Tag Archives: privacy

by

Encouraging Trend: Judges Can’t “Stand” Online Privacy Class Actions

security

Cross-posted at WLF’s Forbes.com contributor page

In their never-ending search for the next big thing, class action plaintiffs’ lawyers had high hopes for suits alleging various violations of Internet users’ “privacy.” All of the prerequisites for a big award seem to be present: (1) lots of class members; (2) easy-to-understand facts; (3) large, profit-seeking corporations; (4) sympathetic media coverage; and (5) an enforcement void (or the impression of one) left by state and federal regulators who talk more about protecting privacy than actually regulating.

But as two federal district court rulings in the waning days of 2012 reflect, online privacy class actions have generally been missing one other key element for success: actual harm. As we have addressed here several times in the past (here and here), thanks to that annoying constitutional “case or controversy” requirement, plaintiffs who don’t suffer a concrete loss or injury don’t have standing to be in federal court in the first place.  Judges have thankfully been quite demanding when applying this concept in an area like online privacy litigation, where the concept of “privacy” can be very subjective and slippery.

For instance, consider the December 28, 2012 decision in In re Google Inc. Privacy Policy Litigation. Suing on behalf of everyone in the U.S. who has a Google account or owns an Android device, the plaintiffs claimed that the company’s consolidation of its separate privacy policies (and thus the ability to access user information across Google services) violated various federal and state laws and common law protections. The plaintiffs advanced numerous theories of harm, all of which the judge rejected. Android device owners could not claim they were financially harmed by having to buy a replacement device because no proof was offered that any class member actually did buy a replacement. Nor could Google service users claim harm based on “abstract concepts” such as loss of control of personal information or fear that their data might be used against their interests.

In another late 2012 ruling, Pirozzi v. Apple, a federal trial court similarly dismissed plaintiffs’ privacy-related claims for lack of standing. According to the complaint, Apple allegedly violated federal, state, and common laws by failing to prevent third-party applications sold on its App Store from uploading user information from mobile devices. The alleged injury here?  First, Apple “misled” the plaintiffs into buying Apple mobile devices by falsely claiming their devices were “safe and secure.” As a result, plaintiffs’ information is at greater risk of being misappropriated.

On the first claim, the court agreed that bearing such a financial cost would constitute an injury, but only if the plaintiffs could show which particular statements of device safety they relied upon. Their complaint provided no such information. On the second claim, the court cited to the growing list of precedents which relate that mere “fear” of misappropriation of personal information is insufficient to establish standing to sue.

It’s unlikely we’ve heard the last of these cases, however, since both judges allowed the plaintiffs to amend and refile their complaints. No doubt the lawyers will continue the “throw lots of spaghetti against the wall” approach common to class actions, and hope some allegations stick. Such tactics waste precious judicial resources and divert companies’ attention and money from pro-consumer innovation and growth.

What’s worse, as Santa Clara University law professor Eric Goldman argued in a superb Working Paper last year, online privacy advocates should abhor class action litigation, as they utilize the same tactics those advocates despise. As he argues, class actions: (1) are typically opt-out, rather than opt-in; (2) provide plaintiffs with little meaningful notice or control; and (3) are gamed by lawyers who maximize their own financial interests over the interests of the class.

While litigating these suits is certainly a poor use of company resources, we hope that privacy class action defendants keep pushing back against the spaghetti-throwing lawyers, rather than settling for nuisance value. Court decisions such as In re Google and Pirozzi should help encourage them to do so.

by

Plaintiffs in Playstation Data Security Class Action Back to the Drawing Board

Cross-posted at Forbes.com’s WLF contributor site

One of the hallmarks of frivolous litigation is a class composed of arguably uninjured plaintiffs who often receive little in the way of remuneration for the asserted wrong.  That remuneration is reserved for the lawyers, and the class is thus relegated to receiving coupons or promises to refrain from future behavior.  Where the plaintiffs have not endured any real harm, litigation merely burdens the docket while enriching plaintiffs’ lawyers.  However, a recent opinion in the United States District Court for the Southern District of California may bode well for defendants who encounter this type of litigation, particularly in data breach cases.

