SAN FRANCISCO’S FEDERAL court is home to some of the country’s most ambitious lawsuits, including suits against Big Oil for the costs of climate change, and Meta for the consequences of teen addiction to social media.
On Friday, a new far-reaching case joined the club: a class action for invasion of privacy brought against LiveRamp Holdings Inc., a public company headquartered in San Francisco that describes itself as “a global technology company that helps companies build enduring brand and business value by collaborating responsibly with data.”
The plaintiffs describe LiveRamp very differently. Their 83-page complaint, studded with 163 footnotes, reads like a piece of investigative journalism. It depicts a company with a $2.2 billion market capitalization that has largely operated under the radar as it has collected, consolidated, and commercialized intimate personal data on 700 million consumers worldwide, including “virtually every single adult” in the United States.
Invitations to comment on the case were not accepted by the plaintiffs’ lawyers nor by LiveRamp.
As the complaint describes it, LiveRamp is “operating a massive identity surveillance system that assigns every American a proprietary, permanent identifier — the equivalent of an online social security number.”
That identifier is then tied to extensive online and offline personal information, including names, postal addresses, email addresses, phone numbers, as well as digital IDs used on browsers, online applications, smartphones, smart TVs and game consoles.
The complaint explains that for each person in LiveRamp’s database, there is an “identity graph,” which is essentially a “map” that connects all these identifying points of data into “a single, non-anonymous ‘identity profile’ that can be used to track all of that person’s online activity in real time.”
LiveRamp makes its money by selling the information it collects to businesses and data brokers by way of a “Data Marketplace.”
Selling personal data, a segment at a time
The complaint alleges that LiveRamp’s clients can buy segmented portfolios containing people’s “highly sensitive health, religious, economic, sexual, and financial information.”
Examples include “segments of people with cancer, union members, Muslims, Jewish people, African Americans, poor people, payday loan prospects, online gamblers, unemployed individuals who were ‘seen at clinics/hospitals’ and users of the LGBT dating app Grindr.”
The suit contends that the data collection and sale is all done without the consent of consumers or “even their awareness that it is happening.”
The complaint says that the two plaintiffs in the class have seen materials from LiveRamp that contain the personal information that has been collected about them. In the case of Christina Riganian of Tujunga in Southern California, her identity profile allegedly contains several thousand pieces of information.
The materials also show that information about Riganian has been disclosed to at least 62 third parties, including pharmaceutical companies, publishers, advertisers, advertising technology companies like Google, Amazon and Microsoft, as well as to data brokers who can use it for resale.
LiveRamp allegedly has her Social Security number and driver’s license data and has tracked her activity “on at least hundreds of websites and mobile apps, including the interception and collection of Plaintiff’s searches for and views of articles related to health and personal financial issues.”
The complaint provides granular examples of how LiveRamp’s personal data can be used by its clients and concludes, “LiveRamp’s sale of these highly detailed, personal, and sensitive “psychographic” profiles represents one of the most uniquely invasive and comprehensive forms of surveillance in modern history.”
LiveRamp was a division of a data broker named Acxiom that was allegedly one of the companies that provided data to Cambridge Analytica that was allegedly used to target and manipulate U.S. voters in the 2016 presidential election. The complaint says that in 2018, after that scandal erupted, Acxiom renamed itself LiveRamp Holdings Inc.
The plaintiffs seek to represent both a national class and a California subclass of consumers “whose personal information, or data derived from their personal information, was made available for sale or use through LiveRamp’s RampID or Data Marketplace.”
California’s right to privacy law
The complaint asserts a number of legal theories but leads with the claim of invasion of privacy under the California Constitution.
Article I, Section 1 of the Constitution provides: “All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property and pursuing and obtaining safety, happiness, and privacy.”
California is one of a minority of American states that has an explicit protection of privacy in its constitution. The term was added by a voter-approved constitutional amendment in 1972.
The plaintiffs’ lawyers unearthed eerily prescient language from the 1972 ballot pamphlet that described the proposed privacy amendment and offered an argument in its favor: “Computerization of records makes it possible to create ‘cradle-to-grave’ profiles of every American. At present there are no effective restraints on the information activities of government and business. This amendment creates a legal and enforceable right of privacy for every Californian.”
The plaintiffs build on that foundation to assert that members of the proposed classes have a reasonable expectation of privacy in their lives, even while browsing online.
They say modern life requires being online, and class members don’t surrender the right to privacy by logging onto the internet.
According to the plaintiffs, “At no point during its process of collecting or processing personal information, compiling of dossiers, or selling services based on that personal information, does LiveRamp ever directly ask individuals for their consent.”
Moreover, the plaintiffs believe that the data collection is so pervasive and intrusive that consent is not “reasonably or practically possible,” and even were it given, it would not be legally enforceable.
The plaintiffs face many hurdles in obtaining the relief they seek. One of the highest will be the difficulty in distinguishing between LiveRamp’s data collection and utilization practices and those of the many internet companies that collect and utilize data from their customers.
The suit has been assigned to U.S. District Judge Jon Tigar, who is based in Oakland.
The post Identity crisis: Lawsuit alleges tech company violated privacy laws by reselling client data appeared first on Local News Matters.