The People of the State of California v. Delta Air Lines Inc., No. 12-526741 (Superior Court for the State of California, City and County of San Francisco filed Dec. 6, 2012).
California's Online Privacy Protection Act (CalOPPA)
CalOPPA, Cal. Bus. & Prof. Code §§ 22575-22579, applies to any operator of a commercial website or online service – including a mobile app that collects personally identifiable information about consumers residing in California.
The statute defines personally identifiable information to include:
- A first and last name.
- A home or other physical address, including street name and name of a city or town.
- An e-mail address.
- A telephone number.
- A social security number.
- Any other identifier that permits the physical or online contacting of a specific individual.
- Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described above.
- Identify categories of personally identifiable information that the operator collects.
- Identify categories of third-parties with whom the operator may share personally identifiable information.
- Describe the process the consumer can use to review and request changes to stored information, if such a process exists.
Increasing Enforcement of CalOPPA
About five months after the Joint Statement of Principles, on July 19, 2012, the Attorney General created a new Privacy Enforcement and Protection Unit within the Department of Justice eCrime Unit. The Privacy Unit's mission is to enforce federal and state privacy laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government. CalOPPA is one of the laws the Privacy Unit is charged with enforcing.
Just a few days after the 30 day period ended, on December 6, 2012, the Attorney General filed the first legal action under CalOPPA against Delta Airlines, alleging that its Fly Delta app violates the online privacy law.
Allegations Concerning the Fly Delta App
The Attorney General's lawsuit targets the Fly Delta application for smartphones and other electronic devices. The app allows customers to check in online, view reservations, pay for checked baggage, book flights, and perform other tasks related to flying.
The complaint seeks an injunction prohibiting Delta from distributing the app until it complies with CalOPPA, in addition to a penalty of up to $2,500 for each copy of the non-compliant app downloaded by California consumers.
Focus on Mobile Apps
Although CalOPPA applies to any website or online service that collects personally identifiable information, the Attorney General's focus on mobile app developers is notable, particularly in light of the absence of enforcement actions in the eight years the statute has been in effect. The Attorney General's office sent letters like the one it sent to Delta to numerous other app developers, and the Delta lawsuit may be just the first of many future enforcement actions.