In an order for In re: Sony Gaming Networks, the district court granted leave for plaintiffs to amend their complaint after determining that they had not satisfied the burden of pleading a cognizable injury.  This opinion adds to case-law saying the same; in 2011, another California court dismissed some of the claims against Google for its data collection under the Google Street View program due to the plaintiffs’ lack of monetary damages. Continue reading

by

Update: Federal Judge Unfriendly to Facebook Privacy Suit Settlement

It’s back to the drawing board for those clever plaintiffs’ attorneys who brought a class action against Facebook for its “Sponsored Stories” program.  We previously blogged about the proposed settlement here, wherein the attorneys were slated to earn $10 million for their efforts, public interest groups–many of whom opted not to take a stance on the settlement (and did we mention may possibly be “friendly” with Facebook?)–were to receive another $10 million in cy pres damages, and plaintiffs could expect to receive a weakly worded promise “not to do that again.”

Following a trend of recent rulings rejecting proposed class action settlements (see here and here), Judge Richard Seaborg expressed several concerns over the proposal.  The judge noted that the class members would receive no monetary compensation, and asked for clarity regarding what would actually be required of Facebook when revising their privacy policy.  He further expressed skepticism towards both parties’ agreement over the cy pres award (cy pres damages are conferred to public interest groups in lieu of plaintiffs where distribution to each class member is unfeasible.)  Judge Seaborg opined, “plaintiffs must show that the cy pres payment…was not merely plucked from thin air, or wholly inconsequential to [the plaintiffs’ lawyers.]”  One wonders if Judge Seaborg did not hit the nail exactly on the head.  This is precisely one of the problems with cy pres awards: they create a situation in which the plaintiffs’ lawyers are now only tangentially working towards the benefit of their clients, and thus decrease the attorney’s incentive to achieve the best result.

In this case Judge Seaborg indicated it would be appropriate to increase the cy pres award.  And, whatever one’s opinion of cy pres awards in general, he fairly raised the point that if they are to act as a substitute for plaintiff compensation, the substitute must be necessary and adequate.

Finally, Judge Seaborg not so subtly noted the circumspect equation the plaintiffs’ lawyers used to determine their fee, remarking, “Plaintiffs have presented no reason in logic or law that supports calculating the value of the injunctive relief in such a manner.”  Hopefully, various courts’ willingness to more carefully assess proposed settlements will serve as a warning for the lawyers in round two, and the inevitable future cases to come.

by

What’s Not to “Like”? Plaintiffs’ Lawyers Cash in on Facebook Lawsuit

Plaintiffs’ lawyers have devised a settlement agreement only a beneficiary could love, this time taking Facebook to task for its “Sponsored Stories” program.  We’ve commented on the suit previously here and here.  Of course, plaintiffs’ lawyers should be encouraged to devise settlements that the beneficiaries love–when those beneficiaries are actually the plaintiffs they represent.  But in a bizarre, perplexing, and yet somehow predictable twist, the plaintiffs’ lawyers have managed to devise a settlement that seemingly enriches everyone except the plaintiffs.  Heck, even the trial judge had to recuse herself after it was found that she would receive an indirect benefit from the settlement.

Under Sponsored Stories, Facebook may place your picture alongside an ad that you’ve “liked” or otherwise interacted with on a friend’s page.  Sponsored stories apparently generate more than $1 million in daily revenue for Facebook, and just this week during the company’s first earnings call as a public company, Mark Zuckerberg hailed it as a “success.”  But in Fraley v. Facebook, the plaintiffs allege that the program publicizes their “likes” of advertisers without compensation, and fails to warn them or give them an opportunity to opt out. Continue reading

by

Update: Facebook Settles “Friends as Celebrities” Class Action

At the end of 2011, a Legal Pulse post opined on a Northern District of California federal judge’s refusal to dismiss a class action lawsuit: Judge “Likes” Plaintiffs’ Arguments, Online Privacy Class Action Proceeds. American Lawyer Media’s The Recorder reported this morning that Facebook has filed papers with judge Lucy Koh to reach a settlement in Fraley v. Facebook.

Facebook’s decision comes on the heels of its initial public offering and just several days after plaintiffs’ lawyers sought to consolidate 22 other pending class actions into one suit seeking $15 billion in damages (critiqued here two days ago at The Legal Pulse).

Fraleyalleged that the social networking giant’s “Sponsored Stories” program used Facebook consumers to endorse products or services without their permission and without compensation. That program, the plaintiffs argued, violated California’s Right of Publicity Statute and its Unfair Competition Law.

