Privacy & Identity Theft

Attorney General Kamala D. Harris Reaches $28.4 Million Settlement With Rental Business over Spyware, Unfair Business Practices

October 13, 2014
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

LOS ANGELES – Attorney General Kamala D. Harris today announced a $28.4 million settlement with Aaron’s, Inc., the second largest rent-to-own business in the nation, to resolve allegations that the company violated California consumer protection and privacy laws.

“Aaron’s concealed its illegal privacy and business practices from customers in a deceptive attempt to avoid California’s robust consumer protection laws and increase its profits,” Attorney General Harris said. “This settlement provides millions of dollars in restitution to consumers and requires Aaron’s to make significant changes to its business practices.”

The settlement requires Aaron’s to refund $25 million to California customers who signed lease agreements between April 1, 2010 and March 31, 2014 and to pay $3.4 million in civil penalties and fees.

Approximately 100,000 California customers will be eligible for restitution.

The complaint alleges that Aaron’s violated California’s Karnette Rental-Purchase Act, which is the strongest rent-to-own law in the country, by charging improper late fees, overcharging customers who paid off contracts early, and omitting important contract disclosures.

In addition, the complaint alleges that Aaron’s violated California state privacy laws by permitting its franchised stores to install spyware on laptop computers rented to its customers. A feature in the spyware program called ‘Detective Mode’, which was installed without consumers’ consent or knowledge, allowed the Aaron’s franchisees to remotely monitor keystrokes, capture screenshots, track the physical location of consumers and even activate the rented computer’s webcam. The installation of this software without customer consent violated California law.

Aaron’s, which is headquartered in Atlanta, GA, rents household merchandise, including furniture, appliances and electronics for a monthly or semi-monthly fee. The company operates approximately 75 stores across California (http://www.aarons.com/storelocator.aspx).

According to a Federal Trade Commission report on the rent-to-own industry, nearly all rent-to-own customers have a household income below $50,000 and the vast majority have attained a high school education or less.

Customers who are eligible for restitution will receive notice at their last known mailing address. Customers who believe they are eligible for restitution can also proactively submit a claim by visiting www.rent-to-own-settlement.com or calling 877-449-8548.

It is expected that restitution notices and payments will be mailed in early 2015 and individual restitution payments will vary based on each consumer’s contract.

As part of a stipulated judgment filed this week in Los Angeles County Superior Court, Aaron’s has agreed to full compliance with the Karnette Act in all respects and is prohibited from using or installing spyware on rented computers.

The Los Angeles County Department of Consumer Affairs provided assistance with the investigation.

Tips for consumers regarding rent-to-own businesses:

  • Know your rights. Under California law, you have many important protections if you enter into a rent-to-own agreement.  For example, you may be entitled to a reduction in the amount of your lease payment if you suffer a hardship like losing your job. For more information: http://www.dca.ca.gov/publications/legal_guides/s-10.shtml.
  • Read your contract carefully before signing. Make sure you understand your obligations under the agreement, including the length of time specified in the contract, and not just the cost of your monthly lease payment.

Copies of the complaint and stipulated judgment are attached to the online version of this release at www.oag.ca.gov/news.

Attorney General Kamala D. Harris Issues Guide on Privacy Policies and Do Not Track Disclosures

May 21, 2014
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

SAN FRANCISCO – Attorney General Kamala D. Harris today issued a series of recommendations for businesses that directly address recent changes to California privacy law. The guide, Making Your Privacy Practices Public, provides businesses with an up-to-date resource to craft a useful, transparent privacy policy for consumers.   

“California has proven that robust and balanced privacy protections are consistent with a thriving innovation economy,” Attorney General Harris said. “This guide is a tool for businesses to create clear and transparent privacy policies that reflect the state’s privacy laws and allow consumers to make informed decisions.”

