California Court of Appeals Affirms Dismissal of State Lawsuit Against Delta for Failing to Post a Privacy Policy Within Its Mobile Application

In a recent ruling,1 California’s Court of Appeals affirmed the dismissal of a 2012 lawsuit against Delta Air Lines, Inc. (Delta) based on claims that the airline violated California’s Online Privacy Protection Act (CalOPPA) by failing to conspicuously post a privacy policy within its mobile application.  The appellate court found that the Airline Deregulation Act of 1978 expressly preempted CalOPPA and denied the State’s request for leave to amend the complaint.  The lawsuit was the first state enforcement action seeking to expand online data privacy protection to the mobile sector.

Background

California has long been a leader in privacy legislation. In 2004, California enacted CalOPPA, the first U.S. state law to require commercial operators of websites and online services that collect consumers’ personally identifiable information (PII) to conspicuously post detailed privacy policies disclosing what information is being collected and the categories of third parties with whom PII will be shared. The California Attorney General interpreted the term “online service” broadly to include any service available over the internet or that connects to the internet, including mobile apps, and demonstrated an unequivocal willingness to enforce CalOPPA in the mobile sphere.

Starting in 2011, the California AG’s office reached out to leading mobile and social app platform operators, including, among others, Apple, Google, and Facebook, and successfully negotiated a Joint Statement of Principles pursuant to which those platforms agreed to privacy principles designed to bring the industry in line with CalOPPA. The agreement provided for the opportunity for consumers to review an app’s privacy policy before downloading it and also offered a consistent location for privacy policies on the app download screen for ease of reference. This agreement with leading platform operators effectively extended the reach of CalOPPA’s privacy protections to millions of mobile app users outside of California.

In late 2012, the AG’s office continued its campaign to strengthen mobile app privacy protection by formally notifying up to 100 popular mobile app developers and companies that their apps were not in compliance with California privacy law and giving them 30 days to post a conspicuous privacy policy that disclosed what PII was being collected and what would be done with that information. The AG’s letters informed that “[p]rotecting the online privacy of California residents is one of the Attorney General’s top priorities” and warned that failure to comply could result in fines of up to $2,500 each time a non-compliant app was downloaded by a California consumer.

Delta and United Airlines were among the recipients. Delta acknowledged receipt and stated that it would comply but did not do so within the 30-day statutory window.

People ex rel. Harris v. Delta Airlines, Inc.

On December 6, 2012, the California AG’s Office filed a legal action against Delta based on the airline’s failure to include a conspicuous privacy policy within its Fly Delta mobile app. According to the complaint, Delta collected consumer PII in connection with the operation of its mobile app which allowed consumers, among other things,  to price and purchase tickets, check-in online, view reservations, and rebook cancelled or missed flights.  The State alleged that Delta’s collection of PII without a privacy policy violated CalOPPA and constituted an unlawful, unfair, or fraudulent business act and practice under California’s unfair competition law.

Delta responded by filing a demurrer in lieu of an answer, arguing that the complaint failed to state a legal basis for a lawsuit because CalOPPA was preempted by the Airline Deregulation Act (ADA) which bars states from enforcing laws relating to rates, routes, or services of an air carrier. Alternatively, Delta argued that CalOPPA did not apply to the Fly Delta mobile app because the app is not an online service as defined by the statute and because the Delta’s privacy policy was reasonably accessible to consumers through its commercial website, www.delta.com. The trial court sustained Delta’s demurrer on ADA preemption grounds and dismissed the complaint with prejudice.

Court of Appeals Affirms Dismissal

The Court of Appeals began its analysis with a restatement of the two “cornerstones” of federal preemption analysis identified by the U.S. Supreme Court in Wyeth v. Levine, 555 U.S 555 (2009).  Namely, that: (1) the question of preemption is fundamentally a question of Congressional intent and (2) the historic police powers of the States are not to be superseded by federal legislation unless that was Congress’ clear and manifest purpose.  On the question of Congressional intent, the appellate court explained that Congress determined that “maximum reliance on market forces” would best further efficiency, innovation, variety, quality and cost of air transportation services2 and enacted a preemption provision to ensure that the states would not undo federal deregulation. Congress’ intent to preempt state law relating to rates, routes, or services of an air carrier was made clear by the ADA’s explicit statutory language.3  The court further explained that Congress’ manifest purpose to preempt was apparent in matters of air transportation where “the federal presence is both longstanding and pervasive.”4

