Have you ever received an email from LinkedIn with the invitation: “I’d like to add you to my professional network.”? If you did not respond, did you receive a reminder email a week later? And another one a few weeks after that? If you did, or if you were one of the LinkedIn users who (inadvertently) sent out one of these “endorsement emails,” then Perkins v. LinkedIn (N.D. Ca. June 14, 2014) is a class action lawsuit against LinkedIn you might want to keep an eye on.
The crux of the complaint, which has been brought by nine individual plaintiffs as a class suit, is that LinkedIn violated several state and federal laws by harvesting email addresses from the contact lists of email accounts associated with the class plaintiffs’ LinkedIn accounts and used the contacts to spam their users’ contacts with LinkedIn ads. The class complaint alleged five causes of action:
- violation of California’s common law right of publicity;
- violation of California’s Unfair Competition Law (“UCL”);
- violation of the Stored Communications Act (“SCA”);
- violation of the Wiretap Act; and
- violation of California’s Comprehensive Data Access and Fraud Act (“CCDAFC”).
The district court is allowing the case to proceed on the California right of publicity claim, but not on any others. Here is how the court came to that decision.
First things first, how did LinkedIn get their users’ contacts?
Step 1: Create a LinkedIn account. To be able to use LinkedIn, you have to first create a user profile. To do this, the user must provide their first name, last name, email address and a password. Then, to actually join LinkedIn, the user has to click a “Join LinkedIn” button, which has an asterisk next it pointing to a line at the bottom of a page that states: “By joining LinkedIn, you agree to LinkedIn’s User Agreement, Privacy Policy and Cookie Policy.”
Step 2: Join LinkedIn. After the user clicks the “Join LinkedIn” button, a second page that states “let’s start creating your professional profile” comes up. This page asks the user to provide LinkedIn with country of residence, ZIP code, employment status, job title and industry. Below these fields is a button titled “Create my profile.”
Step 3: Grow Your Network. This is where it gets dicey. A user who clicks the “Create my profile” button is directed to a page that states: “Grow your network on LinkedIn. … Get started by adding your email address,” which the user already provided to LinkedIn.
The “Grow your network on LinkedIn” page has a button for “Continue” under the pre-populated email field with the following statement: “We will not store your password or email anyone without your permission.” The user can “Skip this step” or “Continue.”
A user who continues is led to a screen from Google Accounts that states that “Linkedin.com is asking for some information from your Google Account.” The page then contains two bullet points:
- “Email address,” which contains the user’s email address; and
- “Google Contacts.”
The user can click “Allow” or “No thanks.” A user who chooses “Allow” then proceeds to a screen titled “Connect with people you know on LinkedIn.” This page contains a list of the users’ contacts who are already on LinkedIn titled “people you know on LinkedIn.” The user can then choose between two options: “Add Connection(s)” or “Skip this step.”
After the page containing contacts who already have a LinkedIn account, the user is directed to a page titled “Why not invite some people? … “Stay in touch with your contacts who aren’t on LinkedIn yet. Invite them to connect with you.” Below that statement is a list of the user’s email contacts (names and email addresses) who are not registered on LinkedIn. There is a checkbox next to each, and the “Select All” box is checked by default. At the bottom of the page, the user chooses between “Add to Network” or “Skip this step.”
If a user chooses the “Add to Network” option, LinkedIn sends an email to all of the email addresses affiliated with the checked boxes, which the class suit refers to as “endorsement emails,” that come from the user’s name via LinkedIn and contain the following text: “I’d like to add you to my professional network.” This text is followed by a signature line that contains the LinkedIn user’s name. Below this is a button that says “Accept.”
Step 4: The In ability to Get Off the Endorsement-Email Train. If one week after receiving an endorsement email, the recipient has not joined LinkedIn, LinkedIn sends a follow-up email with the same message. If after a second week, the recipient of the endorsement email still has not joined LinkedIn, LinkedIn sends a third email with the same message.
The class complaint allegations
The lawsuit centers on these endorsement emails. The class complaint alleged: “Each of the reminder emails contain the LinkedIn member’s name … so as to give the recipient the impression that the LinkedIn member is endorsing LinkedIn and asking the recipient to join LinkedIn’s social network.” The class complaint also alleged that once this process was in motion, it was nearly impossible to stop LinkedIn from sending the reminder endorsement emails.
