Lawsuit Fails Over Ridesharing Service’s Disclosures To Its Analytics Service–Garcia v. Zimride
Plaintiff sued Lyft (and others) over privacy violations based on the allegedly improper disclosure of user information by the Zimride service. He alleged that he used the Zimride service, once owned by Lyft and now owned by Enterprise Holdings, and his information made its way to Mixpanel, a third party analytics service. California has a statute on the books that places restrictions on anyone who has access to personal information gathered “for the purpose of assisting private entities in the establishment or implementation of carpooling or ridesharing programs.” Plaintiff alleged that:
Zimride’s disclosure of information such as the user’s ‘gender, age, zip code, metro region, travel plans, and link to the user’s Facebook profile’ aids Mixpanel in ‘compil[ing] comprehensive profiles of consumers’ digital lives.’
Mixpanel was not a party to the lawsuit. The remaining defendants argued that the statute didn’t apply to this situation, and if it did, they had consent.
Statutory Applicability: The statute was a 1990 amendment to the California privacy statute. It was enacted in the wake of an improper disclosure by Caltrans and some of its department offices. The statute applies when defendants gather information for the purpose of assisting others in establishing carpool programs. The court says it does not apply here because the data wasn’t gathered to help other institutions create carpool programs. [Eric’s comment: to me, the statutory language pretty clearly contemplates restrictions on government actors who were trying to help community organizers put together carpool/rideshare programs]. Nevertheless, the court says it’s not persuaded by defendants’ remaining arguments that Zimride is not a “ridesharing” program and that they do not have access to any personal information.
Statutory violation: Given the statutory inapplicability, the court’s remaining discussion about the statute seems like dicta. Nevertheless, the court tackles the issue of whether the conduct violates the statute. The information itself could fall within the statute—the court says the statutory scope is broad and the list of personal information described is not exhaustive. However, the court agrees that there’s no allegation that Mixpanel receives the information for any purpose than “establishing or implementing a rideshare or carpooling program” (the court says there’s no allegation that Mixpanel exploits the information).
The court then grants leave to amend.
Fans of Video Privacy Protection Act, you’ve found its long-lost cousin! Seriously, legislators who drafted the VPPA probably felt the same amount of surprise when plaintiffs tried to apply it to streaming sites who used cookies as the drafters of this legislation must feel when they discover carpool privacy statutes might restrict the disclosures of the Ubers and Lyfts of the world. Snark aside, the privacy universe has changed a lot in the past 25 years, and legislators and drafters of privacy policies would do well to preemptively confront the question of whether disclosure of someone’s attributes is the same as disclosing their actual identity.
It’s interesting that the analytics company did not get sucked in to the lawsuit. One wonders to what extent they’re on the radar screen of plaintiff’s lawyers.
NB: I hadn’t previously heard of Zimride. A TechCrunch article from today (as well as a 2015 website announcement) both indicate that its moving into the education and corporate ride-sharing space.
Loosely related: “FOIA Documents Reveal Massive DEA Program to Record American’s Whereabouts With License Plate Readers”
“A San Francisco Entrepreneur Almost Sued Uber Over Privacy Issues” (“A San Francisco Bay Area entrepreneur and author whose location in an Uber vehicle was allegedly broadcast to a roomful of party-goers without his permission considered legal action against the company and consulted an attorney, he said on Wednesday.”)
case citation: Garcia v. Enterprise Holdings, 2015 U.S. Dist. LEXIS 8799 (N.D. Cal. Jan. 23, 2015)
Court Says Plaintiff Lacks Standing to Pursue Failure-to-Purge Claim Under the VPPA – Sterk v. Best Buy
Judge Dismisses Claims Against Pandora for Violating Michigan’s Version of the VPPA – Deacon v. Pandora Media
Android ID Isn’t Personally Identifiable Information Under the Video Privacy Protection Act
Minors’ Privacy Claims Against Viacom and Google Over Disclosure of Video Viewing Habits Dismissed
Hulu Unable to Shake Video Privacy Protection Act Claims
Video Privacy Protection Act Plaintiffs Can Proceed Against Hulu Absent Showing of Actual Injury
Judge Boots Privacy Lawsuit Against Pandora but Plaintiffs Can Replead – Yunker v. Pandora
Split 9th Circuit Panel Approves Facebook Beacon Settlement – Lane v. Facebook
No Privacy Claim Against Netflix for Disclosing Viewing Histories and Instant Queue Titles Through Netflix-Enabled Devices — Mollett v. Netflix
Court Declines to Dismiss Video Privacy Protection Act Claims against Hulu
Granick on CISPA’s Deficiencies (With Some of My Own Comments)
Seventh Circuit: No Private Cause of Action Under the Video Privacy Protection Act for Failure to Purge Information–Sterk v. Redbox
Jan.-Feb. 2012 Quick Links, Part 6 (Privacy and more)
Redbox Can be Liable Under the Video Privacy Protection Act for Failure to Purge Video Rental Records — Sterk v. Redbox