Website Privacy Policies and the CalOPPA
Moving off of the traditional website, does the company now offer a mobile application? Is it active on Twitter or Facebook? Policies that may have described a website's operations several years ago may have little relationship to a company's mobile app or social media presence.
Beyond these business questions, recent amendments to CalOPPA require additional disclosures. Websites now must disclose how they, and any third-parties that provide services to that site, respond to “do not track” signals from browsers. Another new provision requires websites to disclose whether third parties collect PII on the operator's website over time and across other sites, which enables the practice known as behavioral targeting.
In addition, California also recently enacted an “eraser” law that will empower registered users under the age of 18 (significantly higher than the federal COPPA standard of 13) of a site “predominantly comprised of minors” to direct websites to remove, or request the removal of, content that the youth has posted. This law will take effect on January 1, 2015, so companies should begin planning how they will come into compliance.
Although California's CalOPPA in practice provides what in effect is a national baseline for privacy policies, numerous other state laws, federal laws, compilations of industry best practices, and consumer protection laws impose still other obligations on businesses and their privacy policies. Websites increasingly should be mindful of whether information about people that they may make available constitutes “credit reports” under the federal Fair Credit Reporting Act. And they also should be aware of the Federal Trade Commission's (FTC) increasingly extensive history of bringing enforcement actions on privacy issues.
Seemingly everyone today makes available a smartphone mobile application. What information does your company's app collect? Does it copy the user's address book and, if so, why? And is that fact disclosed to the user? Where?
To help companies address privacy issues arising from their mobile apps, a number of industry groups and trade associations have developed codes of conduct or best practices. Once again, the California Attorney General has expressed a view, publishing a set of “Privacy on the Go” recommendations in January 2013. Many industry groups and think tanks have chimed in with recommended best practices as well. All of these are sources of good advice. However, if a company is a member of one of these groups, or has pledged to adhere to a particular code, then it should ensure that it does in fact live up to those recommendations.
In addition, in 2013 a multistakeholder group convened by the National Telecommunications and Information Administration released a draft code of conduct regarding the transparency of privacy practices in mobile apps. That code, which will most directly affect app developers, as they actually write the app software, provides that an app should present, before being downloaded, certain specified information regarding whether certain categories of personal data are collected by the app and, if so, whether those data are shared and with whom.
A company must also evaluate the implications of the FTC's recent revisions to its rule implementing the Children's Online Privacy Protection Act (COPPA). One may think that a site does not collect personal information from children under the age of 13, but there are ways to trip up. One of the more obvious ones is collecting years of birth, which can result in a site being charged with having knowledge of any users under age 13.
Furthermore, in amendments to its regulation implementing COPPA that took effect last July, the FTC broadened the definition of “personal information” that is subject to the prior verifiable parental consent requirement, and expanded the rule to apply both to third-party plug-ins such as the Facebook “Like” button and to third-party advertising networks. The revised regulation also specifically applies to mobile apps. In addition, the revised regulation also has changed how a site aimed “predominantly” at teenagers can confine its COPPA-related obligations to those children who are under 13. (See FTC's New COPPA Rule Expands Children's Online Privacy Obligations, January 2013 Privacy In Focus).
Understanding the current COPPA requirements is vital, because many commonplace website and mobile app practices can inadvertently run afoul of the rule. The same rules govern mobile apps used by children, but compliance is more complex due to the smaller screens on smart devices.
Data Security and Breach Notification
And pay attention to the security features of apps. In late March, the FTC announced that it had entered into consent decrees with two companies, Credit Karma and Fandango, for failing to take reasonable steps to secure their apps. Interestingly, the FTC specifically cited both companies for disabling the SSL certificate validation, which would have verified that the apps' communications were secure, and thereby potentially exposing users' data to hackers and thieves. The consent decrees being entered into in those cases will require the companies to put in place comprehensive security programs to address risks related to the development and management of new and existing products and to protect the security, integrity, and confidentiality of information covered by the order. Under the decrees, the companies will remain subject to independent security audits every other year for the next 20 years. A similar fate could well befall other companies that do not take what the FTC regards as reasonable steps to secure their apps.