Cal AG Sues Delta over Lack of Privacy Policy for Mobile App


California law is clear that mobile apps collecting personal information need privacy policies, and that the users of those apps deserve to know what is being done with their personal information.

— California Attorney General Kamala Harris on bringing first lawsuit for failure to include privacy policy with mobile app.

The Law: California Online Privacy Protection Act of 2003

California Business & Professions Code Sections 22575 – 22579

An operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California shall

  • CONSPICUOUSLY POST its privacy policy on its website (i.e., a text hyperlink should contain the word Privacy, be written in caps of equal or greater size than surrounding text, in contrasting font or color) which discloses:
      • the CATEGORIES OF PERSONALLY IDENTIFIABLE INFORMATION (PII) COLLECTED;
      • the CATEGORIES OF PII SHARED WITH THIRD PARTIES;
      • the PROCESS to REVIEW AND REQUEST CHANGES TO PII (if any);
      • how Consumer is NOTIFIED of PRIVACY POLICY CHANGES; and
      • its EFFECTIVE DATE

Liability attaches only if a web operator fails to post a policy within thirty (30) days of being notified of non-compliance.

Application to Mobile Apps and Delta Lawsuit

California Attorney General Harris has taken the position that Cal-OPPA applies to mobile platforms as well and has secured commitments from mobile and social app makers to include privacy policies. This fall, Harris began sending notices of non-compliance to a number of companies, explaining that

an operator of a mobile application (“app”) that uses the Internet to collect PII is an “online service” within the meaning of CalOPPA.

One such company was Delta Airlines and its Fly Delta mobile app.

[S]ince at least 2010, Delta has operated a mobile app called “Fly Delta” for use on smartphones and other electronic devices. The Fly Delta app may be used to check-in online for an airplane flight, view reservations for air travel, rebook cancelled or missed flights, pay for checked baggage, track checked baggage, access a user’s frequent flyer account, take photographs, and even save a user’s geo-location. Despite collecting substantial personally identifiable information such as a user’s full name, telephone number, email address, frequent flyer account number and pin code, photographs, and geo-location, the Fly Delta application does not have a privacy policy.

Delta failed to correct this within the 30-day period and thereby triggered the California Attorney General’s action, which seeks to restrain further violations and $2,500 in damages per app downloaded in violation. The suit follows the creation of a new Privacy Enforcement Unit within the Attorney General’s Office.

Delta has responded by quickly posting a privacy policy, but one analyst has already faulted the policy as incomplete.