Lawsuit Fails Over Ridesharing Service’s Disclosures To Its Analytics Service–Garcia v. Zimride
Plaintiff sued Lyft (and others) over privacy violations based on the allegedly improper disclosure of user information by the Zimride service. He alleged that he used the Zimride service, once owned by Lyft and now owned by Enterprise Holdings, and his information made its way to Mixpanel, a third party analytics service. California has a statute on the books that places restrictions on anyone who has access to personal information gathered “for the purpose of assisting private entities in the establishment or implementation of carpooling or ridesharing programs.” Plaintiff alleged that:
Zimride’s disclosure of information such as the user’s ‘gender, age, zip code, metro region, travel plans, and link to the user’s Facebook profile’ aids Mixpanel in ‘compil[ing] comprehensive profiles of consumers’ digital lives.’
Mixpanel was not a party to the lawsuit. The remaining defendants argued that the statute didn’t apply to this situation, and if it did, they had consent.
Statutory Applicability: The statute was a 1990 amendment to the California privacy statute. It was enacted in the wake of an improper disclosure by Caltrans and some of its department offices. The statute applies when defendants gather information for the purpose of assisting others in establishing carpool programs. The court says it does not apply here because the data wasn’t gathered to help other institutions create carpool programs. [Eric’s comment: to me, the statutory language pretty clearly contemplates restrictions on government actors who were trying to help community organizers put together carpool/rideshare programs]. Nevertheless, the court says it’s not persuaded by defendants’ remaining arguments that Zimride is not a “ridesharing” program and that they do not have access to any personal information.
Statutory violation: Given the statutory inapplicability, the court’s remaining discussion about the statute seems like dicta. Nevertheless, the court tackles the issue of whether the conduct violates the statute. The information itself could fall within the statute—the court says the statutory scope is broad and the list of personal information described is not exhaustive. However, the court agrees that there’s no allegation that Mixpanel receives the information for any purpose than “establishing or implementing a rideshare or carpooling program” (the court says there’s no allegation that Mixpanel exploits the information).
The court then grants leave to amend.
Fans of Video Privacy Protection Act, you’ve found its long-lost cousin! Seriously, legislators who drafted the VPPA probably felt the same amount of surprise when plaintiffs tried to apply it to streaming sites who used cookies as the drafters of this legislation must feel when they discover carpool privacy statutes might restrict the disclosures of the Ubers and Lyfts of the world. Snark aside, the privacy universe has changed a lot in the past 25 years, and legislators and drafters of privacy policies would do well to preemptively confront the question of whether disclosure of someone’s attributes is the same as disclosing their actual identity.
It’s interesting that the analytics company did not get sucked in to the lawsuit. One wonders to what extent they’re on the radar screen of plaintiff’s lawyers.
“A San Francisco Entrepreneur Almost Sued Uber Over Privacy Issues” (“A San Francisco Bay Area entrepreneur and author whose location in an Uber vehicle was allegedly broadcast to a roomful of party-goers without his permission considered legal action against the company and consulted an attorney, he said on Wednesday.”)
case citation: Garcia v. Enterprise Holdings, 2015 U.S. Dist. LEXIS 8799 (N.D. Cal. Jan. 23, 2015)