A few years ago, a wallet was pretty simple. You kept it in your back pocket or your purse, and it contained a driver's license, a few credit cards, and maybe some mad money to spend during a night on the town. You kept your wallet on you at all times; it never left your sight. If a stealthy pick-pocket ran off with your wallet, you could usually notice your wallet's absence pretty quickly, and file a police report that described your wallet and the suspected thief. Wallets are no longer that simple.
Thanks to Google Wallet, Apple Pay, and Samsung's LoopPay, wallets are no longer the familiar leather or Velcro laden accessory we grew up with. Instead of your back pocket, wallets are digitally nestled within your phone - complete with personally identifiable information, such as like addresses, phone numbers, email addresses, and credit account information. When that information is disclosed to others, the risk of identity theft rapidly increases. This is a lesson Google is learning first-hand as it faces a class action lawsuit from users of its Google Wallet program.
Google Wallet is an electronic payment processing service operated by Google to facilitate purchases of mobile device applications from the Google Play Store. Google Wallet is the only method by which apps may be purchased from the Play Store, and the service may also be used to pay for goods in traditional stores by tapping a phone, with Google Wallet installed, against special terminals at checkout counters. Alice Svenson, a Google Wallet customer, filed a class action suit in the Northern District of California against Google in September 2013,[1] alleging that the company failed to honor the privacy policies governing its Google Wallet program.
Svenson alleges that she used Google Wallet in May 2013 to buy the "SMS MMS to Email" App in the Play Store for $1.77. Svenson claims that Google then collected the $1.77 by debiting the payment instrument associated with Svenson's Wallet account and made her personal identifying information available to that particular App's vendor, YCDroid. In other words, Svenson claims she purchased an app from Google, and Google shared Svenson's personal information with a third-party, contrary to Google's privacy policy. At the time, Google's privacy policies allowed the company to share personal information only with explicit consent from the user, and only with domain administrators for legal and external processing purposes. Svenson alleges that, prior to her lawsuit, Google's practice was to ignore its own policy. She claims that whenever a user purchased an app in the Play Store, Google shared the user's personal information with the app vendor, making customers susceptible to identity theft.
Google's latest attempt to dismiss the lawsuit was unsuccessful. On April 1, 2015, U.S. District Judge Beth Labson Freeman denied Google's Motion to Dismiss for lack of subject matter jurisdiction and failure to state a claim. Judge Freeman ruled that Google Wallet users may try to show that Google "frustrated" the purpose of its own privacy policy by allowing "blanket, universal disclosure" of their personal information to app developers whenever they bought apps in Google's Play Store.
The Court's decision not to dismiss this class action could signal an interesting development in the world of data security. The Plaintiff, despite paying only $1.77 for the app in question, is seeking an order for Google to open its own wallet and pay $1,000 per violation regarding the disclosure of users' personal information, plus punitive damages. With class action status, the damages could amount to a sizable loss for Google.
So what is the lesson here? If the case proceeds to trial, we can expect the litigation to focus its attention on Google's data sharing habits, perhaps encouraging similar companies to review their data sharing habits as well. Google, like many other companies, is trying to broaden its presence in the digital payment arena and other areas that require it to collect and store tremendous amounts of customer financial data. Although digital payment systems like Google Wallet and Apple Pay are met with skepticism by some, many retailers and consumers are welcoming these programs with open arms as a method to save time and increase convenience at the checkout line. This market opportunity can be great for businesses, but it requires careful attention to how the business stores and shares data.
Each company entering this market will want to take a close look at its privacy policies, and make sure that its practices do not involve sharing personal information beyond that which is necessary. According to the lawsuit, Google's dissemination of personal information was its own doing, but the potential for third party hacking and acquisition of data should be on the radar also. It is not enough to play by your own rules; you also have to set up protections to make sure you are prepared for when, not if, a breach occurs. Building a solid privacy compliance program not only keeps your business on the straight and narrow in the eyes of your customers, it also serves as valuable litigation preparation too. If you are dragged into court, you want to have the best defense possible. Strong privacy compliance programs go a long way to provide that defense.
Only time will tell what consequences arise from the Google Wallet class action, but Judge Freeman's refusal to dismiss the case indicates that the lawsuit has some teeth. This case is certainly one to keep an eye on, and companies dealing with digital payment systems should take note of the need to follow policies that keep each customer's information inside his or her own wallet.
[1] Case No. 13-cv-04080-BLF.