On December 6, 2012, California's Attorney General filed a suit against Delta Air Lines ("Delta") alleging that Delta violated the California Online Privacy Protection Act ("CalOPPA")1 and California's Unfair Competition Law2 by collecting personally identifiable information from consumers through its "Fly Delta" mobile application ("Fly Delta app") and either knowingly and willfully, or negligently and materially, failing to (i) conspicuously post a privacy policy applicable to the Fly Delta app within 30 days after receipt of notification of non-compliance, and (ii) comply with the privacy policy posted on the Delta website with respect to the Fly Delta app.3 The complaint, which is the first-ever action brought by the Attorney General to enforce CalOPPA against a provider of a mobile application, follows the Attorney General's issuance of a press release on October 30, 2012, which stated that the Attorney General was in the process of notifying up to 100 mobile application providers of their failure to comply with CalOPPA, and intended to "take all necessary steps to enforce California's privacy laws" in the area of mobile applications.4

The California Online Privacy Protection Act

CalOPPA, which applies to operators5 of commercial websites or online services that collect personally identifiable information about individual consumers residing in California who use or visit their commercial websites or online services (each, an "Operator"), sets forth minimum content requirements for privacy policies of Operators6 (the "Content Requirement"), and requires Operators to "conspicuously post" their privacy policy on their website, or in the case of an online service, provide a "reasonably accessible means of making the privacy policy available for consumers of the online service"7 (the "Posting Requirement"). CalOPPA defines "personally identifiable information" ("PII") as individually identifiable information about an individual consumer that is collected by an Operator from the individual and maintained by the Operator in an accessible form, including information such as the consumer's name, physical address, email address, telephone number, social security number, and any other identifying information that can be used to contact the consumer physically or online.8

CalOPPA's Content Requirement obligates Operators to include the following minimum information in their privacy policies:

  1. Identification of the categories of PII that the Operator collects through the website or online service and the categories or third-party persons or entities with whom the Operator may share that PII;
  2. A description of any process that the Operator uses by which a consumer who visits the website or uses the online service may review or request changes to any of his or her PII;
  3. A description of the process by which the Operator notifies consumers who visit its website or use its online service of any material changes to the Operator's privacy policy for that website or online service; and
  4. The effective date of the privacy policy.9

An Operator will be in violation of CalOPPA if it (i) fails to comply with the Posting Requirement (and thus with the Content Requirement) within 30 days after being notified of its non-compliance, or (ii) knowingly and willingly, or negligently and materially, fails to comply with the provisions of its posted privacy policy.10

Details of the Complaint

In the complaint, the Attorney General states that the term "online service" under CalOPPA "broadly covers any service available over the Internet or that connects to the Internet, including Internet-enabled gaming platforms, voice-over Internet protocol services, cloud services, and mobile applications."11 The complaint further states that because the Fly Delta app sends and receives PII over the Internet about various consumers, including consumers residing in California who use the app, it constitutes an online service that is subject to CalOPPA's requirements.12

According to the complaint, Delta began offering the Fly Delta app in 2010, and since that time has engaged in the collection of "substantial" PII from consumers through the application, yet failed to conspicuously post a privacy policy applicable to the Fly Delta app.13 As a result, the Attorney General sent a letter to Delta on October 26, 2012, which notified Delta that it was in violation of CalOPPA due to its failure to make a privacy policy applicable to the Fly Delta app reasonably accessible to consumers using the application.14 Delta thereafter issued a statement indicating that it had received the letter from the Attorney General and that it intended to provide the requested information;15 however, the complaint states that Delta failed to post a privacy policy within the required 30 days following notification of non-compliance.16

Furthermore, the complaint states that while Delta does have a privacy policy on its website, the policy neither mentions the Fly Delta app nor covers certain categories of PII that are collected through the app but not through the website, such as geo-location data and photographs.17 Thus, the complaint states that Delta is in violation of Section 22576 of CalOPPA for knowingly and willfully, or negligently and materially, (i) failing to conspicuously post a privacy policy applicable to the Fly Delta app within 30 days of being formally notified by the Attorney General; and (ii) failing to comply with the provisions in its posted privacy policy by collecting certain PII through the Fly Delta app that are not covered in the privacy policy posted on the Delta website.18

