State AG Monitor

California Means Business on Mobile Privacy

Posted in Data Privacy

For those companies who have not yet received the message, yesterday’s lawsuit against Delta Air Lines, Inc. by California Attorney General Kamala Harris makes it very clear that she means business on mobile privacy. AG Harris’s lawsuit alleges that Delta committed an unlawful, unfair or fraudulent business practice by failing to include a privacy policy in its mobile app (“Fly Delta,” which allows users to check flight status and check in for flights, among other things), in violation of California’s Online Privacy Protection Act (CalOPPA).

This lawsuit should come as no surprise as AG Harris sent letters in late October 2012 to 100 top app developers (including Delta, as well as United Airlines and Open Table), notifying them that her office reviewed their apps and believed them to be in violation of California law and giving them 30 days to comply. While this is the first lawsuit to be filed by the AG under CalOPPA, it likely will not be the last. It is being prosecuted by California’s new Privacy Enforcement and Protection Unit, which AG Harris created this summer in order to enforce state and federal privacy laws.

This is not AG Harris’s first foray into mobile privacy. In February 2012, she entered into a Statement of Principles with the six largest mobile app platforms (including Apple, Google, and RIM; a seventh –Facebook– agreed to the Statement of Principles in June 2012), pursuant to which the app platforms agreed to increase awareness among app developers about their legal obligations with respect to consumer privacy, and promote more transparency in privacy practices. Under the Statement of Principles, the app platforms agreed, among other things, to modify their submission process for new apps to make it easier for developers to link to or include a privacy policy, as well as to make it easier for consumers to report to the app platforms those apps that do not comply with applicable law.

Without a doubt, this lawsuit will be the first of many that AG Harris files against mobile app developers. Any company with a mobile app that in any way collects users’ personal data needs to post a thorough and comprehensive privacy policy to avoid running afoul of CalOPPA and, just as importantly, ensure that it abides by that privacy policy.