Plaintiff’s Location-Based Privacy Claim Against BART Reporting App Fails
In Moreno v. S.F. Bay Area Rapid Transit District, the plaintiff sued BART and Elerts Corporation for allegedly violating several California privacy statutes and infringing plaintiff’s common law and constitutional privacy rights. The court rejects the claims.
BART, in cooperation with its police department and Elerts (a developer), created the “BART Watch” mobile application. The application allowed users to report suspicious activity by “sending pictures, text messages, and locations of suspicious people of activities.” However, the app periodically transmitted the user’s clientid and location information to the app’s servers. The app did not require a user to enter their mobile telephone number but left it optional. The app also had a mandatory click-through mechanism for contract formation. The terms mention location information sharing when a consumer filed a “report” but did not advise that the app allegedly tracked location information on a persistent basis:
when you use the Licensed Application to submit reports, and if you have enabled location services permission for the Licensed Application, the Licensed Application automatically includes your location in the Content transmitted to ELERTS and that location may be used by ELERTS consistent with the rights granted to ELERTS to use Content.
A separate privacy policy was accessible via a hyperlink at the end of the terms but did not have any definitive disclosures. The policy had an integration clause.
No consent to the tracking: Defendants argued that plaintiff consented to the activity by agreeing to the online terms. The court disagrees. While the terms of service had a leak-proof clickthrough mechanism, the terms did not necessarily include the privacy policy. The privacy policy is linked at the end of the terms of service but not in a way that the user clicking on the terms would reasonably be on notice of the privacy policy. In sum, the court says “Defendants’ argument [on consent] prevails only if the Privacy Policy satisfies the requirements for a browse-wrap agreement that the user either had ‘actual notice’ of its terms or ‘if the [App] puts a reasonably prudent user on inquiry notice of the terms. . . .” Neither is satisfied here.
The tracking “device” claim fails: The court rejects the California Penal Code Section 637.7 claim. That statute prohibits the use of electronic “tracking devices” to determine the location or movement of a person. The court explained that the plaintiff did not allege that she had submitted her contact information, so there is no allegation that the app tracked the plaintiff specifically as opposed to an anonymous clientid. The court also found that the app was not an electronic “tracking device” within the meaning of the statute. The definition of “electronic tracking device” requires the device to be “attached to” something, and the court says the app is not “attached to” the cellphone. The court also says the app is not a “device” within the meaning of the statute. A “device” is a thing made for a particular purpose or that performs a special function, but the app doesn’t seem to fit this definition. The court also cites to the legislative history to confirm its understanding that the statute is intended to target devices placed on cars, boats, or other “movable objects”.
The Cellular Communications Interception Act Also Fails: The court also dismissed the plaintiff’s claim under the Cellular Communications Interception Act, a 2016 statute that placed certain restrictions on the use of cell phone interception technology by state and local governments. The court found that Elerts did not fall under the statute as a “local agency that operates cellular communications interception technology”. Rather, it’s merely a vendor that developed the app. The court also says that there’s no plausible allegation that defendants “knowingly” violated the statute. Specifically, there’s no credible allegation that BART was aware of the functionality in question.
Constitutional and Common Law Privacy Claims: The court rejects plaintiff’s constitutional and common law privacy claims. The court noted two online privacy cases where the court found the conduct insufficiently egregious. A third case involved vehicle tracking where the court dismissed the claims for failure to plead the tracking with specificity. Ultimately the court says the tracking of anonymous clientid information is not an egregious breach of social norms. The court points to the fact that plaintiff was on notice that the app would have access to some location information, and the nature of the app itself provided implicit notice that cuts against any egregiousness of the tracking:
She was thus on notice that BART would be accessing this information. Further, users download the BART Watch App so that they can report suspicious activity happening on BART—it is implicit that the App would need to provide BART police with the user’s location to do so. How else would the police know where to go? Indeed, the App clearly states that it will use a user’s location to do so even—and especially—in the case of an anonymous report. That BART also “periodically” accesses this information even when the user is not using the App is not an egregious violation of social norms.
The court rejects the intrusion on seclusion claims on similar grounds.
__
Cases are few and far between that address consent to tracking. The email scanning cases address the issue but no case has definitively set forth the requirements for consent or whether consent can be procured in a privacy policy. The case contains a good discussion of how to implement a leak-proof terms of service, but the terms were of little use given that the privacy policy was not effectively incorporated. (Oddly, the court never references the language of the policy itself, but one can presume it must have been favorable to defendants.)
It’s interesting to not see the issue of standing raised. Perhaps defendants saw it as a difficult argument to make given plaintiff’s allegations of statutory violations and of wrongful disclosures. It would have been tough to argue that defendants only violated “bare procedural rules” of the type described in Spokeo and therefore plaintiff lacked standing.
Plaintiff’s device tracking claim is reminiscent of privacy claims asserted in the divorce context, and perhaps that’s the genesis of the statute. The plaintiff attempted to shoehorn a claim into a statute that the court concluded did not fit.
Location tracking is something apps never seem to get right. The precise nature of the tracking is unclear, including whether the app transmitted a user’s location when the user took affirmative steps on their device to stop sharing the location. One can see several reasons why having BART persistently tracking app users’ locations without consent is a bad thing. Of course, that doesn’t mean that plaintiffs should be able to necessarily sue for statutory damages based on ill-fitting privacy statutes. The court recognizes this and shuts down the lawsuit. It’s worth noting that the court gave plaintiff a chance to amend, and it has filed an amended complaint.
Eric’s Comments: An app making it easier to report crimes generally sounds like a good idea. Automatic reporting of the device’s geographic location at the time the user submits a crime report sounds logical (by way of comparison, 911 services do this). Any other geographic tracking of citizens carrying the device–even if putatively “anonymized”–by a government actor (in this case, BART) sounds like an absolutely horrible idea. This is a good case study of how the app designers should have voluntarily restricted the potential tracking from day 1 (i.e., a “privacy-by-design” moment). Unless such restrictions are baked-in from day 1, it’s impossible to trust *any* government-issued app that might ask for location information. Even then, no matter what the app’s disclosures say, I rarely grant apps permission to access my location–only when it’s absolutely necessary to the apps’ functioning–because inevitably both government and private actors will find it irresistible to misuse that information.
Case citation: Moreno v. SF Bay Area Rapid Transit Dist., 2017 US Dist LEXIS 206009 (Dec. 14, 2017)
Related posts:
Facebook Persistent Tracking Lawsuit Crashes Again
Facebook Beats Privacy Lawsuit Alleging Persistent Tracking
Disclosing Unique User IDs In URLs Doesn’t Violate ECPA–In re Zynga/Facebook
Judge Koh Puts the Kibosh on LinkedIn Referral ID Class Action — Low v. LinkedIn
The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon