July 05, 2012
Men's Journal Beats Lawsuit Alleging Violation of California’s “Shine the Light” Privacy Statute -- Boorstein v. Men’s Journal
[Post by Venkat Balasubramani with comments from Eric]
Boorstein v. Men’s Journal LLC, 12-771 DSF (Ex) (C.D. Cal.; June 14, 2012)
Boorstein sued (on behalf of a putative class) alleging that Men’s Journal did not comply with the statute because it failed to provide consumers with the appropriate contact information to enable consumers to make requests under the STL statute. Boorstein did not allege that he took any steps to find out this information (or otherwise find out about Men's Journal's information sharing practices) by contacting Men’s Journal. Boorstein simply alleged that Men's Journal's failure to designate contact information alone was sufficient to allege a violation of the statute.
The court says no go.
No standing as a result of loss of economic value to Boorstein’s information: First, the court says that Boorstein did not suffer economic injury that was caused by a violation of the statute. It’s questionable in the first place whether Boorsteein’s information has economic value in Boorstein’s hands. (See, e.g., Del Vecchio v. Amazon, among other cases.) In any event, the court says the statute does not actually prohibit the exploitation of consumer information for marketing purposes. Additionally, the statute is backward looking, and only requires businesses to disclose their use of consumer information for the “immediately preceding calendar year.” End result: even to the extent plaintiff's personal information is property that can be appropriated by Men's Journal, any harm Boorstein suffered isn't caused by the alleged statutory violation.
Failure to provide contact information is not an “injury” under the STL law: The court also says that Men’s Journal’s failure to display the contact information alone does not state a claim under the STL law. The law requires some sort of “injury” flowing from a violation, and as mentioned above, the court says there’s no injury to the value of Boorstein's personal information that results from the alleged statutory violation. Case law only recognizes “information injury” (failure to provide required information) where the information is requested but not provided. Boorstein’s failure to allege that he requested the contact information from Men's Journal undermines his claim. The court also says that Boorstein’s injury is “procedural,” rather than “informational.”
Boorstein’s argument based on the Men’s Journal subscription fee fails: Boorstein also made the typical consumer protection argument that the price of the Men’s Journal subscription included the value of the designated contact information for STL law purposes, and Men’s Journal’s failure to provide this information means that he has been cheated out of his bargain. [Say what?] The court says that Boorstein’s allegation that Men’s Journal impliedly represented that it would "abide by all applicable laws" doesn’t mean that Men’s Journal agreed to provide contact information as part of the subscription price--or, more importantly, that Boorstein would not have subscribed had he known the contact information would not be forthcoming. The court also says that Boorstein cannot make out a UCL claim because he has not lost “money or property” as a result of Men’s Journal’s violations of the statute. As already mentioned, he would have subscribed anyway, so Boorstein can’t use the subscription price as part of his “money or other property” argument. Similarly, he also can’t use the value of his personal information in order to support his UCL claim.
A few observations:
1. The "personal information as property" meme is not gaining much traction. In fact, apart from an initial decision or two that recognized this as a possible theory (for standing purposes), courts have pretty resoundingly rejected it. (Del Vecchio v. Amazon and In re iPhone App Litigation are two recent examples.) Perhaps a blockbuster appellate ruling will come along to rescue privacy plaintiffs. Until then, the trial courts are not buying this argument at all.
2. The "privacy as part of the purchase price" argument is also something that plaintiffs often raise, but courts don’t like this either. It’s worth noting that in this case, even the plaintiff’s own allegations (as the court described them) didn’t expressly say that he would not have bought the magazine subscription had he known he would not have been provided contact information. There's an obvious reason for this.
3. The court doesn’t get into Article III standing here, and instead relies on lack of statutory standing. To me, the two standing concepts all run together into a big quagmire, but when dealing with a state law in federal court, it seems preferable to rely on statutory standing as a bar. (First American v. Edwards, the then-pending Supreme Court case in which Facebook and other companies weighed in on as amici, involved standing under a federal statute. But in an anticlimactic move, the Supreme Court dismissed the case without ruling on it. I didn't think a ruling in First American's favor in this case would have dramatically changed the landscape, but the lack of a decision from the Supreme Court moots this issue for now.)
4. Obviously, this ruling puts a slight crimp in the legislature’s vision of using STL to give consumers additional control over how their information is used. The court's ruling doesn’t leave consumers in a great position. Even if Boorstein had requested the information and it wasn’t provided, would he be able to obtain damages under the statute? STL provides for statutory penalties, but the tone of the ruling is that Boorstein hadn’t been damaged anyway (or damaged in a way that was tied to the statutory violation), so it’s possible that the court would have come out the same way even if Boorstein had made the necessary request.
California's "Shine the Light" statute is a textbook example of a miscalibrated privacy statute (which I would argue describes almost all privacy statutes). It starts from a simple premise--consumers just want to know if a business is selling their personal information to marketers--and, to effectuate this premise, imposes substantial compliance costs and obligations on businesses (mostly just creating traps for the unwary) without any clear countervailing benefit for consumers or society at large. Not only do I question the basic premise that consumers "just want to know" about sales of their private info to marketers (see my Coasean Analysis of Marketing article), but as this and related cases illustrate, the private cause of action means that the statute almost certainly will be enforced by privacy class action lawyers who are more interested in their own quick profits than in advancing consumer welfare (see my Irony of Privacy Class Action Litigation article). There are a number of good cautionary lessons that legislators, and the privacy advocates who egg them on, could learn from this statute and this ruling, but I'm skeptical either legislators or privacy advocates will take the time to reflect on those lessons.
Venkat's follow-up comment:
I mildly dissent from Eric's position questioning "the basic premise that consumers 'just want to know' about sales of their private info to marketers." I may be idiosyncratic and in the minority in this regard, but particularly when it comes to magazine subscriptions I would love to know where my information ends up. (My instinct is that a big chunk of my junk mail is a result of the three or four magazine subscriptions I have in place.) I'm not sure I would change my purchasing decisions dramatically, but knowing this bit of information may tip the balance a bit or cause me to try to pressure the companies into not making my information available to third parties for direct marketing purposes. [On a loosely related note, those who are trying to get rid of junk mail may want to check out PaperKarma, an app that lets you take photos of and upload junk mail and then sends an unsubscribe request on your behalf.]