It described the paradigm of the Internet business model. In the recent opinion Cooper v. Slice Technologies, No. 17-CV-7102 (JPO) (S.D.N.Y. June 6, 2018), by Judge J. Paul Oetken of the U.S. District Court for the Southern District of New York, addressing data mining and Internet privacy, the court recognized “…the Faustian bargain that undergirds much of the Internet: you give me a free service, and I suppress the knowledge that you are probably selling my data to digital touts.” Nevertheless, individuals who use social media or the Internet have brought—and continue to bring—privacy complaints against a wide variety of well-known (and lesser-known) entities, with consent frequently raised in defense. The court's decision is useful for Internet businesses and consumers alike to navigate the often confusing world of online privacy.

Background

The case involved the UnrollMe website, a free online service that allows people to unsubscribe from and opt out of mailing lists, newsletters, and other unwanted emails. To do so, the website, operated by UnrollMe Inc., a subsidiary of Slice Technologies, Inc., asks people for their email usernames and passwords.

The complaint against UnrollMe alleged that it sold its customers' email data to third parties in violation of state and federal law. For example, the complaint alleged that UnrollMe compiled a list of thousands of customers who used the Lyft ridesharing app and sold the list to Lyft's competitor, Uber.

The plaintiffs sought to represent a class of UnrollMe customers, claiming that UnrollMe had not adequately disclosed to consumers the extent of its data mining practices. The plaintiffs asserted claims under the Electronic Communications Privacy Act (ECPA), 18 U.S.C. §2510 et seq., the Stored Communications Act (SCA), 18 U.S.C. §§2701 et seq., and California's Invasion of Privacy Act (CIPA), Cal. Penal Code §§630. They also asserted a claim for common law unjust enrichment.

UnrollMe moved to dismiss the plaintiffs' complaint, arguing that the plaintiffs lacked standing and that their complaint failed to state a claim because UnrollMe users had consented to the sale of their anonymized data as set forth in UnrollMe's online privacy policy.

Standing

In its decision, the court first addressed whether the plaintiffs had standing to bring their complaint. Standing requires that the plaintiffs suffered an injury in fact, that the injury was fairly traceable to the defendants' challenged conduct, and that the injury was likely to be redressed by a favorable decision. In this case, the only element of standing in dispute was whether the plaintiffs had suffered an injury in fact.

The court pointed out that the plaintiffs' complaint “hint[ed]” at three types of harm:

(1) that UnrollMe sold raw email account information, including the plaintiffs' personally identifiable data;

(2) that UnrollMe sold redacted—or “anonymized”—email data, stripped of personally identifying information; and

(3) that UnrollMe sold anonymized emails, but in such a way that the buyers potentially could “deanonymize” the data and uncover personal information.

The court found that the plaintiffs' complaint did not adequately allege that UnrollMe had sold non-anonymized data. The court pointed out that the plaintiffs' complaint merely alleged that UnrollMe “may have” overlooked information unique to consumers when sharing data with third parties. As an example, the complaint alleged that “[b]ehind every Lyft email are unique identifiers that can identify each Lyft user.” The court ruled that the allegation was insufficient for standing purposes, explaining that just because an original Lyft email included the user's email address did not mean that the email address had been included in the anonymized dataset sold by UnrollMe.

The court next ruled that the third category of harm—the risk that third-party buyers might deanonymize users' data—was “too remote.” It noted that the complaint alleged that researchers had “revealed the ease [with] which particular people can be identified from purportedly anonymized data sources,” particularly for taxi trips. However, according to the court, the “mere possibility” that someone might deanonymize the plaintiffs' emails was not enough to constitute injury in fact.

The court reached a different conclusion with respect to the second category of harm: the act of allegedly selling the plaintiffs' anonymized emails. The court ruled that, assuming that UnrollMe's customers had not consented, the sale of their anonymized email data was a concrete injury sufficient for standing purposes. For that conclusion, the court relied on the recent decision by the U.S. Court of Appeals for the Second Circuit in Mount v. PulsePoint, Inc., 684 F. App'x 32 (2d Cir. 2017), holding that a plaintiff could sue a company that used “cookies” to monitor and sell Internet-browsing data even though the data was anonymized and even though there was no allegation that the data contained personally identifying data.

