Author: Kim Verska
Last week in the Northern District of California, LinkedIn got a painful reminder of what might properly be called the First Commandment of Data Privacy, namely, “Thou Shalt Not Surprise Thy User with Your Use of User’s Personal Data.” In Perkins et al v. LinkedIn Corp., a group of plaintiffs brought a case against LinkedIn under California’s statute embodying the common law right to control one’s own name and likeness in public use (or “publicity rights”) based upon LinkedIn’s practice of sending second and third e-mail reminders to a user’s business contacts, after an initial email invitation to join LinkedIn was ignored. In its motion to dismiss, LinkedIn attempted to defend on a variety of bases, but last week the court allowed the case to go forward.
There were several important findings in the court’s rejection of LinkedIn’s motion to dismiss. First and most obviously, while the court saw that the user had consented to one e-mail invitation to each contact, LinkedIn automatically sent differently worded (and increasingly annoying and plaintive) second and third e-mails to each unresponsive contact without the express permission of the user, even including the user’s picture in the second one. This, in addition to breaking the so-called First Commandment, was also a violation of the Second Commandment, which states “Thou Shalt Not Violate Thy Own Published Privacy Policy”: in LinkedIn’s case, theirs stated that they “would not email anyone without your permission.” Another important point was that once a user had allowed LinkedIn to send the first invitation to a particular contact, the user’s ability to control LinkedIn’s automatic reminder e-mails to unresponsive contacts was extremely limited and burdensome (one had to open each invitation individually and mark a box for no further messages).
LinkedIn’s ultimate lesson will likely be not only painful but unusually expensive, as the California privacy statute under which the suit was brought provides for statutory damages of $750 per violation, plus attorneys’ fees. This is in marked contrast to the struggles of most lawsuits based on violations of privacy and security of personal data, where the lack of monetary damages has generally been a bar to successful class actions. FTC consent orders for the privacy policy violation as an “unfair and deceptive trade practice” are likely to follow in its wake.
Other plaintiffs’ lawyers will no doubt be scouring the land for similar cases of automatic e-mails outside the control of the user, where similar statutory damages might be available under this statute in California court, so companies should examine any communications “on behalf of” their users for similar deficiencies. But in a larger perspective, this case brings home the basic lesson that underlies both the First and the Second Commandment: while US privacy laws may apply in various ways to your business, the best policy is never to do anything with a user’s data that the ordinary user would not expect or which would be an unwelcome surprise to the user. This is the surest path to a clean bill of data privacy health (and a happy user base as well).