By Mike Pfeifer* and Nickolas Milonas
In the latest development of ongoing concerns regarding mobile data privacy, Apple, major app developers, and social media networks (such as Facebook, Twitter, and Electronic Arts) recently succeeded in dismissing all but one of the claims in a data privacy class action lawsuit. The suit centered on the apps’ alleged data harvesting of consumers’ address books and other mobile data. The federal court for the Northern District of California tossed out all but one of the various claims in the lawsuit, which included alleged violations of both federal and state consumer protection laws, as well as violations of common law. The class action combined four suits filed after it was discovered that a mobile photo sharing app, Path, secretly obtained information from consumers’ address books and calendars.
Apple avoided liability under the California Comprehensive Computer Data Access and Fraud Act (CDAFA), which prohibits companies from, among other things, accessing computer networks in order to facilitate the wrongful harvesting of user data. Plaintiffs argued, among other things, that Apple was liable because it (i) published certain apps to its App Store, and (ii) encouraged of the development of the certain app features through guidelines and tutorials provided to developers.
With respect to the first theory, the court held that the Communications Decency Act (CDA) preempted the state law claim by shielding Apple from liability as a web publisher. The CDA protects from liability web publishers that re-post third-party content in a neutral manner. As for the second theory, the court found that Apple’s guidelines and tutorials amounted to actions that contributed to the development of the alleged illegal content. This triggered the “information content provider” exception to CDA immunity that applies to companies that create and develop prohibited content, as opposed to simply re-posting it from a third-party. Nevertheless, Apple escaped liability under this second theory because of a technical subtlety.
Additionally, the court found that the plaintiffs did not rely upon any particular representations or advertising campaigns Apple made about app privacy when purchasing their mobile devices. Although the court previously ruled in favor of plaintiffs on this issue, on further review, it determined that in order to allow such a claim to proceed, a plaintiff must have done more than simply visit Apple’s App Store. While the website represented that the apps in question ran in an environment safe from data sharing, there was little evidence that plaintiffs actually saw or relied upon that representation.
The court likewise held that Apple did not have any affirmative duty to disclose the potential danger of privacy infringement stemming from use of the apps in question. A products liability claim failed because the court found that mobile address books not constitute property for which there can be a physical harm.
The court spared the app developer defendants, including the designer of the popular mobile device game “Angry Birds,” from liability under the Electronic Communications Privacy Act and Texas and California wiretap statutes. However, the court allowed the plaintiffs’ “intrusion into seclusion” common law claim to proceed, noting that a jury should decide whether the harvesting of data from address books is “highly offensive,” the legal requirement once an individual’s reasonable expectation of privacy has been satisfied.
As more consumers access, create, and store content on mobile devices, issues surrounding data privacy, as well as the legal parameters of accessing mobile data, will necessarily continue and develop.
*Mike Pfeifer is a summer associate in K&L Gates’ Washington, DC office and contributed to this post.