Stephen S. Wu-- SL: Legal Writer,, (408) 573-5737, 50 W. San Fernando St., Ste. 750, San Jose, CA 95113

California Attorney General Sues Delta Citing Lack of Privacy Policy on Mobile App

I have now written two posts -- one on October 7 and one on November 6 urging developers of mobile apps to develop and implement a privacy policy, with a supporting privacy program. At the end of October, California Attorney General Kamala Harris sent letters notifying mobile app developers that they must post their privacy policies or face enforcement actions under California’s Online Privacy Protection Act (OPPA) of 2003, which requires commercial websites or online services that obtain personally identifiable information about California consumers to post their privacy policies. On December 6, Harris filed a lawsuit in San Francisco’s Superior Court alleging that Delta Airlines failed to heed her warning and does not have a privacy policy for its mobile app Fly Delta. For a copy of the complaint, click here.
The complaint asserts a single claim--violation of California’s Business & Professions Code Section 17200 and following, which is California’s Unfair Competition Law (UCL). The UCL prohibits unlawful, unfair, or fraudulent business acts or practices, as well as false advertising. The AG’s complaint alleges two violations. First, the complaint says that the failure to post a privacy policy in its mobile app violated the OPPA. The AG acknowledged that the Delta website has a privacy policy, but emphasized that the Fly Delta app does not.

Second, the complaint says that Delta violated its own website privacy. In a somewhat unclear statement, the AG says that Delta does not comply with its own website privacy policy because “the Fly Delta app does not comply with the Delta website privacy policy.” That sounds somewhat circular, but the facts alleged in the complaint suggest that the absence of a discussion of Fly Delta’s functionality in the website privacy policy means Delta is collecting and using information in ways that are beyond the disclosed practices in the website notice.

The most interesting part of the complaint was the AG’s position that mobile apps are covered by OPPA, even though OPPA says it covers only operators of “websites” and “online services.” Mobile applications are not expressly covered. Nonetheless, the AG cited a Federal Trade Commission interpretation of the phrase “online services” to include any service available over the Internet, or that connects to the Internet or a wide-area network (which is consistent with my thinking of the statute’s languge). It then asserts that Fly Delta gathers information over the Internet, and thus is covered.

Some of that information is being collected via the cellular network and not the public Internet per se. The information may be transmitted ultimately via the Internet to Delta’s servers. I don’t know the technical details of Delta’s services. But Delta might argue based on the plain language of the statute that it is not an “online service.” I don’t think it’s a winning argument. Nonetheless, I think the legislature may need to fix the language of the statute to include mobile apps to clarify OPPA’s coverage.

In any case, we are past the theoretical stage and past the warning stage: mobile apps developers need privacy policies. If your app doesn’t have one, now is the time to write and post one. The AG appears to be starting to pick targets for its enforcement efforts, and a large company like Delta is a natural first choice. Nonetheless, this enforcement effort is going to continue on for years to come. In addition, the lack of a privacy policy is simple to show, so these are easy cases for the AG. No mobile app is immune from an enforcement action. The best way to reduce this risk is to make sure you have a robust privacy program in place that includes a mobile app privacy policy conspicuously available for users to review.