Category Archives: Privacy Policy

California Consumer Privacy Act comes into Force Jan. 1, 2020

The California Consumer Privacy Act (the “CCPA”) is a new law intended to enhance privacy rights and consumer protections for California residents, which comes into force on January 1, 2020. 

In the lead-up to the CCPA coming into force, this blog post covers three common questions we receive: (1) do I need to comply? (2) when do I need to comply? and (3) what happens if I do not comply?

1. Do I need to comply? Probably, but not directly.  Most companies that operate from Canada or from states other than California will not have to comply directly with the CCPA, as the territorial scope of the law is fairly limited, especially when compared with the EU’s General Data Protection Regulation (the “GDPR”).  To fall under the territorial scope of the CCPA, you have to be a for-profit business doing business in the State of California and have one of three factors apply:

(a) gross revenue of over $25,000,000 USD;

(b) handle the personal information of more than 50,000 consumers, households or devices (it is unclear in the Act, at this stage, whether this is a California or world-wide number); or 

(c) derive more than 50% of annual revenue from the selling of consumers’ personal information.  

While the CCPA may not apply directly to many companies, as we saw with the GDPR rollout in 2018, the CCPA will likely apply indirectly: major tech companies like Google and Apple will have to comply with this law and, as part of their own compliance requirements, they will likely require that the companies they do business with that collect personal information also comply.  The extent of this indirect compliance is currently unclear and may only apply to certain provisions of the CCPA.

2. When do I need to comply?  The effective date of the CCPA (the date at which the CCPA becomes law) is January 1, 2020, and while enforcement by the California Attorney General’s office may not begin until supporting regulations are finalized (the deadline for regulations is June 1, 2020), we recommend that companies that need to comply directly begin compliance work immediately and aim to be fully compliant by January 1.  Companies that only need to comply indirectly may have some time to wait and see how the CCPA will affect contracts and terms with CCPA-compliant companies, but it won’t hurt to be compliant by early 2020.

3. What happens if I do not comply?  Beware of the cost!  There are several penalty clauses in the CCPA, including $2,500 for each non-intentional violation and $7,500 for each intentional violation.  If you have over 50,000 users, these penalties can easily amount to over $125,000,000.  For companies that will have to comply indirectly through contracts or user agreements, beware of indemnification clauses and other liability amendments that may push these penalties onto your company.

For many companies, the CCPA may not directly apply. However, it’s important to monitor CCPA factors, relative to your company’s business, to ensure that you do not miss compliance should a factor be met in the future – this is especially important in rapidly growing startups where it’s easy for a compliance obligation to be missed. Even if the CCPA factors are not met, there may be an obligation to comply as large tech companies will likely be complying and force compliance on everyone else they do business with.

Preparing your Privacy Policy for Apple Arcade

With the recent launch of Apple Arcade, we’re encountering a rush of clients seeking advice on how to make their Privacy Policy compliant with Apple Arcade rules. Apple Arcade requires a different Privacy Policy than the iOS store and submitting your standard Privacy Policy will most likely result in your title being rejected from Apple Arcade.

While we have yet to encounter a published instruction manual for Apple Arcade Privacy Policy compliance, we have noticed the following three trends:

  1. Heavy Focus on Limiting Information Collection. Apple is taking data protection seriously and an Arcade-compliant Privacy Policy must limit its information collection to only that information that a developer truly requires. In most cases, Apple will question each item of information collected and require substantive backing for why such information must be collected. Ultimately, don’t be surprised to discover that the final product is a stripped-down Privacy Policy in which you collect very little information, even if this causes the information collection practices of the same game across different platforms to vary.
  2. Active Review Process. Apple is very involved in each Privacy Policy, so anticipate a formal review process (as compared to the seamless process you see in the iOS store). Each clause is closely scrutinized and Apple will push back on each item of information collected, even going so far as to suggest ideal language.
  3. Review is Inconsistent. Perhaps reflecting the absence of a published manual for Arcade Privacy Policies (we’ve yet to locate one), each review proceeds differently and what raises issues in one review may not in yours. We have been surprised to discover that a clause accepted for one game will be rejected for a different game. Eventually Apple will develop consistent review standards, but until then it’s important to work with legal counsel that has done Arcade deals in the past and can put that knowledge to work when negotiating with Apple.

Launching on Apple Arcade is still novel and Apple is still getting up to speed with the Privacy Policy review process. As such, it’s important to work with legal counsel that’s familiar with the Arcade review process to ensure your title passes review quickly.

US and Canada – similar countries, similar privacy laws… right? Wrong.

