The California Consumer Privacy Act: 5 Steps Mobile App Developers Should Be Taking Now
The California Consumer Privacy Act (CCPA) is already in effect, and beginning July 1, 2020, the California Attorney General will begin to enforce it. This law impacts all businesses with an online presence in California. Though confusing to many, the new law is not going away and cannot be ignored. For developers of mobile apps, there are a few basic requirements that should be part of the early stages of your compliance plan.
First, privacy policies must be updated. Your privacy policies should contain a section that specifically addresses the requirements of the CCPA. Specifically, your privacy policy must:
- Identify the categories of personal information collected in the last 12 months, the sources from which they were collected, and how they are used and shared;
- Notify consumers of and provide instructions on how to exercise their rights to know and delete;
- Tell consumers whether their information is “sold” as that term is broadly defined in the CCPA and, if so, what their rights are to opt in or opt out of the sale;
- Notify consumers that they cannot be discriminated against for exercising their rights; and
- Include a “last updated” date and contact information for consumers to ask you questions or voice concerns.
Second, your privacy policy should be available to consumers before they download your app with a link on the app storefront’s product page (or, if available outside the storefronts, on the download page), as well as from within the app. The link in the app would most commonly be found in the Settings menu; however, there is some flexibility concerning placement so long as it is reasonably accessible.
Third, you should also provide a link directly to the California section of your privacy policy in both the app storefront’s product page and within the app. The link should take consumers directly to the section of your privacy policy that contains the disclosures required by the CCPA.
Fourth, if you collect personal information for purposes consumers would not reasonably expect, you must provide consumers a just-in-time notice, usually in the form of a pop-up within the app. For example, if you operate a flashlight app that collects geolocation data, you must provide your consumers with a pop-up notice, alerting them to that unexpected collection of data.
Fifth, if you share consumers’ personal information with other companies, at the very least, you must take the steps to determine whether that sharing falls within the CCPA’s broad definition of “sale.” In many cases, it will. This is critically important because the “sale” of consumers’ personal information triggers opt-in and opt-out requirements.
Specifically, for consumers under 13 years old, you cannot “sell” personal information without first obtaining consent from a parent or guardian, verified by one of the methods approved within the CCPA. If this situation applies to you, I recommend you reach out to me directly to discuss further because you also have obligations under the Children’s Online Privacy Protection Act (COPPA). For consumers 13 to 15 years old, you must obtain opt-in consent, whereby the consumer must opt in and then separately confirm the opt-in. Parental consent and opt-in consent from minors must occur before any information is “sold,” meaning it would most likely occur at startup. For consumers 16 and older, you must provide a “Do Not Sell My Info” link in your privacy policy and directly within the app (e.g., in the Settings menu).
These five steps will help you begin down the path of CCPA compliance. However, the law is complicated and goes beyond these basic requirements. If you do not have the internal resources (and, even if you do), it is a good idea to consult a professional.
• • •
Have more questions about CCPA compliance? Feel free to reach out to us through our Contact page to learn more about our program. Be sure to follow us on Twitter and LinkedIn for more privacy-related updates.