Privacy & Identity Theft

Attorney General Kamala D. Harris Issues Guidelines to Health Care Industry on Medical Identity Theft

October 17, 2013
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

SAN FRANCISCO -- Attorney General Kamala D. Harris today released guidelines on preventing and remedying medical identity theft, including best practice recommendations for the health care industry and tips for consumers.  The guidelines are part of a report, Medical Identity Theft: Recommendations for the Age of Electronic Medical Records, which frames the escalated migration to electronic medical records as an opportunity for the healthcare industry to address this problem.

“Medical identity theft has been called the privacy crime that can kill,” said Attorney General Harris. “As the Affordable Care Act encourages the move to electronic medical records, the health care industry has an opportunity to improve public health and combat medical identity theft with forward-looking policies and the strategic use of technology.”

Medical identity theft occurs when an individual uses someone else’s personal information to obtain medical goods or services. For example, a thief may use stolen information to submit fraudulent bills, a doctor or provider may use patient information to write fraudulent prescriptions or an individual may use someone else’s information to obtain treatment.

The report focuses on the impact of identity theft on the accuracy of medical records and argues that the serious risk that inaccuracies pose is not always adequately addressed by existing healthcare industry procedures.

A companion information sheet for consumers, First Aid for Medical Identity Theft, describes the signs of medical identity theft and provides tips on what to do in response. The signs of possible medical identity theft include notice of a data breach from a health care provider, an unknown item in an Explanation of Benefits from a health insurer, a call from a debt collector about an unfamiliar medical bill and questions about your identity or health conditions at intake in a doctor’s office or hospital.

Key recommendations for health care providers:

  • Implement an identity theft response program with clear written policies and procedures for investigating a flagged record.
  • Offer patients who believe they may be victims of medical identity theft a free copy of the relevant portions of their medical records to review for signs of fraud.

Key recommendations for insurers:

  • Make Explanation of Benefits statements patient-friendly. Include information on how to report any errors discovered.
  • Use automated fraud-detection software to flag suspicious claims that could be the result of identity theft.

The report can be found here: http://bit.ly/1eup6NO

The guide for consumers can be found here: http://bit.ly/1gnDICS

Attorney General Kamala D. Harris Releases Report on Data Breaches; 2.5 Million Californians Had Personal Information Compromised

July 1, 2013
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

SAN FRANCISCO -- Attorney General Kamala D. Harris today released the first report detailing the 131 data breaches reported to her office in 2012, showing that 2.5 million Californians had personal information put at risk through an electronic data breach.

The report found that 1.4 million Californians would have been protected if companies had encrypted data when moving or sending the data out of the company’s network.

"Data breaches are a serious threat to individuals' privacy, finances and even personal security,” Attorney General Harris said. "Companies and government agencies must do more to protect people by protecting data."

In 2003, California was the first state to pass a law (AB 700, Simitian) mandating data breach notification, which requires businesses and state agencies to notify Californians when their personal information is compromised in a security breach. In 2012, companies and state agencies subject to the law were required for the first time to report any breach that involved more than 500 Californians to the Attorney General’s Office (SB 24, Simitian).

While not required by law, Attorney General Harris is issuing this report that analyses the data breach notices reported in 2012, provides information to the public about those breaches, and makes recommendations to companies, law enforcement agencies, and the legislature about how data security could be improved. Those recommendations include practices that would decrease the number of data breaches, make it easier for consumers to recover from the loss or theft of their personal information, and call for law enforcement agencies to more aggressively target breaches involving unencrypted personal information.

First, companies should encrypt digital personal information when moving or sending it out of their secure network.  In 2012, encryption would have prevented reporting companies and agencies from putting over 1.4 million Californians at risk. The Attorney General’s Office will make it an enforcement priority to investigate breaches involving unencrypted personal information.

In addition, companies should review and tighten their security controls on personal information, including training employees and contractors.

