On December 6, 2012, the California attorney general filed suit against Delta Airlines for failing to provide mobile application users with adequate notice of its privacy practices.  According to the complaint, the "Fly Delta" application collected customer information, such as credit card information, date of birth and traveler numbers, but did not make Delta's privacy policy available to consumers from within the application itself, which is a requirement under the California Online Privacy Protection Act (CalOPPA).[1]

Delta is not the only company that has caught the attention of the California attorney general.  On October 26, 2012, the attorney general notified hundreds of mobile application developers and companies of their non-compliance with CalOPPA and gave them 30 days to submit specific plans and a timeline to comply with CalOPPA or face fines of up to $2,500 per download.  If you have received such a notice, or if you have a mobile application that collects personally identifiable information, we advise you to consider whether CalOPPA applies to you.

Applicability of CalOPPA

CalOPPA applies to operators of commercial websites or online services that collect personally identifiable information (PII) about individual California consumers.  The statute defines "personally identifiable information" as (a) a first and last name; (b) a home or other physical address, including street name and name of a city or town; (c) an e-mail address; (d) a telephone number; (e) a social security number; (f) any other identifier that permits the physical or online contacting of a specific individual; or (g) any information concerning a user that is collected online and maintained in personally identifiable form in combination with an identifier described above.[2]

According to the California attorney general, operators of mobile applications that collect PII are "online services" within the meaning of CalOPPA.[3]

Privacy Policy Requirements

Operators of websites and online services that are subject to CalOPPA are required to conspicuously post their privacy policies on their websites or, in the case of online services, to make their policies reasonably accessible to consumers.  For mobile applications, the California attorney general has stated that posting a company’s privacy policy within the application description page of the Apple App store or Google Play store does not alone satisfy compliance with CalOPPA.  However, the attorney general has also stated that having a website with the applicable privacy policy conspicuously posted may be adequate if a link to that website is reasonably accessible to the user from within the application.[4]

In terms of substantive requirements, CalOPPA requires privacy policies to include the following:

• a description of the types of PII collected and disclosed by the operator;
• a description of the process by which a consumer can access and request changes to his or her PII, if available;
• a description of the process by which the operator will notify consumers of material changes to the privacy policy; and 
• an effective date.[5]

Considerations for Companies with Mobile Apps

If you collect PII from California consumers through a mobile application, you may wish to take the following steps:

• Review the application to determine whether it collects "personally identifiable information" as defined by the statute.
• Review the application to determine whether your privacy policy is accessible from within the mobile application itself.
• Review your data collection, use, sharing and disposal practices and privacy policy to ensure that your policy accurately describes the types of information collected from mobile users, how such information may be shared with third parties, how users can access their information and the process by which users will be notified of material changes to the policy.  You should also make sure that the policy otherwise complies with your obligations. 
• In the event that you make changes to the privacy policy, consult with your lawyer to ensure that any changes are made in a manner that complies with your obligations.