Key Privacy Law Developments

Federal Privacy Statutes

Ninth Circuit Court of Appeals Rules that Google Can't Escape The ECPA's Reach

A 2010 investigation by the German government revealed that Google's street view cars (those vehicles with cameras affixed to them that produce the panoramic street-level pictures seen in Google maps) had been collecting data from open Wi-Fi networks as they drove around. Back here stateside, a class action was filed in 2011 alleging, among other things, that Google's data collection violated the Electronic Communications Privacy Act (ECPA). On appeal, the Ninth Circuit was tasked with deciding whether or not Google's actions fell into an ECPA exemption that permits capturing data transmissions that are “readily accessible to the general public.” In a 35-page opinion, the court ruled that they did not. Said the court: “Even if it is commonplace for members of the general public to connect to a neighbor's unencrypted Wi-Fi network, members of the general public do not typically mistakenly intercept, store, and decode data transmitted by other devices on the network.” (The Ninth Circuit subsequently amended its ruling by later holding that generally speaking, data transmitted over Wi-Fi networks doesn't qualify as “radio communications” exempted under the ECPA.) Joffe v. Google, Inc., 729 F.3d 1262 (9th Cir. 2013).

If for no other reason, the Ninth Circuit's opinion is important in that it shows a federal appeals court gracing a lower court's decision to interpret federal privacy law to cover a defendant's alleged technological malfeasance. This runs counter to a legion of previous decisions where courts across the country have declined to interpret new-age technology as falling under the purview of these types of statutes.

District Court Certifies Federal Claims in Biggest Data Privacy Class Action to Date

If you've picked up a newspaper recently and read an article with details about the Web-browsing trends of U.S. consumers, chances are those stats were provided by one of the largest data analytics companies in the world, comScore, Inc. But where did comScore obtain those stats? In a 2011 class action lawsuit, two plaintiffs alleged that comScore unlawfully gathers consumer data by embedding its proprietary software into third-party software. Thus, according to the lawsuit, when unwitting consumers download seemingly benign software, they also download comScore's data collection software, which subjects their highly sensitive personal information ( e.g. , credit card numbers, social security numbers, user names, passwords) to comScore's data collection practices. The case survived at the pleadings stage, and in 2013 the Northern District of Illinois certified the claims under the Stored Communications Act (SCA), Computer Fraud and Abuse Act (CFAA), and ECPA. Harris v. comScore, Inc., 292 F.R.D. 579 (N.D. Ill. 2013).

Prior to this decision, there were many open questions about whether federal privacy claims could be certified (due mostly to a lack of previous judicial analysis). What the comScore ruling highlights, though, is that class actions on high-tech privacy issues are actually prime candidates for certification. For example, these types of cases often involve uniform data collection and storage practices, consumer-facing form contracts and disclosures presented (or not) through identical means and, as a result, common questions that can be answered through an assessment of a defendant's conduct.

State Privacy Laws and Common Law Claims

Privacy Lawsuits Involving State Statutes and Common Law Claims are Gaining Traction

The Video Rental Privacy Act (VRPA) is a Michigan statute that prohibits companies from releasing the records of their customers' audio, video, or reading choices without consent. In a class action lawsuit filed in Michigan federal court against the video rental giant Redbox Automated Retail LLC, plaintiffs alleged that Redbox disclosed their video records to third-party companies for analytics purposes. After finding that plaintiffs had both Article III and statutory standing to sue, Chief Judge Rosen of the Eastern District of Michigan held that, under the facts alleged, plaintiffs had adequately pleaded violations of the VRPA. Cain v. Redbox Automated Retail, LLC, No. 12-15014 (E.D. Mich. 2013).

More traditional state consumer protection laws are finding success as well. In Pirozzi v. Apple, the plaintiff brought claims under California's unfair competition law and false advertising statutes, among others. The thrust of the allegations was that Apple failed to fulfill its promises to take steps to prevent iPhone from leaking sensitive data. In support, the plaintiff pointed to several public statements made by Apple executives, as well as consumer-facing documents that generally explained that the company would take certain measures to safeguard user data. The plaintiff alleged further that these statements, when read together, were intended to “cultivate a perception that its products are safe and that Apple strives to protect users.” As a result, the plaintiff alleged that he overpaid for an iPhone that didn't work as promised. That's enough, the court ruled, to pass muster at the pleadings stage. Pirozzi v. Apple Inc., 913 F. Supp. 2d 840 (N.D. Cal. 2012).