In 2003, California established the landmark California Online Privacy Protection Act, which was the first law in the nation to require operators of commercial websites, including mobile apps, to conspicuously post a privacy policy if they collect personally identifiable information from Californians. In 2013, the Act was amended by Assembly Bill 370, which requires privacy policies to include information on how the operator responds to Do Not Track signals or similar mechanisms. The law also requires privacy policies to state whether third parties can collect personally identifiable information about the site’s users.

In 2012, Attorney General Harris created the Privacy Enforcement and Protection Unit to enforce federal and state privacy laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government. The unit also works to educate consumers and recommend best practices to businesses on privacy-related issues.

After receiving requests from the business community regarding privacy policy requirements, Attorney General Harris’ Privacy Enforcement and Protection Unit consulted with numerous stakeholders from the business sector, academia and privacy advocates in developing these recommendations.

The guide is available here: http://bit.ly/RUh7Do

Key recommendations from the guide include:

  • Prominently label the section of your policy regarding online tracking, for example: “California Do Not Track Disclosures.”
  • Describe how you respond to a browser’s Do Not Track signal or similar mechanisms within your privacy policy instead of providing a link to another website.
  • If third parties are or may be collecting personally identifiable information, say so in your privacy policy.
  • Explain your uses of personally identifiable information beyond what is necessary for fulfilling a customer transaction or for the basic functionality of the website or app.
  • Describe what personally identifiable information you collect from users, how you use it and how long you retain it.
  • Describe the choices a consumer has regarding the collection, use and sharing of his or her personal information.
  • Use plain, straightforward language that avoids legal jargon and use a format that makes the policy readable, such as a layered format. Use graphics or icons instead of text.

“HP commends the work of California in establishing expectations-based guidance for privacy as it strikes the right balance between innovation and the protection of legitimate consumer rights,” said Scott Taylor, Vice President and Chief Privacy Officer, Hewlett-Packard.

"I applaud the California Attorney General's publication of best practices for communicating with citizens about privacy. Their common-sense recommendations are clear, readable, useful, and mercifully short.  Companies will understand how to comply with the letter and spirit of California transparency laws. In particular, I am delighted to see a light-touch legislative approach for transparency around Do Not Track," said Aleecia McDonald, Director of Privacy, Center for Internet and Society, Stanford Law School.

“Publication of Making Privacy Practices Public is an important step toward helping consumers understand what companies do with the data they collect about them. Too many privacy policies are incomprehensible legalese. The best practices spelled out by the California Attorney General if adopted by companies would put privacy policy statements in straightforward, understandable language,” said John Simpson, Director of Privacy Project, Consumer Watchdog.

Attorney General Harris has been a staunch advocate for policies that both protect consumers’ personal information online and foster the continued growth of California’s robust technology economy.

Most recently, Attorney General Harris issued recommendations to California businesses to help protect against and respond to the increasing threat of malware, data breaches and other cyber risks. The guide, Cybersecurity in the Golden State, provides recommendations focused on small to mid-sized businesses, which are particularly vulnerable to cybercrime and often lack the resources to hire cybersecurity personnel. In 2012, 50% of all cyber attacks were aimed at businesses with fewer than 2,500 employees and 31% were aimed at those with less than 250 employees. (http://bit.ly/1p9DGiA)

In 2013, Attorney General Harris issued a guide, Privacy on the Go: Recommendations for the Mobile Ecosystem, which provided app developers with recommendations to develop strong privacy practices, translate those practices into mobile-friendly policies, and coordinate with industry actors to promote transparency. (http://bit.ly/1lZIZAC)

In October 2012, Attorney General Harris sent letters to approximately 100 mobile app developers and companies that were not in compliance with the California Online Privacy Protection Act and gave them 30 days to post a conspicuous privacy policy. (http://bit.ly/1lZIEOv) In December of that year, the Attorney General filed the first legal action against Delta Airlines, Inc. for its failure to do so. (http://bit.ly/1k2y6Pb)

In February 2012, Attorney General Harris reached an agreement among the seven leading mobile and social app platforms - Amazon, Apple, Facebook, Google, Hewlett-Packard, Microsoft and Research in Motion (now Blackberry) - which required that mobile apps provide privacy policies that users could find in a consistent location in the platform store and review before downloading an app. (http://bit.ly/1nkfUiF)

Attorney General Kamala D. Harris Issues Guide for Small Businesses to Protect Against Cyber Attacks, Data Breaches

February 27, 2014
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

SAN FRANCISCO -- Attorney General Kamala D. Harris today issued recommendations to California businesses to help protect against and respond to the increasing threat of malware, data breaches and other cyber risks.

