Privacy & Information Security Law Blog

On December 6, 2012, California Attorney General Kamala D. Harris announced a lawsuit against Delta Air Lines, Inc. (“Delta”) for violations of the California Online Privacy Protection Act (“CalOPPA”). The suit, which the Attorney General filed in the San Francisco Superior Court, alleges that Delta failed to conspicuously post a privacy policy within Delta’s “Fly Delta” mobile application to inform users of what personally identifiable information is collected and how it is being used by the company. CalOPPA requires “an operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service,” such as a mobile application, to post a privacy policy that contains the elements set out in CalOPPA. According to Attorney General Harris’ complaint, Delta has operated the “Fly Delta” application for smartphones and other electronic devices since at least 2010. The complaint alleges that “[d]espite collecting substantial personally identifiable information (“PII”) such as user’s full name, telephone number, email address, frequent flyer account number and PIN code, photographs, and geo-location, the Fly Delta application does not have a privacy policy. It does not have a privacy policy in the application itself, in the platform stores from which the application may be downloaded, or on Delta’s website.”

Pursuant to CalOPPA, an operator has violated the subdivision requiring the conspicuous posting of a privacy policy if it fails to post a privacy policy within 30 days after being notified of the noncompliance, and the violation is made either knowingly and willfully or negligently and materially. As we previously reported, in October 2012, the California AG sent letters to approximately 100 mobile app operators, informing them that they are not in compliance with CalOPPA. Delta was one of the recipients of the Attorney General’s letter. According to the complaint, Delta continued to fail to conspicuously post a privacy policy within the Fly Delta app despite receiving the Attorney General’s notification (see Exhibit A of the complaint) on or about October 26, 2012.

According to the California Attorney General’s news release, this is the Attorney General’s first enforcement action under CalOPPA for failing to comply with the state’s law. Violations of CalOPPA may result in penalties of up to $2,500 for each violation.