Yesterday, California’s Attorney General Kamala Harris filed the state’s first suit under California’s Online Privacy Protection Act.  The lawsuit, against Delta Air Lines, followed the Attorney General’s warning letters to Delta and many other companies in October to post privacy policies with their mobile apps to inform users of what personally identifiable information is being collected and how the information is used by the company (previously covered by FTC Beat here).

California’s Online Privacy Protection Act mandates that commercial operators of websites and online services, including mobile and social apps, conspicuously post a privacy policy if they collect personally identifiable information from California residents.  In addition to posting a privacy policy, operators must abide by the promises and representations made in those policies.

In the complaint against Delta, the AG contends that Delta has operated a mobile app called “Fly Delta” since at least 2010.  Individuals can use the Fly Delta app to check in for flights, view reservations, rebook  flights, pay for checked baggage, and access a user’s frequent flyer account, among other actions.  The California AG alleges that the Fly Delta app lacks a privacy policy, despite the fact that Delta’s app collects substantial amounts of personal information, including full names, telephone numbers, email addresses, photographs, and geo-locations.  According to the complaint, “Users of the Fly Delta application do not know what personally identifiable information Delta collects about them, how Delta uses that information, or to whom that information is shared, disclosed, or sold.”  The AG asserts that Delta’s conduct violates the Online Privacy Protection Act and California’s Unfair Competition Law.

Delta will, of course, have a chance to defend itself and could argue that its general website policy covers its mobile applications.  Many companies maintain a general privacy policy that covers their website, their mobile applications, and even their social networks.   The complaint acknowledges Delta’s website privacy policy though contends that it is not “reasonably accessible to consumers of the Fly Delta app” and that the app collects different information than is collected through the website.

The lawsuit seeks an injunction to prevent Delta from distributing its application and requests penalties of up to $2,500 for each violation (in other words, each time the app is downloaded).   According to the complaint, the Fly Delta app “has been downloaded by consumers millions of times since October of 2010 without the conspicuously posted privacy policy required by” the Online Privacy Protection Act. The Attorney General’s action in filing the lawsuit demonstrates that she intends to follow through on her earlier warnings to companies to ensure their compliance with the Online Privacy Protection Act.  Other companies who received similar warning letters included Open Table and United Continental.

Companies offering mobile apps and commercial websites should ensure that they post and abide by privacy policies when they are collecting personal information.  Further, if a general privacy policy is meant to cover a company’s app, it should so state and it would be prudent for it to be easily accessible through the mobile app.   The California Attorney General’s lawsuit against Delta is a sure sign that California will continue to follow through on its efforts to mandate compliance with its Online Privacy Protection Act, and other states may follow California’s lead.