The Court of Appeals continued its analysis by discussing the Supreme Court and federal courts’ historically broad interpretation of the ADA preemption provision. The Supreme Court considered the reach of the ADA preemption provision in three cases: American Airlines, Inc. v. Wolens, 513 U.S. 219 (1995); Morales v. Trans World Airlines, Inc., 504 U.S. 374 (1992); and Northwest, Inc. v. Ginsberg, 572 U.S. __ , 134 S.Ct. 1422 (2014).  In those cases, each of which involved attempts to use state consumer protection laws to regulate airlines’ fare advertising and enforce violations of airline frequent flyer rules, the Supreme Court adopted an expansive view of preemption because of the inevitable impact on airline prices and services.  A number of federal courts have reached similar conclusions in the context of lawsuits seeking to enforce air carrier privacy policies through state consumer protection laws.  See In re JetBlue Airways Corp. Privacy Litigation 379 F. Supp. 2d 299 (E.D.N.Y. 2005); In re American Airlines, Inc., Privacy Litigation 370 F. Supp. 2d 552 (N.D. Tex. 2005); Copeland v. Northwest Airlines Corp. 2005 U.S. Dist. Lexis 35139 (W.D. Tenn. 2005); and In re Northwest Airlines Privacy Litigation 2004 U.S. Dist. Lexis 10580 (D. Minn. 2004).

Turning to the specific issues on appeal, the California appellate court described the Fly Delta mobile app as a marketing mechanism selected and designed to facilitate access to the airline’s services and found it “clear, beyond cavil, that the complaint does ‘relate to’ Delta’s services” within the meaning of the ADA.5 The court rejected the State’s suggestion that CalOPPA was merely a disclosure regime instead finding that it highlighted the potential for intrusive regulation of airline business practices. “If each State were to require Delta to comply with its own version of the OPPA, it would force Delta to design different mobile applications to meet the requirements of each state. And, indeed, enforcement of the OPPA’s privacy policy requirements might well make it impossible for an airline to use a mobile application as a marketing mechanism at all.”6 Interpreting the ADA preemption provision otherwise would be “inconsistent with Congress’[s] major legislative effort to leave such decisions, where federally unregulated, to the competitive marketplace.”7

Notably, the appellate court rejected the State’s argument that the ADA should not preempt because CalOPPA is a law of general applicability – that is, it is not related specifically to the airline industry. The court reasoned that the Supreme Court twice rejected the notion that only state laws specifically addressed to the airline industry are preempted. As per Judge Scalia in Morales, “the ADA imposes no constraints on laws of general applicability. Besides creating an utterly irrational loophole (there is little reason why state impairment of the federal scheme should be deemed acceptable so long as it is effected by the particularized application of a general statute), this notion similarly ignores the sweep of the ‘relating to’ language.”8

In light of the above, Court of Appeals agreed that the State’s claims against Delta were expressly preempted by the ADA, affirmed the dismissal and refused to permit an amendment of the complaint finding “no reasonable possibility that the complaint can be amended to avoid the preclusive effect of federal preemption.”9

Conclusion

The Delta ruling reinforces the broad scope of the ADA’s preemption provision and its limitation on state consumer protection laws including those of general applicability.  However, despite the outcome, the Delta litigation and the California AG’s intent to vigorously enforce CalOPPA has had a far reaching impact on the mobile marketplace.  The Joint Statement of Principles raised the bar in terms of the disclosures consumers expect from mobile app providers as has voluntary compliance by the many website and online service providers which cannot rely on federal preemption principles.  Privacy policies are now standard fare for airline mobile apps including Fly Delta.

1 People ex rel. Harris v. Delta Air Lines, Inc. Case No. A139238, 2016 WL 3001805 (Cal. Ct. App. May 25, 2016).

2 See 49 U.S.C. §§ 40101(a)(6) and (12)(A) .

3 49 U.S.C.App. § 1305(a)(1) now 49 U.S.C. § 41713(b)(1)( Except as provided in this subsection, a State, political subdivision of a State, or political authority of at least 2 States may not enact or enforce a law, regulation, or other provision having the force and effect of law related to a price, route, or service of an air carrier that may provide air transportation under this subpart.)

4 2016 WL 3001805 at *8.

5 Id.

6 Id. at *9.

7 Id.

8 Id. at *9.

9 Id. at *12.