Not only is it Privacy Monday – it is OPENING DAY!   After this long, long winter … welcome back baseball!

It’s usually an end-of-season tradition for some baseball writers and announcers, but I like to revisit it in the spring for what is ahead “in a green field, in the sun” — one of the greatest odes to the game ever written:

It breaks your heart. It is designed to break your heart. The game begins in the spring, when everything else begins again, and it blossoms in the summer, filling the afternoons and evenings, and then as soon as the chill rains come, it stops and leaves you to face the fall alone. You count on it, rely on it to buffer the passage of time, to keep the memory of sunshine and high skies alive, and then just when the days are all twilight, when you need it most, it stops.   …  It breaks my heart because it was meant to, because it was meant to foster in me again the illusion that there was something abiding, some pattern and some impulse that could come together to make a reality that would resist the corrosion; and because, after it had fostered again that most hungered-for illusion, the game was meant to stop, and betray precisely what it promised.

Of course, there are those who learn after the first few times. They grow out of sports. And there are others who were born with the wisdom to know that nothing lasts. These are the truly tough among us, the ones who can live without illusion, or without even the hope of illusion. I am not that grown-up or up-to-date. I am a simpler creature, tied to more primitive patterns and cycles. I need to think something lasts forever, and it might as well be that state of being that is a game; it might as well be that, in a green field, in the sun.

Read “The Green Fields of the Mind” by A. Bartlett Giamatti here and hear him read it himself here.   Or, watch the epic James Earl Jones monologue from Field of Dreams here.

Enjoy Opening Day!

Now back to your regularly-scheduled Privacy & Security Matters programming — Opperman v. Path Inc.‘s Impact on Privacy Notices

Private litigants are emerging as an increasingly potent monitor of corporate privacy practices and a recent litigation over the collection of contact information from iPhone and iPad users provides some guidance on how software and mobile application developers should disclose their privacy practices to consumers.

In his recent ruling in the ongoing Opperman v. Path litigation, Judge Jon Tigar of the Northern District of California denied in part several motions to dismiss a putative class action against Apple and a handful of app developers. The decision keeps alive the Opperman plaintiffs’ claims that Apple misled consumers about its privacy practices, but it did not reach the merits of the case and Apple and the other app developer defendants have denied most of the Plaintiffs’ claims.

At issue are allegations that Apple designed to iOS to permit applications to access consumers personal contact directories without permission or consumer knowledge.  In allowing the case to move forward, Judge Tigar sent several signals to both application stores and app developers about structuring their privacy practices.

Background of the Case

The Opperman plaintiffs allege that between July 10, 2008 and February 2012, that Apple’s iOS operating system permitted app developers to access iPhone, iPad, and iPod Touch users’ personal address books and contact lists without the users permission or knowledge, and hid this fact from consumer using a “buzz advertising” campaign allegedly designed to ensure consumers that Apple’s iOS devices are safe.   Plaintiffs further alleged that Apple pushed app developers to build features into their apps designed to collect contact information, creating a situation where Apple allegedly helped app developers design products aimed at secretly gathering consumer data.

Apple and the app developers all have privacy policies and terms of use in place during the class period, and Apple’s specifically warned consumers that   iOS devices collected user information, including contact information.    Nevertheless, Judge Tigar sided with Plaintiffs, and has allowed their claims Apple and the app developers hid the collection of address and contact information from consumers to go forward.

Communicating Corporate Privacy Practices 

Judge Tigar’s decision to deny Apple and app developer defendants’ motions to dismiss expands private litigants’ ability to bring fraud claims based on companies’ privacy notices.   And it all but ensures such litigants will remain active in challenging companies’ privacy practice.  But the decision includes some generalized guidance on how companies should communicate their privacy practices.

The decision faults Apple for allegedly misleading statements made in a “buzz marketing” campaign.  If Judge Tigar’s decision survives, future plaintiffs need only show “circumstantial evidence” of reliance on false or incomplete statements about a product or service, even if those statements were not made by the company, to survive a motion a dismiss.  Based on this decision, software developers and platform providers should monitor statements about their product or service in the marketplace, and actively rebut incomplete statements to ensure they not dragged into court based solely on the market’s perception of their product.   Companies should also be sure to carefully vet advertising statements about privacy or data security to ensure such statements are factually accurate.

The decision also faults Apple for failing to disclose all “material” information in its privacy notices.   Apple had disclosed to its customers that it allowed app developers to access “contact” information stored on iOS devices.  But this disclosure proved insufficient to foreclose Plaintiffs’ claims that Apple was “actively concealing” its practice of allowing app developers to access contact information.  

The introduction of a materiality standard to privacy notices raises a host of issues and concerns, not least of which is how to measure whether an omitted fact is deemed material.  Nevertheless, Judge Tigar’s decision serves as a reminder that private litigants are scrutinizing privacy notices, and that companies should strive to completely describe their collection of personally identifiable information.