Mobile

Subscribe to Mobile via RSS

This past week, the operator of the popular Weather Channel (“TWC”) mobile phone app entered into a Stipulation of Settlement with the Los Angeles City Attorney, Mike Feuer (“City Attorney”), closing the books on one of the first litigations to focus on the collection of locational data through mobile phones. (People v. TWC Product and Technology, LLC, No. 19STCV00605 (Cal. Super., L.A. Cty, Stipulation Aug. 14, 2020)). While the settlement appears to allow TWC to continue to use locational information for app-related services and to serve advertising (as long the app includes some agreed-upon notices and screen prompts to consumers), what is glaringly absent from the settlement is a discussion of sharing locational information with third parties for purposes other than serving advertising or performing services in the app. Because applicable law, industry practice and the policies of Apple and Google themselves have narrowed the ability to share locational information for such purposes, the allegations of the case were, in a sense, subsumed in the tsunami of attention that locational information sharing has attracted. While some are viewing this settlement as a roadmap for locational information collection and sharing, in fact the settlement is quite narrow.

This past March, many organizations were forced to suddenly pivot to a “work from home” environment (“WFH”) as COVID-19 spread across our country.  However, many companies did not have the necessary technical infrastructure in place to support their full workforce on a WFH basis.  Often, remote access systems were configured assuming only a portion of a company’s employees – not 100% of a company’s employees – would be remotely accessing the corporate networks simultaneously.  In addition, many employees have limited home Wi-Fi capacity that is insufficient to sustain extended, robust connections with the office systems.  Networks can then become overloaded, connections dropped, and employees can experience extended latency issues, frozen transmissions and the like.

As a result, many employees are using a work-around — often with their employer’s knowledge and approval.  They connect their personal devices to their employer’s network to download what they need from the network, but disconnect to perform the bulk of their work offline.  On a periodic basis and upon the completion of the task at hand, those employees then typically upload or distribute the work product to the organization’s network.

In continuing its push to enforce its terms and policies against developers that engage in unauthorized collection or scraping of user data, Facebook brought suit last month against mobile marketing and data analytics firm OneAudience LLC. (Facebook, Inc. v. OneAudience LLC, No. 20-01461 (N.D. Cal. Complaint filed Feb. 27, 2020)). Facebook alleges that OneAudience harvested Facebook users’ profile data and device data in contravention of Facebook’s terms and developer policies. OneAudience purportedly gathered this data by paying app developers to bundle OneAudience’s software development kit (SDK) into their apps and then harvesting data for those users that logged into those apps via Facebook credentials.

Last week, Democratic Senators Ron Wyden and Sherrod Brown and Congresswoman Anna Eshoo sent a letter to FTC Chairman Joseph J. Simons urging the agency to investigate whether analytics firm Envestnet, Inc. (which operates Yodlee) was violating the FTC Act.

According to the letter, Yodlee is the largest consumer financial data aggregator in the United States.  It aggregates financial information from banks, credit card companies and other financial services providers with consumer consent, and maintains a database of credit and debit card transactions of tens of millions of consumers. The letter asserts that Yodlee is used by over 1,200 companies to offer online personal finance tools to consumers.  Yodlee offers its software and platform to fintech providers, banks, financial apps, consumers and others to help process financial data from various sources.

The crux of the letter claims that Envestnet sells access to such consumer data without meaningful notice to consumers of such sale.  The members of Congress reject Envestment’s position that consumer privacy is protected because the data it sells is anonymized, and claim that Envestnet does not inform consumers that their personal financial data is being sold, but rather relies on its partners to make such disclosures in privacy policies or terms of service. The letter asserts that this is not sufficient, as Envestnet does not appear to take any steps to ensure that its partners give such notice, and even if they did, such practices place the burden on consumers to find such a notice “buried in small print” and then search for a way to opt out of such data sharing.

In an important opinion, the Ninth Circuit affirmed a lower court’s ruling that plaintiffs in the ongoing Facebook biometric privacy class action have alleged a concrete injury-in-fact to confer Article III standing and that the class was properly certified. (Patel v. Facebook, Inc., No. 18-15982 (9th Cir. Aug. 8, 2019)). Given the California district court’s prior rulings which denied Facebook’s numerous motions to dismiss on procedural and substantive grounds, and the Illinois Supreme Court’s January 2019 blockbuster ruling in Rosenbach, which held that a person “aggrieved” by a violation of the Illinois Biometric Information Privacy Act (“BIPA”) need not allege some actual injury or harm beyond a procedural violation to have standing to bring an action under the statute, the Ninth Circuit’s decision was not entirely surprising. Still, the ruling is significant as a federal appeals court has ruled on important procedural issues in a BIPA action and found standing. The case will be sent back to the lower court with the prospect of a trial looming, and given BIPA’s statutory damage provisions, Facebook may be looking at a potential staggering damage award or substantial settlement.     

In a recent blog post, we wrote about how the Second Circuit found the arbitration clause in a web service’s terms and conditions unenforceable because the user did not have reasonable notice of the terms that were communicated via a hyperlink in a post-sale email. In contrast, a New York district court recently upheld an arbitration clause in Coinbase’s account registration process and granted its motion to compel arbitration concerning claims brought by a user (Sultan v. Coinbase, Inc., No. 18-934 (E.D.N.Y. Jan. 24, 2019)).

This case sheds further light on the do’s and don’ts of online electronic contracting and the enforceability of app-based terms and conditions. The decision reinforces the point that for purposes of establishing a binding agreement with a user – particularly in the context of a mobile app – simplicity and clarity of the user interface is desired. And, in particular, this case reinforces the point that has been illustrated in many cases before that the design of user registration pages should be done with the input of legal analysis as to likely enforceability.

Yesterday, Los Angeles City Attorney Mike Feuer filed an unfair competition lawsuit on behalf of the People of the State of California against the operator of the popular Weather Channel app (“TWC app”) for allegedly failing to conspicuously disclose to users that the TWC app collects and shares users’ mobile geolocation data. (People v. TWC Product and Technology, LLC (Cal. Super., L.A. County)).  In essence, the suit alleges that the TWC app mines users’ precise geolocation data after receiving permission to gather location information to provide “personalized local weather data” without also adequately disclosing that the app also packages this data trove for advertising and analytics services unrelated to weather reporting. The City is seeking injunctive relief and civil penalties under state law for this alleged unfair business practice.  Feuer held a press conference today further detailing the State’s position in this lawsuit and expressed his hope that this case would spur litigation in other jurisdictions and legislation on the issue.

This post discusses some of the contractual requirements imposed by Apple and Google regarding the collection and sharing of locational information.  What consents, if any, do Apple and Google require that app publishers obtain before collecting and using locational information?  This is a question that is being asked with increasing frequency.  In fact, a regular beat of media coverage on the issue  (see, e.g., here or here), has reached crescendo levels with a much-discussed article this past week in the New York Times. Coincidentally (or maybe not?), the NYT article was published the day before Google CEO Sundar Pichai testified before the House Judiciary Committee on Google’s privacy and data collection practices, among other things.

Last week the WSJ published an article detailing how companies are monetizing smartphone location data by selling it to hedge fund clients.  The data vendor featured in the WSJ article obtains geolocation data from about 1,000 apps that fund managers use to predict trends involving public companies.  However, as we’ve