Another Judge Declines to Dismiss Claims Against Apple over App Privacy Practices — Pirozzi v. Apple

August 15, 2013 · by Venkat Balasubramani · in E-Commerce, Privacy/Security

Pirozzi v. Apple, Inc., 12-cv-01529-JST (N.D. Cal. Aug. 3, 2013)

This is a lawsuit alleging that Apple allowed its app developers to improperly collect the personal information of users. The court previously granted Apple’s request to dismiss the claims, but after plaintiff amended the lawsuit the court declines Apple’s request to dismiss. (Previous post here: “Court Dismisses Class Action Against Apple Over Its App Developers’ Information Collection Practices – Pirozzi v. Apple.”)

Standing: Plaintiff cited to a wealth of statements from Apple saying that it maintains a safe ecosystem (“All apps run in a safe environment …”) and

takes precautions—including administrative, technical, and physical measures—to safeguard [the user’s] personal information . . .

Interestingly, plaintiff did not allege that her information was ever uploaded from her device. The court says “she abandoned that theory.” Nevertheless, the court says that she adequately alleges standing because she bought her iPhone relying on Apple’s statements regarding security, according to the court there’s a causal connection between her reliance and plaintiff’s alleged loss (citing to Goodman v. HTC). The court does say that she can’t rely on Apple’s general “reputation for safety” or at least has not fleshed this out sufficiently in her complaint.

The court also says that she can satisfy statutory standing to the extent she makes out a claim under the statutes in question (California unfair competition and false advertising laws).

UCL Claim: The court says she adequately pleads a claim under the fraudulent and the unfair prongs of the unfair competition statute. Interestingly, with respect to the unfair prong the court says “Apple offers nothing in the way of ‘reasons, justifications, or motives’ or ‘utility of [its] conduct’ to weigh against the alleged harm.”

False Advertising: The court says that she adequately states a claim under California’s false advertising statute as well, largely based on the allegations that support the UCL claim.

Consumer Legal Remedies Act: The court also declines to dismiss this claim, again based on the allegations that plaintiff relied on the security assurances made by Apple. The court also cites to Judge Koh’s second ruling in the iPhone privacy case.

Negligent Misrepresentation: This claim also survives, again based on the prior allegations.

Another data point in the dizzying world of app-privacy litigation, which has involved multiple lawsuits against Apple, as well as against app developers, such as Path. (See “Class Action Against Path Over Cellphone Address Book Access Keeps Going — Hernandez v. Path”). (A couple of lawsuits in the Northern District of California were consolidated, but one against Path and others in Illinois continues separately.) It’s interesting that the contract/misrepresentation claims end up moving forward but the substantive privacy claims (e.g., based on federal statutes or otherwise) are not a part of the case. (They were not included to begin with, in contrast to the other iPhone privacy case.)

This is a different judge than the one who initially heard the case, and perhaps that explains the different result. Regardless, it’s a tough loss for Apple, especially given that the plaintiff admitted that none of her information was purloined. For what it’s worth Judge Koh’s ruling whittling down (severely) similar privacy claims against Apple let survive the misrepresentation-based claims as well. (“Judge Koh Whittles Down iPhone App Privacy Lawsuit – In re iPhone Application Litig.”) Other decisions have been less willing to allow contract-based claims unless the plaintiff can show that the alleged deficiency was material to the decision to purchase, but neither of the iPhone privacy cases focused on that issue.

This order also highlights Apple’s flowery language around its privacy practices. I’m not sure if those representations fall into the category of implied promises that put Apple in a place where it is precluded from arguing a Section 230, defense, but it certainly makes it a tougher argument for Apple to make. As far as marketing copy goes, it would be wise to excise words such as “safe” and “secure” from your marketing vocabulary. Those will always end up coming back to haunt you. (See our discussion of this in Mazur v. eBay; see also the FTC’s 2010 enforcement action against Twitter.)

Other coverage: Apple Website’s ‘Safety’ Statements Give iPhone User Standing in Apps Case

Judge Koh Whittles Down iPhone App Privacy Lawsuit

Data Breach Claim Survives Based on Allegation of Misuse of Personal Information — Burrows v. Purchasing Power

Sony Network Data Breach Class Action Suffers Setback — In re Sony Gaming Network

Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit — Krottner v. Starbucks

9th Circuit Affirms Rejection of Data Breach Claims Against Gap — Ruiz v. Gap

LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds–Low v. LinkedIn

Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data — Reilly v. Ceridian

First Circuit Rejects Data Insecurity Claims on the Basis of Article III Standing–Katz v Pershing

New Essay: The Irony of Privacy Class Action Lawsuits

Another Data Loss Case Tossed on Article III Grounds–Whitaker v. Health Net

Reidentification Theory Doesn’t Save Privacy Lawsuit–Steinberg v. CVS Caremark