Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Governance, Risk and Compliance, Compliance Management, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

California sues Delta Air Lines over mobile privacy

In a first-of its kind lawsuit, the state of California is suing Delta Air Lines over alleged violations of its Online Privacy Protection Act, which requires, among other things, that companies clearly post privacy policies within their mobile apps.

California Attorney General Kamala Harris filed the suit Thursday in San Francisco Superior Court after Delta allegedly failed to post a policy in its “Fly Delta” app. The complaint contends that the app collects users' personally identifiable information (PII), including names, telephone numbers, email addresses, photographs, geolocations, residential and billing addresses and frequent flyer account numbers and associated PIN codes.

Private data – such as credit and debit card numbers; travel-related information, including emergency contacts; and traveler-related medical needs and dietary requests – are also allegedly captured by the app, as well as users' passport numbers and employer or corporate contact information. 

In letters issued in late October, Harris began warning mobile application developers and companies that have apps available for download, giving them 30 days to post "conspicuous" privacy policies for consumers. Companies may face penalties of up to $2,500 per violation, meaning each time the app is downloaded or used.  

In the filing, Harris claimed that Delta operated the Fly Delta app since at least 2010. While Delta does have a privacy policy listed on its website, the suit said it only details some of the PII it collects. The privacy policy also does not reference the mobile app.

“Delta does not disclose anywhere several types of PII that the Fly Delta app collects…” the suit said. “For example, the Fly Delta app collects consumer geolocation data and photographs. The Delta website privacy policy does not indicate that it collects geolocation data or photographs.” reached out to Delta on Friday to inquire whether the company planned to post a privacy policy within the app in question, or if the company would challenge the suit. A spokesman for the airline said the company doesn't comment on pending litigation.

United Airlines and OpenTable, an online restaurant reservation service, were among the companies California officials contacted for alleged non-compliance. Developers or owners of 100 mobile apps were contacted by letter.

Reached on Friday, Nick Pacilio, a spokesman for the state attorney general's office, would not say whether more suits were expected to be launched against app distributors. 

He did say that letters went out on a rolling basis. “We are handling each company individually," he told

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.