Thursday, December 27, 2012

230 doesn't yet bar suit against Apple over intrusive apps

Pirozzi v. Apple Inc., 2012 WL 6652453 (N.D. Cal.)

Pirozzi sued Apple for failing to prevent third-party software applications distributed through its online App Store from uploading user information from their mobile devices without permission.  She alleged the usual California claims.  Apple moved to dismiss, and the court granted the motion, though with leave to amend; the court also rejected Apple’s broad §230 arguments.

Pirozzi alleged that apps are integral to users’ experiences on Apple devices, and that the App Store was the exclusive source of apps.  Apple thus completely controls users’ experience, from the development of Apple devices to the development and selection of available apps.

In addition, Apple’s App Store Review Guidelines provide that “Apps cannot transmit data about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used.”  Third parties are contractually required to obtain user consent before they collect any user or device data through their apps.  Apple states that it reviews all apps submitted to the App Store for compliance with its rules.  It also claims that its OS “is highly secure from the moment you turn on your iPhone. All apps run in a safe environment, so a website or app can't access data from other apps. iOS also supports encrypted network communication to protect your sensitive information. To guard your privacy, apps requesting location information are required to get your permission first.”

Notwithstanding these claims, Pirozzi alleged, “Apple-approved apps have downloaded and/or copied users' private address book information (including names and contact information of users' contacts), location data, private photographs and videos without the users' knowledge or consent when a user agrees to allow an app to access the user's then current locations.”  Such apps allegedly include Angry Birds, Cut the Rope, Twitter, Facebook, LinkedIn, Instagram, Foursquare, and Yelp!

Pirozzi alleged that she relied on Apple’s statements when deciding to buy an Apple device and buy apps.  However, she didn’t specify which Apple device she owned, which apps she downloaded, or whether any third-party app actually uploaded personal information from her mobile device.

Apple challenged Pirozzi’s standing on the ground that she failed to allege that she lost money or that any third-party app uploaded her personal information.  But that misconstrued the nature of her allegations: that Apple’s misrepresentations and omitted material facts induced her purchases.  This type of allegation satisfies the injury in fact and causation requirements for Article III standing.  However, Pirozzi failed to allege specifically which statements were material to her purchase decisions, which meant she hadn’t properly alleged injury in fact caused by the complained-of conduct.  (Apple submitted various documents that it argued precluded these claims because of the disclosures therein; this might create an issue of fact as to reasonable reliance, but the disclosures didn’t contradict the representations alleged in the complaint.)

As for the second type of harm identified, misappropriation of her personal information, Pirozzi didn’t allege that a third-party app developer actually misappropriated her personal information, only that it was now at greater risk of misappropriation.  This hypothetical threat was insufficient to confer Article III standing as to her negligence and unjust enrichment claims, absent allegations of specific apps that tracked her personal information and harmed her in some way.

Apple then argued that CDA §230 precluded the claims against it because, since misappropriation of users’ information was the heart of the case, Pirozzi was seeking to hold Apple liable for its exercise of editorial discretion in approving and distributing apps.  Not so: the claims were not based solely on the distribution of apps, but on representations made by Apple itself.  “To the extent that Plaintiff's claims allege that Apple's misrepresentations induced Plaintiff to purchase an Apple Device, those claims do not seek to hold Apple liable for making Apps available on its website.”  Instead, Apple was itself an information content provider as to those claims.  Still, on the record before the court, it would be premature to reject §230 immunity entirely.

Next, the consumer protection claims were grounded in fraud, but they didn’t satisfy Rule 9(b).  Pirozzi failed to allege the particulars of her own experience reviewing or relying upon any of the statements detailed in the complaint, or which devices or apps she bought in reliance thereon, or which apps, if any, downloaded her personal information.  The court declined to decide at this point whether any of Apple’s alleged representations was a specific verifiable claim.

Apple then argued that the CLRA claim failed because App Store users weren’t consumers and the apps weren’t goods or services.  The use of the App Store was free and the apps listed in the complaint were free.  (Angry Birds?  I don’t know about you, but they keep asking me to buy stuff.)  Thus, Pirozzi wouldn’t have paid for Apple’s services or software.  Pirozzi argued that her CLRA claim was premised on her purchase of goods, here Apple devices; the complaint didn’t say that, but she was given leave to amend.

As to negligence, Pirozzi alleged that “Apple owed a duty to Plaintiff to protect her personal information and data, and to take reasonable steps to protect her from the wrongful taking of her personal information and the wrongful invasion of her privacy.”  Apple argued that it owed no such duty to protect her from the conduct of third parties.  Pirozzi rejoined that Apple’s control over the user experience from development of the devices to selection of the available apps created a special relationship between the parties, and that Apple undertook this duty by committing to review all apps for adherence to its policies.  The court found that these allegations were insufficient to allege an independent legal duty on Apple’s part.  Likewise, her allegations that Apple was unjustly enriched failed to sufficiently allege that Apple received a benefit from the unauthorized access to private user information.
