Email Harvesting: Repeated Emails From LinkedIn May Violate Publicity Rights

This is a lawsuit alleging that LinkedIn improperly mined users’ contact lists and sent them repeated invitation emails. While Judge Koh eliminated the Stored Communications Act and California anti-hacking statute claims, a chunk of the lawsuit remains. Harvesting contact lists remains a risky business. (See also Path.)

The court describes the sign-up process for LinkedIn in some detail. Users who create profiles are offered a chance to “grow [their] network[s] on LinkedIn.” As part of this process, LinkedIn collects a user’s email address, which is pre-populated – a user can skip this step or continue. Users who continue are taken to a page of their email service provider. (The court uses the example of Google, noting that the complaint focused on individuals who used Gmail accounts to sign up for LinkedIn.) Then the user is asked somewhat obliquely if LinkedIn can access the user’s Google contacts. A user who says “allow” then proceeds to the “connect with people you know on LinkedIn” screen. This page allows a user to connect with people who have LinkedIn accounts, by checking or unchecking boxes next to their accounts. Then comes the next page, which asks innocuously: “why not invite more people”. This page allows a recently signed-up user to invite their friends who don’t have LinkedIn accounts. While the user is given the choice of “adding” users to the network or skipping the step, plaintiffs complained that LinkedIn sent repeated email invites (3 to be exact). Each email contains the name of the user and says the now-familiar “I’d like to add you to my professional network.”

According to plaintiffs, it wasn’t entirely easy to stop this process:

there is no mechanism by which users can withdraw all endorsement emails at once . . . Plaintiffs allege that it would take hours to prevent LinkedIn from sending the repeated endorsement emails to the hundreds or thousands of contacts a user may have.

Plaintiffs alleged claims under the Stored Communications Act, California’s publicity rights statute, Section 502 of the California Criminal Code, and the Unfair Competition Statute.

Standing: The court says that plaintiffs have standing as to the federal statutory claims. As to the remaining claims, the court says that Fraley v. Facebook and Cohen v. Facebook are possibly analogous (one, Fraley, allowed the claims based on Sponsored Stories to move forward, while the court in Cohen rejected the claims as to promotion of the FriendFinder service). The court says this case is “no different from Fraley”:

The Court’s decision in Fraley was premised on the fact that endorsements or invitations from friends or acquaintances are more valuable than generic advertisements that do not contain the recommendation of a familiar or trusted sources. It is this measure or personalization of an endorsement that routinely has a concrete and provable value, as this Court recognized in Fraley and as Judge Seeborg concluded in C.M.D. … In sum, the Court finds that individuals’ names have economic value where those names are used to endorse a product to the individuals’ friends and contacts.

SCA/Wiretap Act: The court addresses LinkedIn’s consent argument and says the key question is whether a reasonable user who viewed LinkedIn’s disclosures would have understood LinkedIn was collecting email addresses. The court says yes, noting that the words “allow” and “no thanks” are presented to the user before the point of collection. Significantly, consent is not buried in a terms of service as it was in the Gmail scanning/advertising case.

Plaintiffs tried to argue that the precise scope of LinkedIn’s collection of emails was unclear, but the court rejects this. It would be clear, the court says, that LinkedIn wants to access a user’s Google contacts . . . i.e., all of them. Plaintiffs also argue that LinkedIn was not clear about its storage practices, but the court says this is irrelevant to consent. The court also rejects plaintiffs’ argument that LinkedIn’s collection of email addresses is contrary to LinkedIn’s own stated policies.

Right of Publicity: As to this claim, the court also agrees that LinkedIn’s disclosures were sufficient to alert users that their names would be attached to emails sent to contacts who were not on LinkedIn. However, the court says that this consent does not necessarily extend to the second and third emails. Among other reasons, because LinkedIn says “we will not . . . email anyone without your permission,” the court says LinkedIn users may have been led astray.

