On November 10, 2022, a plaintiff filed a class action lawsuit against Apple, Inc., citing a recent Gizmodo article reporting that security researchers had found that Apple apps, such as the App Store, collected device and usage data from iPhones regardless of the privacy settings users enabled. The complaint alleges that Apple collects personal information and the content of communications in its apps, and tracks users across apps even when users disabled "Allow Apps to Request to Track" and "Share iPhone & Watch Analytics" settings in their phones. The complaint raises the following three causes of action based on California law:
(1) Unjust enrichment (quasi-contract claim for restitution and disgorgement) or, alternatively, breach of contract: The plaintiff argues that Apple received a benefit from collecting personal information without consent and using it for targeted advertising and to improve its products and services, that Apple knew it was receiving this benefit, that plaintiff received nothing, and that it would be inequitable for Apple to retain the unjust benefit.
Alternatively, if Apple successfully asserts that its Terms of Service form a binding contract, given the Terms of Service incorporates Apple's privacy policy, the plaintiff argues that Apple's collection and use of personal information gathered from its apps where users had disabled the "Allow Apps to Request to Track" and "Share iPhone & Watch Analytics" settings because Apple's privacy notice stated that "Apple requires app developers to ask for permission before they track your activity."
(2) Violation of California Wiretap Act: California's Invasion of Privacy Act (California Penal Code 632, also known as the California Wiretap Act) prohibits intentionally eavesdropping on or recording confidential communications by means of an electronic amplifying or recording device without the consent of all parties to a confidential communication. The plaintiff asserts that Apple tracked and recorded user communications when they were browsing apps from their devices when their "Allow Apps to Request to Track" and "Share iPhone & Watch Analytics" settings were disabled. The plaintiff argues the apps are electronic recording devices, and the disabled tracking and analytics settings indicate recording occurred without authorization.
(3) Invasion of Privacy: Finally, the plaintiff argues that Apple invaded their privacy. This claim is based on California Constitutional law and requires the plaintiff show an invasion of a (1) legally protected privacy interest, (2) where the plaintiff had a reasonable expectation of privacy under the circumstances, and (3) the defendant's conduct was a serious invasion of privacy. The plaintiff alleges that Apple's actions invade privacy rights protected by the California Wiretap Act, the Fourth Amendment (although, notably, Apple is not a state actor), the California Constitution, and Apple's own Privacy Policy. The plaintiff claims Apple's privacy settings had given plaintiff a reasonable expectation of privacy under the circumstances, and that Apple's actions were serious invasions (considering Plaintiff's claim that Apple violated the California Wiretap Act), and that, because of broad public support of privacy rights, reasonable consumers would find Apple's actions highly offensive.
It will be interesting to see if these particular legal claims gain any traction or success in this lawsuit. Similar claims have been made in a range of privacy lawsuits in California, with varying degrees of success. But perhaps more interesting to watch will be whether this is part of a broader shift in Apple’s reputation and exposure to regulatory and legal action on privacy. The plaintiff in this lawsuit referred to Apple’s privacy promises as “illusory.” Apple has long positioned itself as a champion of consumer privacy. But more recently, the company has come under increasing scrutiny and criticism of its privacy and data collection practices. Some of that criticism suggests that those practices are hypocritical and self-serving – often imposing rules and controls that severely restrict the ability of third-party app developers to collect and use data while continuing to collect and use large amounts of personal data itself. Large platform providers are often subject to special scrutiny, in large part because of their unique position to advantage themselves over others operating on their platforms. This lawsuit may be one more indication that no company can remain insulated from an increasingly complex and challenging regulatory environment with regard to privacy and data protection.
Charlotte Lunday is a Senior Associate at Hintze with expertise in COPPA, FERPA, and online safety.
Hintze Law PLLC is a Chambers-ranked privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support global technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.