“My office issued this guide to support California’s businesses and ensure a robust economy,” Attorney General Harris said. “Technology has created new opportunities and new risks for California businesses, including cyber attacks. This guide offers specific, straightforward recommendations to help businesses continue to thrive by reducing cyber security risks to employees and customers.”

The guide, Cybersecurity in the Golden State, provides recommendations focused on small to mid-sized businesses, which are particularly vulnerable to cybercrime and often lack the resources to hire cybersecurity personnel. In 2012, 50% of all cyber attacks were aimed at businesses with fewer than 2,500 employees and 31% were aimed at those with less than 250 employees.

Cybersecurity in the Golden State is available here: https://oag.ca.gov/cybersecurity

The guide is a product of a collaborative effort between the California Attorney General’s office, the California Chamber of Commerce and Lookout, a mobile security company.

“Prevention is the best medicine. Not only does the guide provide useful information to reduce the threat of cybercrime, it highlights the need to be proactive in preventing data breaches. This is good for California businesses and consumers,” said Allan Zaremberg, President and CEO of the California Chamber of Commerce.

“Security should not be viewed as a technology problem; it needs to be viewed as a business problem. If companies take a more proactive approach to security, they mitigate issues related to cyber risk,” said Kevin Mahaffey, co-founder and CTO at Lookout. “We’re happy to collaborate with Attorney General Harris to identify the steps businesses can take to improve their security practices -- for companies of all sizes.”

Key Recommendations for small business owners:

  • Assume you are a target and develop an incident response plan now.
  • Review the data your business stores and shares with third parties including backup storage and cloud computing. Once you know what data you have and where it is, get rid of what is not necessary.
  • Encrypt the data you need to keep. Strong encryption technology is now commonly available for free, and it is easy to use.
  • Follow safe online practices such as regularly updating firewall and antivirus software on all devices, using strong passwords, avoiding downloading software from unknown sources and practicing safe online banking by only using a secure browser connection.

In 2003, California was the first state to pass a law (AB 700) mandating data breach notification, which requires businesses and state agencies to notify Californians when their personal information is compromised in a security breach. In 2012, companies and state agencies subject to the law were required for the first time to report any breach that involved more than 500 Californians to the Attorney General’s Office (SB 24). That first year, the Attorney General’s office received reports of 131 data breaches, which placed the personal information of an estimated 2.5 million Californians at risk. More information is available here: http://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-releases-report-data-breaches-25-million

Attorney General Harris created the eCrime Unit in 2011 to identify and prosecute cyber crimes such as hacking, theft of intellectual property, identity theft, on-line fraud and extortion. Attorney General Harris also established the office’s Privacy Enforcement and Protection Unit in 2012 to enforce federal and state privacy laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government.

Consumer Alert: Tips for Californians to Prevent Tax-Related Identity Theft

January 13, 2014
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

SAN FRANCISCO – Attorney General Kamala D. Harris today kicked off Tax Identity Theft Awareness Week by issuing tips for Californians to follow to prevent tax-related identity theft as the annual tax compiling and filing process begins.

Tax-related identity theft increases in January and commonly occurs when:

  • Thieves use stolen personal information to file tax returns in someone else’s name in order to obtain a refund.
  • Thieves use a stolen Social Security number (SSN) for employment, which may complicate state and federal income tax obligations for the victim.
  • Thieves send phishing emails that look like they are from the Internal Revenue Service (IRS) or the Franchise Tax Board (FTB) that ask for personal information or include links to official-looking web sites.

