Your Business's Mobile App Could Be Subject to California Attorney General Investigation

​The California Attorney General just announced an investigative sweep of mobile apps that allegedly fail to meet the requirements of state data privacy law, meaning businesses that conduct business through apps need to immediately ensure they are compliant with the latest laws and regulations.

Given that California's data privacy law impacts businesses across the country, you might not be spared just because you don't have a physical location in the state. Timed to coincide with Jan. 28's Data Privacy Day – the annual day aiming at raising awareness and promoting best practices surrounding digital privacy and data protection – you should use the warning as an important reminder to determine whether you are selling mobile data and have a mechanism for users to opt out of such sales.

The first thing you should determine is whether your business's app is selling personal information. Your first instinct might be to answer in the negative, but you should take a second look. After all, the California Consumer Privacy Act (CCPA) is a law full of everyday terms that do not align with how we use the words in everyday conversation.

To understand what the California Attorney General is enforcing with these new investigations, start with how the CCPA defines two key terms:

• Personal information is broadly defined to include any data that identifies or is reasonably capable of being linked to a California resident or household. Specific examples include names, Internet Protocol addresses, and unique personal identifiers.
• Selling is the exchange of personal information for monetary or other valuable consideration.
  

Assuming you are not literally providing your app data in exchange for money, let's discuss some common ways in which your app may be selling personal information, but for other valuable consideration besides money.

Scenario 1: If you have third-party advertising on your app that makes available personal information of app users (such as username, device ID, IP address, or any other unique identifier that tells the app that someone is a specific user) to the third party that placed the ad, then you are selling personal information.

Scenario 2: Your app uses a third party to run data analytics on app user activity. Even if you do not personally see, possess, or have access to the analytics data, that does not mean the third party does not sell the data collected from or about your app users, or that the third party does not use this data for its own commercial purposes outside the scope of the services provided to your business. Even if you are paying the analytics provider for the analytics service (or even if you are not paying them for services), you may still be selling personal information to the analytics provider, if that third party is not contractually restricted from using the data about your app users for its own purposes.

What To Do

Selling personal information under the CCPA is not unlawful. But if you determine that you are doing just that through your mobile app, there are hoops that you need to jump through to comply with the law.

First, you need a just-in-time notice that directs or refers the user to your privacy policy and a copy of your privacy policy readily accessible to users in the app.

Second, your privacy policy (both in the app and on your website) must disclose that you are selling personal information.

Third, you must implement methods for your users to effectively opt out of the sale of personal information.

If you do not want to deal with the fuss of opt-outs, you can avoid having some of the data disclosure being considered a sale by entering into a service provider agreement that prevents any third parties from using data they receive or process about your app users for purposes outside of providing you services.

But be aware, if your app is providing data to be used for cross-context behavioral advertising (e.g., targeted advertising), that is also considered sharing under the CCPA, starting as of Jan. 1, and you must still provide opt-outs for that. Regardless of whether you stop selling or sharing, you still need to note in your privacy policy that you sold or shared personal information within the last 12 months and provide a link to your privacy policy in your app, if you are collecting any personal information.

What About Authorized Agents?

For businesses unfamiliar with the authorized agent requirement of the CCPA, you should know that a new cottage industry has sprung up that is engaged by consumers to act as their authorized agent in submitting CCPA requests. The law gives consumers the right to make various CCPA requests through an authorized agent, a third party designated by the consumer to make the request on their behalf. If you are unceremoniously rejecting any CCPA requests not made by the consumer themselves, you should stop.

You should familiarize yourself with the CCPA requirements for authorized agents, including what you can and cannot ask for of the authorized agent. Make sure your privacy policy addresses how authorized agents can make a request on a consumer's behalf.

If you have not updated any of your policies or practices related to the CCPA since the law first went into effect, now is the time. The California Privacy Rights Act, which significantly amends the CCPA, went into effect on Jan. 1. While the California Attorney General's current enforcement actions appear to be focused on rights that existed prior to the recent amendment, at some point, that will change, and you will want to be ready!

More generally, businesses everywhere should be mindful that CCPA enforcement is ongoing even though the latest CCPA amendment that took effect Jan. 1 will not be enforced by the new agency established by this amendment until July 1. If your business is subject to the CCPA and has not taken steps to comply, now is the time.

Darcey M. Groden is an attorney with Fisher Phillips in San Diego. Usama Kahf is an attorney with Fisher Phillips in Irvine, Calif. © 2023. All rights reserved. Reprinted with permission.