This post was also written by Christopher G. Cwalina.

A recent decision in ongoing litigation over mobile application practices shows how difficult the defense of privacy class actions can be. Even if the defense wins dismissal of some causes of action, the survival of any cause of action may force the defendant into costly discovery.

On June 12, U.S. District Judge Lucy Koh granted in part and dismissed in part Motions to Dismiss filed in the iPhone Application Litigation MDL in the Northern District of California, case no. 5:11-md-02250. In this case, plaintiffs claimed defendants violated plaintiffs’ privacy rights by unlawfully allowing third-party applications to collect and use personal information, including location information, from users’ mobile devices without consent. Plaintiffs brought 13 causes of action against Apple and the Mobile Industry defendants, including those based on federal statute, state statute, contract law, tort, and equity.

Defendants contended that plaintiffs lacked Article III standing and the case should be dismissed for lack of subject matter jurisdiction. They argued that plaintiffs failed to allege actual injury-in-fact. Judge Koh disagreed, noting that “Plaintiffs have alleged actual injury, including: diminished and consumed iDevice [iPhone, iPad, and iPod Touch] resources, such as storage, battery life and bandwidth; increased, unexpected, and unreasonable risk to the security of sensitive personal information; and detrimental reliance on Apple’s representations regarding the privacy protection afforded to users of iDevice apps.” The court found that plaintiffs’ alleged overpayment for those devices was enough to establish standing under California’s Unfair Competition Law (UCL). The court then found that the alleged business practices may be unlawful under California’s Consumer Legal Remedies Act (CLRA), unfair in that they are injurious to consumers and may not be outweighed by benefits to consumers, and fraudulent in that Apple made misrepresentations and material omissions to induce the purchase of mobile devices.

In addition, the court declined to dismiss the claims on the grounds that Apple’s Privacy Policy expressly permitted the collection and transfer of user data at issue, in part because the policy’s language was ambiguous as to the exact definition of “personal information.” Although many of the counts against Apple, and all of the counts against the other Mobile Industry defendants – Admob, Inc., Flurry, Inc., AdMarval, Inc., Google, Inc., and Medialets, Inc. – were dismissed, counts against Apple under the CLRA and UCL will proceed.

Notably, the court rejected Apple’s argument that all of the claims should be dismissed on the grounds that Apple has permission to collect and transfer user data pursuant to the Privacy Policy. On this point, the court said that “Plaintiffs have a colorable argument that the terms of the privacy agreement were ambiguous and do not necessarily foreclose the remaining claims against Apple.” The court stated that there was ambiguity as to whether something like a user’s unique device identifier is “personal information” under the terms of the privacy policy, and thus whether its collection and use was consistent with that policy. While this is one trial court decision on a preliminary motion, the decision reinforces the need for companies to closely examine disclosures to see how well they would hold up in any subsequent litigation.