At a May 9, 2013, hearing, the California Superior Court dismissed the lawsuit that California Attorney General Kamala Harris filed against Delta Airlines in December 2012.¹ As reported in the January 2013 issue of Eye on Privacy,² the state’s lawsuit alleged that the company’s “Fly Delta” mobile application (app) violated the California Online Privacy Protection Act (CalOPPA) by failing to provide required privacy disclosures.³ The AG sought enforcement of CalOPPA through California’s Unfair Competition Law (California UCL).⁴ According to the AG, Delta violated CalOPPA by “fail[ing] to conspicuously post a privacy policy in its Fly Delta app” despite the AG’s earlier written notice of non-compliance, and because the Fly Delta app failed to comply with the privacy policy posted on Delta’s website.⁵ The court dismissed the action based on its conclusion that the state law claim was preempted by the Federal Airline Deregulation Act of 1978 (ADA).⁶

While this specific holding would not apply to most companies offering consumer apps, the action demonstrates the California AG’s intent to vigorously enforce CalOPPA in the context of such apps based on her position that mobile apps collecting personally identifiable information (PII) are “online services” under CalOPPA.

Background on CalOPPA

Enacted in 2004, CalOPPA was the first state law in the country to require owners of commercial websites or online services to post a distinctive and easily accessible link to a privacy policy.⁷ The law requires operators of commercial websites or online services that collect PII through the Internet from California consumers who visit the site or use the service to “conspicuously” post a privacy policy on their site that informs consumers about the categories of PII collected on the site, as well as the categories of third parties with whom that PII is shared. The law also requires operators of online services to make such a policy reasonably accessible to users.

The statute specifically defines PII as “individually identifiable information about an individual consumer,” including: “(1) a first and last name; (2) a home or other physical address, including street name and name of a city or town; (3) an e-mail address; (4) a telephone number; (5) a social security number; (6) any other identifier that permits the physical or online contacting of a specific individual; [and] (7) information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in [the statute].”⁸ The privacy policy itself must contain the following information:

• A list of the categories of PII the operator collects;
• A list of the categories of third parties with whom the operator shares that PII;
• A description of the process by which the consumer can review and request changes to the PII the operator collects from him or her;
• A description of the process through which consumers are notified that the operator has materially changed its privacy policy; and
• The privacy policy’s effective date.⁹

Further, under CalOPPA, a “conspicuous” post means any of the following:

• The privacy policy appears on the website’s homepage;
• The privacy policy is directly linked to the website’s homepage through an icon containing the word “privacy” and it appears in a color different from the background color of the homepage itself; or
• ” The privacy policy is linked to the website’s homepage through a hypertext link containing the word “privacy,” in all capital letters either equal to or greater than the size of the surrounding text, in a color that differs from the background color of the homepage.¹⁰

The California AG’s Enforcement of CalOPPA in the Context of Mobile Apps

Around October 26, 2012, the California AG sent letters to approximately 100 allegedly non-compliant companies, including Delta, notifying them of her view that CalOPPA applies not just to websites, but also to mobile apps.¹¹ The letter stated that companies with apps used by California residents would have 30 days to respond with their specific plans and timelines to comply with CalOPPA, or an explanation of why the mobile app in question was not covered by CalOPPA, or else they would face an enforcement action. Non-compliance could result in fines amounting to $2,500 per individual download.¹² Delta acknowledged receipt of the letter on October 30, 2012, and stated that it would “provide the requested information,” but for whatever reason, did not do so within the 30-day window.¹³

Attorney General Harris made good on her promise by suing Delta over its Fly Delta app on December 6, 2012. The complaint alleged that Delta did not make a privacy policy available to consumers within the Fly Delta app.¹⁴ The complaint also asserted that Delta’s website privacy policy neither mentioned the Fly Delta app nor disclosed the types of PII collected, which included the user’s geolocation, photographs, full name, telephone number, and email address.¹⁵

Dismissal of the Delta Litigation

In a motion filed on February 11, 2013, Delta asked the court to dismiss the California AG’s lawsuit at the pleading stage. Delta primarily argued that the preemption provision of the ADA precluded enforcement of CalOPPA against Delta. Alternatively, the company asserted that CalOPPA did not apply to the Fly Delta app because a mobile app is not an “online service” as defined by the statute. Delta explained that “online service” is a technical term that is not satisfied by the fact that an app sends or receives information over the Internet. Delta also claimed that the Delta privacy policy was already reasonably accessible to consumers through its homepage, which satisfied the statutory requirements.¹⁶

Adopting Delta’s primary argument, Judge Marla J. Miller agreed that the AG’s claim was preempted because the ADA evinces Congress’ intent that any regulatory burdens on air carriers would be imposed only through the Department of Transportation. In an oral ruling,¹⁷ the judge focused on the ADA’s provision stating “that a state court may not enact or enforce a law, regulation or other provision having the force and effect of law related to a price, route, or service of an air carrier.”¹⁸ She noted that although the Fly Delta app could be used by non-Delta customers, and collect information irrelevant to airline services, it also could be used by airline customers in connection with such services. Thus, in offering the Fly Delta app, Delta acts as a “provider” of airline-related “services” under the ADA,¹⁹ and the AG’s claim “deriv[ed] from the enactment or enforcement of state law” and “relate[d]” specifically to airline “services.”²⁰

Implications for Mobile App Operators

Unfortunately, because the court based its dismissal of the Delta action on federal preemption and did not address the substantive requirements or scope of CalOPPA, the decision provides no guidance or solace to companies in the mobile app space that do not have any possibility of making similar federal preemption arguments. Nonetheless, the fact that the California AG proceeded with a lawsuit against a well-funded defendant based on her position that CalOPPA extends to mobile apps demonstrates that her office will vigorously enforce CalOPPA against companies with mobile apps that collect PII from California residents.

Until a court thoroughly evaluates CalOPPA’s scope, operators of mobile apps that collect PII from California consumers can reduce their risk by complying with the law’s requirements. This means, among other things, ensuring that the company’s privacy policy is accessible from within its mobile application and ensuring that the policy accurately describes any PII collection, use, sharing, and disposal practices.