Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Consumer Privacy

Lawmakers Develop Mobile Privacy Legislation While California AG Files Privacy Suit Against Mobile App Developer

James Denvil, an associate in our Washington office, contributed to this entry. 

This week, Washington lawmakers and California’s Attorney General focused their attention on mobile privacy.  The Senate Judiciary Committee is considering a measure that would establish legal requirements for apps that collect or share location information from mobile devices.  A Democratic congressman released for public comment the first of three provisions that he plans to incorporate into a mobile privacy bill.  And California Attorney General Kamala Harris filed a complaint alleging that Delta Air Lines violated California privacy law by failing to conspicuously post a privacy policy for its “Fly Delta” app.

Mobile Privacy in the Senate

On December 4, Senator Al Franken (D-MN), chairman of the Senate Subcommittee on Privacy, Technology, and the Law released a revised version of the Location Privacy Protection Act that would require companies to obtain express consent from users before collecting, recording, obtaining, or sharing geolocation information from mobile devices.     

Franken introduced a version of the bill last year, which would have applied to the collection of location information from smartphones, laptops, tablets, in-vehicle navigation devices, and any other devices intended to be carried by or travel with users.  Under the 2011 measure, companies collecting location information without consent would have been liable for civil penalties of no less than $2,500.  

Sources indicate that the revised version allows companies to get one-time approval from users rather than having to obtain permission every time location information is collected or shared.  The revised bill also specifies that it does not apply to law enforcement.

The Senate Judiciary Committee considered but did not vote on the measure on Thursday, December 6.  The committee chose to delay voting on the measure until its next business meeting, scheduled for December 13.  Senator Charles Grassley (R-IA) explained that the vote was delayed to give the committee time to ensure that the measure’s enforcement mechanisms do not create undue burdens for industry. 

Mobile Privacy in the House 

On December 5, House Democrat Hank Johnson of Georgia released the first of three provisions for his planned AppRights.us bill that would address mobile app transparency, security, and control.  AppRights.us is a web-based project initiated by Johnson to develop mobile privacy legislation.   Each provision of the bill will be released for a two-week public comment period, and the congressman will report on the feedback he receives before introducing the bill. 

The first provision addresses user control.  It requires that developers enable users to delete mobile applications and the personal information stored by mobile applications at any time.  Developers would also be prohibited from using or sharing personal information collected via deleted mobile applications within a reasonable time after the applications are deleted.

The provision can be viewed here

Mobile Privacy in California

At the state level, California Attorney General Kamala Harris, who created a new Privacy Enforcement and Protection Unit earlier this year, filed a privacy suit on December 6 against Delta Air Lines Inc.  The suit alleges that Delta’s “Fly Delta” app does not contain a privacy policy.  Harris claims that the complaint is California’s first legal action under the California Online Privacy Protection Act of 2003 (“CalOPPA”), and she seeks to enjoin Delta’s distribution of the app as well as penalties of up to $2,500 per app download. 

As mentioned in an earlier post, available here, Harris notified dozens of developers in October that they were not in compliance with the notice provisions of CalOPPA, which requires operators of websites or online services that collect personal information from California residents to “conspicuously post” a privacy policy.  Harris gave developers 30 days to bring their apps into compliance with those provisions.  Travis LeBlanc, who oversees the Privacy Enforcement and Protection Unit, previously stated that a handful of developers decided to ignore the warnings.  LeBlanc suggested that these developers may believe that CalOPPA does not apply to their apps.  But the Attorney General’s office takes the position that because of the size of California’s population, app developers should assume that their apps will be downloaded by some California residents. 

The “Fly Delta” app allows users to check in for flights, view and change their reservations, track their baggage, rebook flights, access frequent flyer accounts, and manage other information related to their travels.  Harris claims that the app collects personal information from travelers, including location information and account numbers.  “California law is clear,” Harris said, “Mobile apps collecting personal information need privacy policies.”  

By filing this suit, Harris makes clear that if apps lack those needed privacy policies, she will take action.