A California mom is suing Disney and some of its software partners for allegedly collecting personal information about her kids through mobile phone game apps. I was on the TODAY show this week talking about it.
Within days, the same mom also sued Viacom.
There’s a novel legal argument in these cases that I’m going to watch with great interest; an “intrusion upon seclusion” claim that I hadn’t seen before. If the mom — and potentially others, if class-action status is granted — succeed at winning such a claim and collecting damages, it could open doors to a new kind of privacy lawsuit.
The Disney allegations, which the firm denies, are what you’d expect. The suit claims Disney software places unique identifiers on mobile phones which can track app users — both in and out of game play — so Disney’s partners can serve targeted advertising. You can expect the usual debate about what constitutes personal information. Corporations that want to target ads usually claim they anonymize such data. Privacy advocate say that’s bunk. With just a few data points, people can be pretty precisely identified.
Federal law — the Child Online Privacy Protection Act, or COPPA — has strict rules about what can be collected from kids under 13. The Federal Trade Commission has weighed in on the issue, making clear that unique identifiers fall under COPPA, meaning they generally shouldn’t be used or collected when kids are involved.
The lawsuit claims Disney and its partners violated COPPA, but that doesn’t really get her far. COPPA does not provide a “private right of action.” Consumers can’t sue “under COPPA” and get anything; they can merely ask a federal agency (the FTC) to fine the violator.
So lawyers in the case have seized upon the “intrusion upon seclusion” tort. From what I can tell, this legal strategy is generally used when someone’s physical space is violated — as in sneaking into a home or hotel room. It has been used in previous digital privacy cases, however, said Douglas I. Cuthbertson, a lawyer at the firm pressing the case. He cited invasion of privacy cases involving Vizio (Smart TVs) and Nickelodeon (Tracking videos watched; click for more). Both recently survived dismissal motions. It remains to be seen how much the cases are worth to plaintiffs, however.
According to Harvard’s publication of the American Law Institute’s guide to torts, here’s what ‘Inrusion Upon Seclusion” requires:
“The invasion may be by physical intrusion into a place in which the plaintiff has secluded himself, as when the defendant forces his way into the plaintiff’s room in a hotel or insists over the plaintiff’s objection in entering his home. It may also be by the use of the defendant’s senses, with or without mechanical aids, to oversee or overhear the plaintiff’s private affairs, as by looking into his upstairs windows with binoculars or tapping his telephone wires. It may be by some other form of investigation or examination into his private concerns, as by opening his private and personal mail, searching his safe or his wallet, examining his private bank account, or compelling him by a forged court order to permit an inspection of his personal documents.”
The four-pronged test to succeed in such a case, according to the Digital Media Law Project, involves:
- First, that the defendant, without authorization, must have intentionally invaded the private affairs of the plaintiff;
- Second, the invasion must be offensive to a reasonable person;
- Third, the matter that the defendant intruded upon must involve a private matter; and
- Finally, the intrusion must have caused mental anguish or suffering to the plaintiff.
In the Disney lawsuit, plaintiff’s lawyers use the alleged COPPA violation to establish that the data collection is offensive, and to pass several of those tests.
Eduard Goodman, global privacy officer at security firm Cyberscout, says he’s seen the intrusion upon seclusion legal strategy deployed in data breach lawsuits before. But that fourth prong of the test is the trickiest to meet. (Note: I am sometimes paid to write freelance stories for Cyberscout)
“The problem, as with most all privacy torts in the U.S., what is the harm and damage here,” he said. Damages and financial compensation for torts like causing injury in a car accident are well established. What’s the harm in collecting someone’s personal data? That’s yet to be determined.