Privacy Plaintiffs Lose Because They Didn’t Rely on Apple’s Privacy Representations — In re iPhone App Litigation

Plaintiffs sued Apple claiming they relied on privacy representations from Apple and that the iOS environment was designed to “easily” allow for transmission of user information to third parties. A separate sub-class alleged that Apple collected location information even when the iPhone was turned off. This class asserted a variation of the location-tracking claim: that Apple collected this location information in order to build an internal database of hotspot and cell tower locations. As to this latter claim, the court says that this version of the claim was not fairly presented in the amended complaint, and was applicable to a version of iOS that none of the named plaintiffs used.

The case involved a fair amount of procedural wrangling. The court previously granted Apple’s partial motion to dismiss, leaving only claims under California’s unfair competition law and under the Consumer Legal Remedies Act. There was some shuffling of the named plaintiffs. There were also discovery troubles, which gave plaintiffs several extra months because the court concluded that Apple’s document production had been incomplete. Ultimately, despite the extra time and multiple chances, the court says plaintiffs didn’t put forth enough evidence to withstand Apple’s request for summary judgment.

The crux of plaintiffs’ complaint is that they were deceived into buying iOS devices, that the devices were over-valued (due to privacy deficiencies), or that they did not function as represented. Whether under Article III or statutory standing, these claims all required plaintiffs to allege one key fact: that they relied on Apple’s privacy representations, and reliance on these representations caused the injury in question. Plaintiffs pointed to numerous Apple representations—in the form of flowery language from the website and other marketing materials—but the court says:

none of the plaintiffs presents evidence that he or she even saw, let alone read and relied upon, the alleged misrepresentations contained in the Apple Privacy Policies, SLAs, or App Store Terms and Conditions, either prior to purchasing his or her iPhone, or any time thereafter.

Worse yet, some of the plaintiffs presented declarations attesting to their reliance, but the declarations conflicted with their deposition testimony. The court is not pleased about this:

Attempting to create a genuine issue of material fact by submitting an affidavit contradicting one’s own prior deposition testimony is generally disfavored.

Despite repeated expressions of concern from the court, plaintiffs didn’t provide Judge Koh with specifics, and this dooms the lawsuit. As a fallback, plaintiffs argued that they must have agreed to Apple’s privacy policy when agreeing to the terms of service, so they could rely on privacy representations in Apple’s privacy policy. The court finds this argument wanting as well:

the court repeatedly expressed its skepticism regarding the sufficiency of Plaintiffs’ standing allegations, as well as the viability of Plaintiffs’ theory that they must have standing because they must have agreed to Apple’s Privacy Policy at some point, even if no Plaintiff could remember having done so….

Plaintiffs’ repeated failure to provide any evidence to support the theory that they must have read or seen the alleged misrepresentations in Apple’s Privacy Policy strengthens the Court’s conclusion that Plaintiffs have not met their burden to demonstrate standing.



This is a classic Judge Koh smackdown, and a big ruling for a couple of reasons.

First, privacy lawsuits have typically followed the dismissal-or-settlement trajectory. Most privacy lawsuits don’t make it past the pleading stage, but defendants who lost motions to dismiss typically just wrote settlement checks (e.g., Google with Buzz and Facebook with Beacon and Sponsored Stories). This is the rare privacy lawsuit that gets tossed after discovery. It provides a data point defendants’ lawyers can consider when internally deciding whether to settle or fight. Perhaps we will see fewer checks written to privacy plaintiffs who get past the motion to dismiss stage?

Second, a big category of privacy trip-ups involves misrepresentations. This is the hook the FTC uses against companies and it’s what has gotten everyone from Facebook to Google to Twitter in trouble. This ruling casts doubt on whether we can simply assume that someone somewhere relies on a company’s privacy representation. Even representations contained in a privacy policy don’t automatically create a privacy claim. Granted, the FTC’s enforcement power is broader than a privacy plaintiff’s (both from the standpoint of standing and the type of harm that can be remedied), but it raises the question of whether it makes sense to have the FTC policing the privacy representations of companies without asking whether the representations even influenced consumer behavior. In any event, as demonstrated here, private plaintiffs can be held to more rigorous standing requirements.

Ultimately, this case devolved into claims that Apple misrepresented its products by plaintiffs who claimed that they didn’t get what they paid for. Perhaps this explains the difference between the result in this case and the result in the Gmail scanning case that Eric discusses below (which involved statutory claims). For better or worse, this court’s conclusion seems to be that privacy representations aren’t a crucial part of the bargain when it comes to buying iOS devices.

This is a happy Thanksgiving present to Apple!


Eric’s Comments: In my opinion, Judge Koh has among the most interesting dockets of any federal judge in the country. She’s hearing many of the privacy lawsuits against Silicon Valley companies, and everyone’s interested in how she views those cases. This opinion lays out her thinking relatively clearly, so I’ll vote this is an opinion of above-average importance.

Unfortunately, I’m baffled by the legal procedure here. As I read it, she grants summary judgment on Article III standing grounds. Huh? After years of litigation and getting past a motion to dismiss, the judge now says there was no standing to hear the case…? Furthermore, many of the arguments she made sounded like an analysis of the substantive prima facie elements, not the elements of Article III standing. Read literally, Judge Koh seems to be saying that if plaintiffs can’t demonstrate they read and relied upon the documents containing the alleged misrepresentations, then they lack Article III standing to bring the case at all. But how often can plaintiffs demonstrate that they read and relied upon any particular document? Consumers often don’t save a “research trail” of the information they consume along the path towards a transaction. And does this mean that the plaintiffs will have to make these assertions in their complaint or the next round of defendants should be able to get quick motions to dismiss for lack of standing? After all, Article III standing is a threshold prerequisite to the courts’ ability to hear the case at all.

