This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.
Users of mobile applications (“apps”) on Apple’s “iOS” devices (iPhone, iPad, and iPod Touch, etc., or “iDevices”) could go forward with claims under California’s Consumers Legal Remedies Act and Unfair Competition Law against Apple for violating their privacy rights by unlawfully allowing third-party apps that run on the devices to collect and make use of personal information, for commercial purposes and without users’ knowledge or consent, the federal district court in San Jose, California has ruled.
The court dismissed the users’ claims against Apple and mobile app developers for violations of the Stored Communications Act, the Wiretap Act, the Computer Fraud and Abuse Act, and California’s constitutional right to privacy.
Two Putative Classes
The users’ amended consolidated complaint asserted claims with respect to two putative classes of individuals. The first class, referred to as “the iDevice Class,” contended that Apple-approved apps created by third-party companies (Admob, Inc., Flurry, Inc., AdMarval, Inc., Google, Inc., and Medialets, Inc., collectively, “Mobile Industry Defendants”) unlawfully collected information about the users, including their addresses and current whereabouts, gender, age, zip code, time zone, and information about which functions the users performed on the app. They alleged that Apple violated its express privacy policy by allowing the Mobile Industry Defendants to design apps with the capability to track and collect data about their app use or other personal information.
The second class, referred to as the “Geolocation Class,” consisted of iDevice purchasers who alleged that they “unwittingly, and without notice or consent transmitted location data to Apple servers.” They alleged that, starting in July 2010, Apple began intentionally collecting data on their precise geographic location and storing that information on the iDevice in order to develop a database about the geographic location of cellular towers and wireless networks. They asserted that Apple continued collecting geolocation information about them even after they switched off the location services settings on their iDevices, despite the fact that Apple had represented that they could prevent the collection of such data in that way.
Article III Standing
Both the iDevice Class and the Geolocation Class users alleged sufficient injury to have standing to sue under Article III of the U.S. Constitution, the court decided. In their initial complaint, the users had relied on a theory that collection of personal information itself created a particularized issue for purposes of standing, which the court rejected (CCH Privacy Law in Marketing ¶60,676).
In their amended complaint, the users’ allegations had been significantly developed to allege particularized injury, in the court’s view. The users articulated additional theories of harm beyond their theoretical allegations that personal information has independent economic value. In particular, they alleged actual injury, including diminished and consumed iDevice resources, such as storage, battery life, and bandwidth; increased, unexpected, and unreasonable risk to the security of sensitive personal information; and detrimental reliance on Apple’s representations regarding the privacy protection given to users of iDevice apps.
In addition, the users described the specific iDevices used, the specific defendants that allegedly accessed or tracked their personal information; which apps they downloaded that accessed their personal information; and what harm resulted from the access or tracking of their information. They also identified the types of information collected, such as their home and workplace locations, gender, age, zip code, terms searched, and ID and password for specific app accounts.
The users also identified an additional basis for Article III standing, the court said. The injury required by Article III may exist by virtue of statutes creating legal rights, the violation of which creates standing. The users alleged violations of their statutory rights under the Wiretap Act and the Stored Communications Act. The alleged injuries were fairly traceable to the actions of the defendants. The Geolocation Class asserted that Apple intentionally designed its software to retrieve and transmit geolocation information located on its customers’ iPhones to Apple’s servers.
The iDevice Class alleged that Apple designed its products and App Store to allow individuals to download third-party apps and that Apple represented to users that it took precautions to safeguard their personal information. The app developers were accused of accessing personal information without users’ knowledge or consent. These allegations were sufficient to establish standing, the court concluded.
Stored Communications Act
The users’ claims under the Stored Communications Act (SCA) failed because the SCA was not applicable to the alleged conduct by Apple and the Mobile Industry Defendants, the court determined. Stating an SCA claim requires an allegation that the defendants accessed without authorization a “facility through which electronic communication service is provided.” The users’ mobile devices did not meet the SCA’s definition of “facility.” The users’ iDevices did not provide an electronic communications service simply by virtue of enabling use of electronic communication services.
In addition, the storage of real-time location information and other data on the iDevices did not qualify under the SCA as “electronic storage,” the court said. The iDevices stored location data for up a year; such storage did not constitute the type of temporary, intermediate storage of data incidental to the transmission of the data.
Wiretap Act
The users asserted that Apple’s collection of precise geographic location data from WiFi towers, cell phone towers, and GPS data on users’ devices constituted “interceptions” of data prohibited by the Wiretap Act. However, such data was not “content” covered by the Wiretap Act, the court said. Data automatically generated about a telephone call did not constitute “content” because it contained no information about the substance of the communication. The geolocation data was generated automatically and was not part of the information intentionally communicated by the users.
