Lawsuits concerning alleged misuse of personally identifiable information (“PII”) are on the rise. According to the United States General Services Administration, PII “refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other personal or identifying information that is linked or linkable to a specific individual.” Although this once meant information as private as a Social Security Number, the definition has expanded to include, among other things, email address and online usernames and passwords. Recently courts have begun scrutinizing whether or not consumers have standing to assert claims relating to PII. In response, some consumers have brought lawsuits alleging a loss of value to their PII. These consumers make the argument that PII is akin to personal property, and that unauthorized distribution of PII diminishes the value of such PII, thus harming the affected consumers.
Recently, a California federal court in Yunker v. Pandora Media, Inc. held that a dilution of value to PII due to unauthorized sharing is insufficient to bring a claim. The Yunker case concerned the Pandora App. When a user downloaded the Pandora App, Pandora gathered PII about the user, including user age, gender, location and a universally unique device identifier. The Pandora App was integrated with advertising libraries such as AdMob, Ad-Marvel, comScore (SecureStudied), Google.Ads, and Medialets. These advertising libraries operated in the background while Pandora users navigated the App. The libraries collected significant PII which was later packaged and sold by the libraries.
The Court Denies Standing for Pesonally Identifiable Information Claim
The court in Yunker rejected the plaintiff’s dilution theory. The court reasoned that plaintiff’s complaint failed to allege that he attempted to sell his PII, that he would do so in the future or that he was foreclosed from entering into a value for value transaction relating to his PII as a result of Pandora’s conduct. Critically, the court reasoned that plaintiff never alleged that, had he known how Pandora intended to use his PII, he would not have downloaded or used the Pandora App.
Another Court Finds Standing
Two years before Yunker was decided, another federal court refused to dismiss a PII loss of value claim on the basis of standing. In Claridge v. RockYou, Inc., the plaintiff was a registered account holder with RockYou, a publisher and developer of online services and applications for use with social networking sites, such as Facebook, MySpace, hi5 and Bebo. Customers of RockYou provided email addresses, registration passwords and social media usernames and passwords, which RockYou would store in its database. The plaintiff in Claridge alleged that RockYou promised that it would safeguard its users’ PII. Despite this assurance, RockYou was informed by an online security firm that there was a flaw in RockYou’s system that allowed hackers to take advantage of web software to introduce malicious code into its network. The plaintiff alleged that RockYou did not respond to this information timely and sued. Specifically, the plaintiff alleged that RockYou’s customers, including the plaintiff, “paid” for the products and services that they “purchased” from RockYou by providing their PII, and that the PII constituted valuable property that was exchanged for RockYou’s promise to employ commercially reasonable methods to safeguard the PII that was exchanged. The court refused to dismiss the complaint, focusing on both the extremely sensitive nature of the PII at issue and the fact that there was a breach in RockYou’s servers. Although the court expressed doubt that the plaintiff could ultimately prove damages, the lawsuit was nevertheless allowed to proceed.
Defending Pesonally Identifiable Information Lawsuits
Individual consumers, as well as class action plaintiffs’ lawyers, are likely to continue to seek to use the diminution of value theory to assert claims for unauthorized use of, or access to, PII. Therefore, it is critical for companies that collect and store PII to retain counsel to both review and revise privacy policies and aggressively defend them in litigation.