The complaint also claimed LinkedIn’s conduct was contrary to its own policies, which included:
- LinkedIn’s statement seeking a user’s email address to identify a user’s existing contacts provides: “We will not store your password or email anyone without your permission.”
- LinkedIn’s statements in blog posts that provided: “… we are committed to putting our members first. This means being open about how we use and protect the data that you entrust with us as a LinkedIn member”; “Ensuring more privacy and control over your personal data remains our highest priority”; and “Ensuring you more clarity and consistency and control over your personal data continues to be our highest priority.
- A LinkedIn blog post titled “How to Report Abusive Behavior on LinkedIn,” in which LinkedIn provided examples of abusive behavior that violated its terms of service, which included “massively inviting people they don’t know.”
- Two sentences from LinkedIn’s Privacy Policy: (1) “You decide how much or how little you wish to communicate to individuals or groups” and (2) “We do not rent, sell, or otherwise provide your personally identifiable information to third parties without your consent unless compelled by law.”
The class plaintiffs also argued LinkedIn knew about the flaws and ignored them by pointing to postings on LinkedIn’s Help Center pages that indicated that users had complained about the company’s harvesting and endorsement email processes. One user complained: “LinkedIn should stop the spammy practices of sending out invitations to people’s address book without their explicit request to do so,” and another complained of reputational harm, “at this point I’m finding LinkedIn more of a problem in terms of hurting my reputation rather than helping it. What’s more the invitations are NOT people in my address book. They are people I don’t know. I find this entire issue extremely unprofessional on LI’s part. You would think with all these members with the same problem LI would respond with a fix.”
The class plaintiffs’ damages
As for their injuries, the class plaintiffs centered their claims on three arguments. First, they alleged the endorsement emails are valuable to LinkedIn because they are used attract new members to LinkedIn.
Second, since LinkedIn charges users $10 to send a LinkedIn message to a LinkedIn user whom the sender is not connected, “[t]he email addresses that LinkedIn takes from its users and uses to promote its service (using the name of the LinkedIn user) have value to a user.”
Lastly, the increased membership that results from the endorsement emails further benefits LinkedIn by expanding the market to which LinkedIn can advertise its Premium Membership program, which costs $39.95 to $49.95 per month.
The court’s decision
Class plaintiffs have standing because their individual names, which were used to endorse LinkedIn to their friends and contacts, have economic value.
First off, the court determined that the individuals’ names have economic value because the endorsement (or invitation) emails were more valuable because they came from a familiar or trusted source. The court analyzed the case Fraley v. Facebook, Inc., 830 F. Supp. 2d 785 (N.D. Cal 2011), a case in which class plaintiffs alleged Facebook sold personalized advertisements at a higher rate by misappropriating the names and likenesses of its users, which returned an economic benefit for Facebook because it could charge more for the personalized advertisements at the expense of the plaintiffs who were not compensated. The court found the two fact patterns similar because, if true, LinkedIn misappropriated the class plaintiffs’ names to promote LinkedIn and to grow its membership base, which is indisputably economically valuable to LinkedIn.
In support of its conclusion, the court noted that its 2012 10-K statement, LinkedIn stated: “our member base has grown virally based on members inviting other members to join our network” and that “our member base has grown virally … we have been able to build our brand with relatively low marketing costs.” The court also looked to statements from Mark Zuckerberg and Sheryl Sandberg who stated that the best recommendations come from friend and are the “Holy Grail” of advertising.
With that, the court concluded that users’ names have economic value when used to endorse or advertise a product to the individuals’ friends and contacts because the advertisement is coming from a trust or familiar source.
SCA and wiretapping claims fail because the consent and authorization defense applies.
Turning toward the claims, LinkedIn argued the class plaintiffs’ SCA and the Wiretap Act claims should be thrown out because the class plaintiffs consented to LinkedIn’s so-called illegal conduct.
The question under both laws is essentially the same: Would a reasonable user who viewed LinkedIn’s disclosures have understood that LinkedIn was collecting email addresses from the user’s external email account such that the user’s acquiescence demonstrates consent or authorization to collect? The court’s answer: Yes.
