First California lawsuit over mobile privacy issues crashes

Court rules that federal airline laws preempt state statutes in suit seeking to force Delta Air Lines to notify mobile app users about data collection plans

A California state court has dismissed a closely watched lawsuit charging that Delta Air Lines failed to comply with state privacy laws for mobile applications.

In a brief ruling last week, California Superior Court Judge Marla Miller agreed with Delta's claim that the federal Airline Deregulation Act (ADA) of 1978 supersedes state statutes.

The ADA prevents states from enforcing laws that could impact the prices, routes or services offered by an airline.

Delta argued that its mobile application was a service offered by the airline to customers and was therefore was covered by the ADA.

In an email, Delta spokesman Paul Skrbec said that the airline is "pleased the Court has confirmed our view that the California statute does not apply to airlines because it is preempted by federal law. The protection of customer information is something that Delta takes very seriously."

The court's action effectively ends the first lawsuit alleging that a company failed to adhere to a state's privacy laws for mobile applications.

California Attorney General Kamala Harris filed the lawsuit against Delta last December, alleging that the airline had violated the California Online Privacy Protection Act (CalOPPA) by failing to properly disclose the data collection and use policies associated with its Fly Delta smartphone app.

The lawsuit was filed after Delta failed to quickly respond after the state notified it of the alleged privacy violations.

In the complaint, Harris said that Delta had been offering the Fly Delta app since at least 2010 to let customers check in for flights online, view reservations, rebook or cancel flights, check-in baggage, take photographs and other things.

Fly Delta lacks a privacy policy while the app collects an extensive amount of personal information, including the user's full name, telephone number, email address and geo location data, Harris said in the complaint.

The lawsuit contended that the app violates the CalOPPA law by not providing information on Delta's data collection or use policies.

Harris had contended that Delta's claim that the federal law preempts state laws were without merit. CalOPPA, she argued, merely requires a company to disclose its online privacy policies and in no way affects an airline's prices or services.

While the dismissal of the lawsuit is a setback for Harris, few expect that it will slow down the state's plan to go after alleged violators of online privacy laws.

Last year, Harris struck an agreement with several companies, including Facebook and Google, to make their privacy policies more transparent to users of their mobile applications.

In October, she sent notices to 100 mobile application developers warning them that they weren't in compliance with California privacy laws and urging them to notify customers of their data collection practices within 30 days.

The Delta lawsuit was seen by some as a test of the state's ability to enforce its privacy policies on providers of mobile applications and services. Over the past 18 months or so. Harris and other state and federal regulators have expressed growing concern over the data collection and sharing practices of providers of mobile applications and services.

Just last week, Rep. Hank Johnson (D-Ga.) introduced legislation that would require mobile app developers to provide clear notice to consumers and get their consent before collecting personal data from mobile devices.

"Delta was not a great test case for the California AG so she will be back," said Scott Vernick, partner at the Fox Rothschild LLP law firm in Philadelphia.

"Any company worth its salt, and particularly mobile app developers, should make sure that that they are complying with CalOPPA," he said, Going forward expect other states could enact and strongly enforce such rules, he said.

Harris' office did not respond to a request for comment on the ruling.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, or subscribe to Jaikumar's RSS feed . His e-mail address is

Read more about privacy in Computerworld's Privacy Topic Center.

Join the CSO newsletter!

Error: Please check your email address.

Tags LineGov't Legislation/RegulationregulationsecurityDelta Air Linesgovernmentprivacymobile apps

More about BillDeltaDelta Air LinesFacebookGoogleScott CorporationTopic

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jaikumar Vijayan

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place