CybersecurityPrivacy

California Attorney General to Investigate Mobile Applications

Menma UcheJulia Angels
February 22, 2023
5 min read

News broke ahead of Data Privacy Day in late January 2023 that California Attorney General Rob Bonta is conducting a deep, investigative sweep that focuses on the mobile apps of organizations that fail to comply with consumer opt-outs or do not offer a protection mechanism for consumers who want to exercise the right to prevent the sale of their data. The California Consumer Privacy Act (CCPA) defines the sale of data as the “selling, renting, releasing, disclosing…a consumer’s personal information by the business to a third party for monetary or other valuable consideration.” This means that the organization could be “selling” personal information under CCPA even when sharing data with a third party without providing consumers monetary compensation. The Attorney General’s investigation includes popular mobile apps that allegedly:

  • Fail to comply with consumer opt-out requests, and/or
  • Fail to process consumer requests through an authorized agent.

With fines and penalties under the CCPA on the rise, including a recent widely-publicized settlement for failing to disclose the sale of data to consumers, organizations must work to mature their privacy programs to keep up with the ever-changing data privacy landscape.

What about the penalties?

The CCPA secures the consumer right to request that an organization stops collection, sale and sharing of personal information with third parties. The law also prescribes specific penalties for noncompliance with its requirements.

According to CCPA, if the Attorney General initiates a civil action against an organization, there is an administrative fine of up to $2500 per individual violation if the organization fails to resolve the issue within 30 days after being notified, and up to $7500 if the violation is intentional. The private right of action may incur damages between $100 and $750 per incident.

With the additional amendments to CCPA which is expected to become fully enforceable in the summer of 2023, tighter restrictions on information sharing with third parties are resulting in stricter measures as well. A 30-day cure period is removed and a $7,500 civil penalty for a violation involving minors’ personal information is automatically applied.

The number of penalties for non-compliance with CCPA can significantly increase based on the volume of individual records collected by the business. For example, in the recent settlement mentioned above, the company had to pay $1.2 million just in penalties.

Why is it important?

When it comes to data privacy compliance, organizations’ mobile applications are often overlooked. Research shows that nearly 80% of mobile applications collect personal information (PI), such as phone numbers and email addresses, as well as store names and information on user cookies, all PI subject to CCPA requirements.

Although having access to the user’s account information is important for managing application security, businesses should have necessary processes in place to meet regulatory obligations. Without appropriate privacy controls, such as disclosures, “do not sell” and “opt-out” options, cookies and consent management, as well as reasonable data protection mechanisms, organizations open themselves to a higher level of regulatory risks and potential financial fines.

What to do now

There are a few steps organizations can take to start preparing their privacy programs to gain the trust of consumers, comply with privacy regulations and avoid hefty fines:

  • Understand what consumer/user data is accessed and collected by the organization via its mobile application(s). Understanding and managing data from intake through bi-annual or annual data mapping and disposition activities can help an organization better understand its data ecosystem and data footprint while becoming a good data steward in the long run.
  • Display the required privacy policy and notices at the point of collection with details on business practices regarding sensitive or personal information collection, sharing, selling, processing and protection.
  • Adopt a privacy management technology solution to honor Do Not Sell/Share and Limit My Sensitive Information requests on mobile apps.
  • Think about Global Privacy Control (GPC) signals and how to uphold the user’s specific preferences. GPC is a technical capability that sends users’ universal opt-out of the sale and sharing requests from browsers to websites. Implementing and testing codes and tools will be necessary to ensure that GPC-accessible browsers and extensions are supported.
  • Implement technical solutions to receive and fulfill consumer privacy rights requests (i.e., delete, access, opt-out/do not sell/share, etc.).
  • Create privacy training material for employees handling consumer/employee/b2b contact personal information and privacy rights requests.
  • Review contracts for alignment with CPRA with respect to obligations of service providers and third parties.
  • Assess activities related to records to ensure data is retained no longer than necessary.

Organizations that are subject to CCPA and other privacy regulations have a large responsibility to the consumer to protect their personal information and privacy rights while being transparent about the organization’s data privacy practices. As mobile applications continue to expand the types of personal information collected, organizations need to create clear messages around data processing activities that take place in the application and provide mechanisms for enacting user preferences. Organizations must make it a priority to frequently review and update certain areas of their privacy programs to stay up to date with regulation changes, new privacy software and tools, and updated processes to create a multitude of efficiencies for the future program landscape. If a letter from the enforcement body (e.g., California Attorney General) is received, review the claims, remediate any issues and respond within the 30-day notice-to-cure period.

To learn more about our cybersecurity and privacy solutions, contact us.

Menma Uche

Senior Consultant
Security and Privacy

View all posts

Julia Angels

Senior Consultant
Security and Privacy

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
8 Apr

Join our experts on April 25 as they delve deep into the strategies and practices essential for safeguarding customer trust, ensuring a stellar user experience, and adhering to privacy and data security standards. Register today! https://ow.ly/fumH50R4fbw #DataPrivacy

Reply on Twitter 1777336025301254502 Retweet on Twitter 1777336025301254502 Like on Twitter 1777336025301254502 Twitter 1777336025301254502
protivititech Protiviti Technology @protivititech ·
5 Apr

Find out how businesses can use #AI technologies for real use cases in #Quantum sensing, simulations and migration to post-quantum cryptography during the latest podcast episode with guest @paul_kassebaum. https://ow.ly/Wy7u50R9t8M

Reply on Twitter 1776309432592330940 Retweet on Twitter 1776309432592330940 1 Like on Twitter 1776309432592330940 4 Twitter 1776309432592330940
protivititech Protiviti Technology @protivititech ·
5 Apr

Protiviti’s Kim Bozzella explains how technology and #Automation in the #Manufacturing industry has—and will continue to—improve productivity and quality enhancement. Read more from the Forbes Technology Council. https://ow.ly/nTPy50R7WYC

Reply on Twitter 1776249003769803111 Retweet on Twitter 1776249003769803111 Like on Twitter 1776249003769803111 Twitter 1776249003769803111
protivititech Protiviti Technology @protivititech ·
1 Apr

Organizations who are part of the Department of Defense supply chain must understand, identify and protect controlled unclassified information, often called #CUI in their environments. Here’s what you need to know: https://ow.ly/bjbW50R59Ke #ProtivitiTech

Reply on Twitter 1774769203540566390 Retweet on Twitter 1774769203540566390 Like on Twitter 1774769203540566390 Twitter 1774769203540566390
protivititech Protiviti Technology @protivititech ·
29 Mar

A global hospitality company is well positioned to leverage the latest AI technologies after hiring Protiviti to establish and implement a comprehensive AI governance standard. Read our latest client story: https://ow.ly/Ir7R50R4nrh #ProtivitiTech #ClientStory

Reply on Twitter 1773772540306919718 Retweet on Twitter 1773772540306919718 Like on Twitter 1773772540306919718 1 Twitter 1773772540306919718
Load More