternative payment systems (assuming they meet the same stringent criteria as credit cards).
The amendments require websites and online services that fall within the Act to take reasonable steps to ensure personal information is only disclosed to those that have the ability to and agree to protect the confidentiality, security and integrity of the information.
Children's personal information may only be retained for as long as is reasonably necessary for business or legal purposes and then must be securely destroyed.

The full set of amendments can be found here.

Joe Wright (Associate, Technology Transactions Group) also assisted in the preparation of this Client Alert

Authors

Antony Kim Partner, Cyber, Privacy & Data Innovation, Government Investigations and Enforcement Actions

Washington, D.C.

See my bio

D: +1 202 339 8493
M: +1 202 270 7590
E: [email protected]

Practice:

Finance Sector
Technology Sector
Cyber, Privacy & Data Innovation
Government Investigations and Enforcement Actions
Complex Litigation & Dispute Resolution
Antitrust & Competition

vCard

See full bio

Antony Kim Partner Cyber, Privacy & Data Innovation, Government Investigations and Enforcement Actions

Washington, D.C.

Antony (Tony) Kim is a partner in Orrick's internationally recognized Cyber, Privacy & Data Innovation practice, which pursues "an aggressive yet practical approach" to data protection and innovation that "meets the needs of both in-house counsel and tech-savvy business clients."

When faced with a cyber crisis, companies call on Tony to help navigate critical legal, risk and reputational landmines. Tony has helped clients respond to hundreds of cyberattacks and data breaches. He has directed forensic investigations, cross-border notifications, and regulatory and private enforcement matters, in connection with incidents involving personal data of employees and customers, including PCI/payment card data, as well as proprietary data and corporate trade secrets, on behalf of private and public companies as well as governmental entities.

Tony has also defended over fifty clients in regulatory investigations and enforcement actions by the Federal Trade Commission (FTC) and State Attorneys General. These matters have involved (i) cyberattacks and data breach incidents, (ii) privacy implications of innovative data use-cases, and (iii) consumer protection issues relating to online and offline sales & marketing and advertising practices -- particularly in the retail e-commerce and fintech/consumer finance industries. Tony draws insights from his regulatory practice to inform his counseling work, where he regularly advises Legal, InfoSec/IT, Product/Marketing, and C-Suite/Board stakeholders on a host of governance, compliance, and risk mitigation strategies.

Recognized as a leading lawyer, Tony has been ranked in Chambers USA, The Legal 500 US, Benchmark Litigation, The Cybersecurity Docket and Super Lawyers D.C. Rising Stars. He’s been consistently named to The Cybersecurity Docket’s “Incident Response 30” list of the top IR professionals in the U.S. Clients endorse Tony, telling Chambers “He's fantastic,” “He takes the time to tend to companies’ needs and understands clients’ objectives.” The National Law Journal named Tony to its 2014 list of D.C. Rising Stars, a 40-under-40 group of “game changing” private, government and public interest attorneys. Based on surveys of senior in-house counsel, Tony was awarded the Client Choice Award by the International Law Office (ILO)/Lexology in 2015, and was named an Acritas Star Lawyer in 2016 and 2017. In 2016, Law360 named Orrick’s Cyber, Privacy & Data Innovation practice “Practice Group of the Year” in the data privacy category. Chambers repeatedly ranks the Orrick team in Band 1; and in 2019, Chambers named Orrick the “Privacy/Data Security Law Firm of the Year.”

Tony serves on the Firm's Executive Management Committee, focusing on the area of practice innovation. In 2020, the Financial Times named him one of the top 10 Most Innovative Practitioners in North America.

Technology

Energy & Infrastructure

Finance

Orrick blogs

Pro Bono

Diversity, Equity & Inclusion @ Orrick

Orrick Cares

Welcome to the Orrick Alumni Community

Recent Privacy Developments: California AG Continues to Lead on Mobile with New Recommendations and FTC Amends COPPA

California Attorney General Office Update: AG Releases Recommendations for the Mobile Ecosystem

Federal Trade Commission Update: Children’s Online Privacy Protection Act (COPPA) Amendments

Joe Wright (Associate, Technology Transactions Group) also assisted in the preparation of this Client Alert