Companies can face fines of up to $2,500 each time a non-compliant app is downloaded.
And now, Attorney General Harris has begun filing lawsuits against such companies and has signaled that more are coming. This follows on the heels of a suit by the New Jersey attorney general against an app developer/publisher as well as investigations by other state attorneys general.
COPPA was enacted in 2004 and does not contain the words “mobile,” “smartphone,” “app” or “application,” but Attorney General Harris argues that “the term ‘online services’ covers any service available over the Internet,” including “mobile applications.” It is still unclear whether courts will adopt or reject Attorney General Harris’ interpretation of COPPA.
The mobile app business has gone from infancy to juggernaut in four years — Apple reports that more than 35 billion apps have been downloaded from its App Store alone. The letters and lawsuits from Attorney General Harris indicate an increased focus in California in this burgeoning field.
This focus affects all companies that use apps to collect consumer information and that have end-users in California. A company need not have offices or conduct significant business in California to be found in violation of California law. Because of the global nature of the Internet, the law will apply to developers and publishers throughout the world even though COPPA is a state law.
Companies should avoid simply relying on or repurposing their website privacy policies to satisfy their obligations under the California law. Website privacy policies are generally tailored — consciously or not — to the operating systems, software packages and hardware components of laptops and desktop machines.
Mobile devices, however, have different operating systems, different ways of storing and tracking end-users, different associated software and different tools that the end-user must use if he or she wishes to control the collection or sharing of information. Even the third parties used by companies for advertising and analytics are often different in the mobile arena. As a result, when website privacy policies are repurposed for the mobile space, there is a high likelihood that they will be inaccurate with respect to data collection by third parties, end-user tracking, local storage and end-user controls, to name a few.
In the best-case scenario, companies should have privacy disclosures that specifically address the unique nature of mobile apps and, if possible, make those disclosures available pre-download as well as within the app itself, in a form that is optimized for mobile viewing. In addition, companies should not rely on their mobile app developers to describe information collection and sharing practices. Companies should independently test the mobile apps and craft disclosures based on what is actually happening and not what they are told is happening.