LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds–Low v. LinkedIn
[Post by Venkat Balasubramani with comments from Eric]
Low v. LinkedIn, 2011 WL 5509848 (N.D. Ca.; Nov. 11, 2011)
Low brought a putative class action against LinkedIn, complaining about the fact that LinkedIn “allows transmission of users’ personally identifiable browsing history and other personal information to third parties, including advertisers, marketing companies, data brokers, and web tracking companies . . . ” He asserted a variety of different claims, including under the Stored Communications Act, the California Constitution, breach of contract, conversion, and California consumer protection statutes. The Court finds that Low failed to satisfy Article III standing and dismisses (with leave to amend).
The complaint alleged that LinkedIn assigned users unique user IDs, and LinkedIn “links and transmits the user ID number to third party tracking IDs (‘cookies’).” This allows third parties to track the online browsing histories of users, which is linked to LinkedIn’s unique user ID (using which third parties can probably determine the identity of the user). [It’s unclear from the ruling whether transmitting the user ID is a mistake on LinkedIn’s part or whether it was all part of some nefarious Orwellian scheme to track everything and everyone. It was also unclear whether LinkedIn was allegedly compensated for this. I didn’t check, but I presume LinkedIn has taken corrective measures.]
Emotional harm: Low argued that he suffered “embarrassment and humiliation caused by the disclosure of his personally identifiable browsing history.” But apart from a general allegation that the disclosure of someone’s browsing history to third parties would be embarrassing, Low failed to highlight what information was actually disclosed. Additionally, Low also failed to allege that a third party actually linked the browsing history with his identity, as opposed to his LinkedIn unique ID. To the extent Low tried to rely on the future disclosure of information the court says that this is too conjectural and hypothetical.
Economic harm: Low’s argument for how he had been economically harmed by LinkedIn’s practices was that his browsing history was a marketable piece of property and he was not compensated for LinkedIn’s transfer of this property to third parties. The court recaps the cases on this issue (Specific Media; In re iPhone App Litigation; DoubleClick; In re JetBlue) and says Low failed to allege how he was economically harmed by LinkedIn’s practices. In particular, the court says Low failed to allege how he was prevented from capitalizing on the value of his personal data. Low cited to Krottner v. Starbucks and Doe 1 v. AOL and argued that the mere disclosure of personal information may create standing. The court says that these cases are distinguishable in that they involved the disclosure of sensitive or private information. Krottner involved the theft of a laptop which contained the private information of employees, including names, addresses, and social security numbers. Although the Ninth Circuit said that plaintiffs were not entitled to relief since they were provided credit monitoring, the court found that loss of sensitive information was enough to satisfy standing. The AOL (‘search Valdez’) case involved the packaging and distribution of a huge quantity of search data, which included similarly sensitive information, along with sensitive search information. In this case, the court says that Low’s allegations are easily distinguishable from Krottner and AOL, and are not sufficient:
Low has not alleged that his credit card number, address, and social security number have been stolen or published or that he is a likely target of identity theft as a result of LinkedIn’s practices. Nor has Low alleged that his sensitive personal information has been exposed to the public. Indeed, the Plaintiff has failed to put forth a coherent theory of how his personal information was disclosed or transferred to third parties, and how it has harmed him. Accordingly, Low has failed to allege an injury-in-fact.
The court also footnotes the issue that violation of a statutory right may in some cases confer standing on a plaintiff, but does not delve into it since plaintiff did not raise this issue and plaintiff was given leave to amend.
This is a helpful order because it recaps many of the recent cases dealing with the issue of what type of harm a plaintiff must allege. Judge Koh, who wrote the order dismissing plaintiff’s claims, also authored the iPhone Privacy opinion, where she methodically picked apart plaintiff’s claims. (See iPhone Privacy Class Action Dismissed for Lack of Standing — In re iPhone App. Litigation.) Judges in the Northern District of California have heard a slew of potential class action privacy lawsuits over the last couple of years and have almost uniformly rejected them. One of the common problems in these cases is that the plaintiffs are not able to articulate with much clarity what practices they are complaining of and how exactly the practices harmed the plaintiff. What often spurs these lawsuits is a research finding or a media report about a company’s practice. The lawsuit does not start with the plaintiff who suffers an injury or a negative consequence.
The idea that a company’s exploitation of your browsing history or viewing habits causes you economic injury is not getting much traction. Courts are mostly saying that in order to allege economic damages, it’s not sufficient to argue that the information has some value in an advertiser or a network’s hands–you have to allege that their use of the information somehow impeded your ability to exploit the information. To my knowledge, the RockYou case is the only one to accept the “PII as property” argument, but the court did so reluctantly, and expressed skepticism over the ultimate fate of this theory. (Here’s my earlier blog post on the RockYou case: “Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff.”)
This is not the end of the road for this case, as the court grants leave to amend the complaint, but the court says clearly what type of injury the plaintiff has to allege, and I’m somewhat skeptical that the plaintiff will achieve a better result in round 2.
Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit — Krottner v. Starbucks
AOL’s Disclosure of Search Data May Support Claims Under California Law
Another Lawsuit over Flash Cookies Fails — Bose v. Interclick
Flash Cookies Lawsuit Tossed for Lack of Harm–La Court v. Specific Media
iPhone Privacy Class Action Dismissed for Lack of Standing — In re iPhone App. Litigation
Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff — Claridge v. RockYou
1) LinkedIn should never have included a unique ID in its referrer URLs. Same with the other websites that undertook the practice. That was an avoidable error on their parts.
2) Article III standing is an awkward way of disposing of the referrer URL cases. However, at this point, knowing that defendants are going to bring an Article III challenge, it’s becoming embarrassing for plaintiffs’ lawyers to bring such weak arguments about the plaintiffs’ harms. If you’re going to bring a privacy lawsuit, find a plaintiff who actually suffered tangible harms and then allege those harms. If you can’t, let it go.
3) Allegations of “embarrassment and humiliation” as the harm for Article III standing in a privacy class action suit, without specific facts explaining how, should always fail.
4) I thought the whole “data as property” meme died a decade ago. I agree with Venkat that the RockYou case hasn’t opened up a hole for the plaintiffs, but it’s too bad that court gave the glimmer of hope to the plaintiffs.
5) I know why Judge Koh gave the plaintiffs another chance, but I’ll be surprised if they do any better on round 2. I hope future judges will squelch these low-merit privacy suits even more quickly as the plaintiffs continue to make the same pleading errors over and over again.