
Earlier this month, San Francisco City Attorney Dennis Herrera filed a complaint in California state court against MeetMe, Inc., the maker of a social networking app that, as the complaint puts it, is designed “to introduce users to new people and enable them to interact with strangers online and in person.” The complaint takes issue with one of the ways MeetMe encourages users to interact—by sharing their location with each other. Herrera asserts that although MeetMe informs users about the way its app uses geolocation information, it fails to do so in a way that is sufficiently clear—particularly given that many of MeetMe’s users are minors. 

According to Herrera, the consequences of MeetMe’s data practices have been serious—the app allegedly has been used by men accused of sexual misconduct involving minors. 

Importantly for privacy professionals, this case raises questions about what it means to provide clear notice in the mobile environment, and how, if at all, the answer changes when the user is a minor. The case also raises the important question of whether failure to adequately disclose how information is shared can be a violation of California’s Unfair Competition Law (UCL), a statute that sometimes is compared to Section 5 of the Federal Trade Commission Act.


According to the complaint, the MeetMe app collects geolocation data from MeetMe users’ mobile devices and uses that data to tell other users “who is nearby and how far away they are.” Herrera alleges that this functionality “broadcasts” geolocation data collected from minors—who make up a large portion of MeetMe’s user base—to “thousands of other users, including sexual predators, stalkers and other criminals.” The complaint cites several press accounts about men who allegedly have used this feature to engage in sexual misconduct involving minors.

The complaint also alleges that the MeetMe app fails to adequately inform users that their location will be shared with other users. According to the complaint, the “only” notice about MeetMe’s use and sharing of geolocation data comes through a pop-up notice displayed after the initial installation of the app. The pop-up allegedly asks permission to “use your location data to show you cool people to meet near you.”

Herrera asserts that this permission “falsely impl[ies] that geolocation data will be used only to show the user the location of others who are nearby and will not automatically be used for other purposes—like broadcasting the user’s location to thousands of other people.” He contends that the pop-up notice is therefore insufficient to inform MeetMe’s users about how their geolocation data will be used.


The complaint asserts that, as a consequence of these practices, MeetMe violates California’s UCL, which prohibits any “unlawful, unfair or fraudulent business act or practice.” Herrera contends that MeetMe’s practices are “unfair,” “deceptive” and “unlawful.”


 The complaint asserts that MeetMe’s practices are unfair because they offend “established public policy” and “cause harm that greatly outweighs any benefits associated with those practices.” It is important to note that the “practices” at issue in Herrera’s suit are not the underlying crimes against minors described in the complaint, but rather MeetMe’s allegedly unauthorized sharing of geolocation data with others.

Even assuming the sharing described in the complaint was unauthorized—which may be a dubious assumption—it is noteworthy that Herrera asserts the sharing offends “established public policy.” Herrera’s support for this assertion appears to come in the form of privacy best practices guides, published by the FTC and California Attorney General, for mobile app developers and others in the mobile ecosystem. These guides are unquestionably important to companies that operate in the mobile ecosystem; but MeetMe may push back against the notion that the guides, published just last year, represent “established public policy.”


Also up for debate is how MeetMe’s practices “cause harm.” Although the perpetrators involved in the crimes described in the complaint allegedly used MeetMe to cause substantial harm, it is not clear precisely how MeetMe caused any harm. And if, as appears likely, the “harm” asserted in the complaint is the sharing of geolocation information, then there may be a question about whether the mere sharing of information through an app can cause the harm necessary to support a legal claim. Courts in recent privacy litigation matters have suggested it cannot.


The complaint also asserts that MeetMe violated the UCL’s prohibition on fraudulent practices by deceptively failing to disclose (or adequately disclose) how it uses and shares minors’ geolocation information. As noted above, however, the complaint acknowledges that MeetMe presented users with a pop-up requesting permission “to use your location data to show you cool people to meet near you.” Herrera asserts that notwithstanding this disclosure, users would not have understood that their location information would be shared with others—i.e., users would have believed that their location information would be used only so that they could see others’ locations, but others could not see theirs.

This assertion may be seen as implausible, particularly given that the MeetMe app’s basic functionality appears to be the sharing of location information with people nearby to encourage interaction. Put differently, it may be hard to convince a court that a user would expect the app not to disclose the user’s geolocation data to others even while disclosing the geolocation data of others to that one user.


Claims under the UCL’s unlawfulness prong “piggyback” on other legal claims; if the plaintiff can prove that the defendant’s business practices violated any federal, state or local law, he or she may obtain relief under the UCL.

Here, Herrera asserts—without elaboration—that MeetMe’s practices constituted a common law invasion of privacy and a violation of the right to privacy under California’s Constitution. Litigants in similar privacy litigation matters have struggled to show that the alleged misuse of personal information collected online involves harm of a sufficient magnitude to support recovery under these theories.  In general, these claims have been successful only in cases involving egregious privacy violations. Herrera may face significant hurdles in convincing the court that sharing geolocation data gives rise to a claim under one of these theories.


It is, of course, difficult to predict how a case will unfold in litigation. It will be very interesting to see how MeetMe responds to Herrera’s complaint and how the court will address these issues.

Written By

Stephen Satterfield


  • Jason Cronk Mar 20, 2014

    I think the City Attorney is upset about the use of the app for illegal purposes but is stretching to make this argument. As you point out, the user is implicitly acknowledging that their location will be shared with other users to facilitate the exact same information they themselves are receiving (information about the whereabouts of others). Perhaps they could have been explicit about it but I'm not convinced that UCL requires explicit consent in these bidirectional cases.