Companies should make the breach notices they send easier to read. The report found that the average reading level of the notices submitted in 2012 was 14th grade, much higher than the average U.S. reading level of 8th grade. Recipients need to be able to understand the notices so that they can take appropriate action to protect their information.

Finally, the report recommends that legislators consider expanding the law to require notification of breaches involving passwords. Attorney General Harris is supporting legislation, SB 46 by Senator Ellen Corbett, which would require notification of a breach involving a user name or email address, in combination with a password or security question and answer that would permit access to an online account.

Additional key findings of the report include:

  • The average (mean) breach incident involved the information of 22,500 individuals. The median breach size was 2,500 affected individuals, with five breaches of 100,000 or more individuals’ personal information.
  • More than 1.4 million Californians would not have been put at risk, and 28 percent of the data breaches would not have required notification, if the data had been encrypted.
  • The retail industry reported the most data breaches in 2012: 34 (26 percent of the total reported breaches), followed by finance and insurance with 30 (23 percent).
  • More than half of the breaches (56 percent) involved Social Security numbers, which pose the greatest risk of the most serious types of identity theft.
  • More than half of the breaches (55 percent) were the result of intentional intrusions by outsiders or by unauthorized insiders. The other 45 percent were largely the result of failures to adopt or carry out appropriate security measures.

Attorney General Harris established the Privacy Enforcement and Protection Unit in 2012 to enforce federal and state privacy laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government. This includes California’s Online Privacy Protection Act, as well as laws relating to cyber privacy, health and financial privacy, identity theft, government records and data breaches.

In October 2012, Attorney General Harris announced a settlement with Anthem Blue Cross over allegations the company breached its members’ personal data by failing to protect their Social Security Numbers.

A complete copy of the data breach report and a list of all 131 breaches are attached to the online version of this release at http://oag.ca.gov.

To learn more about the Attorney General’s privacy work, visit http://oag.ca.gov/privacy.

Attachments:

  • BREACH REPORT 2012.pdf (2.47 MB)
  • List of 2012 Breaches.pdf (121.2 KB)

Attorney General Kamala D. Harris Issues Guidance on How Mobile Apps Can Better Protect Consumer Privacy

January 10, 2013
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

SAN FRANCISCO -- Attorney General Kamala D. Harris today issued recommendations for mobile application (app) developers and the mobile industry to safeguard consumer privacy. Today’s report provides guidance on developing strong privacy practices, translating these practices into mobile-friendly policies, and coordinating with mobile industry actors to promote comprehensive transparency.

“Californians want to know what personal information their apps collect, how it is used and with whom it is shared,” said Attorney General Harris. “To meet this need and keep pace with rapidly changing technology, these recommendations strike a responsible balance between protecting consumers’ personal information and fostering the continued growth of the innovative app economy.”

Today’s report, Privacy on the Go: Recommendations for the Mobile Ecosystem, is the result of an outreach effort that compiled input from stakeholders throughout the mobile industry. Its purpose is to serve as a template for the mobile industry to develop mobile-friendly privacy policies and practices that will improve consumer privacy without stifling innovation.  To accommodate the smaller screens of mobile devices, the report recommends the use of special notifications such as icons, or pop-up notifications to inform consumers about how personally identifiable information is being collected and shared.

The issue of mobile privacy is increasingly pressing as more than half of American adult cell phone owners access the Internet from their phones, and more than 1,600 mobile apps are released every day.

To protect consumers’ online privacy, Attorney General Harris forged an agreement among the seven leading mobile and social app platforms in 2012. The agreement – with Amazon, Apple, Facebook, Google, Hewlett-Packard, Microsoft and Research in Motion – involved displaying app privacy policies that users could find in a consistent location in the platform store and review before downloading an app. 

In October 2012, the Attorney General sent letters to approximately 100 mobile app developers and companies that were not in compliance with the California Online Privacy Protection Act and gave them 30 days to post a conspicuous privacy policy. In December, the Attorney General filed the first legal action against Delta Airlines, Inc. for violating California’s online privacy law, which requires apps that collect personally identifiable information to conspicuously post a privacy policy.

Last year, Attorney General Harris also established the Privacy Enforcement and Protection Unit to enforce federal and state privacy laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government. This includes California’s Online Privacy Protection Act, as well as laws relating to cyber privacy, health and financial privacy, identity theft, government records and data breaches.

A copy of the report is available here: http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/privacy_on_the_go.pdf

To learn more about the Attorney General’s privacy work, visit http://oag.ca.gov/cybersafety.

Attachments:

  • privacy_on_the_go.pdf (5.13 MB)

Attorney General Kamala D. Harris Encourages Californians to Donate and Shop Wisely this Holiday Season

December 13, 2012
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

SAN FRANCISCO -- Attorney General Kamala D. Harris today issued a consumer alert with tips for the holiday season on how Californians can make the most of their charitable giving through smart donations and protect themselves from identity theft when shopping online.

Tips for safe shopping:

  • Shop on secure websites. One clue about which websites are safe and which are not is to look for a yellow padlock in the browser bar or ‘https’ in the web address (the ‘s’ stands for ‘secure’).
  • Don’t make purchases over a free Wi-Fi hotspot like at a coffee shop, which can be scanned by those looking to capture your passwords and other information.
  • Never send personal or financial information through e-mail. Legitimate companies will not ask you to do so because it is not a secure way to transfer sensitive information.
  • If you are receiving text messages on your cell phone saying you have won a prize or gift card, do not click on the link in the message – it is most likely a scam and may install a virus on your phone.
  • To get the full value of a gift card, use it right away. Gift cards that are lost or stolen are not always replaceable. Retailer or restaurant gift cards do not have expiration dates, but bank cards, like Visa or MasterCard gift cards, or cards issued by a mall that can be used at different stores, may sometimes have expiration dates.
  • Know the return policies of the retailers you shop with before you leave the store or conclude an online transaction. Many retailers will give you a refund if you have a receipt and your return is prompt, but some may only give store credit. Ask a clerk if the policy is not posted at the register.

Tips for donating wisely:

  • Make sure your charitable donations are well spent and serving the activities you support by working with a local charity as a volunteer or by contacting the charity directly to make a donation.
  • If you are contacted by a solicitor on behalf of a charity, ask if he/she works for a commercial fundraiser and what percentage of donations being raised is going directly to the charity. You may prefer to contact the charity directly to make a donation.
  • If a solicitor tells you the donation is for your local police, firefighter or other public safety agency, check directly with the agency to avoid a potential scam.
  • Make charitable contributions by writing a check or by credit card directly on a charity's website. If donating by check, use the full name of the charity rather than initials or an abbreviation. Do not give your credit card number to a telephone solicitor or in response to any unsolicited phone call you receive.

Additional consumer tips, information, and lists of resources are available at:

www.ftc.gov, or toll free nationwide at (877) 382-4357

www.idtheftcenter.org, for information on your credit history

www.give.org, for additional information about a specific charity

Attorney General Kamala D. Harris Files Suit Against Delta Airlines for Failure to Comply with California Privacy Law

December 6, 2012
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

SAN FRANCISCO – Attorney General Kamala D. Harris announced today the first legal action under California’s online privacy law against Delta Airlines, Inc. for failing to comply with the state’s Online Privacy Protection Act.

Delta, headquartered in Atlanta, GA, was among the companies given 30 days to conspicuously post a privacy policy within their mobile app that informs users of what personally identifiable information is being collected and what will be done with it.

“Losing your personal privacy should not be the cost of using mobile apps, but all too often it is,” said Attorney General Harris. “California law is clear that mobile apps collecting personal information need privacy policies, and that the users of those apps deserve to know what is being done with their personal information.”

The California Online Privacy Protection Act requires commercial operators of websites and online services, including mobile and social apps, which collect personally identifiable information from Californians to conspicuously post a privacy policy. Privacy policies are an important safeguard for consumers. Privacy policies promote transparency in how companies collect, use, and share personal information.  If developers do not comply with their stated privacy policies, they can be prosecuted under California’s Unfair Competition Law and/or False Advertising Law.

