California Attorney General Kamala Harris

Developers and operators of educational technology services should take note.  Just before the election, California Attorney General Kamala Harris provided a document laying out guidance for those providing education technology (“Ed Tech”).  “Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data” provides practical direction that operators of websites and online services used for K-12 purposes can use to implement best practices for their business models.

Ed Tech, per the Recommendations, comes in three categories: (1) administrative management systems and tools, such as cloud services that store student data; (2) instructional support, including testing and assessment; (3) content, including curriculum and resources such as websites and mobile apps.  The Recommendations recognize the important role that educational technology plays in classrooms by citing the Software & Information Industry Association; the U.S. Market for PreK-12 Ed Tech was estimated at $8.38 billion in 2015.

The data that may be gathered through Ed Tech systems and services can be extremely sensitive, including medical histories, social and emotional assessments and test results.  At the Federal level, the Family Educational Rights and Privacy Act (FERPA) and the Children’s Online Privacy Protection Rule (COPPA) govern the use of student data.  However, according to the Recommendations, these laws “are widely viewed as having been significantly outdated by new technology.”

Recognizing this, California has enacted laws in this space to fill in gaps in the protection.  Cal. Ed. Code § 49073.1 requires local education agencies (county offices of education, school districts, and charter schools) that contract with third parties for systems or services that manage, access, or use pupil records to include specific provisions regarding the use, ownership and control of pupil records.  On the private side, the Student Online Personal Information Privacy Act (SOPIPA) requires Ed Tech providers to comply with baseline privacy and security protections.

Building on this backdrop of legislation, Attorney General Harris’ office provided six recommendations for Ed Tech providers, especially those that provide services in the pre-kindergarten to twelfth grade space.

  • Data Collection and Retention: Minimization is the Goal 

Describe the data being collected and the methods being used, while understanding that data can be thought of to include everything from behavioral data to persistent identifiers.  If your service links to another service, disclose this in your privacy policy and provide a link to the privacy policy of the external service.  If you operate the external service, maintain the same privacy and security protections for the external service that users enjoyed with the original service.  Minimize the data collected to only that necessary to provide the service, retain the data for only as long as necessary, and be able to delete personally identifiable information upon request.

  • Data Use: Keep it Educational

Describe the purposes of the data you are collecting.  Do not use any personally identifiable data for targeted advertising, including persistent identifiers, whether within the original service, or any other service.  Do not create profiles other than those necessary for the school purposes that your service was intended for.  If you use collected data for product improvement, aggregate or de-identify the data first.

  • Data Disclosure: Make Protections Stick 

Specifically describe any third parties you share personally identifiable data with. If disclosing for school purposes, only do so to further the school specific purpose of your site.  If disclosing for research purposes, only disclose personally identifiable information if you are required by federal or state law, or if allowed under federal and state law, and the disclosure is under the direction of a school, district or state education department.  Service providers should be contractually required to use any personally identifiable data only for the contracted service, not disclose the information, take reasonable security measures, delete the information when the contract is completed, and notify you of any unauthorized disclosure or breach.  Do not sell any collected information, except as part of a merger or acquisition.

  • Individual Control: Respect Users’ Rights 

Describe procedures for parents, legal guardians, and eligible students to access, review and correct personally identifiable data.  Provide procedures for students to transfer content they create to another service, and describe these procedures in your privacy policy.

  • Data Security: Implement Reasonable and Appropriate Safeguards

Provide a description of the reasonable and appropriate security you use, including technical, administrative and physical safeguards, to protect student information.  Describe your process for data breach notification.  Provide training for your employees regarding your policies and procedures and employee obligations.

  • Transparency: Provide a Meaningful Privacy Policy

Make available a privacy policy, using a descriptive title such as Privacy Policy, in a conspicuous manner that covers all student information, including personally identifiable information.  The policy should be easy for parents and educators to understand.  Consider getting feedback regarding your actual privacy policy, including from parents and students.  Include an effective date on the policy and describe how you will provide notice to the account holder, such as a school, parent, or eligible student.  Include a contact method in the policy, at a minimum an email address, and ideally also a toll-free number.

Given the size of the California market, any guidance issued by the California Attorney General’s office should be carefully considered and reviewed.  If you are growing an ed tech company, this is the time to build in data privacy and security controls.  If you are established, it’s time to review your privacy practices against this Guidance and see how you match up.  If you have any questions or concerns as to how these recommendations could be applied to your company, please do not hesitate to contact the team at Mintz Levin.


