A California state court dismissed the California Attorney General’s case against Delta Air Lines for violation of the California Online Privacy Protection Act (“CalOPPA”) late last week. The Attorney General argued that certain features of Delta’s “Fly Delta” mobile app resulted in the collection of Personally Identifiable Information (“PII”) without disclosing its data collection policies to consumers.
Delta argued that its data collection policies were posted before any consumer could have possibly been injured and also that it never collected PII under CalOPPA anyway. A primary basis for the dismissal, though, had nothing to do with consumer privacy laws but rather Delta’s status as an airline. The federal Airline Deregulation Act prohibits states from enacting or enforcing laws or regulations related to the price, route or service of air carriers, which is what CalOPPA would effectively do as applied to Delta.
The key takeaway for any app provider is that this case is not a blow to the Attorney General and not a sign of looser restrictions to come. Indeed, Delta was only one of approximately 100 mobile app operators targeted as part of the California Attorney General’s initial CalOPPA enforcement campaign. This means that companies should continue to comply with the California Attorney General’s recommended guidelines (available at http://oag.ca.gov/sites/all/files/pdfs/privacy/privacy_on_the_go.pdf) and ensure that privacy policies cover mobile apps and app data collection.
Finally, CalOPPA represents only one step in a much longer move toward government efforts to require greater transparency by companies to consumers of their privacy and data collection practices. California’s guidelines, along with the FTC’s similar guidelines (see FTC Releases Recommendations for Mobile App Privacy Practices), should still be used as a baseline for a company’s privacy and data collection practices.