This blog is the second of a two-part series. In the first installment, I explained how retailers use beacon technology, and more recently, audio beacon technology, to expand communications with consumers while tailoring such communications to consumers’ surroundings.1 Despite the successes retailers have experienced as a result of the implementation of the technology, consumers have recently voiced concerns—some going as far as instituting lawsuits—regarding their privacy.2 Specifically, users of mobile applications with integrated audio beacon technology have alleged that the technology “listens in” and “records” users’ private conversations without their knowledge.3 In this blog post, I will discuss the applicability of both federal and state privacy law to concerns that have been voiced with respect to audio beacon technology.
Federal Electronic Communications Privacy Act (“ECPA”)
The use of audio beacon technology implicates the ECPA, 18 U.S.C. § 2511. The relevant portion of the statute reads:
Except as otherwise specifically provided in this chapter any person who intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication….shall be punished as provided in subsection (4) or shall be subject to suit as provided in subsection (5).4
“[I]ntercept” means the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.5 “[C]ontents”, when used with respect to any wire, oral, or electronic communication, includes any information concerning the substance, purport, or meaning of that communication.6 Of course, the prohibition does not apply where the intercepting party is a party to the communication or where one of the parties to the communication has given prior consent to such interception.7
Because audio beacon technology is still in its early stages, there is a lack of apparent case law addressing the specific issues presented by the use of the technology. From the plain reading of the federal statute, it seems that some providers of audio beacon technology do not trigger the oral communications facet of ECPA, making adequacy of consent in this respect a non-issue.8 For example, one provider of the technology, TONE, explains on its website, “Unlike other technologies, TONE doesn’t need to record what you’re watching or listening to, what’s going on in the room, or your private conversations. Our technology ONLY listens for our TONEs, ensuring your valuable privacy!”9 If understood correctly, it seems that TONE’s audio beacon technology would not qualify as “interception” of oral communications as defined by the statute. While a mobile app user’s microphone is in fact accessed by the app in order to pick up audio beacon signals within the mobile device’s range, and presumably oral conversation is “picked up,” the content of such conversation is never acquired. If TONE’s technology functions as its website articulates, the technology is unable to interpret the “substance, purport, or meaning of that communication,” and is therefore not actionable under the ECPA.10
As for other providers who do not make explicitly clear how their audio technology functions (and TONE, if its technology does not truly function as articulated), it seems that the oral communications facet of the ECPA may be triggered, in which the focus of legal analysis becomes adequacy of the user’s consent to interception.11 Furthermore, it is unclear whether TONE’s audio beacon technology triggers the electronic communication facet of the ECPA. If a court were to employ a liberal reading of the statute, a beacon sending a signal and a user’s microphone receiving that signal may constitute an “electronic communication,” and the application’s use of such communication to send tailored notifications to the user may constitute “interception.”12 Likewise, if this is the case, the focus of the legal analysis becomes adequacy of the user’s consent to interception.13
While the Golden State Warriors app does request permission to access a user’s microphone, federal courts have made clear that a party may consent to the interception of only part of a communication or to the interception of only a subset of its communications.16 In order to limit risk concerning the app’s access of a users’ microphones, it is important that users are given notice of what exactly they are consenting to – and it is a lack of this adequate notice that the plaintiffs in the suit against the Golden State Warriors complain of.17
In order to mitigate risk of liability under the ECPA, companies should ensure that their apps inform users of the circumstances in which their microphones are accessed (e.g., only while the app is open vs. in the background while the app is running, etc.), the types of communications that are accessed (e.g., does it have the capability to interpret oral communications?), as well as the purpose of such access (e.g., to tailor advertisements that are sent to users’ mobile devices).
Applicability of State Law
Federal statute is only preemptive of state law in situations where there is no state law on the subject of conversation interception, or state law is less strict.18 For example, because Michigan’s privacy law is stricter than the ECPA, any claims brought to state court in Michigan will be analyzed under the stricter Michigan law.19
Under Michigan law: Any person who is present or who is not present during a private conversation and who wilfully [sic] uses any device to eavesdrop upon the conversation without the consent of all parties thereto, or who knowingly aids, employs or procures another person to do the same in violation of this section, is guilty of a felony punishable by imprisonment in a state prison for not more than 2 years or by a fine of not more than $2,000.00, or both.20
Furthermore, “[e]avesdrop” or “eavesdropping” means to overhear, record, amplify or transmit any part of the private discourse of others without the permission of all persons engaged in the discourse.21 “Person” means any individual, partnership, corporation or association.22 While an intercepting party can avoid liability under 18 U.S.C. § 2511 by obtaining consent of one party to a communication, Michigan law requires consent from all parties to a communication.23 Additionally, Michigan law does not contain the caveat regarding “content” of communications as in federal law, and it seems that the “transmission” of any discourse—whether the meaning of such discourse is understood or not—could be considered eavesdropping.24
While there is scant case law regarding the meaning of “wilfully [sic] uses any device to eavesdrop upon the conversation without the consent of all parties thereto,” there are two possible interpretations, depending on the application of willful. In one interpretation, “wilfully” may only apply to “uses any device,” in which a company may be liable to third parties engaging in conversations with app users, because the third parties’ consent would not have been obtained.25 In another interpretation, “wilfully” may apply to the entire clause “uses any device to eavesdrop” (emphasis added), in which a company would likely not be liable to third parties, because in using the users’ microphone, the company does not possess the intention of listening in on the “discourse” of others.26 Because a violation of MCL § 750.539c has potential for criminal consequences, it can be inferred that due to the rule of lenity, the interpretation most favorable to the defendant (in which “wilfully” applies to the entire clause) would be read into the statute.
