California Attorney General Sues Delta Air Lines for Failing to Have a Mobile App Privacy Policy

Making good on her threat from October, the California Attorney General has brought her first lawsuit over a company’s failure to include a privacy policy in its mobile app. The suit, against Delta Air Lines, alleges a violation of the California Online Privacy Protection Act (“CalOPPA”), which requires operators of online services to make a privacy policy reasonably accessible (and also requires operators of commercial websites to conspicuously post privacy policies on their websites). See Cal. Bus. & Prof. Code §§ 22575-22579. In the Complaint, the Attorney General has taken the position that the term “online service,” as used in CalOPPA, “broadly covers any service available over the Internet or that connects to the Internet,” including mobile applications, and requires a privacy policy to be available within the app. The Complaint alleges that the “Fly Delta” app collects at least 14 categories of personal information, including geo-location data, a user’s full name, address, and credit card number and expiration date. Further, the Complaint alleges that the failure to have a privacy policy that informs users what information is collected and how it is used constitutes an “unlawful, unfair, or fraudulent” business act or practice under California law. The Complaint seeks an injunction and $2,500 in damages for each violation of CalOPPA, which the Attorney General has previously argued applies to each download of a noncompliant app.

Interestingly, the Complaint impliedly recognizes the possibility that a court could conclude that having a privacy policy posted on the company’s website may comply with CalOPPA – but the Complaint makes it clear that this is not the case with Delta. The Complaint includes allegations that although Delta has a privacy policy on its website, the policy does not mention the “Fly Delta” app at all and does not describe what information is collected in the app specifically (as opposed to on the website) and how it is used.

Companies with mobile apps that do not have privacy policies should strongly consider adding one now, and making it accessible from within the application. Although CalOPPA provides a company with 30 days to post a policy after being notified of noncompliance, a company should be proactive so as to avoid the scrutiny of an Attorney General who clearly means business.