AARP Defeats Lawsuit for Sharing Information With Facebook and Adobe

Plaintiff sued AARP alleging that AARP violated its privacy policy (link to policy effective April 2015) by allowing Adobe and Facebook to collect PII about plaintiff. The court says there’s not a sufficient allegation of violation of AARP’s privacy policy in the first place. Further, even if there were, plaintiff fails to satisfy Article III standing.

Plaintiff Ethel Austin-Spearman is, as described by the court, “an internet savvy woman.” In late 2010 she investigated and purchased an AARP membership online and prior to doing so, viewed AARP’s privacy policy. According to her, the privacy policy assured users that personal information about users was collected and disclosed to third parties in only limited circumstances. However, contrary to these assurances, plaintiff alleges that when she stayed logged in to her Facebook account and accessed the AARP website, Facebook regularly tracked “the titles of the articles and videos that [she] accesses and views as she browses the AARP website.” As to Adobe, her allegation is that the cookie placed by Adobe captures personal information as well as information regarding what content she viewed on the AARP website.

She brought claims against AARP, including violation of the DC Consumer Protection Act fraud, unjust enrichment, and breach of contract.

No underlying violation: The court first says that Austin-Spearman failed to allege an underlying violation. The privacy policy employed by AARP was somewhat typical in talking about information collected by AARP (such as registration information) and information AARP allowed third parties to collect (defined as non-personal information that would be typical for ad-tracking purposes). While at first glance the policy could support a view that AARP would not allow third parties to collect personal information, the court says that a closer look reveals this is not the case. First, the policy talks about “social media accounts” and expressly says that if you access AARP’s website while “logged-in” to a social media account, the social media account (such as Facebook) may collect “data and information” about you. Second. The policy also says that AARP may disclose “your [a customer’s] information . . . with companies [AARP] hire[s] to provide . . . services such as . . . improving advertising services . . . and managing databases or other technology.” The court says that no matter how many times plaintiff repeats her mantra of improper disclosure, the actual language of the policy does not support her claims of breach.

No economic injury: Even assuming she stated a violation, the court says that the complaint fails to plausibly allege economic injury. First, the court rejects the “overpayment” theory. According to plaintiff’s own allegations, she did not even see the policy until after she paid, so there’s no way that she could have relied on promises in the policy in making her purchasing decision. The privacy policy was not a part of the bargain. (See also In re LinkedIn User Privacy Litigation.) Second, the court says that the complaint makes clear she received the benefit of the bargain: she utilized her AARP membership. Website usage is one of the many benefits AARP members receive, and the complaint does not contend that it is an essential or even primary benefit to members. While it may have been important to plaintiff personally, she must allege that the breached term “was objectively essential to the contract at issue . . .” This she fails to do. Indeed, AARP likely didn’t materially breach the agreement because it substantially performed its portion of the bargain.

__

This is a super interesting case, because it does something court decisions rarely do–actually analyze the language of a privacy policy and assess whether a website has complied. Hoang v. IMDb was the most recent example of a court doing this; while the trial itself was interesting, it fizzled on appeal, with the Ninth Circuit adopting a “no harm no foul” approach (as did the court here). Interestingly, the court here never tackles the question of whether the information at issue is even personally identifiable information (a term that is used often but lacks a precise legal definition).

Unfortunately, there could be a problem with the court’s ruling. The court looked to the policy in effect currently (in 2015) and initially concluded that this was the operative policy plaintiff signed up under. Following the initial ruling, which was issued a month ago, AARP pointed out that the current policy was recently revised (i.e., it was not the one in effect in 2010). In response, the court did not revisit its analysis, but merely added language to a footnote to the effect that it “assume[s] that the privacy policy at the web address provided by the Plaintiff is the same privacy policy that existed at the time Austin-Spearman first accessed the AARP website.” I’m not sure what went on here, but there was an easy alternative that the could have supplied the language of the policy in effect when plaintiff signed up: Internet Archive. The order is not clear precisely when in 2010 plaintiff signed up, but archive.org contains a link to the AARP website over time, and under this version of the policy which is accessible here the analysis would be markedly different. Analysis of her claims under the correct version of the privacy policy should be fixed, either on reconsideration or on appeal. It’s possible of course that she can show a technical violation of the privacy policy but still not prevail on the merits. The dismissal also could be affirmed on standing grounds.

