Apple May Be Liable For Privacy Violations by Third Party Developed Apps

There are so many privacy lawsuits around the iOS ecosystem that it’s tough to keep track of them all. This particular (consolidated) lawsuit involves privacy claims against Apple and also against various apps, including Angry Birds, Cut the Rope, Facebook, Path, Foodspotting, Foursquare, GoWalla, Twitter and others. Apple and the app developers both moved to dismiss, and the court grants the motions, with the exception of an invasion of privacy claim against the app developers.

While the plaintiffs are given a chance to amend, they should consider packing this one up and heading home.

Apple: Apple first argued that plaintiffs failed to satisfy standing because they did not identify specific representations from Apple that caused plaintiffs to overpay for the iOS devices. The court says that Apple conflates standing with the merits of the claims. Additionally, plaintiffs can establish standing through statutory violations (citing Edwards v. First American). Finally, Apple cited to a ruling in a privacy lawsuit against LinkedIn for the proposition that plaintiffs alleging overpayment claims have to allege “something more”. The court says this reads the LinkedIn case too broadly, and in any event, plaintiffs had alleged something more (that the iOS platform was designed to allow easy access to personal information).

Apple also raises a Section 230 defense, which we wondered about when we first flagged the case. The court cites to the usual Section 230 standards, but ends up concluding that the amended complaint:

pleads sufficient conduct to classify Apple as an ‘information content provider’ whose conduct is not protected by the CDA.

As support for this proposition, the court cites to Apple’s iOS guidelines that “appear to encourage the practices Plaintiffs complain of in this case.” The court cites to portions of the guidelines and tutorials where Apple teaches and encourages plaintiffs to “code and build apps that non-consensually access, manipulate, alter, use and upload the mobile address books maintained on Apple iDevices.”

Finally, Apple argues that plaintiffs failed to adequately allege misrepresentations, or identify specific statements that plaintiffs relied on. Although in a previous order the court denied Apple’s motion to dismiss on this point, the court revisits the issue and this time around says that the representations are indeed lacking. Plaintiffs vaguely alleged that they “viewed the Apple website,” but this is short of identifying a specific representation that influenced their purchasing decision. Plaintiffs alternatively argued that their allegation of a “long-term” advertising campaign containing deceptions that relieve them of their obligation to satisfy the specificity requirement, but the court rejects this argument.

The court also tosses the remaining claims against Apple: (1) claims under California’s anti-hacking statute, section 502 (for failure to allege that Apple circumvented a technical or code-based barrier); (2) design defect/failure to warn (failure to allege harm to person or property); (3) negligence (economic loss rule); and (4) aiding and abetting (no facts other than those previously alleged that support any theory of aiding and abetting).

App Defendants: The App defendants also raised standing arguments, but the analysis differed slightly between the court’s discussion as to Apple and the discussion as to the app defendants. As to these defendants, because the apps were free, plaintiffs could not allege that they were out any money. As a result, they faced more of a challenge in satisfying standing. The court rejects their theories that standing could come from (1) their request for injunctive relief or (2) interference with their “property rights in their address books.”

Nevertheless, the court finds that they satisfy standing on two different grounds. First, they allege statutory violations, and this is sufficient under Edwards v. First American to satisfy standing. Second, they allege invasion of privacy, which the court says is sufficient to confer standing as to that claim. As to the invasion of privacy claim, the court says that plaintiffs did have a reasonable expectation of privacy in their contact information and address books. The app defendants argued that their access of the contact information was not “highly offensive” to the reasonable person, but the court says it is unable to conclude that as a matter of law. The app defendants also argued that plaintiffs failed to adequately allege damages, but the court also says that this is not amenable to resolution at the motion to dismiss stage. The court does say that plaintiffs’ theory of public disclosure of private facts is not sufficient because there was no allegation that the contact information was disclosed to the public at large. The intrusion of seclusion invasion of privacy claim survives.

Finally, the court gets rid of the various statutory claims. The CFAA and Section 502 claims fail because plaintiffs failed to allege lack of authorization. The ECPA claim, as well as the Texas and California wiretap claims, fail because there was no “interception.” Plaintiffs also alleged a claim under a Texas theft statute, but the court says that plaintiffs can’t satisfy the “deprivation” element of a theft claim.

