Long known as an ardent protector of individual privacy rights, California brought its first legal enforcement action under state privacy laws on December 6, 2012, when state Attorney General Kamala D. Harris filed suit against Delta Air Lines, Inc. for failure to display a privacy policy on its mobile application.1 According to the Complaint, Delta's "Fly Delta" app violates California's Online Privacy Protection Act ("CalOPPA") and Unfair Competition Law because the app collects personally identifiable information ("PII") from users but does not display a privacy policy.2

The Fly Delta app, which has been offered since 2010, allows a user to, among other things, book and check in for flights, pay for and track checked baggage, and save the geo-location of the user's parked car using a photograph taken from the user's phone.3 The Complaint further alleges that, in providing these services, the Fly Delta app collects at least fourteen types of PII, including a user's passport number, geo-location data, corporate or employer affiliation, and credit card information.4 The Fly Delta app itself makes no mention of its collection or use of such PII, nor does it reference the privacy policy on the main Delta Air Lines website. According to the Complaint, Delta's website's privacy policy does not mention the Fly Delta app, nor does it disclose the app's collection of users' geo-location data or photographs.5 If found liable, Delta could face civil penalties of up to $2,500 per violation.6

The suit was filed after Delta failed to act on a notice of non-compliance sent by the California AG's new Privacy Enforcement and Protection Unit. The notice letter gave Delta 30 days to conspicuously post a privacy policy within the Fly Delta app.7 Delta was one of approximately 100 companies that supply popular mobile apps to receive such a notice during the California AG's first round of enforcement efforts in October 2012.8 According to the Complaint, Delta issued a statement saying it intended to comply, but as of the date of filing had not done so.9

The California AG's increased enforcement efforts coincide with its February 2012 "Joint Statement of Principles" agreement with Amazon.com, Apple, Facebook, Google, Microsoft, Research In Motion, and Hewlett-Packard (the "Mobile Apps Market Companies").10 Pursuant to the Joint Statement of Principles, the Mobile Apps Market Companies must include in their application submission processes an optional data field allowing app developers to either (a) insert a hyperlink to their privacy policy, or (b) display the text of their policy or a description thereof (both options would display the data field on screens appearing before a user downloads the app).11 The Mobile Apps Market Companies also agreed to implement user reporting and response processes for non-compliant apps and to collaborate with the California AG on developing best practices for mobile app privacy.12

California's privacy laws have historically been more stringent than other state and federal laws, but the high bar set by California affects any website operator or app developer who collects PII from California residents.13 According to a recent TRUSTe survey cited by the California AG, less than 20 percent of the top 340 free mobile apps contained a link to a privacy policy.14 As such, all website operators and mobile app operators, as well as the companies that employ them, should monitor the California AG's enforcement efforts and "best practices" guidance so as to conform their privacy policies to California standards.