Privacy not ‘all or nothing,’ in consumer data case

A federal judge advanced Wednesday most of a proposed class action against online payment processor Stripe accusing it of violating privacy laws by tracking, collecting and selling the personal data and web activity of customers that use its service.

While Stripe notified consumers that it gathers and stores their information, U.S. District Judge Yvonne Gonzalez Rogers in Oakland found that consumers didn't agree to have their data sold to third parties.

"While plaintiffs initially consented to Stripe's initial collection of the issue data, that consent is not unlimited," she wrote.

Stripe and its defense attorneys at Munger, Tolles & Olson LLP didn't respond to requests for comment. Silver v. Stripe, 20-cv-08196 (N.D. Cal., filed Nov. 20, 2020).

The lawsuit was filed in November by a plaintiff who used grocery delivery service Instacart. He alleged Stripe secretly collected his private information and created a profile on him that it then sold to other merchants. Stripe provides payment processing services to Instacart.

When consumers visit a merchant's website to make a purchase, Stripe begins tracking them to gather information on their devices, finances and online purchasing habits, according to the complaint filed in the Northern District of California. The company then aggregates all of the data into consumer profiles, which include financial risk scores that affect consumers' ability to make future purchases.

Stripe maintained that users agree to its practices in Instacart's privacy policy. It pointed to a disclosure stating, "We may share your information when we believe that the disclosure is reasonably necessary."

But in an order dismissing some claims and allowing others to proceed, Gonzalez Rogers found that consumers didn't consent to Stripe's disclosure of their information to the company's merchants.

Instacart's privacy policy, the judge held, only informs consumers that their information would be disclosed to third parties in limited situations, such as assisting with the prevention or detection of fraud. She sided with consumers that Stripe compiled and disseminated sensitive data, rejecting claims that they had no reasonable expectation of privacy to the information.

"Privacy is not an 'all or nothing' proposition," she wrote.

Gonzalez Rogers agreed with Stripe, however, that Instacart's privacy policy bars claims related to the collection of data.

Instacart utilizes a "sign-in wrap" agreement in which its checkout page requires users to agree to its terms of service to place an order. The judge concluded that the contract is enforceable because consumers were provided opportunities to review the privacy policy and ultimately agreed to it anyway.

"They were told the consequences that would follow from clicking the button, including their acceptance of the privacy policy," she wrote. "Plaintiffs decided to place an order after being made aware."

Plaintiffs' attorneys at Gutride Safier LLP did not respond to requests for comment.

Data brokers have largely been free to gather and sell consumer data as long as they secure consent, but federal and state officials have increasingly scrutinized the practice.

The Federal Trade Commission on Tuesday said that it will move away from consent governing the collection and monetization of personal information to minimizing data tracking.