Last month, I blogged about how California AG Kamala Harris had issued warnings to multiple mobile app developers that they were violating the California Online Privacy Protection Act (OPPA) by failing to conspicuously post their privacy policies. Consistent with OPPA, Harris gave the companies 30 days to conspicuously post a privacy policy within their app that informs users of what personally identifiable information is being collected and what will be done with that private information.
Apparently, at least one company, Delta Airlines, failed to heed that warning for its “Fly Delta” app. In a complaint filed on December 6, 2012 in San Francisco Superior Court, Harris alleges that since at least 2010, Delta’s “Fly Delta” mobile app, which can be used for a variety of purposes associated with flying on Delta, including checking-in, paying for checked baggage or saving a user’s geo-location, collected personally identifiable information, but did not have a privacy policy. Notably, the fact that Delta included a privacy policy on its website was not sufficient because such privacy policy was not reasonably accessible in the “Fly Delta” application, and it did not address the collection and use of a variety of personally identifiable information through the app, including: (i) user’s full name; (ii) geo-location data; (iii) street address (residential and billing); (iv) telephone numbers (including cell, fax and/or page); (v) email address; (vi) geo-location data; (vii) credit/debit card numbers and expiration dates; and (viii) Delta SkyMiles account number and flight information. The complaint also alleges that Delta has failed to comply with OPPA because through its provision of the “Fly Delta” app, Delta either knowingly and willfully or negligently and materially failed to comply with its existing Privacy Policy.
Pursuant to California’s Unfair Competition Law, Section 22575 of the Business and Professions Code, the lawsuit seeks to enjoin Delta from distributing “Fly Delta” without a privacy policy, as well as penalties of up to $2,500 for each violation. The complaint does not specify the total amount of damages sought. These actions demonstrate how important it is that mobile applications comply with OPPA by conspicuously posting a privacy policy within the app and ensuring that the policy addresses the collection, use and sharing of personally identifiable information through the app.
Harris is not the only regulator focused on mobile applications. This past week, mobile privacy legislation was introduced by Senator Al Franken, Chairman of the Senate Subcommittee on Privacy, Technology and Law, when he released a revised version of the Location Privacy Act, which would require companies to obtain express consent from users before collecting or sharing location data from mobile devices. Also, House Democrat Hank Johnson has developed a web-based legislative project called appRights.us that is intended to facilitate a public conversation about how Congress can help ensure the privacy and security of mobile device users. This past week, Johnson released the first provision of the AppRights.us bill – “Protecting Your Mobile Privacy through User Control.” Finally, on Monday, Dec. 10, 2012, the Federal Trade Commission will hold a press call to announce a follow-up report to an earlier FTC staff report on mobile apps for kids. As has been the case throughout this year and as expected for 2013, mobile privacy continues to be a hot topic.
UPDATE 12/10/2012: Today, the FTC released a Staff Report titled: “Mobile Apps for Kids: Disclosures Still Not Making the Grade.” In its second examination of the privacy disclosures and practices of apps offered for children in the Google Play and Apple App stores, the FTC found little progress toward giving parents the information they need to determine what data is being collected from their children, how it is being shared, or who will have access to it.