This story was written by Keith Dawson for UBM DeusM’s community Web site Develop in the Cloud, sponsored by AT&T. It is archived here for informational purposes only because the Develop in the Cloud site is no more. This material is Copyright 2012 by UBM DeusM.

California Sues Delta Over Mobile Privacy

Must have a visible policy & doesn't.

California law requires mobile apps that collect personal information to disclose prominently what they do with it. Delta Airlines doesn't, so the state sued after a 30-day warning.


Delta's free-to-download "Fly Delta" app lets users check in to flights, pay for checked baggage, rebook flights, etc. According to California's attorney general Kamala Harris, the app doesn't offer an easy way to access Delta's privacy policy. The airline does have such a policy available on their website, but it does not mention "Fly Delta" or any mobile app.

We noted in an edition of the Friday Four early last month that Harris had sent warning letters to Delta and to a reported 100 other mobile app makers. Now, a month later, the lawsuit against Delta may be the first of in a series.

That pesky law
The 2004 California law is called the Online Privacy Protection Act (OPPA). What it says is that if a website or online service collects particular private data, it must have a privacy policy available to be viewed and read in a way that it "can be understood." OPPA is the reason that almost all websites feature a link to a privacy policy on their home page. When the law went into effect, there was no such thing as a mobile app.

Following a string of privacy fiascos involving mobile apps beginning last year (anyone remember Path?), Harris decided to stretch the 2004 law to encompass mobile apps as well as websites. She brokered a deal last February with a half dozen major mobile app platform vendors -- Amazon, Apple, Google, HP, Microsoft, and Research In Motion -- in which they agreed to require privacy policies for all apps they host.

How transparent?
Requiring that a privacy policy "can be understood" when read on a large, desktop computer screen is one thing. (Reasonable men might argue that privacy policies today are not exactly written to be understandable.) Making such a legal document comprehensible on a mobile device is a problem of a different order. Something like the privacy icons we discussed a few weeks back could help. In any case, making a privacy policy comprehensible on a small screen is no easy task.

You could say that the clock started ticking for mobile app developers to solve this problem last February. Certainly by the time Harris's letters went out in late October, they should have known. Delta has made no visible progress towards a privacy policy that is usable from its Fly Delta app, and neither, it would seem, have most other app makers.

Fences are going up across what had once been the Wild West. Joe Mullin, writing in Ars Technica, put it well when he wrote, "The days when most mobile apps have been able to just blow off the requirement are likely coming to a close."

Related links