In Our Deepest Moments of Zen, We Are Being Tracked
Calm is a popular guided meditation app that seeks to help you “stress less,” “sleep more,” and “live mindfully.” It also tells lots of unknown third parties that you’re depressed without your consent. People order food through DoorDash and swipe on the dating app Tagged, but it’s collecting their geolocation without disclosing it.
That’s alleged in a series of recently filed federal class actions in the Northern District of San Francisco against cloud computing software companies Twilio, Verve Group and Amplitude. The three lawsuits were filed by Chicago’s Edelson law firm and make claims under the U.S. Wiretap Act, California Wiretap Act, and California Invasion of Privacy Act (CIPA).
It says that Twilio, a data mining company that makes a SDK, or software development kit, siphons data from millions of people. In the case of Calm, which uses Twilio’s SDK, the app prompts people to answer questions about how they are feeling, so if they say they are feeling anxious, third parties will know about that. It also collects a lot more information, such as time-stamped geolocation.
“Twilio collects consumers’ in-app search terms, search results, keystrokes, button presses, page views, and consumers’ names and email addresses. This data reveals consumers’ likes, interests, and information about other behavioral attributes,” according to one of the lawsuits.
Twilio also collects names and email addresses and brags about maintaining “the complete activity history of each customer across web,” according to the lawsuit.
Collectively, this information can reveal inferences such as medical conditions and sexual orientation, the lawsuit states.
In the case of Verve Group, which embeds its software in the Tagged dating app, it allows developers to suck up data from 2 billion consumer devices around the world, according to Edelson. With DoorDash, Amplitude’s SDK allows third parties to get their hands on people’s eating habits.
Over 11,00 apps have SDKs, and pretty much everyone collects data. That’s no surprise. The problem is that users are not told that their data is being collected by an unknown third party. Twilio isn’t mentioned in Calm’s privacy policy. As a result, consumers can’t consent or opt out of the data collection. To be clear, the apps themselves have not been sued, just the aforementioned cloud computing companies.
But how have the courts landed on this privacy issue?
California federal courts appear to be mixed on similar wiretapping claims. Lawsuits claiming a live chatbot illegally intercepted data and customer service calls under the California Invasion of Privacy Act were dismissed, but CIPA violations are not being alleged in the lawsuit against Twilio, only Verve Group and Amplitude. Separate lawsuits against Google and Peloton claiming they violated state and federal wiretapping laws recently survived motions to dismiss.
