Harris v. Delta Air Lines, Inc. Ca Ct App A139238 (May 25, 2016)


Delta is primarily an air carrier engaged in the business of providing passenger air transportation.  To facilitate access to its services by consumers and potential consumers, Delta maintains a commercial website Delta.com accessible on the Internet.  Since at least October 2010, Delta is also “an operator of online services,” in the form of the Fly Delta mobile application, which can be downloaded from the Internet and runs on smart phones and other mobile devices.  In its complaint, the State alleges that the Fly Delta mobile application “may be used to check-in online for an airplane flight, view reservations for air travel, rebook cancelled or missed flights, pay for checked baggage, track checked baggage, access a user’s frequent flyer account, take photographs, and even save a user’s geo-location.”  The Fly Delta mobile application also allegedly allows customers to send and receive information over the Internet, and collects certain personally identifiable information (“PII”) about individual consumers residing in California. However, as of the filing of the complaint, Delta had failed to post a readily accessible privacy policy concerning the PII collected from users of the Fly Delta mobile application—either in the Fly Delta mobile application itself, in the platform stores from which the mobile application could be downloaded, or on the Delta.com website. Consequently, as of the filing of the complaint, the current version of the Fly Delta mobile application, released June 15, 2012 (on Google) and June 22, 2012 (on Apple), had been downloaded by consumers millions of times since October 2010 without the posted privacy policy required by the OPPA.  And, thus, users of the Fly Delta mobile application were not informed that PII was collected concerning them, how Delta used that information, or to whom that information was shared, disclosed or sold.


Could California enforce the Online Privacy Protection Act of 2003 against Delta Air Lines, an air carrier under the Airline Deregulation Act of 1978?


We conclude our discussion by noting that we do not write on an entirely clean slate.  Several federal district courts have considered the scope of ADA preemption in the context of state enforcement of consumer protection laws similar to the UCL for an air carrier’s violation of its privacy policy regarding the collection of PII.  All the courts have reached the same conclusion we reach here today—the ADA preempts state-law claims seeking to enforce air carriers’ privacy policies through consumer protection laws similar to the UCL.  (See In re JetBlue Airways Corp. Privacy Litigation (E.D.N.Y.2005) 379 F.Supp.2d 299 (JetBlue Airways);  In re American Airlines, Inc., Privacy Litigation (N.D.Tex.2005) 370 F.Supp.2d 552 (American Airlines);  Copeland v. Northwest Airlines Corp. (W.D.Tenn.2005) 2005 U.S. Dist. Lexis 35139 (Copeland);  In re Northwest Airlines Privacy Litigation (D.Minn.2004) 2004 U.S. Dist. Lexis 10580 (Northwest Airlines).)  In these cases, the plaintiffs claimed to have been injured by an airline’s unauthorized collection and disclosure of certain of their PII in their passenger name records (PNRs) in violation of the airline’s stated privacy policies concerning the sharing of PII.  (JetBlue Airways, supra, at pp. 303, 304, 305;  American Airlines, supra, at p. 554;  Copeland, supra, at pp. *2–3;  Northwest Airlines, supra, at p. *3.)  The plaintiffs alleged the airlines’ conduct constituted deceptive trade practices under the Texas Deceptive Trade Practices–Consumer Protection Act, the New York General Business Law, the Minnesota Deceptive Trade Practices Act, the Tennessee Consumer Protection Act, and similar statutes of 45 other states and the District of Columbia, which prohibit unfair and deceptive acts and practices.  (JetBlue Airways, supra, at pp. 305, 315, fn. 12;  American Airlines, supra, at p. 555;  Copeland, supra, at p. *9, fn. 3;  Northwest Airlines, supra, at p. *3.)
The federal district courts uniformly concluded that the plaintiffs’ claims were expressly preempted by the ADA under Morales and Wolens.  (JetBlue Airways, supra, at pp. 315–316;  American Airlines, supra, at p. 555;  Copeland, supra, at pp. *9–10;  Northwest Airlines, supra, at pp. *10–12.)  As the federal district court in JetBlue Airways explained, the plaintiffs’ claim concerning a violation of the airline’s privacy policy “fits squarely within the range of state law actions that the Supreme Court concluded, in Wolens and Morales, are expressly preempted by the ADA, because it represents a direct effort to regulate the manner in which [the airline] communicates with its customers in connection with reservations and ticket sales, both of which are services provided by the airline to its customers.”  (JetBlue Airways, supra, at p. 315.)  And, as further explained by another federal district court, and pertinent to our discussion, “Congress surely intended to immunize airlines from a host of potentially varying state laws and state-law causes of action that could effectively dictate how [air lines] manage personal information collected from customers to facilitate the ticketing and reservation functions that are integral to the operation of a commercial airline.”  (American Airlines, supra, at p. 564, fn. omitted).  We find these decisions both persuasive and dispositive of the federal preemption issue in this case.

We therefore hold that state enforcement of the OPPA’s privacy policy requirements as applied to Delta’s Fly Delta mobile application is expressly preempted by the ADA.  To compel Delta to comply with the OPPA would effectively interfere with the airline’s “selection and design” of its mobile application, a marketing mechanism “appropriate to the furnishing of air transportation service,” for which state enforcement has been held to be expressly preempted by the ADA.  (Wolens, supra, 513 U.S. at p. 219;  see Morales, supra, 504 U.S. at pp. 387–390.)

Useful for

Airline Deregulation Act prevents enforcement of U.S. State privacy law

Treaty provisions considered

No treaty provisions considered.

Legislation considered

US Airline Deregulation Act 1978

Key subjects or concepts

Local Law on Privacy / Preemption