Words of Wisdom

Make your privacy policy less private.

Consumer data has never been more valuable than it is today—and almost every business which can collect it, does. As a result, privacy policies, which must disclose a company’s policy in regard to its data collection practices and uses, are now more important than ever.

The recent class action lawsuit against Bose Corporation is a perfect example of this, and is causing everyone to listen more closely. In the suit, plaintiff Kyle Zak alleges that Bose violated the Federal Wiretapping Act and state privacy laws by intercepting and collecting metadata about audio files from users of its wireless headphones and devices without appropriately disclosing its policies or obtaining valid consent from its customers. More specifically, in the complaint, Zak alleges that:

  1. Bose, through its Bose Connect mobile app, “automatically,” “continuously and contemporaneously” harvested behavioral information about customers’ listening habits, which Bose then shared with a data mining company, Segment.io, without users’ knowledge or consent.
  2. Upon downloading the app, customers were not prompted to read or accept the terms of the privacy policy describing the types of information that Bose collected via the app or how Bose intended to use the information collected, causing the collection of information to be unfair and deceptive.
  3. The app’s privacy policy failed to clearly and conspicuously identify the types of information that it shared with third parties.
  4. The app enabled Bose to collect and share metadata from users’ audio files with third parties, married with other personal information that Bose collected when a user registered the product purchase. Zak’s example in the complaint is that an individual who listens to Muslim prayer services while using the Bose Connect app is “very likely a Muslim.”

Although Bose’s policy stated that it may share “non-personal information” with third parties, it did not identify that the metadata and the other information collected from users’ audio files would be considered “non-personal data,” particularly when such information may provide insight into consumers’ health, lifestyle, and religious preferences. The complaint draws a connection between the information collected from users’ metadata and the information collected by Bose as part of its product registration process, suggesting that Bose may have the ability to aggregate user data to develop more robust profiles of its consumers, thus allowing it (and third parties with which it shared the information) to develop more targeted marketing around consumer preferences.

Although the complaint does not specify damages, it is speculated that damages may exceed $5 million.

Bose is just one of many companies to be caught up in a recent spate of lawsuits alleging violations of the Federal Wiretapping Act and other data privacy regulations:

  • In March of this year, Standard Innovation Corporation settled similar claims (for approximately $3.75 million) that its mobile app illegally collected information about how its customers used its We-Vibe “smart sex toy.” In addition to paying nearly $4 million to plaintiffs, Standard Innovation revamped its privacy policies to add transparency about the types of information that the company collects and how the information is collected. The company has also taken steps to delete all personal information collected from its products and app prior to the date of the settlement.
  • In February 2017, Vizio, Inc. reached a settlement with the Federal Trade Commission and the New Jersey Attorney General (for $2.2 million) to settle charges that it installed software on 11 million smart televisions to track consumers’ second-by-second viewing histories and information without their knowledge or consent, which it then sold to advertisers. Similar to Standard Innovation, Vizio was forced to delete any user data collected by its software.

The Bose case and the other recent cases mentioned here have important implications for companies that collect consumer information. With the flood of these cases being filed in different jurisdictions around the US, we can surmise that American consumers are becoming more savvy about their rights in and to their information, as well as the law, and paying closer attention to companies’ data collection practices and related disclosures. We strongly recommend that companies which collect individuals’ personal information review their privacy policies, data collection practices and data security, with a view to increasing transparency with regard to collection and use practices for personal information.

Feel free to share your thoughts with me by commenting below or sending me an email. Of course, if you have any questions about your privacy policy, feel free to give us a call.

Copyright © 2017 Jane Freedman Law, LLC. All rights reserved. All content in this blog is the property of Jane Freedman Law, LLC and may not be copied or redistributed without permission.
