Invasion of Privacy Lawsuit Against LiveRamp

LiveRamp, one of the largest data brokers in the world, was sued for invading the privacy of consumers – and now a federal court has ruled that the case can move forward. The invasion of privacy lawsuit against LiveRamp, Riganian v. LiveRamp Holdings, Inc., was filed as a class action in the U.S. District Court for the California Northern District. The plaintiffs are California consumers who accused LiveRamp of unlawfully collecting consumer information both online and offline and then selling that information to third parties for marketing purposes. These actions would constitute violations of both federal wiretap laws and California consumer privacy laws, so the stakes are extremely high for LiveRamp and other data brokers who allegedly collect and share consumer data without consent.

To learn more about the consumer privacy class action lawsuit against LiveRamp, keep reading this blog.

LiveRamp Accused of Collecting and Selling Consumer Data to Third Parties Without Consent

LiveRamp Holdings, Inc. (also known as LiveRamp, Inc.) is primarily a data onboarding company that provides other businesses with access to consumer data for marketing purposes. LiveRamp promotes itself as “the data collaboration platform of choice for the world’s most innovate companies.” Some of LiveRamp’s high-profile clients include Disney, CVS, Sam’s Club, L’Oreal, LinkedIn, Pinterest, KitchenAid, NBCUniversal, and McDonald’s.

LiveRamp is a registered “data broker” in California. Cal. Civ. Code § 1798.99.80 defines a data broker as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”

Riganian v. LiveRamp Holdings, Inc. was filed in the United States District Court, Northern District of California. The class action lawsuit alleges that LiveRamp has built its business around facilitating a “commercial surveillance ecosystem” that involves collecting detailed information about consumers’ identities and the places where they may be found online. The plaintiffs specifically allege that LiveRamp tracked, compiled, and analyzed vast quantities of their personal, online, and offline activities to build detailed “identity profiles” on them for sale to third parties. Alarmingly, all of this information was allegedly collected by LiveRamp even though the plaintiffs never directly interacted with the company.

How Does LiveRamp Collect Personal Information from U.S. Consumers?

According to the civil suit, LiveRamp’s data collection process involves three steps:

1. LiveRamp collects and purchases massive amounts of personal information from countless sources both offline and online.
2. LiveRamp synchronizes the aggregated data about a consumer into a single “identity profile,” with the consumer being slapped with a unique RampID profile that tracks them across online devices and even offline.
3. LiveRamp operates a Data Marketplace ecosystem where advertisers and data brokers can buy and sell information compiled in the RampID Profiles.

The personal information that LiveRamp allegedly collects includes consumers’ names, addresses, phone numbers, digital identifies, and device identifiers.

Widespread Data Collection

The scope and scale of LiveRamp’s data collection business cannot be understated: the company allegedly maintains the largest and most accurate people-based identity graph in the world, with detailed personal information on 700 million consumers. According to LiveRamp, this includes the identities of more than 250 million consumers in the United States. Beyond that, LiveRamp claims that its access to partner websites allows the company to connect to over 92% of all U.S. consumer time spent online.

Moreover, LiveRamp’s surveillance is pervasive, tracking users over time even as they move to different residences or change names due to marriage or divorce.

LiveRamp’s Data Collection Sources

LiveRamp is able to acquire so much data about massive amounts of Americans through both its own surveillance technologies and partnerships with hundreds of third parties.

The LiveRamp data collection sources include:

• Internet “cookies” that are placed on users’ devices to track their web browsing activity.
• Tracking pixels that automatically capture users’ website browsing history.
• JavaScript code that allows LiveRamp to detect users’ personal information through “event listeners.”
• AbiliTec system that constructs user IDs from hundreds of sources containing identifiers such as names, phone numbers, postal addresses, Social Security numbers, and driver’s license records.

RampID Profiles

Once LiveRamp has identified consumers and their online behavior, it builds a unique “RampID” profile for each individual. These profiles are maintained and updated in real time as users visit different websites, apps, and even physical stores. This means that LiveRamp maintains “highly detailed, continuously updated dossiers on hundreds of millions of people.”

LiveRamp’s Data Marketplace

LiveRamp also operates a “Data Marketplace,” which is a central exchange where LiveRamp and its clients sell or share access to the personal information of hundreds of millions of U.S. consumers. LiveRamp uses an “Attribute Enrichment” feature that allegedly allows any of the company’s third-party clients to provide an individual’s name, address, or email and get related “segment” information about the person, including health conditions, financial status, and religious affiliations.

The U.S. District Court observed that much of the data available in LiveRamp’s Data Marketplace can be described as “sensitive,” including information about health conditions, financial vulnerability, religious affiliation, and sexual orientation. The class action complaint states that LiveRamp’s clients are able to buy and sell groups of consumer IDs associated with “people with cancer, union members, Muslims, Jewish people, African Americans, poor people, payday loan prospects, online gamblers, and unemployed individuals who were seen at clinics and hospitals.” LiveRamp also allegedly targets women who are pregnant so that the company can sell their data on the marketplace.

Lawsuit: LiveRamp Collects Personal Data of Hundreds of Millions of Consumers Without Consent

According to the digital privacy lawsuit, none of the hundreds of millions of people who LiveRamp profiles ever have the opportunity to meaningfully consent to this pervasive surveillance. That’s because it is simply not possible to anticipate the ways in which LiveRamp compiles their personal information and shares it with third parties. Moreover, it is impossible for consumers to know in advance which third parties their personal information will be shared with, nor what those third parties will do with that information.

