On May 14, a judge in the Northern District of California granted in part and dismissed in part four motions to dismiss filed by defendants in the consolidated class action, Opperman v. Path (No. 3:13-CV-00453-JST). The plaintiffs alleged that apps offered by a number of developers (“App Defendants”) accessed and uploaded information from plaintiffs’ mobile devices—including contact information—without plaintiffs’ knowledge or consent. The plaintiffs further alleged that, among other things, Apple had control over these apps, failed to exclude the apps from its App Store, and misrepresented that private information could not be accessed by third-party apps without the user’s express consent. The FTC made similar allegations last year when it claiming that Path deceived customers by collecting contact information from users’ mobile address books without notice and consent. Path settled these charges by entering into a consent decree in February 2013.
The Opperman plaintiffs asserted violation of several common law claims as well as eleven statutory claims—among them, violation of California’s Comprehensive Computer Data Access and Fraud Act (“CDAFA”), California’s Wiretap / Invasion of Privacy Act, the federal Computer Fraud and Abuse Act (“CFAA”), and the Electronic Communications Privacy Act (“ECPA”).
The court found that, as a threshold matter, plaintiffs had standing to bring claims against the defendants in federal court because plaintiffs pled violations of statutes that authorized private rights of action.
Having established plaintiffs’ standing to sue, the court went on to discuss the plaintiffs’ individual claims. Among them were allegations that the defendants violated the CDAFA, which imposes liability on any person who knowingly accesses a computer, computer system, or computer network “without consent.” Plaintiffs argued that, even though they voluntarily downloaded the apps, defendants’ access was “without consent” and therefore in violation of the CDAFA because plaintiffs “did not know that the apps contained the malicious code at issue.” The court rejected this argument, noting that the question was not whether plaintiffs “grant[ed] permission” to the apps to copy their address books; instead, it was whether the apps overcame “technical or code based barriers” in order to access the information. Because plaintiffs voluntarily installed the applications and there was no allegation that the apps overcame technical or code based barriers, the court found that plaintiffs failed to allege the access was “without consent” and dismissed plaintiffs’ claims under the CDAFA. The court also dismissed plaintiffs’ CFAA claims against the App Developers on the same grounds.
The court also dismissed plaintiffs’ claim that the App Defendants violated Title I of ECPA (i.e., the Wiretap Act), which generally prohibits the intentional interception of electronic communications. According to the court, ECPA requires that the interception of communications be contemporaneous with the transmission. Plaintiffs alleged that they met the contemporaneous interception requirement because the apps caused the devices to “send information from the user’s Contacts from the iDevice’s storage memory to processors and active memory being used by the app” and then “simultaneously intercept[ed] that transmission.” The court disagreed with what it called a “tortured” argument, and dismissed the ECPA claims. The court also dismissed plaintiffs’ claims under the Texas Wiretap Acts and the California Invasion of Privacy Act on the same grounds.