First Lawsuit Filed Under California's Online Privacy Protection Act

Author:Mr Tyler Newby
Profession:Fenwick & West LLP

The People of the State of California v. Delta Air Lines Inc., No. 12-526741 (Superior Court for the State of California, City and County of San Francisco filed Dec. 6, 2012).

On Thursday, December 6, 2012, California Attorney General Kamala D. Harris filed the first enforcement action under California's Online Privacy Protection Act (CalOPPA), marking the latest step in the increasing regulatory enforcement of California's online privacy law. The complaint alleges that Delta Airlines violated the law by failing to include a CalOPPA compliant privacy policy within its Fly Delta mobile app. CalOPPA has been in place for eight years, but the Attorney General has recently made its enforcement a priority, especially in the mobile app market.

California's Online Privacy Protection Act (CalOPPA)

CalOPPA, Cal. Bus. & Prof. Code §§ 22575-22579, applies to any operator of a commercial website or online service – including a mobile app that collects personally identifiable information about consumers residing in California.

The statute defines personally identifiable information to include:

A first and last name. A home or other physical address, including street name and name of a city or town. An e-mail address. A telephone number. A social security number. Any other identifier that permits the physical or online contacting of a specific individual. Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described above. The law requires the operator of a website or online service that collects personally identifiable information to "conspicuously post" its privacy policy. For operators of online services like mobile apps the required privacy policy must be "reasonably accessible . . . for consumers of the online service." According to the Attorney General, having a website with the applicable privacy policy conspicuously posted may be adequate, but only if a link to that website is "reasonably accessible" to the user within the app. This can present design challenges in the mobile environment, where screen space is at a premium.

The privacy policy must:

Identify categories of personally identifiable information that the operator collects. Identify categories of third-parties with whom the operator may share personally identifiable information. Describe the process the consumer can use to review and request changes to...

To continue reading