The Cooper court was not persuaded by UnrollMe's argument that the plaintiffs had suffered no injury from the sale of anonymized emails because they had consented to UnrollMe's use of their anonymized data, explaining that whether there was valid consent was a “merits issue, not a standing issue.” For standing, the court said, the question was whether the harm alleged—nonconsensual selling of anonymized emails—was sufficient. It concluded that the plaintiffs had standing to lodge a claim based on the unauthorized sale of anonymized email data.

Consent

After deciding that the plaintiffs had standing, the court turned to UnrollMe's argument that its customers had consented to UnrollMe's data mining, which negated all of the plaintiffs' claims. For that position, UnrollMe relied on its privacy policy, which stated:

We…collect non-personal information—data in a form that does not permit direct association with any specific individual. We may collect, use, transfer, sell, and disclose non-personal information for any purpose.…We collect such commercial transactional messages so that we can better understand the behavior of the senders of such messages, and better understand our customer behavior and improve our products, services, and advertising. We may disclose, distribute, transfer, and sell such messages and the data that we collect from or in connection with such messages; provided, however, if we do disclose such messages or data, all personal information contained in such messages will be removed prior to any such disclosure.

We may collect and use your commercial transactional messages and associated data to build anonymous market research products and services with trusted business partners. If we combine nonpersonal information with personal information, the combined information will be treated as personal information for as long as it remains combined.

The plaintiffs conceded that they had agreed to UnrollMe's privacy policy, but they argued that UnrollMe's actions were not covered by the privacy policy. The court did not accept any of the plaintiffs' arguments.

First, the court rejected the plaintiffs' contention that they allowed UnrollMe to access their emails only for the limited purpose of cleaning up their inboxes, and that they did not allow UnrollMe to sell their data for market research purposes. The court ruled that UnrollMe's privacy policy reserved the right to do “exactly” what UnrollMe did: “collect and use your commercial transactional messages and associated data to build anonymous market research products and services with trusted business partners.” The court said that the plaintiffs probably were right that most users thought UnrollMe would reduce the noise of Internet marketing rather than increase it, but it ruled that UnrollMe's conduct still fell within the ambit of its privacy policy.

Second, the court dismissed the plaintiffs' argument that UnrollMe's privacy policy was misleading because it said that UnrollMe may sell consumer data, not that it would do so. The court found “no legal support for this distinction.”

Third, and perhaps most clearly illustrating the significance of “consent,” the court rejected the plaintiffs' argument that even if customers had consented, UnrollMe still violated the ECPA, which prohibits interception of electronic communications, even with consent, if the interception was “for the purpose of committing any criminal or tortious act.” 18 U.S.C. §2511(2)(d). The court decided that the plaintiffs' argument that UnrollMe had accessed their emails for a tortious purpose—that is, for their own unjust enrichment and in breach of duties they owed to the plaintiffs—was circular. “If there was consent, then there was no tort,” the court stated.

Next, the court ruled that the plaintiffs had not demonstrated that UnrollMe's privacy policy was unconscionable. The court said that although UnrollMe's conduct might seem unconscionable “in the colloquial sense,” the plaintiffs had not shown that it was unconscionable in the legal sense. The court explained that the mere fact that the privacy policy was “a dense take-it-or-leave-it contract” did not render it procedurally unconscionable. The court also declared that consumers had a meaningful choice: they could have closed their browser window and not used UnrollMe. Moreover, the court noted, UnrollMe was a free Internet service for which the plaintiffs paid nothing, and although its users “simply wanted to clean up their inboxes,” and might not have liked that it sold their anonymized data, that was “not per se unlawful.”

Finally, the court concluded that the plaintiffs had not plausibly alleged that, even if they had consented, UnrollMe had exceeded their consent by insufficiently anonymizing the data. The court said that the “sole plausible allegation” in the complaint was that UnrollMe had sold anonymized consumer data, an activity that was “covered by the privacy policy.”

Conclusion

As the Cooper court made clear, all of the plaintiffs' allegations against UnrollMe depended on a lack of consent to UnrollMe's alleged sale of their anonymized data. The consent provision in UnrollMe's privacy policy enabled it to defeat the plaintiffs' complaint by motion to dismiss. There are several lessons to be learned: For Internet companies, obtaining customers' consent can defeat privacy claims that their customers might later assert; for Internet consumers, it is important to read privacy and other online terms before consenting to them; and for everyone, it is important to remember that nothing in life is free.

Shari Claire Lewis is a partner in the Long Island office of Rivkin Radler.