Privacy Enforcement

May 2017

Health Sites Shake Suit Over User Data Sharing

Smith v. Facebook
Dismissed – Facebook allegedly tracked, intercepted, and acquired plaintiffs’ communications with medical websites without plaintiffs’ knowledge or consent, and in violation of the medical websites’ privacy policies and HIPAA. Facebook allegedly used the information gathered, including sensitive medical information, to place plaintiffs into medical categories for purposes of direct marketing. Plaintiff claimed the interception occurred not only on pages with ‘like’ and ‘share’ buttons, but also on pages with just a Facebook icon, by scraping the content of every website with a Facebook plugin.

The court found that although Facebook could ‘invisibly’ identify and watch individual users as they browsed third-party websites, plaintiffs consented to the tracking when they signed up for Facebook accounts.

Facebook’s Data Policy discloses the precise conduct at issue in this case: “We collect information when you visit or use third-party websites and apps that use our Services (like when they offer our Like button . . . ).”

The court also found that stricter consent requirements (HIPAA) did not apply, since the only health-related information involved was publicly available medical information contained in referring URLs (information about treatment options for specific diseases, specific doctors, search results, blog post titles, etc.).

“Nothing about the URLs … relates to the past, present, or future physical or mental health or condition of an individual.”

Thus the consent was adequate, and the wiretap, tort, and invasion of privacy claims all failed. Since no amendment would change the fact that plaintiffs consented to Facebook’s activities, the complaint was dismissed without leave to amend.
[N.D. CA; 5:16-cv-01282]
jbho: The dicta provides examples of how Facebook policies did cover the collection. Valuable notes for those looking to update their privacy policies.

The initial complaint contains an interesting discussion of how the internet works. Particularly fascinating is the claim “The ‘c_user’ cookie is the Facebook equivalent of a Social Security number.” That argument may surface elsewhere (e.g., VPPA cases).

Note the court also found it lacked jurisdiction over the healthcare defendants (activities were not purposefully directed at California/doing business in California). So claims against them may resurface elsewhere. Stay tuned…


April 2017

Live Data In Debugging Health App Bugs Users

Richards v. MDLive
Class complaint – MDLive allegedly captured sensitive health data in its mobile app through continuous screenscrapes, and allegedly shared the captured data with non-healthcare third parties. Data was allegedly captured and shared without consumer knowledge or consent.

UPDATE: 2 June 2017 – MDLive argued in its motion to dismiss that plaintiff was informed and agreed through the app ToS that MDLive would share information with vendors – confidentially – to assist in developing and improving the app. Plaintiff received an extension to file an amended complaint (to clarify the nature of injuries and claims), but at the deadline filed a notice of voluntary dismissal instead (Doc #20). The court subsequently dismissed the case with prejudice (Doc #21). A motion for reconsideration has been filed.

Telehealth is apparently on record that it has not paid a settlement.
[S.D. FL; 0:17-cv-60760]
jbho: it appears the screenscrapes may have been more for purposes of testing and debugging the app, as opposed to farming data for marketing or other purposes. Nonetheless, sharing such detailed usage data can make people nervous, especially when you’re dealing with sensitive data.

So keep an eye on your mobile developers, and make sure “privacy by design” is being implemented. That means:
• Knowing what your apps need
• Knowing what your apps are actually doing (including any imported code from third party SDKs)
• Turning off the functions you don’t need
• Getting consent for data/functions you do need
• Making sure your privacy policies are updated, and are clearly and conspicuously posted – in the app, and on the AppStore/Play
Messaging App Allegedly Overpromised On Privacy And Security

Auman v. Confide
Class Complaint – Confide allegedly failed to provide the three layers of protection advertised to ensure the confidentiality of messages sent via its products. According to the complaint, Confide represented messages were:
• encrypted end-to-end
• ephemeral – removed after read, and app prevented forwarding, printing, saving, etc.
• screenshot protected – prevented screenshots of messages from being taken
Plaintiff alleged the desktop (Windows & macOS) versions of the Confide app did not prevent screenshots from being taken. Thus, the promises of ephemerality and screenshot protection were rendered false.

Plaintiff further alleged that the alerting features, meant to warn a user if a message had been compromised (screenshot attempted or taken), did not work on the desktop (Windows & macOS) versions of the Confide app.
[S.D. N.Y.; 1:17-cv-02848]
jbho: verify your functionality on all platforms before advertising those features.


Customer Sues ISP For Allegedly Selling Data Without Consent

Michael v. Charter
Class complaint – Charter allegedly failed to disclose in its privacy policies that it would sell plaintiff’s personal information (names, addresses, and other subscriber information such as retail subscription packages/channels). Plaintiff claimed the privacy policies were not presented to him at the time of installation, and the policies that were ultimately provided failed to comply with the Cable Communications Policy Act (CCPA). Plaintiff further alleged Charter continued to sell his information after he attempted to opt out.

Plaintiff also seeks to invalidate the arbitration provisions in the Charter agreement, claiming he was not offered an opportunity to opt-out of the arbitration provisions, and Charter does not offer to pay for arbitration.
[E.D. MO; 4:17-cv-01242]
jbho: plaintiff may have taken note of the recent TWC case involving alleged CCPA violations (see below). It will be interesting to see how things evolve in the 8th.


January 2017

No Concrete Harm Affirmed In Data Retention Case

Gubala v. TWC
Affirmed – TWC allegedly maintained plaintiff’s personal information (for eight years) after he terminated his account, and after it was no longer needed for business, tax, accounting, or legal purposes, in violation of the Cable Communications Policy Act (CCPA). Plaintiff further alleged that anonymizing data did not constitute compliance with the CCPA data destruction requirements. To avoid arbitration, plaintiff removed requests for monetary damages and pursued injunctive relief only, barring defendant from “the unlawful practices and statutory violations” alleged in the complaint.

The district court found (in the wake of the recent SCOTUS decision in Spokeo) that plaintiff did not have standing, as he did not allege his information had been disclosed by TWC, that he had been contacted by marketers, or otherwise harmed by any use or disclosure of his information. Plaintiff’s allegations of a statutory violation in not destroying data may have been a particularized injury, but were not a concrete harm.

Furthermore, injunctive relief was not appropriate, since plaintiff failed to state a claim upon which relief could be granted*. “If … plaintiff … had alleged facts showing that he had suffered a concrete harm … the CCPA would have allowed him to seek monetary damages … it is not that the plaintiff does not have a remedy at law; it is that he does not want to avail himself of that remedy at law, because to do so, he would have to eschew federal court and submit himself to a binding arbitration award.”

The appellate court affirmed the lower court’s dismissal, finding that plaintiff had not alleged: (i) that TWC had leaked or lost his information, (ii) that his information was at risk of being leaked or lost, or (iii) that he had suffered any financial or other injury. Furthermore, while privacy rights may be actionable, plaintiff failed to show any privacy harm related to TWC’s (plausibly illegal) retention, or any risk of a future harm resulting therefrom.
[7th Circ.; 16-2613 (Orig: E.D. WI; 2:15-cv-01078)]
jbho: One of the first post-Spokeo cases. No imminent risk, no concrete harm?

*For the record: injunctive relief is appropriate when the moving party can demonstrate:
(1) no adequate remedy at law exists; and
(2) it will suffer irreparable harm absent injunctive relief