While it seems that there is no case that directly deals with this issue, State Farm Fire & Cas. Co. v. Couvier somewhat speaks to the mens rea required for liability under MCL § 750.539c. According to State Farm, which principally dealt with insurance coverage, the defendant violated MCL § 750.539c if he placed a surveillance device in the plaintiff’s apartment with the deliberate purpose or intent to use it for surveillance, or so used it.27 From this reading, it seems that the court employed the interpretation in which “willful” applies to the entire clause (in which a company would likely not be liable to third parties), however it should be noted that there are number of differences between the issues addressed in State Farm and the potential issues that companies faced in their use of audio-beacon technology.
The court’s interpretation of “willful” is especially crucial if a company’s app is incapable of “hearing” signals sent by beacons without “hearing” users’ conversations. In such cases, if the court only applies “willful” to “uses any device,” the use of audio beacon technology in Michigan (and states with similar statutes) may simply be illegal in all circumstances due to the implausibility of gaining the consent of all individuals who orally communicate with the user. Under this reading, such companies would be at risk for not only civil liability to third parties, but also criminal liability.28 Notwithstanding these penalties and/or damages paid to third parties, companies would likely experience negative perception from the public and a decrease in their user-base of their app, likely resulting in a decrease in revenue.
Companies subject to liability in states with stricter privacy laws than federal law should ensure that their technology operates in a way which would not trigger state law.
Nicole Spiteri, Audio Beacon Technology: Is the Potential for Increased Sales Worth the Risk?, MBELR BLOG (Nov. 13, 2016), https://www.mbelr.org/audio-beacon-technology-is-the-potential-for-increased-sales-worth-the-risk/. ↩
Complaint at 6-7, Satchell v. Sonic Notify, Inc., No. 3:16-cv-04961-EDL (N.D. Cal. filed Aug. 29, 2016). ↩
Id. § 2511(1)(a) (emphasis added). ↩
18 U.S.C. § 2510(4) (emphasis added). ↩
Id. § 2510(8). ↩
18 U.S.C. § 2511(2)(d). ↩
See, e.g., TONE, www.thetoneknows.com (last visited Sept. 16, 2016). ↩
See 18 U.S.C. §§ 2510, 2511. ↩
See 18 U.S.C. § 2511(2)(d). ↩
See 18 U.S.C. §§ 2510, 2511. ↩
See 18 U.S.C. § 2511(2)(d). ↩
Complaint at 27, Satchell v. Sonic Notify, Inc., No. 3:16-cv-04961-EDL (N.D. Cal. Aug. 29, 2016). ↩
Id. at 28 (emphasis added). ↩
In re Google Inc., 2013 WL 5423918, 12 (N.D. Cal. 2013) (quoting In re Pharmatrack, Inc., 329 F.3d 9, 19) (internal quotations marks omitted). ↩
Id. at 13 (explicit consent not obtained when Terms of Service suggested that content may be intercepted under a different set of circumstances for a different purpose); Watkins v. L.M. Berry & Co., 704 F.2d 577, 582 (11th Cir. 1983) (“It is the task of the trier of fact to determine the scope of the consent and to decide whether and to what extent the interception exceeded that consent.”). ↩
Roberts v. Americable Intern. Inc., E.D.Cal.1995, 883 F.Supp. 499. ↩
M.C.L. § 750.539c (M.C.L. § 750.539h gives individuals right to a civil action for violation of § 750.539c). ↩
Id. § 750.539a(2). ↩
Id. § 750.539a(4). ↩
Id. § 750.539a(2). ↩
See M.C.L. § 750.539c. ↩
State Farm, 575 N.W.2d 331, 333 (Mich. App. 1998). ↩
See M.C.L. § 750.539 ↩