[EXEMPT FROM FILING FEES UNDER GOVT. CODE SEC. 6103]

[Court filing stamp, partly illegible: Superior Court of California, County of (illegible), DEC 06 2012, Clerk of the Court, By: (illegible) GRIER, Deputy Clerk]

KAMALA D. HARRIS
Attorney General of California
ROBERT MORGESTER
Senior Assistant Attorney General
ADAM MILLER (SBN 168254)
Supervising Deputy Attorney General
455 Golden Gate Avenue, Suite 11000
Attorneys for Plaintiff
THE PEOPLE OF THE STATE OF CALIFORNIA

SUPERIOR COURT OF THE STATE OF CALIFORNIA
CITY AND COUNTY OF SAN FRANCISCO

THE PEOPLE OF THE STATE OF CALIFORNIA, Plaintiff,
v.
DELTA AIR LINES, INC., Defendant.

Case No. CGC-12-526741

COMPLAINT FOR CIVIL PENALTIES, PERMANENT INJUNCTION AND OTHER EQUITABLE RELIEF FOR VIOLATIONS OF BUSINESS AND PROFESSIONS CODE SECTION 17200 (UNFAIR COMPETITION LAW)

Plaintiff, the People of the State of California, by and through Kamala D. Harris, Attorney General of the State of California, alleges the following on information and belief:

INTRODUCTION
1. In 1972, the People of the State of California made privacy an "inalienable right" in the California Constitution. (Cal. Const., Art. I, § 1.) The People have charged the Attorney General with protecting that right. (Cal. Const., Art. V, § 13.)

2. The innovations of the 21st Century have created new challenges to privacy. Today, consumers regularly use computers, smartphones, tablets, and other electronic devices to share and store sensitive personal information, including their full name, date of birth, contact information, photographs, bank accounts, credit card numbers, and location information. If a consumer stores this information on a smartphone or other device connected to the Internet, the consumer's personal information may be accessed by mobile applications that can collect the stored personal information and share it with third parties, sometimes without the consumer's knowledge or consent. Accordingly, it is imperative that consumers are clearly and conspicuously informed of the personal information that is collected from them, how that information is used, and with whom it is shared so that the consumer is empowered to make an educated choice about whether to allow a mobile application to access such information.

3. In 2004, California enacted the California Online Privacy Protection Act to require commercial operators of websites and online services, such as mobile applications, to conspicuously post detailed privacy policies so that consumers know what personal information operators collect and the categories of third parties with whom operators share or disclose that personal information. (Cal. Bus. & Prof. Code §§ 22575-22579 ("CalOPPA")¹.)

4. Since at least 2010, Defendant Delta Air Lines, Inc., ("Delta") has operated a mobile application, called "Fly Delta," for use on smartphones and other electronic devices. Delta's mobile application may be used to check-in online for an airplane flight, view reservations for air travel, rebook cancelled or missed flights, pay for checked baggage, track checked baggage, access a user's frequent flyer account, take photographs, and even save a user's geo-location. Despite collecting substantial personally identifiable information ("PII") such as a user's full name, telephone number, email address, frequent flyer account number and PIN code, photographs, and geo-location, the Fly Delta application does not have a privacy policy. It does not have a privacy policy in the application itself, in the platform stores from which the application may be downloaded, or on Delta's website. Users of the Fly Delta application do not know what personally identifiable information Delta collects about them, how Delta uses that information, or to whom that information is shared, disclosed, or sold. As demonstrated below, Delta's conduct violates CalOPPA and California's Unfair Competition Law. (Cal. Bus. & Prof. Code § 17200 et seq.).

¹ All statutory references herein are to the Business and Professions Code, unless otherwise indicated.

DEFENDANT AND VENUE

5. Defendant Delta Air Lines, Inc., ("Delta") is a corporation incorporated in the State of Delaware at 2711 Centerville Road, Suite 400, in the City of Wilmington, 19808, County of New Castle. The name of its registered agent at such address is Corporation Service Company.

6. Delta's worldwide headquarters is located in Atlanta, Georgia. Delta is primarily an air carrier engaged in the business of providing commercial passenger air transportation throughout the United States and the world.

7. Delta provides regularly scheduled flight service from airports in the following cities in the State of California: San Diego, Palm Springs, Long Beach, Los Angeles, Burbank, Ontario, Fresno, Mammoth Lakes, San Jose, San Francisco, Oakland, Santa Rosa and Sacramento. Delta also operates airport lounges in San Francisco, Los Angeles, and San Diego.

