“Most of us understand that what we do on the Internet is not completely private.… We browse the Internet, and the data-collecting infrastructure of the digital world hums along quietly in the background.” So began a decision by the Third Circuit holding that Viacom and Google did not violate federal or state law by tracking children’s internet activities. Plaintiffs alleged that Viacom and Google unlawfully used cookies to track children’s web browsing and video-watching habits on Viacom’s websites for the purpose of selling targeted advertising based on the users’ web history. The court dismissed claims that Viacom’s actions constituted a violation of the federal Wiretap Act as well as claims under the Federal Stored Communications Act. The court found that the information Viacom shared with Google did not violate the New Jersey privacy laws, because the information shared could not be considered personally identifiable information under the statutes. Looking at whether plaintiffs had standing under Spokeo, the court determined that they did because “each plaintiff complains about the disclosure of information relating to his or her online behavior.” The court, however, dismissed the majority of the claims and reversed and remanded on a discrete claim for intrusion upon seclusion. View the decision. (Read our discussion of Spokeo in Consumer Fraud Class Action Developments.)
A Missouri federal magistrate judge dismissed, for lack of standing, a class action suit against Scottrade for claims stemming from data hacks. In February 2016, several Scottrade customers filed a class action against the company after it was revealed that personal information of over 4.6 million clients was stolen from the company’s servers between September 2013 and February 2014. While plaintiffs alleged that they had suffered injuries as a result of the data breaches, including increased risk of identity theft and identity fraud, costs of monitoring and mitigating against the data theft, and failure to receive the full value of the bargained-for services, the court held that plaintiffs failed to meet the injury-in-fact requirement of Article III of the Constitution. The court held that the increased risk of future harm of identity theft from an information breach alone did not constitute an injury in fact, distinguishing cases in which customers’ personal confidential information was stolen and later used for fraudulent purchases. Here, the information had not been used for two years following the hack. The court also rejected the argument that plaintiffs’ personal information had suffered a deprivation of value as “insufficient to demonstrate an injury in fact.” View the decision. (Read our discussion of Spokeo in Consumer Fraud Class Action Developments.)
A Wisconsin federal judge dismissed claims against Time Warner Cable by one of its former customers on the grounds that the customer lacked Article III standing. Plaintiff had alleged that Time Warner Cable collected personal information — including names, addresses and Social Security numbers — from customers and maintained the information even after those customers canceled their subscription plans. Applying Spokeo, the district court held that the complaint failed to allege any concrete injury as a result of Time Warner’s retention of customers’ personal information, as plaintiff had not alleged any misuse of his personal information. Plaintiff’s complaint was dismissed for lack of standing, as well as on separate grounds for failure to state a claim. View the decision. (Read our discussion of Spokeo in Consumer Fraud Class Action Developments.)
PayPal Settles Texas State Attorney General’s Charges That Venmo Users’ Contact Lists Were Misused and Private Information Inadvertently Disclosed
In the Matter of State of Texas and PayPal, Inc. (Tex. Dist. Ct. May 2016)
PayPal has entered into a $175,000 settlement with the Texas Attorney General’s Office after the state alleged that PayPal’s Venmo application, a popular app used to transfer money and marketed as a convenient way to share payments among friends, violated portions of the Texas Deceptive Trade Practices Consumer Protection Act. The Texas AG alleged that the Venmo app used consumers’ personal phone contact lists without adequate explanation or disclosure as to how this information would be used by the company. Further, the AG alleged that PayPal failed to disclose how users’ transactions and communications with other users would be shared. In addition to paying monetary damages, PayPal agreed to several alterations of its business practices, including seeking permission from users prior to accessing their contact lists and informing users how such information will be used if permission is granted. View the decision.
California Appeals Court Finds Federal Airline Deregulation Act Preempts CalOPPA in Fly Delta Mobile App Case
People ex rel. Harris v. Delta, 247 Cal. App. 4th 884 (Cal. Ct. App., 1st Dist. 2016)
A California court held that the federal Airline Deregulation Act of 1978 preempts California’s Online Privacy Protection Act (OPPA), and dismissed claims that Delta’s Fly Delta mobile app violates the state statute. The Delta app allegedly allowed customers to send and receive information over the internet, collecting certain personally identifiable information without posting a readily accessible privacy policy concerning that collection as required under the California state statute. In finding preemption, the court held that “[i]f each State were to require Delta to comply with its own version of the OPPA, it would force Delta to design different mobile applications to meet the requirements of each state.” Such a result “might well make it impossible for an airline to use a mobile application as a marketing mechanism at all.” View the decision.
Florida District Court Dismisses Wendy’s Data Breach Class Action for Lack of Standing
Torres v. The Wendy’s Co., No. 6:16-cv-00210 (M.D. Fla. July 15, 2016)
The court dismissed, without prejudice, a proposed class action over a January data breach at Wendy’s, finding that allegations of two fraudulent charges allegedly made to representative plaintiff’s debit card were insufficient to establish Article III standing. In dismissing the case with leave to replead, the court found that the harm plaintiff alleged was “highly speculative.” Applying the standard from the Eleventh Circuit’s 2012 decision in Resnick v. AvMed, the court noted that even assuming that plaintiff’s two fraudulent charges would constitute actual identity theft, plaintiff had not alleged any monetary harm stemming from the two fraudulent charges, including that the two fraudulent charges were unreimbursed by his credit union. View the decision.
InMobi Settles FTC Charges That Geo-Tracking Advertising Software Collected Consumer and Children’s Private Information in Violation of Federal Law
United States v. InMobi PTE Ltd., No. 16-cv-03474 (N.D. Cal. June 22, 2016)
InMobi SDK, a Singapore-based software developer and mobile advertising company, agreed to pay $950,000 in civil penalties and to implement a comprehensive privacy program to settle FTC charges that its geo-targeting practices violated the Children’s Online Privacy Protection Act of 1998 and other statutes by collecting consumer (including children’s) information without consent. InMobi provides an advertising platform for mobile application developers, which includes access to its software development kit. That software includes geo-targeting products, which allow advertisers to promote products based on users’ physical locations. This geo-tracking system requires the app to seek and be granted permission from the mobile user, and allows users to deny access to their locations. However, InMobi’s apps were still able to obtain consumers’ locations when the mobile device was connected to Wi-Fi networks, by means of analyzing neighboring networks and deducing the users’ geographical location from that analysis. Although InMobi’s privacy policy stated it did not direct any of its applications toward children under the age of 13, thousands of app developers using InMobi’s services alleged that they alerted InMobi that their services were specifically tailored toward children and that InMobi made no attempt to curtail the collection of users’ personal information through these applications. View the decision.