In late January, California Attorney General Rob Bonta announced one of the agency’s top enforcement priorities for 2023. The attorney general’s office is conducting investigations into popular mobile apps, with a focus on the "retail, travel, and food service industries." The Data Privacy Day investigative sweep came with an added sense of urgency, after the affirmative right to cure within a 30-day period expired at the end of 2022. Now companies that receive inquiries from the California attorney general are not guaranteed the opportunity to fix any compliance gaps before being subject to penalties.

As always, anyone who receives a letter from a privacy enforcer should take the scrutiny seriously and work proactively to demonstrate a commitment to filling gaps as quickly as possible. Even better, organizations should try to avoid gaps in the first place. As with prior California enforcement sweeps, there is a theme privacy teams can look to for direction. This time, it’s consumer choice.

All eyes on mobile

Echoing the Sephora enforcement, the attorney general’s office says it is focused on whether organizations provide consumers with the option to opt out, offer a mechanism for consumers who want to stop the sale of their data, and properly respond to opt-out requests from consumers or their authorized agents.

But this tranche of investigations comes with another big reminder: don’t treat your mobile app as an afterthought. Often, as organizations build out compliance processes, they focus on their web properties first. Mobile apps are equally important and come with the same compliance obligations, even as, in some cases, mechanisms for achieving full compliance are still under development.

Reading between the lines

It may not be apparent at first glance, but the attorney general’s statements about the mobile app sweep provide a detailed roadmap for compliance, while highlighting some of the areas that are most often being missed in the mobile app environment.

Consumer rights. Organizations that offer mobile apps and are unsure where to start will first want to double-check their process for respecting consumer rights requests, regardless of the size of their California presence. This should include both technical measures and written processes that are user-tested. One common pitfall: while it can be tricky to address a consumer request to both access and delete personal data, organizations should have processes in place to honor both requests, first providing a copy of the individual’s data and then deleting it.

Authorized agents. The attorney general also warns about respecting consumer requests that come from authorized agents. This is a developing area, so some confusion is understandable, especially as a variety of services have emerged purporting to assist consumers with data requests. It can be difficult for organizations to determine whether an agent request is legitimate, especially when it uses a template or arrives amid the surge of consumer access requests that often coincides with new rules. Nevertheless, organizations are obligated to verify and respond to such requests. Notably, the attorney general called out one reputable service by name: Permission Slip, from Consumer Reports, is a mobile app (currently available only on iOS) that relies on the California Consumer Privacy Act provision allowing a consumer to delegate a third party to exercise their data rights. The app communicates consumer-set permissions to companies and facilitates data-related requests on the individual’s behalf.

Universal opt outs. The Office of the Attorney General continues to highlight, as it did in Sephora, the importance of respecting universal opt-out mechanisms. Specifically, the attorney general’s statement calls on technology providers to develop and adopt user-enabled global privacy controls for mobile operating systems. Unlike in the desktop environment, where websites have been responding to California’s rules by embracing Global Privacy Control, there is not a standard mechanism in the mobile environment that fully complies with the California rules. During this period when full compliance is not possible, it is important for companies to stay up to date as standards develop and to support the efforts of multistakeholder groups to develop new opt-out mechanisms.

Sharing personal data. The CCPA now requires organizations to respect consumer requests to opt out from the sale and sharing of their personal data, including any selling, renting, releasing, disclosing, disseminating or making the data available to another party. The expanded scope of these provisions should by now be reflected in organizations’ vendor contracts and internal procedures.

Organizations that use consent management platforms as a one-size-fits-all solution should note that certain platforms’ default classifications, such as "strictly necessary" cookies, sometimes align more closely with the EU General Data Protection Regulation than with the updated CCPA requirements. For example, some third-party integrations used for analytics or functionality may need to be covered by consumer opt-outs under the CCPA even if they are treated as necessary under the GDPR. Privacy professionals should conduct their own analyses of these requirements against the third-party integrations on their websites and mobile apps alike, rather than relying on the CMP to reflect new compliance obligations.

While opt-out implementation has matured in the context of website cookies, many organizations have not taken the same care in applying their opt-out policies to third-party software development kits in the mobile ecosystem. Privacy pros should work to ensure they understand the types of data that software development kits and other third-party integrations can access and for what purpose.
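The following is an added example, not code from the article or from any vendor it mentions, showing how the two points above fit together in practice: on the web, the Global Privacy Control signal (the `Sec-GPC: 1` request header defined by the GPC specification) is honored as an opt-out of sale and sharing, while on mobile, where no equivalent OS-level signal exists yet, the in-app "Do Not Sell or Share" choice is the only input; either way, the decision then gates which third-party SDKs may initialize, based on the organization’s own classification of each SDK rather than a CMP default. The SDK inventory, the function names and the inputs are hypothetical and constructed for illustration.

```python
"""Added example (not from the article): resolve a CCPA "Do Not Sell or Share"
decision for a web request and for a mobile app session, then gate third-party
integrations on it. The SDK inventory and helper names are hypothetical."""
from dataclasses import dataclass
from typing import Mapping, Optional

# Hypothetical inventory of third-party integrations. The labels reflect the
# organization's own analysis of each SDK, not a CMP's default category: an SDK
# that is "functionality" for GDPR purposes but still sends personal data to a
# vendor is making data available to a third party under the CCPA.
SDK_INVENTORY = {
    "crash-reporter":    {"purpose": "functionality", "shares_with_third_party": False},
    "product-analytics": {"purpose": "analytics",     "shares_with_third_party": True},
    "ad-attribution":    {"purpose": "advertising",   "shares_with_third_party": True},
}


@dataclass(frozen=True)
class OptOutDecision:
    opted_out: bool   # treat the consumer as opted out of sale/sharing
    source: str       # "gpc", "stored", or "none"; record it for audit logs


def gpc_signal(headers: Mapping[str, str]) -> bool:
    """True when the browser sent Global Privacy Control (Sec-GPC: 1).

    The GPC specification defines the header value "1" as the opt-out signal;
    any other value, or a missing header, is not a signal. HTTP header names
    are case-insensitive, so normalize before looking up.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    return lowered.get("sec-gpc", "").strip() == "1"


def resolve_opt_out(surface: str, headers: Mapping[str, str],
                    stored_opt_out: Optional[bool]) -> OptOutDecision:
    """Combine the universal signal (web only) with the consumer's stored choice.

    surface: "web" or "mobile". On the web, a GPC header is honored as an
    opt-out request even when no stored choice exists. There is no equivalent
    OS-level signal on mobile today, so the in-app "Do Not Sell or Share"
    choice (stored_opt_out) is the only input and request headers are ignored.
    A stored opt-out is never undone by the absence of a GPC header.
    """
    if surface not in ("web", "mobile"):
        raise ValueError(f"unknown surface: {surface!r}")
    if stored_opt_out:
        return OptOutDecision(True, "stored")
    if surface == "web" and gpc_signal(headers):
        return OptOutDecision(True, "gpc")
    return OptOutDecision(False, "none")


def allowed_integrations(decision: OptOutDecision) -> list[str]:
    """Integrations that may initialize for this session.

    When the consumer is opted out, every SDK that makes personal data
    available to a third party is withheld, regardless of its purpose label.
    """
    return sorted(
        name for name, sdk in SDK_INVENTORY.items()
        if not (decision.opted_out and sdk["shares_with_third_party"])
    )


if __name__ == "__main__":
    # Constructed inputs: a browser sending GPC with no stored choice, and a
    # mobile session whose user tapped the in-app opt-out link.
    web = resolve_opt_out("web", {"Sec-GPC": "1", "User-Agent": "example"}, None)
    mobile = resolve_opt_out("mobile", {}, True)
    print(web, allowed_integrations(web))
    print(mobile, allowed_integrations(mobile))
```

The `source` field matters as much as the boolean: when a regulator or an authorized agent asks how a given opt-out was honored, the log should show whether it came from a universal signal or from the consumer’s own action in the app. Note that the mobile branch deliberately ignores headers, which makes explicit the gap the attorney general’s statement describes: until a mobile universal opt-out exists, the in-app link has to carry the whole obligation.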

Complaints are your friend. In the wake of Sephora and other scrutiny from California, in-house attorneys should be aware of the possibility of receiving consumer complaints forwarded by the attorney general’s office, which can use complaints as a pre-enforcement tool. Like Virginia, the California Office of the Attorney General shares consumer complaints with businesses to make organizations aware of real-time gaps they can address without immediately being subject to legal action. This method keeps organizations out of the spotlight while giving legal and privacy teams enough time to build a proper mitigation strategy.

But almost every business has a more direct method of tracking consumer sentiment: customer service processes can also serve as an early warning signal for privacy issues. Businesses should develop a process to track and address privacy complaints, wherever they originate, and flag recurring or sensitive issues for mitigation.

California dreaming

Organizations with mobile apps that have not received a letter from the attorney general must still remain vigilant. This enforcement cycle serves as a timely reminder for all organizations that the mobile environment must meet the same standards as the web. At a minimum, mobile apps should provide consumers with an accessible method to submit opt-out requests, include a functional “Do Not Sell or Share My Personal Information" link in the app, and create a process to ensure authorized agent requests are respected. Of course, mobile apps are also subject to the full slate of requirements under CCPA, including the updated rules from the California Privacy Protection Agency.

As ever, privacy compliance is an ongoing process of reflection and iteration. Re-examining your California posture through the perspective of your mobile app is only one of many ways to keep your privacy program proactive and fresh.