A class of consumers sued Amazon.com, Inc. on Wednesday, claiming the technology company secretly tracked and sold their sensitive data without their consent.
Plaintiff Felix Kolotinsky brought the class action lawsuit with a demand for a jury trial in the US District Court for the Northern District of California San Francisco Division on behalf of a group of California residents who claim the company’s data collection practices violate California state law.
Kolotinsky alleged that the collected data includes “timestamped geolocation data that reveals where a consumer lives and works” as well as personal information regarding consumers’ religious beliefs, sexual orientation and medical history. The lawsuit states that the putative class members did not give Amazon permission to collect or sell such data and that there was no mechanism available for them to opt out of the company’s data collection practice.
The plaintiff claims that the collecting and selling of such sensitive information violates §638.51 and §502 of the California Penal Code. §638.51 prohibits the installation of “pen registers” without prior court approval, and the statute defines a “pen register” as a “device or process that records or decodes dialing, routing, addressing, or signalling information transmitted by an instrument or facility from which a wire or electronic communication is transmitted, but not the contents of communication.” Kolotinsky claims that Amazon’s software development kit (SDK) qualifies as a pen register because it timestamped information about consumers’ geographic locations as well as information that could be used to identify consumers, such as device fingerprint data, from the consumers’ cell phones.
§502, known as the Comprehensive Computer Data Access and Fraud Act (CDAFA), protects consumers “from tampering, interference, damage, and unauthorized access to lawfully created computer data and computer systems.” The plaintiff argued that the class members’ cell phones are “computers” or “computer systems” within the CDAFA’s meaning since they can be used with external files and can perform functions including arithmetic, data storage, and communication. Kolotinsky asserts that Amazon knowingly accessed the putative class members’ devices without permission and therefore violated the CDAFA.
An SDK is a code that platforms can provide to developers to build apps, allowing for various development tools to be stored in one place. Consumers, however, have noted concerns that the installation of an SDK into a mobile device allows platforms to track the device owner’s personal data. In August 2024, a class action lawsuit brought against communications company Twilio alleged that the company’s SDK violated multiple statutes, including the CDAFA. The putative class argued that Twilio secretly collected sensitive data from its consumers, such as their email addresses, names, and fingerprint data. Litigation in the case is still underway.
Consumer protection and data privacy concerns have elevated in recent years, with numerous consumers and US states filing lawsuits against companies like Google, Apple and Allstate. Last week, the European Consumer Organization asked EU authorities to investigate whether Meta is violating consumer and data protection laws by using ambiguous terms and confusing interfaces that prevent users from consenting freely to data collection.
