The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Leave a comment

What’s More Challenging? Establishing Privacy Class Action Standing, or Climbing Mount Kilimanjaro?

Two opinions recently issued from the Northern District of California have important implications for parties seeking privacy class actions. Both opinions highlight the evolving jurisprudence around establishing standing for consumer privacy lawsuits.

In re Apple iPhone Application Litigation

On November 25, 2013, Judge Lucy Koh granted Apple’s motion for summary judgment on all of plaintiffs’ claims in In re Apple iPhone Application Litigation, 11-MD-02250-LHK (N.D. Cal. Nov. 25, 2013). Plaintiffs alleged that Apple violated its Privacy Policy by allowing third parties to access iPhone users’ personal information. Based on those misrepresentations, plaintiffs claimed they overpaid for their iPhones, and that their iPhones’ performance suffered. Plaintiffs also alleged that Apple violated its Software License Agreement (“SLA”) when it falsely represented that customers could prevent Apple from collecting geolocation information by turning off the iPhone’s Location Services setting. Plaintiffs alleged that, contrary to this representation, Apple continued to collect certain geolocation information from iPhone users even if those users had turned the Location Services setting off. Based on the SLA misrepresentations, plaintiffs alleged they overpaid for their iPhones and suffered reduced iPhone performance. Plaintiffs argued that Apple’s alleged conduct constituted a violation of California’s unfair competition law (“UCL”) and the Consumer Legal Remedies Act (“CLRA”).

Judge Koh disagreed, finding that plaintiffs failed to create a genuine issue of material fact concerning their standing under Article III, the UCL, and the CLRA. Judge Koh held that plaintiffs presented enough evidence of injury—that plaintiffs purportedly overpaid for their iPhones and suffered reduced iPhone performance. Conversely though, Judge Koh held that plaintiffs could not establish that such injury was causally linked to Apple’s alleged misrepresentations. Judge Koh ruled that actual reliance was essential for standing. Accordingly, plaintiffs must have (1) seen the misrepresentations; and (2) acted on those misrepresentations.  Judge Koh noted that none of the plaintiffs had even seen the alleged misrepresentations prior to purchasing their iPhones, or at any time thereafter. Because none of the plaintiffs had even seen the misrepresentations, they could not have relied upon such misrepresentations. Without reliance, Judge Koh held that plaintiffs’ claims could not survive.

In re Google, Inc. Privacy Policy Litigation

On December 3, 2013, Judge Paul Grewal granted Google’s motion to dismiss in In re Google, Inc. Privacy Policy Litigation, Case No. C-12-01382-PSG (N.D. Cal. Dec. 3, 2013), but not based on lack of standing. The claims stemmed from Google’s change in its privacy policies. Before March 1, 2012, Google maintained separate privacy policies for each of its products, and those policies purportedly stated that Google would only use a user’s personally-identifying information for that particular product. Google then introduced a new privacy policy informing consumers that it would commingle data between products. Plaintiffs contend that the new privacy policy violated Google’s prior privacy policies. Plaintiffs also alleged that Google shared PII with third parties to allow third parties to develop apps for Google Play.

In assessing standing, Judge Grewal noted that “injury-in-fact has proven to be a significant barrier to entry,” and that establishing standing in the Northern District of California is akin to climbing Mount Kilimanjaro. Notwithstanding the high burden, Judge Grewal found that plaintiffs adequately alleged standing.

Plaintiffs alleged standing based on (1) commingling of personally identifiable information; (2) direct economic injury; and (3) statutory violations. With respect to the commingling argument, plaintiffs contended that Google never compensated plaintiffs for the value associated with commingling PII amongst different Google products. Judge Grewal rejected this argument, noting that a plaintiff may not establish standing by pointing to a defendant’s profit; rather, plaintiff must actually suffer damages as a result of defendant’s conduct.