Federal Court: Invasion of Privacy Lawsuit Against LiveRamp May Proceed

One of the plaintiffs in the class action suit alleged that LiveRamp collected her personal information when she interacted with the CVS pharmacy website. Another plaintiff alleged that LiveRamp tracked her activity on healthline.com, CVS.com, Health.usnews.com, Patient.info, ABCnews.go.com, and Showtime.com. The personal information allegedly intercepted by LiveRamp included the precise pages visited, articles read, products viewed, and searches queried.

The plaintiffs in the class action asserted multiple claims for relief under both privacy and wiretap theories:

• Invasion of Privacy under the California Constitution.
• Violation of the Federal Wiretap Act.
• Violations of the California Invasion of Privacy Act (CIPA).

LiveRamp filed a motion to dismiss, seeking to get the suit thrown out before trial. However, the U.S. District Court ruled against the motion to dismiss, meaning that the case can proceed.

Class Action: LiveRamp Violated the California Constitution by Tracking Consumers Online

The elements of an invasion of privacy claim under the California Constitution are:

1. The Plaintiff has a reasonable expectation of privacy.
2. The Defendant intruded upon the Plaintiff’s privacy, and the intrusion was highly offensive.

The U.S. District Court for the California Northern District said that it found “unpersuasive” LiveRamp’s contention that the company publicly discloses its data collection practices. The court pointed to the fact that the plaintiffs were not aware of LiveRamp’s conduct at all. This means that any supposed disclosures by LiveRamp would have no effect on consumers’ reasonable expectations of privacy when they visit websites.

The court also stated that LiveRamp’s alleged tracking of user activity across thousands of websites would be sufficient for a claim that LiveRamp unlawfully intruded into the privacy of consumers. The court noted the plaintiffs’ allegation that LiveRamp compiled consumer data from websites and then sold that data to third parties without the consumers’ knowledge or consent. Since this data was often “sensitive” in nature, consumers would have a reasonable expectation of privacy in the information.

The federal court ruled that the plaintiff adequately alleged that LiveRamp gained unwanted access to consumer data in violation of both the California Constitution and social norms.

Court: LiveRamp May Have Violated the Federal Wiretap Act

The Federal Wiretap Act, contained in the Electronic Communications Privacy Act (ECPA), is codified at 18 U.S.C.§ 2511. The federal statute provides for civil penalties against anyone who “intentionally intercepts or endeavors to intercept any wire, oral, or electronic communication.”

In its pre-trial motion to dismiss, LiveRamp argued that the Federal Wiretap Act claim should be thrown out because LiveRamp’s tracking pixel only operates on the websites of clients who have consented to it. Since the federal law is a one-party consent statute, this would ordinarily be the end of the case. However, there is an exception to the single-party consent rule – the “crime-tort exception” – which stipulates that even with consent, it is still a violation of the wiretap law if the defendant intercepted communications for the purpose of committing a criminal or tortious act.

The U.S. District Court agreed with the plaintiffs, stating that the crime-tort exception would apply if LiveRamp commercially exploited unlawfully obtained information from consumers. The court further said that “if Plaintiffs ultimately prove that LiveRamp unlawfully intercepted, packaged, and sold personal information without consent at scale, that conduct will not be excused on the grounds that LiveRamp acted in pursuit of profit.”

The court concluded its analysis by stating that the plaintiffs in the class action will be allowed to move forward with their Federal Wiretap Act claim against LiveRamp.

California Invasion of Privacy Act Claims Against LiveRamp

The plaintiffs in the class action against LiveRamp also asserted claims based on violations of § 631(a) and § 638.51 of the California Invasion of Privacy Act (CIPA).

California’s strong consumer protection laws include the CIPA, which prohibits businesses from wiretapping customers’ communications without consent. Violations of the statute could subject offenders to both criminal and civil penalties.

CIPA § 631(a) – Real-Time Interception

Section 631(a) of the CIPA allows a consumer to recover damages when a company “willfully and without consent of all parties to a communication, attempts to read or learn the contents of the communication while it is in transit.”

The court found that the plaintiffs plausibly alleged that LiveRamp violated the CIPA by reading the personal information the data broker intercepts on websites while that information is in transit. The court noted the allegation that LiveRamp engaged in both the real-time interception of consumer data and the contemporaneous reading of that data. That’s because LiveRamp’s “event listeners” intercept communications while they are in transit, and LiveRamp’s “identity graph” then connects the data into an identity profile that is updated in real time.

CIPA § 638.51 – Pen Register Violation

Section 638.51 of the California Invasion of Privacy Act (CIPA) prohibits companies from using a “pen register” without a court order. The class action alleges that LiveRamp violated the CIPA by using code, scripts, and trackers to record identifying information on users’ devices, including IP addresses and electronic device identification numbers.

In its motion to dismiss, LiveRamp tried to argue that only telephones – not websites – qualify as pen registers under the statute. The court disagreed strongly with this argument.

The CIPA defines a pen register broadly as “a device or process that records dialing, routing, addressing, or signaling information transmitted by an instrument.” The court noted that this definition does not mention telephones at all. By contrast, other sections of the CIPA do mention telephones. This means that the drafters of the statute clearly intended for pen registers to include more than just telephones.

Additionally, federal courts have established clear precedent that pen registers include telephones and other data collection tools, such as internet browser trackers and computer software that identifies consumers through “fingerprinting.”

Once again, the California North District Court agreed with the plaintiffs. The court’s ruling means that the class action against LiveRamp survived the motion to dismiss and can now proceed.

Call the Los Angeles Consumer Protection Lawyers at Tauler Smith LLP

Do you believe that your personal information was unlawfully collected online? The Los Angeles consumer protection attorneys at Tauler Smith LLP can help you file a civil suit for financial compensation. Our experienced legal team represents plaintiffs in both federal and California state courts.

Call 310-590-3927 or send an email to discuss your possible legal claim.