App developers and privacy practices: Preach what you practice
Recently, SC Magazine published an article about a company called Path, which settled Federal Trade Commission charges that it violated the Children's Online Privacy Protection Act. The FTC accused Path of collecting personal data from children without parental consent. Path agreed to pay a civil penalty of $800,000 as part of the settlement.

Although many app developers like Path have a privacy problem because their practices don't match their policies, other app developers have a more fundamental problem – they have no privacy policy in place at all. Companies without a privacy policy are at risk for a lawsuit or government enforcement action.

This is not a theoretical issue. Last December, California Attorney General Kamala Harris sued Delta Airlines in San Francisco Superior Court for allegedly failing to have a privacy policy for its mobile app, called Fly Delta. Her complaint claims Delta violated California's Online Privacy Protection Act (OPPA), which requires commercial websites or online services that obtain personally identifiable information about state residents to post their privacy policies.

If your business is headquartered outside of California, you may be asking yourself why Harris' suit based on a California law matters to you. The suit matters because her office (or class-action plaintiffs) can sue an app developer for allegedly violating OPPA as an unfair trade practice, even if they are out of state. Delta Airlines is a Delaware corporation with its headquarters in Atlanta. Harris sued in San Francisco, contending that Delta regularly did business in California and also violated the law there. By offering an app to Golden State residents without a privacy policy, Delta arguably injured the state's residents and made it subject to suit in its courts.

If you sell mobile apps and you don't have a privacy policy, now is the time to write and post one in a conspicuous place. Users should have a chance to review the policy before using the app. Also, your business should support the policy with more detailed practices and procedures. For instance, your business should conduct a periodic review of your privacy policy to make sure it continues to match your practices. Companies like Path get into trouble when they don't update their policies to match new marketing programs or app features that collect more or new kinds of personal data.

The California law also requires that the policy cover certain topics. An app's privacy policy must identify: the categories of information collected by the app; the categories of businesses or individuals with whom the app provider may share the information; any means for the consumer to review and request changes to the information; the process to notify consumers of changes to the policy; and the effective date of the policy.

In short, app developers should create, maintain and update their privacy policies, and make sure their policies match their information practices. I like to give clients an easy slogan to remember, “Promise what you can deliver, and deliver what you promise.” If you can put that slogan into practice, you can go a long way toward reducing your privacy legal risk.