It’s time for a compliance check on those website or mobile app privacy policies, before the California Attorney General comes knocking.

Attorney General Kamala D. Harris has announced the release of a new tool for consumers to report websites, mobile applications, and other online services that may be in violation of the California Online Privacy Protection Act (CalOPPA).  The form is available at  As a reminder, a website owner or app operator may violate CalOPPA by failing to post privacy policies or posting incomplete or inadequate policies that do not meet the requirements of the statute.

As we have previously written on this blog, the potential cost for not meeting the CalOPPA requirements can be substantial.  Violations of CalOPPA may result in penalties of up to $2,500 per violation which, for mobile applications, means up to $2,500 for each copy of the non-compliant application that is downloaded by California consumers.

“In the information age, companies doing business in California must take every step possible to be transparent with consumers and protect their privacy,” said Attorney General Harris. “As the devices we use each day become increasingly connected and more Americans live their lives online, it’s critical that we implement robust safeguards on what information is shared online and how. By harnessing the power of technology and public-private partnerships, California can continue to lead the nation on privacy protections and adapt as innovations emerge.”

Mobile app creators should be aware that the Attorney General’s office will not only be relying on consumers to identify non-compliant apps.  The Office is also partnering with the Usable Privacy Policy Project at Carnegie Mellon University to develop a tool that will identify mobile apps that may be in violation of CalOPPA by looking for discrepancies between disclosures in a given privacy policy and the mobile app’s actual data collection and sharing practices (for example, a company might share personal information with third parties but doesn’t disclose that in its privacy policies).

If you have any questions regarding CalOPPA compliance, please do not hesitate to contact the team at Mintz Levin.



In a decision favorable to the airline industry—but not helpful to other companies—the California Court of Appeal said that a privacy enforcement action against Delta is not going to fly.  On May 25, 2016, the Court of Appeal tossed the California Attorney General’s CalOPPA enforcement action against Delta Airlines, affirming the lower court’s 2013 dismissal of the case with prejudice.

As we previously wrote, California AG’s office has been taking incremental steps toward ensuring that mobile applications comply with CalOPPA.  As early as 2012, its office began sending notices of non-compliance to mobile application developers.  When some companies failed to respond, the Attorney General chose Delta as its pilot case, promptly filing its first-ever enforcement action under CalOPPA.  Over the past three years, we have followed the Attorney General’s CalOPPA compliance campaign, including the Delta case.   Continue Reading Delta Wins CalOPPA Case – But Your Mobile App May Not Fly

The federal government may be completely unable to pass laws, but that certainly isn’t the case with the State of California, which has just completed a data privacy hat trick by passing three significant laws addressing a broad subset of data privacy issues. The big question: is your online and/or mobile business ready for the coming changes?

Read the latest Mintz Levin Privacy Alert analyzing what effect these new laws will have on business and how you should be preparing to comply.


As we continue our “new year, new look” series into important privacy issues for 2013, we boldly predict:

Regulatory Scrutiny of Data Collection and Use Practices of Mobile Apps Will Increase in 2013

Mobile apps are becoming a ubiquitous part of the everyday technology experience.  But, consumer apprehension over data collection and their personal privacy with respect to mobile applications has been growing.   And as consumer apprehension grows, so does regulatory scrutiny.  In 2012, the Federal Trade Commission (FTC) offered guidance to mobile app developers to “get privacy right from the start.”    At the end of 2012, the California Attorney General’s office brought its first privacy complaint against Delta Airlines, Inc., alleging that Delta’s mobile app “Fly Delta” failed to have a conspicuously posted privacy policy in violation of California’s Online Privacy Protection Act.  And also in December, SpongeBob Square Pants found himself in the middle of a complaint filed at the FTC by a privacy advocacy group alleging that the mobile game SpongeBob Diner Dash collected personal information about children without obtaining parental consent.

In 2013, we expect to see new regulatory investigations into privacy practices of mobile applications.   Delta was just one of 100 recipients of notices of non-compliance from the California AG’s office and the first to be the subject of a complaint.  Expect to see more of these filed early in this year as the AG’s office plows through responses from the lucky notice recipients.   Also, we can expect to hear more from the FTC on mobile app disclosure of data collection and use practices and perhaps some enforcement actions against the most blatant offenders.

Recommendation for action in 2013:  Take a good look at your mobile app and its privacy policy.   If you have simply ported your website privacy policy over to your mobile app – take another look.  How is the policy displayed to the end user?  How does the user “accept” its terms?  Is this consistent with existing law, such as California, and does it follow the FTC guidelines?  



Written by Evan Nadel and Jake Romero

Delta Airlines, Inc. may have to pay fines equal to 20 “excess bag” fees for each user that has downloaded its “Fly Delta” mobile application.  California Attorney General Kamala Harris has filed a complaint against Delta, alleging that Delta has failed to conspicuously post a privacy policy on its mobile application, in violation of California’s Online Privacy Protection Act (“CalOPPA”).

Over the past year, we have followed the number of incremental steps that the California Attorney General’s office has taken toward ensuring that mobile applications comply with CalOPPA’s provisions, including the requirement that operators of commercial websites and online services that collect personally identifiable information from users post a privacy policy that explains what information is collected and how it is shared.  Most recently, we reported that Attorney General Harris’s office had issued warning letters to the developers of 100 of the most popular mobile applications without compliant privacy policies, giving them 30 days to bring their respective applications into compliance.  At that time, a spokesperson from Delta acknowledged that they had received one such notice, and that Delta “intended to provide the requested information.”

