Is Your App Next? Major Airline Sued For Mobile Privacy Violations - Cover Your Apps Today!


Online and mobile privacy. If you haven’t been paying attention, it’s time to take notice. Regulators certainly have, and even the biggest players are being hit – Delta Airlines was just sued by the California Attorney General for having an app without an appropriate privacy policy. This is only the beginning; more enforcement is likely to follow.
Barely a week goes by without major new stories about web and mobile privacy. The Federal Trade Commission just issued a report finding that 80% of children’s apps do not comply with the Children’s Online Privacy Protection Act. In February of 2012 the White House called upon Congress to pass a Consumer Privacy Bill of Rights. This issue becomes more prominent by the day.
With no omnibus federal privacy law, state laws have cropped up. Although relatively unknown to many mobile and web-enabled companies, the California Online Privacy Protection Act, or CalOPPA, requires most companies collecting information from California residents to post a privacy policy to their website or apps. The law is essentially a transparency requirement – it does not restrict companies from collecting or using information, it just requires disclosure of a firm’s data collection and use practices. Under the law, a policy reflecting a firm’s practices must be posted to an app or website “conspicuously,” which is defined to include in any way that a reasonable person would notice.
The law has been on the books since 2004, but it has been scarcely enforced, and many companies are out of compliance. A study conducted in early 2012 found that only 5% of apps were compliant with CalOPPA. With attention comes enforcement.
In February of 2012, the California AG announced that she had reached a deal with Google, Apple, HP, Microsoft, RIM and Amazon whereby these app gateways agreed to facilitate greater compliance with and enforcement of CalOPPA. Essentially, the gateways agreed to have a dedicated place in their app submission and approval process for developers to submit their privacy policies, and to facilitate the identification and reporting of apps that did not comply with CalOPPA. Facebook subsequently signed on to the AG’s program.
In July of 2012, the California AG formed a Privacy Enforcement and Protection Unit, charged solely with enforcing California’s privacy laws, including CalOPPA. The pressure builds.
Then, in October of 2012, Kamala Harris, the California AG, sent out an ominous tweet – “Fabulous app @United Airlines, but where is your app’s #privacy policy?”
One week later, the AG’s office sent out letters to 100 prominent apps, including those of United Airlines, Delta Airlines and OpenTable, warning them that their apps did not include prominent privacy policies, and giving them 30 days to comply with CalOPPA. The letter threatened fines of $2,500 per download if the companies did not fix their apps by implementing a privacy policy. Then, one month later, the AG filed a lawsuit against Delta Airlines, bringing claims for violating CalOPPA and seeking extreme damages.
Although lawsuits are likely to be resolved and bad publicity may pass, the time is now to audit privacy compliance and tweak whatever might be needed. CalOPPA requires “conspicuous” posting of privacy policies. Although there is very little court guidance on what this means – the law is only now being tested – for years, the gold standard for online contract formation has been the opt-in “click-through” agreement. Other methods are available as well, and common sense can be a guide – as long as a reasonable person would notice the policy, CalOPPA’s requirements have likely been met.
Privacy issues are here to stay, and are likely only to become heavier as further states and the federal government take notice and pass legislation. If you are not already, get ahead of the trend now.


Contributed by Scott Smedresman, Associate at SorinRand.

Scott Smedresman is an associate attorney at SorinRand LLP. He concentrates his practice on advising technology companies on intellectual property and corporate matters, such as technology transactions and intellectual property-related agreements, including license, development, collaboration, distribution, service, and maintenance agreements, as well as trademark and copyright strategy, prosecution, enforcement, and infringement. Having authored articles and given seminars about legal issues impacting mobile applications, he frequently counsels clients on the space, including preparing terms of use, privacy policies and end user licenses, as well as advising on SaaS agreements and leveraging user-generated content. Scott serves as an advisor to various working groups of the Application Developers Alliance, sitting on groups with PayPal, Intuit and CBS Interactive, among others.
