On December 6, California Attorney General Kamala Harris initiated the first enforcement action under California’s Online Privacy Protection Act (CalOPPA) in San Francisco Superior Court. The complaint filed against Delta Air Lines Inc. asserts that the airline’s operation of its mobile app called “Fly Delta” violates both CalOPPA and California’s unfair competition law (UCL).

CalOPPA requires an operator of a commercial website or online service that collects personally identifiable information (PII) through the Internet about consumers residing in California who use or visit its website to “conspicuously post” a privacy policy. The Act defines PII as: a first and last name; a home or other physical address; an email address; a telephone number; a social security number; any other identifier that permits the physical or online contacting of an individual; or information concerning a user that a website or online service collects from the user and maintains in personally identifiable form in combination with any of the aforementioned identifiers.

Under the Act, an operator must post a privacy policy within 30 days after notification of non-compliance. However, enforcement against a company that fails to comply with a posted privacy policy (either knowingly, or negligently and materially) does not require a 30-day notification. On October 26, the AG’s office issued warning letters to over 100 popular mobile app developers that did not have compliant privacy policies, giving them the statutory 30 days to comply or explain why their apps are not covered by CalOPPA. Delta acknowledged receipt of the letter on October 30 and stated that it would “provide the requested information” but, for whatever reason, did not do so within the 30-day window. Delta did publish a privacy policy for the Fly Delta app shortly after the lawsuit was filed.

The complaint alleges that, while Delta maintains a privacy policy on its website, the policy “does not mention the Fly Delta app, and is not reasonably accessible to consumers of the Fly Delta app.” The Fly Delta app collects such PII as a user’s full name, telephone number, email address, frequent flyer account number and PIN code, photographs and geo-location, yet, according to the complaint, a privacy policy does not exist “in the application itself, in the platform stores from which the application may be downloaded, or on Delta’s website.” In the same vein, the complaint avers that “the Delta website privacy policy does not indicate that it collects geo-location data or photographs.”

CalOPPA was enacted in 2004, before the smartphone revolution, so it does not specifically target smartphones or mobile applications. While the Act does not expressly apply to mobile apps, the California AG takes the position that it does and, in support of that position, cites the fact that mobile applications are deemed “online services” under the federal Children’s Online Privacy Protection Act (COPPA).

Companies can expect more enforcement actions from California’s AG, as well as from other state AGs and federal agencies such as the Federal Trade Commission (FTC). In fact, the FTC just released a report that says a large number of mobile apps that target children collect and share PII with third parties without parental disclosure and the agency plans to launch an investigation into potential COPPA violations. California has been leading the charge with respect to privacy enforcement and Kamala Harris has clearly staked out the privacy arena as a critical part of her administration’s enforcement agenda. In February, she struck an agreement to improve privacy protections with six of the largest mobile and social app companies: Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research In Motion, and Facebook joined the settlement in June. Over the summer, Harris formed a new Privacy Enforcement and Protection Unit charged with regulating privacy issues and enforcing California’s various privacy laws.

So what does this all mean for businesses? There are a number of takeaways for companies with an online and/or mobile presence:

  • Do not ignore your privacy obligations because enforcement actions will only continue to increase in the coming months. The consequences of non-compliance can be severe. The AG seeks penalties against Delta in the amount of $250,000 for each violation, which it asserts occurs each time the app has been downloaded since its launch in 2010. This could easily result in billions of dollars in fines. Delta may also find itself the target of civil class actions under California’s UCL, although class members would still have to overcome the Article III standing hurdle by showing a resulting harm.
  • While the first CalOPPA enforcement action happened to be against an app developer, the statute was crafted with websites in mind and any company that maintains a website that collects PII of a California resident must have a privacy policy “conspicuously posted” on its website that complies with the Act.
  • Having a CalOPPA-compliant privacy policy is only the first step, however, and a policy can actually create liability for a company if it is not followed. Under CalOPPA’s provisions, the AG’s office is not obliged to issue a 30-day warning if it determines that a company is willfully, or negligently and materially, failing to comply with its posted policy. Policies should be crafted with the involvement of technology personnel and reviewed and updated annually to ensure they mirror the company’s practices involving the collection and sharing of PII.
  • If a business has a mobile app that collects PII (and most do) then, at a minimum, the privacy policy on the website should cover the mobile app. Yet, California’s AG seems to have an expectation that the privacy policy should be posted within the app itself, which raises a number of complexities. The limited space on the screen of a smartphone makes it difficult to post a policy “conspicuously,” especially when the prime screen space is understandably devoted to the main purpose of the app: to promote the service and/or product and drive sales. The policy should be written in plain (i.e., non-technical) language and should not be stuck at the end of lengthy text that takes forever to scroll through, nor should it be buried several pages into the app.

The tension between online behavioral advertising and the many user benefits generated through the personalization of an individual’s online experience versus mounting state and federal agency privacy concerns will only continue to grow. Companies doing business on the Internet and the mobile space should regularly assess and modify their privacy practices to avoid being the target of a future enforcement action.