Judge Boots Privacy Lawsuit Against Pandora but Plaintiffs Can Replead – Yunker v. Pandora

March 27, 2013 · by Venkat Balasubramani · in E-Commerce, Privacy/Security

Yunker v Pandora Media, Inc., 2013 US Dist LEXIS 42691 (N.D. Cal. Mar. 26, 2013)

Pandora has been sued before for allegedly revealing listening preferences, but this is a more run-of-the-mill privacy lawsuit against Pandora. Pandora represents to its users that it will not disclose personally identifiable information to third parties. (The representation is implied as the quoted portion of its privacy policy says that it would share non-PII to third parties.) Yunker claims that Pandora did not de-identify the PII and allowed advertisers to access end users’ PII. Predictably, plaintiff considered the PII to be his property and as having economic value. Separately, plaintiff also alleged that certain Pandora components ate up the memory on his device.

Standing: the court concludes about standing: (1) dimunition in the value of PII is not sufficient to confer standing; (2) the allegations regarding decrease in memory space are insufficient; (3) the prospect of future harm from non-anonyized PII is too speculative; and (4) he has standing to pursue violations of his constitutional privacy rights.

Wiretap Claim: the court dismisses Yunker’s wiretap claim on familiar grounds: (1) there is no interception of any communication (using a separate device); and (2) as the recipient of any communication, Pandora could divulge it without running afoul of the Wiretap Act.

Stored Communications Act: the SCA claim has similar definitional problems. Yunker does not identify anything in “storage” that was wrongly disclosed. Cookies don’t fall within the SCA’s protection for stored communications because they are temporary. Yunker also tried to argue that Pandora provided remote computing services but, other than parroting the statutory definition, he did not identify what Pandora offered that fit within this definition. Although he cited to the discovery ruling in the YouTube case, the court distinguishes this on the basis that, unlike YouTube, nothing is uploaded and stored to Pandora by the user.

CFAA claim: the CFAA claim fails due to Yunker’s failure to allege loss sufficient to satisfy the $5,000 jurisdictional threshold. The court says there are other problems with this claim, but dismisses on the basis of failure to satisfy this element.

State law claims: Yunker’s state law claims also suffer from a variety of deficiencies. He cannot advance a claim under the Unfair Competition Law because he has not lost “money or other property” (and PII is not property); Yunker is not a “consumer” under the CLRA because he has not leased or purchased anything; his contract claim is deficient because he fails to allege damages; his privacy claim fails because Pandora’s conduct does not constitute an “egregious breach of social norms”; his disclosure of private facts claims because no personal/intimate facts were disclosed to anyone; and finally, his trespass and conversion claims also fail.

Yunker has the chance to file an amended complaint, but given the skepticism expressed by the court, his chances of curing the deficiencies are fairly slim.

This is a fairly unsurprising result, and in line with numerous recent cases that have tried to assert claims against networks or companies for failing to anonymize information before disclosing to advertisers. As I mentioned in my post about Hoang v. IMDB, that’s a case where a plaintiff actually has some chance of proving harm. Unless plaintiff comes forward with an “Insider”esque smoking gun, these lawsuits are doomed to fail from the start.

Previous privacy lawsuit against Pandora: Judge Dismisses Claims Against Pandora for Violating Michigan’s Version of the VPPA – Deacon v. Pandora Media

Did California Unintentionally (?) Impose New Statutory Duties on Every Blogger? A Post on the Newly Enacted California Reader Privacy Act

Redbox Can be Liable Under the Video Privacy Protection Act for Failure to Purge Video Rental Records — Sterk v. Redbox

Seventh Circuit: No Private Cause of Action Under the Video Privacy Protection Act for Failure to Purge Information–Sterk v. Redbox

Court Declines to Dismiss Video Privacy Protection Act Claims against Hulu

No Privacy Claim Against Netflix for Disclosing Viewing Histories and Instant Queue Titles Through Netflix-Enabled Devices — Mollett v. Netflix

Court Dismisses Data Breach Lawsuit Against LinkedIn Based on Compromised Passwords – In re LinkedIn User Privacy Litigation

Class Action Against Path Over Cellphone Address Book Access Keeps Going

Judge Koh Whittles Down iPhone App Privacy Lawsuit

Data Breach Claim Survives Based on Allegation of Misuse of Personal Information — Burrows v. Purchasing Power

Sony Network Data Breach Class Action Suffers Setback — In re Sony Gaming Network

Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit — Krottner v. Starbucks