A company that believes its general website privacy policy provides sufficient notice to those who download the company’s smartphone app may now face an opponent in the state of California.

One month ago, California Attorney General Kamala D. Harris sent a letter to more than 100 companies notifying them that they are not in compliance with California law because their mobile applications use or collect personal information but don’t have privacy policies disclosing their privacy practices. She gave those companies 30 days to conspicuously post a privacy policy within their app that informs users of what personally identifiable information is being collected and what will be done with that private information.

The letters were sent as a first step to legal action under the California Online Privacy Protection Act (COPPA), which requires any commercial operator of online services, including mobile and social apps, that collects personally identifiable information from Californians to conspicuously post a privacy policy.

Companies can face fines of up to $2,500 each time a non-compliant app is downloaded.

And now, Attorney General Harris has begun filing lawsuits against such companies and has signaled that more are coming. This follows on the heels of a suit by the New Jersey attorney general against an app developer/publisher as well as investigations by other state attorneys general.

Attorney General Harris’ enforcement campaign follows an agreement she reached with the leading mobile and social app platforms to improve privacy protections for millions of users worldwide who use apps on their electronic devices. The platforms — Amazon, Apple, Facebook, Google, Hewlett-Packard, Microsoft and Research in Motion — agreed to privacy principles designed to bring the industry in line with California law requiring mobile apps that collect personal information to have a privacy policy. The agreement requires that platforms have the capacity to display an app’s privacy policy before the user downloads an app, and offer consumers a consistent location for an app’s privacy policy on the application-download screen in the platform store.

COPPA was enacted in 2004 and does not contain the words “mobile,” “smartphone,” “app” or “application” but Attorney General Harris argues that “the term ‘online services’ covers any service available over the Internet,” including “mobile applications.” It is still unclear if courts will adopt or reject Attorney General Harris’ interpretation of COPPA.

The mobile app business has gone from infancy to juggernaut in four years — Apple reports that more than 35 billion apps have been downloaded from its App Store alone. The letters and lawsuits from Attorney General Harris indicate an increased focus in California in this burgeoning field.

This focus affects all companies that use apps to collect consumer information and that have end-users in California. A company does not need to have offices or conduct significant business in California for a violation of California law to be found. Because of the global nature of the Internet, the law will apply to developers and publishers throughout the world even though COPPA is a state law.

Companies should avoid simply relying on or repurposing their website privacy policies to satisfy their obligations under the California law. Website privacy policies are generally tailored — consciously or not — to the operating systems, software packages and hardware components of laptops and desktop machines.

Mobile devices, however, have different operating systems, different ways of storing and tracking end-users, different associated software and different tools that the end-user must use if he or she wishes to control the collection or sharing of information. Even the third parties used by companies for advertising and analytics are often different in the mobile arena. As a result, when website privacy policies are repurposed for the mobile space, there is a high likelihood that they will be inaccurate with respect to data collection by third parties, end-user tracking, local storage and end-user controls, to name a few.

In the best-case scenario, companies should attempt to have privacy disclosures that specifically address the unique nature of mobile apps and, if possible, have that privacy disclosure available pre-download as well as within the app itself, and in a form that is optimized for mobile viewing. In addition, companies should not rely on their mobile app developers to describe information collection and sharing practices. Companies should independently test the mobile apps and craft disclosures based on what is actually happening and not what they are told is happening.