California Attorney General Kamala Harris this month filed the first of what is likely to be multiple legal actions against companies that develop, sell or operate mobile applications whose online privacy policies violate the state's online privacy protections.

Harris filed the lawsuit in San Francisco Superior Court Dec. 6 against Delta Air Lines over allegations that the company violated California's Online Privacy Protection Act. According to the complaint, even though the company's “Fly Delta” mobile app collects personal information—such as the user's name, address, date of birth, credit card number, photographs and geolocation information—it doesn't have a privacy policy.

Under California's online privacy statute, an operator of a commercial Website or online service that collects personally identifiable information through the Internet about consumers residing in California who use or visit its Website or online service shall “conspicuously” post its privacy policy on its Website. Operators of online services must make that policy “reasonably accessible” to those consumers.

“Losing your personal privacy should not be the cost of using mobile apps, but all too often it is,” Harris said in a prepared statement announcing the lawsuit. “California law is clear that mobile apps collecting personal information need privacy policies, and that the users of those apps deserve to know what is being done with their personal information.”

While Delta has a privacy policy on its website, the policy is insufficient because it doesn't discuss specific data types collected by the app, and is not reasonably accessible to app users from within the “Fly Delta” app itself, the complaint states.

The lesson that the Delta case raises is that “simply making your policy reasonably accessible is not sufficient; it must be reasonably accessible within any of your applications making use of user information,” states a client alert from law firm Kaye Scholer. “Does your mobile or social media app allow users to chat, find office locations based on the user's location, or snap photographs? If so, then your app falls under the purview of [the statute] and must have an internal link to your privacy policy.”

The legal costs could be significant; the lawsuit seeks to impose a penalty of up to $2,500 per download.

The lawsuit follows several notice letters Harris sent to mobile app companies in October, warning them that they had 30 days to bring their apps into compliance with California's online privacy statute by “conspicuously” posting a privacy policy within their app. “Having a website with the applicable privacy policy conspicuously posted might adequately meet the statutory requirement, but only if a link to that website is ‘reasonably accessible’ to the user within the app,” the letter stated.

Delta was among the companies notified in October that its “Fly Delta” app needed a privacy policy. Despite receipt of the notice, Delta failed to post a policy, the complaint stated.

In February, Harris reached an agreement with six of the largest mobile and social app providers in the market to improve on their privacy protections. These companies include Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research In Motion; Facebook joined the agreement in June.

The wider lesson here is that California continues to ramp up its privacy enforcement efforts, especially with the new Privacy Enforcement and Protection Unit created under Harris in February. Thus, multinational companies would be wise to take a proactive approach to privacy policies and to mitigating litigation risk in California and elsewhere.