Lawsuit Fails Over Ridesharing Service’s Disclosures To Its Analytics Service–Garcia v. Zimride

Screen Shot 2015-01-28 at 9.28.47 AMPlaintiff sued Lyft (and others) over privacy violations based on the allegedly improper disclosure of user information by the Zimride service. He alleged that he used the Zimride service, once owned by Lyft and now owned by Enterprise Holdings, and his information made its way to Mixpanel, a third party analytics service. California has a statute on the books that places restrictions on anyone who has access to personal information gathered “for the purpose of assisting private entities in the establishment or implementation of carpooling or ridesharing programs.” Plaintiff alleged that:

Zimride’s disclosure of information such as the user’s ‘gender, age, zip code, metro region, travel plans, and link to the user’s Facebook profile’ aids Mixpanel in ‘compil[ing] comprehensive profiles of consumers’ digital lives.’

Mixpanel was not a party to the lawsuit. The remaining defendants argued that the statute didn’t apply to this situation, and if it did, they had consent.

Statutory Applicability: The statute was a 1990 amendment to the California privacy statute. It was enacted in the wake of an improper disclosure by Caltrans and some of its department offices. The statute applies when defendants gather information for the purpose of assisting others in establishing carpool programs. The court says it does not apply here because the data wasn’t gathered to help other institutions create carpool programs. [Eric’s comment: to me, the statutory language pretty clearly contemplates restrictions on government actors who were trying to help community organizers put together carpool/rideshare programs]. Nevertheless, the court says it’s not persuaded by defendants’ remaining arguments that Zimride is not a “ridesharing” program and that they do not have access to any personal information.

Statutory violation: Given the statutory inapplicability, the court’s remaining discussion about the statute seems like dicta. Nevertheless, the court tackles the issue of whether the conduct violates the statute. The information itself could fall within the statute—the court says the statutory scope is broad and the list of personal information described is not exhaustive. However, the court agrees that there’s no allegation that Mixpanel receives the information for any purpose than “establishing or implementing a rideshare or carpooling program” (the court says there’s no allegation that Mixpanel exploits the information).

Consent: Finally, the parties have a dispute over consent, and this turns on whether Zimride’s privacy policy had the adequate disclosures, and of course, whether users were informed of it. Although not clear from the court’s discussion, the Zimride app may not have had a mandatory leak-proof implementation of the terms of service (next to which a link to the privacy policy was displayed). This has caused problems for other companies (e.g., Zappos, Barnes and Noble), but the court says, without any analysis, that Zimride had a “browsewrap agreement”. The court does not make a finding as to whether or not the consent (in the privacy policy) was legally effective in all cases, but says that plaintiff failed to allege lack of consent:

[g]iven the express provisions of the privacy policy and TOS, which ostensibly contradict [plaintiff’s] bare allegation that he did not consent, Plaintiff must allege additional facts to support his claim.

The court then grants leave to amend.

__

Fans of Video Privacy Protection Act, you’ve found its long-lost cousin! Seriously, legislators who drafted the VPPA probably felt the same amount of surprise when plaintiffs tried to apply it to streaming sites who used cookies as the drafters of this legislation must feel when they discover carpool privacy statutes might restrict the disclosures of the Ubers and Lyfts of the world. Snark aside, the privacy universe has changed a lot in the past 25 years, and legislators and drafters of privacy policies would do well to preemptively confront the question of whether disclosure of someone’s attributes is the same as disclosing their actual identity.

The court’s treatment of the consent issue is confusing. On the one hand, the court says that “to use Zimride, Plaintiff necessarily had to agree with Zimride’s TOS and Privacy Policy, but on the other, the court calls Zimride’s TOS and privacy policy “browsewrap agreements” (“where . . . terms and conditions . . . are generally posted on the website”). [emphasis added] As Eric has said repeatedly, it’s time to retire terms such as “click-wrap” and “browse-wrap”. The terms confuse courts and add nothing to the analysis. The app here had a check-the-box and apparently plaintiff’s argument is that there was no explicit disclosure that by checking the box he had agreed to the privacy policy. Again, it’s trivially easy to companies to preempt this argument. To the extent the app simply failed to include the requisite language next to the “okay” button, it’s tough to have much sympathy for it. Perhaps the whole misunderstanding is partially a result of being able to log-in via Facebook–that necessitates a certain amount of information being passed to third parties. (The precise nature of Facebook Connect implementation can have consequences, as we saw in the Hulu case.) Perhaps the plaintiff’s qualm here is the extent of disclosure not matching up with the actual practices. Perhaps consumers deserve assurances that third party analytics companies don’t construct user profiles (Mixpanel’s marketing language was not very reassuring in this regard)?

Screen Shot 2015-01-28 at 9.28.54 AMOn the consent issue, a bunch of recent cases (in particular, the email scanning ones) have examined the efficacy of consent that is contained in a privacy policy or terms of service, and they’re all over the place. Perhaps companies would do well to call out specifically terms where consent is likely to be important (or maybe even have a separate confirmation screen)? That’s essentially what Zimride did here, but perhaps it did not call out that this information would be shared with third parties (something that, perhaps should have been obvious, due to the Facebook sign-in?).

It’s interesting that the analytics company did not get sucked in to the lawsuit. One wonders to what extent they’re on the radar screen of plaintiff’s lawyers.

NB: I hadn’t previously heard of Zimride. A TechCrunch article from today (as well as a 2015 website announcement) both indicate that its moving into the education and corporate ride-sharing space.

Loosely related: “FOIA Documents Reveal Massive DEA Program to Record American’s Whereabouts With License Plate Readers

A San Francisco Entrepreneur Almost Sued Uber Over Privacy Issues” (“A San Francisco Bay Area entrepreneur and author whose location in an Uber vehicle was allegedly broadcast to a roomful of party-goers without his permission considered legal action against the company and consulted an attorney, he said on Wednesday.”)

case citation: Garcia v. Enterprise Holdings, 2015 U.S. Dist. LEXIS 8799 (N.D. Cal. Jan. 23, 2015)

Related posts:

Court Says Plaintiff Lacks Standing to Pursue Failure-to-Purge Claim Under the VPPA – Sterk v. Best Buy

Judge Dismisses Claims Against Pandora for Violating Michigan’s Version of the VPPA – Deacon v. Pandora Media

Android ID Isn’t Personally Identifiable Information Under the Video Privacy Protection Act

Minors’ Privacy Claims Against Viacom and Google Over Disclosure of Video Viewing Habits Dismissed

Hulu Unable to Shake Video Privacy Protection Act Claims

Video Privacy Protection Act Plaintiffs Can Proceed Against Hulu Absent Showing of Actual Injury

Judge Boots Privacy Lawsuit Against Pandora but Plaintiffs Can Replead – Yunker v. Pandora

Split 9th Circuit Panel Approves Facebook Beacon Settlement – Lane v. Facebook

No Privacy Claim Against Netflix for Disclosing Viewing Histories and Instant Queue Titles Through Netflix-Enabled Devices — Mollett v. Netflix

Court Declines to Dismiss Video Privacy Protection Act Claims against Hulu

Granick on CISPA’s Deficiencies (With Some of My Own Comments)

Seventh Circuit: No Private Cause of Action Under the Video Privacy Protection Act for Failure to Purge Information–Sterk v. Redbox

Jan.-Feb. 2012 Quick Links, Part 6 (Privacy and more)

Redbox Can be Liable Under the Video Privacy Protection Act for Failure to Purge Video Rental Records — Sterk v. Redbox

Beacon Class Action Settlement Approved — Lane v. Facebook