Bad Idea: Overdisclosing People’s Positive STD Status–Doe v. Successfulmatch

This is a privacy lawsuit brought by people who signed up for a dating site (Positive Singles) for people with STDs. Plaintiffs allege that Successfulmatch, the company that operates the site, made numerous privacy representations stating in its website copy that it “care[s] about [users’] privacy more than other sites.”

A registration page said that the site would not “disclose, sell, or rent any personally identifiable information to any third party organizations.” The terms of service stated that profiles created on the site

may be shared with other sites within the SuccessfulMatch network. By posting or maintaining a profile on this or any other SuccessfulMatch Network site, [users] agree and consent that said profile shall be subject to placement on other SuccessfulMatch Network sites, at the discretion of SuccessfulMatch, without further notice.

Defendant operated its own sites but also allowed others to become “private label” or affiliate partners. An affiliate obtains a domain name and builds a site using SuccessfulMatch software, and populates the site with SM user data. Affiliated sites include “blackpoz.com” “hivaidsdating.com” “HIVgaymen.com” “alllifestyle4bbw.com” “christiansafehaven.com” and “STDhookup.com”. If a user registers with one of these affiliate sites, he or she also automatically registers with SuccessfulMatch and the user profile can be viewed across the entire network.

Plaintiffs alleged that SuccessfulMatch was liable for claims under California’s unfair competition and Consumer Legal Remedies Act by making affirmative representations regarding the scope of privacy protections, and for omitting the extent of sharing across the network. SuccessfulMatch brought a variety of defenses, none of which work.

The SuccessfulMatch website did disclose that profiles may be shared but plaintiffs argued, and the court agreed, that the disclosure did not detail the number of sites or the nature of the relationship between the affiliate sites and the main sites. Plaintiffs further alleged that the site they signed up on (positivesingles.com) uses terms such as “100% confidential” and “exclusive” to denote that profiles would be limited to that particular site. The court says whether reasonable consumers would be deceived is a factual question, and plaintiffs alleged sufficient misleading statements to state a claim. Defendant tried to argue that its disclosure of affiliate-profile sharing was sufficient to dispel any misunderstanding, but the court says that the location and prominence of the disclosure matters, plus the disclosures were qualified and general.

Defendant also argued that they did not have a duty to disclose the withheld information but the court says plaintiffs allege sufficient facts to fit this into a “duty to disclose” scenario. The information disclosed would be material to plaintiffs’ decision, and in fact plaintiffs requested and were not provided with the affiliate information. [This vaguely sounds like it implicates California’s Shine the Light privacy statute.]

Finally, defendant raised two other arguments that did not get traction with the court. First, it argued that the allegedly deceptive statements were “mere puffery,” but the court doesn’t give it the benefit of the doubt given the ambiguity in defendant’s disclosures and plaintiffs’ allegations of being misled. Second, defendant argued that it complied with California’s privacy statute and this insulates it. CalOPPA, the statute which requires the posting of a privacy policy for commercial websites that collect personal information, does not expressly dictate what information the policy must contain. While it generally requires the posting of a policy, it is not a get-out-of-jail free card for allegedly misleading statements when such a policy is posted.

Finally, defendant asserted a “benefit of the bargain” argument, saying that plaintiffs received what they paid for (i.e., dating site services) and the fact that their profiles were wrongfully shared did not cause them to lose the benefit of the bargain. However, this argument is only credited when the misrepresentation was not material to the consumer. Given that the privacy representations are alleged to be material, whether or not plaintiffs’ received or took advantage of the dating site services is immaterial.

Finally, after all this, the court says that plaintiffs’ failed to satisfy Rule 9’s particularity requirement: they did not state exactly when the misrepresentations were made and which specific representations each plaintiff relied on. Thus, the court dismisses, but signals that plaintiffs can likely remedy this deficiency.

__

This is a privacy case where the plaintiffs and claims have key differences from the run-of-the-mill privacy case. First, the facts here are sensitive, and even incidental disclosure would support a claim for damages. Second, these are paying customers and did not sign-up for a free service. It’s unclear whether this is what keeps the lawsuit going in contrast to the numerous other information-sharing lawsuits we see that are routinely dismissed. The case of course contains the age-old scenario of a website making rosy marketing assurances that may not be backed up by its actual practices. (Something the FTC has been cracking down on and that ensnared mainstream sites and services such as Facebook, Snapchat, and even Twitter.)

The key factual question is the role of these affiliate sites. They could just be a means of driving traffic, and while this does not neutralize allegedly misleading statements, it does put it in a slightly different light than a case where a site is actually sharing information with third parties. Unstated in the court’s opinion is whether there is increased security risk or downstream disclosure from the affiliate sites. Once the information is out of SuccessfulMatch’s hands, it’s tough to control what happens to it.

Again, this case is a rare standout as a privacy lawsuit with legs. FWIW, this case involves non-California residents. California residents brought a separate lawsuit in state court. This recently resulted in a whopping $16.5M jury award against the company ($1.5M in compensatory damages and $15M in punitive damages).

Case Citation: Doe v. Successfulmatch.com, 13-cv-03376-LHK (N.D. Cal. Sept. 30, 2014)

Related posts:

Android ID Isn’t Personally Identifiable Information Under the Video Privacy Protection Act

Washington State Supreme Court Hears an Interesting Privacy Case: Dillon v. Seattle Deposition Reporters

Minors’ Privacy Claims Against Viacom and Google Over Disclosure of Video Viewing Habits Dismissed

Lawsuit Over Google’s Unified Privacy Policy Pared Down, But Two Claims Survive

Hulu Unable to Shake Video Privacy Protection Act Claims

Apple May Be Liable For Privacy Violations by Third Party Developed Apps

Privacy Claims Based on LinkedIn’s Security Promises Survive Motion to Dismiss

Android and Pandora Privacy Rulings Accept Low Hurdle for Standing

Talk on Why State Legislatures Shouldn’t Regulate Internet Privacy

Is Sacramento The World’s Capital of Internet Privacy Regulation? (Forbes Cross-Post)

Video Privacy Protection Act Plaintiffs Can Proceed Against Hulu Absent Showing of Actual Injury

My Testimony on California’s Efforts to Regulate Internet Privacy

California Assembly Hearing, “Balancing Privacy and Opportunity in the Internet Age,” SCU, Dec. 12

Google Gets Dismissal of Lawsuit Over Privacy Policy Integration–In re Google Privacy Policy

Privacy Plaintiffs Lose Because They Didn’t Rely on Apple’s Privacy Representations — In re iPhone App Litigation

Google Wins Cookie Privacy Lawsuit