8. Since at least 2010, Delta has operated the Fly Delta application, which is a mobile application available for download on smartphones and other devices. The Fly Delta app is distributed across California. Delta at all times mentioned herein has transacted business in the City and County of San Francisco and elsewhere within the State of California. The violations of law described herein occurred in the City and County of San Francisco and elsewhere in the State of California.

DEFENDANTS' BUSINESS ACTS AND PRACTICES

9. CalOPPA provides that "[a]n operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service shall conspicuously post its privacy policy on its Web site ..." (Cal. Bus. & Prof. Code § 22575(a).) In the case of an "online service," "conspicuously post[ing]" the privacy policy requires that the required privacy policy be "reasonably accessible ... for consumers of the online service." (Cal. Bus. & Prof. Code § 22577(b)(5).)

10. Delta is an operator of a commercial website located at http://www.delta.com. Delta is also an operator of online services, in the form of mobile applications ("apps") that run on smartphones and other devices utilizing various mobile platform operating systems, including the following: Apple iOS (e.g., iPhone, iPad), Android, Windows Phone 7, and Blackberry. The Fly Delta app can be obtained from various mobile apps marketplaces (such as Apple iTunes or Google Play) as well as from http://www.delta.com/content/www/en_US/mobile.html.

11. The term "online service" broadly covers any service available over the Internet or that connects to the Internet, including Internet-enabled gaming platforms, voice-over-Internet protocol services, cloud services, and mobile applications. By way of example, mobile applications are deemed "online services" under the federal Children's Online Privacy Protection Act, 15 U.S.C. § 6501 et seq. (See 76 Fed.Reg. 59807 (Sept. 27, 2011).)

12. The Fly Delta app sends and receives information over the Internet, including collecting PII about individual consumers residing in California who use the Fly Delta app. The Fly Delta app is thus an online service subject to CalOPPA.

13. PII that Delta collects through the Fly Delta app includes at least the following:
(a) Geo-location data;
(b) Photographs;
(c) User's full name;
(d) Street addresses (residential and billing);
(e) Telephone numbers (including cell, fax and/or pager);
(f) Email addresses;
(g) Delta SkyMiles account number and flight information;
(h) Credit/debit card number(s) and expiration date(s);
(i) Date of birth;
(j) Gender;
(k) Traveler number;
(l) Travel-related information such as travel company, emergency contact(s), seating preferences, medical needs and dietary requests;
(m) Passport number, nationality and country of residence; and
(n) Corporate contract, employer or affiliation (such as employer name, title and contract information).

14. Although the Fly Delta app collects California consumers' PII, there is no privacy policy available to consumers within the app itself. In other words, the privacy policy required by CalOPPA to be conspicuously posted is not accessible to consumers of the Fly Delta app, so California consumers do not know how Delta is collecting, managing or sharing the PII collected by the Fly Delta app.

15. For example, a consumer can provide credit or debit card information to pre-pay for checked baggage on the Fly Delta app, but there is no disclosure on the Fly Delta app of this collection of PII, nor whether this or any other PII may be shared with third parties.

16. Delta's website, located at http://www.delta.com/content/www/en_US/privacy-and-security.html does contain a privacy policy about Delta's website (the "Delta website"). But this privacy policy does not mention the Fly Delta app, and is not reasonably accessible to consumers of the Fly Delta app.

17. While the privacy policy on Delta's website describes some of the PII collected by Delta on their website, Delta does not disclose anywhere several types of PII that the Fly Delta app collects, but the Delta website does not collect. For example, the Fly Delta app collects consumer (a) geo-location data and (b) photographs. The Delta website privacy policy does not indicate that it collects geo-location data or photographs.

18. In the Fly Delta app, if the consumer chooses the "Traveling with Us" option, then the "Delta Sky Clubs" option, the Fly Delta app suggests "Delta Sky Clubs Near You" by accessing the consumer's mobile device geo-location functionality (e.g., GPS). For example, an Android device located in San Francisco, California, using the Fly Delta app reflects a Delta Sky Club also in San Francisco. But nowhere in the Fly Delta app or on the Delta website does Delta disclose to consumers in a privacy policy that it is collecting this form of PII, i.e., where the consumer and the consumer's mobile device is currently located.

