Future of Mobile Applications’ Privacy through the lens of CPRA

Where would we be without the advancements made in the past ten years? Most people use technology as a means to simplify their lives: waking up to the gentle chiming of the Bedtime application (“app”)[1] on their iPhone, listening to the latest NPR news update, using the Waze app to figure out the shortcuts between work and home, and asking AI assistants to find answers to questions. The future of technology, from the release of new mobile apps to autonomous vehicles, is limitless. Tasks that used to be mundane and time-consuming are no longer a cause for concern, and quality is the standard we have come to expect.

As reliance on mobile devices increases,[2] mobile device usage is also growing. In 2018, Mary Meeker’s report indicated that the average time Americans spent on mobile was 3.6 hours per day, more than the 2 hours per day spent on a desktop or laptop.[3] According to eMarketer, almost 91% of Americans’ average daily time on mobile will be spent in apps rather than the browser by 2022.[4] This suggests that companies should focus on optimizing their mobile apps rather than their websites.

The change in California privacy law has been a hot topic of discussion in legal fora. On November 3, 2020, less than a year into the California Consumer Privacy Act (CCPA), Californians voted the new California Privacy Rights Act (CPRA or CCPA 2.0)[5] into law by supporting the measure to strengthen consumer privacy rights. The CPRA proposes more substantial privacy rights for consumers than the CCPA by changing the scope of covered businesses, protecting sensitive information, and making it difficult to weaken privacy laws in the future.[6] This article discusses the updates relevant to mobile app businesses.

Scope of Businesses

The CPRA narrows the scope of covered businesses by raising the personal information threshold from 50,000 California consumers/households to 100,000, relieving small businesses of the requirements.[7] Therefore, businesses should be aware of the number of users on their mobile apps. Once the number of users reaches 100,000, a business falls under the CPRA’s scope and should reevaluate its processes. However, because of the unique landscape of the mobile app industry, any business has the potential for a dramatic increase in users in a single day.[8] Accordingly, it is a best practice for mobile app businesses to adhere to the CPRA regardless of their current user counts.

Sensitive Information

The CPRA has created a new subcategory of personal information, namely sensitive personal information.[9] Sensitive personal information includes, but is not limited to, identification information such as Social Security numbers, driver’s license, state identification card, and passport numbers; consumer online account information; customer geolocation information; the information in consumers’ communication content; and specified health information such as sexual orientation and genetic data.[10]

The CPRA has implemented heightened obligations for using or disclosing sensitive personal information beyond limited purposes.[11] A consumer can limit a business’s use of sensitive personal information to the following business purposes: helping to ensure security and integrity; short-term, transient use; performing services on behalf of the business; and maintaining or improving the quality of the business’s service or device.[12]

In addition, businesses need to notify consumers when they use or disclose sensitive personal information beyond the limited purposes. Moreover, the CPRA requires businesses to provide a clear and conspicuous link on the website displaying “Limit the Use of My Sensitive Personal Information,” which enables consumers to follow the link and limit the use or disclosure of their sensitive personal information.[13] Furthermore, a business must limit its use of sensitive personal information, and its disclosure to service providers or contractors, upon consumers’ request.[14] Specifically, a service provider or contractor may not use the sensitive personal information after receiving instructions from the business, to the extent it has actual knowledge that the information is sensitive personal information.[15]

Thus, businesses that collect sensitive personal information in their mobile apps need to be aware of the heightened requirements under the CPRA. Should mobile app businesses need to collect any sensitive personal information, they can implement some of the requirements early, such as adding a link in the app for consumers to limit the use or disclosure of their sensitive personal information, and restricting the use of private areas of app content, such as messages.

Notice

In terms of notice, the CPRA contains two different notice requirements that apply to sensitive personal information: one is a “generic” notice,[16] and the other is an “above and beyond” notice.[17] Under the generic notice, any business that collects sensitive personal information has obligations to adhere to.[18] If businesses collect sensitive personal information, they must inform consumers, at or before the point of collection, of the categories of sensitive personal information to be collected, the purposes for which such categories are collected or used, and whether such information is sold or shared.[19] Under the “above and beyond” notice, businesses using or disclosing sensitive personal information beyond the limited purposes have obligations to follow the law.[20] Businesses must notify consumers that such sensitive personal information may be used or disclosed to a service provider or contractor for additional, specified purposes, and of consumers’ right to limit the use or disclosure of the sensitive personal information.[21] However, there is an exception when businesses collect or process sensitive personal information incidentally or without the purpose about a consumer.[22] Here, businesses need to follow the notification guideline based on the business model of their mobile apps. If mobile apps use or disclose sensitive personal information for any reason other than the original intention, businesses must notify consumers about the usage and the right to limit. Also, in the case of an honest mistake, businesses can rely on the exception to get out of the situation.

