Following a one-year-plus period during which California Attorney General Kamala Harris has made mobile privacy protection a high priority, the first mobile privacy enforcement action under California’s Online Privacy Protection Act (“CalOPPA”) was filed December 6, 2012, against Delta Air Lines. The case – The People Of The State Of California v. Delta Air Lines, CGC-12-526741, filed in San Francisco Superior Court – is based upon Delta’s alleged failure to comply with CalOPPA by not “conspicuously posting a privacy policy” in its mobile app, “Fly Delta,” that would inform users of what personally identifiable information is collected and how it is used by the company. Because potential statutory penalties are $2,500 per copy of the app as downloaded by California residents (which may number in the hundreds of thousands of copies), the potential ramifications here are enormous.

Given this backdrop, any company that has a consumer mobile application – or is considering one – should tread carefully.

CalOPPA mandates that mobile apps “conspicuously post” privacy policies advising consumers of what personally identifiable information is collected and how it is handled by the collector. This mandate is met when such policies are “readily accessible . . . for consumers of the online service” operating the mobile app. The “Fly Delta” app collects information such as users’ names, photographs, street addresses, telephone numbers, email addresses, credit card numbers, dates of birth, passport numbers, and employer contact information. However, despite collecting such personally identifiable information, the app does not include a privacy policy within the app itself, and is not otherwise accessible to users to explain the app’s data collection process nor of how that information is being used.

Significantly, although Delta does operate a separate website (at that does include a privacy policy, that policy does not mention the Fly Delta app nor is it accessible from the app itself. The app has been available on all major smartphones since October 2010, and has been updated numerous times, with each version omitting the required privacy policy provisions. This omission is itself a violation of the Delta website privacy policy.

With this background, the California AG notified Delta in writing (along with approximately 100 other companies) of its violation of CalOPPA on October 26, 2012, providing Delta 30 days to rectify the violations. Despite Delta’s public response that it would “supply the requested information,” the app was not revised to comply with CalOPPA. Thus, the instant action ensued.

The primary allegations are twofold. First, the complaint repeats the allegation of the letter, that Delta does not have a privacy policy for its mobile application that is readily accessible to the consumer in the application or on the platforms from which it could be downloaded. Second, the complaint alleges that neither the presence, nor the substance, of the Delta website privacy policy is sufficient to comply with CalOPPA with respect to the mobile application. The complaint notes that “while the privacy policy on Delta’s website describes some of the PII collected on their website, Delta does not disclose anywhere several types of PII that the Fly Delta app collects, but the Delta website does not collect.” Most importantly, the attorney general is not simply focusing on the presence of the Delta privacy policy, but also the content and the information practices within the unique characteristics of the mobile environment.

Although CalOPPA technically applies to only those companies whose mobile apps or other online services collect personally identifiable information of individual consumers residing in California, the ubiquity of these services essentially guarantees the requisite connection to California. Per the California attorney general, every mobile application that collects personally identifiable information must have a privacy policy that is readily accessible to consumers on the platforms on which the application is available for download, and within the application itself. Equally as important, the attorney general is urging that each privacy policy must disclose the information-collection and sharing practices of the mobile application in particular, and that it is not sufficient to merely link it to a related website privacy policy. Because information-collection practices often differ between website and mobile applications, a mobile application’s privacy policy must be an accurate reflection of its information-collection and sharing practices.