White & Case
California Attorney General Brings Privacy Law Enforcement Action Against Delta Air Lines Over "Fly Delta" Mobile Application

December 7, 2012
White & Case Technology Newsflash
Daren M. Orzechowski

Technology Newsflash

Long-known as an ardent protector of individual privacy rights, California brought its first legal enforcement action under state privacy laws on December 6, 2012, when state Attorney General Kamala D. Harris filed suit against Delta Air Lines, Inc. for failure to display a privacy policy on its mobile application.1 According to the Complaint, Delta's "Fly Delta" app violates California's Online Privacy Protection Act ("CalOPPA") and Unfair Competition Law because the app collects personally identifiable information ("PII") from users but does not display a privacy policy.2

The Fly Delta app, which has been offered since 2010, allows a user to, among other things, book and check in for flights, pay for and track checked baggage, and save the geo-location of the user's parked car using a photograph taken from the user's phone.3 The Complaint further alleges that, in providing these services, the Fly Delta app collects at least fourteen types of PII, including a user's passport number, geo-location data, corporate or employer affiliation, and credit card information.4 The Fly Delta app itself makes no mention of its collection or use of such PII, nor does it reference the privacy policy on the main Delta Air Lines website. According to the Complaint, Delta's website's privacy policy does not mention the Fly Delta app, nor does it disclose the app's collection of users' geo-location data or photographs.5 If found liable, Delta could face civil penalties of up to $2,500 per violation.6

The suit was filed after Delta failed to comply with a non-compliance letter sent by the California AG's new Privacy Enforcement and Protection Unit. The notice letter gave Delta 30 days to conspicuously post a privacy policy within the Fly Delta app.7 Delta was one of approximately 100 companies that supply popular mobile apps to receive such a notice during the California AG's first round of enforcement efforts in October 2012.8 According to the Complaint, Delta issued a statement saying it intended to comply, but as of the date of filing had not done so.9

The California AG's increased enforcement efforts coincide with its February 2012 "Joint Statement of Principles" agreement with Amazon.com, Apple, Facebook, Google, Microsoft, Research In Motion, and Hewlett-Packard (the "Mobile Apps Market Companies").10 Pursuant to the Joint Statement of Principles, the Mobile Apps Market Companies must include in their application submission processes an optional data field allowing app developers to either (a) insert a hyperlink to their privacy policy, or (b) display the text of their policy or a description thereof (both options would display the data field on screens appearing before a user downloads the app).11 The Mobile Apps Market Companies also agreed to implement user reporting and response processes for non-compliant apps and to collaborate with the California AG on developing best practices for mobile app privacy.12

California's privacy laws have historically been more stringent than other state and federal laws, but the high bar set by California affects any website operator or app developer who collects PII from California residents.13 According to a recent TRUSTe survey cited by the California AG, less than 20 percent of the top 340 free mobile apps contained a link to a privacy policy.14 As such, all website operators and mobile app operators, as well as the companies who employ them, should monitor the California AG's enforcement efforts and "best practices" guidance so as to conform their privacy policies to California standards.

1 - Complaint, People of Cal. v. Delta Air Lines, Inc., No. 12-526741 (Cal. Super. Ct. filed Dec. 6, 2012) (hereinafter, "Complaint"); see also Press Release, Cal. Att'y. Gen., Attorney General Kamala D. Harris Files Suit Against Delta Airlines for Failure to Comply with California Privacy Law (Dec. 6, 2010), available at oag.ca.gov/news/press-releases.
2 - Complaint at 2; see also CalOPPA, Cal. Bus. & Prof. Code § 22575 (West 2012) ("an operator of a commercial web site or online service that collects [PII] through the Internet about individual consumers residing in California . . . shall conspicuously post its privacy policy"); California Unfair Competition Law, Cal. Bus. & Prof. Code § 17200 et seq. (West 2012).
3 - Complaint at 4-6.
4 - Id. at 4.
5 - Id. at 5.
6 - Id. at 8.
7 - Press Release, Cal. Att'y Gen., Attorney General Kamala D. Harris Secures Global Agreement to Strengthen Privacy Protections for Users of Mobile Applications (Oct. 30, 2012), available at oag.ca.gov/news/press-releases.
8 - Id. (the Privacy Enforcement and Protection Unit was created in July 2012).
9 - Complaint at 6 (failure to post a privacy policy within 30 days after receiving a non-compliance notice is a violation of CalOPPA).
10 - Press Release, Cal. Att'y Gen., Attorney General Kamala D. Harris Secures Global Agreement to Strengthen Privacy Protections for Users of Mobile Applications (Feb. 22, 2012), available at oag.ca.gov/news/press-releases (hereinafter "Feb. 2012 Press Release") (a copy of the Joint Statement of Principles is available in .pdf form at this link); Press Release, Cal. Att'y Gen., Attorney General Kamala D. Harris Announces Expansion of California's Consumer Privacy Protections to Social Apps as Facebook Signs Apps Agreement (Jun. 22, 2012), available at oag.ca.gov/news/press-releases (announcing Facebook as the seventh signatory to the Joint Statement of Principles).
11 - Feb. 2012 Press Release at "Updated Mobile Apps Information.pdf" (at link provided supra, note 10).
12 - Feb. 2012 Press Release at "Updated Mobile Apps Information.pdf" (at link provided supra, note 10).
13 - See CalOPPA § 22575.
14 - Feb. 2012 Press Release at "Updated Mobile Apps Information.pdf" (at link provided supra, note 10). For information on the survey, see TRUSTe, More Consumers Say Privacy – Over Security – is Biggest Concern When Using Mobile Applications on Smartphones (Apr. 27, 2011) available at truste.com/about-TRUSTe/press-room/news_truste_mobile_privacy_survey_results_2011.

This article is provided for your convenience and does not constitute legal advice. It is prepared for the general information of our clients and other interested persons. This article should not be acted upon in any specific situation without appropriate legal advice, and it may include links to websites other than the White & Case website. White & Case LLP has no responsibility for any websites other than its own, and does not endorse the information, content, presentation or accuracy, or make any warranty, express or implied, regarding any other website.

This article is protected by copyright. Material appearing herein may be reproduced or translated with appropriate credit.

© 2012 White & Case LLP