California consumers are urged to use the following tips to better prevent tax-related identity theft:

  • Never open an email or a text message that says it is from the IRS or the FTB - they are always fraudulent. State and federal tax agencies never initiate contact with taxpayers by email, text message or social media to request personal or financial information or to send notice regarding audits or refunds.
  • It’s fine to show your Social Security card to your employer when you start a job or to your financial institution for tax reporting purposes. Do not routinely carry your card or other documents that display your SSN.
  • While preparing your tax return for electronic filing, make sure to use a strong password. A strong password is at least eight characters and includes a combination of at least three upper and/or lowercase letters, punctuation, symbols and numerals.
  • Once you have e-filed your return, save it to a flash drive, CD or similar device and then delete the tax information from your hard drive. Store the CD or flash drive in a safe place, such as a lock box or safe. If working with an accountant, ask about what measures they take to protect your information.
  • Use a locked mailbox and don’t leave your mail in it for long periods of time. Take your mail that contains sensitive information (bills, tax returns) to the post office.
  • If your SSN is stolen, reference the California Attorney General’s Identity Theft First Aid page for instructions on what to do: www.oag.ca.gov/idtheft/first-aid.

You may have a tax identity theft problem if you receive a letter from the IRS or FTB stating that:

  • you filed more than one tax return,
  • someone has already filed using your information,
  • you have a balance due, refund offset or have had collection actions taken against you for a year in which you did not file a return, or
  • you received wages from an employer for whom you have not worked.

If you receive such a letter (not an email) from the IRS or FTB, immediately contact the agency’s identity theft unit:

Internal Revenue Service: phishing@irs.gov

IRS Identity Protection Specialized Unit

1-800-908-4490

California Franchise Tax Board: www.ftb.ca.gov/individuals/id_theft.shtml#ID

ID Theft Resolution Coordinator

1-916-845-3669

Additional Resources:

Internal Revenue Service

Identity Theft web pages:  www.irs.gov/uac/Suspicious-e-Mails-and-Identity-Theft and

www.irs.gov/uac/Indications-your-identity-may-have-been-stolen-and-how-to-report-it-to-us

Franchise Tax Board

Identity theft web page: www.ftb.ca.gov/individuals/id_theft.shtml#ID

California Attorney General

Identity Theft Protection and First Aid: http://oag.ca.gov/idtheft  

Federal Trade Commission

Tax Identity Theft Awareness Week: http://www.consumer.ftc.gov/features/feature-0029-tax-identity-theft-awareness-week 

For more information on how to identify and protect yourself from identity theft visit Attorney General Harris’ website.

Attorney General Kamala D. Harris Encourages Californians to Shop and Donate Wisely This Holiday Season

December 20, 2013
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

SAN FRANCISCO – Attorney General Kamala D. Harris today issued tips for the holiday season on how Californians can protect themselves from identity theft and make the most of their charitable giving.

Tips for safe shopping:

  • Review your bank and credit card statements frequently for unusual transactions.
  • In the event of a security breach involving your credit card, monitor your account and contact your bank promptly if you see any suspicious transactions.
  • If the security breach involves your debit card, the best way to protect yourself is to immediately cancel the card and get a replacement with a different number.
  • Don’t make purchases in free Wi-Fi hotspots, such as a coffee shop, which can put your passwords and other information at risk.
  • Shop on secure websites. One indicator about which websites are safe, and which are not, is the presence of a yellow padlock icon in the browser bar. Another indicator is ‘https’ in the web address.
  • Never send sensitive personal or financial information through e-mail. Legitimate companies will not ask you to do so because it is not a secure way to transfer sensitive information.
  • If you are receiving text messages on your cell phone saying you have won a prize or gift card, do not click on the link in the message – it is most likely a scam and may install a virus on your phone.
  • Know the return policies of the retailers you shop with before you leave the store or conclude an online transaction. Many retailers will give you a refund if you have a receipt and your return is prompt, but some may only give store credit. Ask a clerk if the policy is not posted at the register.