Facebook’s new accountability to shareholders might explain the company’s desire to put this suit behind it, a business decision for which one certainly cannot fault its leaders. The judicial precedent that remains in place, however, is troubling and could come back to haunt Facebook in future lawsuits. As we argued last December, Judge Koh’s reasoning that these “endorsements” had provable value, and thus failure to compensate for them was an injury, was rather unconvincing. Such a low legal bar for surviving a motion to dismiss could give a leg up to future plaintiffs in suits versus Facebook or other online services.

The judge’s conclusion in her December opinion that Facebook users are “celebrities” to their Facebook friends could also have the perverse effect of reducing one’s personal privacy.  Three attorneys make this point in an article for an online symposium sponsored by Stanford Law Review.  In “Famous for Fifteen People“, the authors write:

The implications are significant and potentially far-reaching. The notion that every person is famous to his or her “friends” would effectively convert recognizable figures within any community or sphere, however small, into individuals whose lives may be fair game for the ever-expanding (social) media. If courts are willing to find that nontraditional subjects (such as Facebook users) are public figures in novel contexts (such as social media websites), First Amendment and newsworthiness protections likely will become more vigorous as individual privacy rights weaken. Warren and Brandeis’s model of privacy rights, intended to prevent media attention to all but the most public figures, will have little application to all but the most private individuals.”

by

A Plaintiffs’ Bar Welcome for Facebook to the Public Company Market

Cross-posted at Forbes.com’s WLF contributor site

Welcome to the complicated world of public stock trading; now give us our clients $15 billion.

The same day as its much ballyhooed initial public offering, Facebook was served with a rather rude greeting gift – a class action lawsuit complaint. For those thinking that Congress or federal agencies pose the greatest threat to Facebook’s stock value, don’t forget the courts.

The plaintiffs allege that Facebook’s tracking cookies violate federal wiretap laws, as well as other federal and California statutes and common law principles. As this morning’s ZDNet relates, the suit isn’t exactly new; it seeks consolidation of 21 separate suits filed throughout the country.

Plaintiffs haven’t found a great deal of success thus far advancing privacy-related claims in court, something we’ve touched upon here in the past. But that certainly won’t stop the plaintiffs’ bar from continuing to spin the lawsuit roulette wheel, especially against Facebook now that its sensitivity to lawsuits has multiplied by the number of its shareholders. And as it’s found in at least one privacy class action, some judges will be willing to allow suits to go beyond motions to dismiss.

Analyses such as this one at Politico posit that congressional and regulatory scrutiny will be the greatest impediment to Facebook’s ability to utilize its greatest asset: information on its users. But the plaintiffs’ bar and the judiciary certainly cannot be ignored, considering each entity’s respective desire and ability to play an obstructive (and lucrative) regulatory role. One lawyer involved in the $15 billion class action laid out that perspective, loud and clear, in ZDNet:

This is not just a damages action, but a groundbreaking digital-privacy rights case that could have wide and significant legal and business implications.”

by

EPIC Fail: Court Denies Group’s Effort to Force FTC to Sue Google

It took a judge in the U.S. District Court for the District of Columbia only three days to consider both sides’ arguments in EPIC v. FTC and rule, this afternoon, in favor of the Federal Trade Commission. The court ruled on EPIC’s quixotic effort to force the FTC to embrace EPIC’s viewpoint on whether Google’s forthcoming online privacy policy changes violate a 2011 settlement between Google and FTC. EPIC believes the privacy policy changes do violate the agreement and, as spelled out in a previous Legal Pulse post, felt FTC had a non-discretionary duty to sanction Google.

The Legal Pulse post argued the federal courts cannot review FTC’s decision-making on whether or not to enforce a consent order. Judge Amy Berman Jackson ruled that the applicable law and precedents dictated that same conclusion. She rejected EPIC’s overly liberal interpretation of the Federal Trade Commission Act that FTC had an absolute duty to enforce a settlement agreement, and upheld FTC’s authority to decide when to utilize its enforcement power.

Judge Jackson also noted in a footnote that even if EPIC’s viewpoint on the FTC Act and the Administrative Procedures Act was correct, their challenge wasn’t ripe for review, as EPIC had not asked FTC to enforce the agreement, and FTC had not yet concluded its review of Google’s new privacy policy.

