Last week, toymaker Mattel announced that it was not moving forward with its Aristotle product, which has been described as a “kid-focused smart hub.” The device was an artificial intelligence babysitter that could “switch on a night light to soothe a crying baby [and] was also designed to keep changing its activities, even to the point where it could help a preteen with homework.”  This is not the first time that Mattel has struggled with the integration of technology into its products.  Mattel’s product development was scrutinized a couple of years ago when it announced its “Hello Barbie,” which contained an embedded microphone in the doll’s belt, to record a child’s response to the doll’s questions. The child’s responses were then sent back to Mattel through the doll’s WiFi capabilities.  Mattel released the doll and had to immediately go on the defense of integrating this technology into its toys.

Mattel’s decision to not move forward with the Aristotle shows how much the climate for products that provide pathways into our homes and personal lives has changed in the last few years. That is, recent litigation and legislation have made it clear to many companies that the risk of holding customers’ personal data may not be worth the damage done if they fail to protect that data.

A court’s decision from last week provides further evidence of how rapidly the climate is changing for the commercial storage of personal data.  Rent-to-own stores, and the relationship they share with their customers, have been the subject of a substantial amount of privacy litigation.  For example, on October 28, 2015, we addressed an insurance coverage case involving a rental store’s tender of its defense of two lawsuits under three primary insurance policies and three umbrella policies. The underlying complaints in those cases involved allegations that Aspen Way installed software on its computers that it rented out to monitor their use.  Specifically, it was alleged that Aspen Way used this software, which could secretly monitor users by taking pictures and monitoring keystrokes, to help it repossess computers when its customers defaulted on their lease agreements.

On October 3, 2017, the District Court for the Northern District of Georgia revisited the thorny privacy issues presented when rent-to-own stores install this monitoring software.  In Peterson v. Aaron’s, 2017 WL 4390260 (N.D. Ga. Oct. 3, 2017), the plaintiffs obtained computers for their law firm that they allege had software allowing Aaron’s to obtain their private information without their consent.  The Complaint filed in this litigation contained allegations that Aaron’s worked with a third-party developer that allowed Aaron’s “to locate and shut down a computer in the event of theft or missed payment.”  The Plaintiffs claim they were unaware this software was installed on their computers.

Aaron’s filed a motion for summary judgment which was granted based on the following reasoning:

  • Standing:  A seen in a number of privacy cases, the first and most burdensome hurdle for plaintiffs is whether they have standing to bring suit based under Spokeo v. Robins, 136 S. Ct. 1540, 1543 (2016). Here, the District Court, as seen with a number of other decisions in data breach and related cases, found a plaintiff must show (1) that they have suffered an “injury-in-fact;” (2) that there is a causal connection between the injury and the defendants’ alleged actions; and (3) that the injury will be redressed by a favorable decision.

In applying the Spokeo standard, the District Court first found one of the plaintiffs did not meet this standard when he was not on the lease for the laptop and, therefore, was found not to have a “legally protected interest.” The District Court found the plaintiff that leased the computer suffered harm when the computers were put into “Detective Mode” which logged screenshots and keystrokes. Consequently, at least one of the plaintiffs was able to establish standing and survive Aaron’s motion on this point.

  • Intrusion Upon Seclusin Claim: While applying Oklahoma law (where the plaintiff was located when he was allegedly injured) the plaintiff was required to prove that there was “(1) an intrusion upon his privacy, and (2) that a reasonable person would find it highly offensive.”

Aaron’s argued it is entitled to judgment because there was no intrusion on the plaintiff’s property because the plaintiff did not have a reasonable expectation of privacy in his computer because the computer was leased for a business and was not intended for personal uses. The District Court rejected Aaron’s position that there are no property rights for lessees because “[a] lessee in possession of property expects reasonably similar levels of privacy as an owner.” The District Court also found the fact that the computer was used by employees for business purposes (“employees have less privacy expectations”) to be irrelevant since the plaintiff himself used the computer in addition to other employees. Lastly, the District Court rejected Aaron’s argument that the plaintiff waived his expectation of privacy since he was in default on his lease of the computer.

The District Court also found sufficient evidence that a reasonable person would find the monitoring of the laptop to be offensive.

  • Aiding and Abetting: In finding the plaintiff may be able to meet the elements of an intrusion upon seclusion claim, the plaintiff must also show Aaron’s had the requisite knowledge about this conduct.

Here, Aaron’s franchises made the decision to monitor the laptops. Therefore, to hold Aaron’s liable, the plaintiff must show Aaron’s had knowledge of the alleged wrongful conduct. The District Court found the plaintiff failed to show Aaron’s had the requisite knowledge that its franchisees monitored the plaintiff’s laptop. On this point, the District Court granted Aaron’s motion for summary judgment.

It is important to note that Aaron’s only escaped liability because it did not monitor the customers.  The franchisers may still be found liable for monitoring customers.  Even though Aaron’s was entitled to judgment in this case when it was found Aaron’s did not have the requisite amount of knowledge that its customers were being monitored, the growing body of privacy law appears to be having a direct impact on product development for many American companies.   For example, in speaking about the decision concerning Mattel’s Aristotle this week, Mattel publicly stated the the decision was made by the company’s new chief of technology officer that “conducted an extensive review of the Aristotle product and decided that it did not fully align with Mattel’s new technology strategy.”  Now more than ever, companies are having to determine if developing products using this technology is worth the amount of safeguards that must be in place once these products have gathered customers’ personal data.