skip to Main Content

Hot on the heels of a global settlement agreement with major app providers, the California Attorney General’s Office (AG) has filed a lawsuit against Delta Air Lines, Inc. for failure to post a privacy policy associated with its mobile application.

California’s Online Privacy Protection Act (Act) requires that “an operator of a commercial website or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial website or online service shall conspicuously post its privacy policy.” In a settlement agreement reached with major app providers earlier this year, the AG stated that the Act requires mobile applications that collect personal data from California consumers to conspicuously post a privacy policy. The agreement reached was a “statement of principles”, as follows:

  1. Where applicable law so requires, an application (“app”) that collects personal data from a user must conspicuously post a privacy policy or other statement describing the app’s privacy practices that provides clear and complete information regarding how personal data is collected, used and shared.
  2. In an effort to promote greater transparency and to increase developer awareness of privacy issues, the Mobile Apps Market Companies will include, in the application submission process for new or updated apps, either (a) an optional data field for a hyperlink to the app’s privacy policy or a statement describing the app’s privacy practices or (b) an optional data field for the text of the app’s privacy policy or a statement describing the app’s privacy practices. For developers who choose to submit a hyperlink or text in the available data field, the Mobile Apps Market Companies will enable access to the hyperlink or text from the mobile application store.
  3. The Mobile Apps Market Companies have, or will implement a means for users to report to the Mobile Platform Companies apps that do not comply with applicable terms of service and/or laws.
  4. The Mobile Apps Market Companies have or will implement a process for responding to reported instances of non-compliance with applicable terms of service and/or laws. Any action that a Mobile Apps Market Company takes with respect to such an application will not limit law enforcement or any other regulator’s right to pursue an action against a developer for alleged violation of applicable law.
  5. The Mobile Apps Market Companies will continue to work with the California Attorney General to develop best practices for mobile privacy in general and model mobile privacy policies in particular. Within six months the participants will convene to evaluate privacy in the mobile space, including the utility of education programs regarding mobile privacy. 

The suit against Delta parrots those principles, and it is both short and to the point. It alleges that Delta’s “Fly Delta” mobile application collects a substantial amount of personally identifiable information (PII), but the application does not have a privacy policy in the application itself, in the stores from which the application may be downloaded, or any reference to the application in the privacy policy on Delta’s website. In short, the app collects PII, but “California consumers do not know how Delta is collecting, managing or sharing the PII.”

This may be a single warning shot to mobile app developers, or herald a new round of enforcement efforts against those developers. Regardless, Compliance with the Act by app developers should now be the norm, and the compliance requirements are identical as those that website or online service operators have been living with since 2004. For further information or assistance for mobile app developers, please contact Cyrus Wadia, head of Cooper, White & Cooper LLP’s Intellectual Property Group.

Back To Top