Even common law claims, once thought D.O.A. in privacy law cases, are starting to stick. A lawsuit pending in the Northern District of Georgia was brought by a plaintiff who alleged that a computer she leased from hardware rental company Aarons, Inc. included software capable of activating the webcam and creating screen captures of the activities on her desktop. Aarons argued that the plaintiff's common law invasion of privacy claim should be dismissed because she could only allege on information and belief that she was actually spied on. In denying the defendant's motion to dismiss the privacy invasion claim, the court noted that, “it is unclear how the Plaintiff could know at this time beyond information and belief whether the Defendant actually accessed the Plaintiff's computer.” Sneed v. SEI/Aaron's, Inc., 2013 WL 6669276 (N.D. Ga. 2013).

The take-away from these cases is that state privacy (and non-privacy) laws, as well as common law claims, are becoming more viable vehicles for aggrieved consumers to obtain relief for privacy violations. With many new privacy statutes weaving their way through state legislatures, this trend is likely to only increase.

What to Expect in 2014

As we've introduced above, concerns over consumers' privacy rights in the digital era appear to be steadily seeping into the judiciary. With that in mind, here are our predictions for this year.

First, courts will increase their reluctance to toss privacy lawsuits at the pleadings stage without allowing for some discovery into the alleged wrongdoing.

Second, we anticipate data brokers, aggregators and analytics companies will begin to play an increased role in privacy litigation. For instance, many of the cases that we've discussed involve alleged disclosures of sensitive information to data analytics companies. To demonstrate that privacy violations have significant consequences ' i.e., that unlawfully collected consumer data is being misused ' look for the spotlight to pan over to the recipients of such information.

Third, companies will increasingly be held accountable for public statements about their data privacy and security practices. As a corollary, we believe that courts will increasingly see the merit in claims that a product or service that lacks promised security and privacy protections offers less utility than advertised. It stands to reason then that consumers may be entitled to recover the difference in price of a product or service that doesn't function (e.g., doesn't safeguard consumer data) as warranted.

Lastly, and perhaps least surprisingly, privacy litigation will continue to proliferate in 2014. New and innovative technologies usher in new and serious threats to consumers' privacy rights (e.g., wearable computing devices, appliances and automobiles accessible via the Internet). The data brokerage marketplace (where consumer data is bought, sold and bartered) is still shrouded in secrecy. Companies continue to generate novel ways to collect mass amounts of consumer data. Because federal and state legislatures have failed to meaningfully address these issues, consumers will continue to look to the courts for recourse.

Jay Edelson is the founder and managing partner of Edelson PC, a national firm focusing on plaintiff's class actions, complex litigation on behalf of plaintiffs and defendants, and work on behalf of startups. He has been recognized by the American Bar Association for his views on associate training and firm management. Chandler Givens leads the technical research arm of Edelson PC. Using his tech/legal background, he and a team of engineers investigate complex technological fraud and privacy related violations. Their research has led to precedent-setting lawsuits on issues ranging from the fraudulent programmatic design of software to the unlawful collection and sharing of data under various state and federal laws. Mr. Givens is also often featured as a speaker on cutting-edge cyberlaw issues. [ Editor's Note: Edelson PC represents the Plaintiffs in the comScore and Redbox cases discussed in this article.]

Earlier this year, President Obama addressed the nation to outline steps he will take to rein in the surveillance activities of the National Security Agency in the wake of the Edward Snowden leaks. During his speech, Obama noted that “challenges to our privacy do not come from government alone. Corporations of all shapes and sizes track what you buy, store and analyze our data, and use it for commercial purposes.” The President's remarks were the culmination of a year in which consumer privacy issues have roared into the public narrative, and they underscore a theme that privacy lawyers had already sensed about their practice by the end of 2013: The tide is changing.

Throughout the past decade, courts have mostly been reluctant to rule in favor of consumers litigating over technology-related privacy invasions. Among the hurdles that judges have pointed to in their rulings are: 1) a lack of Article III or statutory standing; 2) failure to show damages; and more generally 3) skepticism about applying now-antiquated federal and state privacy laws to new technologies. In hindsight, these rulings were understandable given the opacity surrounding the tech industry's data mining and analytics practices.

