Class Dismissed: Plaintiffs in Apple iPhone Privacy Case Have No Standing
The guts of the opinion explain why the plaintiffs have no standing to sue, with a second section suggesting the plaintiffs are going to have a hard time refiling something the Court will find meritorious. Essentially, the opinion says that in order to prove standing a plaintiff needs to prove that an individual suffered an identifiable harm that was allegedly caused by the defendant. The court held that:
(1) The complaint doesn’t allege a specific injury suffered by any particular plaintiff;
(2) The plaintiffs did not identify a concrete harm from collection and tracking of their information that would be sufficient as an injury in fact; and
(3) The plaintiffs did not allege sufficiently that it was Apple’s conduct that caused any harm.
On point one, the court said:
“Plaintiffs do not identify what iDevices they used, do not identify which Defendant (if any) accessed or tracked their personal information, do not identify which apps they downloaded that access/track their personal information, and do not identify what harm (if any) resulted from the access or tracking of their personal information.”
On point two, the court said the plaintiffs had not:
What would satisfy as an allegation of harm? The court cited public disclosure of data like “publicly disclosed included credit card numbers, social security numbers, financial account numbers, and information regarding AOL members’ personal issues, including sexuality, mental illness, alcoholism, incest, rape, and domestic violence” or data collected or disclosed in violation of a statute. However, the allegations here of “address book, cell phone numbers, file system, geolocation, International Mobile Subscriber Identity (IMSI), keyboard cache, photographs, SIM card serial number, and unique device identifier (UDID)” didn’t suffice.
On point three, the court said:
“There is no allegation that Apple misappropriated data, so there is no nexus between the alleged harm and Apple’s conduct. Plaintiffs’ only allegation is that Apple “designed” a platform in which Mobile Industry Defendants and absent app developers could possibly engage in harmful acts, or that Apple’s platform caused “users’ iDevices to be able to maintain, synchronize, and retain detailed, unencrypted location history files.”
Connected to point three, and of utmost interest to coders and other innovators is the Court’s ruling regarding liability for privacy unfriendly design under the Computer Fraud and Abuse Act: “However, negligent software design cannot serve as a basis for a CFAA claim. See 18 U.S.C. § 1030(g) (“No cause of action may be brought under this subsection for the negligent design or manufacture of computer hardware, computer software, or firmware.”)”
The Court gave the plaintiffs leave to amend, but the road to successfully do so will be rocky. They are going to have to “provide specific allegations with respect to the causal connection between the exact harm alleged (whatever it is) and each Defendants’ conduct or role in that harm”, said the Court.
The Court went on to highlight other problems with the Complaint that the plaintiffs need to address in the next iteration. Most importantly is Apple’s App Store Terms of Service (TOS) and iOS Software License, which Apple argued bars liability. The plaintiffs asserted that these agreements are adhesion, or take-it-or-leave-it, contracts that are not enforceable under California law. The Court asked the plaintiffs to identify any procedural or substantive unfairness in any new complaint they would file, especially as the apps at issue are “nonessential recreational activities”. Tell that to any iPad owner!
Of course, if all adhesion contracts were unconscionable, then any click-through or website TOS would be unenforceable in California. This Court has made clear that, at least for recreational apps, the TOS should have teeth.
The full opinion can be found here.