Earlier this month, San Francisco City Attorney Dennis Herrera filed a complaint in California state court against MeetMe, Inc., the maker of a social networking app that, as the complaint puts it, is designed “to introduce users to new people and enable them to interact with strangers online and in person.” The complaint takes issue with one of the ways MeetMe encourages users to interact—by sharing their location with each other. Herrera asserts that although MeetMe informs users about the way its app uses geolocation information, it fails to do so in a way that is sufficiently clear—particularly given that many of MeetMe’s users are minors.
According to Herrera, the consequences of MeetMe’s data practices have been serious—the app allegedly has been used by men accused of sexual misconduct involving minors.
Importantly for privacy professionals, this case raises questions about what it means to provide clear notice in the mobile environment, and how, if it all, the answer changes when the user is a minor. The case also raises the important question of whether failure to adequately disclose how information is shared can be a violation of California’s Unfair Competition Law (UCL), a statute that sometimes is compared to Section 5 of the Federal Trade Commission Act.
According to the complaint, the MeetMe app collects geolocation data from MeetMe users’ mobile devices and uses that data to tell other users “who is nearby and how far away they are.” Herrera alleges that this functionality “broadcasts” geolocation data collected from minors—who make up a large portion of MeetMe’s user base—to “thousands of other users, including sexual predators, stalkers and other criminals.” The complaint cites several press accounts about men who allegedly have used this feature to engage in sexual misconduct involving minors.
The complaint also alleges that the MeetMe app fails to adequately inform users that their location will be shared with other users. According to the complaint, the “only” notice about MeetMe’s use and sharing of geolocation data comes through a pop-up notice displayed after the initial installation of the app. The pop-up allegedly asks permission to “use your location data to show you cool people to meet near you.”
Herrera asserts that this permission “falsely impl[ies] that geolocation data will be used only to show the user the location of others who are nearby and will not automatically be used for other purposes—like broadcasting the user’s location to thousands of other people.” He contends that the pop-up notice is therefore insufficient to inform MeetMe’s users about how their geolocation data will be used.
The complaint asserts that, as a consequence of these practices, MeetMe violates California’s UCL which prohibits any “unlawful, unfair or fraudulent business act or practice.” Herrera contends that MeetMe’s practices are “unfair,” “deceptive” and “unlawful.”
The complaint asserts that MeetMe’s practices are unfair because they offend “established public policy” and “cause harm that greatly outweighs any benefits associated with those practices.” It is important to note that the “practices” at issue in Herrera’s suit are not the underlying crimes against minors described in the complaint, but rather MeetMe’s allegedly unauthorized sharing of geolocation data with others.
Even assuming the sharing described in the complaint was unauthorized—which may be a dubious assumption—it is noteworthy that Herrera asserts the sharing offends “established public policy.” Herrera’s support for this assertion appears to come in the form of privacy best practices guides, published by the FTC and California Attorney General, for mobile app developers and others in the mobile ecosystem. These guides are unquestionably important to companies that operate in the mobile ecosystem; but MeetMe may push back against the notion that the guides, published just last year, represent “established public policy.”
Also up for debate is how MeetMe’s practices “cause harm.” Although the perpetrators involved in the crimes described in the complaint allegedly used MeetMe to cause substantial harm, it is not clear precisely how MeetMe caused any harm. And if, as appears likely, the “harm” asserted in the complaint is the sharing of geolocation information, then there may be a question about whether the mere sharing of information through an app can cause the harm necessary to support a legal claim. Courts in recent privacy litigation matters have suggested it cannot.
The complaint also asserts that MeetMe violated the UCL’s prohibition on fraudulent practices by deceptively failing to disclose (or adequately disclose) how it uses and shares minors’ geolocation information. As noted above, however, the complaint acknowledges that MeetMe presented users with a pop-up requesting permission “to use your location data to show you cool people to meet near you.” Herrera asserts that notwithstanding this disclosure, users would not have understood that their location information would be shared with others—i.e., users would have believed that their location information would be used only so that they could see others’ locations, but others could not see theirs.
This assertion may be seen as implausible, particularly given the MeetMe app’s basic functionality appears to be the sharing of location information with people nearby to encourage interaction. Put differently, it may be hard to convince a court that a user would expect the app not to disclose the user’s geolocation data to others even while disclosing the geolocation data of others to that one user.
Claims under the UCL’s unlawfulness prong “piggyback” on other legal claims; if the plaintiff can prove that the defendant’s businesses practices violated any federal, state or local law, he or she may obtain relief under the UCL.
Here, Herrera asserts—without elaboration—that MeetMe’s practices constituted a common law invasion of privacy and a violation of the right to privacy under California’s Constitution. Litigants in similar privacy litigation matters have struggled to show that the alleged misuse of personal information collected online involves harm of a sufficient magnitude to support recovery under these theories. In general, these claims have been successful only in cases involving egregious privacy violations. Herrera may face significant hurdles in convincing the court that sharing geolocation data gives rise to a claim under one of these theories.
It is, of course, difficult to predict how a case will unfold in litigation. It will be very interesting to see how MeetMe responds to Herrera’s complaint and how the court will address these issues.