With respect to plaintiffs’ allegations of direct economic injury, Judge Grewal held that those allegations sufficed to confer standing. Plaintiffs argued they suffered direct economic injuries because of reduced performance of Android devices (plaintiffs had to pay for the battery power used by Google to send data to third parties). Plaintiffs also argued that they overpaid for their phones and had to buy different phones because of Google’s practices. These allegations sufficed to establish injury. Based on Judge Koh’s opinion in Apple, one key issue in the Google case will likely be whether any of the plaintiffs actually read and relied upon Google’s privacy policies.

Finally, Judge Grewal found that standing could be premised on the alleged violation of statutory rights. This ruling is consistent with the trend in other federal courts. Though Judge Grewal ultimately dismissed the complaint for failure to state a claim, the opinion’s discussion of standing will be informative to both the plaintiff and defense bars in privacy litigation.

The Apple and Google lawsuits represent a fraction of the many lawsuits seeking to recover damages and/or injunctive relief for the improper collection and/or use of consumer information. Establishing standing remains a difficult hurdle for plaintiffs in consumer privacy lawsuits, though courts are increasingly accepting standing arguments based on statutory violations and allegations of economic injuries. The Apple decision is on appeal, so we will see if the Ninth Circuit sheds further light on issues of standing in privacy lawsuits.

The Most Popular Flashlight App Kept Consumers in the Dark about Tracking Them.

Have you ever downloaded a flashlight app?

Well, if you have and use it on an Android, you might want to check out which one it is. If it’s “Brightest Flashlight Free,” there’s some big news for you, along with more than 50,000,000 other users!

On December 5, 2013, the Federal Trade Commission (“FTC”) issued a settlement package with the app’s developer – Goldenshores Technologies, LLC – claiming that the company violated Section 5 of the FTC Act with its deceptive practices. The FTC alleges that, not only did the company omit material information about sharing sensitive user data with advertising networks and other third parties, but it also failed to ensure that the privacy disclosures it did make were accurate and sufficiently prominent. So, just think, if you have Brightest Flashlight Free, your precise location data has been shared with third parties without your consent, and they could be using that data to track your whereabouts.

How did Goldenshores Technologies do it? Well, according to the FTC charges, the company deceptively failed to disclose to consumers that the app transmitted users’ precise geolocation and unique device identifier – information the FTC considers sensitive – to third parties. Furthermore, the privacy policy, found only in the End User License Agreement and not in the app’s promotional page on the Google Play store, listed some information that the company might collect, but failed to mention the inclusion of sensitive information. The privacy policy also stated that only Goldenshores would use the information listed, not third parties.

But wait! There’s more! Even if you downloaded Brightest Flashlight Free but never used it, the FTC alleges that you could still have been tracked. According to the proposed settlement, if users downloaded the app, viewed the End User License Agreement but then chose to reject it, the user’s precise geolocation information and Device ID was already being transmitted. So even if you never used the downloaded app, your sensitive data was already on its way. How many of us remember whether we downloaded an app that we never used?

So what’s the big deal? Well, with location data and device IDs, an advertising company can pull together your information across several apps, enabling a marketer to follow you throughout your day. And if you downloaded Brightest Flashlight Free, you weren’t given a choice about it.

The FTC’s proposed settlement package has a number of elements. Even though Brightest Flashlight Free has been accused of improperly collecting and sharing sensitive information, because the app was free, the settlement does not include a fine against the company. It does, however, require Goldenshores to clean up its act and stop misrepresenting how consumer information is collected and shared, and how much control consumers have over the way that their information is used. Goldenshores must also provide a just-in-time disclosure that fully informs consumers when, how, and why their geolocation information is being collected, used, and shared, as well as obtains their affirmative express consent before doing so. And, fortunately, the company must delete all of the sensitive information Brightest Flashlight Free nefariously collected. So that’s the good news. But what about the sensitive data already sent to third parties? No mention of that being deleted, unfortunately.

The commission is accepting comments on the proposed consent agreement package through January 6, 2014. Maybe someone will ask them what will happen to all the sensitive data those third parties already have.