The complaint alleges that since at least 2010, Delta has operated a mobile app called “Fly Delta” for use on smartphones and other electronic devices.   The Fly Delta app may be used to check-in online for an airplane flight, view reservations for air travel, rebook cancelled or missed flights, pay for checked baggage, track checked baggage, access a user’s frequent flyer account, take photographs, and even save a user’s geo-location. Despite collecting substantial personally identifiable information such as a user’s full name, telephone number, email address, frequent flyer account number and pin code, photographs, and geo-location, the Fly Delta application does not have a privacy policy.

The suit seeks to enjoin Delta from distributing its app without a privacy policy and seeks penalties of up to $2,500 for each violation. The suit was filed in San Francisco Superior Court and a copy of the complaint is attached to the online version of this press release.

This action by Attorney General Harris follows an agreement she forged among the seven leading mobile and social app platforms to improve privacy protections for millions of users around the globe who use apps on their smart phones, tablets, and other electronic devices. Those platforms – Amazon, Apple, Facebook, Google, Hewlett-Packard, Microsoft, and Research in Motion – agreed to privacy principles designed to bring the industry in line with California law requiring mobile apps that collect personal information to have a privacy policy. The agreement allows consumers the opportunity to review an app’s privacy policy before they download the app rather than after, and offers consumers a consistent location for an app’s privacy policy on the application-download screen in the platform store. 

The California Online Privacy Protection Act is one of the privacy laws that the DOJ’s Privacy Enforcement and Protection Unit is charged with enforcing. Created by Attorney General Harris in 2012, the Privacy Unit’s mission is to enforce federal and state privacy laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government. This includes laws relating to cyber privacy, health privacy, financial privacy, identity theft, government records and data breaches.

The October 2012 press release announcing the notification to mobile app developers can be found here: https://www.oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-notifies-mobile-app-developers-non-compliance. The February 2012 press release announcing the apps agreement can be found here: https://www.oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-secures-global-agreement-strengthen-privacy. The June 2012 press release announcing that Facebook joined the apps agreement can be found here: https://www.oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-announces-expansion-california%E2%80%99s-consumer.

Attachments:

  • Delta Complaint.pdf (515.31 KB)

Attorney General Kamala D. Harris Notifies Mobile App Developers of Non-Compliance with California Privacy Law

October 30, 2012
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

SAN FRANCISCO -- Attorney General Kamala D. Harris this week began formally notifying scores of mobile application developers and companies that they are not in compliance with California privacy law.

The companies were given 30 days to conspicuously post a privacy policy within their app that informs users of what personally identifiable information about them is being collected and what will be done with that private information. Letters will be sent out to up to 100 non-compliant apps at this time, starting with those who have the most popular apps available on mobile platforms.

"Protecting the privacy of online consumers is a serious law enforcement matter," said Attorney General Kamala D. Harris. "We have worked hard to ensure that app developers are aware of their legal obligations to respect the privacy of Californians, but it is critical that we take all necessary steps to enforce California’s privacy laws."

The letters are the first step in taking legal action to enforce the California Online Privacy Protection Act (Simitian), which requires commercial operators of online services, including mobile and social apps, which collect personally identifiable information from Californians to conspicuously post a privacy policy. Privacy policies are an important safeguard for consumers. Privacy policies promote transparency in how companies collect, use, and share personal information. Companies can face fines of up to $2,500 each time a non-compliant app is downloaded.

This action by Attorney General Harris follows an agreement she forged among the seven leading mobile and social app platforms to improve privacy protections for millions of users around the globe who use apps on their smartphones, tablets, and other electronic devices. Those platforms – Amazon, Apple, Facebook, Google, Hewlett-Packard, Microsoft, and Research in Motion – agreed to privacy principles designed to bring the industry in line with California law requiring mobile apps that collect personal information to have a privacy policy. The agreement allows consumers the opportunity to review an app’s privacy policy before they download the app rather than after, and offers consumers a consistent location for an app’s privacy policy on the application-download screen in the platform store.