Tips for donating wisely:

  • The best way for many donors to select worthwhile charities is to work with a local charity as a volunteer. This helps provide first-hand knowledge about programs that benefit your community.
  • You may want your donation used for a specific program or purpose within a charity. If a website has a “donate” button, check to see if you can designate a specific purpose for your donation. If you can’t, contact the charity to be sure your donation will be spent for the purpose you intend.
  • If you are contacted by a solicitor on behalf of a charity, ask if he/she works for a commercial fundraiser and what percentage of donations goes directly to the charity. You may prefer to contact the charity directly to make a donation.
  • If you receive an email or text message asking for a donation to a charity, contact the charity directly and confirm that the request is legitimate.
  • If a solicitor tells you the donation is for your local police, firefighter or other public safety agency, check directly with the agency to avoid a potential scam.
  • Don’t assume that charity recommendations on Facebook, blogs, or other social media have been vetted. Research the charity yourself.
  • Make charitable contributions directly on a charity's website. If donating by check, use the full name of the charity rather than initials or an abbreviation. Do not give your credit card number to a telephone solicitor or in response to any unsolicited phone call you receive.

Additional consumer tips, information, and lists of resources are available at:

The California Attorney General’s consumer tips on identity theft and other privacy issues, https://oag.ca.gov/privacy/info-sheets

The California Attorney General’s Guide to Charitable Giving, http://oag.ca.gov/sites/all/files/agweb/pdfs/charities/publications/CharitiesSolicitation.pdf

www.ftc.gov, or toll free nationwide at (877) 382-4357

www.give.org, for additional information about a specific charity

Attorney General Kamala D. Harris Issues Guidelines to Health Care Industry on Medical Identity Theft

October 17, 2013
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

SAN FRANCISCO -- Attorney General Kamala D. Harris today released guidelines on preventing and remedying medical identity theft, including best practice recommendations for the health care industry and tips for consumers.  The guidelines are part of a report, Medical Identity Theft: Recommendations for the Age of Electronic Medical Records, which frames the escalated migration to electronic medical records as an opportunity for the healthcare industry to address this problem.

“Medical identity theft has been called the privacy crime that can kill,” said Attorney General Harris. “As the Affordable Care Act encourages the move to electronic medical records, the health care industry has an opportunity to improve public health and combat medical identity theft with forward-looking policies and the strategic use of technology.”

Medical identity theft occurs when an individual uses someone else’s personal information to obtain medical goods or services. For example, a thief may use stolen information to submit fraudulent bills, a doctor or provider may use patient information to write fraudulent prescriptions or an individual may use someone else’s information to obtain treatment.

The report focuses on the impact of identity theft on the accuracy of medical records and argues that the serious risk that inaccuracies pose is not always adequately addressed by existing healthcare industry procedures.

A companion information sheet for consumers, First Aid for Medical Identity Theft, describes the signs of medical identity theft and provides tips on what to do in response. The signs of possible medical identity theft include notice of a data breach from a health care provider, an unknown item in an Explanation of Benefits from a health insurer, a call from a debt collector about an unfamiliar medical bill and questions about your identity or health conditions at intake in a doctor’s office or hospital.

Key recommendations for health care providers:

  • Implement an identity theft response program with clear written policies and procedures for investigating a flagged record.
  • Offer patients who believe they may be victims of medical identity theft a free copy of the relevant portions of their medical records to review for signs of fraud.

Key recommendations for insurers:

  • Make Explanation of Benefits statements patient-friendly. Include information on how to report any errors discovered.
  • Use automated fraud-detection software to flag suspicious claims that could be the result of identity theft.

The report can be found here: http://bit.ly/1eup6NO

The guide for consumers can be found here: http://bit.ly/1gnDICS

Attorney General Kamala D. Harris Releases Report on Data Breaches; 2.5 Million Californians Had Personal Information Compromised

July 1, 2013
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

SAN FRANCISCO -- Attorney General Kamala D. Harris today released the first report detailing the 131 data breaches reported to her office in 2012, showing that 2.5 million Californians had personal information put at risk through an electronic data breach.

