On Friday, September 8, Yelp became the latest mobile application maker to be held to account for potentially violating users' privacy. The plaintiffs in a long-running class action lawsuit allege that Yelp and other app developers improperly uploaded address book data from their phones without their consent. The court's ruling on Friday denied Yelp's motion for summary judgment on those claims. (Of course, it's important to recall that failing to defeat a claim on summary judgment is not the same thing as being found liable. Yelp can continue to defend itself against the lawsuit, but will have to do so based on the facts of the case, knowing it's possible that plaintiffs will win if they prove what they say they can prove.)
Like so many other social media sites and mobile apps on the market, Yelp has included a "Friend Finder" feature in its app since 2010. Such features mine the contact information on a user's phone and suggest that the user connect with those contacts within the Yelp service as well. For the first two years this feature was in place, a popup dialog box gave users the option of whether or not to run the friend-finding feature. The language of these warnings changed over time, but not until 2012 did the message alert users that their contact information was being uploaded to Yelp.com. That change came about only as a result of Apple's internal investigation of app privacy practices and its resulting instruction to Yelp.
Therefore, plaintiffs now allege that, between 2010 and 2012, Yelp was committing the common law privacy tort of "intrusion into seclusion" by "surreptitiously obtaining, improperly gaining knowledge, reviewing and retaining Plaintiffs’ private address books (or substantial portions thereof) as stored in the Contacts App on Plaintiffs’ iDevices." This cause of action has two elements: (1) intrusion into a private place, conversation or matter, (2) in a manner highly offensive to a reasonable person.
Plaintiffs' claim survived as to the first element because Yelp could not prove it had sufficient consent from its users. Neither the pop-up dialog box within the app nor the privacy policy to which users agreed when creating their accounts specifically said that contact data would be uploaded to Yelp.com. Various versions of the text did say the app would "find" or "look at" the contact data, but none ever said "upload." The Court found this distinction to be critical:
Although this distinction may strike some as purely semantic, the Court made clear that "consent is defined by the scope of its terms," and that those terms will be read very strictly. That includes the degree of consent, because even though users allowed Yelp to view the data, that did not translate into consent for its further transmission to a remote server. The Court was likewise unpersuaded by the apparent fact that the app could not meaningfully even "look" at the data without uploading it. Although it remains possible for Yelp to prove that the average, reasonable user would understand this, "that is a question for the jury, not this Court."
Similarly, the Court declined to rule as a matter of law whether the alleged intrusion was "highly offensive." It noted that the iPhone itself has not even been in existence for 10 years, "and the prospect of an application developer taking advantage of a user’s contacts data is even newer still." Therefore, the Court was particularly hesitant to substitute its own judgment for public "customs and habits [that] are very much in flux." It did, however, include a subtle plea that "[p]erhaps a democratically elected legislature will embody the community standards in a statute," thus sparing judges from having to weigh such arguments in the future.
Rulings like this one are a wake-up call to the app development industry. We are beginning to emerge from the "Wild West" stage of legal development in this area--where anything seemed to be fair game because no one knew what the rules were for user data--into a regulatory environment that is motivated to justify the continued vitality of privacy law in a digital world. Although this one preliminary ruling from a single judge is a far cry from precedential rule of law, it does come from an influential court (the U.S. District Court for the Northern District of California, which encompasses Silicon Valley) and attempts to stitch together a coherent approach. The Perkins case that this ruling distinguishes, for example, was one in which the court found that LinkedIn's disclosure was sufficiently specific to cover the collection of friend-finding data and the sending of an invitation email to those friends--but was not sufficient to justify LinkedIn's follow-up emails to those same contacts. And the other defendants in Yelp's case include such notable app publishers as Twitter, Instagram and Rovio.
The primary takeaway for app developers, then, is to disclose, disclose, disclose. Be sure your app makes users aware of whatever collection or use of data your app makes. You may think the disclosure will scare users off from using your app, but that risk (even if accurate, which it often isn't) probably isn't worth the headache of being the subject of a lawsuit like this one.
Also, have a lawyer parse your disclosure language ahead of time, and revisit it on a regular basis to see if it needs updating. Yes, many tech companies, especially startups, are often allergic to legal fees. But it's so much easier to spend a few bucks on prevention than to bet the company on hundreds of thousands of dollars in defense costs later.
Just think about how much money Yelp would've saved if a lawyer had told them to say "upload" instead of "look at."