A Q&A with Ronald Raether, Jr.
In an increasingly device-dependent world, the issue of data integrity with regard to mobile applications is becoming ever more critical. In California, the attorney general brought a case against Delta Airlines for not warning customers that it was collecting sensitive data. I asked Ronald Raether, Jr., defense attorney and partner at Faruki Ireland & Cox in Dayton, OH, about the case and its implications for liability and regulatory exposure.
Do you think this can be an exposure that impacts many companies across the US?
Any company offering a mobile app that is used by a California consumer is subject to this regulation, and since they can’t possibly isolate out that consumer, it applies to everyone. Companies have already been dealing with these jurisdictional questions with regard to websites since OPPA was introduced in 2004. The bigger issue is really how the regulation relates to startups and their need for revenue and cost avoidance as well as the general ignorance around these obligations. Startups tend to focus exclusively on developing towards the concept often without consideration to privacy or security. As a result, once a startup achieves some success they could be putting all of their profits in jeopardy if they haven’t baked in compliance from the beginning. This is even more relevant in the case of mobile apps because the lack of real estate on the smaller screen means there’s less room for compliance announcements. In other states I think we will see similar legislation like that being considered in Maine and attorneys general to scrutinize companies’ policies and conduct and bring unfair competition claims based on any inconsistencies. The FTC will likely follow suit. We’ve already seen this with the Path application, which was ordered to pay $800,000 to settle FTC charges that it didn’t live up to its privacy promises.
Can a California enforcement action lead to class action exposure?
Yes, it could lead to class action exposure but I am not certain it will. For example, in the wake of the recent suit brought by the California attorney general against Delta we have yet to see a private class action filed. The reason may be that there are no statutory damages that arise from the violation so the incentives are not there for plaintiff’s counsel.
What can a company do to mitigate their risk here?