The report found that 1.4 million Californians would have been protected if companies had encrypted data when moving or sending the data out of the company’s network.

“Data breaches are a serious threat to individuals’ privacy, finances and even personal security,” Attorney General Harris said. “Companies and government agencies must do more to protect people by protecting data.”

In 2003, California was the first state to pass a law (AB 700, Simitian) mandating data breach notification, which requires businesses and state agencies to notify Californians when their personal information is compromised in a security breach. In 2012, companies and state agencies subject to the law were required for the first time to report any breach that involved more than 500 Californians to the Attorney General’s Office. (SB 24, Simitian)

While not required by law, Attorney General Harris is issuing this report that analyses the data breach notices reported in 2012, provides information to the public about those breaches, and makes recommendations to companies, law enforcement agencies, and the legislature about how data security could be improved. Those recommendations include practices that would decrease the number of data breaches, make it easier for consumers to recover from the loss or theft of their personal information, and call for law enforcement agencies to more aggressively target breaches involving unencrypted personal information.

First, companies should encrypt digital personal information when moving or sending it out of their secure network.  In 2012, encryption would have prevented reporting companies and agencies from putting over 1.4 million Californians at risk. The Attorney General’s Office will make it an enforcement priority to investigate breaches involving unencrypted personal information.

In addition, companies should review and tighten their security controls on personal information, including training employees and contractors.

Companies should make the breach notices they send easier to read. The report found that the average reading level of the notices submitted in 2012 was 14th grade, much higher than the average U.S. reading level of 8th grade. Recipients need to be able to understand the notices so that they can take appropriate action to protect their information.

Finally, the report recommends that legislators consider expanding the law to require notification of breaches involving passwords. Attorney General Harris is supporting legislation, SB 46 by Senator Ellen Corbett, which would require notification of a breach involving a user name or email address, in combination with a password or security question and answer that would permit access to an online account.

Additional key findings of the report include:

  • The average (mean) breach incident involved the information of 22,500 individuals. The median breach size was 2,500 affected individuals, with five breaches of 100,000 or more individuals’ personal information.
  • More than 1.4 million Californians would not have been put at risk, and 28 percent of the data breaches would not have required notification, if the data had been encrypted.
  • The retail industry reported the most data breaches in 2012: 34 (26 percent of the total reported breaches), followed by finance and insurance with 30 (23 percent).
  • More than half of the breaches (56 percent) involved Social Security numbers, which pose the greatest risk of the most serious types of identity theft.
  • More than half of the breaches (55 percent) were the result of intentional intrusions by outsiders or by unauthorized insiders. The other 45 percent were largely the result of failures to adopt or carry out appropriate security measures.

Attorney General Harris established the Privacy Enforcement and Protection Unit in 2012 to enforce federal and state privacy laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government. This includes California’s Online Privacy Protection Act, as well as laws relating to cyber privacy, health and financial privacy, identity theft, government records and data breaches.

In October 2012, Attorney General Harris announced a settlement with Anthem Blue Cross over allegations the company breached its members’ personal data by failing to protect their Social Security Numbers.

A complete copy of the data breach report and a list of all 131 breaches are attached to the online version of this release at http://oag.ca.gov.

To learn more about the Attorney General’s privacy work, visit http://oag.ca.gov/privacy.

Attachments: BREACH REPORT 2012.pdf (2.47 MB); List of 2012 Breaches.pdf (121.2 KB)

Attorney General Kamala D. Harris Issues Guidance on How Mobile Apps Can Better Protect Consumer Privacy

January 10, 2013
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

SAN FRANCISCO -- Attorney General Kamala D. Harris today issued recommendations for mobile application (app) developers and the mobile industry to safeguard consumer privacy. Today’s report provides guidance on developing strong privacy practices, translating these practices into mobile-friendly policies, and coordinating with mobile industry actors to promote comprehensive transparency.

