Despite Apple, Inc.’s best efforts, a federal judge in the Northern District of California has refused to dismiss the amended complaint filed against them due to the company’s practice of tracking users using the unique device identifiers (UDID) connected to every iPhone and iPad sold. As you may recall from our earlier alert, the judge dismissed the claims last year due to failure to plead standing because the claims of harm were too generalized. The plaintiffs have now amended their claims to demonstrate their Article III standing to bring the case in federal court. In essence, the plaintiffs have claimed that the case “boils down to personal privacy in the form of control over personally identifiable information and data resources.”
In accepting the plaintiffs’ new grounds, the court’s finding is similar to the way that personal information has been viewed in recent cases governing data breaches. For example, in Claridge v. RockYou, Inc., No. 09-6032 (N.D. Cal. 2011), the judge declined to dismiss the plaintiffs’ breach of contract, implied contract and negligence claims concerning a data breach of the RockYou website, which exposed the data of 32 million users. RockYou attempted to dismiss the case for lack of standing, arguing that there was no value to the released information and no injury to the plaintiffs, as has been a common defense in past data breach cases. In response, the plaintiffs argued that their e-mail addresses and log-in information carry a monetary value and can be traded on the black market. The court accepted the plaintiffs’ references to other cases and materials that accepted this value. Likewise, the cost to mitigate damages (credit monitoring services) may be considered in determining the damages for the case. The court in the Apple case appears to now be viewing personal information similarly to how it was viewed in Claridge.
All entities that collect personal information should be aware of the Apple case and the RockYou case. While the Apple case involves tracking and the RockYou case is more focused on a data breach, both cases turn on the value of personal information. As courts begin to find more value in personal information, the barriers to plaintiffs in filing lawsuits over the use and misuse of their information may become more common. In preparation, every entity collecting, storing, and transferring personal information should take care to properly protect it and to obtain all necessary consents.