Facebook and Gowalla Motions: The Facebook and GoWalla motions focused on whether Facebook would be held liable as a result of acquiring Gowalla and whether GoWalla’s sale to Facebook somehow constituted a fraudulent transfer. As to the first claim, the court says after reviewing a copy of the Facebook-Gowalla agreement (under seal), that Facebook transferred cash and pre-IPO stock to GoWalla, in exchange for a non-exclusive royalty-free license to GoWalla’s patents. The agreement did not convey to Facebook any title to GoWalla intellectual property. Thus, there was no “transfer” within the meaning of the uniform fraudulent transfer act. Plaintiffs also failed to allege that the transfer put any assets that plaintiffs would be able to execute their prospective judgment against beyond their reach. The argument for successor liability fails as well because plaintiffs failed to allege that Facebook acquired GoWalla and failed to allege a transfer of assets.


The address book lawsuits always struck me as the classic privacy lawsuit that was unsupported by any real harm. The idea that Apple should be held liable for these supposed harms is a crazy stretch, but as always, plaintiffs latched on to flowery marketing language in an attempt to construct a claim.

Fortunately, the court isn’t having it, but unfortunately, the court throws in some Section 230 discussion that probably has Professor Goldman cringing. The analysis should be two-fold: (1) Section 230 bars most attempts to hold Apple liable for information it makes available–i.e., the apps; (2) to the extent it makes contractual promises, it can be held liable for those promises. Instead, the court looks to Apple’s guidelines to developers and casts this “conduct that goes beyond the traditional editorial functions of a publisher.” I’m not sure exactly what the court means here, and whether the court is trying to stretch the 9th Circuit’s Roommates opinion, but it’s somewhat out of left field, and contrary to the well-established body of Section 230 jurisprudence.

The app developers are dealing with claims from free customers, so they are able to rely on standing, but only to a certain extent. Even still, with the exception of the privacy ruling, the court’s treatment of the remainder of the claims is fairly unsurprising. As to the invasion of privacy ruling, I suppose the court could have gone either way at this stage, given the malleability of a standard such as “shocking to the reasonable person.” But I would think most people would find surprising the conclusion that access by the apps of your address books could be “highly offensive”. (Cf. “Court: Husband’s Access of Wife’s Email to Obtain Information for Divorce Proceeding is not Outrageous“.) Perhaps the result should be different if the apps take those address books and misuse the information in them, but for the most part, there is no credible evidence that the apps ever exploited this information, either internally or externally, beyond facilitating interactions with contacts. As a result, although these claims get past the motion to dismiss stage, I can’t imagine they will withstand a motion for summary judgment. Not to mention that they may suffer from the defect that they are probably not amenable to class-wide resolution. In any event, this lawsuit still continues to limp along.

Case citation: Opperman v. Path, 2014 WL 1973378 (N.D. Cal. May 14, 2014) [h/t Courthouse News]

Related posts: Google Wins Cookie Privacy Lawsuit

Judge Boots Privacy Lawsuit Against Pandora but Plaintiffs Can Replead – Yunker v. Pandora

$1 Billion Pro Se Privacy Lawsuit Against Google Fails–Shah v. MyLife

Judge Koh Whittles Down iPhone App Privacy Lawsuit – In re iPhone Application Litig.

Reidentification Theory Doesn’t Save Privacy Lawsuit–Steinberg v. CVS Caremark

App Developer RockYou Settles Privacy Lawsuit–Claridge v. RockYou

Comments on Doe v. IMDB Privacy Lawsuit

Google Gets Dismissal of Lawsuit Over Privacy Policy Integration–In re Google Privacy Policy

Court Dismisses Data Breach Lawsuit Against LinkedIn Based on Compromised Passwords – In re LinkedIn User Privacy Litigation

Men’s Journal Beats Lawsuit Alleging Violation of California’s “Shine the Light” Privacy Statute — Boorstein v. Men’s Journal

New Essay: The Irony of Privacy Class Action Lawsuits

TheDirty Defeats Privacy Invasion Lawsuit–Dyer v. Dirty World

Privacy Claims Based on LinkedIn’s Security Promises Survive Motion to Dismiss

Another Questionable IP Lawsuit Over a Derogatory Twitter Account

Android and Pandora Privacy Rulings Accept Low Hurdle for Standing

Employer Who Takes Over Employee’s Social Media Accounts May Commit Privacy Violation–Maremont v Susan Fredman Design

Sony PlayStation Data Breach Lawsuit Whittled Down but Moves Forward

Is Sacramento The World’s Capital of Internet Privacy Regulation? (Forbes Cross-Post)

Video Privacy Protection Act Plaintiffs Can Proceed Against Hulu Absent Showing of Actual Injury