California Attorney General

The federal government may be completely unable to pass laws, but that certainly isn’t the case with the State of California, which has just completed a data privacy hat trick by passing three significant laws addressing a broad subset of data privacy issues. The big question: is your online and/or mobile business ready for the coming changes?

Read the latest Mintz Levin Privacy Alert analyzing what effect these new laws will have on business and how you should be preparing to comply.


By Cynthia Larose, Evan Nadel, and Jake Romero

California Attorney General Kamala Harris’ attempt to bring an enforcement action against Delta Air Lines, Inc. won’t be leaving the runway. California Superior Court Judge Marla J. Miller has dismissed a data privacy complaint against Delta brought by Attorney General Harris. The development comes as an unexpected bump in the road for the Attorney General’s office, which has made enforcement of state privacy regulations a top priority. Judge Miller agreed with Delta’s argument that the claim should be dismissed on federal preemption grounds.

See our Mintz Levin Privacy client advisory here for more information.

We posted this alert back in March, and now California Attorney General Kamala Harris has released a recommended set of privacy best practices for app developers and advertising networks entitled “Privacy on the Go: Recommendations for the Mobile Ecosystem.” Written after consulting a “broad spectrum of stakeholders,” including app developers, ad networks, privacy professionals and privacy advocates, the best practices urge those developing apps to consider building privacy protections in from the start and to display brief notices prior to taking actions such as data collection.

Those of us here at the Privacy & Security Matters blog approve of the title.

Original March 13, 2012 post:

Although one would never realize it when downloading many popular mobile apps on any of the major platforms (Apple’s iTunes, Google, Amazon, RIM, HP, etc.), the requirements of California’s Online Privacy Protection Act to have a “clear and conspicuous” privacy policy apply to mobile apps as well as websites. California’s Attorney General has reached an agreement on a set of principles with Apple, Google, Amazon, HP, RIM and Microsoft that will see all companies implementing new standards for displaying privacy policies for apps that collect personal data.

“We can sue and we will sue,”  Attorney General Kamala D. Harris said when announcing the agreement.   For more, including tips for app developers, see our Mintz Levin client alert here.

As we continue our “new year, new look” series into important privacy issues for 2013, we boldly predict:

Regulatory Scrutiny of Data Collection and Use Practices of Mobile Apps Will Increase in 2013

Mobile apps are becoming a ubiquitous part of the everyday technology experience. But consumer apprehension over data collection and their personal privacy with respect to mobile applications has been growing. And as consumer apprehension grows, so does regulatory scrutiny. In 2012, the Federal Trade Commission (FTC) offered guidance to mobile app developers to “get privacy right from the start.” At the end of 2012, the California Attorney General’s office brought its first privacy complaint against Delta Air Lines, Inc., alleging that Delta’s mobile app “Fly Delta” failed to have a conspicuously posted privacy policy in violation of California’s Online Privacy Protection Act. And also in December, SpongeBob SquarePants found himself in the middle of a complaint filed at the FTC by a privacy advocacy group alleging that the mobile game SpongeBob Diner Dash collected personal information about children without obtaining parental consent.

In 2013, we expect to see new regulatory investigations into privacy practices of mobile applications.   Delta was just one of 100 recipients of notices of non-compliance from the California AG’s office and the first to be the subject of a complaint.  Expect to see more of these filed early in this year as the AG’s office plows through responses from the lucky notice recipients.   Also, we can expect to hear more from the FTC on mobile app disclosure of data collection and use practices and perhaps some enforcement actions against the most blatant offenders.

Recommendation for action in 2013: Take a good look at your mobile app and its privacy policy. If you have simply ported your website privacy policy over to your mobile app, take another look. How is the policy displayed to the end user? How does the user “accept” its terms? Is this consistent with existing law, such as California’s, and does it follow the FTC guidelines?



Written by Evan Nadel and Jake Romero

Delta Air Lines, Inc. may have to pay fines equal to 20 “excess bag” fees for each user that has downloaded its “Fly Delta” mobile application. California Attorney General Kamala Harris has filed a complaint against Delta, alleging that Delta has failed to conspicuously post a privacy policy on its mobile application, in violation of California’s Online Privacy Protection Act (“CalOPPA”).

Over the past year, we have followed the number of incremental steps that the California Attorney General’s office has taken toward ensuring that mobile applications comply with CalOPPA’s provisions, including the requirement that operators of commercial websites and online services that collect personally identifiable information from users post a privacy policy that explains what information is collected and how it is shared.  Most recently, we reported that Attorney General Harris’s office had issued warning letters to the developers of 100 of the most popular mobile applications without compliant privacy policies, giving them 30 days to bring their respective applications into compliance.  At that time, a spokesperson from Delta acknowledged that they had received one such notice, and that Delta “intended to provide the requested information.”