Computer Fraud and Abuse Act
The court also rejected the users’ Computer Fraud and Abuse Act (CFAA) claims. Apple had the authority to access iDevices and to collect geolocation data as a result of the voluntary installation of software by the users and, therefore, could not have violated the CFAA. In addition, the users failed to allege damage or “impairment” to their devices or an interruption of service.
California Constitutional Right to Privacy
Collection of the users’ data by Apple and the Mobile Industry Defendants did not violate the users’ right to privacy under the California Constitution, the court found. The alleged disclosure of device identifier numbers, personal data, and geolocation information from the users’ iDevices—even if transmitted without their knowledge or consent—was not an egregious breach of social norms, as required to state a claim for invasion of privacy. Rather, it was routine commercial behavior, according to the court.
California Consumer Legal Remedies Act
Apple could be liable for violating California’s Consumer Legal Remedies Act (CLRA), the court determined. The users sufficiently alleged that they sustained harm as a result of the alleged data collection practices. With respect to geolocation data, the users alleged that Apple had stored such data on the users’ iDevices for Apple’s own benefit, at a cost to the users, and the that if Apple had disclosed the true cost of the geolocation features, the value of the iDevices would have been materially less than what the users paid.
In addition, the users contended that because of Apple’s failure to disclose its practices with regard to collection of personal data via apps, the users overpaid for their iDevices. At the pleadings stage, the users sufficiently alleged that they were consumers under the CLRA, and their allegations related to the purchase of goods, the court said.
California Unfair Competition Law
The court also decided that the users could go forward with their claims under the California Unfair Competition Law (UCL). The users had standing under the UCL because they alleged that they paid more for their iDevices than they would have if Apple had disclosed its privacy practices. Apple’s conduct could be illegal under the Consumers Legal Remedies Act and therefore covered by the UCL. In addition, the conduct could be “unfair,” for purposes of the UCL. The users met their burden of pleading fraud with particularity, according to the court.
The decision is In re iPhone Application Litig., CCH Privacy Law in Marketing ¶60,775.
Further details regarding CCH Privacy Law in Marketing appears here.
Showing posts with label Stored Communications Act. Show all posts
Showing posts with label Stored Communications Act. Show all posts
Thursday, July 05, 2012
Friday, December 30, 2011
Blogging in Absent Employee’s Name Could Be False Endorsement
This posting was written by Cheryl Beise, Editor of CCH Guide to Computer Law.
A former employee of an interior design firm who had a personal Twitter following of approximately 1,250 people had standing to pursue a Lanham Act false endorsement claim against the firm for its alleged use of her personal Twitter and Facebook accounts to promote its business when the former employee was in the hospital, the federal district court in Chicago has ruled.
The former employee satisfied the prudential standing requirement for a false endorsement claim because she had developed a protected, commercial interest in her name and identity through her use of social media in the Chicago design community, according to the court.
There was undisputed evidence in the record that during the former employee’s hospitalization, design firm employees accessed her personal Facebook account and accepted friend requests at least five times and posted 17 Tweets on her personal Twitter account.
Stored Communications Act
The court said that the firm’s unauthorized access to the former employee’s Twitter and Facebook accounts could constitute violations of the Stored Communications Act (SCA) if the former employee could show that she suffered actual damages as a result of the firm’s unlawful access to her accounts. The SCA claim required further discovery on the issue of damages.
Right to Publicity
The former employee could not pursue an lllinois Right of Publicity Act claim, the court held. The firm’s employees who used the account did not pass themselves off as the plaintiff and thus did not appropriate her identity within the meaning of the Act, the court determined. Before leaving the firm, the former employee had publicly thanked her temporary replacements for their “amazing posts.”
The decision is Maremont v. Susan Fredman Design Group, Ltd., CCH Guide to Computer Law ¶40,312.
Further information regarding CCH Guide to Computer Law appears here.
A former employee of an interior design firm who had a personal Twitter following of approximately 1,250 people had standing to pursue a Lanham Act false endorsement claim against the firm for its alleged use of her personal Twitter and Facebook accounts to promote its business when the former employee was in the hospital, the federal district court in Chicago has ruled.
The former employee satisfied the prudential standing requirement for a false endorsement claim because she had developed a protected, commercial interest in her name and identity through her use of social media in the Chicago design community, according to the court.
There was undisputed evidence in the record that during the former employee’s hospitalization, design firm employees accessed her personal Facebook account and accepted friend requests at least five times and posted 17 Tweets on her personal Twitter account.
Stored Communications Act
The court said that the firm’s unauthorized access to the former employee’s Twitter and Facebook accounts could constitute violations of the Stored Communications Act (SCA) if the former employee could show that she suffered actual damages as a result of the firm’s unlawful access to her accounts. The SCA claim required further discovery on the issue of damages.
Right to Publicity
The former employee could not pursue an lllinois Right of Publicity Act claim, the court held. The firm’s employees who used the account did not pass themselves off as the plaintiff and thus did not appropriate her identity within the meaning of the Act, the court determined. Before leaving the firm, the former employee had publicly thanked her temporary replacements for their “amazing posts.”
