Another Court Dismisses for Lack of Standing a Group of Privacy Cases Where Plaintiffs Failed to Allege Concrete Harm; Other Defects Noted
At issue in this case were a group of lawsuits consolidated in the Northern District of California in which the plaintiffs asserted a number of statutory and common law claims that essentially accused the defendants of obtaining information about them without their knowledge or permission.
First, the court found that the plaintiffs did not adequately allege that they suffered any concrete injury, a requirement to demonstrate standing in federal lawsuits. Unable to demonstrate that they actually suffered monetary damages as a result of the collection and sharing of their information, plaintiffs attempted to allege four alternative types of injury: (1) inherent injury due to the misappropriation or misuse of personal information; (2) diminution in the value of the personal information, claimed to be an “asset of economic value” due to its scarcity; (3) “lost opportunity costs” in having installed the apps; and (4) diminution in the value of their mobile devices because they were suddenly “less secure” and “less valuable” in light of the privacy concerns. Citing established precedent, the court rejected the applicability of these “abstract concepts” to prove damages in online privacy cases, instead requiring that the plaintiffs demonstrate tangible economic harm.
In so holding, the court distinguished a 2010 case out of the Northern District, Doe I v. AOL LLC, that did find standing when the plaintiffs alleged that the defendant publicly disclosed their personal information online. The court distinguished that case by noting that the AOL plaintiffs claimed that the information disclosed on the Internet constituted “highly sensitive personal information” such as credit card numbers, Social Security numbers, financial account numbers, and personal details, whereas the plaintiffs here did not allege in their complaint that these types of information were disclosed.
Second, the court held that despite the lengthy complaint, the plaintiffs never alleged injury-in-fact to themselves, instead only theorizing potential injuries to members of the class based on generally known information about the operation of the devices. On this point, the court stated:
In the Consolidated Complaint, Plaintiffs do not identify what [devices] they used, do not identify which Defendant (if any) accessed or tracked their personal information, do not identify which apps they downloaded that access/track their personal information, and do not identify what harm (if any) resulted from the access or tracking of their personal information.
On top of that, the complaint never attributed any of the conduct alleged to any specific defendant. Instead, the court observed that the plaintiffs “lumped” all of the defendants together, failing to claim what role each defendant played in the alleged harm. The plaintiffs never even alleged that Apple misappropriated any data or had any legally cognizable duty to the plaintiffs – central elements of some of their legal theories – only noting that Apple “designed” a platform in which app developers and ad networks could “possibly engage in harmful acts.”
Finally, despite granting plaintiffs leave to amend, the court cast further doubt on plaintiffs’ ability to bring any successful claims by pointing out a number of claim-specific pleading deficiencies. Most damaging to the complaint was the fact that the plaintiffs voluntarily downloaded the apps at issue – undermining their argument that execution of apps on their iPhones was unauthorized – and agreed to a Terms of Service agreement with Apple that disclaimed any liability on Apple’s behalf. Though they attempted to argue that the Terms of Service were an unconscionable contract of adhesion, the court rejected the argument, noting, among other things, that contracts concerning “nonessential recreational activities” cannot be unconscionable because consumers always have the option of simply forgoing the activity. In a bit of a lighter moment, the court noted that “apps such as ‘Angry Birds’ or ‘Plants versus Zombies’ are nonessential recreational activities.”