Privacy Litigation Alert: First Lawsuit Filed Under California's Online Privacy Protection Act

The People of the State of California v. Delta Air Lines Inc., No. 12-526741 (Superior Court for the State of California, City and County of San Francisco filed Dec. 6, 2012).

On Thursday, December 6, 2012, California Attorney General Kamala D. Harris filed the first enforcement action under California's Online Privacy Protection Act (CalOPPA), marking the latest step in the increasing regulatory enforcement of California's online privacy law. The complaint alleges that Delta Air Lines violated the law by failing to include a CalOPPA-compliant privacy policy within its Fly Delta mobile app. CalOPPA has been in place for eight years, but the Attorney General has recently made its enforcement a priority, especially in the mobile app market.

California's Online Privacy Protection Act (CalOPPA)
CalOPPA, Cal. Bus. & Prof. Code §§ 22575-22579, applies to any operator of a commercial website or online service, including a mobile app, that collects personally identifiable information about consumers residing in California.

The statute defines personally identifiable information to include:

  • A first and last name.
  • A home or other physical address, including street name and name of a city or town.
  • An e-mail address.
  • A telephone number.
  • A social security number.
  • Any other identifier that permits the physical or online contacting of a specific individual.
  • Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described above.

The law requires the operator of a website or online service that collects personally identifiable information to "conspicuously post" its privacy policy. For operators of online services like mobile apps, the required privacy policy must be "reasonably accessible... for consumers of the online service." According to the Attorney General, having a website with the applicable privacy policy conspicuously posted may be adequate, but only if a link to that website is "reasonably accessible" to the user within the app. This can present design challenges in the mobile environment, where screen space is at a premium.

The privacy policy must:

  • Identify categories of personally identifiable information that the operator collects.
  • Identify categories of third parties with whom the operator may share personally identifiable information.
  • Describe the process the consumer can use to review and request changes to stored information, if such a process exists.
  • Describe the process the website or online service operator uses to notify consumers about material changes to the operator's privacy policy.
  • Identify the privacy policy's effective date.

A website or online service operator violates the law if it does not post the required privacy policy within 30 days after being notified of non-compliance.

Increasing Enforcement of CalOPPA
On February 22, 2012, Attorney General Harris reached an agreement with companies in the mobile app market to help enforce the state's privacy laws. Core principles included a commitment to post the required privacy policy in mobile apps, an agreement to provide space for privacy policies in app distribution platforms, and an agreement to implement a method of reporting and responding to reports of non-compliance. Apple, Google, Microsoft, Amazon, Hewlett-Packard, and Research In Motion adopted the Joint Statement of Principles in February, and Facebook joined the group in June.

About five months after the Joint Statement of Principles, on July 19, 2012, the Attorney General created a new Privacy Enforcement and Protection Unit within the Department of Justice eCrime Unit. The Privacy Unit's mission is to enforce federal and state privacy laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government. CalOPPA is one of the laws the Privacy Unit is charged with enforcing.

On October 30, 2012, Attorney General Harris began notifying up to 100 mobile app developers that they were not in compliance with CalOPPA's privacy policy requirements. The Attorney General's letters asked app developers to respond within 30 days with either (1) specific plans and a timeline to comply with CalOPPA or (2) an explanation of why their app is not covered by CalOPPA.

Just a few days after the 30-day period ended, on December 6, 2012, the Attorney General filed the first legal action under CalOPPA against Delta Air Lines, alleging that its Fly Delta app violates the online privacy law.

Allegations Concerning the Fly Delta App
The Attorney General's lawsuit targets the Fly Delta application for smartphones and other electronic devices. The app allows customers to check in online, view reservations, pay for checked baggage, book flights, and perform other tasks related to flying.

The Attorney General's complaint alleges that the Fly Delta app collects personally identifiable information about customers, including geo-location data, photographs, users' full names, street addresses, telephone numbers, email addresses, account number and flight information, credit and debit card numbers, date of birth, gender, passport number, and employer information. The complaint also alleges that a privacy policy is not available within the app itself.

According to the Attorney General's complaint, Delta's website includes a privacy policy, but the policy does not mention the Fly Delta app and is not reasonably accessible to consumers of the Fly Delta app. The complaint also alleges that the website's privacy policy does not address certain types of information the app collects, including photographs and geo-location information.

The complaint seeks an injunction prohibiting Delta from distributing the app until it complies with CalOPPA, in addition to a penalty of up to $2,500 for each copy of the non-compliant app downloaded by California consumers.

Focus on Mobile Apps
Although CalOPPA applies to any website or online service that collects personally identifiable information, the Attorney General's focus on mobile app developers is notable, particularly in light of the absence of enforcement actions in the eight years the statute has been in effect. The Attorney General's office sent letters like the one it sent to Delta to numerous other app developers, and the Delta lawsuit may be just the first of many future enforcement actions.