In a decision favorable to the airline industry—but not helpful to other companies—the California Court of Appeal said that a privacy enforcement action against Delta is not going to fly. On May 25, 2016, the Court of Appeal tossed the California Attorney General’s CalOPPA enforcement action against Delta Airlines, affirming the lower court’s 2013 dismissal of the case with prejudice.
As we previously wrote, California AG’s office has been taking incremental steps toward ensuring that mobile applications comply with CalOPPA. As early as 2012, its office began sending notices of non-compliance to mobile application developers. When some companies failed to respond, the Attorney General chose Delta as its pilot case, promptly filing its first-ever enforcement action under CalOPPA. Over the past three years, we have followed the Attorney General’s CalOPPA compliance campaign, including the Delta case.
The May 25, 2016, appellate ruling means that Delta may be off the hook from having to comply with CalOPPA. However, as we have previously explained, companies outside of the airline industry must remain diligent when it comes to the California Attorney General’s CalOPPA enforcement actions. This is because the recent decision by the Court of Appeal—that federal law preempts state claims against Delta—does not protect non-airlines. As such, California Attorney General’s office will likely continue to pursue similar enforcement actions against other companies that fail to follow its guidance with respect to mobile apps.
To avoid steep penalties, companies that utilize mobile applications should take the following steps:
Determine whether your app collects personally identifiable information.
Consult your privacy team to confirm that your current practices comply not only with CalOPPA, but with other similar laws in all states where you conduct business and with Federal Trade Commission guidelines.