It’s time for a compliance check on those website or mobile app privacy policies, before the California Attorney General comes knocking.

Attorney General Kamala D. Harris has announced the release of a new tool for consumers to report websites, mobile applications, and other online services that may be in violation of the California Online Privacy Protection Act (CalOPPA).  The form is available at  As a reminder, a website owner or app operator may violate CalOPPA by failing to post privacy policies or posting incomplete or inadequate policies that do not meet the requirements of the statute.

As we have previously written on this blog, the potential cost for not meeting the CalOPPA requirements can be substantial.  Violations of CalOPPA may result in penalties of up to $2,500 per violation which, for mobile applications, means up to $2,500 for each copy of the non-compliant application that is downloaded by California consumers.

“In the information age, companies doing business in California must take every step possible to be transparent with consumers and protect their privacy,” said Attorney General Harris. “As the devices we use each day become increasingly connected and more Americans live their lives online, it’s critical that we implement robust safeguards on what information is shared online and how. By harnessing the power of technology and public-private partnerships, California can continue to lead the nation on privacy protections and adapt as innovations emerge.”

Mobile app creators should be aware that the Attorney General’s office will not only be relying on consumers to identify non-compliant apps.  The Office is also partnering with the Usable Privacy Policy Project at Carnegie Mellon University to develop a tool that will identify mobile apps that may be in violation of CalOPPA by looking for discrepancies between disclosures in a given privacy policy and the mobile app’s actual data collection and sharing practices (for example, a company might share personal information with third parties but not disclose that in its privacy policies).

If you have any questions regarding CalOPPA compliance, please do not hesitate to contact the team at Mintz Levin.



In a decision favorable to the airline industry—but not helpful to other companies—the California Court of Appeal said that a privacy enforcement action against Delta is not going to fly.  On May 25, 2016, the Court of Appeal tossed the California Attorney General’s CalOPPA enforcement action against Delta Airlines, affirming the lower court’s 2013 dismissal of the case with prejudice.

As we previously wrote, the California AG’s office has been taking incremental steps toward ensuring that mobile applications comply with CalOPPA.  As early as 2012, its office began sending notices of non-compliance to mobile application developers.  When some companies failed to respond, the Attorney General chose Delta as its pilot case, promptly filing its first-ever enforcement action under CalOPPA.  Over the past three years, we have followed the Attorney General’s CalOPPA compliance campaign, including the Delta case.

Written by Jake Romero, CIPP/US

When you think of catastrophic events that take place online and have a devastating effect on millions of people, you probably think of HBO Go crashing during the True Detective finale.  However, California Attorney General Kamala Harris wants to remind you that you should be thinking about data breaches.  New data and statements released by the office of Attorney General Harris disclose that more than 20 million customer accounts have been affected over the past two years by the ever-increasing number of data breaches, and also provide insight into the central role the Attorney General’s office hopes to play in remedying the problem.

Written by Jake Romero

If You Care About the Security of Your Online Data or Just Love Charts, This Report is For You

Californians are a diverse bunch (as you’ve probably gathered from those commercials with Arnold Schwarzenegger), but apparently there is something that 2.5 million of us all have in common.  California Attorney General Kamala Harris has released a first-of-its-kind data breach report  that includes statistics, recommendations and assessments based on breaches that were reported to the Attorney General’s office during the 2012 calendar year.  The most notable/alarming finding is that in 2012, 2.5 million California residents had personal information compromised in connection with a data breach.  That’s roughly equal to the populations of San Diego, San Francisco and Oakland combined.

California was the first to pass a data breach notification law (California Civil Code Sections 1798.29(a) and 1798.82(a)) ten years ago, but 2012 was the first year in which organizations who issue certain types of data breaches were also required to notify the office of the Attorney General.  In total, 131 data breaches were reported by 103 different entities, with the average breach incident involving 22,500 individuals.  According to the Breach Report, more than half of the breaches involved social security numbers and more than half were the result of intentional acts by an unauthorized individual.  California is the first state to compile a comprehensive review of reported breaches; the results provide important information, and other states should take up the example.

