California Attorney General Kamala Harris’ attempt to bring an enforcement action against Delta Air Lines, Inc. won’t be leaving the runway. California Superior Court Judge Marla J. Miller has dismissed a data privacy complaint against Delta brought by Attorney General Harris. The development comes as an unexpected bump in the road for the Attorney General’s office, which has made enforcement of state privacy regulations a top priority. Judge Miller agreed with Delta’s argument that the claim should be dismissed on federal preemption grounds.
While the dismissal of the complaint against Delta is not the outcome the Attorney General wanted, it is properly viewed as a set-back rather than defeat. The Attorney General’s office has worked systematically over the past two years to build consensus around its claim that mobile applications are an “online service” and therefore must comply with CalOPPA. Its complaint against Delta was widely viewed as a test case signaling the Attorney General’s intention to increase enforcement efforts. Although the complaint was dismissed, Judge Miller’s holding that the federal Airline Deregulation Act of 1978 preempts application of CalOPPA to the Fly Delta application is industry-specific. Attorney General Harris is still free to (and likely will) bring enforcement actions against non-compliant mobile applications that aren’t operated by commercial airlines. Whether the same preemption argument would apply to other federally-regulated industries remains an open question.
So then, if you’re not in the business of operating a commercial airline, what does this mean for you? It means there is no time like the present to make sure that your mobile application or website service complies with CalOPPA’s requirements. An advisor to Attorney General Harris has already confirmed that in addition to preparing an appeal of the dismissal of the claim against Delta, the Attorney General’s office is preparing to bring a number of additional enforcement actions. As we have noted previously, the $2,500 per violation fine associated with this type of claim would potentially be staggering, since each download of a non-compliant application would constitute a separate violation. The potential penalties likely exceed the cost to comply by a large multiple. As always, if you have any questions your Mintz Levin privacy team is ready to help.