Trying to wrap my head around the interstices of the implications of Judge Koh basing this ruling on Article III standing made my head hurt. Instead, I think this opinion is better explained by Judge Koh’s impatience for litigant shenanigans. The opinion bristles with her annoyance that the plaintiffs couldn’t adequately explain what problem they were trying to address. It seemed the plaintiffs thought all they had to do was show Apple did things that buyers didn’t want, and ka-ching! But that’s not how things go down in Judge Koh’s courtroom.

An alternative way of interpreting this ruling is that Judge Koh simply didn’t believe Apple loyalists would abandon their iPhones even if they knew about the minor issues. After all, Apple fans gleefully pay a big premium to buy Apple-branded products, no matter what the T&Cs say.

More generally, this ruling is consistent with judges’ increasing impatience with plaintiffs’ hail-mary efforts to scrape together various ambiguous statements and call them false. Some of Apple’s alleged false statements the plaintiffs cited were mockably weak anchors for misrepresentation claims, such as:

“Your privacy is important to Apple. So we’ve developed a Privacy Policy that covers how we collect, use, disclose, transfer, and store your information.”

“To make sure your personal information is secure, we communicate our privacy and security guidelines to Apple employees and strictly enforce privacy safeguards within the company.”

“Apple takes precautions—including administrative, technical, and physical measures—to safeguard your personal information against loss, theft, and misuse as well as against unauthorized access, disclosure, alteration, and destruction.”

More slippery than Jell-o. We’ve seen the FTC bully companies based on the FTC’s tendentious interpretation of such fluffy statements in privacy policies, but private litigants don’t have the same leverage that the FTC does. A patchwork quilt of selective cutting-and-pasting from the website simply doesn’t persuade judges–or anyone else, for that matter. If the plaintiffs have to work that hard to find a defendant’s misrepresentations, they probably weren’t misled. For a similar example of a Northern District of California judge rejecting such tendentious cutting-and-pasting, see Judge Fogel’s opinion in Woods v. Google.

Here’s another thing I don’t get. Judge Koh raked these plaintiffs over the coals for failing to show any harm, yet she basically gave the plaintiffs in the Gmail privacy case a free pass on that point. If these plaintiffs lacked Article III standing, how do the Gmail plaintiffs have it? (I understand the case involved different claims). I still think her Gmail privacy ruling was a mistake, especially in light of the strong views she expresses in this ruling.

Case citation: In re iPhone Application Litigation, 2013 WL 6212591 (N.D. Cal. Nov. 25, 2013)

Related posts:

Google Wins Cookie Privacy Lawsuit

IMDB’s Disclosure of Actress’s Age Will Go To Trial – Hoang v. Amazon

Did California Unintentionally (?) Impose New Statutory Duties on Every Blogger? A Post on the Newly Enacted California Reader Privacy Act

Redbox Can be Liable Under the Video Privacy Protection Act for Failure to Purge Video Rental Records — Sterk v. Redbox

Seventh Circuit: No Private Cause of Action Under the Video Privacy Protection Act for Failure to Purge Information–Sterk v. Redbox

Court Declines to Dismiss Video Privacy Protection Act Claims against Hulu

No Privacy Claim Against Netflix for Disclosing Viewing Histories and Instant Queue Titles Through Netflix-Enabled Devices — Mollett v. Netflix

Court Dismisses Data Breach Lawsuit Against LinkedIn Based on Compromised Passwords – In re LinkedIn User Privacy Litigation

Class Action Against Path Over Cellphone Address Book Access Keeps Going

Judge Koh Whittles Down iPhone App Privacy Lawsuit

Data Breach Claim Survives Based on Allegation of Misuse of Personal Information — Burrows v. Purchasing Power

Sony Network Data Breach Class Action Suffers Setback — In re Sony Gaming Network

Starbucks Data Breach Plaintiffs Rebuffed by Ninth Circuit — Krottner v. Starbucks

9th Circuit Affirms Rejection of Data Breach Claims Against Gap — Ruiz v. Gap

LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds–Low v. LinkedIn

Third Circuit Says Data Breach Plaintiffs Lack Standing Absent Misuse of Data — Reilly v. Ceridian

First Circuit Rejects Data Insecurity Claims on the Basis of Article III Standing–Katz v Pershing

New Essay: The Irony of Privacy Class Action Lawsuits

Another Data Loss Case Tossed on Article III Grounds–Whitaker v. Health Net

Reidentification Theory Doesn’t Save Privacy Lawsuit–Steinberg v. CVS Caremark

Men’s Journal Beats Lawsuit Alleging Violation of California’s “Shine the Light” Privacy Statute — Boorstein v. Men’s Journal

The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon

A Look at the Commercial Privacy Bill of Rights Act of 2011

Flash Cookies Lawsuit Tossed for Lack of Harm–La Court v. Specific Media

Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff — Claridge v. RockYou

Another Lawsuit over Flash Cookies Fails — Bose v. Interclick

Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]