The Breach Report includes recommendations for the California legislature and the state’s enforcement agencies, but arguably the most important recommendations are those directed at the providers of online services:

  • Encryption – If your online service collects personally identifiable information and does not encrypt it, expect very little sympathy from Attorney General Harris following a breach.  In the message preceding the Breach Report, Attorney General Harris calls the failure of companies to encrypt sensitive personal information “particularly striking,” and notes that if encryption had been used, over 1.4 million of the Californians would not have had their data put at risk in 2012.  As noted in the Breach Report, California’s data breach notification law includes an incentive to encrypt data in the form of an exemption for certain data breach incidents from the notification requirements where the personally identifiable information that was accessed was encrypted.  If that isn’t enough motivation, however, the Breach Report also warns that the Attorney General’s Office intends to make the investigations of breaches involving unencrypted personal information a priority, and will encourage other enforcement agencies to do the same.
  • Security Through Training – As noted above, more than half of the breaches that were reported in 2012 were the result of an intentional act by outsiders or malicious insiders.  The Attorney General’s office recommends that companies that collect private information review their security procedures on an ongoing basis to make sure that their security controls remain up to date.  As part of this process, the Attorney General’s office recommends regular training for employees and contractors to ensure that best practices are implemented and updated to address new threats.
  • Stop With the Fancy Talk – The average reading level of individuals in the United States is 8th grade.  A survey conducted by the Attorney General’s office using data breach notification samples provided by organizations in connection with reported breaches found that the average notification was written at a 14th-grade level.  The Breach Report emphasizes that the point of such notices is to ensure that each recipient can understand its contents.  Generally this is an important point to keep in mind for any notification, terms or policy that is intended for your consumers, including your privacy policy.
  • Be Prepared to Offer Credit Monitoring Assistance – The Breach Report found that in 29% of the most serious types of breaches (those involving Social Security or driver’s license numbers), credit monitoring services were not offered to the consumers whose information was put at risk.  Attorney General Harris noted that clearing up this type of identity theft can be both costly and time-consuming, but that protective measures provided by the company who experienced the breach can help to limit ongoing risks.

Perhaps the biggest take-away for providers of online services, however, is how common data breaches have become.  The data and statistics included in the report demonstrate that data breaches happen across all industry sectors, in all sizes of companies, with all types of data and in a number of different ways.  The time to prepare your company for a data breach is before it happens, rather than after.  Nobody wants to be on this list, but if you do experience a data breach, having a plan in place will help keep your sleepless nights to a minimum.  As always, your Mintz Levin privacy team is here to help.

Written by Evan Nadel and Jake Romero

Delta Airlines, Inc. may have to pay fines equal to 20 “excess bag” fees for each user that has downloaded its “Fly Delta” mobile application.  California Attorney General Kamala Harris has filed a complaint against Delta, alleging that Delta has failed to conspicuously post a privacy policy on its mobile application, in violation of California’s Online Privacy Protection Act (“CalOPPA”).

Over the past year, we have followed the number of incremental steps that the California Attorney General’s office has taken toward ensuring that mobile applications comply with CalOPPA’s provisions, including the requirement that operators of commercial websites and online services that collect personally identifiable information from users post a privacy policy that explains what information is collected and how it is shared.  Most recently, we reported that Attorney General Harris’s office had issued warning letters to the developers of 100 of the most popular mobile applications without compliant privacy policies, giving them 30 days to bring their respective applications into compliance.  At that time, a spokesperson from Delta acknowledged that they had received one such notice, and that Delta “intended to provide the requested information.”

That thirty day period has since lapsed and, in a complaint filed on Thursday with the San Francisco County Superior Court,  Attorney General Harris alleges that Delta continues to engage in unfair business practices by violating CalOPPA’s privacy policy requirement.  According to the complaint, the Fly Delta mobile application has been available since 2010 and has been downloaded millions of times.  The Fly Delta app collects a broad array of personally identifiable information from its users, including, among other things, geo-location data, photographs, names, addresses, telephone numbers, email addresses, date of birth, credit card numbers and expiration dates, and frequent traveler account numbers.  Although Delta’s main website does contain a privacy policy,  that privacy policy is not accessible through the mobile application and does not include a full description of the information collected by Fly Delta.  Attorney General Harris is seeking an injunction against Delta preventing it from distributing the Fly Delta app, as well as a penalty of $2,500 for each violation.  For mobile app developers, “each violation” can mean $2,500 for each time the non-compliant application was downloaded.   Civil class actions under California’s Unfair Competition Law (Bus. & Prof. Code § 17200, et seq.) involving “Fly Delta” are likely to follow, although users who downloaded the app at no cost will face a challenge establishing standing under that law.

