Merely Monitoring App Activity Data Does Not Support a Claim Under California’s Invasion Of Privacy Act, But Is It Sufficient To Allege (Common-Law) Invasion of Privacy?
In the ongoing action related to Alphabet Inc.’s alleged monitoring and tracking of non-Google applications on Android devices, McCoy V. Alphabet, Inc. et al., No. 5:20-cv-05427, the Northern District of California recently granted Defendant a sweeping victory on most of Plaintiffs’ allegations, albeit with leave to amend. In a 25-page order on Defendant’s motion to dismiss, the court made it poignantly clear that “…disclosure of common, basic digital information to third parties [were not] as serious or egregious violations of social norms” to “adequately plead claims for invasion of privacy or intrusion upon seclusion”. However, failing to heed the court’s instruction, Plaintiff recently filed an amended complaint that in many respects fails to cure its predecessor’s pleading deficiencies.
This case, which was filed by Plaintiff Robert McCoy in August 2020, on behalf of himself and a class of “millions of [Android users] individuals” asserts multiple claims against Google Inc. and its parent corporation Alphabet, Inc. McCoy voluntarily dropped Alphabet Inc. from the suit two months after filing the complaint. McCoy essentially alleges that Google has built an internal program in its Android smartphones, called Android Lockbox, which allows the company to allegedly monitor and collect sensitive personal data on users when they interact with non-Google applications (“apps”) on their smartphones. McCoy also alleges that this is done without obtaining meaningful consent or providing adequate disclosures as required by law.
In its motion to dismiss the complaint, Defendant made it abundantly clear that the “app activity data” which Plaintiff was alleging was improperly being collected, “was not tied to any personally identifiable information, was anonymized, and was aggregate.” (emphasis added). Thus, despite Plaintiff’s repetitive stance that Defendant collected so-called “sensitive personal information,” Plaintiff was unable to convince the Court that the nature of information which Defendant was gathering, i.e. “the frequency and duration of use of certain apps,” raised to the “requisite level of an egregious breach of social norms or intrusion in a manner highly offensive to a reasonable person.” Also, although pled separately, the Court considered Plaintiff’s allegations under Article I, Section I of the California Constitution and the common law invasion of privacy – intrusion upon seclusion together (on the basis they were related) and deemed both to be insufficiently plead.
In regard to Plaintiff’s claim under California’s Invasion Of Privacy Act (“CIPA”), CIPA makes it unlawful for any person to use a “machine, instrument, or contrivance” to “intentionally tap, or make any unauthorized connection . . . with any telegraph or telephone wire, line, cable, or instrument” or to read, attempt to read, or learn the “contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line or cable” without the consent of all parties to the communication. Plaintiff here alleges that Defendant collected data on when and how often an Android Smartphone user opens and runs non-Google apps and the amount of time spent on the apps. This alone, the Court opined was “more akin to log in activities”, and not sufficient to plead a CIPA violation.
Following the Court’s ruling, Plaintiff filed his amended complaint earlier this week, but in relation to Plaintiff’s CIPA and Constitutional and Common-Law Privacy Claims, the allegations remain substantively the same. Plaintiff specifically (re)alleges:
92. The confidential and sensitive data, which Defendant monitored, transmitted, and disclosed without Plaintiff’s and Class members’ authorization and/or consent included, inter alia, how long Plaintiff’s and Class members’ use certain apps and how often apps were open. Plaintiff and Class members had a legally protected informational privacy interest in the confidential and sensitive information as well as an autonomy privacy interest in conducting their personal activities without observation, intrusion, or interference.
93. Defendant’s actions constituted a serious invasion of privacy that would be highly offensive to a reasonable person in that: (i) the invasion occurred within a zone of privacy protected by the California Constitution, namely the collection and stockpiling of unnecessary information by businesses without consent, and the misuse of information gathered for an improper purpose; (ii) the invasion deprived Plaintiff and Class members of the ability to control the circulation of their personal information, which is considered fundamental to the right to privacy.”
As indicated above, despite the Court’s clear and detailed order, Plaintiff’s amended complaint makes no substantive addition to its previously dismissed CIPA, and Constitutional and Common-Law Privacy Claims. Moreover, with the entire premise of these claims resting on the alleged improper tracking of Plaintiffs’ app-activity, it remains unclear how these claims would survive another potential motion to dismiss. At the motion to dismiss hearing, Plaintiff also conceded to dismissing his CCPA claim, because there was no allegation of a security breach in the complaint. Defendant’s motion to dismiss Plaintiff’s allegations for breach of contract, California Civil Code § 1709, California Unfair Competition Law and request for relief under the Declaratory Judgment Act was denied, so those claims remain as initially pled, in the amended complaint. Keep following for more on this case.