California Attorney General Puts Mobile App Developers on Notice

California Attorney General Kamala D. Harris today announced a crackdown on mobile application developers and companies that haven’t posted privacy policies, at least where users can easily find them.

The attorney general is giving recipients 30 days “to conspicuously post a privacy policy within their app that informs users of what personally identifiable information about them is being collected and what will be done with that private information,” according to a prepared statement.

A sample letter defines the issue at hand. “An operator of a mobile application (“app”) that uses the Internet to collect PII is an “online service” within the meaning of CalOPPA. An app’s commercial operator must therefore conspicuously post its privacy policy in a means that is reasonably accessible to the consumer. Having a Web site with the applicable privacy policy conspicuously posted may be adequate, but only if a link to that Web site is ‘reasonably accessible’ to the user within the app.”

The AG’s office didn’t specify companies but said “the letters will be sent out to up to 100 non-compliant apps at this time, starting with those who have the most popular apps available on mobile platforms.”

The news service Bloomberg reports that United and Delta airlines and the online reservations site OpenTable are among the targeted companies receiving notices they are in violation of the state’s privacy protocol for mobile applications released in February.  

California is at the vanguard of states requiring privacy policies for mobile applications, acknowledging the growing shift in consumer use of mobile devices such as smartphones and tablets.

Apple, Amazon, Google, Facebook, Microsoft, Research in Motion and HP earlier agreed to let users review app privacy policies before they are downloaded and to post data collection guidelines in a consistent place in accordance with California’s Online Privacy Protection Act.

“The letters are the first step in taking legal action to enforce the California Online Privacy Protection Act, which requires commercial operators of online services, including mobile and social apps, which collect personally identifiable information from Californians to conspicuously post a privacy policy,” according to the statement.

“Privacy policies are an important safeguard for consumers. Privacy policies promote transparency in how companies collect, use, and share personal information. Companies can face fines of up to $2,500 each time a non-compliant app is downloaded.”





  • Anonymous on

    Dear California AG.  My company doesn't wish to do business in your state any longer.  If any of your citizens download my app I will bill the state of California $5,000 per occurrence.  Thank you for your business.

  • Anonymous on

    How do they plan on enforcing this? What if the server is situated in Texas? What if the company is situated in Germany? Can they subpoena people in Texas or Germany?

  • Anonymous on

    Hey, California.  IANAL, but if a company isn't in your state, this is called "Interstate Commerce."  There's some document you might vaguely remember hearing about.  It's called the Constitution.  Interstate Commerce was one of the big driving forces that drove it.  IOW, you have no jurisdiction.  So, good luck with that.

  • Bob on

      Now this sounds like it is not just a good idea, but a great idea. From the comments posted I gotta believe these folk are up to no good and should go find some ditches to dig. Better yet go help the poor people on the east coast. They really do need the hot air.

  • Anonymous on


    The 1st three posts aren't saying anything about whether or not forcing these companies to post their privacy policy is a good idea.  It IS a good idea.  It's just that a specific state can't do it.  It has to be done at the federal level.  And, I'm not sure if even that would allow enforcement against non-US companies.

  • Anonymous on

    The only people to complain are those who are up to no good.   If data is collected for a beneficial purpose (e.g. health benefits and finding cures), then why is there a problem saying so?
