California Court Dismisses Complaint Alleging Airline Privacy Violations

Can states regulate an airline's online and/or mobile application privacy policies? A California court has said the answer is no. In a victory for airlines, the Superior Court of California dismissed with prejudice a complaint against Delta Air Lines filed by the California Attorney General that alleged violations of the California Online Privacy Protection Act (CalOPPA). The order cites "the reasons set forth in Delta's papers" as grounds for the decision, endorsing, among other things, Delta's position that the Airline Deregulation Act preempts CalOPPA and that the federal government alone has the authority to regulate airline privacy policies. Judge Marla Miller explained the court's ruling in California v. Delta Air Lines, Cal. Super. Ct., No. CGC 12-526741, noting that "this case is, in effect, an attempt to apply a state law designed to prevent unfair competition, which regulates an airline's communication with consumers, and I think it's preempted."

In the complaint, Attorney General Kamala Harris alleged that Delta violated CalOPPA by failing to "conspicuously post a privacy policy in its Fly Delta app." The complaint also alleged that Delta failed to comply with the privacy policy published on its website because the policy did not disclose that its mobile app collected users' personal information, such as geolocation information. Judge Miller's decision also implicitly acknowledges that the "Fly Delta" app, which allows customers to search flights, book tickets, and check in electronically, constitutes a "service" preempted under the Airline Deregulation Act, which generally prohibits state regulation "related to a price, route, or service of an air carrier." (49 U.S.C. § 41713(b)(1)).

The state of California has aggressively pursued its mobile application privacy policies in recent months. Following an agreement with Google, Apple, Amazon, and other major app developers, the State Attorney General issued guidance last January on what it expects by way of privacy from mobile applications. The safe harbor carved out by the Act remains unique to the airline industry. The ruling is limited to the commercial aviation industry. Whether and how it might be extended to other industries, including federally regulated ones, is unknown at this time. California is not alone in focusing on privacy and data security. With the rise in reported data breaches, companies operating in all states will need to pay close attention to state and federal privacy requirements.