Attorney Cautions That Privacy Laws Cover All Platforms, Not Just Sites
Though several recent enforcement actions have targeted websites, mobile apps are also subject to all privacy laws, a lawyer said Thursday during a webinar by Privado, a privacy vendor. Daniel Goldberg, a Frankfurt Kurnit lawyer, also noted that it's no longer enough for companies to rely on privacy vendors for compliance; they must practice due diligence too.
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The California Consumer Privacy Act “is technology-agnostic, so it does not matter if you're [dealing] with a website or via mobile” or “dealing with any other service,” Goldberg said.
Mobile apps are like the “wild, wild west,” added Privado CEO Vaibhav Antil. “Manipulative patterns come up more and more” and “it's also very hard to audit” apps for regulators and providers. As a result, “the number of privacy risk[s] on your mobile app are really, really large.”
The other big issue, Antil said, is the lack of transparency. Privacy policies are unclear on what software development kits (SDKs) are doing, he said. Also, “permission piggybacking makes [apps] super, super complex, because you might need some sensitive permissions for your app to function,” but then that “same [sensitive data] is available to your SDKs.”
Despite this, many recent California enforcement actions have targeted websites, not apps. The state's enforcement actions in the Honda settlement (see 2503120037), Todd Snyder (see 2505060043) and Healthline (see 2507030026) “are perhaps the most important regulatory enforcement actions in the prior year,” Goldberg said. A lesson from those actions is that “companies can have [a tool] that looks like it's done all [things] correctly, but if the data flows aren't working properly, or it is misconfigured, that can lead to a potential violation of the law.”
Antil agreed. “Things which are on the user-facing side” need to be thought of “as the front office of your privacy program,” he said. “Those are … constantly being audited by regulators and plaintiffs.”
Goldberg said there “really isn't a ‘set it and forget it’ [method that works] anymore.” With all three of these examples, “these are not companies that did nothing,” he said. “These are companies that had measures in place, that had actually used a vendor to implement those, but the way that it was configured was not tracking the law perfectly.”
In a webinar hosted by his firm last week, Goldberg noted the set-it-and-forget-it message no longer applies, and said regulators are taking a closer look at what tools are actually working (see 2507240056).
“You cannot rely on your vendor forms when they say this is compliant, or we think this is compliant,” Goldberg said during Privado's webinar. “You have to do your own due diligence, and you have to look at the law.” He added, “Your vendor is a tool ... not a protection. [Having a privacy vendor is] not a safe harbor.”
“Enforcement is significantly up,” the lawyer added. “Prior to the last several years, there really wasn't much going on,” but now with comprehensive privacy laws in 20 states, “we're seeing regulators act on many of those laws.”
In addition, states without privacy laws are invoking unfair competition measures or other consumer protection statutes, he said. Goldberg said understanding one's data flows and making sure everything works in accordance with laws is crucial, because, while the settlements have not carried substantial fines yet, that will likely change. “The numbers are going to keep getting higher.”