Delta Wins CalOPPA Case - But Your Mobile App May Not Fly

By Cynthia J. Larose

In a decision favorable to the airline industry—but not helpful to other companies—the California Court of Appeal said that a privacy enforcement action against Delta is not going to fly.  On May 25, 2016, the Court of Appeal tossed the California Attorney General’s CalOPPA enforcement action against Delta Airlines, affirming the lower court’s 2013 dismissal of the case with prejudice.

As we previously wrote, California AG’s office has been taking incremental steps toward ensuring that mobile applications comply with CalOPPA.  As early as 2012, its office began sending notices of non-compliance to mobile application developers.  When some companies failed to respond, the Attorney General chose Delta as its pilot case, promptly filing its first-ever enforcement action under CalOPPA.  Over the past three years, we have followed the Attorney General’s CalOPPA compliance campaign, including the Delta case.  

California Attorney General Kamala Harris filed the case against Delta in 2012, alleging that the carrier had failed to include a privacy policy on its mobile application.  This failure, noted the Attorney General, violated the California Online Privacy Protection Act (“CalOPPA”).

CalOPPA, which first went into effect in 2004, requires “an operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service” to have a conspicuous privacy policy that complies with California Business and Professions Code § 22575(a)-(b).  The Attorney General, Kamala Harris, believes that companies, which fail to make their privacy policies readily available on their mobile apps, violate CalOPPA.   Kamala Harris has made privacy compliance one of her priorities.  Since 2012, she has successfully persuaded companies such as Apple, Amazon, Microsoft, Facebook, and Google to make privacy policies readily available within their apps.

The May 25, 2016, appellate ruling means that Delta may be off the hook from having to comply with CalOPPA.  However, as we have previously explained, companies outside of the airline industry must remain diligent when it comes to the California Attorney General’s CalOPPA enforcement actions.  This is because the recent decision by the Court of Appeal—that federal law preempts state claims against Delta—does not protect non-airlines.  As such, California Attorney General’s office will likely continue to pursue similar enforcement actions against other companies that fail to follow its guidance with respect to mobile apps.

To avoid steep penalties, companies that utilize mobile applications should take the following steps:

  • Determine whether your app collects personally identifiable information.
  • Confirm that the application allows users to access your privacy policy directly within the app.
  • Ensure that your privacy policy accurately describes an effective date, what information you collect, how the information is shared, how it can be accessed by users, and how you notify users of material changes to the policy.
  • Consult your Mintz Levin privacy team to confirm that your current practices comply not only with CalOPPA, but with other similar laws in all states where you conduct business and with Federal Trade Commission guidelines.

Subscribe To Viewpoints

Published

Viewpoint Topics

Professionals

Author

Cynthia J. Larose

Member / Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.