California Attorney General Kamala Harris failed in her first attempt to sue a company for failing to post a privacy policy on a mobile app.
Harris alleged that Delta Airlines violated the California Online Privacy Protection Act (“CalOPPA”) by failing to include a privacy policy on its mobile app. The lawsuit, in the California Superior Court in San Francisco, was the first enforcement action under CalOPPA since it came into force in 2004.
On Thursday, the district court granted Delta’s motion to dismiss the complaint, concluding that the Airline Deregulation Act (ADA) pre-empts the state’s claims. The ADA provides that “a State….may not enact or enforce a law, regulation, or other provision having the force and effect of law related to a price, route, or service of an air carrier.” Courts have construed the scope of preemption by the ADA broadly, and the majority of courts which have considered the issue have held that the ADA preempts the application of state consumer protection laws to airlines. See Morales v. Trans World Airlines, 504 U.S. 374 (1992). The judge decided that the operation of a mobile app for air travel services is “related to price, route or service of an air carrier” and thus agreed with Delta’s argument that the California AG’s claim is pre-empted.
This will be a relief for the already heavily regulated airline industry. Airlines already look to State law for examples of best practices, but managing to the ever evolving and often conflicting State laws on privacy as well as the DOT’s regulations (not forgetting the data requirements of the FAA, TSA, CBP and foreign governments) would have been a double burden. This case appears to confirm that the DOT, not the States, regulates privacy practices by airlines.
Harris has stated that she plans to police mobile app privacy using CalOPPA. Her office released a set of best practices for mobile app privacy policies in January, a month before the Federal Trade Commission released its own mobile app guidelines. But considering federal regulators’ interest in the issue, it is debatable whether, like the Delta case, such matters are better left for enforcement at the Federal level.
Delta added a prominent link to its privacy policy on the home screen of the Fly Delta App not long after the filing of the suit and has had a public privacy policy on its main Web site all along.