Recent Privacy Developments: California AG Continues to Lead on Mobile with New Recommendations and FTC Amends COPPA

by Orrick, Herrington & Sutcliffe LLP

Nearly all businesses today are involved in some way in the development or distribution of mobile applications. The first part of this Client Alert highlights recent activities of the California State Attorney General to increase enforcement and provide further guidance on how to improve compliance of mobile applications and the related mobile ecosystem with the requirements of the California Online Privacy Act. These developments have a broad reach, impacting many companies, including those that are not physically located in California.

Children were the focus of the second significant development in the privacy area this past month, with the Federal Trade Commission issuing amendments to the Children’s Online Privacy Protection Act (COPPA). These amendments, which have been a long time in the making, highlight the increasing complexity of how companies collect and use data, and the potential risks when collecting information through sites and services that are directed to or are used by children under the age of 13.

California Attorney General Office Update: AG Releases Recommendations for the Mobile Ecosystem

California Attorney General Kamala Harris continues to highlight the importance of mobile privacy with her office's Jan. 10 report, "Privacy on the Go: Recommendations for the Mobile Ecosystem." The report provides guidance on developing and implementing strong privacy practices that help to promote transparency for consumers. Harris stated that her recommendations aim to "strike a responsible balance between protecting consumers' personal information and fostering the continued growth of the innovative app economy."

In February 2012, Harris announced that California privacy laws apply to mobile applications, thereby requiring developers to write privacy policies for their apps. Since that time, Harris has sent notices to over 100 organizations requiring that they post privacy policies on their apps within 30 days or face legal action. In December, Delta Airlines became the first enforcement target when Harris sued the company for failing to prominently post a privacy policy within its app. Delta could be fined up to $2,500 for each use, leading to a multimillion-dollar penalty.

California’s state laws govern business conducted within the state, including the operation of app stores within California, and, accordingly, California law may apply to any business that offers mobile apps to California consumers. Mobile app developers and providers that do not comply with California’s privacy-related laws may therefore be exposed to liability under the California Online Privacy Act, as well as California's Unfair Competition Law and/or False Advertising Law, regardless of where the developer itself is located.

Some of the recommendations for app developers in Harris's "Privacy on the Go" report include:

  • Limiting collection of personally identifiable data to what is necessary for an app's basic functionality; 
  • Using a privacy policy that is clear, accurate and conspicuously accessible; and 
  • Using short, context-specific privacy statements or notices together with privacy controls within the app to draw users’ attention to data practices that might be unexpected or sensitive and provide the user with meaningful choice.

Mobile app platform providers are encouraged to make app privacy policies accessible on the platforms (i.e., app stores) so users can review them before download, and to use their platforms to educate users on mobile privacy. The report suggests that mobile ad networks should avoid using out-of-app ads (e.g., those delivered by placing icons on the mobile desktop or by modifying browser settings); make their privacy policies more readily available to app developers; and transition away from device-specific identifiers such as uniform device identifiers (UDIDs) and toward temporary device identifiers or app-specific identifiers.

The report also addresses the role of operating system developers in developing global privacy settings that provide users with control over the data and device features that are accessible to apps, as well as the role of mobile carriers in educating customers on the importance of mobile privacy particularly as it relates to children.

The full report can be found here.

Federal Trade Commission Update: Children’s Online Privacy Protection Act (COPPA) Amendments

The FTC recently announced a set of amendments to COPPA that were developed in a rule-making process that began in 2010. Prior to the amendments going into effect, COPPA applied to websites and online services directed toward children under 13 that collect personal information from children, as well as to companies that operate general audience websites and have actual knowledge that they collect personal information from children.

While this remains true after the amendments, COPPA now also extends to websites and online services that may not directly collect children’s personal information but that benefit by allowing third parties, such as plug-ins or advertising networks, to collect such information “directly from” their sites and services. The foregoing is not intended to cover platforms like app stores that simply provide consumers access to other companies’ child-directed content.

COPPA compliance requires that websites and online services to whom the Act applies obtain verifiable parental consent and use privacy policies that can be understood by a child, in addition to other new compliance requirements, and clarifies certain existing requirements. Here are some of the more significant changes in the Act:

  • COPPA now applies to websites and online services that are directed at children under 13 years of age that collect personal information or that have benefited by allowing another person to collect such information directly from users of such website or online service. These sites must presume users are children under 13 and therefore must obtain parental consent from all users. The Act also now extends to plug-ins and ad networks when they have actual knowledge that they are collecting personal information through child-directed sites; these sites and services must obtain parental consent only if the user identifies his or herself as under 13.
  • The amendments also expand the definition of “personal information” for purposes of the Act to include geolocation information, as well as photos, videos and audio files that contain a child’s image or voice. This change is consistent with the trend toward requiring consent before enabling collection of geolocation data. Similarly, parental consent is required for the collection or use of a “persistent identifier” that can be used to recognize a user over time and across sites. However, consent is not required if the identifier is used solely to support the internal operations of the site or service (e.g., contextual advertising (typically meaning advertising that is shown based on the content of the webpage on which the ad is to be shown), frequency capping (generally, capping the number of times an advertisement is shown to a particular visitor), legal compliance, site analysis and network communications).
  • Parental consent is now required before companies may use or disclose children's personal information to contact a specific individual (including through behavioral advertising), subject only to the exceptions for specified permitted uses of persistent identifiers as described above. Contacting individuals using children's personal information in order to amass a profile on that person or for any other purpose is prohibited.
  • The FTC has provided additional guidance on the notice that must be sent to parents before collecting their children’s personal information, and has streamlined what covered entities must include in their privacy policies to comply with COPPA.
  • Approved methods of acquiring parental consent are expanded in the amendments to include, by way of example, electronic scans of signed parental consent forms, videoconferencing, use of government-issued ID and alternative payment systems (assuming they meet the same stringent criteria as credit cards).
  • The amendments require websites and online services that fall within the Act to take reasonable steps to ensure personal information is only disclosed to those that have the ability to and agree to protect the confidentiality, security and integrity of the information.
  • Children's personal information may only be retained for as long as is reasonably necessary for business or legal purposes and then must be securely destroyed.

The full set of amendments can be found here.

Joe Wright (Associate, Technology Transactions Group) also assisted in the preparation of this Client Alert.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Orrick, Herrington & Sutcliffe LLP | Attorney Advertising

Written by:

Orrick, Herrington & Sutcliffe LLP

Orrick, Herrington & Sutcliffe LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.


JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at:

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.