The decision is Maremont v. Susan Fredman Design Group, Ltd., CCH Guide to Computer Law ¶40,312.
Further information regarding CCH Guide to Computer Law appears here.
Friday, May 27, 2011
Facebook Users’ Privacy Claims Dismissed
This posting was written by Cheryl Beise, Editor of CCH Guide to Computer Law.
The federal district court in San Jose has dismissed claims filed by a putative class of Facebook users who alleged that the social networking website unlawfully transmitted their personal information to third-party advertisers without their consent.
The users’ California Legal Remedies Act (CLRA), Unfair Competition Law (UCL), and unjust enrichment claims were dismissed with prejudice, but the users were granted leave to amend claims alleging that Facebook violated its privacy policy, the federal Wiretap Act and Stored Communications Act (SCA), and the California computer crimes and civil fraud statutes.
The users alleged that, during a four or five month period in early 2010, a redesign of Facebook’s website caused it to transmit to a “referral header” to third-party advertisers when a user clicked on a banner advertisement. The referral header allegedly reported the user ID or username of the user who clicked on an advertisement, as well as information identifying the webpage the user was viewing prior to clicking on the ad.
Federal Wiretap and SCA Claims
The Wiretap Act prohibits electronic communication services providers from divulging the contents of a communication to any person or entity “other than an addressee or intended recipient of such communication.” The SCA provides that an electronic communication service provider “shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service.”
Under both statutes, an electronic communication service provider may divulge the contents of a communication to an addressee or intended recipient of such communication.
The court discerned that the users’ allegations were subject to two interpretations. Under the first view, when a Facebook user clicked on a banner advertisement, that click constituted an electronic communication from the user to Facebook. The contents of the communication were a request for Facebook to send the electronic communication to the advertiser. Under the second interpretation, clicking on an advertisement constituted an electronic communication from the user directly to the advertiser.
According to this interpretation, Facebook served merely as a conduit for transmitting the communication to its intended recipient, the advertiser. Neither scenario would support a violation of the SCA or the Wiretap Act, according to the court.
California Computer Crimes Law
The court also held that the Facebook users failed to state a claim under California’s computer crimes statue. To state a violation under most subsections of Cal. Penal Code §502, a plaintiff must show that the defendant’s actions were taken “without permission.” A defendant may only be subjected to liability for acting “without permission” under §502 if the plaintiff can prove that the defendant “circumvented…technical barriers” that had been put in place to block the defendant’s access to the plaintiff’s website.
The users did not allege that Facebook circumvented technical barriers to gain access to a computer, computer network, or website. To the contrary, they alleged that Facebook caused “nonconsensual transmissions” of their personal information as a consequence of Facebook’s “re-design” of its website.
Facebook could not have acted “without permission” as there were no technical barriers blocking access to its own website. To the extent the users’ §502(c) claims alleged that Facebook acted “without permission,” they were dismissed with prejudice.
The court noted that Cal. Penal Code §502(c)(8) created liability for any person who “knowingly introduces any computer contaminant into any computer, computer system, or computer network.” Unlike the other sections of Cal. Penal Code §502(c), subsection (8) does not require that a defendant act “without permission.” Although the users failed to state a claim under §502(c)(8), they were granted leave to amend their claim.
California CLRA, UCL Claims
To assert an unfair competition claim under the California UCL, a private plaintiff must have “suffered injury in fact and . . . lost money or property as a result of the unfair competition.” A violation of the CLRA can only be alleged by an individual consumer who “purchases or leases any goods or services for personal, family, or household purposes.”
The users did not allege that they lost money as a result of Facebook’s conduct. Nor did they allege that they paid fees for Facebook’s services. The users only alleged that Facebook unlawfully shared their “personally identifiable information” with third-party advertisers.
An alleged loss of personal information did not constitute a loss of “property” that could form the basis for a UCL claim, the court held. With regard to their CLRA claim, the users failed to provide any legal support for their assertion that their personal information constituted a form of “payment” to Facebook for its services.
Breach of Contract Claim
To maintain an action for breach of contract under California law, an aggrieved party is required to show “appreciable and actual damage.” Allegations of nominal damages and speculative harm did not amount to legally cognizable damages. The users’ unsupported conclusory statement that they “suffered injury” as a result of Facebook’s breach of its privacy policy was insufficient.
The court advised the users to allege “specific facts showing appreciable and actual damages in support of their claim.” Because the users alleged the existence of a valid contract with Facebook, they could not maintain a claim for unjust enrichment.
The decision is In re Facebook Privacy Litigation., CCH Guide to Computer Law ¶50,183.
Further information about CCH Guide to Computer Law is available here.
Subscribe to:
Comments (Atom)
