In March 2023, the White House published its National Strategy to Advance Privacy-Preserving Data Sharing and Analytics.  Buried in the report was a quiet, but notable, concern related to the possibility of deanonymizing a consumer due to “insufficient disassociability”.  See Report, pg. 6.  A new wave of class action lawsuits in California—already over three dozen at the time of writing—now seeks to turn a spotlight on these practices, claiming that companies are using “grey market” data to match user patterns with personal identifiable information (PII).

For example, a complaint recently filed in California Superior Court—Gabriela Hernandez v. MRI Software LLC, 23-stcv-14389—opens with allegations that online anonymity promotes the free exchange of ideas and reinforces cybersecurity. It then contrasts these virtues with a process it calls “de-anonymization,” which it alleges “involves cross-referencing anonymized data with ‘commercially available information’ (“CAI”) obtained from grey data markets to reveal an individual’s identity.” The crux of the complaint alleges that certain types of online targeted advertising technology is doxing. These types of technology reveal the identity of anonymous website visitors for marketing purposes. 

The complaint alleges that the technology takes website usage data with other publicly-available information to build marketing profiles. Based on this business model, the complaint refers to this type of technology as “spyware.” It then alleges that this type of technology violates the California Unauthorized Access to Computer’s Act because it “obtain[s] Plaintiff’s IP addresses and expos[es] Plaintiff’s name, face, location, e-mail, and browsing history.” The lawsuit also brings claims under the California Invasion of Privacy Act alleging that the technology accesses the contents of its website communications without first obtaining consent.

The target of these lawsuits is agnostic—since this initial complaint, lawsuits have been filed against retailers, technology companies, and food and beverage companies.  Not surprisingly, most companies that sell products or services via a website use technology that tracks usage to support marketing and sales efforts. The legal theories here challenge the proprietary of these commercial activities and, if successful, would require remediation and significant business changes. The legal claims also have potentially devastating financial effects: the California Unauthorized Access to Computer’s Act provides for compensatory and punitive damages as well as attorneys’ fees, and the California Invasion of Privacy Act provides for damages of at least $5,000 per violation, only further multiplied due to the class allegations.  Just as importantly comes the potential reputational damage of being publicly accused of misusing customers’ sensitive information—however attenuated this theory of doxing is from other notions of the term.

While no California court has ruled on the viability of these claims, companies should take notice and review their use of this technology and the data retrieved through them.  Relying on its litigation experience in similar privacy matters, as well as its strong regulatory and brand protection technology group, Crowell has helped clients build successful defenses to these claims, as well as review and remediate internal policies and programs related to the use of these technologies.