Consent Overcomes Internet Privacy Concerns in Data Mining Case
In her Internet Issues/Social Media column, Shari Claire Lewis discusses Cooper v. Slice Technologies which is "useful for Internet businesses and consumers alike when navigating the often confusing world of online privacy."
August 20, 2018 at 02:45 PM
9 minute read
It described the paradigm of the Internet business model. In the recent opinion Cooper v. Slice Technologies, No. 17-CV-7102 (JPO) (S.D.N.Y. June 6, 2018), by Judge J. Paul Oetken of the U.S. District Court for the Southern District of New York, addressing data mining and Internet privacy, the court recognized “…the Faustian bargain that undergirds much of the Internet: you give me a free service, and I suppress the knowledge that you are probably selling my data to digital touts.” Nevertheless, individuals who use social media or the Internet have brought—and continue to bring—privacy complaints against a wide variety of well known (and lesser known) entities, with consent frequently raised in defense. The court's decision is useful for Internet businesses and consumers alike to navigate the often confusing world of online privacy.
Background
The case involved the UnrollMe website, a free online service that allows people to unsubscribe from and opt out of mailing lists, newsletters, and other unwanted emails. To do so, the website, operated by UnrollMe Inc., a subsidiary of Slice Technologies, Inc., asks people for their email usernames and passwords.
The complaint against UnrollMe alleged that it sold its customers' email data to third parties in violation of state and federal law. For example, the complaint alleged that UnrollMe compiled a list of thousands of customers who used the Lyft ridesharing app and sold the list to Lyft's competitor, Uber.
The plaintiffs sought to represent a class of UnrollMe customers, claiming that UnrollMe had not adequately disclosed to consumers the extent of its data mining practices. The plaintiffs asserted claims under the Electronic Communications Privacy Act (ECPA), 18 U.S.C. §2510 et seq., the Stored Communications Act (SCA), 18 U.S.C. §§2701 et seq., and California's Invasion of Privacy Act (CIPA), Cal. Penal Code §§630. They also asserted a claim for common law unjust enrichment.
UnrollMe moved to dismiss the plaintiffs' complaint, arguing that the plaintiffs lacked standing and that their complaint failed to state a claim because UnrollMe users had consented to the sale of their anonymized data as set forth in UnrollMe's online privacy policy.
Standing
In its decision, the court first addressed whether the plaintiffs had standing to bring their complaint. Standing requires that the plaintiffs suffered an injury in fact, that the injury was fairly traceable to the defendants' challenged conduct, and that the injury was likely to be redressed by a favorable decision. In this case, the only element of standing in dispute was whether the plaintiffs had suffered an injury in fact.
The court pointed out that the plaintiffs' complaint “hint[ed]” at three types of harm:
(1) that UnrollMe sold raw email account information, including the plaintiffs' personally identifiable data;
(2) that UnrollMe sold redacted—or “anonymized”—email data, stripped of personally identifying information; and
(3) that UnrollMe sold anonymized emails, but in such a way that the buyers potentially could “deanonymize” the data and uncover personal information.
The court found that the plaintiff's complaint did not adequately allege that UnrollMe had sold non-anonymized data. The court pointed out that the plaintiffs' complaint merely alleged that UnrollMe “may have” overlooked information unique to consumers when sharing data with third parties. As an example, the complaint alleged that “[b]ehind every Lyft email are unique identifiers that can identify each Lyft user.” The court ruled that the allegation was insufficient for standing purposes, explaining that just because an original Lyft email included the user's email address did not mean that the email address had been included in the anonymized dataset sold by UnrollMe.
The court next ruled that the third category of harm—the risk that third-party buyers might deanonymize users' data—was “too remote.” It noted that the complaint alleged that researchers had “revealed the ease [with] which particular people can be identified from purportedly anonymized data sources,” particularly for taxi trips. However, according to the court, the “mere possibility” that someone might deanonymize the plaintiffs' emails was not enough to constitute injury in fact.
The court reached a different conclusion with respect to the second category of harm: the act of allegedly selling the plaintiffs' anonymized emails. The court ruled that, assuming that UnrollMe's customers had not consented, the sale of their anonymized email data was a concrete injury sufficient for standing purposes. For that conclusion, the court relied on the recent decision by the U.S. Court of Appeals for the Second Circuit in Mount v. PulsePoint, Inc., 684 F. App'x 32 (2d Cir. 2017), holding that a plaintiff could sue a company that used “cookies” to monitor and sell Internet-browsing data even though the data was anonymized and even though there was no allegation that the data contained personally identifying data.
The Cooper court was not persuaded by UnrollMe's argument that the plaintiffs had suffered no injury from the sale of anonymized emails because they had consented to UnrollMe's use of their anonymized data, explaining that whether there was valid consent was a “merits issue, not a standing issue.” For standing, the court said, the question was whether the harm alleged—nonconsensual selling of anonymized emails—was sufficient. It concluded that the plaintiffs had standing to lodge a claim based on the unauthorized sale of anonymized email data.
