California AG Sues Delta Air Lines For Lack of Mobile App Privacy Policy

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

In the first enforcement action concerning mobile applications under California's online privacy law, California Attorney General Kamala D. Harris (D) Dec. 6 filed a state court complaint against Delta Air Lines Inc. for allegedly failing to post a privacy policy that covers its mobile app (People v. Delta Air Lines Inc., Cal. Super. Ct., No. CGC-12-526741, complaint filed 12/6/12).

The complaint, filed in the Superior Court of California for the City and County of San Francisco, alleged that Atlanta-based Delta violated the California Online Privacy Protection Act and the state's Unfair Competition Law by failing to “conspicuously post a privacy policy in its Fly Delta app” and failing to comply with its own website privacy policy.

“Despite collecting substantial personally identifiable information ('PII') such as a user's full name, telephone number, email address, frequent flyer account number and PIN code, photographs, and geo-location, the Fly Delta application does not have a privacy policy[,]” the complaint alleged.

According to a Dec. 6 statement by the attorney general, Delta was one of the companies that received notice from the attorney general that they had 30 days to post privacy policies within their mobile apps informing users about what PII is collected and how it is used (210 DER A-16, 10/31/12).

“Losing your personal privacy should not be at the cost of using mobile apps, but all too often it is,” Harris said in her office's statement. “California law is clear that mobile apps collecting personal information need privacy policies, and that the users of those apps deserve to know what is being done with their personal information.”

In a Dec. 7 statement to BNA, Delta spokesman Paul Skrbec said that the company “does not comment on pending litigation.”

Must 'Conspicuously Post' Privacy Policy.

The California Online Privacy Protection Act, Cal. Bus. & Prof. Code Section 22575(a), provides that:

An operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on its Web site, or in the case of an operator of an online service, make that policy available in accordance with paragraph (5) of subdivision (b) of Section 22577.  

Section 22577(b)(5) provides that “any other reasonably accessible means of making the privacy policy available for consumers of the online service” is an acceptable means of posting a privacy policy for an online service.


Section 22575(a) deems operators of websites or online services that fail to post a privacy policy within 30 days after they are notified that they are not in compliance with the act in violation of the act.

If an operator fails to conspicuously post a privacy policy in accordance with Section 22575(a) or fails to comply with the provisions of its own privacy policy and yet still collects PII from California consumers, the operator may also violate Section 22576 of the act.

The law, which was enacted in 2004, clearly applied to websites, but as mobile apps became prevalent the scope of the law came under review.

In February, six mobile app developers whose platforms represent 95 percent of the Inc., Apple Inc., Google Inc., Hewlett-Packard Co., Microsoft Corp., and Research in Motion Co.--signed a Joint Statement of Principles with the California attorney general agreeing to strengthen privacy notifications and protections to bring them in line with the California law (35 DER A-33, 2/23/12). Facebook Inc. joined the apps agreement in June (121 DER A-4, 6/25/12).

“If developers do not comply with their stated privacy policies, they can be prosecuted under California's Unfair Competition Law and/or False Advertising Law,” the California attorney general's office warned in its statement.

No Action on Letter.

In April, an official from the California attorney general's office told app developers they had six months to adapt to the principles or be notified of violations.

On Oct. 26, the attorney general sent formal notification letters to developers whose apps it alleged were not in compliance with the law and gave them 30 days to comply (210 DER A-16, 10/31/12).

According to the complaint, Delta was one of the companies sent a letter notifying it of its noncompliance with the act. But as of Dec. 6, Delta had not conspicuously posted a privacy policy on its Fly Delta app, the complaint said.

Although Delta maintains a privacy policy on its website, “this privacy policy does not mention the Fly Delta app, and is not reasonably accessible to consumers of the Fly Delta app[,]” the complaint alleged.

Delta's failures to comply with the online privacy act constitute “unlawful, unfair, or fraudulent business acts and practices” that violate California's Unfair Competition Law, Cal. Bus. & Prof. Code §Section 17200, according to the complaint.

The attorney general's office has requested that the court permanently enjoin Delta from similar unlawful conduct and order Delta to pay $2,500 for each violation of the Unfair Competition Law. It has also requested that the court award it attorneys' fees and costs of investigation.

Adam Miller, supervising deputy attorney general, represented California.

By Katie W. Johnson  

Full text of the complaint is available at