“Californians want to know what personal information their apps collect, how it is used and with whom it is shared,” said Attorney General Harris. “To meet this need and keep pace with rapidly changing technology, these recommendations strike a responsible balance between protecting consumers’ personal information and fostering the continued growth of the innovative app economy.”

Today’s report, Privacy on the Go: Recommendations for the Mobile Ecosystem, is the result of an outreach effort that compiled input from stakeholders throughout the mobile industry. Its purpose is to serve as a template for the mobile industry to develop mobile-friendly privacy policies and practices that will improve consumer privacy without stifling innovation.  To accommodate the smaller screens of mobile devices, the report recommends the use of special notifications such as icons, or pop-up notifications to inform consumers about how personally identifiable information is being collected and shared.

The issue of mobile privacy is increasingly pressing as more than half of American adult cell phone owners access the Internet from their phones, and more than 1,600 mobile apps are released every day.

To protect consumers’ online privacy, Attorney General Harris forged an agreement among the seven leading mobile and social app platforms in 2012. The agreement – with Amazon, Apple, Facebook, Google, Hewlett-Packard, Microsoft and Research in Motion – involved displaying app privacy policies that users could find in a consistent location in the platform store and review before downloading an app. 

In October 2012, the Attorney General sent letters to approximately 100 mobile app developers and companies that were not in compliance with the California Online Privacy Protection Act and gave them 30 days to post a conspicuous privacy policy. In December, the Attorney General filed the first legal action against Delta Airlines, Inc. for violating California’s online privacy law, which requires apps that collect personally identifiable information to conspicuously post a privacy policy.

Last year, Attorney General Harris also established the Privacy Enforcement and Protection Unit to enforce federal and state privacy laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government. This includes California’s Online Privacy Protection Act, as well as laws relating to cyber privacy, health and financial privacy, identity theft, government records and data breaches.

A copy of the report is available here: http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/privacy_on_the_go.pdf

To learn more about the Attorney General’s privacy work, visit http://oag.ca.gov/cybersafety.

Attachments:

  • privacy_on_the_go.pdf (5.13 MB)

Attorney General Kamala D. Harris Encourages Californians to Donate and Shop Wisely this Holiday Season

December 13, 2012
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

SAN FRANCISCO -- Attorney General Kamala D. Harris today issued a consumer alert with tips for the holiday season on how Californians can make the most of their charitable giving through smart donations and protect themselves from identity theft when shopping online.

Tips for safe shopping:

  • Shop on secure websites. One clue about which websites are safe and which are not is to look for a yellow padlock in the browser bar or ‘https’ in the web address (the ‘s’ stands for ‘secure’).
  • Don’t make purchases over a free Wi-Fi hotspot like at a coffee shop, which can be scanned by those looking to capture your passwords and other information.
  • Never send personal or financial information through e-mail. Legitimate companies will not ask you to do so because it is not a secure way to transfer sensitive information.
  • If you are receiving text messages on your cell phone saying you have won a prize or gift card, do not click on the link in the message – it is most likely a scam and may install a virus on your phone.
  • To get the full value of a gift card, use it right away. Gift cards that are lost or stolen are not always replaceable. Retailer or restaurant gift cards do not have expiration dates, but bank cards, like Visa or MasterCard gift cards, or cards issued by a mall that can be used at different stores, may sometimes have expiration dates.
  • Know the return policies of the retailers you shop with before you leave the store or conclude an online transaction. Many retailers will give you a refund if you have a receipt and your return is prompt, but some may only give store credit. Ask a clerk if the policy is not posted at the register.

