First, privacy policies must be updated. Your privacy policies should contain a section that specifically addresses the requirements of the CCPA. Specifically, your privacy policy must:

• Identify the categories of personal information collected in the last 12 months, the sources from which they were collected, and how they are used and shared;
• Notify consumers of and provide instructions on how to exercise their rights to know and delete;
• Tell consumers whether their information is “sold” as that term is broadly defined in the CCPA and, if so, what their rights are to opt-in or opt-out of the sale;
• Notify consumers that they cannot be discriminated against for exercising their rights; and
• Include a “last updated” date and contact information for consumers to ask you questions or voice concerns.

Second, your privacy policy should be available to consumers before they download your app with a link on the app storefront’s product page (or, if available outside the storefronts, on the download page), as well as from within the app. The link in the app would most commonly be found in the Settings menu; however, there is some flexibility concerning placement so long as it is reasonably accessible.

Third, you should also provide a link directly to the California section of your privacy policy in both the app storefront’s product page and within the app. The link should take consumers directly to the section of your privacy policy that contains the disclosures required by the CCPA.

Fourth, if you collect personal information for purposes consumers would not reasonably expect, you must provide consumers a just-in-time notice, usually in the form of a pop-up within the app. For example, if you operate a flashlight app that collects geolocation data, you must provide your consumers with a pop-up notice, alerting them to that unexpected collection of data.

Fifth, if you share consumers personal information with other companies, at the very least, you must take the steps to determine whether that sharing falls within the CCPA’s broad definition of “sale.” In many cases, it will. This is critically important because the “sale” of consumers’ personal information triggers opt-in and opt-out requirements.

Specifically, for consumers under 13 years old, you cannot “sell” personal information without first obtaining consent from a parent or guardian, verified by one of the methods approved within the CCPA. If this situation applies to you, I recommend you reach out to me directly to discuss further because you also have obligations under the Children’s Online Privacy Protection Act (COPPA). For consumers 13 to 15 years old, you must obtain opt-in consent, whereby the consumer must opt-in and then separately confirm the opt-in. Parental consent and opt-in consent from minors must occur before any information is “sold,” meaning it would most likely occur at startup. For consumers 16 and older, you must provide a “Do Not Sell My Info” link in your privacy policy and directly within the app (e.g., in the Settings menu).

These five steps will help you begin down the path of CCPA compliance. However, the law is complicated and goes beyond these basic requirements. If you do not have the internal resources (and, even if you do), it is a good idea to consult a professional.

• • •

Have more questions about CCPA compliance? Feel free to reach out to us through our Contact page to learn more about our program. Be sure to follow us on Twitter and LinkedIn for more privacy-related updates.CC

The post The California Consumer Privacy Act: 5 Steps Mobile App Developers Should Be Taking Now appeared first on ESRB Ratings.

First, privacy policies must be updated. Your privacy policies should contain a section that specifically addresses the requirements of the CCPA. Specifically, your privacy policy must:

• Identify the categories of personal information collected in the last 12 months, the sources from which they were collected, and how they are used and shared;
• Notify consumers of and provide instructions on how to exercise their rights to know and delete;
• Tell consumers whether their information is “sold” as that term is broadly defined in the CCPA and, if so, what their rights are to opt-in or opt-out of the sale;
• Notify consumers that they cannot be discriminated against for exercising their rights; and
• Include a “last updated” date and contact information for consumers to ask you questions or voice concerns.

Second, your privacy policy should be available to consumers before they download your app with a link on the app storefront’s product page (or, if available outside the storefronts, on the download page), as well as from within the app. The link in the app would most commonly be found in the Settings menu; however, there is some flexibility concerning placement so long as it is reasonably accessible.

Third, you should also provide a link directly to the California section of your privacy policy in both the app storefront’s product page and within the app. The link should take consumers directly to the section of your privacy policy that contains the disclosures required by the CCPA.

Fourth, if you collect personal information for purposes consumers would not reasonably expect, you must provide consumers a just-in-time notice, usually in the form of a pop-up within the app. For example, if you operate a flashlight app that collects geolocation data, you must provide your consumers with a pop-up notice, alerting them to that unexpected collection of data.

Fifth, if you share consumers personal information with other companies, at the very least, you must take the steps to determine whether that sharing falls within the CCPA’s broad definition of “sale.” In many cases, it will. This is critically important because the “sale” of consumers’ personal information triggers opt-in and opt-out requirements.

Specifically, for consumers under 13 years old, you cannot “sell” personal information without first obtaining consent from a parent or guardian, verified by one of the methods approved within the CCPA. If this situation applies to you, I recommend you reach out to me directly to discuss further because you also have obligations under the Children’s Online Privacy Protection Act (COPPA). For consumers 13 to 15 years old, you must obtain opt-in consent, whereby the consumer must opt-in and then separately confirm the opt-in. Parental consent and opt-in consent from minors must occur before any information is “sold,” meaning it would most likely occur at startup. For consumers 16 and older, you must provide a “Do Not Sell My Info” link in your privacy policy and directly within the app (e.g., in the Settings menu).

These five steps will help you begin down the path of CCPA compliance. However, the law is complicated and goes beyond these basic requirements. If you do not have the internal resources (and, even if you do), it is a good idea to consult a professional.

• • •

Have more questions about CCPA compliance? Feel free to reach out to us through our Contact page to learn more about our program. Be sure to follow us on Twitter and LinkedIn for more privacy-related updates.CC

The post The California Consumer Privacy Act: 5 Steps Mobile App Developers Should Be Taking Now appeared first on ESRB Ratings.

Under Section 1798.120(c) of the CCPA, absent opt-in consent, a business is prohibited from selling the personal information of a California resident, if the business has “actual knowledge” the resident is under 16 years old. For children 13 to 15 years old, the opt-in consent can come directly from the child. The current version of the California Attorney General’s draft regulations requires that consent to come in two steps: first, the child must request to opt-in, then the child must separately confirm the opt-in choice. For children under 13 years old, opt-in consent must come from a parent or guardian using one of several methods that will be approved in the regulations. In both cases, the business must provide notice of the right and method to later opt-out.

When compared with current protections afforded by COPPA, Section 1798.120(c)’s biggest change is that it extends protections to children under 16 years old, whereas COPPA’s protections extend only to children under 13 years old. How material this difference turns out to be will depend largely on how the California Attorney General, and likely California courts, interpret the term “actual knowledge.” The statute says that if a business willfully disregards a child’s age, it will be deemed to have actual knowledge. What does that mean in an online world where most websites and apps don’t request or require a user’s age? How would those businesses have actual knowledge, if at all? Will they be expected to make assumptions based on the content of their websites and apps (i.e., something closer to constructive knowledge) or have a duty to monitor their user base to identify potential underage users (e.g., review user profiles)? It is far too early to know how these questions will ultimately get answered, but with July 1 almost here, that process is almost underway.

It is also noteworthy that the stakes are likely to be high. The current ballot initiative to pass the California Privacy Rights Act (CCPA 2.0) in November would triple the penalty for violations involving minors to $7,500 for each violation. CCPA 2.0 would also create a new agency to enforce the law and to pursue penalties.

• • •

Have more questions about CCPA compliance? Feel free to reach out to us through our Contact page to learn more about our program. Be sure to follow us on Twitter and LinkedIn for more privacy-related updates.

The post California Goes Beyond COPPA to Protect Children’s Privacy appeared first on ESRB Ratings.