The legal action against Delta is yet another indication of how serious Attorney General Harris is about enforcing California’s right to privacy.  For mobile app developers, that means there is no better time to make sure that your application complies with California’s regulations.  Here are a few key considerations:

  • CalOPPA requires that the privacy policy be “conspicuously” posted.  For mobile applications, that means that the privacy policy must be accessible before the user has downloaded the application.  Once the application has been downloaded, the privacy policy should be accessible from inside the application itself.
  • Your mobile application privacy policy must include a full description of the information being collected.  We recommend having all of your key technicians review the policy to ensure its accuracy and completeness.  Mobile applications have the potential to collect and transmit far more data than the average website, and the full extent of information being transmitted is not always readily apparent.
  • Simply linking to your website’s privacy policy is not sufficient.  As noted above, mobile applications can potentially collect much more data than the average website, including geo-location data and pictures that are stored on the mobile device.  One of the noteworthy aspects of Attorney General Harris’s complaint against Delta is that it contends that even if the user could access Delta’s website privacy policy through the Fly Delta app, that privacy policy would not be sufficient to bring the application into compliance with CalOPPA.

We are certain to see more legal actions and fines in the near future.

In the meantime, the complaint against Delta serves as a reminder that, in addition to worrying about whether you have too many liquids to get through security, you should also be concerned about whether your app complies with federal and state privacy laws.    If you have questions regarding compliance with CalOPPA and the mobile privacy policy requirements, Mintz Levin’s privacy team is ready to assist.

Written by Jake Romero

If a haunted house or trick-or-treating was your scariest experience last week, you must not be one of the 100 mobile application developers who received a notice of non-compliance from California Attorney General Kamala D. Harris.  On October 30, Attorney General Harris’s office announced that letters had been sent to the developers of dozens of the most popular mobile applications warning in each case that the developer’s application is not in compliance with California’s Online Privacy Protection Act (“CalOPPA”) because it fails to have a privacy policy reasonably accessible to consumers.  The letters give the developer 30 days to respond by providing either specific plans to bring the application into compliance or an explanation regarding why the developer believes that the application is not covered by CalOPPA.

As noted in the non-compliance notice letters, the potential cost to mobile application developers of not meeting the CalOPPA requirements can be substantial.  Violations of CalOPPA may result in penalties of up to $2,500 per violation which, for mobile applications, means up to $2,500 for each copy of the non-compliant application that is downloaded by California consumers.  Since Attorney General Harris has started by targeting the most popular non-compliant applications, including, reportedly, the mobile applications of Delta Airlines, United Continental Holdings and OpenTable, the penalties assessed could potentially be substantial.

As we have previously discussed on this blog, CalOPPA requires that “an operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service” conspicuously post a privacy policy that meets the requirements of California Business and Professions Code § 22575(a) and (b).  In the past year, Attorney General Harris has reached agreements with the seven major mobile application platforms providing that mobile applications constitute an “online service” and are therefore subject to CalOPPA’s requirement.  Among the requirements, the privacy policy must be “reasonably accessible” which, for mobile applications, requires that, among other things, the policy be available for review prior to download and include a description of the information being collected.

An additional noteworthy aspect of the non-compliance notice letters is that they are sent on behalf of Attorney General Harris by Adam Miller, Supervising Deputy Attorney General of the newly-created Privacy Enforcement and Protection Unit.  The Privacy Enforcement and Protection Unit was established earlier this year and granted authority to enforce state and federal privacy laws and regulations.  The non-compliance notices confirm speculation made at the time of the Privacy Unit’s establishment that the application of CalOPPA to mobile applications would reside high on the list of the Unit’s priorities.

All indications from the Attorney General’s office suggest that this is merely the beginning of a prolonged campaign.  In other words, now is the time for mobile application developers to ensure that applications meet the requirements of California state law, before the 30 day clock is ticking for you.    If you need assistance, or have questions, the Mintz Privacy and Security team is here to help.