Tamara Wilson has filed a class action lawsuit against social media app maker Triller in the Southern District of New York. She’s alleging that Triller unlawfully shared her personally identifiable information with Facebook and other third parties without her knowledge or consent. Suing on behalf of herself and other similarly-situation plaintiffs, Wilson is seeking an order to do the following:
(a) enjoining Triller from further unauthorized collection, storage, and use of certain of consumers’ information; (b) declaring that Triller’s conduct violates the Computer Fraud and Abuse Act, the Video Privacy Protection Act, and state consumer protection statutes; (c) finding that Plaintiff and the Class members are entitled to statutory damages, as well as quantum meruit for unjust enrichment based upon Triller’s actions; and (d) requiring Triller to clearly and conspicuously disclose its written policy that sets forth its retention and use of Plaintiff’s and Class members’ biometric information.
Complaint at 1, Wilson v. Triller, Inc., Case No. 21-cv-11228 (S.D.N.Y. Dec. 31, 2021).
Triller’s app keeps a log of videos that its users have watched or liked. As part of its ad operations, anonymized versions of lose logs (i.e., without users’ names or social handles attached) are shared with third parties such as Facebook. The plaintiff is alleging that given the totality of the datapoints that are shared, “Facebook can easily compile a dossier on any given user which aggregates the user’s video watch history and associates it with their PII.” Id. at 14.
Did Triller Get Adequate Consent?
Most interesting to me in this lawsuit is the allegation that Triller didn’t obtain “informed, written consent” that complies with the VPPA. 17 U.S.C. § 2710(b)(2)(B). That statute requires such consent to be “in a form distinct and separate from any form” (i.e., not buried in Triller’s Privacy Policy). 17 U.S.C. § 2710(b)(2)(B)(i). The provider also must “provide[] an opportunity, in a clear and conspicuous manner, for the consumer to withdraw” that consent. 17 U.S.C. § 2710(b)(2)(B)(iii). It doesn’t appear that either of these happened here, so I’m eager to see Triller’s response.
The plaintiff is also bringing an unjust enrichment claim on the theory that Triller “obscures” its TOU and Privacy Policy. This will probably be a bigger legal battle. Triller certainly has given notice in a literal sense. It has checkboxes and everything! But is that notice sufficient? Even without applying the harsh standards of the VPPA, it can be argued (as the plaintiff does in her complaints) that forcing users to actually scroll through the entire TOU before allowing them to use your service is fairly common practice these days.
It should also be noted, according to Triller’s parent company, “the app’s largest demographic is made up of those aged 16-27.” Complaint at 6, Wilson, 21-cv-11228. This won’t be a COPPA case, but do not be surprised if the standard of reasonableness/adequacy applied here is a bit tougher than if we were talking about an app primarily used by adults.
Abuse Of The CFAA Should Be A Crime.
On the other hand, I don’t see how the plaintiff’s CFAA claim will survive. I am no fan of the CFAA (and similar state law equivalents), but my distaste for it comes from governments trying to impose criminal liability on consumers for supposed “hacking” activity when that activity usually amounts to nothing more than a user skirting the terms of service of some website or app. In this case it’s the opposite: a consumer is alleging the service is guilty of violating the CFAA because it exceeded its authorized access to her devices.
Private actions under the CFAA are an interesting twist on the usual fact pattern, but I think it’s been made clear recently that the standard of “exceeds authorized access” does not apply to users who “have improper motives for obtaining information that is otherwise available to them.” Van Buren v. United States, 141 S. Ct. 1648, 1652 (2021). Triller was authorized to access the data it’s alleged to have used inappropriately. Thus, it wouldn’t have exceeded authorized access under the terms of the CFAA, even if what it did with that data was inappropriate by some other consumer protection or privacy regular.
But make no mistake, I still hate this damn law.
Full complaint: Wilson v. Triller, Inc., 21-cv-11228 (S.D.N.Y. Dec. 31, 2021)