Mobile application and website privacy policies--it's not just about California.

• Author: Krasnow, Melissa J.
• Position: TECH STRATEGY

Companies that have a commercial website and/or offer a mobile application that collects personally identifiable information through the Internet about any individual consumer residing in California should take heed of the state's law requiring privacy policies and its attorney general's enforcement activities and guidance.

Given that a California resident could use a website or mobile application of any company, all organizations that conduct business with--and that collect personally-identifiable information from--California residents should take note. Also, note, that California has often been the first state to enact privacy legislation and issue privacy guidance, so it is not inconceivable that other states could follow suit.

Companies need to first determine whether such commercial website and/or mobile application has a privacy policy (and if there is not a privacy policy, prepare one) and then assess whether such privacy policy complies with the California Online Privacy Protection Act and related guidance.

Companies also should keep apprised of developments regarding privacy policies and mobile applications.

CALIFORNIA ONLINE PRIVACY PROTECTION ACT

Under the California Online Privacy Protection Act, an operator of a commercial website or online service (including a mobile application) that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial website or online service must conspicuously post its privacy policy on its website. In the case of an online service (including a mobile application), the privacy policy should be available in accordance with any other reasonably accessible means of making the policy available for consumers of the online service.

Personally identifiable information means individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form.

Examples of personally identifiable information include: first and last name; home or other physical address (including street name and name of a city or town); email address; telephone number; Social Security number; any other identifier that permits the physical or online contacting of a specific individual; or information concerning a user that the website or online service collects online from the user and maintains in personally identifiable form in combination with an...