The “growing your network” portion of signing up for LinkedIn allows a user to “Allow” or say “No Thanks” when LinkedIn seeks permission to access “Google Contacts.” With this prompt, there was also a disclosure that provided that Linkedin.com is seeking a user’s Google Contacts from her Google account. This was not a case where the disclosure was buried in a Terms of Service or Privacy Policy; rather, the disclosure was right next to the “No thanks,” or opt-out, button. Because it was hard to fathom how LinkedIn could have been more clear in what it was attempting to do, the court found that the class plaintiff consented to or authorized the collection of emails addresses and there was no claim under the SCA or the Wiretap Act.
Common Law right of publicity claims stays in because users did not consent to second or third reminder endorsement emails.
The right publicity claim challenged the use of the user’s names in the endorsement emails. To state a claim, the class plaintiffs had to allege:
- LinkedIn used their identities;
- LinkedIn obtained an advantage by appropriating plaintiffs’ name or likeness;
- lack of consent; and
- resulting injury.
The court agreed with LinkedIn that a reasonable user would have understood that its disclosure before the endorsement emails are sent that provides “Why not invite some people,” and “Stay in touch with your contacts who aren’t on LinkedIn yet. Invite them to connect with you” was sufficient to let users know that their name would be used in invitations to join LinkedIn to the user’s contacts who were not current LinkedIn members.
Despite that the court concluded the class plaintiffs consented to LinkedIn’s initial endorsement email, the court went on and held that they sufficiently alleged they did not consent to the second and third reminder endorsement emails because the “Invite [your contacts] to connect with you” prompt discloses LinkedIn intends to send an endorsement email to the user’s contacts, but it does not indicate LinkedIn will send a second or third reminder endorsement email.
Section 502 of California Penal Code, called California’s Comprehensive Computer Data Access and Fraud Act, fails because LinkedIn did not breach a technical or code-based barrier.
California’s Comprehensive Computer Data Access and Fraud Act prohibits certain computer-based conduct such as “[k]knowingly and without permission access[ing] or caus[ing] to be accessed any computer, computer system or computer network.” LinkedIn asked the court to throw out the class plaintiffs’ CCDAFA claim claiming:
- the conduct was authorized; and
- because they did not allege LinkedIn breached any technical or code-based barrier.
The court agreed with LinkedIn’s second argument and did not addressed the authorization issue.
The class plaintiffs argued that LinkedIn breached a code-based barrier by not seeking their Google Accounts password between the “Grow you network” and “Google Accounts … LinkedIn.com is asking for some information from your Good Account” screens. The court did not buy the class plaintiffs’ argument and found it did not suggest that LinkedIn circumvented a technical or code-barrier.
UCL claim fails because the class plaintiffs failed to allege they actual read the misrepresentations that allegedly caused their injury.
The UCL prohibits “any unlawful, unfair or fraudulent business act or practice.” The claim requires actual reliance and injury, specially that LinkedIn’s misrepresentation or nondisclosure was the immediate cause of the class plaintiffs’ injuries. To make the reliance showing, however, the class plaintiffs had to allege they actually read the challenged representations. None of them had. All they pleaded was that the registered for LinkedIn and that endorsement emails were sent to their email contacts with their authorization. This doomed the UCL claim.
Takeaways
After all that, the only claim that survived is the common law right of publicity claim. As the judge noted:
[T]he second and third endorsement emails could injure users’ reputations by allowing contacts to think that the users are the types of people who spam their contacts or are unable to take the hint that their contacts do not want to join their LinkedIn network. … Therefore, individuals who receive second and third email invitations to join LinkedIn after declining the one or two previous email invitations to join LinkedIn from the same sender may become annoyed at the sender, which could be professional or personally harmful.
The judge threw out the federal wiretapping and stored communications act claims, but allowed the right of publicity claim to proceed as a class, for now at least. “This type of injury, using an individual’s name for personalized marketing purposes, is precisely the type of harm that California’s common law right of publicity is geared toward preventing,” the court noted.
Though this right to publicity claim is a California common-law claim, this case will be interesting to watch, and it has the potential to change the way companies use account holders’ email contacts or, at very least, the amount of emails they sent their account holders’ email contacts.
This might be asking too much, but I hope this somehow gets LinkedIn to stop reminding me who of my contacts is having a birthday. Better yet, stop reminding them that I am having a birthday. It is just not something I care to have my professional network reminded.