Mobile app developers must now conspicuously post and follow privacy policies just like websites and other commercial online services, according to California Attorney General Kamala Harris. On October 30, the Attorney General’s office began sending warning letters to app developers notifying them that they had 30 days to comply. Time is now up. And the consequences are potentially substantial, with the law carrying fines of up to $2,500 per download.

California’s Online Privacy Protection Act (OPPA) provides that “[a]n operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on its Web site,” or in the case of an operator of an online service, make that policy reasonably accessible to those consumers. The OPPA also includes specific requirements for the content of privacy policies. While the OPPA has been in effect since 2004, the Attorney General’s office only recently began focusing its attention on enforcing the law against app developers.

The Attorney General’s office sent about 100 warning letters to the developers of some of the most popular apps in this first round, stating that it was the first step in enforcement against those developers. Given the high proportion of apps without posted privacy policies, it is likely that additional letters will be sent. While no more formal enforcement actions have been reported, the Attorney General has indicated that she and her office are prepared to sue developers if necessary. In addition, the Attorney General has reached an agreement with the major app platforms to require that apps distributed through their platforms have clear privacy policies.

Although the Attorney General's warning letters presently give app developers 30 days to comply with the OPPA, given the increased regulatory and consumer focus on privacy issues, app developers should examine their information privacy practices and draft and post a privacy policy that complies with the OPPA and other privacy laws. Many developers cut and paste privacy policies from other apps. This is a mistake. Those privacy policies may not comply with the law. Also, each developer should tailor its privacy policy to fit its specific app and information privacy practices.