Earlier this week, Judge Grewal dismissed the putative class action lawsuit for a second time. The opinion nicely summarizes the current trends in both Article III standing and grounds for substantive dismissal. Some of the plaintiffs’ claims are tossed for lack of Article III standing; the remainder are tossed on a 12(b)(6) motion to dismiss. While dismissal is never good for plaintiffs, Judge Grewal gives them another chance (which they will surely take). More importantly, Judge Grewal’s opinion provides a roadmap for future plaintiffs to survive dismissal motions, so I think plaintiffs will find this opinion quite interesting. The opinion doesn’t break a lot of new doctrinal ground, but it’s written in a clear and engaging style that makes it citation-bait. Some of my highlights:
PII and Economic Injury. Citing La Court v. Specific Media, the opinion rejects the argument that privacy violations create an economic injury because the defendant values PII. Check out Judge Grewal’s elegant treatment of the topic:
a plaintiff must allege how the defendant’s use of the information deprived the plaintiff of the information’s economic value. Put another way, a plaintiff must do more than point to the dollars in a defendant’s pocket; he must sufficient allege that in the process he lost dollars of his own. Plaintiffs’ allegations certainly plead that Google made money using information about them for which they were provided no compensation beyond free access to Google’s services. But an allegation that Google profited is not enough equivalent to an allegation that such profiteering deprived Plaintiffs’ of economic value from that same information.
I bolded my favorite part because I think it perfectly encapsulates most privacy lawsuits: the class action lawyers see money in the defendant’s bank account and they want to move it into their bank accounts. But simply showing up to court and saying “gimme!” isn’t very persuasive.
Judge Grewal also gestures towards the popular meme that if you’re not paying for an online service, you’re the product. He says: “Google still manages to turn a healthy profit by selling advertisements within its products that rely in substantial part on users’ personal identification information (“PII”)….in this model, the users are the real product.” I refer you to Mike Masnick’s teardown of this meme.
Battery Drain as Cognizable Injury. Citing Goodman v. HTC among others, the opinion says that alleging battery drain creates an Article III injury. Note the mobile exceptionalism; increased power consumption of desktop or laptop computers typically doesn’t create Article III standing, but battery consumption of a mobile device apparently can. Expect plaintiffs to allege mobile phone battery drains in every privacy lawsuit going forward.
Reliance on Misrepresentations. Judge Grewal was clearly aware of his chamber-mate Judge Koh’s opinion last week in In re iPhone Application Litigation because he cites it, but his opinion implicitly conflicts with hers by finding Article III standing when the plaintiff simply alleges it had overpaid because it relied on Google’s misrepresentations. Judge Koh just reached the opposite conclusion last week. Admittedly, she did so on summary judgment after extensive discovery, while Judge Grewal was ruling on a motion to dismiss. Still, the opinion doesn’t acknowledge the conflict or try to resolve it.
Statutory Violations Automatically Create Cognizable Injury. In the Edwards case, the Supreme Court recently punted on whether a statutory violation automatically creates a cognizable injury for Article III standing purposes. Judge Grewal, applying the Ninth Circuit’s ruling in Edwards, says yes–violations of federal and state statutes automatically create an injury for Article III purposes. Thus, for example, the court finds Article III standing for the California publicity rights violation. In contrast, violations of common law and contract breaches don’t have the same consequences on standing. This wasn’t a new legal conclusion, but Judge Grewal makes the standard very clear. Expect privacy plaintiffs to emphasize statutory violations, rather than common law or contract violations, in future lawsuits.
ECPA and Ordinary Course of Business. Judge Grewal also implicitly tussled with Judge Koh on the “ordinary course of business” exception to ECPA violations. Here, Google integrated some Gmail-related data into its Database of Ruin, which isn’t necessarily in the “ordinary course of business” for an email service provider. Nevertheless, Judge Grewal suggests that the “ordinary course of business” for email service providers may be expansive:
in defining “ordinary course of business” as “necessary” it begs the question of what exactly its means for a given action to be “necessary” to the delivery of Gmail. For example, in delivering Gmail is it really “necessary” do more than just the comply with email protocols such as POP, IMAP and MAPI? What about spam-filtering or indexing? None of these activities have anything specifically to do with transmitting email. And yet not even Plaintiffs suggest that these activities are unnecessary and thus lie outside of the “ordinary course business.”
Recall Judge Koh’s treatment of this issue in her troubling Gmail ads ruling (in a footnote!):
The Court does not find persuasive Google’s slippery slope contention that a narrow interpretation of the ordinary course of business exception will make it impossible for electronic communication service providers to provide basic features, such as email searches or spam control….Some of these may fall within a narrow definition of “ordinary course of business” because they are instrumental to the provision of email service.
Of course, Judge Koh’s “may” means by implication that they “may not.” My take is that Judges Grewal and Koh started from different places. Judge Grewal seems to take a fairly expansive view of what might qualify as “ordinary course of business” for email service providers, while Judge Koh expressly took a “narrow” view. Here’s how Judge Grewal distinguished Judge Koh’s Gmail ruling:
among other things, [Judge Koh’s] thorough analysis addressed allegations that Google’s practices violated its own internal policies, further establishing that its actions are outside the course of its business. In this case, Plaintiffs allege no such violation of any internal policy, rendering Plaintiffs claim insufficiently stated to overcome the hurdle that Rule 12(b)(6) imposes.
Um, OK. Earlier, Judge Grewal’s opinion said that Google allegedly promised siloed data and then ignored its promise, so isn’t that a pretty clear “violation of an internal policy”? And even if not, this issue is coming right back to Judge Grewal in the next amended complaint where the plaintiffs will surely make the allegation even more explicit. Then what?
Fortunately, the Grewal-Koh pseudo-conflict isn’t likely to matter for too long. Judge Koh’s opinion is on appeal to the Ninth Circuit, and that ruling will trump these district court data points. I’m hoping that the Ninth Circuit fixes Judge Koh’s Gmail ruling.
There’s plenty more good stuff in the opinion. If you practice in the area, read the whole thing.
So where does this ruling leave us? Google gets a win for now, the plaintiffs will be coming back with another amended complaint, future plaintiffs will be reading this opinion closely for helpful pointers, Judges Grewal and Koh probably have some good topics to chat about during their coffee breaks, and who knows what the next privacy ruling out of the Northern District of California will say.