Following a year in which she repeatedly announced her intention to make mobile privacy a priority, California Attorney General Kamala Harris filed the first mobile privacy enforcement action against Delta Air Lines. The case, The People Of The State Of California v. Delta Air Lines, CGC-12-526741, filed in San Francisco Superior Court December 6, 2012, alleges violations of California’s Unfair Competition Law based upon Delta’s alleged failure to comply with California Online Privacy Protection Act (“CalOPPA”). With potential statutory penalties of $2,500 per violation, the stakes are sky high.

Delta had received a letter from the attorney general’s office in late October notifying the company of non-compliance with CalOPPA, and giving it 30 days to become compliant. In particular, the letter noted that the Fly Delta app “does not have a privacy policy reasonably accessible for consumers.” With the expiration of the 30-day period, the attorney general wasted no time in filing the current action. While the case is notable for being the first mobile privacy enforcement action, it is equally notable for the violations that it alleges.

The primary allegations are twofold. First, the complaint repeats the allegation of the letter, that Delta does not have a privacy policy for its mobile application that is readily accessible to the consumer in the application or on the platforms from which it could be downloaded, an alleged CalOPPA violation in its own right. Second, the complaint alleges that neither the presence, nor the substance, of the Delta website privacy policy is sufficient for compliance with CalOPPA with respect to the mobile application. Critically, the complaint alleges that “while the privacy policy on Delta’s website describes some of the PII collected on their website, Delta does not disclose anywhere several types of PII that the Fly Delta app collects, but the Delta website does not collect.” In short, the attorney general is not just paying attention to the presence of the privacy policy, but also the content and the information practices unique to the mobile environment.

Any company that has a consumer-facing mobile application should take note. Per the attorney general, every mobile application that collects personally identifiable information must have a privacy policy that is readily available to the consumer on the platforms on which the application is available for download, and within the application itself. Just as important, the attorney general is urging that each privacy policy must disclose the information-collection and sharing practices of the mobile application specifically, and that it is not sufficient to simply link to the website privacy policy. Information-collection practices often vary between website and mobile applications, and the privacy policy must be an accurate reflection of the information-collection and sharing practices in the application.