Editor's note: This is the second article in a three-part series that tracks class action litigation at the nexus of privacy, artificial intelligence, and other digital technology. The first article, "Dressing old laws in class-action suits: Applying anti-wiretapping laws to AI transcription services," looks at how decades-old anti-wiretapping laws have found new significance due to the emergence of automated technologies capable of eavesdropping.
As discussed in the first part in this series, the plaintiff's bar continues to repurpose old laws in the context of emerging technologies, attempting to enforce privacy rights using class-action lawsuits. Recent legal theories have applied the California Invasion of Privacy Act and the Video Privacy Protection Act to prevent the disclosure of personal information through tracking technology. One of these suits resulted in a rare jury verdict and another in a novel class certification.
CIPA violation gets a plaintiff-friendly jury verdict
Software development kits allow app developers to incorporate ready-made features into their products. That said, "SDKs have caused particular regulatory consternation due to their role in tracking location" and those that enable real-time interception of CIPA-covered communications carry real risk for developers and vendors alike.
In August, a unanimous jury found that Meta violated CIPA Section 632 in the case of Frasco v. Flo Health by intentionally eavesdropping on plaintiffs' confidential communications without consent. Plaintiffs alleged Flo Health, the developers of a sexual and reproductive health app, shared personal information with Meta and Google without their consent, including menstrual cycle timing, preferred birth control methods, and details about sexual activity. The app allegedly recorded user interactions that were then intercepted by the SDKs and collected by Meta and Google for advertising, marketing, and research and development purposes.
The U.S. District Court for the Northern District of California dismissed a Stored Communications Act claim against Flo Health in June, finding "the complaint does not plausibly allege that Flo was an electronic communication service provider within the meaning of the SCA." Nevertheless, the court denied a motion to dismiss based on a lack of Article III standing, finding the plaintiffs plausibly alleged the disclosure of private information and intrusion upon seclusion. At the summary judgment stage in May, the court found Flo Health consented to Meta’s data collection practices, effectively ending the Electronic Communications Privacy Act claim against Meta under the party exception.
Two weeks before trial, Google settled; mid-trial, Flo Health settled. That left only a CIPA claim against Meta. The jury sided with the plaintiffs, and the court denied Meta's renewed motion for a judgment as a matter of law. The court ruled that Meta captured user communications with the Flo app in real time, not mere "secondhand repetitions" as Meta argued. It didn’t matter that Meta only captured a user's communications; under the CIPA, one party's communications are sufficient.
The court also found that a physical device was not necessary to fall within the statute — and even if it were, a user's phone would qualify. Additionally, it noted "Meta actively encouraged app developers to incorporate its SDK into their apps" and acted to "restrict the acquisition of health information ... only on the heels of bad press about its practices." Based on these findings, the court ruled Meta intentionally used an electronic device to intercept communications.
As for consent, the court held that Meta's privacy policy did not sufficiently disclose the disputed conduct to confer implied consent. Moreover, Flo Health's policy expressly assured its users that it would not share their personal information with Meta in any way. The court agreed that the plaintiffs' communications were confidential — despite their knowledge that the Flo app was storing them — because they could not reasonably expect to be overheard by a non-party.
Meta will likely appeal the verdict and maintains that any transfer of sensitive health data from third-party apps violates its terms of use. However, that contractual control did not satisfy the district court when Meta willingly accepted the data, albeit contrary to its own terms.
Of note, a jury also awarded class plaintiffs in Rodriguez v. Google USD425 million after finding that Google continued collecting data even after users turned off tracking features in their Google accounts. The complaint alleged that Google indirectly collected data through its relationship with apps like Uber and Instagram, which use Firebase SDKs to enable Google Analytics services and marketing on the Google Play Store. In seeking relief, plaintiffs invoked the ECPA, CIPA, California's constitutional right to privacy, and other rights of action. Google plans to appeal the verdict, arguing that its privacy policy clearly disclosed its tracking practices.
