people

practices

    Notice: Trying to get property of non-object in /var/www/brownrudnick.com/htdocs/blog/wp-content/themes/bro/header.php on line 192 Warning: Invalid argument supplied for foreach() in /var/www/brownrudnick.com/htdocs/blog/wp-content/themes/bro/header.php on line 192
expand all collapse all
fast finder
Brown Rudnick PROFESSIONALS

News/Resources: Blog

Emerging Technologies BLOG

Mobile App Privacy: Five Things Businesses Can Do To Stay Out Of Trouble

Posted on Friday, Dec 21, 2012

BY Edward J. Naughton and Ryan S. Moore

The business case for offering a mobile app can be compelling: an app can give a business a constant presence on its customers’ mobile desktop, building brand awareness and allowing easy and direct interaction. But businesses that roll out apps need to pay attention to privacy rules, too, as the recent enforcement action by California’s Attorney General reminds us.

On December 6, California’s Attorney General sued Delta Air Lines, claiming that Delta’s “Fly Delta” mobile application violated California’s Online Privacy Protection Act of 2003 (“CalOPPA”). CalOPPA is the state law that requires operators of commercial websites to post the ubiquitous “California Privacy Rights Notice” that shows up in most privacy policies. In simple terms, the law requires commercial websites to conspicuously post a privacy policy that identifies the categories of personal information that the operator collects, how that information is shared, how consumers can review or modify the information that is collected, and how the operator will notify consumers of material changes to the policy.

But CalOPPA doesn’t only apply to commercial websites. It also applies to “online services” – and the California AG has interpreted that term to include mobile apps. In October, the AG’s office notified about 100 companies, including Delta, that their apps did not comply with CalOPPA, and warned them to come into compliance within 30 days.

After 30 days passed, the AG sued Delta, accusing the Fly Delta app of violating CalOPPA. The app, which has been downloaded millions of times since October 2010, allows customers to check-in online and view reservations, among other things. Through the Fly Delta app, Delta allegedly collects certain personal information, including the user’s name, address, phone number, email address, credit card number, date of birth, passport number, geo-location data, and other such information. Delta’s website contains a privacy policy, but according to the AG, this policy doesn’t mention the Fly Delta App, doesn’t disclose all of the data that the Fly Delta app collects, and isn’t conspicuously accessible to users of the Fly Delta app.

The potential liability under CalOPPA is significant: the law authorizes fines of up to $2500 for each violation. Delta apparently published a privacy policy for Fly Delta app after suit was filed, and a settlement of some sort is likely, but no business wants to deal with this kind of lawsuit and the resulting public relations headaches.

Businesses that offer mobile apps can draw several lessons from Delta’s misfortune.

First, be aware that mobile apps may be subject to state and federal privacy regulations. Make sure that you’re familiar with the laws and regulations that may apply. This is no small task: the laws can include CalOPPA’s privacy policy requirements, Massachusetts’ regulations governing data security, the various financial and health privacy laws, and state data breach laws.

Second, make sure that you’re aware of what personally identifiable information is being collected by the app, what your business is doing with that information, and how it’s being shared.

Third, make sure that your privacy policy explicitly addresses your app and discloses all of the categories of information that are being collected and used.

Fourth, make sure that your privacy policy is conspicuously available to users, not just on the company website, and not just on the platform through which the app is offered, but through the app itself.

Fifth, if you’re outsourcing the development of your app, make sure that your requirements and specs address privacy issues, and consider whether it’s appropriate or possible to obtain representations, warranties, and indemnifications from the developer.

Finally — and this should go without saying — if you receive a notice from a regulator raising privacy issues, make sure to respond. Dealing with the matter early may avoid bigger problems later.