Android and Pandora Privacy Rulings Accept Low Hurdle for Standing
A pair of rulings from Judge White in lawsuits involving the privacy practices of Android and Pandora employ a loose standard for standing and allowed plaintiffs in both cases to press forward with their claims.
In re Google Android Consumer Privacy Litigation, 1-MD-02264 JSW (N.D. Cal. Mar. 10, 2014): Judge White recently rejected Google’s request to dismiss claims that Google—through the Android platform—gained access to and improperly passed to third parties (or allowed third parties to access) personal information:
- class Members’ home and workplace locations and current whereabouts;
- several universally unique device identifiers (“UUIDs”) assigned to Plaintiffs’ Android mobile phones;
- other device-specific data that was useful to Google and third parties for purposes of “device-fingerprinting;” (i.e., the creation of a back-up unique identifier to engage in tracking of a particular device);
- along with personal information about Plaintiffs such as their gender and age, what functions Plaintiffs performed on Apps, search terms entered, and selections of movies, songs, or restaurants.
Highlights of the ruling:
- the court rejects Google’s standing argument, finding that at the pleading stage, plaintiffs have sufficiently alleged standing
- the court grants Google’s request to jettison the Computer Fraud and Abuse Act claim, finding that even if plaintiffs’ damage allegations are aggregated, they fail to satisfy the damage threshold
- the court dismisses the UCL claim based on the unlawful prong since it piggybacked on the CFAA claim
- the court declines the request to dismiss the UCL claim based on the unfairness prong (“Unfair simply means any practice whose harm to the victim outweighs any benefits.”)
- finally, the court also rejects Google’s argument that plaintiffs are not entitled to restitution because money wasn’t paid directly to Google
The court also cites to the recent ruling in a privacy lawsuit against Apple, which initially left some claims standing but ultimately dismissed those claims at the summary judgment stage. (See Privacy Plaintiffs Lose Because They Didn’t Rely on Apple’s Privacy Representations — In re iPhone App Litigation.)
Yunker v. Pandora, No. 11–CV–03113 JSW (N.D. Cal. Mar 10, 2014): Pandora was sued for making misrepresentations regarding its disclosure of personal information to third parties. The court initially dismissed the lawsuit in an order that made me think plaintiff would not want to re-file, but plaintiff, along with other putative class action reps, re-filed. (See “Judge Boots Privacy Lawsuit Against Pandora but Plaintiffs Can Replead – Yunker v. Pandora”.) This time around the court declines Pandora’s motion to dismiss.
Standing: The court previously concluded that plaintiff failed to allege sufficient facts to satisfy standing but this time around, says that plaintiffs’ allegations regarding “decreased memory space” satisfies standing. The court also cites to their allegations that their PII was economically valuable and that plaintiffs would not have paid fees or turned over their PII had they known how Pandora would misuse it.
UCL Claim: The court previously dismissed the UCL claim on standing grounds, but this time around says that plaintiffs satisfy standing. The court cites again to the use of memory and additional fees incurred by plaintiffs.
Privacy claim under the California Constitution: The court previously dismissed this claim because Pandora’s acts were not an “egregious breach of the social norms underlying the privacy right.” Plaintiffs’ amended complain doesn’t change the court’s view.
Ouch. A diluted test for standing strikes again. Both of these cases are good examples of a court applying nominal scrutiny to the allegations of a privacy plaintiff. It’s tough to mark an exact point where a shift occurred, or even know that it has, but my sense is that standing is increasingly becoming less useful for defendants in privacy cases. These cases don’t raise the issue of statutory standing, where courts have always been more permissive; at this point, these cases involved UCL and breach of contract claims.
These lawsuits may end up going the way of the first generation cookie lawsuits. The slight difference between the two is that while the previous lawsuits were based on privacy intrusions that occurred while plaintiffs were using free services, these lawsuits involve products that were nominally purchased. For this reason, the unfair competition claims are a good hook, at least at the initial stages. Further factual development may show, for example, that the plaintiffs did not rely on Google’s representations or that they haven’t been harmed in a benefit-of-the-bargain sense. This is ultimately what happened with the iPhone app litigation, and I wouldn’t be surprised if a similar outcome was in store for these plaintiffs. [It’s unclear as to the precise extent to which the Pandora plaintiffs’ status as paying customers affects their overall chances. Only some of the plaintiffs are paying customers, but the court doesn’t specify whether the chances of recovery are different for paying versus non-paying customers.]
As a final note, I wouldn’t be surprised if the allegations regarding the collection and transmission of information by Google and app-developers have some shred of truth to them. These lawsuits are typically fashioned around the findings of security/privacy researchers that have some measure of reliability. Of course, that doesn’t mean that it was a conscious decision by Google, or even that there’s a direct financial benefit as a result of the collection and disclosure of information in question. Still, it’s a sad state of affairs when the biggest mobile platforms are facing allegations that their privacy practices turned out to not be as promised.
– In re Google Android Consumer Privacy Litigation, 1-MD-02264 JSW (N.D. Cal. Mar. 10, 2014)
– Yunker v. Pandora, No. 11–CV–03113 JSW (N.D. Cal. Mar 10, 2014)