598 F.Supp.3d 82
S.D.N.Y.2022Background
- Triller, Inc. operates a short-form video social app that requires account creation to post/like/comment; sign-up screen displays small hyperlinks to Terms of Service and Privacy Policy but does not force users to view them.
- Triller’s Privacy Policy discloses collection of "Personal Information" and "Usage Information," including videos viewed/liked, device identifiers, IP, and that it may share traffic/content-interaction data with third parties.
- Plaintiff Tamara Wilson (Illinois resident) used the app ~6 months (viewed, liked, commented) and alleges Triller assigns anonymized UIDs and transmits those UIDs plus viewing/profile/device data to Facebook and Appsflyer, which can allegedly re-identify users by combining data.
- Wilson sued on behalf of classes asserting claims under the CFAA, the VPPA (disclosure and retention), unjust enrichment, and the Illinois Consumer Fraud Act; Triller moved to dismiss under Rule 12(b)(6).
- The Court dismissed the CFAA claim with prejudice; dismissed the VPPA disclosure claim without prejudice but the VPPA retention (§2710(e)) claim with prejudice; dismissed unjust enrichment without prejudice; dismissed ICFA without prejudice.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| CFAA: whether Triller "exceeded authorized access" | Wilson: Triller installed/app contained code collecting more data than users expected and thus exceeded authorization by accessing device/computer data. | Triller: it collected data from app interactions with its own servers, not by accessing off-limits areas of the user’s device; misuse of data ≠ CFAA violation. | Dismissed with prejudice — no plausible allegation Triller accessed areas of a device "off limits" under Van Buren. |
| VPPA (disclosure): whether disclosed data is "personally identifiable information" (PII) | Wilson: even if anonymized, shared UID + viewing/profile/device data foreseeably allowed Facebook/Appsflyer to re-identify users; adopts recipient-dependent (Yershov) approach. | Triller: shared data was anonymized and not PII; adopting broad recipient-dependent standard would make PII limitless. | Dismissed without prejudice — pleadings fail to allege that the disclosed data actually identified Wilson or that her profile contained re-identifying info. |
| VPPA (retention §2710(e)): whether §2710(e) creates private remedy/injunctive relief | Wilson: alleges unlawful retention and seeks relief. | Triller: §2710(e) does not create a private cause of action; only §2710(b) contains liability language. | Dismissed with prejudice — no private right of action under §2710(e); injunctive relief not available absent statutory intent. |
| Unjust enrichment: whether contract bars quasi-contract claim | Wilson: she was unaware of/did not assent to Terms because links are inconspicuous; dispute over whether a contract formed. | Triller: Terms (including privacy disclosures) were conspicuous on sign-up and form a binding contract covering data collection/sharing, barring unjust enrichment. | Dismissed without prejudice — court finds Terms sufficiently conspicuous under Second Circuit precedent (Meyer) so contract likely governs, but plaintiff may amend to challenge formation. |
| Illinois Consumer Fraud Act (ICFA): whether ICFA applies | Wilson: alleges Illinois residence and online use implicates ICFA. | Triller: ICFA is not extraterritorial; plaintiff has insufficient Illinois contacts for the transaction. | Dismissed without prejudice — plaintiff pled only residency; insufficient allegations that the transaction occurred primarily and substantially in Illinois. |
Key Cases Cited
- Van Buren v. United States, 141 S. Ct. 1648 (2021) (statutory interpretation of "exceeds authorized access" under the CFAA)
- Yershov v. Gannett Satellite Info. Network, Inc., 820 F.3d 482 (1st Cir. 2016) (adopts broader, recipient-focused definition of VPPA PII)
- In re Nickelodeon Consumer Priv. Litig., 827 F.3d 262 (3d Cir. 2016) (adopts narrower, ordinary-person identification standard for VPPA PII)
- Eichenberger v. ESPN, Inc., 876 F.3d 979 (9th Cir. 2017) (discusses scope of VPPA PII and statutory meaning of "identifiable")
- Meyer v. Uber Techs., Inc., 868 F.3d 66 (2d Cir. 2017) (analyzes conspicuousness of app-based notice and assent to terms)
- Nicosia v. Amazon.com, Inc., 834 F.3d 220 (2d Cir. 2016) (examples of insufficiently conspicuous online contract notice)
- Sterk v. Redbox Automated Retail, LLC, 672 F.3d 535 (7th Cir. 2012) (statutory structure indicates VPPA private remedy limited to disclosure provision)
- Lexmark Int’l, Inc. v. Static Control Components, Inc., 572 U.S. 118 (2014) (framework for determining whether statute creates a private cause of action)