California Attorney General Kamala Harris


It’s time for a compliance check on those website or mobile app privacy policies, before the California Attorney General comes knocking.

Attorney General Kamala D. Harris has announced the release of a new tool for consumers to report websites, mobile applications, and other online services that may be in violation of the California Online Privacy Protection Act (CalOPPA).  The form is available at  As a reminder, a website owner or app operator may violate CalOPPA by failing to post privacy policies or posting incomplete or inadequate policies that do not meet the requirements of the statute.

As we have previously written on this blog, the potential cost for not meeting the CalOPPA requirements can be substantial.  Violations of CalOPPA may result in penalties of up to $2,500 per violation which, for mobile applications, means up to $2,500 for each copy of the non-compliant application that is downloaded by California consumers.

“In the information age, companies doing business in California must take every step possible to be transparent with consumers and protect their privacy,” said Attorney General Harris. “As the devices we use each day become increasingly connected and more Americans live their lives online, it’s critical that we implement robust safeguards on what information is shared online and how. By harnessing the power of technology and public-private partnerships, California can continue to lead the nation on privacy protections and adapt as innovations emerge.”

Mobile app creators should be aware that the Attorney General’s office will not only be relying on consumers to identify non-compliant apps.  The Office is also partnering with the Usable Privacy Policy Project at Carnegie Mellon University to develop a tool that will identify mobile apps that may be in violation of CalOPPA by looking for discrepancies between disclosures in a given privacy policy and the mobile app’s actual data collection and sharing practices (for example, a company might share personal information with third parties but doesn’t disclose that in its privacy policies).

If you have any questions regarding CalOPPA compliance, please do not hesitate to contact the team at Mintz Levin.



In a decision favorable to the airline industry—but not helpful to other companies—the California Court of Appeal said that a privacy enforcement action against Delta is not going to fly.  On May 25, 2016, the Court of Appeal tossed the California Attorney General’s CalOPPA enforcement action against Delta Airlines, affirming the lower court’s 2013 dismissal of the case with prejudice.

As we previously wrote, California AG’s office has been taking incremental steps toward ensuring that mobile applications comply with CalOPPA.  As early as 2012, its office began sending notices of non-compliance to mobile application developers.  When some companies failed to respond, the Attorney General chose Delta as its pilot case, promptly filing its first-ever enforcement action under CalOPPA.  Over the past three years, we have followed the Attorney General’s CalOPPA compliance campaign, including the Delta case.   Continue Reading Delta Wins CalOPPA Case – But Your Mobile App May Not Fly

Written by Jake Romero, CIPP/US

When you think of catastrophic events that take place online and have a devastating effect on millions of people, you probably think of HBO Go crashing during the True Detective finale.  However, California Attorney General Kamala Harris wants to remind you that you should be thinking about data breaches.  New data and statements released by the office of Attorney General Harris disclose that more than 20 million customer accounts been affected over the past two years by the ever-increasing number of data breaches, and also provide insight into the central role the Attorney General’s office hopes to play in remedying the problem. Continue Reading Over 20 Million Customer Accounts Affected by Data Breaches in California; Attorney General Harris Promises Increased Enforcement

Written by Jake Romero

If You Care About the Security of Your Online Data or Just Love Charts, This Report is For You

Californians are a diverse bunch (as you’ve probably gathered from those commercials with Arnold Schwarzenegger), but apparently there is something that 2.5 million of us all have in common.  California Attorney General Kamala Harris has released a first-of-its-kind data breach report  that includes statistics, recommendations and assessments based on breaches that were reported to the Attorney General’s office during the 2012 calendar year.  The most notable/alarming finding is that in 2012, 2.5 million California residents had personal information compromised in connection with a data breach.  That’s roughly equal to the populations of San Diego, San Francisco and Oakland combined.

California was the first to pass a data breach notification law (California Civil Code Sections 1798.29(a) and 1798.82(a)) ten years ago, but 2012 was the first year in which organizations who issue certain types of data breaches were also required to notify the office of the Attorney General.  In total, 131 data breaches were reported  by 103 different entities, with the average breach incident involving 22,500 individuals.   According to the Breach Report, more than half of the breaches involved social security numbers and more than half were the result of intentional acts by an unauthorized individual.   California is the first state to compile a comprehensive review of reported breaches and the results provide important information and other states should take up the example.

