N.D.Cal.: Lyft drivers didn’t state a claim for invasion of privacy from taking of geolocation data that was shared on an app

Plaintiff Lyft driver sued Uber for invasion of privacy and other claims. Plaintiff did not state an invasion of privacy claim from using an app on his phone that tracked him. He didn’t have a reasonable expectation of privacy in his geolocation data because the passengers also shared it. Gonzales v. Uber Techs., Inc., 2018 U.S. Dist. LEXIS 65561 (N.D. Cal. Apr. 18, 2018):

Plaintiff alleges that Uber used the data collected from Lyft in conjunction with other databases to learn personal details about Lyft drivers including, but not limited to, drivers’ full names, when and where they typically work, where they take breaks, and the drivers’ home addresses. (Dkt. No. 34 ¶ 83, 92.)

Plaintiff has sufficiently pled a protected privacy interest as to home addresses, see Williams, 3 Cal.5th at 554, and arguably precise geolocation data. See U.S. v. Jones, 565 U.S. 400, 411, 132 S. Ct. 945, 181 L. Ed. 2d 911 (concluding the GPS tracking device of a vehicle, and the subsequent use of that device to monitor the vehicle’s movements on public streets, was a search within the meaning of the Fourth Amendment requiring a warrant). Plaintiff, however, offers no authority to support his argument that the other information Uber allegedly obtained is generally considered private – Lyft ID number, working as a Lyft driver, and full names. The Court concludes it is not.

The second element, a reasonable expectation of privacy under the circumstances, is not met. “A ‘reasonable’ expectation of privacy is an objective entitlement founded on broadly based and widely accepted community norms.” Hill, 7 Cal.4th at 37. The decision “must take into account any ‘accepted community norms,’ advance notice to [Plaintiff] …, and whether [Plaintiff] had the opportunity to consent to or reject the very thing that constitutes the invasion.” TBG Ins. Servs. Corp. v. Superior Court, 96 Cal.App.4th 443, 117 Cal. Rptr. 2d 155 (2002). The plaintiff in an invasion of privacy action must have conducted himself or herself in a manner consistent with an actual expectation of privacy, i.e., he or she must not have manifested by his or her conduct a voluntary consent to the invasive actions of defendant. Hill, 7 Cal.4th at 26. The “community norms” aspect of the “reasonable expectation of privacy” element means that “the protection afforded to the plaintiff’s interest in his privacy must be relative to the customs of the time and place, to the occupation of the plaintiff and to the habits of his neighbors and fellow citizens.” TBG Ins. Servs. Corp., 96 Cal.App.4th at 450.

Plaintiff consented to the sharing of his geolocation data with perfect strangers (Lyft riders); thus, under the circumstances he did not have a reasonable expectation of privacy in such information. (Dkt. No. 34 ¶ 93.)

Plaintiff may have toggled on from home and thus, since Uber was allegedly tracking the location of Lyft drivers, Uber could have determined Plaintiff’s home address. (Dkt. No. 34 ¶ 92.) However, under the circumstances the drivers did not have a reasonable expectation of privacy in their home location. Most Lyft users, both drivers and riders, can expect that their home addresses will be shared with other users on the platform when using the Lyft App. As such, users cannot reasonably expect that this information will remain private.

Plaintiff argues his consent was limited to Lyft and therefore Plaintiff had a reasonable expectation that only Lyft would have access to his information. However, “the case law suggests that in determining whether a plaintiff has satisfied the elements of the claim, a plaintiff’s lack of consent does not matter so much as the nature of the information in which he or she alleges a privacy interest.” See In re Yahoo, 7 F.Supp.3d at 1040-1041; see also In re iPhone Application Litig., 844 F.Supp.2d at 1063 (“[e]ven assuming this information was transmitted without Plaintiffs’ knowledge and consent, a fact disputed by Defendants, such disclosure [of information including device identifier number, personal data, and geolocation information] does not constitute an egregious breach of social norms”).

Nor is the third element, a serious invasion, met. “Actionable invasions of privacy must be sufficiently serious in their nature, scope, and actual or potential impact to constitute an egregious breach of the social norms underlying the privacy right. Thus, the extent and gravity of the invasion is an indispensable consideration in assessing an alleged invasion of privacy.” Hill, 7 Cal. 4th at 37. “The California Constitution sets a high bar for establishing an invasion of privacy claim.” In re Yahoo Mail Litigation, 7 F.Supp.3d 1016, 1038 (N.D. Cal. Aug. 12, 2014) (citing Belluomini v. Citigroup, Inc., No. CV 13-01743 CRB, 2013 U.S. Dist. LEXIS 103882, 2013 WL 3855589, at *6 (N.D. Cal. July 24, 2013)). “Even disclosure of very personal information has not been deemed an ‘egregious breach of social norms’ sufficient to establish a constitutional right to privacy.” Id. (citing In re iPhone Application Litig., 844 F.Supp.2d at 1063) (holding that the disclosure to third parties of unique device identifier number, personal data, and geolocation information did not constitute an egregious breach of privacy sufficient to prove a serious invasion of a privacy interest); Ruiz v. Gap, Inc., 540 F.Supp.2d 1121, 1127-28 (N.D. Cal. Mar. 24, 2008), aff’d, 380 Fed.Appx. 689 (9th Cir. 2010) (unpublished) (holding that the theft of a retail store’s laptop containing personal information, including the social security numbers, of job applicants did not constitute an egregious breach of privacy and therefore was not sufficient to state a claim).
