Written by Evan Nadel and Jake Romero
Delta Airlines, Inc. may have to pay fines equal to 20 “excess bag” fees for each user that has downloaded its “Fly Delta” mobile application. California Attorney General Kamala Harris has filed a complaint against Delta, alleging that Delta has failed to conspicuously post a privacy policy on its mobile application, in violation of California’s Online Privacy Protection Act (“CalOPPA”).
Over the past year, we have followed the number of incremental steps that the California Attorney General’s office has taken toward ensuring that mobile applications comply with CalOPPA’s provisions, including the requirement that operators of commercial websites and online services that collect personally identifiable information from users post a privacy policy that explains what information is collected and how it is shared. Most recently, we reported that Attorney General Harris’s office had issued warning letters to the developers of 100 of the most popular mobile applications without compliant privacy policies, giving them 30 days to bring their respective applications into compliance. At that time, a spokesperson from Delta acknowledged that they had received one such notice, and that Delta “intended to provide the requested information.”
That thirty day period has since lapsed and, in a complaint filed on Thursday with the San Francisco County Superior Court, Attorney General Harris alleges that Delta continues to engage in unfair business practices by violating CalOPPA’s privacy policy requirement. According to the complaint, the Fly Delta mobile application has been available since 2010 and has been downloaded millions of times. The Fly Delta app collects a broad array of personally identifiable information from its users, including, among other things, geo-location data, photographs, names, addresses, telephone numbers, email addresses, date of birth, credit card numbers and expiration dates, and frequent traveler account numbers. Although Delta’s main website does contain a privacy policy, that privacy policy is not accessible through the mobile application and does not include a full description of the information collected by Fly Delta. Attorney General Harris is seeking an injunction against Delta preventing it from distributing the Fly Delta app, as well as a penalty of $2,500 for each violation. For mobile app developers, “each violation” can mean $2,500 for each time the non-compliant application was downloaded. Civil class actions under California’s Unfair Competition Law (Bus. & Prof. Code § 17200, et seq.) involving “Fly Delta” are likely to follow, although users who downloaded the app at no cost will face a challenge establishing standing under that law.
The legal action against Delta is yet another indication of how serious Attorney General Harris is about enforcing California’s right to privacy. For mobile app developers, that means there is no better time to make sure that your application complies with California’s regulations. Here are a few key considerations:
- • CalOPPA requires that the privacy policy be “conspicuously” posted. For mobile applications, that means that the privacy policy must be accessible before the user has downloaded the application. Once the application has been downloaded, the privacy policy should be accessible from inside the application itself.
- • Your mobile application privacy policy must include a full description of the information being collected. We recommend having all of your key technicians review the policy to ensure its accuracy and completeness. Mobile applications have the potential to collect and transmit far more data than the average website, and the full extent of information being transmitted is not always readily apparent.
- • Simply linking to your website’s privacy policy is not sufficient. As noted above, mobile applications can potentially collect much more data than the average website, including geo-location data and pictures that are stored on the mobile device. One of the noteworthy aspects of Attorney General Harris’s complaint against Delta is that it contends that even if the user could access Delta’s website privacy policy through the Fly Delta app, that privacy policy would not be sufficient to bring the application into compliance with CalOPPA.
We are certain to see more legal actions and fines in the near future.
In the meantime, the complaint against Delta serves as a reminder that, in addition to worrying about whether you have too many liquids to get through security, you should also be concerned about whether your app complies with federal and state privacy laws. If you have questions regarding compliance with CalOPPA and the mobile privacy policy requirements, Mintz Levin’s privacy team is ready to assist.