Loss of Personal Data Value Due to Sharing Insufficient to Establish Article III Standing

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

Allegations of the loss of value of personally identifiable information (PII), diminished mobile device memory space, and the potential for future harm stemming from Pandora Media Inc.'s dissemination of its users' PII to advertisers were not sufficient to create Article III standing, the U.S. District Court for the Northern District of California ruled March 26 (Yunker v. Pandora Media Inc. , N.D. Cal., No. 3:11-cv-03113-JSW, unpublished opinion 3/26/13).

In an unpublished opinion, the court drew heavily from its reasoning in In re iPhone Application Litig., 844 F. Supp. 2d 1040 (N.D. Cal. 2012) (11 PVLR 1000, 6/25/12) (iPhone II), in ruling on motions to dismiss a putative class action against Pandora arising out of the alleged misuse of the registration data of its mobile application users.

Pandora's digital music services include an app that users can download and register with the company. When the app runs in the Android operating system, it integrates with a number of advertising libraries that allegedly packaged and sold PII users gave Pandora when registering.

According to Pandora's privacy policy, it could share non-PII information such as user-location information, as well as anonymized PII. The plaintiff in this case claimed that that meant it could not share his PII. He brought a number of federal and state law claims against Pandora for allegedly sharing the PII.

Lowered Value of PII

The court noted that, in the absence of controlling authority from the U.S. Court of Appeals for the Ninth Circuit, district courts such as the court in iPhone II have shied away from finding standing based “solely” on the argument that the plaintiff's PII value has taken a hit.

Nonetheless, the plaintiff argued that he effectively “paid” for the app with the value subsisting in his PII. He cited Claridge v. Rockyou Inc., 785 F. Supp. 2d 855 (N.D. Cal. 2011) (10 PVLR 620, 4/25/11), which found standing based on the decreased value of PII as supplying the necessary injury in fact.

The court here noted that the Claridge court also expressed reservations regarding standing but gave the plaintiff latitude given what it called the new and unsettled nature of the question. The court here also distinguished Claridge, noting that the plaintiff in that case also alleged a data breach, and the defendant had requested the plaintiff's user names and passwords for third-party systems. Those allegations were not present here, the court said.

Moreover, it continued, even if it assumed that PII was a form of personal property, the plaintiff made no showing of how his PII was affected by Pandora. Although he cited studies showing that consumers generally place monetary values on their PII, the plaintiff made no showing that he tried to sell his information, that he might do so in the future, or that Pandora's conduct closed the door to those kinds of transactions to him, the court said. It ruled that this argument did not support standing.

Memory Space Reduced

The court pointed out that the plaintiffs in iPhone II were able to maintain standing along this line, but they alleged that the defendants not only took a large amount of memory but also manufactured the mobile device at issue. In addition, it said, plaintiffs in another case were able to maintain standing against a device manufacturer whose alleged conduct diminished the “performance” of the device (Goodman v. HTC America Inc., No. 2:11-cv-01793 (W.D. Wash. June 26, 2012) (11 PVLR 1106, 7/9/12)).

Here, the court said, the plaintiff's claims were less robust. He did not pay for the app, he did not name a device manufacturer as defendant, and his phone apparently suffered no performance or other problems from the app. It found that this basis was also insufficient for standing.

Potential for Future Harm

The plaintiff relied on Krottner v. Starbucks Corp., 628 F.3d 1139 (9th Cir. 2010) (9 PVLR 1729, 12/20/10), to bolster his argument that Pandora's failure to de-identify his data before allowing advertisers to get the information exposed him to an increased threat of future harm, enough of an injury to create standing.

Krottner was distinguishable, however, the district court said, because it involved a stolen laptop loaded with financial information, such as Social Security and credit card numbers. Letting this kind of sensitive data get into the wrong hands leads directly to an increased risk of identity theft, the court noted. The plaintiff alleged no such risk, merely the possibility that he might fall victim to identity theft in the future, it said. This ground was inadequate to establish standing, the court said.

The plaintiff fared better by arguing that Pandora's conduct amounted to a violation of his constitutional right to privacy. The injury required for standing may be based on harm done to a right created by statute, the court explained. The plaintiff's allegations sufficed, the court said, and it denied the motion on this particular basis.

Wiretap Claim Dismissed

The court dismissed the plaintiff's claim under the wiretap provision of the Electronic Communications Privacy Act, 18 U.S.C. § 2520(a), which creates a private right of action for anyone whose communication is “intercepted, disclosed, or intentionally used in violation of this chapter.”

The court ruled that the plaintiff did not show that Pandora intercepted a communication intended for another party or that it divulged information covered by the act. Pandora was a party to the communication, the court said, and its disclosures of communications intended for it were not covered by the act.

Stored Communications Act Claim

The Stored Communications Act bars a service provider from divulging the contents of a communication while in electronic storage, 18 U.S.C. § 2702(a)(1). Pandora argued that it did not divulge a communication in electronic storage, and the court agreed.

The plaintiff tried to convince the court that his cellphone's universally unique device identifier was a “supercookie” that Pandora improperly divulged. The court cited iPhone II as authority that cookies are not covered under the SCA's definition of electronic storage.

It also found the plaintiff's argument that Pandora amounted to a remote computing service under the SCA entirely conclusory and unsupported. It dismissed this claim.

Computer Fraud and Abuse Act Claim

The Computer Fraud and Abuse Act, 18 U.S.C. § 1030(a), provides a private right of action for certain offenses if a plaintiff can show a loss to itself or others of at least $5,000 over a one-year period.

For the economic injury reasons discussed under the motions on standing, the court found the plaintiff unable to meet this threshold and dismissed the claim.

The court finally dismissed the state law claims asserting breach of contract, breaches of privacy, and unfairness under California's business and consumer codes for lack of standing or failure to state a claim.

Although voicing skepticism over the chances for success, the court granted the plaintiff a month to amend his pleadings.

Laurence F. Pulgram, Sebastian E. Kaplan, and Tyler G. Newby, of Fenwick & West LLP, in San Francisco, and Kurtis J. Kearl, of Pandora, in Concord, Calif., represented Pandora.

Betsy C. Manifold, Francis M. Gregorek, Patrick H. Moran, and Rachele R. Rickert, of Wolf Haldenstein Adler Freeman & Herz LLP, in San Diego, and Joseph J. Siprut, of Siprut PC, in Chicago, represented the plaintiff.

Full text of the court's opinion is available at http://www.bloomberglaw.com/public/document/Yuncker_v_Pandora_Media_Inc_Docket_No_311cv03113_ND_Cal_Jun_23_20.

Request Bloomberg Law: Privacy & Data Security