Suit filed against Disney may be a new way to sue for privacy invasion

Mom claims kids’ personal data was collected through mobile game apps


A California mom is suing Disney and some of its software partners for allegedly collecting personal information about her kids through mobile phone game apps.

Bob Sullivan, journalist and one of the founding members of

This case hinges on a novel legal argument that I’m going to watch with great interest: an “Intrusion Upon Seclusion” claim that I hadn’t seen before in this kind of case. If the mom—and potentially others, if class-action status is granted—succeeds at winning such a claim and collecting damages, it could open the doors to a new kind of privacy lawsuit.

“I think the lawyers caught Mickey with his shorts down,” said Jeff Chester, director of the Center for Digital Democracy.


The allegations, which Disney denies, are what you’d expect. The lawsuit claims Disney software places unique identifiers on mobile phones that can track app users—both in and out of game play—so Disney’s partners can serve targeted advertising. You can expect the usual debate about what constitutes personal information. Corporations that want to target ads usually claim they anonymize such data. Privacy advocates say that’s bunk. With just a few data points, people can be pretty precisely identified.

Federal law shields kids

Federal law—the Children’s Online Privacy Protection Act, or COPPA—has strict rules about what can be collected from kids under age 13. The Federal Trade Commission has weighed in on the issue, making clear that unique identifiers fall under COPPA, meaning they generally shouldn’t be used or collected when kids are involved.

The lawsuit claims Disney and its partners violated COPPA, but that doesn’t really get the mom far. COPPA does not provide a “private right of action.” Consumers can’t sue “under COPPA” and get anything; they can merely ask a federal agency (the FTC) to fine the violator.

So lawyers in the case have seized upon the “intrusion upon seclusion” tort. From what I can tell, this legal strategy is generally used when someone’s physical space is violated—as in sneaking into a home or hotel room. It has been used in previous digital privacy cases, however, said Douglas I. Cuthbertson, a lawyer at the firm pressing the case. He cited invasion of privacy cases involving Vizio (smart TVs) and Nickelodeon (tracking videos watched). Both recently survived dismissal motions. It remains to be seen how much the cases are worth to plaintiffs, however.

Insight on ‘Intrusion Upon Seclusion’

According to Harvard’s publication of the American Law Institute’s guide to torts, here’s what “Intrusion Upon Seclusion” requires:

“The invasion may be by physical intrusion into a place in which the plaintiff has secluded himself, as when the defendant forces his way into the plaintiff’s room in a hotel or insists over the plaintiff’s objection in entering his home. It may also be by the use of the defendant’s senses, with or without mechanical aids, to oversee or overhear the plaintiff’s private affairs, as by looking into his upstairs windows with binoculars or tapping his telephone wires. It may be by some other form of investigation or examination into his private concerns, as by opening his private and personal mail, searching his safe or his wallet, examining his private bank account, or compelling him by a forged court order to permit an inspection of his personal documents.”

Criteria must be met

The four-pronged test to succeed in such a case, according to the Digital Media Law Project, involves:

First, the defendant, without authorization, must have intentionally invaded the private affairs of the plaintiff;
Second, the invasion must be offensive to a reasonable person;
Third, the matter that the defendant intruded upon must involve a private matter; and
Finally, the intrusion must have caused mental anguish or suffering to the plaintiff.

In the Disney lawsuit, plaintiff’s lawyers use the alleged COPPA violation to establish that the data collection is offensive, and to pass several of those tests.

Proving injury difficult

Eduard Goodman, global privacy officer at security firm CyberScout, which sponsors Third Certainty, says he’s seen the intrusion upon seclusion legal strategy deployed in data breach lawsuits before. But that fourth prong of the test is the trickiest to meet.

“The problem, as with most all privacy torts in the U.S., is what is the harm and damage here,” Goodman said. Damages and financial compensation for torts like causing injury in a car accident are well established. What’s the harm in collecting someone’s personal data? That’s yet to be determined.

