Consumer data has never been more valuable than it is today – and almost every business which can collect it does. As a result, privacy policies, which must disclose a company’s policy in regard to its data collection practices and uses, are now more important than ever.
The recent class action lawsuit against Bose Corporation is a perfect example of this, and is causing everyone to listen more closely. In the suit, plaintiff Kyle Zak alleges that Bose violated the Federal Wiretapping Act and state privacy laws by intercepting and collecting metadata about audio files from users of its wireless headphones and devices without appropriately disclosing its policies or obtaining valid consent from its customers. More specifically, in the complaint, Zak alleges that:
- Bose, through its Bose Connect mobile app, “automatically,” “continuously and contemporaneously” harvested behavioral information about customers’ listening habits, which Bose then shared with a data mining company, Segment.io, without users’ knowledge or consent.
- The app enabled Bose to collect and share metadata from users’ audio files with third parties, married with other personal information that Bose collected when a user registered the product purchase. Zak’s example in the complaint is that an individual who listens to Muslim prayer services while using the Bose Connect app is “very likely a Muslim.”
Although Bose’s policy stated that it may share “non-personal information” with third parties, it did not identify that the metadata and the other information collected from users’ audio files would be considered “non-personal data,” particularly when such information may provide insight into consumers’ health, lifestyle, and religious preferences. The complaint draws a connection between the information collected from users’ metadata and the information collected by Bose as part of its product registration process, suggesting that Bose may have the ability to aggregate user data to develop more robust profiles of its consumers, thus allowing it (and third parties with which it shared the information) to develop more targeting marketing around consumer preferences.
Although the complaint does not specify damages, it is being speculated that damages may exceed $5 million dollars.
Bose is just one of many companies to be caught up in a recent spate of lawsuits alleging violations of the Federal Wiretapping Act and other data privacy regulations:
- In March of this year, Standard Innovation Corporation settled similar claims (for approximately $3.75 million) that its mobile app illegally collected information about how its customers used its We-Vibe “smart sex toy”. In addition to paying nearly $4 million dollars to plaintiffs, Standard Innovation revamped its privacy policies to add additional transparency about the types of information that the company collects and how the information in collected. The company has also taken steps to delete all personal information collected from its products and app prior to the date of the settlement.
- In February 2017, Vizio, Inc. reached a settlement with the Federal Trade Commission and the New Jersey Attorney General (for $2.2 million) to settle charges that it installed software on 11 million smart televisions to track consumers’ second-by-second viewing histories and information without their knowledge or consent, which it then sold to advertisers. Similar to Standard Innovation, Vizio was forced to delete any user data collected by its software.
The Bose case and the other recent cases mentioned here have important implications for companies that collect consumer information. With the flood of these cases being filed in different jurisdictions around the US, we can surmise that American consumers are becoming more savvy about their rights in and to their information, as well as the law, and paying closer attention to companies’ data collection practices and related disclosures. We strongly recommend that companies which collect individuals’ personal information review their privacy policies, data collection practices and data security, with a view to increasing transparency with regard to collection and use practices for personal information.