The California Online Privacy Protection Act is one of the privacy laws that the Privacy Enforcement and Protection Unit is charged with enforcing. Created in 2012, the Privacy Unit’s mission is to enforce federal and state privacy laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government. This includes laws relating to cyber privacy, health privacy, financial privacy, identity theft, government records and data breaches.

The February 2012 press release announcing the apps agreement can be found here. The June 2012 press release announcing that Facebook joined the apps agreement can be found here.

A sample non-compliance letter is attached.

Attachments:

  • Sample non-compliance letter (24.42 KB)

Attorney General Kamala D. Harris Urges Parents and Coaches to Develop Policies for Posting Minors’ Information Online

October 9, 2012
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

SAN FRANCISCO -- Attorney General Kamala D. Harris today urged parents, coaches and officials for youth sports to develop protective policies related to minors’ personal information, particularly for information posted online.

Attorney General Harris also announced that after an inquiry from her office, GameChanger, a popular sports statistics website, has updated its privacy policy and practices to better protect minors. The action comes as more and more information about minors is being posted online, often without adult consent.

“Most parents probably do not realize that the simple act of signing a child up for soccer or Little League could put enough information online to put the minor in harm’s way,” said Attorney General Harris. “While the Internet makes tracking games and statistics easier, it is important that parents, coaches, school officials and volunteers all are informed and think carefully about any information that is put online, especially when it pertains to children.”

GameChanger updated its privacy policy and put new protections for minors in place after an inquiry from Attorney General Harris’s Privacy Enforcement & Protection Unit.

The changes include: not allowing anyone under the age of 13 to sign up or post on the site; removing last names of team members under the age of 13; and providing privacy information pertaining to minors to users when teams are added to the website.

The inquiry into GameChanger’s policies came after the Attorney General’s office was contacted by a parent who was concerned about the amount of information being posted on the site. Information posted on the site for some teams included the teams’ travel schedules and children’s statistics, full names and nicknames.

“I was disturbed when I realized so much information about my son’s team was being posted without my permission,” said Amanda Biers-Melcher of Burbank. “I appreciate Attorney General Harris’s assistance with the company and dedication to helping protect the privacy of our children.”

The Attorney General’s Privacy Unit will work with parents and sports leagues to develop best practices for handling children’s personal information in youth sports programs.

Here are tips for anyone who is involved in youth sports:

Playing It Safe with Children’s Information: Tips for Parents

Youth sports teams provide great opportunities for our children to engage in exercise, while learning valuable lessons about team work, healthy competition and fair play. When signing your children up for such activities, be mindful of the need to protect their personal information.

  • Ask if the team or league will post any of the child’s personal identifying information – such as name, address, school or photo – on a website. Tell them if you do not want your child’s information posted online.

  • Ask questions about any request for your child’s Social Security number, health insurance number or birth certificate. Propose alternatives, such as the following: 
    • Instead of turning over a copy of a birth certificate, offer to show a copy of the child’s birth certificate and ask that the birth date be entered in the records and noted as verified.
    • Resist providing the Social Security number. In most cases, the child’s Social Security number should not be necessary.
    • Insist that a health insurance number, if required, be protected with strong security measures, such as locking it in an office file cabinet or encrypting it if in a digital format.   
  • Ask if the team or league has a written privacy policy, and ask for a copy. If they don’t have one, encourage them to develop an official policy statement that describes the kinds of personal information they collect, how they use it and how it is shared. (Note: If they collect personal information through a website, they may be required to post a privacy policy on the site.)

Attorney General Kamala D. Harris Announces Settlement with Anthem Blue Cross over Data Breach

October 1, 2012
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

SAN FRANCISCO -- Attorney General Kamala D. Harris today announced a settlement with one of California’s largest health insurers over allegations the company failed to protect the personal information of its members.

