App Law and Which Way I Ought To Go From Here
|Adam Grant in Mobile Guidelines Tuesday, April 1, 2014|
Alice: Would you tell me, please, which way I ought to go from here?
Cat: That depends a good deal on where you want to get to.
Alice: I don’t much care where.
Cat: Then it doesn’t matter which way you go.
Alice: As long as I get somewhere (Alice adds)v Cat: Oh, you’re sure to do that if you only walk long enough.
In addition to my monthly column as the Chief Legal Contributor for this amazing magazine, I regularly speak on the subject of Mobile App and Online Privacy issues across the country. During many of my talk, I am often asked by developers and other professionals, “Which law do I have to comply with when I develop my mobile app?” We discuss the various California and Federal laws which may apply to their specific mobile app. However, the apps are used throughout the country, in many states, and in some cases, throughout the world in numerous countries. Thus, the obvious and inevitable conundrum is which law should the app developer follow and what to do if certain laws conflict.
On March 21, 2014, the FTC issued a press release about a recent ruling by a district court in the 9th Circuit which discussed the Children’s Online Privacy Protection Act (COPPA). In the press release, the FTC announced it filed documents with the 9th Circuit Court of Appeals which argued that a district court incorrectly ruled that COPPA preempts [a legal term that means, “controls or takes precedence over”] state privacy laws regarding children between 13 and 18 years. The case, entitled, Angel Fraley vs. Facebook, Inc., involves a class action filed against Facebook over its use of teenagers’ likenesses in “Sponsored Stories” posts. Sponsored Stories are a form of advertising that typically contains posts which appear on Facebook about or from a Facebook user or entity that a business, organization, or individual has paid to promote so there is a better chance that the posts will be seen by the user or entity’s chosen audience. The district court approved a settlement of the class action and ruled that the objections raised by some potential class members on points of California state law were not valid. The court concluded that “as to the complaint’s assertion that Facebook should have acquired parental consent for members of the minor subclass, COPPA stood as a potential preemption hurdle.” In so ruling, the court found that that COPPA’s provisions which relate to children under 13 preempted state laws regarding the privacy of children older than 13.
Thus, according to the FTC, a District Court in the 9th Circuit failed to apply the correct law to the case against Facebook. If a California court arguably relied upon the wrong law in the analysis, one questions how would mobile app developers and their counsel be able to determine the proper law to follow. The recent case involving Facebook demonstrates that the 9th Circuit District Court is in good company when it comes to application of the law to the ever changing legal landscape applicable to mobile apps and online privacy.
A trial court in the San Francisco Superior Court legally “chastised” the California Attorneys General, Kamala Harris, for filing a lawsuit against Delta Airlines for allegedly violating California’s Online Line Privacy Protection. The lawsuit, filed in December 2012 as part of California’s privacy initiative to protect California consumers, alleged that Delta’s “Fly Delta” app failed to comply with California’s law. In response to the complaint, Delta’s counsel filed a document that argued California privacy law was preempted by the federal law enforced by the Department of Transportation. Thus, the very first lawsuit in California to apply California’s Online Privacy Protection Act to a mobile app was dismissed before it really got started. Currently, the case is before the California Court of Appeals for Northern California, which is likely to hear oral argument on the matter sometime late this year or early next year. However, it is the second time in the very recent past that a court decided specific federal laws preempt the area of mobile app and online privacy.
These two cases are further complicated by the role that jurisdiction plays in complying with the law of a certain state. Both of these cases were filed in California against companies that have their principal place of business in California and both logically involved the application of California law. However, based on California law, in particular, the California Online Privacy Protection, a non-California based company can also be sued in California. According to the act, a company is responsible for taking a California consumer’s personal identifiable information. The act does not require any actual commerce to take place or that the company have its principal place of business in California. Traditionally, an online company can be sued in California if it engages in commerce over the internet with a California consumer. Whereas, a website that merely provides information, absent the commerce component, can’t be sued in California. However, if a California Consumer downloads a free navigation mobile app that only provides information, but obtains geo-location information and other personal information, California law has been interpreted so as to support a lawsuit against this out of state corporation. Consequently, even if a mobile app developer does not sell the app and does not sell any product using the app, potentially, they can be held responsible for violating any number of different state laws.
This further complication brings me back to the wise words of the Cheshire Cat and how I address this problem with clients and to those I speak to throughout the country. According to the Cheshire Cat, which way you go, depends a lot on where you want to get to. Because mobile app and online privacy law is so far behind the daily technological advances in the area, strict compliance with every singly possible law does not seem a reality. So, if you want to go to the “land of perfect compliance,” you are going to take the path much less traveled or even possible. However, if you want to go to the “land of substantial and reasonable compliance,” then according to me, and the Cheshire cat, … “you’re sure to do that if you only walk long enough.” Happy trails.