In contrast to the CCPA, the CPRA grants consumers the right to request that a business correct any inaccurate personal information it maintains.[23] Businesses are required to update the incorrect personal information using commercially reasonable efforts when consumers request a correction.[24] Thus, businesses should have a channel for communicating with consumers about such information, or give consumers the opportunity to correct the information themselves.

Sharing

Another addition in the CPRA compared to the CCPA is a new term, “sharing.”[25] Based on the definition, “sharing” means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.[26] By adding “sharing,” the CPRA acknowledges that consumers have the right to opt out of a business’s sharing of personal information, just as they can opt out of the sale of personal information.[27] The sharing requirements mirror the CCPA’s existing requirements for sales: a business must disclose whether it shares personal information; provide a sharing opt-out link on its website; honor sharing opt-out requests; send opt-out requests to parties with whom it has previously shared personal information; and not share the personal information of minors without receiving opt-in consent.[28] Therefore, businesses will be bound by the rules not only on sale but also on sharing. Businesses need to have advertisements based on users’ behavior in their apps. Businesses should disclose personal information in their apps and provide an opt-out function for their users.

In conclusion, although these are some preparations businesses can make in anticipation of the CPRA, its actual application remains to be seen, as it will take time to understand how the new law plays out.


[1] Mobile application, or “app” in short, is a software program that runs on mobile devices.

[2] Mobile Fact Sheet, Pew Research Center (June 12, 2019), https://www.pewresearch.org/internet/fact-sheet/mobile/. In Feb 2019, the share of Americans that own smartphones is 81%, up from just 35% in Pew Research Center’s first survey of smartphone ownership conducted in 2011. Moreover, 96 percent of Americans had cell phones and 52 percent had tablet computers.

[3] Mary Meeker, Internet Trends 2019, BOND (June 11, 2019), https://www.bondcap.com/report/itr19/#view/1.

[4] Yoram Wurmser, The Majority of Americans’ Mobile Time Spent Takes Place in Apps, eMarketer (Jul. 9, 2020), https://www.emarketer.com/content/the-majority-of-americans-mobile-time-spent-takes-place-in-apps.

[5] The California Privacy Rights and Enforcement Act of 2020, No. 19-0021 [hereinafter CPRA].

[6] Maria Henriquez, California Voters Approve California Privacy Rights Act (CPRA), Security Magazine (Nov. 5, 2020), https://www.securitymagazine.com/articles/93841-california-voters-approve-california-privacy-rights-act-cpra.

[7] Id.

[8] See generally Artyom Dogtiev, Flappy Bird Revenue – How Much Did Flappy Bird Make?, Business of Apps (Jun. 23, 2020), https://www.businessofapps.com/data/flappy-bird-revenue/. Downloads of the mobile game Flappy Bird reached almost 6,500 in a day.

[9] What Does the CPRA Mean For Your Privacy Program, OneTrust (Nov. 4, 2020), https://www.onetrust.com/blog/what-does-the-cpra-mean-for-your-privacy-program/.

[10] CPRA § 1798.140(ae).

[11] CPRA § 1798.121(a).

[12] Id.

[13] CPRA § 1798.135(a).

[14] CPRA § 1798.121(c).

[15] Id.

[16] CPRA § 1798.100(a)(2).

[17] CPRA § 1798.121(a). See also CPRA § 1798.135(a).

[18] CPRA § 1798.100(a)(2).

[19] Id.

[20] CPRA § 1798.121(a). See also CPRA § 1798.135(a).

[21] Id.

[22] CPRA § 1798.185(a)(19)(C).

[23] CPRA § 1798.106(a).

[24] CPRA § 1798.106(c).

[25] CPRA § 1798.140(ah).

[26] Id.

[27] CPRA § 1798.115.

[28] Id.