A CLASS ACTION filed this past week in federal court in San Francisco alleges that e-commerce giant Amazon.com Inc. has violated California’s privacy laws by collecting geolocation data from consumers’ mobile devices without their consent.
The case filed Wednesday by California resident Felix Kolotinsky joins several clusters of recent litigation that assert consumer privacy violations by the tools used by tech companies to track consumer identity, location and behavior for purposes of serving them targeted advertising.
In this case, the plaintiff alleges that Amazon created a software development kit or “SDK” called Amazon Ads. The kit contained prepackaged code that provided tools to enable developers to build apps that can run ads on their mobile applications.
The plaintiff alleges” that “tens of thousands” of developers have embedded Amazon Ads in their mobile apps.
Amazon did not immediately respond to a request for comment on the lawsuit.
Access to a wealth of personal information
The complaint says that when a consumer uses a mobile app that has the Amazon Ads code, it opens a “backdoor” on the mobile device that provides “a direct data collection pipeline to Amazon and its advertising partners.”
The so-called “first party” information that Amazon obtains from the consumer’s mobile device includes geolocation and other metadata that allows Amazon to connect the supposedly “anonymous” mobile ID to an actual individual and then tie that individual to other data collected on their interests and activities.
Amazon is alleged to use the geolocation data to offer its advertisers a “comprehensive consumer profile” made by combining information about both online and in-person activities.
According to the lawsuit, the information “can reveal locations associated with medical care, reproductive health, religious worship, mental health, and temporary shelters such as shelters for the homeless, domestic violence survivors, or other at-risk populations, and addiction recovery centers.”
The complaint asserts that Amazon has essentially “fingerprinted” consumers and has done so “entirely without consumer’s knowledge and consent.”
The plaintiff says that Amazon Ads was installed in two apps that he uses on his mobile phone: NewsBreak and Speedtest by Ookla. He says that he never authorized anyone to share data with Amazon and that he does not consent to it being done.
The legal theory that the lawsuit uses to support its claim is based on California’s law concerning use of “pen registers.” A pen register is a surveillance tool that records outbound “dialing, routing, addressing or signaling information” from a device or a facility. (Unlike a wiretap, a pen register doesn’t collect the contents of a call but only the fact of it, together with the related metadata.)
California’s invasion of privacy laws prohibit the use of a pen register without consent.
Pen registers hail back to an earlier stage in telecommunications technology when the pen register was a physical device that tracked outgoing calls, but the privacy statute defines a pen register to include not only a device but also a “process.”
In an early case to consider how the pen register statute applied to modern internet technology, a federal court in Southern California relied on the process language and allowed SDK litigation to proceed. However, the issue is far from settled, and because Amazon is perhaps the largest entity to have been challenged to date, it is likely that the new case will have an outsize influence on the development of the law.
Surveillance comes under surveillance
Increased attention to the surveillance of consumers has resulted in a wave of litigation, much of it in the federal court in San Francisco.
A raft of privacy cases against Meta — the owner and operator of Facebook, Instagram and other apps — consolidated in the San Francisco court involve a different situation than the Amazon case but raise many of the same privacy concerns. In those cases, the plaintiffs allege that many website developers use a “pixel” provided by Meta to gather analytical information about consumers visiting their websites.
According to the plaintiffs, when the Meta pixel provides data about a consumer to the website owner, it also provides the data to Meta. Many of the cases involve websites created for health care providers and thus have allegedly allowed Meta access to highly sensitive information about people seeking health care.
Meta has attempted on two occasions to have the consolidated Meta pixel cases dismissed for failing to state a viable claim, but its efforts have been unsuccessful to date.
Another significant case in the privacy arena was filed in San Francisco federal court last month. The plaintiffs claim that LiveRamp Holdings Inc., a global data broker headquartered in San Francisco, has assembled electronic “identity graphs” of virtually every American adult without their consent.
The class action suit asserts a claim directly under a provision in California’s Constitution that provides that “All people are by nature free and independent and have inalienable rights. Among these are … pursuing and obtaining safety, happiness, and privacy.”
The plaintiffs contend that the data collection violates the constitutional privacy right.
The post Amazon accused of compromising anonymity of mobile users by tracking without consent appeared first on Local News Matters.