Consent
After deciding that the plaintiffs had standing, the court turned to UnrollMe's argument that its customers had consented to UnrollMe's data mining, which negated all of the plaintiffs' claims. For that position, UnrollMe relied on its privacy policy, which stated:
We…collect non-personal information—data in a form that does not permit direct association with any specific individual. We may collect, use, transfer, sell, and disclose non-personal information for any purpose.…We collect such commercial transactional messages so that we can better understand the behavior of the senders of such messages, and better understand our customer behavior and improve our products, services, and advertising. We may disclose, distribute, transfer, and sell such messages and the data that we collect from or in connection with such messages; provided, however, if we do disclose such messages or data, all personal information contained in such messages will be removed prior to any such disclosure.
We may collect and use your commercial transactional messages and associated data to build anonymous market research products and services with trusted business partners. If we combine nonpersonal information with personal information, the combined information will be treated as personal information for as long as it remains combined.
The plaintiffs conceded that they had agreed to UnrollMe's privacy policy, but they argued that UnrollMe's actions were not covered by the privacy policy. The court did not accept any of the plaintiffs' arguments.
First, the court rejected the plaintiffs' contention that they allowed UnrollMe to access their emails only for the limited purpose of cleaning up their inboxes, and that they did not allow UnrollMe to sell their data for market research purposes. The court ruled that UnrollMe's privacy policy reserved the right to do “exactly” what UnrollMe did: “collect and use your commercial transactional messages and associated data to build anonymous market research products and services with trusted business partners.” The court said that the plaintiffs probably were right that most users thought UnrollMe would reduce the noise of Internet marketing rather than increase it, but it ruled that UnrollMe's conduct still fell within the ambit of its privacy policy.
Second, the court dismissed the plaintiffs' argument that UnrollMe's privacy policy was misleading because it said that UnrollMe may sell consumer data, not that it would do so. The court found “no legal support for this distinction.”
Third, and perhaps most clearly illustrating the significance of “consent,” the court rejected the plaintiffs' argument that even if customers had consented, UnrollMe still violated the ECPA, which prohibits interception of electronic communications, even with consent, if the interception was “for the purpose of committing any criminal or tortious act.” 18 U.S.C. §2511(2)(d). The court decided that the plaintiffs' argument that UnrollMe had accessed their emails for a tortious purpose—that is, for their own unjust enrichment and in breach of duties they owed to the plaintiffs—was circular. “If there was consent, then there was no tort,” the court stated.
Next, the court ruled that the plaintiffs had not demonstrated that UnrollMe's privacy policy was unconscionable. The court said that although UnrollMe's conduct might seem unconscionable “in the colloquial sense,” the plaintiffs had not shown that it was unconscionable in the legal sense. The court explained that the mere fact that the privacy policy was “a dense take-it-or-leave-it contract” did not render it procedurally unconscionable. The court also declared that consumers had a meaningful choice: they could have closed their browser window and not used UnrollMe. Moreover, the court noted, UnrollMe was a free Internet service for which the plaintiffs paid nothing, and although its users “simply wanted to clean up their inboxes,” and might not have liked that it sold their anonymized data, that was “not per se unlawful.”
Finally, the court concluded that the plaintiffs had not plausibly alleged that, even if they had consented, UnrollMe had exceeded their consent by insufficiently anonymizing the data. The court said that the “sole plausible allegation” in the complaint was that UnrollMe had sold anonymized consumer data, an activity that was “covered by the privacy policy.”
Conclusion
As the Cooper court made clear, all of the plaintiffs' allegations against UnrollMe depended on a lack of consent to UnrollMe's alleged sale of their anonymized data. The consent provision in UnrollMe's privacy policy enabled it to defeat the plaintiffs' complaint by motion to dismiss. There are several lessons to be learned: For Internet companies, obtaining customers' consent can defeat privacy claims that their customers might later assert; for Internet consumers, it is important to read privacy and other online terms before consenting to them; and for everyone, it is important to remember that nothing in life is free.
Shari Claire Lewis is a partner in the Long Island office of Rivkin Radler.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllThe Unraveling of Sean Combs: How Legislation from the #MeToo Movement Brought Diddy Down
When It Comes to Local Law 97 Compliance, You’ve Gotta Have (Good) Faith
8 minute readTrending Stories
- 1Call for Nominations: Elite Trial Lawyers 2025
- 2Senate Judiciary Dems Release Report on Supreme Court Ethics
- 3Senate Confirms Last 2 of Biden's California Judicial Nominees
- 4Morrison & Foerster Doles Out Year-End and Special Bonuses, Raises Base Compensation for Associates
- 5Tom Girardi to Surrender to Federal Authorities on Jan. 7
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250