This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.
Users of mobile applications (“apps”) on Apple’s “iOS” devices (iPhone, iPad, and iPod Touch, etc., or “iDevices”) could go forward with claims under California’s Consumers Legal Remedies Act and Unfair Competition Law against Apple for violating their privacy rights by unlawfully allowing third-party apps that run on the devices to collect and make use of personal information, for commercial purposes and without users’ knowledge or consent, the federal district court in San Jose, California has ruled.
The court dismissed the users’ claims against Apple and mobile app developers for violations of the Stored Communications Act, the Wiretap Act, the Computer Fraud and Abuse Act, and California’s constitutional right to privacy.
Two Putative Classes
The second class, referred to as the “Geolocation Class,” consisted of iDevice purchasers who alleged that they “unwittingly, and without notice or consent transmitted location data to Apple servers.” They alleged that, starting in July 2010, Apple began intentionally collecting data on their precise geographic location and storing that information on the iDevice in order to develop a database about the geographic location of cellular towers and wireless networks. They asserted that Apple continued collecting geolocation information about them even after they switched off the location services settings on their iDevices, despite the fact that Apple had represented that they could prevent the collection of such data in that way.
Article III Standing
Both the iDevice Class and the Geolocation Class users alleged sufficient injury to have standing to sue under Article III of the U.S. Constitution, the court decided. In their initial complaint, the users had relied on a theory that collection of personal information itself created a particularized issue for purposes of standing, which the court rejected (CCH Privacy Law in Marketing ¶60,676).
In their amended complaint, the users’ allegations had been significantly developed to allege particularized injury, in the court’s view. The users articulated additional theories of harm beyond their theoretical allegations that personal information has independent economic value. In particular, they alleged actual injury, including diminished and consumed iDevice resources, such as storage, battery life, and bandwidth; increased, unexpected, and unreasonable risk to the security of sensitive personal information; and detrimental reliance on Apple’s representations regarding the privacy protection given to users of iDevice apps.
In addition, the users described the specific iDevices used, the specific defendants that allegedly accessed or tracked their personal information; which apps they downloaded that accessed their personal information; and what harm resulted from the access or tracking of their information. They also identified the types of information collected, such as their home and workplace locations, gender, age, zip code, terms searched, and ID and password for specific app accounts.
The users also identified an additional basis for Article III standing, the court said. The injury required by Article III may exist by virtue of statutes creating legal rights, the violation of which creates standing. The users alleged violations of their statutory rights under the Wiretap Act and the Stored Communications Act. The alleged injuries were fairly traceable to the actions of the defendants. The Geolocation Class asserted that Apple intentionally designed its software to retrieve and transmit geolocation information located on its customers’ iPhones to Apple’s servers.
The iDevice Class alleged that Apple designed its products and App Store to allow individuals to download third-party apps and that Apple represented to users that it took precautions to safeguard their personal information. The app developers were accused of accessing personal information without users’ knowledge or consent. These allegations were sufficient to establish standing, the court concluded.
Stored Communications Act
The users’ claims under the Stored Communications Act (SCA) failed because the SCA was not applicable to the alleged conduct by Apple and the Mobile Industry Defendants, the court determined. Stating an SCA claim requires an allegation that the defendants accessed without authorization a “facility through which electronic communication service is provided.” The users’ mobile devices did not meet the SCA’s definition of “facility.” The users’ iDevices did not provide an electronic communications service simply by virtue of enabling use of electronic communication services.
In addition, the storage of real-time location information and other data on the iDevices did not qualify under the SCA as “electronic storage,” the court said. The iDevices stored location data for up a year; such storage did not constitute the type of temporary, intermediate storage of data incidental to the transmission of the data.
The users asserted that Apple’s collection of precise geographic location data from WiFi towers, cell phone towers, and GPS data on users’ devices constituted “interceptions” of data prohibited by the Wiretap Act. However, such data was not “content” covered by the Wiretap Act, the court said. Data automatically generated about a telephone call did not constitute “content” because it contained no information about the substance of the communication. The geolocation data was generated automatically and was not part of the information intentionally communicated by the users.
Computer Fraud and Abuse Act
The court also rejected the users’ Computer Fraud and Abuse Act (CFAA) claims. Apple had the authority to access iDevices and to collect geolocation data as a result of the voluntary installation of software by the users and, therefore, could not have violated the CFAA. In addition, the users failed to allege damage or “impairment” to their devices or an interruption of service.
California Constitutional Right to Privacy
Collection of the users’ data by Apple and the Mobile Industry Defendants did not violate the users’ right to privacy under the California Constitution, the court found. The alleged disclosure of device identifier numbers, personal data, and geolocation information from the users’ iDevices—even if transmitted without their knowledge or consent—was not an egregious breach of social norms, as required to state a claim for invasion of privacy. Rather, it was routine commercial behavior, according to the court.
California Consumer Legal Remedies Act
Apple could be liable for violating California’s Consumer Legal Remedies Act (CLRA), the court determined. The users sufficiently alleged that they sustained harm as a result of the alleged data collection practices. With respect to geolocation data, the users alleged that Apple had stored such data on the users’ iDevices for Apple’s own benefit, at a cost to the users, and the that if Apple had disclosed the true cost of the geolocation features, the value of the iDevices would have been materially less than what the users paid.
In addition, the users contended that because of Apple’s failure to disclose its practices with regard to collection of personal data via apps, the users overpaid for their iDevices. At the pleadings stage, the users sufficiently alleged that they were consumers under the CLRA, and their allegations related to the purchase of goods, the court said.
California Unfair Competition Law
The court also decided that the users could go forward with their claims under the California Unfair Competition Law (UCL). The users had standing under the UCL because they alleged that they paid more for their iDevices than they would have if Apple had disclosed its privacy practices. Apple’s conduct could be illegal under the Consumers Legal Remedies Act and therefore covered by the UCL. In addition, the conduct could be “unfair,” for purposes of the UCL. The users met their burden of pleading fraud with particularity, according to the court.
The decision is In re iPhone Application Litig., CCH Privacy Law in Marketing ¶60,775.
Further details regarding CCH Privacy Law in Marketing appears here.