A California mom is suing Disney and some of its software partners for allegedly collecting personal information about her kids through mobile phone game apps.
This case hinges on a novel legal argument that I’m going to watch with great interest; an “Intrusion Upon Seclusion” claim that I hadn’t seen before in this kind of case. If the mom—and potentially others, if class-action status is granted—succeeds at winning such acclaim and collecting damages, it could open the doors to anew kind of privacy lawsuit.
"I think the lawyers caught Mickey with his shorts down,” said Jeff Chester, director of the Center for Digital Democracy.
The allegations, which Disney denies, are what you’d expect. The lawsuit claims Disney software places unique identifiers on mobile phones that can track app users—both in and out of game play—so Disney’s partners can serve targeted advertising. You can expect the usual debate about what constitutes personal information. Corporations that want to target ads usually claim they anonymize such data. Privacy advocates say that’s bunk. With just afew data points, people can be pretty precisely identified.
Federal law shields kids
Federal law—the Child Online Privacy Protection Act, or COPPA—has strict rules about what can be collected from kids under age 13. The Federal Trade Commission has weighed in on the issue, making clear that unique identifiers fall under COPPA, meaning they generally shouldn’t be used or collected when kids are involved.
The lawsuit claims Disney and its partners violated COPPA, but that doesn’t really get the mom far. COPPA does not provide a “private right of action.” Consumers can’t sue “under COPPA” and get anything; they can merely ask a federal agency (the FTC) to fine the violator.
So lawyers in the case have seized upon the “intrusion upon seclusion” tort. From what I can tell, this legal strategy is generally used when someone’s physical space is violated—as in sneaking into a home or hotel room. It has been used in previous digital privacy cases, however, said Douglas I. Cuthbertson, a lawyer at the firm pressing the case. He cited invasion of privacy cases involving Vizio (smart TVs) and Nickelodeon (tracking videos watched; click for more). Both recently survived dismissal motions. It remains to be seen how much the cases are worth to plaintiffs, however.
Insight on ‘Intrusion Upon Seclusion’
According to Harvard’s publication of the American Law Institute’s guide to torts, here’s what “Intrusion Upon Seclusion”requires:
"The invasion may be by physical intrusion into a place in which the plaintiff has secluded himself, as when the defendant forces his way into the plaintiff’s room in a hotel or insists over the plaintiff’s objection in entering his home. It may also be by the use of the defendant’s senses, with or without mechanical aids, to oversee or overhear the plaintiff’s private affairs, as by looking into his upstairs windows with binoculars or tapping his telephone wires. It may be by some other form of investigation or examination into his private concerns, as by opening his private and personal mail, searching his safe or his wallet, examining his private bank account, or compelling him by a forged court order to permit an inspection of his personal documents.”
Criteria must be met
The four-pronged test to succeed in such a case, according to the Digital Media Law Project, involves:
First, that the defendant, without authorization, must have intentionally invaded the private affairs of the plaintiff;
Second, the invasion must be offensive to a reasonable person;
Third, the matter that the defendant intruded upon must involve a private matter; and
Finally, the intrusion must have caused mental anguish or suffering to the plaintiff.
In the Disney lawsuit, plaintiff’s lawyers use the alleged COPPA violation to establish that the data collection is offensive, and to pass several of those tests.
Proving injury difficult
Eduard Goodman, global privacy officer at security firm CyberScout, which sponsors Third Certainty, says he’s seen the intrusion upon seclusion legal strategy deployed in data breach lawsuits before. But that fourth prong of the test is the trickiest to meet.
"The problem, as with most all privacy torts in the U.S., is what is the harm and damage here,” Goodman said. Damages and financial compensation for torts like causing injury in a car accident are well established. What’s the harm in collecting someone’s personal data? That’s yet to be determined.