PrivacyTraining_ad300x250.Promo1-01
DPC16_Banner_300x250-COPY

Earlier this month, San Francisco City Attorney Dennis Herrera filed a complaint in California state court against MeetMe, Inc., the maker of a social networking app that, as the complaint puts it, is designed “to introduce users to new people and enable them to interact with strangers online and in person.” The complaint takes issue with one of the ways MeetMe encourages users to interact—by sharing their location with each other. Herrera asserts that although MeetMe informs users about the way its app uses geolocation information, it fails to do so in a way that is sufficiently clear—particularly given that many of MeetMe’s users are minors. 

According to Herrera, the consequences of MeetMe’s data practices have been serious—the app allegedly has been used by men accused of sexual misconduct involving minors. 

Importantly for privacy professionals, this case raises questions about what it means to provide clear notice in the mobile environment, and how, if it all, the answer changes when the user is a minor. The case also raises the important question of whether failure to adequately disclose how information is shared can be a violation of California’s Unfair Competition Law (UCL), a statute that sometimes is compared to Section 5 of the Federal Trade Commission Act. 

HERRERA'S ALLEGATIONS

According to the complaint, the MeetMe app collects geolocation data from MeetMe users’ mobile devices and uses that data to tell other users “who is nearby and how far away they are.” Herrera alleges that this functionality “broadcasts” geolocation data collected from minors—who make up a large portion of MeetMe’s user base—to “thousands of other users, including sexual predators, stalkers and other criminals.” The complaint cites several press accounts about men who allegedly have used this feature to engage in sexual misconduct involving minors.

The complaint also alleges that the MeetMe app fails to adequately inform users that their location will be shared with other users. According to the complaint, the “only” notice about MeetMe’s use and sharing of geolocation data comes through a pop-up notice displayed after the initial installation of the app. The pop-up allegedly asks permission to “use your location data to show you cool people to meet near you.”

Herrera asserts that this permission “falsely impl[ies] that geolocation data will be used only to show the user the location of others who are nearby and will not automatically be used for other purposes—like broadcasting the user’s location to thousands of other people.” He contends that the pop-up notice is therefore insufficient to inform MeetMe’s users about how their geolocation data will be used.

LEGAL CLAIMS

The complaint asserts that, as a consequence of these practices, MeetMe violates California’s UCL which prohibits any “unlawful, unfair or fraudulent business act or practice.” Herrera contends that MeetMe’s practices are “unfair,” “deceptive” and “unlawful.”  

Unfairness

 The complaint asserts that MeetMe’s practices are unfair because they offend “established public policy” and “cause harm that greatly outweighs any benefits associated with those practices.” It is important to note that the “practices” at issue in Herrera’s suit are not the underlying crimes against minors described in the complaint, but rather MeetMe’s allegedly unauthorized sharing of geolocation data with others.

Even assuming the sharing described in the complaint was unauthorized—which may be a dubious assumption—it is noteworthy that Herrera asserts the sharing offends “established public policy.” Herrera’s support for this assertion appears to come in the form of privacy best practices guides, published by the FTC and California Attorney General, for mobile app developers and others in the mobile ecosystem. These guides are unquestionably important to companies that operate in the mobile ecosystem; but MeetMe may push back against the notion that the guides, published just last year, represent “established public policy.”

Check out the IAPP’s Mobile App Tool to compare the different guidelines and figure out which apply to you.

Also up for debate is how MeetMe’s practices “cause harm.” Although the perpetrators involved in the crimes described in the complaint allegedly used MeetMe to cause substantial harm, it is not clear precisely how MeetMe caused any harm. And if, as appears likely, the “harm” asserted in the complaint is the sharing of geolocation information, then there may be a question about whether the mere sharing of information through an app can cause the harm necessary to support a legal claim. Courts in recent privacy litigation matters have suggested it cannot.

Deception

The complaint also asserts that MeetMe violated the UCL’s prohibition on fraudulent practices by deceptively failing to disclose (or adequately disclose) how it uses and shares minors’ geolocation information. As noted above, however, the complaint acknowledges that MeetMe presented users with a pop-up requesting permission “to use your location data to show you cool people to meet near you.” Herrera asserts that notwithstanding this disclosure, users would not have understood that their location information would be shared with others—i.e., users would have believed that their location information would be used only so that they could see others’ locations, but others could not see theirs.

This assertion may be seen as implausible, particularly given the MeetMe app’s basic functionality appears to be the sharing of location information with people nearby to encourage interaction. Put differently, it may be hard to convince a court that a user would expect the app not to disclose the user’s geolocation data to others even while disclosing the geolocation data of others to that one user.