The old version of the policy looks similar to stock privacy policy language that was in circulation at the time. Somewhat confusingly, it organizes information into categories of information collected by AARP and information provided by the user. The collection of information via cookies is all phrased terms of “non-personal information”. In addition to these implied assurances, the policy contains what could be read as an overt assurance that AARP would share a user’s “personal information only with companies [AARP has] selected to provide official AARP member services or support AARP operations.” [emphasis added] The document is classically ambiguous and straddles the line between placating users and hedging in a way that leaves the site room to freely share information. Still, it’s tough to argue that companies such as Adobe and Facebook fit into the carveout referenced above (companies AARP selected to provide official services or support operations). Assuming she can satisfy standing and state law requirements as to damages, she appears to have a colorable claim based on AARP’s violation of the policy.

It’s interesting that the plaintiff did not bring up the Video Privacy Protection Act, which plaintiffs have argued (somewhat unsuccessfully) should transform the standard passing of personal data to a social network into a privacy violation. Hulu, Nickelodeon, and others have grappled with these cases, and have for the most part defeated them. Another avenue could have been the California Reader Privacy Act, which has seen little if any litigation. Perhaps plaintiff’s failure to raise those statutes is a testament to their inefficacy in forging a clear path for plaintiffs in these types of cases.

It’s worth contrasting this ruling with the ruling in the Neiman Marcus case, which I recently blogged about, where the court found standing for putative victims of a retail data breach. Perhaps this case is distinguishable because it’s a data sharing case, where there is no presumption of wrongdoing and misuse of information downstream, as opposed to a data breach case. This could confirm a judge’s instinct of there being no cognizable harm from the allegedly improper disclosure. Many other information sharing cases have failed recently, so this conclusion would not be particularly surprising.

Case Citation: Austin-Spearman v. AARP, 14-cv-1288 (KBJ) (D.C. filed June 30, 2015–see 2015 WL 4036206, amended July 28, 2015–see 2015 WL 4555098)

Related posts:

Disclosing Unique User IDs In URLs Doesn’t Violate ECPA–In re Zynga/Facebook

In IMDb Privacy Case, 9th Circuit Rejects Hoang’s Appeal

Lawsuit Fails Over Ridesharing Service’s Disclosures To Its Analytics Service–Garcia v. Zimride

Seventh Circuit: Data Breach Victims Have Standing Based on Future Harm

Court Says Plaintiff Lacks Standing to Pursue Failure-to-Purge Claim Under the VPPA – Sterk v. Best Buy

Judge Dismisses Claims Against Pandora for Violating Michigan’s Version of the VPPA – Deacon v. Pandora Media

Android ID Isn’t Personally Identifiable Information Under the Video Privacy Protection Act

Minors’ Privacy Claims Against Viacom and Google Over Disclosure of Video Viewing Habits Dismissed

Hulu Unable to Shake Video Privacy Protection Act Claims

Video Privacy Protection Act Plaintiffs Can Proceed Against Hulu Absent Showing of Actual Injury

Judge Boots Privacy Lawsuit Against Pandora but Plaintiffs Can Replead – Yunker v. Pandora

Split 9th Circuit Panel Approves Facebook Beacon Settlement – Lane v. Facebook

No Privacy Claim Against Netflix for Disclosing Viewing Histories and Instant Queue Titles Through Netflix-Enabled Devices — Mollett v. Netflix

Court Declines to Dismiss Video Privacy Protection Act Claims against Hulu

Granick on CISPA’s Deficiencies (With Some of My Own Comments)

Seventh Circuit: No Private Cause of Action Under the Video Privacy Protection Act for Failure to Purge Information–Sterk v. Redbox

Jan.-Feb. 2012 Quick Links, Part 6 (Privacy and more)

Redbox Can be Liable Under the Video Privacy Protection Act for Failure to Purge Video Rental Records — Sterk v. Redbox

Beacon Class Action Settlement Approved — Lane v. Facebook