In our last article, we examined the challenges plaintiffs encounter in bringing privacy and data breach claims, including difficulties establishing Article III standing, cognizable injury under state law, and the stringent requirements for class certification. Faced with the daunting problem of establishing an economic “injury” from the mere disclosure of personal data, plaintiffs have now begun to turn their attention to legal theories that do not require proof of actual damages. As we will see, some of these theories have gained legal traction, at least for the time being.

In the Sony Gaming Network data breach litigation, Sony faced a class action from consumers after a criminal intrusion into its PlayStation video game network. The original complaint alleged that plaintiffs faced an increased risk that their personal information would be misused. Finding that “the mere ‘damage of future harm, unaccompanied by present damage, will not support a negligence action,’” the court dismissed the case.

Thereafter, plaintiffs filed an amended complaint in which, among other things, they relied on several state consumer protection statutes that did not require proof of actual economic damage. To support their claims, plaintiffs alleged that Sony misrepresented in its PlayStation Network User Agreement and Privacy Policy that it provided reasonable security to its users, and that Sony’s network utilized “industry-standard encryption.” Plaintiffs’ amended complaint also included allegations that Sony omitted material information regarding its network security at the point of sale to consumers. According to the amended complaint, these consumers would not have purchased their consoles had they been aware of the truth regarding the network’s security.  

Even though Sony’s Network User Agreement and Privacy Policy were not provided to plaintiffs until after they purchased their consoles, the court found these allegations were sufficient to state claims for declaratory and injunctive relief under Florida and Michigan consumer protection statutes. According to the court, the alleged misrepresentations and omissions regarding the security of Sony’s network, particularly allegations that Sony would take “reasonable security measures” to safeguard personal data, could create an “overall misleading impression” to consumers. Going further, the court found that the allegations were sufficient to state claims for statutory damages under the consumer protection statutes of New Hampshire, and were also sufficient to allege “a loss of money or property” under the Missouri Merchandising Practices Act. The court also found that plaintiffs’ omission-based claims for the return of the purchase price of plaintiffs’ consoles passed muster under California’s consumer protection statutes.

The Sony case is not alone in refusing to dismiss claims based on misrepresentations in user agreements and privacy policies. In 2012, hackers infiltrated LinkedIn’s computer systems and posted millions of users’ stolen passwords on the Internet. The named plaintiff in the ensuing class action alleged she paid for a premium subscription, which provided her increased networking tools and capabilities. In her first amended complaint, the plaintiff alleged that she did not receive the benefit of her bargain with LinkedIn, and faced increased risk of future harm as a result of the 2012 hacking incident. The court rejected both theories based on lack of standing, finding that the promise of industry standard security had not been a part of the plaintiff’s bargain for premium services.

The plaintiff thereafter filed a second amended complaint, this time asserting that she read LinkedIn’s User Agreement and Privacy Policy prior to her purchase of a premium subscription. According to the second amended complaint, had LinkedIn disclosed or admitted to allegedly lax security practices, the plaintiff would either have attempted to purchase a premium subscription at a lower price or not at all. The court held that the new allegations were sufficient to confer standing under the “fraud” prong of California’s Unfair Competition Law because “the representation in LinkedIn’s Privacy Policy falls within the scope of the labeling/advertising cases” subject to the statute.

Despite these limited successes, claims of misrepresentation do not always fare well. For example, in a recent putative class action against Apple, plaintiffs alleged the company failed to adequately disclose that certain iPhone applications collected and disseminated the plaintiffs’ personal information, and that the company had designed its operating system to permit that practice. The plaintiffs also claimed that they relied on Apple’s alleged misrepresentations about privacy and data collection in purchasing their devices, and therefore overpaid for their purchase.

Although the plaintiffs asserted misrepresentation claims similar to those that initially survived scrutiny in the Sony and LinkedIn cases, the court granted summary judgment in Apple’s favor. According to the court, to establish standing under California’s Unfair Competition Law, the plaintiffs must set forth specific facts showing that they actually relied on Apple’s alleged misrepresentations about privacy and suffered economic injury as a result of that reliance. Although the court found there was a genuine issue as to whether the plaintiffs suffered an “injury in fact,” it concluded that “actual reliance” is an essential element of standing under Article III, and the plaintiffs failed to raise a genuine issue concerning that element.

As the recent Sony, LinkedIn, and iPhone cases demonstrate, consumer data breach litigation is slowly evolving beyond the initial pleading pitfalls that have doomed many cases to early dismissal. Claims of misrepresentations in user agreements and privacy policies are beginning to gain legal recognition, particularly where they occur at the point of sale. In addition, claims of violations of state consumer protection statutes, especially those that do not require proof of actual economic injury, have proven more resilient to early attacks on the pleadings.

In the next article in this series, we will examine how the emerging trends in consumer data breach litigation may impact companies considering their own end user agreements and privacy policies.