About WDFloyd

Dave Floyd is a lawyer, consultant, and business owner in Austin, Texas. He is planning to run for Austin City Council to represent Austin's new District 5.

Monday, March 11, 2013

Legal Liability for Failing to Include a Privacy Statement in a Mobile App

This article was originally posted on the Prism Risk Management blog in January:


Companies that do business online must navigate an increasingly complex legal landscape, as state governments pass legislation regarding consumer privacy rights and data security. California has one of the strictest privacy laws in the country, the California Online Privacy Protection Act (CalOPPA). The state’s attorney general recently filed the first lawsuit under the statute for failing to include adequate privacy protections. The case, California v. Delta Air Lines, Inc., No. CGC-12-526741 (Cal. Super. Ct., Dec. 6, 2012), alleges that Delta Air Lines violated CalOPPA by failing to include a privacy policy in its mobile application. While CalOPPA should only apply to companies that do business in California, federal statutes with similar provisions have nationwide reach.

California enacted CalOPPA in 2004. The law requires businesses that operate online services, including websites and mobile apps, to provide detailed information to consumers regarding what personal information the business collects, such as a user’s name and contact information. The business must post this privacy policy in a conspicuous location on the website, via a hyperlink, or, in the case of mobile apps, within the application. The policy must notify users of how the business uses their personal information and with whom it shares the information.

The lawsuit alleges that Delta’s mobile app, “Fly Delta,” does not have a privacy policy. The app is available for smartphones and other mobile devices, allowing users to check in to flights, check reservations, track luggage, and more. As such, users must input personal information including their Delta online account login. The state alleges that Delta does not have a privacy policy displayed in any of the locations the statute allows, such as on Delta’s website, in an “app store” where users can download the app, or within the app itself. The lawsuit seeks injunctive relief and a fine of $2,500 for each CalOPPA violation.

Although Delta is incorporated in Delaware and headquartered in Georgia, the state of California asserts jurisdiction over it because it maintains a presence at airports in at least thirteen California cities. CalOPPA only applies to users residing in the state, and Delta’s app is available for download to those users. The mere availability of an online service within a state does not, by itself, give a court jurisdiction over the business providing that service, but the growth of web-based services has also led to a growth in creative jurisdictional arguments. Delta’s physical presence in California may have made the issue simple in its case, but companies may face liability in unfamiliar jurisdictions under online-related laws in the future.

Most states do not have statutes comparable to CalOPPA. Texas, for example, has no statutes regulating the privacy of personal information online, except regarding government web sites. At the federal level, the Children’s Online Privacy Protection Act (COPPA) applies to businesses nationwide that collect personal information from children under the age of thirteen. The scope of the law may be narrower than California’s law, but its requirements are stricter, including notices to parents identifying the types of information gathered, and procedures to allow parents to review and remove information about their children. Recent amendments to COPPA expand its scope to include businesses that have “actual knowledge” that they collect personal information from children, and not just online services expressly directed at children.