Henson v. Turn
Vacated – Turn allegedly surreptitiously tracked and profiled plaintiffs by using the undetectable and undeletable Verizon ‘supercookie’ (a unique header ID [X-UIDH] Verizon embedded into all web requests sent from Verizon customer devices). Plaintiffs claimed that if they deleted any Turn cookies, Turn would use the Verizon X-UIDH to restore Turn cookies to their previous states. In so doing, plaintiffs alleged, Turn would continue to track, profile, and target them, irrespective of any cookie deletions, Do Not Track, or other privacy settings. Claims were filed under N.Y. Gen. Bus. Law §349 (deceptive acts and practices) as well as Trespass to Chattels claims.
Turn contended that claims should be arbitrated since Verizon subscription contracts – contracts that specifically called out tailored advertising programs – mandated all disputes related to a Verizon subscription be resolved by arbitration. Plaintiffs countered that Turn was not a signatory to their Verizon agreements, therefore they did not agree to arbitrate claims against Turn. The district court agreed with Turn, finding the behavior of non-signatory Turn directly arose from expressly incorporated provisions in the subscriber contracts with Verizon, contracts that “clearly anticipate(d) the introduction of third parties“. The district court also accused plaintiffs of attempting to “avoid arbitration by artful pleading” by dropping claims against Verizon from an earlier complaint.
The appellate court disagreed, finding that bypassing consumer privacy controls for Turn’s own commercial gain was not an activity contemplated in the Verizon subscription contract. Additionally, Turn was not a third-party beneficiary to the Verizon subscription contracts, since agreements between Turn and Verizon clearly stated:
• “(the parties) are independent of each other”
• “nothing in th[e] Agreement creates any partnership, joint venture, … or other similar relationship”
• “neither party shall have the authority to bind the other in any way”
In fact, Verizon publicly rebuked Turn’s alleged practices upon discovering them. Thus, the district court erred in enforcing the arbitration provisions of a contract to which Turn was not intended to be a party, and the order compelling arbitration was vacated.
[9th Circ.; 16-71818 (orig: N.D. CA; 4:15-cv-01497)]
jbho: looks like this supercookie issue continues to haunt Turn. You may remember the FTC went after Turn for the same issue. No fines were assessed, but Turn signed up for 20 years of FTC oversight.
Also interesting here are the choice of law arguments. The district court applied New York’s Equitable Estoppel laws*, rather than California’s. Although, in the final analysis, both courts and the parties appeared to agree there was no material difference between the two. So it would appear the lack of relationship between Turn & Verizon ultimately proved fatal to Turn’s attempt to compel arbitration, not the choice of law? Was this analysis just to add on to the beat down being given to the district court?
Of course, my main interest here is the marketing enforcement. It will be interesting to see how the court rules on the collection and (mis)use of (personal) information. Stay tuned…
* Equitable estoppel is a doctrine that precludes a party from claiming the benefits of a contract while simultaneously attempting to avoid the burden that contract imposes.
UPDATE: 30Oct2017 – petition for rehearing en banc denied (9th Circ. – Doc#43). “The full court has been advised of the petition for rehearing en banc and no judge has requested a vote on whether to rehear the matter en banc.”
UPDATE: 16Jul2018 – statement of recent decision (N.D. CA – Doc#85). As part of its defense, Turn informed the Court of the decision in Cohen v. Casper (S.D. N.Y.; 1:17-cv-09325), where the court found invasion of privacy claims, absent harm, were insufficient to confer standing for NYGBL claims.
UPDATE: 22Oct2018 – discovery demand for plaintiffs’ devices denied (N.D. CA – Doc#91). As part of its defense, Turn asked that plaintiffs produce: (i) complete forensic images of their devices, (ii) complete web browsing histories, and (iii) all cookies on plaintiffs’ devices. Plaintiffs claimed allowing Turn to obtain complete forensic images, web histories, and all cookies would essentially be (another) invasion of privacy. Plaintiffs stated they were willing to produce all browsing histories and cookies associated with Turn partner websites, however, Turn would first need to identify its partner websites.
The court found allowing Turn to obtain complete forensic images would be overbroad, as it would sweep in documents and information not relevant to the issues in the case. Moreover, plaintiffs had already forensically imaged their devices, and were able to produce information from those images. Given that Turn’s request might sweep in privileged documents as well, the court denied the request as neither relevant nor proportional. Turn cited no legal basis for direct access to these images.
As for access to cookies and web histories, the court agreed with plaintiffs that Turn did not need a full web browsing history or all cookies to run its comparisons. The court deviated slightly from plaintiffs’ request, by requiring plaintiffs to include date information. Date fields of plaintiffs’ cookies and browsing histories were sufficient for Turn to run its comparisons, and full content of cookies and histories were neither relevant nor proportional to the needs of the case.
FYI: the court also noted, “(t)here is an Orwellian irony to the proposition that in order to get relief for a company’s alleged surreptitious monitoring of users’ mobile device and web activity, a person has to allow the company unfettered access to inspect his mobile device or his web browsing history.” Indicates that the bar for forcing plaintiffs to surrender a device will be very high.
UPDATE: 17Dec2018 – Dismissed (N.D. CA – Doc#92). First, the court declined to take judicial notice of the FTC Consent Decree, since it explicitly stated the Turn neither admitted or denied allegations, and did not “constitute either an adjudication on the merits or a factual or legal finding regarding any compliance or noncompliance with the requirements of the Communications Laws.” Second, the court dismissed claims under the New York General Business Law Section 349. Although claims that the failure of Turn to disclose it would create new cookies with the same information as deleted ones would mislead a reasonable consumer were sufficient to withstand a motion to dismiss, plaintiffs failed to allege the information involved was confidential and readily identifiable, and thus failed to identify a cognizable injury. Finally, on trespass to chattels claims, plaintiffs failed to allege Turn’s conduct had any noticeable effect on the performance of plaintiffs’ devices. The court also declined to rule that preventing plaintiffs from effectively using security features like a third-party cookie blocker was a cognizable deprivation of the use of chattel under law.
The court granted plaintiffs leave to amend the complaint to address the defects identified – “if they can” – and (i) show personal confidential data was collected, or (ii) Turn activities caused substantial degradation to the device functions. The schedule for the amended complaint is as follows (N.D. CA – Doc#93):
• Amended Complaint due 25Jan2019
• Motion to Dismiss / Answer to the Amended Complaint 11Mar2019
• Response in Opposition to Motion to Dismiss due 25Apr2019
• Reply in Support of Motion to Dismiss due 16May2019
Note that is Turn’s reply in support of its motion to dismiss, Turn claimed that Plaintiffs never blocked cookies in their browsers or opted-out of Turn’s services. An issue that will likely come to the fore if litigation progresses.
UPDATE: 23Jan2019 – notice of voluntary dismissal (N.D. CA – Doc#95). Plaintiffs voluntarily dismissed with prejudice all claims, without explanation.
- Advertising Cases
- National Advertising Division (NAD)
- Online Interest Based Advertising Accountability Program (OIBAAP)
- Cross Device Identification – XDID