Tips for donating wisely:

  • Make sure your charitable donations are well spent and serving the activities you support by working with a local charity as a volunteer or by contacting the charity directly to make a donation.
  • If you are contacted by a solicitor on behalf of a charity, ask if he/she works for a commercial fundraiser and what percentage of donations being raised is going directly to the charity. You may prefer to contact the charity directly to make a donation.
  • If a solicitor tells you the donation is for your local police, firefighter or other public safety agency, check directly with the agency to avoid a potential scam.
  • Make charitable contributions by writing a check or by credit card directly on a charity's website. If donating by check, use the full name of the charity rather than initials or an abbreviation. Do not give your credit card number to a telephone solicitor or in response to any unsolicited phone call you receive.

Additional consumer tips, information, and lists of resources are available at:

www.ftc.gov, or toll free nationwide at (877) 382-4357

www.idtheftcenter.org, for information on your credit history

www.give.org, for additional information about a specific charity

Attorney General Kamala D. Harris Files Suit Against Delta Airlines for Failure to Comply with California Privacy Law

December 6, 2012
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

SAN FRANCISCO – Attorney General Kamala D. Harris announced today the first legal action under California’s online privacy law against Delta Airlines, Inc. for failing to comply with the state’s Online Privacy Protection Act.

Delta, headquartered in Atlanta, GA, was among the companies given 30 days to conspicuously post a privacy policy within their mobile app that informs users of what personally identifiable information is being collected and what will be done with it.

“Losing your personal privacy should not be the cost of using mobile apps, but all too often it is,” said Attorney General Harris. “California law is clear that mobile apps collecting personal information need privacy policies, and that the users of those apps deserve to know what is being done with their personal information.”

The California Online Privacy Protection Act requires commercial operators of websites and online services, including mobile and social apps, which collect personally identifiable information from Californians to conspicuously post a privacy policy. Privacy policies are an important safeguard for consumers. Privacy policies promote transparency in how companies collect, use, and share personal information. If developers do not comply with their stated privacy policies, they can be prosecuted under California’s Unfair Competition Law and/or False Advertising Law.

The complaint alleges that since at least 2010, Delta has operated a mobile app called “Fly Delta” for use on smartphones and other electronic devices. The Fly Delta app may be used to check in online for an airplane flight, view reservations for air travel, rebook cancelled or missed flights, pay for checked baggage, track checked baggage, access a user’s frequent flyer account, take photographs, and even save a user’s geo-location. Despite collecting substantial personally identifiable information such as a user’s full name, telephone number, email address, frequent flyer account number and pin code, photographs, and geo-location, the Fly Delta application does not have a privacy policy.

The suit seeks to enjoin Delta from distributing its app without a privacy policy and seeks penalties of up to $2,500 for each violation. The suit was filed in San Francisco Superior Court and a copy of the complaint is attached to the online version of this press release.

This action by Attorney General Harris follows an agreement she forged among the seven leading mobile and social app platforms to improve privacy protections for millions of users around the globe who use apps on their smart phones, tablets, and other electronic devices. Those platforms – Amazon, Apple, Facebook, Google, Hewlett-Packard, Microsoft, and Research in Motion – agreed to privacy principles designed to bring the industry in line with California law requiring mobile apps that collect personal information to have a privacy policy. The agreement allows consumers the opportunity to review an app’s privacy policy before they download the app rather than after, and offers consumers a consistent location for an app’s privacy policy on the application-download screen in the platform store. 

The California Online Privacy Protection Act is one of the privacy laws that the DOJ’s Privacy Enforcement and Protection Unit is charged with enforcing. Created by Attorney General Harris in 2012, the Privacy Unit’s mission is to enforce federal and state privacy laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government. This includes laws relating to cyber privacy, health privacy, financial privacy, identity theft, government records and data breaches.

The October 2012 press release announcing the notification to mobile app developers can be found here: https://www.oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-notifies-mobile-app-developers-non-compliance. The February 2012 press release announcing the apps agreement can be found here: https://www.oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-secures-global-agreement-strengthen-privacy. The June 2012 press release announcing that Facebook joined the apps agreement can be found here: https://www.oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-announces-expansion-california%E2%80%99s-consumer.

Attachments:

  • Delta Complaint.pdf (515.31 KB)