Caveat Vendor

California’s Attorney General Foiled In First Foray On Mobile Privacy

May 10, 2013

By Paul Hastings Professional

California’s Attorney General Kamala Harris has made it a mission to challenge what she views as mobile app makers’ disregard for consumer privacy.  Her weapon of choice in this campaign is California’s Online Privacy Protection Act, which requires businesses that collect personal information through websites and online services to post a privacy policy “conspicuously” on their websites (along with some other requirements).

Ms. Harris has contended that the law requires that privacy notices be embedded in the mobile apps themselves.  In October of last year, she sent warning letters to businesses offering over 100 different mobile apps to that end, and in December she filed suit against one of the recipients of those letters, Delta Airlines.
The suit acknowledged some uncertainty over whether a privacy policy on a company’s website would suffice under the statute or whether one is required in the mobile app itself; regardless, the complaint alleged, Delta did not mention the mobile app in its website policy.  Hence, Ms. Harris claimed, the statute had been violated.
The suit attracted much attention as a possibly important precedent in the area of mobile privacy.  One key question raised by the suit was whether mobile apps are “commercial websites” or “online services” under the California statute.  Alas, the suit ended with a fizzle yesterday, when the California Superior Court dismissed the case with prejudice in a summary (one-paragraph) order.

The order did not elucidate the reasons for the dismissal beyond citing the arguments made by Delta in its demurrer.  (In fact, the court simply signed the proposed form of order that Delta’s counsel had submitted.)  Nonetheless, a likely compelling basis for that decision was the argument advanced by Delta that the federal Airline Deregulation Act preempts the state-law claim.

That statute, enacted during the Carter Administration to deregulate the airline industry, provides that a state “may not enact or enforce a law, regulation, or other provision having the force and effect of law related to a price, route, or service of an air carrier . . . .”  49 U.S.C. § 41713.  California’s claim, argued Delta, related to a “service” offered by the airline and, hence, was preempted.   In the face of that provision, which courts have construed broadly, Ms. Harris’s choice of an airline as her first litigation target may have been improvident.

Whatever the court’s reasoning in dismissing the case, a ruling on the scope of California’s online privacy law and its applicability to mobile applications now must await another day.

Caveat Vendor is Paul Hastings’ Consumer Issues blog. We welcome your feedback. Please contact our blog editor with any thoughts or suggestions.