Skip to main content

Delta Finds Reprieve in State Court but Not Everyone Will Get to Fly the Friendly Skies

California Attorney General Kamala Harris’ attempt to bring an enforcement action against Delta Air Lines, Inc. won’t be leaving the runway. California Superior Court Judge Marla J. Miller has dismissed a data privacy complaint against Delta brought by Attorney General Harris. The development comes as an unexpected bump in the road for the Attorney General’s office, which has made enforcement of state privacy regulations a top priority. Judge Miller agreed with Delta’s argument that the claim should be dismissed on federal preemption grounds.

As we wrote previously, the claim against Delta arose in connection with the “Fly Delta” mobile application which, according to Attorney General Harris, violates California’s Online Privacy Protection Act (“CalOPPA”) because it fails to post a privacy policy. In October 2012, Delta was one of 100 mobile application developers to receive a warning letter from the Attorney General’s office, requesting that its application be brought into compliance with state law. After the warning letter’s 30 day period expired, Attorney General Harris filed an action alleging that Delta’s application continued to engage in unfair business practices by violating CalOPPA.

While the dismissal of the complaint against Delta is not the outcome the Attorney General wanted, it is properly viewed as a set-back rather than defeat. The Attorney General’s office has worked systematically over the past two years to build consensus around its claim that mobile applications are an “online service” and therefore must comply with CalOPPA. Its complaint against Delta was widely viewed as a test case signaling the Attorney General’s intention to increase enforcement efforts. Although the complaint was dismissed, Judge Miller’s holding that the federal Airline Deregulation Act of 1978 preempts application of CalOPPA to the Fly Delta application is industry-specific. Attorney General Harris is still free to (and likely will) bring enforcement actions against non-compliant mobile applications that aren’t operated by commercial airlines. Whether the same preemption argument would apply to other federally-regulated industries remains an open question.

So then, if you’re not in the business of operating a commercial airline, what does this mean for you? It means there is no time like the present to make sure that your mobile application or website service complies with CalOPPA’s requirements. An advisor to Attorney General Harris has already confirmed that in addition to preparing an appeal of the dismissal of the claim against Delta, the Attorney General’s office is preparing to bring a number of additional enforcement actions. As we have noted previously, the $2,500 per violation fine associated with this type of claim would potentially be staggering, since each download of a non-compliant application would constitute a separate violation. The potential penalties likely exceed the cost to comply by a large multiple. As always, if you have any questions your Mintz Levin privacy team is ready to help.


Read and subscribe to Privacy & Security Matters blog.

Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.

Jake Romero