The lawsuit, which was filed in Los Angeles Superior Court today along with the settlement, alleges that Blue Cross of California, which does business under the trade name Anthem Blue Cross, printed Social Security numbers on letters mailed to more than 33,000 of its Medicare Supplement and Medicare Part D subscribers between April 2011 and March 2012. The complaint states that Anthem’s conduct violated a state law that restricts the disclosure of Social Security numbers.

"Our office is committed to protecting the privacy of Californians," said Attorney General Harris. "This settlement requires the company to make significant improvements to its data security procedures to ensure this type of error does not happen again."

After the incident, Anthem sent a letter to all affected members whose Social Security numbers were visible through the mailed envelope, notifying them of the breach and offering each a year of free credit monitoring services.

The settlement also requires Anthem to implement new technical safeguards for its data management system, restrict employee access to members’ Social Security numbers and provide enhanced data security training for all of its associates.

The company must also pay $150,000 to settle the claim. The complaint and settlement reflect Attorney General Harris’ continued efforts to protect Californians’ privacy, particularly where thousands of consumers can have their personal information released with a mere push of a button.

Copies of the complaint and judgment submitted to the court for approval are attached to the online version of this release at www.oag.ca.gov.

Attorney General Kamala D. Harris Announces Privacy Enforcement and Protection Unit

July 19, 2012
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

SACRAMENTO – Attorney General Kamala D. Harris today announced the creation of the Privacy Enforcement and Protection Unit in the Department of Justice, which will focus on protecting consumer and individual privacy through civil prosecution of state and federal privacy laws.

“In the 21st Century, we share and store our most sensitive personal information on phones, computers and even the cloud. It is imperative that consumers are empowered to understand how these innovations use personal information so that we can all make informed choices about what information we want to share,” said Attorney General Harris. “The Privacy Unit will police the privacy practices of individuals and organizations to hold accountable those who misuse technology to invade the privacy of others.”

The California Constitution guarantees all people the inalienable right to privacy. The Privacy Unit will protect this constitutionally-guaranteed right by prosecuting violations of California and federal privacy laws. The Privacy Unit centralizes existing Justice Department efforts to protect privacy, including enforcing privacy laws, educating consumers and forging partnerships with industry and innovators.

The Privacy Unit’s mission to enforce and protect privacy is broad. It will enforce laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government. This includes laws relating to cyber privacy, health privacy, financial privacy, identity theft, government records and data breaches. By combining the various privacy functions of the Department of Justice into a single enforcement and education unit with privacy expertise, California will be better equipped to enforce state privacy laws and protect citizens’ privacy rights.   

The Privacy Unit will reside in the eCrime Unit and will be staffed by Department of Justice employees, including six prosecutors who will concentrate on privacy enforcement. Joanne McNabb, formerly of the California Office of Privacy Protection, will serve as the Director of Privacy Education and Policy, and will oversee the Privacy Unit’s education and outreach efforts. 

Protecting the privacy of Californians is one of Attorney General Harris’s top priorities. The creation of the Privacy Enforcement and Protection Unit follows the forging of an industry agreement among the nation’s leading mobile and social application platforms to improve privacy protections for consumers around the globe who use apps on their smartphones, tablets, and other electronic devices. The platform companies who signed on to that agreement -- Amazon.com Inc., Apple Inc., Facebook, Google Inc., Hewlett-Packard Company, Microsoft Corporation and Research in Motion Limited -- agreed to privacy principles designed to bring the industry in line with California law requiring apps that collect personal information to post a privacy policy and to promote transparency in the privacy practices of apps. 

Attorney General Harris established the eCrime Unit in 2011 to prosecute identity theft, data intrusions, and crimes involving the use of technology. The eCrime Unit provides investigative and prosecutorial support to the five California regional high-tech task forces funded through the High Technology Theft Apprehension and Prosecution Trust Fund Program and provides coordination for out-of-state technology-crime investigation requests. The eCrime Unit also develops and provides training for law enforcement officers, prosecutors, the judiciary and the public on cyber safety and the importance of strong information-security practices.  