No word yet on whether EPIC will appeal to the D.C. Circuit. For the sake of FTC’s conserving its taxpayer resources for its actual mission, let’s hope they don’t.

by

Update: FTC Urges Court to Dismiss EPIC’s Effort to Compel Action Vs. Google

Our February 15 post, Court Should Dismiss Privacy Group’s Suit Vs. FTC Over Google Buzz Settlement, noted that the Federal Trade Commission would be filing its response to EPIC’s demand that FTC file a legal action against Goole for alleged violations of last year’s FTC-Google privacy settlement involving Google Buzz.

FTC filed its motion to dismiss on Friday.

The Commission’s lawyers didn’t mince words.  It suggested the court dismiss the complaint under Federal Rule of Civil Procedure 12(b)(1) “because [EPIC's] claim is ‘so attenuated and unsubstantial as to be absolutely devoid of merit.’” The motion cites a mountain of precedent supporting the government’s use of discretion in determining when and when not to use its enforcement authority. 

And just in case the federal court feels FTC is somehow shirking its consumer protection duties, the motion devotes two pages to defending the Commission’s commitment to online privacy, stating, “the FTC takes very seriously the need to protect the privacy of consumers, and has devoted substantial resources to this effort.”

EPIC will be filing its response to FTC’s motion to dismiss today.

by

Court Should Dismiss Privacy Group’s Suit Vs. FTC Over Google Buzz Settlement

Cross-posted by Forbes.com at WLF contributor site

On Friday, a federal court in Washington, D.C. will hear what the Federal Trade Commission (FTC) thinks about a lawsuit the online privacy advocate EPIC has filed demanding that FTC charge Google with violations of a settlement agreement between FTC and Google involving Google Buzz.

EPIC isn’t suing Google, and EPIC wasn’t a party to the settlement agreement. But the group wants FTC to embrace EPIC’s view that Google’s soon-to-be-implemented online privacy policy changes tread on certain aspects of the consent order. EPIC argues that administrative law permits third parties to force such action on a federal agency. Because such a view directly encroaches on agencies’ discretion and shifts enormous power to “public interest” activists, business competitors, and assorted gadflies, courts have generally rejected such arguments.

The key issue in this case is not whether Google’s privacy changes run afoul of last year’s agreement with FTC. EPIC obviously thinks so, and devotes most of its injunction motion explaining why. Google doesn’t think so, and provided their thoughts to FTC last month according to one report.

The issue here is whether a non-party to the FTC-Google agreement can force FTC to fine Google. EPIC acknowledges that it cannot bring action under the Federal Trade Commission Act (FTC Act), and instead proceeds under the Administrative Procedures Act (APA) section allowing challenges to agency action “unlawfully withheld.” EPIC tries to make the case that the FTC Act creates a non-discretionary duty for the Commission to act if a consent agreement is violated. But the language EPIC cites relates to the need for the violating party to pay a fine, not for the FTC to take action. FTC has the ultimate discretion over whether a violation occurred and whether to seek a fine. The Supreme Court stated this very clearly in a 1985 APA case, Heckler v. Chaney. Continue reading

by

Federal Circuit Court Goes Its Own Way on Standing in Data Security Class Action

Class action lawsuits alleging data privacy-related violations were quite prevelant in 2011, and observers are expecting that trend to continue, if not expand, in 2012. The Legal Pulse has published a series of posts on one key issue in such suits – what constitutes “harm” in the context of standing to sue – over the past six months, including our final commentary of 2011, Judge “Likes” Plaintiffs’ Arguments, Online Privacy Class Action Proceeds.

One other late 2011 online privacy ruling escaped our attention until recently, Reilly v. Ceridian Corporation from the U.S. Court of Appeals for the Third Circuit. In a departure from Seventh and Ninth Circuit rulings in similar cases, Judge Aldisert’s unanimous opinion affirmed a district court’s dismissal of Reilly’s class action for lack of Article III standing to sue.

In 2009, a hacker broke into payroll processing firm Ceridian’s system and potentially accessed names, social security numbers, dates of birth, and account numbers. Investigators couldn’t determine if the hacker read or copied any data. Ceridian clients filed suit alleging emotional distress and financial harm due to the need to closely monitor their credit.

On the threshold issue of standing, Judge Aldisert found that Reilly’s allegations didn’t demonstrate any ”actuality” and “imminency” of harm, but relied instead on a string of conjectures. He pointedly wrote:

Unless and until these conjectures come true, Appellants have not suffered any injury; there has been no misuse of the information, and thus, no harm.”

Continue reading