Developers Take Note: California Sues Delta for Violating the State’s Mobile App Privacy Laws

Here’s a cautionary tale for any company connecting with customers and clients on mobile devices.

During one of the year’s busiest travel seasons, when a change of plans can cost travelers upwards of $150, Delta Airlines was just hit with a lawsuit for NOT changing a thing. (Oh, the irony.)

Earlier this year, California Attorney General Kamala Harris warned the airline, along with about 100 other companies and mobile app developers, that she was cracking down on apps that did not comply with the California Online Privacy Protection Act.

But Delta failed to change course, and it didn’t take long for the airline to show up on again Harris’ radar screen. From Ifrah Law:

“In the complaint against Delta, the AG contends that Delta has operated a mobile app called “Fly Delta” since at least 2010… The California AG alleges that the Fly Delta app lacks a privacy policy, despite the fact that Delta’s app collects substantial amounts of personal information, including full names, telephone numbers, email addresses, photographs, and geo-locations. According to the complaint, ‘Users of the Fly Delta application do not know what personally identifiable information Delta collects about them, how Delta uses that information, or to whom that information is shared, disclosed, or sold.’”

The move – or to be precise, the inaction – could end up costing Delta a lot more than a change fee: Harris is seeking penalties of $2,500 for each time the “Fly Delta” app was downloaded (according to the complaint, it has been downloaded “millions of times”).

Five takeaways for companies with mobile plans:

1. It’s time for everyone to comply with the law:

“According to a recent TRUSTe survey cited by the California AG, less than 20 percent of the top 340 free mobile apps contained a link to a privacy policy. As such, all website operators and mobile app operators, as well as the companies who employ them, should monitor the California AG’s enforcement efforts and ‘best practices’ guidance so as to conform their privacy policies to California standards.” (White & Case)

2. Policies must clearly describe the information you collect and what you do with it:

“Your mobile application privacy policy must include a full description of the information being collected. We recommend having all of your key technicians review the policy to ensure its accuracy and completeness. Mobile applications have the potential to collect and transmit far more data than the average website, and the full extent of information being transmitted is not always readily apparent.” (Mintz Levin)

3. Linking to your website privacy policy won’t do the trick:

“Lest companies take comfort that their website privacy policies can keep them out of trouble with respect to mobile applications, the complaint against Delta claims that its website privacy policy (i) does not mention the App (ii) is not reasonably accessible to consumers of the App and (iii) does not disclose several types of personal information that the App collects but the website does not. Drawing inferences from these allegations, it is unlikely that companies can satisfy CalOPPA’s mobile application privacy requirements through a website privacy policy.” (BakerHostetler)

4. 30 days means 30 days:

“The Attorney General’s [October 30, 2012] letters asked app developers to respond within 30 days with either (1) specific plans and a timeline to comply with CalOPPA or (2) an explanation of why their app is not covered by CalOPPA. Just a few days after the 30 day period ended, on December 6, 2012, the Attorney General filed the first legal action under CalOPPA against Delta Airlines, alleging that its Fly Delta app violates the online privacy law.” (Fenwick & West)

5. Stay tuned: there’s undoubtedly more to come:

“The California Attorney General’s lawsuit against Delta is a sure sign that California will continue to follow through on its efforts to mandate compliance with its Online Privacy Protection Act, and other states may follow California’s lead.” (Ifrah Law)

The updates:

Follow @Privacy_Law on Twitter>>