The Breach Report includes recommendations for the California legislature and the state’s enforcement agencies, but arguably the most important recommendations are those directed at the providers of online services:

  • Encryption – If your online service collects personally identifiable information and does not encrypt it, expect very little sympathy from Attorney General Harris following a breach.  In the message preceding the Breach Report, Attorney General Harris calls the failure of companies to encrypt sensitive personal information “particularly striking,” and notes that if encryption had been used, over 1.4 million of the Californians would not have had their data put at risk in 2012.  As noted in the Breach Report, California’s data breach notification law includes an incentive to encrypt data in the form of an exemption for certain data breach incidents from the notification requirements where the personally identifiable information that was accessed was encrypted.  If that isn’t enough motivation, however, the Breach Report also warns that the Attorney General’s Office intends to make the investigations of breaches involving unencrypted personal information a priority, and will encourage other enforcement agencies to do the same.
  • Security Through Training – As noted above, more than half of the breaches that were reported in 2012 were the result of an intentional act by outsiders or malicious insiders.  The Attorney General’s office recommends that companies that collect private information review their security procedures on an ongoing basis to make sure that their security controls remain up to date.  As part of this process, the Attorney General’s office recommends regular training for employees and contractors to ensure that best practices are implemented and updated to address new threats.
  • Stop With the Fancy Talk – The average reading level of individuals in the United States is 8th grade.  A survey conducted by the Attorney General’s office using data breach notification samples provided by organizations in connection with reported breaches found that the average notification was written at a 14th-grade level.  The Breach Report emphasizes that the point of such notices is to ensure that each recipient can understand its contents.  Generally this is an important point to keep in mind for any notification, terms or policy that is intended for your consumers, including your privacy policy.
  • Be Prepared to Offer Credit Monitoring Assistance – The Breach Report found that in 29% of the most serious types of breaches (those involving Social Security or driver’s license numbers), credit monitoring services were not offered to the consumers whose information was put at risk.  Attorney General Harris noted that clearing up this type of identity theft can be both costly and time-consuming, but that protective measures provided by the company who experienced the breach can help to limit ongoing risks.

Perhaps the biggest take-away for providers of online services, however, is how common data breaches have become.  The data and statistics included in the report demonstrate that data breaches happen across all industry sectors, in all sizes of companies, with all types of data and in a number of different ways.  The time to prepare your company for a data breach is before it happens, rather than after.  Nobody wants to be on this list, but if you do experience a data breach, having a plan in place will help keep your sleepless nights to a minimum.  As always, your Mintz Levin privacy team is here to help.

Written by Evan Nadel and Jake Romero

Delta Airlines, Inc. may have to pay fines equal to 20 “excess bag” fees for each user that has downloaded its “Fly Delta” mobile application.  California Attorney General Kamala Harris has filed a complaint against Delta, alleging that Delta has failed to conspicuously post a privacy policy on its mobile application, in violation of California’s Online Privacy Protection Act (“CalOPPA”).

Over the past year, we have followed the number of incremental steps that the California Attorney General’s office has taken toward ensuring that mobile applications comply with CalOPPA’s provisions, including the requirement that operators of commercial websites and online services that collect personally identifiable information from users post a privacy policy that explains what information is collected and how it is shared.  Most recently, we reported that Attorney General Harris’s office had issued warning letters to the developers of 100 of the most popular mobile applications without compliant privacy policies, giving them 30 days to bring their respective applications into compliance.  At that time, a spokesperson from Delta acknowledged that they had received one such notice, and that Delta “intended to provide the requested information.”

That thirty day period has since lapsed and, in a complaint filed on Thursday with the San Francisco County Superior Court,  Attorney General Harris alleges that Delta continues to engage in unfair business practices by violating CalOPPA’s privacy policy requirement.  According to the complaint, the Fly Delta mobile application has been available since 2010 and has been downloaded millions of times.  The Fly Delta app collects a broad array of personally identifiable information from its users, including, among other things, geo-location data, photographs, names, addresses, telephone numbers, email addresses, date of birth, credit card numbers and expiration dates, and frequent traveler account numbers.  Although Delta’s main website does contain a privacy policy,  that privacy policy is not accessible through the mobile application and does not include a full description of the information collected by Fly Delta.  Attorney General Harris is seeking an injunction against Delta preventing it from distributing the Fly Delta app, as well as a penalty of $2,500 for each violation.  For mobile app developers, “each violation” can mean $2,500 for each time the non-compliant application was downloaded.   Civil class actions under California’s Unfair Competition Law (Bus. & Prof. Code § 17200, et seq.) involving “Fly Delta” are likely to follow, although users who downloaded the app at no cost will face a challenge establishing standing under that law.

