We’re back to the problems the California Attorney General is having with constructively addressing privacy issues with mobile apps. As you know, the Attorney General took two big actions with respect to those issues. The second big action was the release of the Attorney General’s less than helpful document: Privacy on the Go: Recommendations for the Mobile Ecosystem. The problems with that document are discussed in a previous post here at Big Data and the Law.
The Attorney General’s first big action was suing Delta Air Lines for an alleged breach of the California Online Privacy Protection Act.
You can find the complaint here:
http://www.lw.com/admin/Upload/Documents/Reply-ISO-Demurrer.pdf
California lost, sort of, but losing isn’t the main problem with the Attorney General’s action. We need to review the background to understand why the Attorney General’s action was such a bad idea.
The attempt to extend the application of the California Online Privacy Protection Act to a mobile app was a new thing. The California Online Privacy Protection Act applies to all “operators” “of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service.” The Attorney General has taken the position that mobile apps fall into that bucket and thus have to have privacy policies as the California Online Privacy Protection Act requires.
The process for enforcing the California Online Privacy Protection Act is that the state gives a noncompliant “operator” notice of noncompliance and the operator then has thirty days to comply. Clearly the Attorney General wants to start sending out noncompliance letters in bulk. If that is what the Attorney General has in mind, it makes sense to make an example of someone as a way to encourage others to comply. It would also be helpful to establish precedent that the California Online Privacy Protection Act really does apply to mobile apps. That is what the Delta suit might have done – if the state had sued someone else.
Alas, that was not the case with the state’s suit against Delta. In Delta, the Attorney General picked a defendant that was not subject to regulation by the State of California on the matters that were the subject of the state’s suit. As an airline, Delta is subject to United States Federal regulation; regulation that pre-empts the state’s regulation in this regard. The net result was a dismissal of the Attorney General’s suit.
You can find Delta’s brief in support of its motion to dismiss here:
http://www.lw.com/admin/Upload/Documents/Reply-ISO-Demurrer.pdf
You can find the court’s very terse dismissal here:
http://op.bna.com/pl.nsf/id/kjon-97klaa/$File/People%20v.%20Delta%20Air%20Lines.pdf
Because the case was dismissed on jurisdictional grounds, the court didn’t address the question whether the California Online Privacy Protection Act applies to mobile apps.
So, after all is said and done, the Attorney General has managed to accomplish exactly nothing. The Attorney General can’t even lose in a way that is helpful.
I’m sure the Attorney General will find a new victim. Maybe that victim will be someone that is actually subject to California law in this regard. Maybe that will help.