Smart TV Data Collection Lawsuit Moves Forward

By: Mackenzie Wallace, Craig Carpenter, and John Atkins

Are there limits to how much personal data your devices can collect about you and your family? As the number and variety of connected devices increases, companies potentially have access to more consumer data than ever. This data can be extremely useful and valuable to companies, but may also concern uninformed consumers. In California, a group of consumers is challenging the data collection activities of their Smart TVs, and a California court has ruled that the plaintiffs can move forward with class action claims regarding privacy, consumer protection, and fraud, among other things.

Vizio is a leading producer of “Smart TVs,” which are digital and internet-integrated televisions. Vizio’s Smart TVs, by default, record a great deal of information about customers’ viewing habits, and this feature is difficult to disable. Indeed, Vizio’s business model, by its own admission, relies on collecting and selling information of this kind. Starting in late 2015, various plaintiffs brought class action suits against Vizio based on federal and state contract, fraud, and privacy claims, alleging among other things that they would not have purchased Smart TVs, or would have paid less for them, if they had known that Vizio collected this information.

In September, Vizio filed a motion to dismiss the claims for lack of subject matter jurisdiction and for failure to state a claim, arguing that the plaintiffs had (1) failed to establish the concrete injuries necessary to have Article III standing to confer jurisdiction on the court, and (2) failed to adequately plead the causes of action they alleged.

Last week, the United States District Court for the Central District of California ruled on Vizio’s motion to dismiss, denying the motion with respect to most of the plaintiffs’ claims, and granting it with respect to a few others, as follows:

Federal Video Privacy Protection Act and the Wiretap Act

Citing to Spokeo Inc. v. Robins (136 S. Ct. 1540), Vizio argued that a statutory violation alone is insufficient for Article III standing. The court left the door open for the plaintiffs’ claims under the VPPA and the Wiretap Act, holding in part that Congress had specifically established, by creating these acts, that the interception of consumers’ personal electronic information and disclosure of their viewing history are cognizable injuries. While a few courts have held that some of the information collected and sold by Vizio (such as IP addresses) does not constitute personally identifiable information (PII), here the plaintiffs argued that the data collected by Vizio contained enough identifiers that could be combined to identify individuals. However, because the plaintiffs had not adequately pleaded interception, the court dismissed the Wiretap Act claims with leave to replead.

State Law Privacy Claims

The court declined to dismiss the plaintiffs’ state law privacy claims based on the common law claim of intrusion upon seclusion, which has been a tort in most states for over a century.

Consumer Protection Claims

The court determined that the plaintiffs’ allegations that they would not have purchased, or would have paid less for, Smart TVs had they known of the disputed features were sufficient to support a claim of injury under a variety of state consumer protection statutes. However, the court found certain statutory false advertising claims inadequately pleaded and dismissed them with leave to replead.

Fraud

Here the court split the baby, finding that the plaintiffs had standing to allege fraud claims, and further had adequately pleaded their claims for fraudulent omission based upon Vizio’s data collection statements in its privacy policy, but that they had failed to adequately plead other fraud claims, which were dismissed with leave to replead.

Ultimately, the important takeaway is that the court found cognizable injuries sufficient for the purposes of Article III standing on essentially every claim the plaintiffs asserted. Although the court discussed Spokeo, it distinguished the injury here by relying on Congress’s judgment in identifying intangible harms that meet standing requirements.

The court’s ruling should not, perhaps, be so surprising, nor should it necessarily be taken to imply that other holders of PII are in danger. Unlike in cases involving private information breaches at hospitals or other holders of considerable private information, here the injuries alleged arose largely from the improper or unauthorized collection of such information, rather than a failure to keep confidential information previously collected properly.

This case also raises the interesting question of when the collection and combination of de-identified and non-personal information can become PII for privacy and security regulation purposes. Courts and businesses have largely agreed that certain “anonymous” digital identifiers like IP addresses are not alone PII, but as the amount of non-personal digital information grows and as companies become more sophisticated in combining such information to build valuable user profiles, it is less clear when this information becomes “identification” information. The answer to this question may have a significant impact on the industry because “big data,” on which companies are increasingly reliant for information, is itself dependent to an extent on the availability of significant amounts of aggregate and de-identified information.