The issue of "standing" is a challenge in privacy litigation. To establish Article III standing, a requirement for federal litigation, a plaintiff must "show (1) it has suffered an 'injury in fact' that is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision."[1] In other words (admittedly over simplified), a plaintiff must show that she has already suffered a harm due to the defendant, and that the court has power to redress that harm. Otherwise, her case may be dismissed.
Courts generally find that standing does not exist because the alleged harm is speculative, rather than certainly impending.[2] Plaintiffs must show actual misuse of their private information; the mere risk of misuse is too speculative to create standing.[3] Accordingly, plaintiffs in privacy litigation must be especially careful to explicitly plead a concrete and particularized actual injury. Otherwise, like the sword of Damocles, the threat of dismissal dangles above a plaintiff's case by only a hair; ready to fall and gut the claim without a moment's notice. Or, in the case of In re Google, Inc. Privacy Policy Litigation, three years' notice.
Last month, a class action lawsuit accusing Google Inc. of disclosing Android app users' private information without permission was dismissed by a California federal judge due to lack of standing.[4] Android users, over the course of three separately amended complaints, claimed that Google violated its own privacy policy by disclosing personal information to mobile device app developers without the users' permission.
The Facts
Google has many products that the casual internet user likely makes use of from time to time: Android, YouTube, Gmail, Picasa, Voice, Google+, Google Maps, Docs, Google Play, and Reader. Each product has the ability to track a user's personal information. Prior to March 2012, Android devices had privacy policies that disclosed how some applications on an Android device may send information to Google, but the apps will do so in such a way that the user cannot be personally identified by that information. Google has always maintained a policy permitting the combination of information submited under your account with information from other services, but prior to March 2012 that policy was qualified. But, after March 2012, Google replaced these policies with a single, unified policy, which permits Google to comingle user data across accounts and disclose it to third-parties for advertising purposes.
As a result of Google's policy shift, app developers allegedly acquired the ability to obtain and review a user's personalized information. Here is how: To buy and download an Android app, a user must access Google Play. To access Google Play, the user must create a Google Wallet account. To create a Wallet account, a user must have a Google account and provide his or her name, username, country, and zip code. Requesting an app consumes resources such as battery capacity and bandwidth. So from 2012 to May 2014, the purchase of a paid app through Google Play allowed the app's developer to access the purchaser's name, email address and "the physical or geographical location associated with the Play account and/or the Android device used to download the application."[5] Android users then sued Google under many different theories. But after years of motion practice, only two remained: breach of contract and fraudulent unfair competition.
The Litigation
Google is no stranger to privacy litigation (see my May 14, 2015 post on Google wallet for an example), and indeed the company has been defending itself in this matter for three years. Google argued that plaintiffs did not allege that app developers actually accessed and misused Android users' information, and even if they did, a class action lawsuit is inappropriate; any allegation of harm would be so distinct and specific to each individual that a class action would not be an effective means for attaining relief for all. Basically: Android users have not shown that they have standing.
U.S. District Judge Paul Grewal acknowledged as much in the first two sentences of his opinion: "You might think that after three years of complaints, motions to dismiss, orders on motions to dismiss, leave to amend, amended complaints and more, at least the fundamental question of plaintiffs' Article III standing to pursue this suit would be settled. You might think that, but you would be wrong." [6] Android users always alleged that it was possible for developers to look up the record of a particular transaction on a Google server and also access the user's email and rough address, but never alleged that any app developer actually did so.
After Google's third motion to dismiss, the Court determined that the only alleged injury-in-fact "was the depletion of battery and bandwidth resulting from systemic, repeated transmission of personal information from Android devices to third-party developers." In response, Android users filed a third amended complaint, but as Judge Grewal noted, plaintiffs "managed something somewhat unusual: they pled themselves out of a case."[7] Plaintiffs' new complaint failed to allege that the transmission of personal information from their phones drains bandwidth and battery life, and now they claim they were injured without any actual disclosure of their information to third parties.[8] The Android users failed to show standing. Here is how:
No Injury
Plaintiffs merely alleged the possibility that app developers could review and misuse a user's information. Android users did not allege economic injury from any dissemination; they did not allege dissemination at all. Instead, plaintiffs alleged that misuse was possible, and that some third parties would be willing to pay large sums of money for a consumer database containing a user's information for mass marketing purposes, a similar theory to that alleged in the recent Ninth Circuit decision of In re Facebook Privacy Litigation.[9]
Standing existed in In re Facebook because plaintiffs alleged that they were harmed by the dissemination of their personal information by Facebook, and as a result the plaintiffs lost the sales value of that information. But the Android case can be distinguished. First, the Android information at issue is names and email addresses. This is information that plaintiffs concede is published freely through users' own work websites. Second, the Android users did not allege injury in the form of loss of the users' ability to sell their own information or its market value. The only alleged injury was loss of battery and bandwidth. So even if disclosure occurred, no real injury exists. That information could be misused at one point, but such an injury is far too speculative to establish standing.
Not Traced to Actions of Defendant
Plaintiffs did claim they suffered battery and bandwidth depletion, but the Court found no connection between that and the alleged breach of contract or unfair competition claims. Yes, when a user purchases an app there are transmissions back and forth between the user's device and Google's servers, but Plaintiffs never alleged that those transmissions contain any personal information. Plaintiffs also conceded that the transmission of data did not consist of a user's actual name and email address in human-readable form, but rather in computer readable pieces of information. The loss of battery life or use of bandwidth is not "fairly traceable to the challenged action," because the downloading of the app occurs before any record of the transaction or making available of information for lookup.
Injury cannot be Redressed
Finally, any injury (if one had been alleged) cannot be redressed by a favorable court decision. No changes to the receipt of information would alter the battery or bandwidth consumed in purchasing an app. The Court noted that "[e]ven if tomorrow this court ordered Google to cease making any transaction data whatsoever available to the developers from whom users purchase apps, it would not change the battery and bandwidth use of the purchase process at all."[10]
Android users may have thought they had a dream case, but the standing requirement turned their claims into a three year nightmare. The district court's decision did not create any new law, but it continued a trend that has dominated privacy litigation for years: the mere risk of future disclosure is not an Article III injury-in-fact. Until a plaintiff can show otherwise, courts will continue to find they have no leg to stand on.
[1] Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc., 528 U.S. 167, 180-81 (2000).
[2] Clapper v. Amnesty Int'l, 133 S.Ct. 1138 (2013).
[3] This trend could be changing, however, in light of the recent Seventh Circuit decision in Remijas v. Neiman Marcus Group, LLC, No. 14-3122 (7th Cir. Jul. 20, 2015). More on that in my next blog article.
[4] In re Google, Inc. Privacy Policy Litigation, No. 5:12-cv-001382 (N.D. Cal. Jul. 15, 2015).
[5] Id. at p. 5.
[6] Id. at p. 1.
[7] Id. at p. 2.
[8] Id.
[9] In re Facebook Privacy Litig., 572 F. App'x, 494 (9th Cir. 2014) (unpublished).
[10] Google, at p. 13.