The legal action against Delta is yet another indication of how serious Attorney General Harris is about enforcing California’s right to privacy.  For mobile app developers, that means there is no better time to make sure that your application complies with California’s regulations.  Here are a few key considerations:

  • • CalOPPA requires that the privacy policy be “conspicuously” posted.  For mobile applications, that means that the privacy policy must be accessible before the user has downloaded the application.  Once the application has been downloaded, the privacy policy should be accessible from inside the application itself.
  • • Your mobile application privacy policy must include a full description of the information being collected.  We recommend having all of your key technicians review the policy to ensure its accuracy and completeness.  Mobile applications have the potential to collect and transmit far more data than the average website, and the full extent of information being transmitted is not always readily apparent.
  • • Simply linking to your website’s privacy policy is not sufficient.  As noted above, mobile applications can potentially collect much more data than the average website, including geo-location data and pictures that are stored on the mobile device.  One of the noteworthy aspects of Attorney General Harris’s complaint against Delta is that it contends that even if the user could access Delta’s website privacy policy through the Fly Delta app, that privacy policy would not be sufficient to bring the application into compliance with CalOPPA.

We are certain to see more legal actions and fines in the near future.

In the meantime, the complaint against Delta serves as a reminder that, in addition to worrying about whether you have too many liquids to get through security, you should also be concerned about whether your app complies with federal and state privacy laws.    If you have questions regarding compliance with CalOPPA and the mobile privacy policy requirements, Mintz Levin’s privacy team is ready to assist.

Written by Jake Romero

If a haunted house or trick-or-treating was your scariest experience last week, you must not be one of the 100 mobile application developers who received a notice of non-compliance from California Attorney General Kamala D. Harris.  On October 30, Attorney General Harris’s office announced that letters had been sent to the developers of dozens of the most popular mobile applications warning in each case that the developer’s application is not in compliance with California’s Online Privacy Protection Act (“CalOPPA”) because it fails to have a privacy policy reasonably accessible to consumers .  The letters give the developer 30 days to respond by providing either specific plans to bring the application into compliance or an explanation regarding why the developer believes that the application is not covered by CalOPPA.

As noted in the non-compliance notice letters, the potential cost to mobile application developers of not meeting the CalOPPA requirements can be substantial.  Violations of CalOPPA may result in penalties of up to $2,500 per violation which, for mobile applications, means up to $2,500 for each copy of the non-compliant application that is downloaded by California consumers.  Since Attorney General Harris has started by targeting the most popular non-compliant applications, including, reportedly, the mobile applications of Delta Airlines, United Continental Holdings and OpenTable , the penalties assessed could potentially be substantial.

As we have previously discussed on this blog, CalOPPA requires that “an operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service” conspicuously post a privacy policy that meets the requirements of California Business and Professions Code § 22575(a) and (b).  In the past year, Attorney General Harris has reached agreements with the seven major mobile application platforms providing that mobile applications constitute an “online service” and are therefore subject to CalOPPA’s requirement.  Among the requirements, the privacy policy must be “reasonably accessible” which, for mobile applications, requires that, among other things, the policy be available for review prior to download and include a description of the information being collected.

An additional noteworthy aspect of the non-compliance notice letters is that they are sent on behalf of Attorney General Harris by Adam Miller, Supervising Deputy Attorney General of the newly-created Privacy Enforcement and Protection Unit.  The Privacy Enforcement and Protection Unit was established earlier this year and granted authority to enforce state and federal privacy laws and regulations.  The non-compliance notices confirm speculation made at the time of the Privacy Unit’s establishment that the application of CalOPPA to mobile applications would reside high on the list of the Unit’s priorities.

All indications from the Attorney General’s office suggest that this is merely the beginning of a prolonged campaign.  In other words, now is the time for mobile application developers to ensure that applications meet the requirements of California state law, before the 30 day clock is ticking for you.    If you need assistance, or have questions, the Mintz Privacy and Security team is here to help.