Insights

California Attorney General Announces Agreement on Privacy Policies for Mobile Applications

On Wednesday, February 23, 2012, California's Attorney General announced an agreement with the six largest mobile device companies that will require privacy policies for mobile applications. The agreement is the result of negotiations that began in August 2011 between the California Attorney General and Amazon.com, Apple, Google, Hewlett-Packard, Microsoft, and Research in Motion. The agreement is designed to ensure compliance with the California Online Privacy Protection Act, which according to California's Attorney General requires mobile applications that collect personal data from California consumers to have a conspicuous privacy policy.

The California Online Privacy Protection Act, Bus. & Prof. Code § 22575, requires that "an operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy." Personally identifiable information is information that can be used on its own, or in combination with other information, to identify an individual, such as name, address, telephone number, email address, or Social Security number. Under the act, a privacy policy must describe the kind of information that is collected, how it is shared, and the process, if one exists, by which a user can review and make changes to his or her personal information. For more information concerning the requirements of this important California law, click here.

In a statement announcing the agreement, California's Attorney General noted that mobile devices have become the means by which most people access applications and browsers, yet privacy practices in the mobile space have lagged behind those in the traditional browser-based internet access space. According to a 2011 Wall Street Journal report, 45 of the top 101 mobile applications have no privacy policy. California's Attorney General also cited a study by TrustE and Harris Interactive that found that only 19 percent of the top 340 free applications contain a link to a privacy policy and that only 5 percent of all mobile applications have a privacy policy.

Under the agreement, a mobile application that collects personal data from a user must include a conspicuous privacy policy that describes the application's privacy practices and provides "clear and complete" information on how personal data is collected, used, and shared. To increase developer awareness of privacy issues, the application submission process for new or updated applications must include an optional data field for the text of the privacy policy or a hyperlink to the policy. The agreement also requires the mobile device companies to create a process for users to report noncompliant applications and for companies to respond to such reports.

The agreement calls for the mobile device companies to continue to work with California's Attorney General to develop best practices for mobile privacy and model mobile privacy policies. The companies and California's Attorney General will meet again within six months to evaluate privacy in the mobile space, including the utility of education programs regarding mobile privacy.

The agreement states that it is not intended to impose legally binding obligations, but that California's Attorney General will ensure that mobile applications comply with the law. It also makes clear that any action a company takes with respect to a noncompliant application will not limit law enforcement or any other regulator's right to pursue an action against the developer.

Companies that collect personal data through mobile applications or otherwise through mobile devices should evaluate their existing data collection and privacy policies. This will require companies to determine what changes, if any, should be made to data collection practices and policies in order to remain compliant with the California Online Privacy Protection Act and other relevant laws.

Lawyer Contacts

For further information, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com.

Mauricio Paez
New York
+1.212.326.7889
mfpaez@jonesday.com

Elaine Wallace
San Francisco
+1.415.875.5831
ewallace@jonesday.com

Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our web site at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.