Recent Privacy Developments: California AG Continues to Lead on Mobile with New Recommendations and FTC Amends COPPA


Nearly all businesses today are involved in some way in the development or distribution of mobile applications. The first part of this Client Alert highlights recent activities of the California State Attorney General to increase enforcement and provide further guidance on how to improve compliance of mobile applications and the related mobile ecosystem with the requirements of the California Online Privacy Act. These developments have a broad reach, impacting many companies, including those that are not physically located in California.

Children were the focus of the second significant development in the privacy area this past month, with the Federal Trade Commission issuing amendments to the Children’s Online Privacy Protection Act (COPPA). These amendments, which have been a long time in the making, highlight the increasing complexity of how companies collect and use data, and the potential risks when collecting information through sites and services that are directed to or are used by children under the age of 13.

California Attorney General Office Update: AG Releases Recommendations for the Mobile Ecosystem

California Attorney General Kamala Harris continues to highlight the importance of mobile privacy with her office's Jan. 10 report, "Privacy on the Go: Recommendations for the Mobile Ecosystem." The report provides guidance on developing and implementing strong privacy practices that help to promote transparency for consumers. Harris stated that her recommendations aim to "strike a responsible balance between protecting consumers' personal information and fostering the continued growth of the innovative app economy."

In February 2012, Harris announced that California privacy laws apply to mobile applications, thereby requiring developers to write privacy policies for their apps. Since that time, Harris has sent notices to over 100 organizations requiring that they post privacy policies on their apps within 30 days or face legal action. In December, Delta Airlines became the first enforcement target when Harris sued the company for failing to prominently post a privacy policy within its app. Delta could be fined up to $2,500 for each use, leading to a multimillion-dollar penalty.

California’s state laws govern business conducted within the state, including the operation of app stores within California, and, accordingly, California law may apply to any business that offers mobile apps to California consumers. Mobile app developers and providers that do not comply with California’s privacy-related laws may therefore be exposed to liability under the California Online Privacy Act, as well as California's Unfair Competition Law and/or False Advertising Law, regardless of where the developer itself is located.

Some of the recommendations for app developers in Harris's "Privacy on the Go" report include:

  • Limiting collection of personally identifiable data to what is necessary for an app's basic functionality;
  • Using a privacy policy that is clear, accurate and conspicuously accessible; and
  • Using short, context-specific privacy statements or notices together with privacy controls within the app to draw users’ attention to data practices that might be unexpected or sensitive and provide the user with meaningful choice.

Mobile app platform providers are encouraged to make app privacy policies accessible on the platforms (i.e., app stores) so users can review them before download, and to use their platforms to educate users on mobile privacy. The report suggests that mobile ad networks should avoid using out-of-app ads (e.g., those delivered by placing icons on the mobile desktop or by modifying browser settings); make their privacy policies more readily available to app developers; and transition away from device-specific identifiers such as uniform device identifiers (UDIDs) and toward temporary device identifiers or app-specific identifiers.

The report also addresses the role of operating system developers in developing global privacy settings that provide users with control over the data and device features that are accessible to apps, as well as the role of mobile carriers in educating customers on the importance of mobile privacy particularly as it relates to children.

The full report can be found here.

Federal Trade Commission Update: Children’s Online Privacy Protection Act (COPPA) Amendments

The FTC recently announced a set of amendments to COPPA that were developed in a rule-making process that began in 2010. Prior to the amendments going into effect, COPPA applied to websites and online services directed toward children under 13 that collect personal information from children, as well as to companies that operate general audience websites and have actual knowledge that they collect personal information from children.

While this remains true after the amendments, COPPA now also extends to websites and online services that may not directly collect children’s personal information but that benefit by allowing third parties, such as plug-ins or advertising networks, to collect such information “directly from” their sites and services. The foregoing is not intended to cover platforms like app stores that simply provide consumers access to other companies’ child-directed content.

COPPA compliance requires that websites and online services to which the Act applies obtain verifiable parental consent and use privacy policies that can be understood by a child. The amendments also add other new compliance requirements and clarify certain existing requirements. Here are some of the more significant changes in the Act:

  • COPPA now applies to websites and online services that are directed at children under 13 years of age that collect personal information or that have benefited by allowing another person to collect such information directly from users of such website or online service. These sites must presume users are children under 13 and therefore must obtain parental consent from all users. The Act also now extends to plug-ins and ad networks when they have actual knowledge that they are collecting personal information through child-directed sites; these sites and services must obtain parental consent only if the user identifies himself or herself as under 13.
  • The amendments also expand the definition of “personal information” for purposes of the Act to include geolocation information, as well as photos, videos and audio files that contain a child’s image or voice. This change is consistent with the trend toward requiring consent before enabling collection of geolocation data. Similarly, parental consent is required for the collection or use of a “persistent identifier” that can be used to recognize a user over time and across sites. However, consent is not required if the identifier is used solely to support the internal operations of the site or service (e.g., contextual advertising (typically meaning advertising that is shown based on the content of the webpage on which the ad is to be shown), frequency capping (generally, capping the number of times an advertisement is shown to a particular visitor), legal compliance, site analysis and network communications).
  • Parental consent is now required before companies may use or disclose children's personal information to contact a specific individual (including through behavioral advertising), subject only to the exceptions for specified permitted uses of persistent identifiers as described above. Contacting individuals using children's personal information in order to amass a profile on that person or for any other purpose is prohibited.
  • The FTC has provided additional guidance on the notice that must be sent to parents before collecting their children’s personal information, and has streamlined what covered entities must include in their privacy policies to comply with COPPA.
  • Approved methods of acquiring parental consent are expanded in the amendments to include, by way of example, electronic scans of signed parental consent forms, videoconferencing, use of government-issued ID and alternative payment systems (assuming they meet the same stringent criteria as credit cards).
  • The amendments require websites and online services that fall within the Act to take reasonable steps to ensure personal information is only disclosed to those that have the ability to and agree to protect the confidentiality, security and integrity of the information.
  • Children's personal information may only be retained for as long as is reasonably necessary for business or legal purposes and then must be securely destroyed.

The full set of amendments can be found here.

Joe Wright (Associate, Technology Transactions Group) also assisted in the preparation of this Client Alert.