Yet 2013 marked an inflection point, as the true scope and depth of both the government and the private sector's ability to collect and analyze consumer data has taken center stage. These revelations have also been accompanied by a perceivable trend in privacy law jurisprudence. Courts are heightening their scrutiny of companies accused of violating consumers' privacy, and are demonstrating a willingness to permit litigation to progress in ways that seemed highly unlikely only a few years ago. This holds true for lawsuits waged under federal and state privacy statutes, as well as common law claims. For this article, we've selected a handful of decisions from 2013 that are illustrative of this trend. (Note that we've excluded discussion of data breach litigation, as developments in that area warrant an entirely separate article). We conclude with our privacy law predictions for 2014.

Federal Privacy Statutes

Ninth Circuit Court of Appeals Rules that Google Can't Escape The ECPA's Reach

A 2010 investigation by the German government revealed that Google's street view cars (those vehicles with cameras affixed to them that produce the panoramic street-level pictures seen in Google maps) had been collecting data from open Wi-Fi networks as they drove around. Back here stateside, a class action was filed in 2011 alleging, among other things, that Google's data collection violated the Electronic Communications Privacy Act (ECPA). On appeal, the Ninth Circuit was tasked with deciding whether or not Google's actions fell into an ECPA exemption that permits capturing data transmissions that are “readily accessible to the general public.” In a 35-page opinion, the court ruled that they did not. Said the court: “Even if it is commonplace for members of the general public to connect to a neighbor's unencrypted Wi-Fi network, members of the general public do not typically mistakenly intercept, store, and decode data transmitted by other devices on the network.” (The Ninth Circuit subsequently amended its ruling by later holding that generally speaking, data transmitted over Wi-Fi networks doesn't qualify as “radio communications” exempted under the ECPA.) Joffe v. Google, Inc., 729 F.3d 1262 (9th Cir. 2013).

If for no other reason, the Ninth Circuit's opinion is important in that it shows a federal appeals court gracing a lower court's decision to interpret federal privacy law to cover a defendant's alleged technological malfeasance. This runs counter to a legion of previous decisions where courts across the country have declined to interpret new-age technology as falling under the purview of these types of statutes.

District Court Certifies Federal Claims in Biggest Data Privacy Class Action to Date

If you've picked up a newspaper recently and read an article with details about the Web-browsing trends of U.S. consumers, chances are those stats were provided by one of the largest data analytics companies in the world, comScore, Inc. But where did comScore obtain those stats? In a 2011 class action lawsuit, two plaintiffs alleged that comScore unlawfully gathers consumer data by embedding its proprietary software into third-party software. Thus, according to the lawsuit, when unwitting consumers download seemingly benign software, they also download comScore's data collection software, which subjects their highly sensitive personal information ( e.g. , credit card numbers, social security numbers, user names, passwords) to comScore's data collection practices. The case survived at the pleadings stage, and in 2013 the Northern District of Illinois certified the claims under the Stored Communications Act (SCA), Computer Fraud and Abuse Act (CFAA), and ECPA. Harris v. comScore, Inc., 292 F.R.D. 579 (N.D. Ill. 2013).

Prior to this decision, there were many open questions about whether federal privacy claims could be certified (due mostly to a lack of previous judicial analysis). What the comScore ruling highlights, though, is that class actions on high-tech privacy issues are actually prime candidates for certification. For example, these types of cases often involve uniform data collection and storage practices, consumer-facing form contracts and disclosures presented (or not) through identical means and, as a result, common questions that can be answered through an assessment of a defendant's conduct.

State Privacy Laws and Common Law Claims

Privacy Lawsuits Involving State Statutes and Common Law Claims are Gaining Traction

The Video Rental Privacy Act (VRPA) is a Michigan statute that prohibits companies from releasing the records of their customers' audio, video, or reading choices without consent. In a class action lawsuit filed in Michigan federal court against the video rental giant Redbox Automated Retail LLC, plaintiffs alleged that Redbox disclosed their video records to third-party companies for analytics purposes. After finding that plaintiffs had both Article III and statutory standing to sue, Chief Judge Rosen of the Eastern District of Michigan held that, under the facts alleged, plaintiffs had adequately pleaded violations of the VRPA. Cain v. Redbox Automated Retail, LLC, No. 12-15014 (E.D. Mich. 2013).