19. Similarly, if the consumer chooses the "Traveling with Us" then "Parking Reminder" options within the Fly Delta app, the consumer is able to take and store a photograph within the Fly Delta app using the mobile device's camera. The consumer can also store text (e.g., "Garage G, 3rd floor, stall 101") and select a "Save This Location" option, which presumably collects and stores the consumer's GPS location based upon the geo-location of the mobile device. But nowhere in the Fly Delta app or on the Delta Website does Delta disclose to consumers in a privacy policy that it is collecting these forms of PII.

20. The Fly Delta app has been available for download from the Google Play (formerly known as Android Market) and Apple iTunes marketplaces since at least October of 2010. Since that time, Delta has provided updated versions of the Fly Delta app on Apple iTunes approximately 15 times. The current versions of the Fly Delta app were last released June 15, 2012 (Google) and June 22, 2012 (Apple). The Fly Delta app has been downloaded by consumers millions of times since October of 2010 without the conspicuously posted privacy policy required by CalOPPA.

21. CalOPPA provides that "[a]n operator shall be in violation of this subdivision [requiring conspicuous posting of its privacy policy] only if the operator fails to post its policy within 30 days after being notified of noncompliance," and the violation is made either (a) knowingly and willfully; or (b) negligently and materially. (Cal. Bus. & Prof. Code §§ 22575(a) and 22576.)

22. On or about October 26, 2012, the California Attorney General sent a letter by U.S. Mail to Delta, addressed to Richard B. Hirst, Senior Vice President and General Counsel, to a Delta post office box address in Atlanta, Georgia, notifying Delta of its noncompliance with CalOPPA. A true and correct copy of said letter is attached hereto and incorporated by reference herein as Exhibit A.

23. On or about October 30, 2012, several media sources reported that Delta had released a statement that said: "We have received the letter from the Attorney General and intend to provide the requested information." (See http://articles.latimes.com/2012/oct/30/business/la-fi-tn-atty-gen-kamala-harris-puts-mobile-apps-on-notice-about-privacy-20121030, accessed December 6, 2012.) As of the date of filing, the Fly Delta app on multiple platforms still does not have a privacy policy conspicuously posted, i.e., reasonably accessible to consumers within the apps.

24. Delta has violated CalOPPA by failing to conspicuously post a privacy policy in the Fly Delta app following 30 days' notice of noncompliance, either (a) knowingly and willfully; or (b) negligently and materially.

25. Under Section 22576, an operator of a commercial website is also in violation of CalOPPA if they fail to comply with the provisions of its posted privacy policy either (a) knowingly and willfully; or (b) negligently and materially. This separate violation of CalOPPA does not require that the operator be given 30 days' notice of noncompliance.

26. Delta has additionally violated CalOPPA by failing to comply with the provisions of its privacy policy, either (a) knowingly and willfully; or (b) negligently and materially.

27. The Fly Delta app is not the primary commercial activity of Delta, which is to sell tickets for commercial passenger air transportation throughout the United States and the world. Delta does not charge for download of its Fly Delta app.

28. CalOPPA is not directed towards air carriers such as Delta but applies to all "operator[s] of a commercial Web site or online service ..." (Cal. Bus. & Prof. Code § 22575(a).) CalOPPA does not relate to rates, routes or services of any air carrier. Any effect of CalOPPA on airline rates, routes or services of any air carrier is tenuous, remote or peripheral. CalOPPA does not significantly impact federal deregulation of air carriers.

FIRST CAUSE OF ACTION
VIOLATIONS OF BUSINESS AND PROFESSIONS CODE SECTION 17200
(UNFAIR COMPETITION - SECTION 22575)

29. Plaintiff realleges Paragraphs 1 through 28 and incorporates these Paragraphs by reference as though they were fully set forth in this cause of action.

30. Delta has violated the Unfair Competition Law, Business and Professions Code section 17200 et seq., by committing unlawful, unfair, or fraudulent business acts and practices. These acts or practices include, but are not limited to, the following:

(a) Delta has continued to fail to conspicuously post a privacy policy in its Fly Delta app, in violation of CalOPPA, despite receiving written notice on or about October 26, 2012, from the Attorney General that the Fly Delta app was noncompliant with Section 22575 of CalOPPA. Delta has accordingly failed to comply with Section 22575, and such unlawful failure to comply is made either (i) knowingly and willfully; or (ii) negligently and materially, pursuant to Section 22576.

