Class Action Against Path Over Cellphone Address Book Access Keeps Going — Hernandez v. Path

[Post by Venkat Balasubramani with a comment from Eric]

Hernandez v. Path, Inc., 2012 WL 5194120 (N.D. Cal. Oct. 17, 2012)

This is another lawsuit alleging that apps improperly accessed address book and contact information on mobile devices. Screen Shot 2012-10-23 at 1.02.29 PM.pngThe related lawsuit Opperman v. Path is pending in front of Judge Sparks; he initially dismissed the lawsuit with some harsh words for plaintiffs, but they filed a second amended complaint. Access the dismissal order here and the amended complaint here.

The Hernandez lawsuit is pending in the Northern District of California, and some of the plaintiffs’ claims survive Path’s motion to dismiss.

Standing: The court says there is no standing problem, citing among other things the “hypothetical threat of future harm due to a security risk to plaintiff’s personal information” (citing Krottner v. Starbucks).

Wiretap Act & Stored Communications Act: The court dismisses the Wiretap Act claims because the complaint fails to allege that Path “intercepted” any communications. The court reaches a similar result with respect to the SCA claims: “[plaintiffs’ address books] are not a communication to which the SCA applies.” Both of these claims are dismissed with leave to amend.

CA Anti-Hacking Law: The court denies the claims with respect to Section 502 (the statute implicated in Facebook v. Power Ventures). Judge Koh (in the iPhone app class action) said that voluntarily downloading software could undermine a claim under this statute, but Judge Gonzales Rogers does not reach the same conclusion.

CA Invasion of Privacy: Plaintiffs sued under the “wiretapping” provision of California’s invasion of privacy statute. The court dismisses this claim based on the same rationale as the Wiretap Act and SCA claims.

Unfair Competition: Plaintiffs brought claims under California’s notoriously broad (but procedurally limited) unfair competition law. The court says that plaintiffs adequately allege that Path’s conduct was either unfair or unlawful. I was surprised to see no discussion of the fact that Path’s app is free. Section 17200 limits the types of monetary remedies to restitution or disgorgement, and since plaintiffs have not paid Path any money for downloading the app, this is typically a tough argument to make.

Negligence: Most surprisingly, the court allows the negligence claims to move forward. The court says that Path has a duty to not extract plaintiffs’ personal information, not transmit it to third parties, and not store it in an insecure manner. As for damages, the court allows plaintiffs to rely on the costs of removing the tracking software and the diminished bandwidth. (Contrast this with the recent ruling in the Sony PSN data breach case: “Sony Network Data Breach Class Action Suffers Setback.”)

Conversion and Trespass: The court grants the motion with respect to the conversion and trespass claims. According to the court there is no allegation of a “wrongful disposition” of plaintiffs’ property. Similarly, the court says that there’s no allegation of impairment (as required under Intel v. Hamidi) to support a claim for trespass.


This is a bummer for Path, which must now deal with discovery on a bunch of claims. It will be interesting to see whether it will take a hard line and try to get this thrown out at the summary judgment stage.

The ruling is confusing on a bunch of levels. On the one hand the court says that the impairment to plaintiffs’ device is de minimis. On the other hand, the court says that it’s sufficient for a negligence claim. This is just one example of the schizophrenic instincts that seem to inspire the ruling.

The idea that Path has an obligation to safeguard plaintiffs’ information that can be enforced by plaintiffs in advance of any breach and resulting damage is certainly new. This is similar to the theory embraced by the FTC which is currently going after Wyndham Hotels. This is a sketchy enough theory when used by the FTC–an entity that ostensibly has a broader mandate that may include going after conduct that adversely affect consumers, even when there is no present harm–but the idea that a private plaintiff can use this theory is wacky. The FTC’s case against Wyndham Hotels was at least precipitated by a data breach; there’s no such allegation here.

It’s downright painful to see plaintiffs (and the court) contort themselves to slot Path’s conduct into legal causes of action. At the end of the day, Path dropped the ball as far as informing users about how and when it would access their contact information. It used the information to suggest users or allow end users to “find their friends” on Path. It may have done more (and there are vague allegations of improper tracking in the court’s order), but most importantly, it did not use that contact information to do what companies sometimes do—send out spammy communications. Maybe Path deserves a slap on the wrist, but the price it ends up paying (which will go mostly to plaintiffs’ lawyers) will most certainly be out of proportion to any harm it caused.


Eric’s Comment. To me, this case reinforces the irony of privacy class action lawsuits. Consumers almost certainly will get no meaningful benefit from the lawsuits against Path even if they “succeed,” but the lawsuits will produce plenty of (wasted) motion and perhaps a fat payday for the agitating lawyers. Most disappointing is that Judge Rogers was incredibly–and, in my opinion, overly–cautious about dismissing weak causes of action. She repeatedly pointed out defects in the claims but didn’t dismiss them. If judges don’t decisively kill bad lawsuits early, lots of socially wasteful activity ensue.


Other coverage:

Wendy Davis (MediaPost): “Judge Allows Privacy Lawsuit Against Path to Proceed

Related posts:

Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit — Krottner v. Starbucks

9th Circuit Affirms Rejection of Data Breach Claims Against Gap — Ruiz v. Gap

LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds–Low v. LinkedIn

Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data — Reilly v. Ceridian

First Circuit Rejects Data Insecurity Claims on the Basis of Article III Standing–Katz v Pershing

New Essay: The Irony of Privacy Class Action Lawsuits

Another Data Loss Case Tossed on Article III Grounds–Whitaker v. Health Net

Reidentification Theory Doesn’t Save Privacy Lawsuit–Steinberg v. CVS Caremark

Men’s Journal Beats Lawsuit Alleging Violation of California’s “Shine the Light” Privacy Statute — Boorstein v. Men’s Journal

The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon

A Look at the Commercial Privacy Bill of Rights Act of 2011

Flash Cookies Lawsuit Tossed for Lack of Harm–La Court v. Specific Media

Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff — Claridge v. RockYou

Another Lawsuit over Flash Cookies Fails — Bose v. Interclick

Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]