We are often engaged to review Privacy Policies from a U.S. and Canadian legal perspective.  In many cases these Privacy Policies were drafted by Canadian counsel without considering the laws of the client’s major market, the U.S.  The privacy laws of Canada and the U.S. are quite different and a failure to comply with U.S. privacy law can have enormous financial implications.  Accordingly, it is critical that Canadian companies ensure that their Privacy Policies are compliant on both sides of the border.

Below we detail three common privacy law issues that Canadian companies have when entering the US market.

1. The US is far bigger and more complex than Canada

In Canada, with a couple of exceptions, the Personal Information Protection and Electronic Documents Act (PIPEDA) covers most privacy law issues in the commercial sphere.  Conversely, in the U.S., companies must comply with several different federal privacy laws, as well as state laws, the latter playing a major role in privacy protection.  This means that companies need to worry about complying with the privacy laws of all 50 states as well as several federal laws.

2. Same words, different meanings

Although both countries write their laws in English (in Canada, in French as well), words can have varying meanings under the law.  In privacy law in particular, certain key concepts are very different between Canadian and U.S. privacy laws, and companies that ignore these differences open themselves up to huge liability.

For example, the term “personal information”, at the core of privacy law in both countries, has a different meaning in each country, and in the US there is no standard definition from one law to the next, or from one state to the next. This means that while you might be compliant in Canada with the current way that you collect data from customers, the exact same data collection practice may be non-compliant in the US.

Other major privacy law concepts that differ in the US include: privacy of children under 13 years old, standards for “consent” and “breach”, rules for third-party access to personal information and jurisdiction issues.

3. Fines are far greater in the US

The price to pay for not complying with US privacy laws is far greater than not complying with Canadian privacy laws. For example, the Office of the Privacy Commissioner of Canada (OPC), the Canadian privacy law enforcement body, does not have the authority to fine companies for most privacy law violations.

In the US, by contrast, recent fines imposed by the Federal Trade Commission (FTC) and its sister body, the Federal Communications Commission (FCC), are consistently in the million-dollar range and even up to $25 million in some cases.  Even simple violations, such as gathering temporary personal information of children prior to getting parental consent, can garner fines of up to a million dollars.  And be aware: the first piece of evidence that the FTC will use to see if a company is complying with US privacy law is its online privacy policy. If you haven’t changed your privacy policy from a Canadian-law-compliant privacy policy to a cross-border-compliant privacy policy, you are putting your company at huge risk.

Canada’s population is 1/10 that of the U.S.  For business, this means that most Canadian companies are going to look to the U.S. for revenue generation and in the process create exposure to U.S. laws, including privacy laws.  It’s critical that companies stay on top of their exposure to U.S. laws and engage legal counsel to ensure that their operations are fully compliant.

UI/UX Invalidated your Contract

Online contracts are only effective if implemented correctly.   I’ve written on different processes for implementing online contracts, which is often easier to accomplish in the web context.  In the mobile context, implementation is challenging given the need to balance user experience with contract formation.

How you structure contract formation in your mobile application involves negotiation between the UI/UX team and legal counsel and a balancing of user experience against the risk of contract unenforceability.  With millions of daily active users (DAU), the risks are enormous.

A recent case illustrates this risk and shows that even sophisticated startups can run the risk of a weaker contract formation process and be burned.  Lyft presented users with this acceptance screen:

[Image: Lyft acceptance screen]

It includes the typical web approach to contract acceptance, with a check box stating: [I agree] to the Terms of Service (link).  Recently, a NY court determined that this process did not clearly indicate to users that a contract was being agreed to.  The combination of a series of “Next” screens, the small size of the contract formation text (relative to the large, pink “Next” button) and that the contract was presented in the context of an unrelated phone number request all contributed to the court’s conclusion that users were not sufficiently notified of what they were agreeing to and, as a result, did not accept the Lyft Terms of Service.

Luckily for Lyft, prior to the lawsuit, a new contract formation process was implemented, one I’ve advocated for myself:

One mobile approach is to present the agreement to the user, require that they scroll through the agreement and, once scrolled through, the user is presented with the following button at the bottom of the page:  [I agree] to the Terms and Conditions.

Takeaways:

  1. At a minimum, mobile applications should have prominent language indicating that a contract is being presented to users (ideally as a separate screen labeled “Terms of Service” or similar).
  2. Contract language should be noticeable and not blend into the background as a user registers for the application.  Try to alter the flow of the registration process so the user recognizes that something new is occurring.
  3. Any button on the contract page should state “I agree” or “I accept”, rather than “Next” and this button should not overwhelm the contract link.

In my opinion, the scrolling process described above is one of the better approaches for implementing a contract into a mobile application.  Other approaches are available but your UI/UX team needs to work with legal counsel to ensure that design considerations do not overwhelm contract enforceability.