LinkedIn argued that the alleged harm from the second and third emails would be no different from the first, but the court understandably credits the users’ allegations that the repeated emails have more of a deleterious effect on a user’s reputation:

Specifically, the second and third endorsement emails could injure users’ reputations by allowing contacts to think that the users are the types of people who spam their contacts or are unable to take the hint that their contacts do not want to join their LinkedIn network. The reputational harm is magnified by the fact that the only people who receive the second endorsement email are the user’s contacts who chose not to register for LinkedIn upon receipt of the first email. . . . Therefore, individuals who receive second and third email invitations to join LinkedIn after declining one or two previous email invitations to join LinkedIn from the same sender may become annoyed at the sender, which could be professionally or personally harmful. [emphasis added]

Section 502 of California Penal Code: This section has been interpreted to require circumvention of a technical or code-based barrier. Plaintiffs argued that LinkedIn “tunnels through any open email program on a user’s desktop” (i.e., where a LinkedIn user has a Gmail account open on a separate tab, or accesses LinkedIn without having logged out of Gmail, LinkedIn improperly prepopulates the Google account screen where a user is asked whether LinkedIn may access her contact). The court says this does not sufficiently allege circumvention of a code or technical barrier. More importantly, the court says that any alleged harm is undermined by the users’ consent. In practical terms, even if LinkedIn improperly prepopulated the Gmail/LinkedIn page, because the user affirmatively must agree and take an affirmative step before proceeding, a user cannot assert harm.

UCL Claims: Plaintiffs alleged two types of claims under California’s unfair competition statute, those based on misrepresentation and under the unlawful prong. The court dismisses the misrepresentation based claims because plaintiffs failed to allege they actually read and relied on any misrepresentations. As to the UCL claims under the unlawful prong, the court says denial of the motion to dismiss the right of publicity claims necessitates denial of the motion to dismiss these claims as well.

___

Why must social networks abuse our trust so? In a better world, where networks were less careless about respecting user preferences, I could see giving networks access to my contact lists. But the opportunity to demonstrate user trust in that regard has come and gone (and been squandered). (I can’t even get comfortable with the idea of using my primary email address when signing up for accounts.)

While we may not necessarily agree with the legal conclusion that the second and third emails should be treated differently from the first, it’s tough to deny that these emails are designed solely to benefit LinkedIn. Any reasonable user would send one email at best, encouraging their friends to join a network. On a related note, perhaps the case offers lessons to those looking to implement a refer-a-friend program, and shows the drawbacks of being aggressive with repeated emails, even if you have properly procured consent.

Consent under the Stored Communications Act has not been tested very often. The ruling alludes to the Gmail scanning case where Google unsuccessfully attempted to rely on consent in its terms of service. Judge Koh makes a point of contrasting that, by noting that consent here is obtained much more explicitly. I think there’s still some room to argue that LinkedIn could have made it clearer, but the ruling nevertheless provides some guidance for those who wish to rely on consent in this setting.

Publicity rights have been the sleeper hit for plaintiffs in litigation against social networks.

Another interesting case and a split-the-baby ruling from Judge Koh. Although we may not always agree with her rulings, she’s thorough and her opinions make for interesting reading.

[Disclosure: I own a small number of shares in LinkedIn. Also, Eric is an Influencer on that platform.]

Case citation: Perkins v. LinkedIn, 2014 WL 2751053 (N.D. Cal. June 10, 2014)

Related posts:

Path May Be Liable for Text-Spamming Users’ Contact Lists

Facebook’s “Browsewrap” Enforced Against Kids–EKD v. Facebook

Wiretap Claims Against Gmail Scanning Survive Motion to Dismiss — In re: Google Inc. Gmail Litigation

Court Rules That Kids Can Be Bound By Facebook’s Member Agreement

Facebook Sponsored Stories Settlement Approved – Fraley v. Facebook

Judge Seeborg Rejects Sponsored Stories Settlement For Now — Fraley v. Facebook

Facebook “Sponsored Stories” Publicity Rights Lawsuit Survives Motion to Dismiss–Fraley v. Facebook

Court Blesses Instagram’s Right to Unilaterally Amend Its User Agreement–Rodriguez v. Instagram

Privacy Plaintiffs Lose Because They Didn’t Rely on Apple’s Privacy Representations — In re iPhone App Litigation