California Attorney General Kamala Harris has made good on her promise to get tough with mobile app makers that fail to provide privacy policies in their apps. Yesterday, her office sued Delta Airlines for violating the California Online Privacy Protection Act (“CalOPPA”), which requires providers of websites and “online services” to conspicuously post privacy policies that describe the provider’s data practices. Harris contends that Delta’s “Fly Delta” app does not contain a privacy policy, despite the fact that Delta collects “personally identifiable information” (“PII”), as that term is defined in CalOPPA.
Interestingly, Harris also alleges that Delta “fail[ed] to comply with the provisions of its privacy policy,” which itself is a violation of CalOPPA. This allegation is somewhat puzzling given that the core assertion of the suit is that Delta has failed to maintain any privacy policy at all in its app. But it appears possible that Harris will argue Delta has failed to comply with its website privacy policy, which, the complaint notes, does not disclose certain categories of PII that are being collected through the app (e.g., location information).
Also noteworthy are allegations that the “Fly Delta app is not the primary commercial activity of Delta,” and that “CalOPPA does not relate to rates, routes or services of any air carrier.” These allegations anticipate a preemption challenge by Delta pursuant to the Airline Deregulation Act. Delta would appear to have a strong argument that the suit is, indeed, preempted. As noted in the complaint, the app enables people to search for and book flights. Thus, the Attorney General’s argument that the app is not related to the “routes and services” of Delta would seem to face an uphill battle.
The one-count complaint seeks recovery under Cal. Bus. & Prof. Code § 17200, alleging that the violations of CalOPPA are “unfair” acts. In addition to injunctive relief, Harris seeks a $2,500 per-violation civil penalty.