The VPPA rises again — this time with class certification
The Video Privacy Protection Act, which provides a cause of action against "a video tape service provider who knowingly discloses ... personally identifiable information concerning any consumer of such provider," was passed by Congress after Circuit Judge Robert Bork's video rental history was publicly disclosed during his U.S. Supreme Court nomination. From these beginnings, the VPPA has found renewed application with the rise of pixel and cookie-tracking technology. Until recently, those claims largely have been confined to individual plaintiffs.
In denying WebMD's motion to dismiss in Jancik v. WebMD, the court held that the plaintiff adequately pled she was a consumer under the VPPA and the health website knowingly disclosed her PII via the Facebook Tracking Pixel, a data aggregation tool used to analyze user activity. The plaintiff alleged she exchanged her email address for a WebMD e-newsletter containing video content. When she viewed such videos, the company disclosed the plaintiff's Facebook ID, email address, and video details to Facebook.
Under the VPPA, a consumer is any "subscriber of goods or services from a video tape service provider." To interpret this term, the court applied the U.S. Court of Appeals for the Eleventh Circuit's multifactor test, which considers the existence of payment, registration, commitment, delivery, association, and/or access to restricted content. Importantly, payment is not required — for example, "there are numerous ... newsletters" that a user can subscribe to for free. Because the plaintiff alleged she exchanged her email address for the WebMD e-newsletter, she was a subscriber. Furthermore, because she claimed the e-newsletter generates revenue for WebMD through advertisements, it constitutes a "good or service." Based on the allegations, the court found that the plaintiff sufficiently alleged she was a "consumer" under the VPPA.
On the issue of knowing disclosure of PII, the court held that WebMD's disclosure of the plaintiff's Facebook ID and email address in connection with her video viewing activity amounted to disclosure of PII. Moreover, the court found that plaintiff plausibly alleged that WebMD knowingly disclosed — consciously transmitted — PII to Facebook. Whether WebMD knew Facebook would combine the identity information and video viewing activity was an issue better left for the summary judgment stage.
Ultimately, the case was certified as a class action. Contested class certification under the VPPA has been an uphill battle, with Jancik marking the first instance of such a case since the law passed in 1988. While other district courts hearing VPPA cases have denied certification due to a lack of class ascertainability or numerosity, the Jancik court noted that "WebMD possesses the list of newsletter subscribers' email addresses and that Facebook possesses ... Event Data associated with those email addresses," making definition of the class administratively feasible. Because WebMD's records contained more than 500,000 unique emails associated with video viewing activity, it was reasonable to infer that the plaintiff's burden to demonstrate numerosity had been met.
What can entities using tracking technology learn from these cases?
As noted in part one of this series, courts take it very seriously when data is intercepted in real time. In Frasco, the court found that using SDKs to capture communications in real time — even those of just one party — qualifies as eavesdropping under CIPA Section 632. The court further held that for CIPA purposes, intentional interception may be implied when a company fails to stem the flow of PII, even if the recipient has directed or contractually required the sender not to share said information.
At the hardware level, a user's phone, which is generally required for an app and SDK to function, may constitute the device required for CIPA applicability. Furthermore, the Frasco court suggested that a physical device may not even be required to fall within the scope of the CIPA.
As for the VPPA, entities should be aware that the statute is now subject to class certification, assuming certain fact patterns. Analysis suggests that "[t]he varied ways in which users interface with websites — logging into social media accounts, using different browsers, and clearing cookies at different rates — make[s] certifying a class a tall task." But, as the Jancik court found, where certain evidence exists connecting a critical mass of individual consumers with the means of disclosure, class certification under the VPPA is a real possibility.
Under the VPPA, a consumer need not pay for a covered video service but can offer identifying information in exchange for the service. A newsletter or similar content that generates revenue through advertisements is also likely considered a "good or service" for VPPA purposes. Finally, there is no requirement that a video tape service provider have affirmative knowledge that the recipient of disclosed consumer information will connect identifying information with video viewing activity. The sharing of both types of information and the mere possibility that they could be connected is enough to constitute "knowing disclosure" under the VPPA.
Following these insights will help entities that employ tracking technology, such as SDKs and tracking pixels, avoid liability as well as the challenges that class-action litigation entails.
