Loyola University Chicago School of Law, LL.M. in Health Law 2017
Global music technology giant and headphone maker, Bose Corporation, has been hit with a class-action lawsuit alleging that Bose collected the listening preferences of the users of its wireless headphones and its companion application without their knowledge and sold that information to third parties. Counsel representing the class filed the complaint in federal court in Chicago, Illinois alleging violations of the Electronic Communications Privacy Act (“ECPA”) and the Illinois-specific Eavesdropping Statute.
Electronic Communications Privacy Act
The ECPA, 18 U.S.C. §§ 2510, et seq., passed in 1986 protects wire, oral, and electronic communications while they are conducted, in transit, and stored on computers. The ECPA also applies to email and telephone conversations, and all data stored electronically. The ECPA consists of three titles. Title I prohibits the intentional, actual, or attempted, interception, use, disclosure, or procurement of the contents of any wire, oral, or electronic communication, as well as prohibiting the admissibility of illegally obtained communications in court. Title II protects contents of files stored by service providers related to subscribers such as name and billing records. Title III covers pen registers and trap/trace devices and requires government entities to obtain a court order authorizing the installation and use of these devices.
Illinois Eavesdropping Statute
The Illinois Eavesdropping Statute, 720 ILCS 5/14-1 et seq., experienced issues with constitutionality since its inception in 1994. For ten years before the courts in People v. Clark, 2014 IL 115776, and People v. Melongo, 2014 IL 114852, found the statute overbroad and unconstitutional in its current form, the statute was one of the strictest eavesdropping laws in the United States. Today, the statute requires all-party consent when it comes to recording private conversations or electronic communications, meaning all parties must consent to the recording of the private conversations, including the conversation’s originator.
In Zak v. Bose Corp., N.D. Ill., No. 1:17-cv-02928, the nineteen page complaint first establishes that plaintiff bought a $350 pair of QuietComfort 35 headphones and downloaded the accompanying mobile application to “get the most out” of the headphones. The Bose Connect mobile application allows the user of the Bose technology to “pair” the product they buy with the mobile application to pause, resume, rewind, and skip songs. The user of the Bose technology must register on the application and input certain identifiable pieces of information, such as name, email address, and the Bose technology serial number. This information coupled with song preferences allows Bose to track the user activity. Bose does not warn that the use of the mobile application yields data on listening preferences that Bose monitors and collects. Moreover, Bose fails to mention that the music company discloses what songs a user listens to, to a third party data mining company called Segment .io, Inc (“Segment”). The complaint contends that Bose intentionally designed and programmed the mobile application to automatically disclose this information to Segment for further disclosure. The information collected and disclosed is personal and sensitive to that particular user of Bose technology, which could predict or suggest the user’s political affiliation, “religious views, thoughts, sentiments and emotions.” The complaint argues that Bose intentionally collected, used, and disclosed this information without user consent, which violates both the ECPA and the Illinois Eavesdropping Statute. Finally, the complaint sets forth the evidence to support the establishment of a class action, including discussions on numerosity, commonality and predominance, adequate representation, and superiority.
From a compliance perspective, developing a mobile application poses various regulatory issues. Depending on the industry, the sheer number of privacy regulatory frameworks that apply are abundant. In this case, proper due diligence and vetting of the mobile application development procedure could have prevented the likelihood such an event. Since the application targets consumers, alignment and compliance with the FTC Act, the ECPA, and specific state laws are integral. Companies should avoid deceptive tactics and fraudulent misrepresentation of their products’ services. Of the lessons learned, the most obvious involves restraint on wiretapping or gaining sensitive information using a phone application without user consent. If the application collects user information and preferences, the developer must develop a proper and adequate Notice of Privacy Practices. Monitoring and oversight, as well as implementing proper written policies, procedures, and standards of conduct are the most relevant effective elements of a compliance program that could have prevented this situation.