Users Lacked Standing to Assert Privacy Claims Against Apple, Mobile App Developers
This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.
Users of mobile applications on Apple’s devices could not maintain an action against Apple and mobile app developers for alleged violations of various federal and state privacy laws, because the users failed to allege that they had suffered any injury, the federal district court in San Jose has decided.
Without sufficient allegations of any injury in fact, a federal district court concluded that the users did not have constitutional standing.
Users may download apps for Apple devices only through Apple’s "App Store" application and website. According to the complaint, Apple represented to users that it took precautions to safeguard their personal information against "theft, loss, and misuse, as well as against unauthorized access, disclosure, alteration, and destruction."
Apps Access User Information
However, the devices’ operating system allows apps—without consent of the users—to access, use and track the following information: address book, cell phone numbers, file system, geolocation, International Mobile Subscriber Identity, keyboard cache, photographs, SIM card serial number, and unique device identifier. Developers of apps are able to exploit this access to collect and track personal data without the user’s permission or knowledge.
The users brought suit against Apple and eight mobile app developers for violations of various federal and state laws, including the Computer Fraud and Abuse Act and California’s Computer Crime Law. Apple and the developers argued that the users lacked standing to bring suit, because they did not allege any injury in fact. Apple also argued that its privacy agreements with users barred the users’ claims.
Injury in Fact
To satisfy the constitutional standing requirements of Article III, plaintiffs must show that:
(1) They have suffered an injury in fact that is concrete and particularized and actual or imminent;
(2) The injury is fairly traceable to the challenged action of the defendant; and
(3) It is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.
In their complaint, the users alleged three injuries:
(1) Misappropriation or misuse of personal information;
(2) Diminution in value of the personal information, which is an "asset of economic value" due to its scarcity; and
(3) "Lost opportunity costs" in having installed the apps and diminution in value of the Apple devices because their insufficient security made them less valuable in light of the privacy concerns.
The court determined, however, that the users failed to allege any injury to themselves. The users did not identify which devices they used, if any of the developers accessed or tracked their personal information, and what harm, if any, resulted from such activity. As a result, the users failed to identify any concrete harm from Apple’s or the developers’ activities.
Injury Traceable to Defendants
In addition, the users failed to allege any injury that was fairly traceable to Apple or the developers. The users’ only allegation as to Apple was that Apple designed a platform that could potentially be used by the developers for harmful acts. Such conjectural or speculative allegations about the risk of harm are not sufficient for standing, the court concluded.
Lastly, Apple argued that "click-through" agreements with the users governed any potential liability for third-party apps on the users’ devices, and the express terms and conditions of the agreements barred claims against Apple for any alleged injuries.
The users argued that the agreements were unconscionable, providing no meaningful choice for users. While the court declined to determine whether the agreements were an absolute bar to the users’ claims, it noted that there is always a meaningful choice when a challenged term in a contract involves nonessential recreational activities—forgoing the activity.
The decision is In re iPhone Application Litigation, CCH Guide to Computer Law ¶50,268.