Another Judge Declines to Dismiss Claims Against Apple over App Privacy Practices — Pirozzi v. Apple
[Post by Venkat Balasubramani]
Pirozzi v. Apple, Inc., 12-cv-01529-JST (N.D. Cal. Aug. 3, 2013)
This is a lawsuit alleging that Apple allowed its app developers to improperly collect the personal information of users. The court previously granted Apple’s request to dismiss the claims, but after plaintiff amended the lawsuit the court declines Apple’s request to dismiss. (Previous post here: “Court Dismisses Class Action Against Apple Over Its App Developers’ Information Collection Practices – Pirozzi v. Apple.”)
Standing: Plaintiff cited to a wealth of statements from Apple saying that it maintains a safe ecosystem (“All apps run in a safe environment …”) and
takes precautions—including administrative, technical, and physical measures—to safeguard [the user’s] personal information . . .
Interestingly, plaintiff did not allege that her information was ever uploaded from her device. The court says “she abandoned that theory.” Nevertheless, the court says that she adequately alleges standing because she bought her iPhone relying on Apple’s statements regarding security, according to the court there’s a causal connection between her reliance and plaintiff’s alleged loss (citing to Goodman v. HTC). The court does say that she can’t rely on Apple’s general “reputation for safety” or at least has not fleshed this out sufficiently in her complaint.
The court also says that she can satisfy statutory standing to the extent she makes out a claim under the statutes in question (California unfair competition and false advertising laws).
UCL Claim: The court says she adequately pleads a claim under the fraudulent and the unfair prongs of the unfair competition statute. Interestingly, with respect to the unfair prong the court says “Apple offers nothing in the way of ‘reasons, justifications, or motives’ or ‘utility of [its] conduct’ to weigh against the alleged harm.”
False Advertising: The court says that she adequately states a claim under California’s false advertising statute as well, largely based on the allegations that support the UCL claim.
Consumer Legal Remedies Act: The court also declines to dismiss this claim, again based on the allegations that plaintiff relied on the security assurances made by Apple. The court also cites to Judge Koh’s second ruling in the iPhone privacy case.
Negligent Misrepresentation: This claim also survives, again based on the prior allegations.
Another data point in the dizzying world of app-privacy litigation, which has involved multiple lawsuits against Apple, as well as against app developers, such as Path. (See “Class Action Against Path Over Cellphone Address Book Access Keeps Going — Hernandez v. Path”). (A couple of lawsuits in the Northern District of California were consolidated, but one against Path and others in Illinois continues separately.) It’s interesting that the contract/misrepresentation claims end up moving forward but the substantive privacy claims (e.g., based on federal statutes or otherwise) are not a part of the case. (They were not included to begin with, in contrast to the other iPhone privacy case.)
This is a different judge than the one who initially heard the case, and perhaps that explains the different result. Regardless, it’s a tough loss for Apple, especially given that the plaintiff admitted that none of her information was purloined. For what it’s worth Judge Koh’s ruling whittling down (severely) similar privacy claims against Apple let survive the misrepresentation-based claims as well. (“Judge Koh Whittles Down iPhone App Privacy Lawsuit – In re iPhone Application Litig.”) Other decisions have been less willing to allow contract-based claims unless the plaintiff can show that the alleged deficiency was material to the decision to purchase, but neither of the iPhone privacy cases focused on that issue.
This order also highlights Apple’s flowery language around its privacy practices. I’m not sure if those representations fall into the category of implied promises that put Apple in a place where it is precluded from arguing a Section 230, defense, but it certainly makes it a tougher argument for Apple to make. As far as marketing copy goes, it would be wise to excise words such as “safe” and “secure” from your marketing vocabulary. Those will always end up coming back to haunt you. (See our discussion of this in Mazur v. eBay; see also the FTC’s 2010 enforcement action against Twitter.)
Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit — Krottner v. Starbucks