More traditional state consumer protection laws are finding success as well. In Pirozzi v. Apple, the plaintiff brought claims under California's unfair competition law and false advertising statutes, among others. The thrust of the allegations was that Apple failed to fulfill its promises to take steps to prevent iPhone from leaking sensitive data. In support, the plaintiff pointed to several public statements made by Apple executives, as well as consumer-facing documents that generally explained that the company would take certain measures to safeguard user data. The plaintiff alleged further that these statements, when read together, were intended to “cultivate a perception that its products are safe and that Apple strives to protect users.” As a result, the plaintiff alleged that he overpaid for an iPhone that didn't work as promised. That's enough, the court ruled, to pass muster at the pleadings stage. Pirozzi v. Apple Inc., 913 F. Supp. 2d 840 (N.D. Cal. 2012).

Even common law claims, once thought D.O.A. in privacy law cases, are starting to stick. A lawsuit pending in the Northern District of Georgia was brought by a plaintiff who alleged that a computer she leased from hardware rental company Aarons, Inc. included software capable of activating the webcam and creating screen captures of the activities on her desktop. Aarons argued that the plaintiff's common law invasion of privacy claim should be dismissed because she could only allege on information and belief that she was actually spied on. In denying the defendant's motion to dismiss the privacy invasion claim, the court noted that, “it is unclear how the Plaintiff could know at this time beyond information and belief whether the Defendant actually accessed the Plaintiff's computer.” Sneed v. SEI/Aaron's, Inc., 2013 WL 6669276 (N.D. Ga. 2013).

The take-away from these cases is that state privacy (and non-privacy) laws, as well as common law claims, are becoming more viable vehicles for aggrieved consumers to obtain relief for privacy violations. With many new privacy statutes weaving their way through state legislatures, this trend is likely to only increase.

What to Expect in 2014

As we've introduced above, concerns over consumers' privacy rights in the digital era appear to be steadily seeping into the judiciary. With that in mind, here are our predictions for this year.

First, courts will increase their reluctance to toss privacy lawsuits at the pleadings stage without allowing for some discovery into the alleged wrongdoing.

Second, we anticipate data brokers, aggregators and analytics companies will begin to play an increased role in privacy litigation. For instance, many of the cases that we've discussed involve alleged disclosures of sensitive information to data analytics companies. To demonstrate that privacy violations have significant consequences ' i.e., that unlawfully collected consumer data is being misused ' look for the spotlight to pan over to the recipients of such information.

Third, companies will increasingly be held accountable for public statements about their data privacy and security practices. As a corollary, we believe that courts will increasingly see the merit in claims that a product or service that lacks promised security and privacy protections offers less utility than advertised. It stands to reason then that consumers may be entitled to recover the difference in price of a product or service that doesn't function (e.g., doesn't safeguard consumer data) as warranted.

Lastly, and perhaps least surprisingly, privacy litigation will continue to proliferate in 2014. New and innovative technologies usher in new and serious threats to consumers' privacy rights (e.g., wearable computing devices, appliances and automobiles accessible via the Internet). The data brokerage marketplace (where consumer data is bought, sold and bartered) is still shrouded in secrecy. Companies continue to generate novel ways to collect mass amounts of consumer data. Because federal and state legislatures have failed to meaningfully address these issues, consumers will continue to look to the courts for recourse.

Jay Edelson is the founder and managing partner of Edelson PC, a national firm focusing on plaintiff's class actions, complex litigation on behalf of plaintiffs and defendants, and work on behalf of startups. He has been recognized by the American Bar Association for his views on associate training and firm management. Chandler Givens leads the technical research arm of Edelson PC. Using his tech/legal background, he and a team of engineers investigate complex technological fraud and privacy related violations. Their research has led to precedent-setting lawsuits on issues ranging from the fraudulent programmatic design of software to the unlawful collection and sharing of data under various state and federal laws. Mr. Givens is also often featured as a speaker on cutting-edge cyberlaw issues. [ Editor's Note: Edelson PC represents the Plaintiffs in the comScore and Redbox cases discussed in this article.]