Unlawfulness

 Claims under the UCL’s unlawfulness prong “piggyback” on other legal claims; if the plaintiff can prove that the defendant’s businesses practices violated any federal, state or local law, he or she may obtain relief under the UCL.

Here, Herrera asserts—without elaboration—that MeetMe’s practices constituted a common law invasion of privacy and a violation of the right to privacy under California’s Constitution. Litigants in similar privacy litigation matters have struggled to show that the alleged misuse of personal information collected online involves harm of a sufficient magnitude to support recovery under these theories.  In general, these claims have been successful only in cases involving egregious privacy violations. Herrera may face significant hurdles in convincing the court that sharing geolocation data gives rise to a claim under one of these theories.

***

It is, of course, difficult to predict how a case will unfold in litigation. It will be very interesting to see how MeetMe responds to Herrera’s complaint and how the court will address these issues.

Written By

Stephen Satterfield

1 Comment

If you want to comment on this post, you need to login.

  • Jason Cronk Mar 20, 2014

    I think the City Attorney is upset about the use of the app for illegal purposes but it stretching to make this argument. As you point out the user is implicitly acknowledging that their location will be shared with other users to facilitate the exact same information they themselves are receiving (information about the whereabouts of others). Perhaps they could have been explicit about it but I'm not convinced that UCL requires explicit consent in these bidirectional cases. 

Related

Board of Directors

See the esteemed group of leaders shaping the future of the IAPP.

Contact Us

Need someone to talk to? We’re here for you.

IAPP Staff

Looking for someone specific? Visit the staff directory.

Learn more about the IAPP»

Daily Dashboard

The day’s top stories from around the world

Privacy Perspectives

Where the real conversations in privacy happen

The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

Privacy Tracker

Alerts and legal analysis of legislative trends

Privacy Tech

Exploring the technology of privacy

Canada Dashboard Digest

A roundup of the top Canadian privacy news

Europe Data Protection Digest

A roundup of the top European data protection news

Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

IAPP Westin Research Center

Original works. Groundbreaking research. Emerging scholars.

Get more News »

Find a KnowledgeNet Chapter Near You

Network and talk privacy at IAPP KnowledgeNet meetings, taking place worldwide.

Women Leading Privacy

Events, volunteer opportunities and more designed to help you give and get career support and expand your network.

IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

Join the Privacy List

Have ideas? Need advice? Subscribe to the Privacy List. It’s crowdsourcing, with an exceptional crowd.

Find more ways to Connect »

Find a Privacy Training Class

Two-day privacy training classes are held around the world. See the complete schedule now.

NEW! Raise Staff Awareness

Equip all your data-handling staff to reduce privacy risk, with Privacy Core™ e-learning essentials.

Online Privacy Training

Build your knowledge. The privacy know-how you need is just a click away.

The Training Post—Can’t-Miss Training Updates

Subscribe now to get the latest alerts on training opportunities around the world.

Upcoming Web Conferences

See our list of upcoming web conferences. Just log on, listen in and learn!

Train Your Team

Get your team up to speed on privacy by bringing IAPP training to your organization.

Learn more »

CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

CIPT Certification

The industry benchmark for IT professionals worldwide to validate their knowledge of privacy requirements

NEW! FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

Certify Your Staff

Find out how you can bring the world’s only globally recognized privacy certification to a group in your organization.

Learn more about IAPP certification »

Get Schooled in Privacy

Looking to get some higher-ed in privacy? Check out these schools that include data privacy courses in their curricula.

Privacy Vendor List

Find a privacy vendor to meet your needs with our filterable list of global service providers.

NEW! Raise Staff Awareness

Equip all your data-handling staff to reduce privacy risk, with Privacy Core™ e-learning essentials.

The Industry of Privacy

Take stock, compare your practices to those of other organizations, and get budget with these studies on the industry of privacy.

More Resources »

P.S.R.—One Powerhouse Program

The program is too good to miss. The speakers are world-renowned. P.S.R. brings you the best of the best in privacy and security. Don't wait: Register now!

Speak at the Intensive!

The call for proposals for our London event, the Data Protection Intensive, is now open! Submit your session idea today.

Time to Get to Work at the Congress

Thought leadership, a thriving community and unrivaled education...the Congress prepares you for the challenges ahead. Register today.

GDPR Comprehensive London: Last Chance!

The IAPP GDPR Comprehensive heads to London this fall. This is your last chance at this popular program this year!

Sponsor an Event

Increase visibility for your organization—check out sponsorship opportunities today.

More Conferences »

Become a Member

Start taking advantage of the many IAPP member benefits today

Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits

Join the IAPP»