Privacy Case Against Yahoo Is on Its Last Legs
SAN JOSE, Calif. (CN) - Yahoo batted down most claims that it uses emails from nonsubscribers to target advertising but will still face electronic-storage claims, a federal judge ruled.
Four people who do not use Yahoo but have sent emails to Yahoo subscribers since October 2011 filed suit last year, claiming that the company violates federal and state wiretapping laws - and privacy rights - by scanning their emails to better target advertising at its own subscribers.
In addressing a motion to dismiss the now-consolidated class action, U.S. District Judge Lucy Koh on Tuesday acknowledged that Yahoo's rigorous terms of service establish explicit consent from its users to scan and analyze all emails for targeted advertising, this protecting it from the wiretap portion of the Electronic Communications Privacy Act.
"The court concludes that the terms of service establishes explicit consent by Yahoo Mail users to Yahoo's conduct," Koh wrote. "In light of the clarity of the language in this disclosure, to which Yahoo Mail users agreed when creating an account, the court finds that the ATOS provides explicit and sufficient notification to Yahoo Mail users that any communication sent via Yahoo Mail will be scanned and analyzed for the stated purposes of providing personal product features, providing targeted advertising, and detecting spam and abuse. By agreeing to the ATOS, Yahoo Mail users consented to such conduct. Plaintiffs provide no convincing argument to the contrary other than to say that 'the ATOS does not explicitly inform Yahoo Mail users what Yahoo does with the contents of its users' email.'"
Nonusers fared better, however, with their claim that the company shares data stored on its own servers with third parties in violation of federal law.
"Yahoo's own frequently asked questions page admits that Yahoo shares email content with third parties," Koh wrote. "Under these circumstances, the court concludes that plaintiffs have plausibly alleged that Yahoo improperly disclosed 'contents' of email communications to third parties."
The company must also face a claim under the California Invasion of Privacy Act, which shields the right to privacy by prohibiting electronic eavesdropping. Koh had no patience for Yahoo's attempted to quibble over whether the emails were "in transit" or "in storage" when they were scanned and analyzed - the latter being expressly prohibited.
"The court must defer resolution of whether Yahoo accessed the emails only after the emails were on Yahoo's servers until after discovery makes clear where and how Yahoo's scanning technology intercepted the emails," Koh wrote. "Thus, the court rejects Yahoo's first argument that CIPA does not apply."
She continued: "Yahoo's second argument that CIPA should not apply when an email has reached Yahoo's servers - based on allegedly illogical implications that would result from applying CIPA's all-party consent provision to such emails - similarly assumes the emails were on Yahoo's server when intercepted, which this court cannot assume at this stage. Even if the court could make such an assumption, the court would still have to reject Yahoo's argument that the court should find the emails at issue were not 'in transit' when intercepted because that would contradict the allegations in the complaint, which the court must accept as true. Thus, the court rejects Yahoo's second argument why CIPA does not apply."
As for the invasion-of-privacy claim under the California Constitution, no courts have addressed whether privacy protections should be extended to all email communications in general - regardless of whether or not they contain sensitive or confidential information, Koh found.
The plaintiffs have 21 days to fix their complaint or face full dismissal of the suit, Koh concluded.