(b) Delta has further violated Section 22576, by failing to even comply with the website privacy policy posted on the Delta website, in that the Fly Delta app does not comply with the Delta website privacy policy, and such unlawful failure to comply is made either (i) knowingly and willfully; or (ii) negligently and materially.

PRAYER FOR RELIEF

WHEREFORE, Plaintiff prays for judgment as follows:

1. That under California Business and Professions Code section 17203, Delta, its successors, agents, representatives, employees, and all persons who act in concert with Delta be permanently enjoined from committing any acts of unfair competition, including the violations alleged in the First and Second Causes of Action.

2. That under California Business and Professions Code section 17206, Delta be ordered to pay Two Thousand Five Hundred Dollars ($2,500) for each violation of California Business and Professions Code section 17200 by Delta, as proved at trial.

3. That Plaintiff recovers its costs of suit herein, including attorneys' fees and costs of investigation.

4. For such other and further relief as the Court may deem just and proper.

Dated: December 6, 2012

Respectfully Submitted,
KAMALA D. HARRIS
Attorney General of California
ROBERT MORGESTER
Senior Assistant Attorney General
ADAM MILLER
Supervising Deputy Attorney General
Attorneys for THE PEOPLE OF THE STATE OF CALIFORNIA

EXHIBIT A

KAMALA D. HARRIS, Attorney General
State of California
DEPARTMENT OF JUSTICE
455 Golden Gate Avenue, Suite 11000
San Francisco, CA 94102
Public: (415) 703-5000
Telephone: (415) 703-5551
Facsimile: (415) 703-5480
E-Mail: Adam.Miller@doj.ca.gov

October 26, 2012

Richard B. Hirst
Senior Vice President and General Counsel
Delta Airlines, Inc.
PO Box 20706
Atlanta, GA 30320-6001

RE: Notice of Non-Compliance with California Online Privacy Protection Act

Dear Mr. Hirst:

I am the Supervising Deputy Attorney General for this office's new Privacy Enforcement and Protection Unit. This letter is being sent to Delta Airlines, Inc., ("Delta") pursuant to the California Online Privacy Protection Act ("CalOPPA," Cal. Bus. & Prof. Code §§ 22575-22579, copy enclosed). Protecting the online privacy of California residents is one of the Attorney General's top priorities, and the Privacy Enforcement and Protection Unit is charged with enforcing California state and federal privacy laws as well as California residents' constitutionally guaranteed right to privacy.

As we hope you are aware, CalOPPA requires that "an operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service" must post a privacy policy that complies with specified requirements. Cal. Bus. & Prof. Code § 22575(a) and (b). The privacy policy must be "conspicuously" posted, and in the case of an online service, "reasonably accessible ... for consumers of the online service." Cal. Bus. & Prof. Code § 22575(a) and § 22577(b)(5). A Web site or online service operator that collects personally identifiable information ("PII") and "fails to post its policy within 30 days after being notified of noncompliance" is in violation of CalOPPA. Cal. Bus. & Prof. Code § 22575(a).

An operator of a mobile application ("app") that uses the Internet to collect PII is an "online service" within the meaning of CalOPPA. An app's commercial operator must therefore conspicuously post its privacy policy in a means that is reasonably accessible to the consumer. Having a Web site with the applicable privacy policy conspicuously posted may be adequate, but only if a link to that Web site is "reasonably accessible" to the user within the app.

Under California's Unfair Competition Law, Business and Professions Code sections 17200 et seq., violations of CalOPPA may result in penalties of up to $2,500 for each violation, i.e., for each copy of the unlawful app downloaded by California consumers. Cal. Bus. & Prof. Code § 17206(a).

It appears that your "Fly Delta" app, available through the Apple App Store and Google Play platforms, does not currently have a privacy policy reasonably accessible for consumers. Therefore, this letter constitutes 30 days notice that the Fly Delta app is non-compliant with CalOPPA.

Please respond to the undersigned within 30 days of the date of this letter with the following information: a) Delta's specific plans and timeline to comply with CalOPPA; or b) why you believe this app is not covered by CalOPPA.

If you have any questions regarding this letter please feel free to contact me at the above telephone number or addresses.

Sincerely,

ADAM MILLER
Supervising Deputy Attorney General
For KAMALA D. HARRIS
Attorney General

AM:
Enclosures as noted