By Scott W. Pink and Carissa Bouwer

California Attorney General Kamala Harris launched yet another shot across the bow of advertisers when she filed a complaint last week against Delta Airlines in San Francisco Superior Court alleging that Delta had distributed a mobile app without providing notice of its privacy policy in violation of the California Online Privacy Protection Act, enacted in 2004 (“California Online Privacy Act”). Advertisers will need to take note of this case and review their mobile applications to ensure they are in compliance with the California Online Privacy law.

The California law requires commercial operators of websites and online services to conspicuously post detailed privacy policies which inform consumers of the personal information that is collected from them and how that information will be used. Cal. Bus. & Prof. Code §§ 22575-22579. Although it is a California state law, it has ramifications for all app developers because the law applies to any operator of a website or online service that collects personally identifiable information about consumers residing in California. Personally identifiable information includes name, address, e-mail address, telephone number, social security number, and any other identifier that permits contacting a specific individual. California law provides for fines up to $2500 per noncompliant app that is downloaded by a California consumer. Id. at § 17200, et. al.

As smartphones and tablets have become ubiquitous, advertising has naturally shifted to these new technology platforms. An increasingly popular tool for reaching out to consumers is to distribute free mobile apps that consumers can use to receive information about an advertiser’s product. Both federal and state regulators, including the Federal Trade Commission, have expressed concerns that advertisers and other distributors of mobile apps have been using these apps for collecting and using personal information of consumers without providing adequate notice of such activities.

In February 2012, California Attorney General Kamala Harris reached an agreement with six of the leading mobile app companies. Apple, Google, Amazon, Microsoft, Hewlett-Packard, and Research in Motion agreed to adhere to California’s privacy policies and work to bring app developers into compliance. In April 2012, Harris announced that mobile app providers had six months to comply with the privacy policy requirements under California law. In October, Harris sent warning letters to 100 companies, including Delta Airlines, warning them they were in violation of California’s privacy policy laws.

California’s complaint was filed on December 6 in San Francisco Superior Court and sought to enjoin Delta from continuing to distribute the app without a privacy policy. The People Of The State Of California v. Delta Air Lines, CGC-12-526741. Delta’s smartphone app, Fly Delta, allows customers to check into flights, download boarding passes, track bags, remind them where they parked, and read about planes in its fleet. However, the app also collect personal information from customers such as frequent-flier account numbers, birthdates, geographic location, and sometimes credit card numbers. Although Delta had a privacy policy posted on its website, the complaint alleges that it was not reasonably accessible to users, did not list all of the information collected by the app, and did not specifically mention the Fly Delta App. In response to the complaint, on December 7, Delta had already linked its privacy policy to the Fly Delta App.

While California has been taking aim at all app developers, the Federal Trade Commission has been focusing on privacy policies for apps aimed at children. In December 2012, the FTC released a report titled “Mobile Apps for Kids: Disclosures Still Not Making the Grade” which criticized the way many app developers collect personal information from children without obtaining parental consent or disclosing the information that will be collected. The report stated that in a survey of 400 popular children’s apps, 80% did not have a privacy policy that was accessible before purchase, and only 20% of apps accurately disclosed what information was collected. On December 11, days after the FTC report was released, the Center for Digital Democracy (“CDD”) filed an FTC complaint against Mobbles, a virtual pet game popular among children, for violations of the Children’s Online Privacy Protection Act.

The actions by California and the FTC illustrate the increasing importance for advertisers and app developers to review any mobile apps they may be distributing to ensure that those apps link to the applicable privacy policy and that the underlying privacy policy references the app, what personal information it collects, how it is used and to whom it is disclosed. Contact the authors if you need any assistance in conducting such a review.