On December 6, California Attorney General Kamala Harris initiated the first enforcement action under California’s Online Privacy Protection Act (CalOPPA) in San Francisco Superior Court. The complaint filed against Delta Air Lines Inc. asserts that the airline’s operation of its mobile app called “Fly Delta” violates both CalOPPA and California’s unfair competition law (UCL).
CalOPPA was enacted in 2004, before the smartphone revolution, so it does not specifically target smartphones or mobile applications. While the Act does not expressly apply to mobile apps, the California AG takes the position that it does and cites to the fact that mobile applications are deemed “online services” under the federal Children’s Online Privacy Protection Act (COPPA) in support of its position.
Companies can expect more enforcement actions from California’s AG, as well as from other state AGs and federal agencies such as the Federal Trade Commission (FTC). In fact, the FTC just released a report that says a large number of mobile apps that target children collect and share PII with third parties without parental disclosure and the agency plans to launch an investigation into potential COPPA violations. California has been leading the charge with respect to privacy enforcement and Kamala Harris has clearly staked out the privacy arena as a critical part of her administration’s enforcement agenda. In February, she struck an agreement to improve privacy protections with six of the largest mobile and social app companies: Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research In Motion, and Facebook joined the settlement in June. Over the summer, Harris formed a new Privacy Enforcement and Protection Unit charged with regulating privacy issues and enforcing California’s various privacy laws.
So what does this all mean for businesses? There are a number of takeaways for companies with an online and/or mobile presence:
- Do not ignore your privacy obligations because enforcement actions will only continue to increase in the coming months. The consequences of non-compliance can be severe. The AG seeks penalties against Delta in the amount of $250,000 for each violation, which it asserts occurs each time the app has been downloaded since its launch in 2010. This could easily result in billions of dollars in fines. Delta may also find itself the target of civil class actions under California’s UCL, although class members would still have to overcome the Article III standing hurdle by showing a resulting harm.
The tension between online behavioral advertising and the many user benefits generated through the personalization of an individual’s online experience versus mounting state and federal agency privacy concerns will only continue to grow. Companies doing business on the Internet and the mobile space should regularly assess and modify their privacy practices to avoid being the target of a future enforcement action.