On Tuesday, District Court Judge Lucy Koh in San Jose dismissed multiple purported class actions against Apple and several mobile ad networks on the grounds that the plaintiffs did not show that any one of them suffered identifiable harm, despite general allegations that Apple’s iPhone and other mobile devices leaked users’ personal information to the ad networks and to applications. (Note: ZwillGen represented The New York Times in this matter at an earlier stage of the litigation before the plaintiffs decided to drop all applications developers from the suit.) The court was especially dubious of the plaintiffs’ claims against Apple, which, it said, could not be liable for its design of the iPhone or other devices, in no small part because the App Store and operating system terms of use agreements waived such claims. The ruling in this case imposes some high barriers to others seeking payouts for device ID and other data leaking. It also suggests companies operating in the mobile ecosystem can protect themselves more generally from such suits via well-written terms of service.
The guts of the opinion explain why the plaintiffs have no standing to sue, with a second section suggesting the plaintiffs are going to have a hard time refiling something the Court will find meritorious. Essentially, the opinion says that in order to prove standing a plaintiff needs to prove that an individual suffered an identifiable harm that was allegedly caused by the defendant. The court held that:
(1) The complaint doesn’t allege a specific injury suffered by any particular plaintiff;
(2) The plaintiffs did not identify a concrete harm from collection and tracking of their information that would be sufficient as an injury in fact; and
(3) The plaintiffs did not allege sufficiently that it was Apple’s conduct that caused any harm.
On point one, the court said:
“Plaintiffs do not identify what iDevices they used, do not identify which Defendant (if any) accessed or tracked their personal information, do not identify which apps they downloaded that access/track their personal information, and do not identify what harm (if any) resulted from the access or tracking of their personal information.”
On point two, the court said the plaintiffs had not:
… “alleged any “particularized example” of economic injury or harm to their computers, but instead offered only abstract concepts, such as “opportunity costs,” “value-for-value exchanges,” “consumer choice,” and “diminished performance.” Other cases have held the same. See In re Doubleclick, Inc., Privacy Litig., 154 F. Supp. 2d 497, 525 (S.D.N.Y. 2001) (“cookies” case, holding that unauthorized collection of personal information by a third-party is not “economic loss”); see also In re JetBlue Airways Corp., Privacy Litig., 379 F. Supp. 2d 299, 327 (E.D.N.Y. 2005) (airline’s disclosure of passenger data to third party in violation of airline’s privacy policy had no compensable value).
What would satisfy as an allegation of harm? The court cited public disclosure of data like “publicly disclosed included credit card numbers, social security numbers, financial account numbers, and information regarding AOL members’ personal issues, including sexuality, mental illness, alcoholism, incest, rape, and domestic violence” or data collected or disclosed in violation of a statute. However, the allegations here of “address book, cell phone numbers, file system, geolocation, International Mobile Subscriber Identity (IMSI), keyboard cache, photographs, SIM card serial number, and unique device identifier (UDID)” didn’t suffice.
On point three, the court said:
“There is no allegation that Apple misappropriated data, so there is no nexus between the alleged harm and Apple’s conduct. Plaintiffs’ only allegation is that Apple “designed” a platform in which Mobile Industry Defendants and absent app developers could possibly engage in harmful acts, or that Apple’s platform caused “users’ iDevices to be able to maintain, synchronize, and retain detailed, unencrypted location history files.”
Connected to point three, and of utmost interest to coders and other innovators is the Court’s ruling regarding liability for privacy unfriendly design under the Computer Fraud and Abuse Act: “However, negligent software design cannot serve as a basis for a CFAA claim. See 18 U.S.C. § 1030(g) (“No cause of action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.”)”
The Court gave the plaintiffs leave to amend, but the road to successfully do so will be rocky. They are going to have to “provide specific allegations with respect to the causal connection between the exact harm alleged (whatever it is) and each Defendants’ conduct or role in that harm”, said the Court.
The Court went on to highlight other problems with the Complaint that the plaintiffs need to address in the next iteration. Most importantly is Apple’s App Store Terms of Service (TOS) and iOS Software License, which Apple argued bars liability. The plaintiffs asserted that these agreements are adhesion, or take-it-or-leave-it, contracts that are not enforceable under California law. The Court asked the plaintiffs to identify any procedural or substantive unfairness in any new complaint they would file, especially as the apps at issue are “nonessential recreational activities”. Tell that to any iPad owner!
Of course, if all adhesion contracts were unconscionable, then any click-through or website TOS would be unenforceable in California. This Court has made clear that, at least for recreational apps, the TOS should have teeth.
The full opinion can be found here.