That thirty day period has since lapsed and, in a complaint filed on Thursday with the San Francisco County Superior Court,  Attorney General Harris alleges that Delta continues to engage in unfair business practices by violating CalOPPA’s privacy policy requirement.  According to the complaint, the Fly Delta mobile application has been available since 2010 and has been downloaded millions of times.  The Fly Delta app collects a broad array of personally identifiable information from its users, including, among other things, geo-location data, photographs, names, addresses, telephone numbers, email addresses, date of birth, credit card numbers and expiration dates, and frequent traveler account numbers.  Although Delta’s main website does contain a privacy policy,  that privacy policy is not accessible through the mobile application and does not include a full description of the information collected by Fly Delta.  Attorney General Harris is seeking an injunction against Delta preventing it from distributing the Fly Delta app, as well as a penalty of $2,500 for each violation.  For mobile app developers, “each violation” can mean $2,500 for each time the non-compliant application was downloaded.   Civil class actions under California’s Unfair Competition Law (Bus. & Prof. Code § 17200, et seq.) involving “Fly Delta” are likely to follow, although users who downloaded the app at no cost will face a challenge establishing standing under that law.

The legal action against Delta is yet another indication of how serious Attorney General Harris is about enforcing California’s right to privacy.  For mobile app developers, that means there is no better time to make sure that your application complies with California’s regulations.  Here are a few key considerations:

  • • CalOPPA requires that the privacy policy be “conspicuously” posted.  For mobile applications, that means that the privacy policy must be accessible before the user has downloaded the application.  Once the application has been downloaded, the privacy policy should be accessible from inside the application itself.
  • • Your mobile application privacy policy must include a full description of the information being collected.  We recommend having all of your key technicians review the policy to ensure its accuracy and completeness.  Mobile applications have the potential to collect and transmit far more data than the average website, and the full extent of information being transmitted is not always readily apparent.
  • • Simply linking to your website’s privacy policy is not sufficient.  As noted above, mobile applications can potentially collect much more data than the average website, including geo-location data and pictures that are stored on the mobile device.  One of the noteworthy aspects of Attorney General Harris’s complaint against Delta is that it contends that even if the user could access Delta’s website privacy policy through the Fly Delta app, that privacy policy would not be sufficient to bring the application into compliance with CalOPPA.

We are certain to see more legal actions and fines in the near future.

In the meantime, the complaint against Delta serves as a reminder that, in addition to worrying about whether you have too many liquids to get through security, you should also be concerned about whether your app complies with federal and state privacy laws.    If you have questions regarding compliance with CalOPPA and the mobile privacy policy requirements, Mintz Levin’s privacy team is ready to assist.

Written by Jake Romero

If a haunted house or trick-or-treating was your scariest experience last week, you must not be one of the 100 mobile application developers who received a notice of non-compliance from California Attorney General Kamala D. Harris.  On October 30, Attorney General Harris’s office announced that letters had been sent to the developers of dozens of the most popular mobile applications warning in each case that the developer’s application is not in compliance with California’s Online Privacy Protection Act (“CalOPPA”) because it fails to have a privacy policy reasonably accessible to consumers .  The letters give the developer 30 days to respond by providing either specific plans to bring the application into compliance or an explanation regarding why the developer believes that the application is not covered by CalOPPA.

As noted in the non-compliance notice letters, the potential cost to mobile application developers of not meeting the CalOPPA requirements can be substantial.  Violations of CalOPPA may result in penalties of up to $2,500 per violation which, for mobile applications, means up to $2,500 for each copy of the non-compliant application that is downloaded by California consumers.  Since Attorney General Harris has started by targeting the most popular non-compliant applications, including, reportedly, the mobile applications of Delta Airlines, United Continental Holdings and OpenTable , the penalties assessed could potentially be substantial.

As we have previously discussed on this blog, CalOPPA requires that “an operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service” conspicuously post a privacy policy that meets the requirements of California Business and Professions Code § 22575(a) and (b).  In the past year, Attorney General Harris has reached agreements with the seven major mobile application platforms providing that mobile applications constitute an “online service” and are therefore subject to CalOPPA’s requirement.  Among the requirements, the privacy policy must be “reasonably accessible” which, for mobile applications, requires that, among other things, the policy be available for review prior to download and include a description of the information being collected.

An additional noteworthy aspect of the non-compliance notice letters is that they are sent on behalf of Attorney General Harris by Adam Miller, Supervising Deputy Attorney General of the newly-created Privacy Enforcement and Protection Unit.  The Privacy Enforcement and Protection Unit was established earlier this year and granted authority to enforce state and federal privacy laws and regulations.  The non-compliance notices confirm speculation made at the time of the Privacy Unit’s establishment that the application of CalOPPA to mobile applications would reside high on the list of the Unit’s priorities.

All indications from the Attorney General’s office suggest that this is merely the beginning of a prolonged campaign.  In other words, now is the time for mobile application developers to ensure that applications meet the requirements of California state law, before the 30 day clock is ticking for you.    If you need assistance, or have questions, the Mintz Privacy and Security team is here to help.