Judge Koh Puts the Kibosh on LinkedIn Referral ID Class Action — Low v. LinkedIn

[Post by Venkat Balasubramani]

Low v. LinkedIn, 11-CV-01468-LHK (N.D. Cal.; July 12, 2012)

This case concerns LinkedIn’s practice of putting users’ unique identifiers into its URLs, which allowed advertisers (and others) to associate that unique identifier with users, and potentially to access the info on their profile pages, when they clicked on a link on LinkedIn. Judge Koh had previously dismissed the case with leave to amend. Low amended his complaint, and the second time around Judge Koh dismisses it with prejudice. Here’s our blog post on the initial dismissal of the lawsuit: LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds–Low v. LinkedIn.

Standing: citing to Edwards v. First American Corp. and Jewel v. NSA, the court says that plaintiffs have alleged violations of statutory rights as well as (state) constitutional rights and get over the standing hurdle.

Stored Communications Act: Plaintiffs’ claims under the Stored Communications Act require the plaintiffs to show that LinkedIn provides either “remote computing services” or “electronic communication services.” The court also says that the analysis looks to whether LinkedIn was acting in this capacity with respect to the particular information that was allegedly wrongfully disclosed. In this case, the court concludes that LinkedIn was not functioning as a remote computing service with respect to the LinkedIn user ID and the URL of the profile pages that the user used to view third party profiles. The unique IDs are created by LinkedIn for its own purposes and are not sent to LinkedIn for storage or processing by plaintiffs.

Invasion of Privacy: The court says that invasion of privacy claims must meet “high standards” for the types of invasion that are actionable—“there must be an egregious breach of the social norms underlying the privacy right.” The court says that disclosure of the LinkedIn ID and the profile page is not the type of information that amounts to a serious invasion. Additionally, although plaintiffs claimed that the information could be used to glean plaintiffs’ browsing history and used to identify plaintiffs, there was no allegation that this actually occurred.

False advertising law: Plaintiffs failed to allege reliance on any purported misrepresentations by LinkedIn. Although one of the named plaintiffs had paid for a premium LinkedIn subscription and satisfied the monetary loss elements, the court still finds that there was no allegation that plaintiffs viewed any representations within LinkedIn’s privacy policy and made a purchasing decision based on these representations.

Breach of contract: Plaintiffs’ breach of contract claims fail because they have not alleged sufficient damages. The sole basis for damages is the loss in value to plaintiffs’ information. The court again reiterates skepticism that this has value in plaintiffs’ hands to begin with, but she says that even if it does, any sort of diminution in value would not be a cognizable form of contract damages.

Other claims: The court also dismisses the claims for conversion (browsing history and personally identifiable information are not property); unjust enrichment (no standalone claim); and negligence (no damages).

__

In his comments to the original post about this case, Eric noted that this was a “low-merit” privacy lawsuit that had little chance of success the second time around. Sure enough, Judge Koh dismantles plaintiffs’ claims and sends them packing.

It’s worth noting that the FTC’s enforcement action against MySpace involved allegations that were somewhat similar to the plaintiffs’ allegations against LinkedIn in this case: in both situations, the companies involved allowed third parties to tie the user’s unique identifiers with their public profiles. (See Ed Felten’s blog post on the MySpace settlement–“Syncing and the FTC’s MySpace Settlement”):

What made the possible syncing problematic in the case of Myspace was that (1) Myspace enabled ad networks to use Myspace’s Friend ID pseudonym to get personal information about the associated user, and (2) Myspace promised its users that it would not share that personal information with third parties.

The FTC has been increasingly aggressive in its enforcement actions around the privacy practices of online entities. While the court ruled that LinkedIn could not be held liable in a civil lawsuit brought by plaintiffs, it’s an open question as to whether these practices could land it in the crosshairs of the FTC.

Other coverage:

InsidePrivacy: Low Case Against LinkedIn Dismissed In Its Entirety

FourthAmendment.com: N.D.Cal.: LinkedIn not a remote computing service and does not provide electronic communication services, so it can’t be sued under SCA

Related posts:

The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon

A Look at the Commercial Privacy Bill of Rights Act of 2011

Flash Cookies Lawsuit Tossed for Lack of Harm–La Court v. Specific Media

Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff — Claridge v. RockYou

Another Lawsuit over Flash Cookies Fails — Bose v. Interclick

LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds–Low v. LinkedIn

Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]