Data-Mining Privacy Suit Against Yelp Advances

SAN FRANCISCO (CN) — Yelp cannot escape claims that it invaded Apple device users’ privacy by uploading their personal data without consent, a federal judge ruled Friday.
Yelp is one of 14 app developers accused of using a “find friends” feature to mine users’ contacts without their permission.
The consolidated class action stretches back to 2012 when lead plaintiff Marc Opperman sued Apple, Yelp and others for claims of privacy invasion.
During a hearing last month, a Yelp attorney argued app users authorized the crowd-sourcing, business review company to use their contact lists to identify other Yelp users.
But the plaintiffs countered Yelp never disclosed it would upload the contacts to its own server in a manner so insecure that even an “unsophisticated hacker” could access the data.
In a Sept. 9 ruling, U.S. District Judge Jon Tigar denied Yelp’s motion for summary judgment, finding that several pieces of evidence suggest Yelp did not explicitly disclose its intent to upload the contact information.
Yelp argued the plaintiffs had consented to the upload twice — first when agreeing to its terms of service and privacy policy when first registering as users and again when authorizing the app’s friend finder function.
But Tigar found it was “unclear” whether Yelp’s off-screen, privacy policy terms, which could only be accessed through a hyperlink, provided adequate notice.
Yelp further maintained that it needed to upload the data to match users’ contacts with its registered users, and that plaintiffs need not understand every detail of how the process worked to give consent.
Tigar rejected that argument, finding those details matter if the app maker’s conduct goes beyond what the plaintiffs reasonably believed they consented to.
The judge also rebuffed Yelp’s claim that the Copyright Act preempted any claims against it for merely reproducing email addresses and other information not protected by copyright law.
Tigar said the plaintiffs “do not allege that Yelp violated their privacy rights by simply reproducing or copying the address book data.”
The upload and analysis of their contacts is what forms the basis of the privacy claims, Tigar added.
Ultimately, the judge found the parties’ dueling narratives present a “triable issue of fact” that can only be decided by a jury.
“Fundamentally, this case is about whether Apple’s conduct and that of application developers violated community norms of privacy,” Tigar wrote in his 21-page ruling. “A ‘reasonable’ expectation of privacy is an objective entitlement founded on broadly based and widely accepted community norms.”
“The Court accepted the fact that Yelp only accessed the email addresses of a user’s contacts to help them find friends on Yelp after receiving consent to do so, and did not save or misuse that information,” Yelp spokeswoman Rachel Youngblade said. “Nonetheless, the Court appears to state that an online mobile app must inform a user any time data is transmitted from their phone to the online company to make the app work. We disagree, and think that users already understand that online apps require information to be transmitted online.”
Class attorney Nicholas Carlin called the ruling significant because it means the plaintiffs are likely to prevail in any future summary judgment motions filed by other app developer defendants.
“The judge ruled that we didn’t have to prove that they did anything with the data beyond what they did in that case — uploading it and storing it,” Carlin said in an interview, addressing the defendants’ argument that they were only liable if they used the data for marketing or other purposes.
“The use of the data that was not consented to for plaintiffs was sufficient to at least go to the jury and find out if it was sufficiently offensive and constituted an invasion of privacy,” Carlin added.
Carlin is with Phillips Erlewine Given & Carlin in San Francisco.
In July, Tigar certified a class of 480,000 Apple device users whose contact data was uploaded by the social network app Path between November 2011 and February 2012.
Tigar indicated at an August hearing that he plans to try the Apple and Path case separately to help form a roadmap for the remainder of the class action.
The parties are expected back in court on Nov. 15 to argue the plaintiffs’ motion to certify a larger class of all U.S. residents who purchased Apple devices prior to Feb. 8, 2012. That’s when Apple implemented new safeguards to prevent “malicious apps” from stealing users’ private data, according to the motion.
Other app developers named as defendants in the lawsuit include Twitter, Instagram and “Angry Birds” maker Rovio.

%d bloggers like this: