While this specific holding would not apply to most companies offering consumer apps, the action demonstrates the California AG’s intent to vigorously enforce CalOPPA in the context of such apps based on her position that mobile apps collecting personally identifiable information (PII) are “online services” under CalOPPA.
Background on CalOPPA
- A list of the categories of PII the operator collects;
- A list of the categories of third parties with whom the operator shares that PII;
- A description of the process by which the consumer can review and request changes to the PII the operator collects from him or her;
Further, under CalOPPA, a “conspicuous” post means any of the following:
The California AG’s Enforcement of CalOPPA in the Context of Mobile Apps
Around October 26, 2012, the California AG sent letters to approximately 100 allegedly non-compliant companies, including Delta, notifying them of her view that CalOPPA applies not just to websites, but also to mobile apps.11 The letter stated that companies with apps used by California residents would have 30 days to respond with their specific plans and timelines to comply with CalOPPA, or an explanation of why the mobile app in question was not covered by CalOPPA, or else they would face an enforcement action. Non-compliance could result in fines amounting to $2,500 per individual download.12 Delta acknowledged receipt of the letter on October 30, 2012, and stated that it would “provide the requested information,” but for whatever reason, did not do so within the 30-day window.13
Dismissal of the Delta Litigation
Adopting Delta’s primary argument, Judge Marla J. Miller agreed that the AG’s claim was preempted because the ADA evinces Congress’ intent that any regulatory burdens on air carriers would be imposed only through the Department of Transportation. In an oral ruling,17 the judge focused on the ADA’s provision stating “that a state court may not enact or enforce a law, regulation or other provision having the force and effect of law related to a price, route, or service of an air carrier.”18 She noted that although the Fly Delta app could be used by non-Delta customers, and collect information irrelevant to airline services, it also could be used by airline customers in connection with such services. Thus, in offering the Fly Delta app, Delta acts as a “provider” of airline-related “services” under the ADA,19 and the AG’s claim “deriv[ed] from the enactment or enforcement of state law” and “relate[d]” specifically to airline “services.”20
Implications for Mobile App Operators
Unfortunately, because the court based its dismissal of the Delta action on federal preemption and did not address the substantive requirements or scope of CalOPPA, the decision provides no guidance or solace to companies in the mobile app space that do not have any possibility of making similar federal preemption arguments. Nonetheless, the fact that the California AG proceeded with a lawsuit against a well-funded defendant based on her position that CalOPPA extends to mobile apps demonstrates that her office will vigorously enforce CalOPPA against companies with mobile apps that collect PII from California residents.
1 State of California v. Delta Air Lines, Inc., Case No. CGC-12-526741 (Cal. Sup. Ct., complaint filed Dec. 6, 2012), available at http://oag.ca.gov/system/files/attachments/press_releases/Delta%20Complaint_0.pdf?.
2 Wilson Sonsini Goodrich & Rosati, “Eye on Privacy,” (Jan. 2013), available at http://www.wsgr.com/publications/pdfsearch/eye-on-privacy/mar2013/eye-on-privacy_03-13.pdf.
3 California Online Privacy Protection Act (CalOPPA), Cal. Bus. & Prof. Code §§ 22575-22579, available at http://oag.ca.gov/privacy/COPPA.
4 California Unfair Competition Law (California UCL), Cal. Bus. & Prof. Code §§ 17200 et seq., available at http://www.leginfo.ca.gov/cgi-bin/displaycode?section=bpc&group=17001-18000&file=17200-17210. The California UCL prohibits individuals and entities from committing unlawful, unfair, or fraudulent business acts and practices, and government officials bringing suit for violations of CalOPPA may seek civil penalties and equitable relief under the UCL. Cal. Bus. & Prof. Code §§ 17203, 17206-07. Private plaintiffs may also assert claims for violations of CalOPPA under the UCL. Id. § 17204.
5 See complaint, supra note 1 at ¶30
6 Airline Deregulation Act (ADA), Pub. L. 95-504, 49 U.S.C. § 1371, et seq.
8 Cal. Bus. & Prof. Code § 22577(a).
11 A sample of the letter is available here.
13 The letter to Delta was attached to the complaint. See complaint, supra note 1.
16 A copy of Delta’s opening brief is available here. Delta’s reply brief is available here.
17 A transcript of the ruling is available here (“Delta Transcript”).
19 See Karen Gullo, “Delta Wins Dismissal of California Mobile” (May 9, 2013), available at http://www.businessweek.com/news/2013-05-09/delta-wins-dismissal-of-california-mobile-app-privacy-suit-1.