The February 2012 press release announcing the apps agreement can be found here: http://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-secures-global-agreement-strengthen-privacy

The June 2012 press release announcing that Facebook joined the apps agreement can be found here: http://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-announces-expansion-california%E2%80%99s-consumer

The December 2011 press release announcing the creation of the eCrime Unit can be found here: http://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-announces-creation-ecrime-unit-targeting

Attorney General Kamala D. Harris Announces Expansion of California’s Consumer Privacy Protections to Social Apps as Facebook Signs Apps Agreement

June 22, 2012
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

SAN FRANCISCO -- Attorney General Kamala D. Harris today announced that Facebook has become the seventh company to sign the Joint Statement of Principles to strengthen privacy protections for consumers around the world who use online applications on their smartphones, tablets and other electronic devices. The agreement extends the reach of California’s privacy protections beyond mobile apps to include social apps in Facebook’s App Center, which are used daily by millions of consumers. Among other protections, the agreement seeks to improve compliance with California law requiring apps that collect personal information to have a privacy policy.

“Consumers deserve to be able to make informed choices about how much personal information they want to share with others when using social apps,” said Attorney General Harris. “We are delighted that Facebook has joined Amazon, Apple, Google, Hewlett-Packard, Microsoft, and Research in Motion to provide consumers with greater control and information about how their personal data is used.  We need to protect privacy while we foster innovation.”

In a letter to Attorney General Harris released today, Facebook wrote “…we hope that you will consider us a signatory to the Joint Statement.” Facebook joins an agreement that was first announced in February when Amazon.com Inc., Apple Inc., Google Inc., Hewlett-Packard Company, Microsoft Corporation, and Research in Motion Limited all signed on to a Joint Statement of Principles. 

In the letter, Facebook’s Chief Privacy Officer Erin M. Egan wrote, “As you know, the Joint Statement’s principles embodied essential protections for Californians and others who use mobile apps by encouraging companies that provide mobile app markets to give developers the ability to provide a link to their privacy policies and to display those links along with other app details….As we built the App Center, we were guided by the principles contained in the Joint Statement.”

Starting in 2011, Attorney General Harris worked with Amazon, Apple, Google, Hewlett-Packard, Microsoft, and Research In Motion to forge the Joint Statement to ensure that emerging online technologies such as mobile apps comply with California’s Online Privacy Protection Act (Simitian, 2004).  The Act requires operators of commercial web sites and online services, including mobile and social apps, who collect personally identifiable information about Californians to conspicuously post a privacy policy.  The posting of a privacy policy promotes transparency and provides consumers with more informed control over their personal information. Today’s agreement recognizes the Facebook App Center’s role as a clearinghouse for a variety of social apps.

A letter from the Attorney General’s Office to Facebook said, “California law requires all operators of commercial web sites and online services, including mobile and social apps, who collect personally identifiable information about Californians to conspicuously post a privacy policy.  We are very pleased that Facebook has incorporated the Principles into the design of the App Center and that Facebook requires, as a condition of participating in the App Center, that developers submit a link to a privacy policy.  We are also pleased to see that Facebook is prominently displaying the link to an app’s privacy policy in the App Center, and is implementing a means to report and remediate privacy issues.”

In addition to signing the Joint Statement, Facebook will participate in a multi-stakeholder Advisory Group on Mobile Privacy Practices that the Attorney General’s Office and the California Office of Privacy Protection have convened to develop best practices for mobile privacy generally and to develop model mobile privacy policies in particular.

Copies of both letters are attached to the electronic version of this release at: http://oag.ca.gov/news

The February 2012 press release announcing the apps agreement can be found here: http://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-secures-global-agreement-strengthen-privacy

Attachments:
Facebook Letter.pdf (325.95 KB)
Harris Letter.pdf (85.14 KB)
Apps_signed_agreement.pdf (102.72 KB)