That thirty-day period has since lapsed and, in a complaint filed on Thursday with the San Francisco County Superior Court, Attorney General Harris alleges that Delta continues to engage in unfair business practices by violating CalOPPA’s privacy policy requirement. According to the complaint, the Fly Delta mobile application has been available since 2010 and has been downloaded millions of times. The Fly Delta app collects a broad array of personally identifiable information from its users, including, among other things, geo-location data, photographs, names, addresses, telephone numbers, email addresses, date of birth, credit card numbers and expiration dates, and frequent traveler account numbers. Although Delta’s main website does contain a privacy policy, that privacy policy is not accessible through the mobile application and does not include a full description of the information collected by Fly Delta. Attorney General Harris is seeking an injunction against Delta preventing it from distributing the Fly Delta app, as well as a penalty of $2,500 for each violation. For mobile app developers, “each violation” can mean $2,500 for each time the non-compliant application was downloaded. Civil class actions under California’s Unfair Competition Law (Bus. & Prof. Code § 17200, et seq.) involving “Fly Delta” are likely to follow, although users who downloaded the app at no cost will face a challenge establishing standing under that law.

The legal action against Delta is yet another indication of how serious Attorney General Harris is about enforcing California’s right to privacy.  For mobile app developers, that means there is no better time to make sure that your application complies with California’s regulations.  Here are a few key considerations:

  • CalOPPA requires that the privacy policy be “conspicuously” posted. For mobile applications, that means that the privacy policy must be accessible before the user has downloaded the application. Once the application has been downloaded, the privacy policy should be accessible from inside the application itself.
  • Your mobile application privacy policy must include a full description of the information being collected. We recommend having all of your key technicians review the policy to ensure its accuracy and completeness. Mobile applications have the potential to collect and transmit far more data than the average website, and the full extent of information being transmitted is not always readily apparent.
  • Simply linking to your website’s privacy policy is not sufficient. As noted above, mobile applications can potentially collect much more data than the average website, including geo-location data and pictures that are stored on the mobile device. One of the noteworthy aspects of Attorney General Harris’s complaint against Delta is that it contends that even if the user could access Delta’s website privacy policy through the Fly Delta app, that privacy policy would not be sufficient to bring the application into compliance with CalOPPA.

We are certain to see more legal actions and fines in the near future.

In the meantime, the complaint against Delta serves as a reminder that, in addition to worrying about whether you have too many liquids to get through security, you should also be concerned about whether your app complies with federal and state privacy laws.    If you have questions regarding compliance with CalOPPA and the mobile privacy policy requirements, Mintz Levin’s privacy team is ready to assist.

Written by Jake Romero

In a move signaling increased enforcement of the state’s data privacy and security regulations, California’s Attorney General Kamala D. Harris has announced the creation of the Privacy Enforcement and Protection Unit. The Privacy Unit will be staffed by California Department of Justice employees, including six dedicated prosecutors, and will have broad authority to enforce federal and state laws relating to the collection, retention, disclosure and destruction of private and sensitive information, including medical, financial and government records, by individuals and public and private organizations. Effective immediately, a number of California Justice Department programs related to identity theft enforcement and education will be absorbed by the Privacy Unit, in an effort to centralize and streamline California’s data privacy protection efforts. For California consumers, the creation of the Privacy Unit will likely result in easier access to education materials for protecting personal data. For businesses and organizations collecting, storing, transmitting or processing personally identifiable information, the Privacy Unit is one of many warning signs that California intends to take the enforcement of data privacy regulations seriously.

The creation of the Privacy Unit is the latest in a series of initiatives by the California Attorney General’s office intended to address growing concerns about data privacy. In August 2011, Attorney General Harris announced the creation of the eCrime Unit, a division responsible for “investigating and prosecuting large scale identity theft and technology crimes with actual losses in excess of $50,000.” Earlier this year, the six largest companies offering platforms for mobile applications agreed to a set of principles, authored and developed by the Attorney General’s office, designed to ensure that mobile applications sold on such platforms comply with California’s Online Privacy Protection Act. Last month, that set of mobile application privacy principles was expanded significantly when Facebook elected to sign on as well.

With the Privacy Unit in place, actions enforcing California’s data privacy regulations, which are among the strictest in the nation, are certain to increase.  “The Privacy Unit,” according to Attorney General Harris, “will police the privacy practices of individuals and organizations to hold accountable those who misuse technology to invade the privacy of others.”  Based on prior comments from Harris, such enforcement may include prosecutions under California’s Unfair Competition Law  and/or False Advertising Law, which imposes penalties of up to $500,000.   As a result, if you operate a business or organization using or accessing the personally identifiable information of others, time may be running out to ensure that you comply with California’s quickly evolving requirements.