The complaint alleges that Delta's violation of CalOPPA further constitutes a violation of California's Unfair Competition Law, which defines "unfair competition" as the commission of an unlawful, unfair, or fraudulent business acts and practice.19 Thus, the Attorney General is claiming that by failing to comply with CalOPPA's requirements, Delta engaged in an unlawful business practice that constituted unfair competition, and therefore should be (i) permanently enjoined from committing acts of unfair competition by immediately complying with the requirements of CalOPPA, and (ii) ordered to pay $2,500 for each violation pursuant to Section 17206 of the Unfair Competition Law.20 While the complaint does not expressly state the number of alleged violations, instead noting that this will be proved at trial, it does mention that the Fly Delta app has been "downloaded by consumers millions of times since October of 2010 without the conspicuously posted privacy policy required by CalOPPA."21 Based on the statement in the Attorney General's October 30th press release that "companies can face fines of up to $2,500 each time a non-compliant app is downloaded,"22 this would suggest that the Attorney General will argue that each download constitutes a violation, which, if successful, could potentially result in fines of several billion dollars. California's Unfair Competition Law provides that in determining the amount of the penalty, the court shall consider relevant circumstances such as the nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant's misconduct, and the defendant's assets, liabilities, and net worth.23

Implications

The lawsuit against Delta, which follows the Attorney General's agreement with seven mobile application providers (Amazon, Apple, Facebook, Google, Hewlett-Packard, Microsoft, and Research In Motion) to strengthen privacy protections for users of mobile applications,24 as well as the establishment of the California Department of Justice's Privacy Enforcement and Protection Unit in July,25 further evidences the Attorney General's intention to aggressively enforce consumer privacy protection laws, and is likely the first of a number that will be filed. Accordingly, providers of mobile applications and websites that collect PII from California consumers should heed this latest warning and ensure that that they are acting in compliance with CalOPPA and all other applicable privacy requirements.

Footnotes

1 The Online Privacy Protection Act of 2003, Cal. Bus. & Prof. Code §§ 22575 – 22579 (2004).

2 Cal. Bus. & Prof. Code § 17200 et seq. (1992).

3 See Complaint, The People of the State of California v. Delta Air Lines, Inc., No. CGC-12-526741, (Cal. Sup. Ct. 2012).

4 Press Release, State of California Department of Justice, Attorney General Kamala D. Harris Notifies Mobile App Developers of Non-Compliance with California Privacy Law (Oct. 30, 2012), available at: http://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-notifies-mobile-app-developers-non-compliance.

5 CalOPPA defines "operator" as "any person or entity that owns a Web site located on the Internet or an online service that collects and maintains personally identifiable information from a consumer residing in California who uses or visits the Web site or online service if the Web site or online service is operated for commercial purposes." The term "does not include any third party that operates, hosts, or manages, but does not own, a Web site or online service on the owner's behalf or by processing information on behalf of the owner." Cal. Bus. & Prof. Code § 22577(c).

6 Cal. Bus. & Prof. Code §§ 22575(b).

7 Cal. Bus. & Prof. Code §§ 22575(a) and 22577 (b)(5).

8 Cal. Bus. & Prof. Code § 22577(a).

9 Cal. Bus. & Prof. Code § 22575(b).

10 Cal. Bus. & Prof. Code § 22576.

11 See Compl. at 5.

12 See id.

13 See Compl. at 6.

14 See id.

15 See Jessica Guynn, "Atty. Gen. Kamala Harris puts mobile apps on notice about privacy [Updated]", Los Angeles Times, October 30, 2012, available at: http://articles.latimes.com/2012/oct/30/business/la-fi-tn-atty-gen-kamala-harris-puts-mobile-apps-on-notice-about-privacy-20121030.

16 See Compl. at 6.

17 See id. at 5.

18 See id. at 6.

19 Cal. Bus. & Prof. Code § 17200.

20 See Compl. at 8.

21 Id. at 6.

22 See Press Release, "State of California Department of Justice, Attorney General Kamala D. Harris Notifies Mobile App Developers of Non-Compliance with California Privacy Law" (Oct. 30, 2012), available at: http://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-notifies-mobile-app-developers-non-compliance.

23 Cal. Bus. & Prof. Code § 17206(b).

24 See Press Release, "State of California Department of Justice, Attorney General Kamala D. Harris Secures Global Agreement to Strengthen Privacy Protections for Users of Mobile Applications" (February 22, 2012), available at: http://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-secures-global-agreement-strengthen-privacy; Press Release, "State of California Department of Justice, Attorney General Kamala D. Harris Announces Expansion of California's Consumer Privacy Protections to Social Apps as Facebook Signs Apps Agreement" (June 22, 2012), available at: http://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-announces-expansion-california%E2%80%99s-consumer.

25 See Press Release, "State of California Department of Justice, Attorney General Kamala D. Harris Announces Privacy Enforcement and Protection Unit" (July 19, 2012), available at: http://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-announces-privacy-enforcement-and-protection.

The content of this article does not constitute legal advice and should not be relied on in that way. Specific advice should be sought about your specific circumstances.