X Corp faces Dutch privacy class action over MoPub data trading

Make way for another Dutch class action privacy damages lawsuit -- this one targeting the company formerly known as Twitter (now X Corp); and MoPub, the mobile ad platform it used to own (before selling it to AppLovin at the start of last year), which is accused of "illegal trafficking" of millions of app users' personal data.

While X no longer owns MoPub it was the owner and operator of the mobile adtech during the period the litigation targets -- including several years when the EU's General Data Protection Regulation (GDPR) was in application.

The suit, which is an opt out (rather than an opt in) class claim, alleges the MoPub adtech platform unlawfully tracked app users, collecting people's data as they used third party software such as games, period trackers and dating apps, and then sharing/trading what could be very sensitive personal data on users with scores of companies without the individuals' knowledge or consent -- something the plaintiffs contend is a clear violation of the GDPR.

The pan-EU data protection regime regulates how people's information can be processed -- putting an obligation on companies to have a valid legal basis for any operations they carry out that involve personal data.

The plaintiffs in the suit are seeking compensation from X Corp on behalf of 10 million Dutch adults and one million children who are estimated to have used apps which embedded MoPub's trackers (circa 30,000 free apps). They also want unlawfully collected data to be deleted.

"Between [October] 2013 and [December] 2021, advertising platform MoPub and X Corp (formerly known as Twitter) unlawfully collected and exchanged user data from over 30,000 free mobile applications in the Netherlands. In addition to Wordfeud, Buienradar, Vinted, Shazam and Duolingo, these included numerous fitness apps such as MyFitnessPal, menstruation apps, dating apps such as Grindr and Happn, games for children such as My Talking Tom and apps centered on the Bible or apps targeting Muslims," they wrote in a press release.

"For eight years, even if users never sent a tweet, the free apps enabled X. Corp and MoPub to collect and share their personal data. Consumers did not know with whom and for what purpose X. Corp and MoPub did so. For example, MoPub shared personal data and data about sexual orientation, child desire or religious beliefs on the ad market. This data was then traded on to thousands of parties. They collected far more information than necessary, violating the most important law surrounding the protection of personal data: the GDPR."

The litigation against X Corp, which begun proceedings today via a summons issued at a court in Rotterdam, is being brought by a not-for-profit data protection foundation, called Stichting Data Bescherming Nederland, (SDBN).

Discussing the suit in a phone call, SDBN's president, Anouk Ruhaak, pointed to an enquiry undertaken in recent years by Norway's data protection authority into the gay dating app Grindr, which drew on an earlier investigation of third party apps conducted by Norway's Consumer Council that had uncovered evidence of widespread and "unexpected" data sharing -- including with MoPub.

"Grindr collects massive amounts of data, it's quite concerning, but MoPub was one of the ways in which they do that. And so that's how this came to light. It was kind of known by the regulator already. It just hasn't been well regulated," she explained. "[Our claim it that it's] absolutely impossible to even get meaningful consent for this. They also, in many cases, didn't even try. But meaningful consents would be giving a list of all the companies you're about to share the data with, to the user, and that goes into the 1000s. So yeah, that's not possible.

"Every individual app may have had terms and conditions that said something about data being shared. But those were hosted by the app. Whereas the collector of the data is not the app, it's MoPub. And so even if the app developer themselves have mentioned we installed MoPub and they may be collecting data, MoPub is a controller here, and so they have an obligation, for themselves, to also check that consent has been given -- and they've never done that. So just that on its own is a massive violation of GDPR. The fact that it's then been shared out to 1,000s of companies that user was unaware of, of course, that's another violation."

"Our goal is really to fix a broken internet and to uphold privacy rights," Ruhaak also told TechCrunch. "My sense is -- and I may be very wrong about this -- but my sense is unless it becomes too expensive to violate the GDPR companies will continue to violate it."

Should the suit prevail, she suggests damages could be in the order of several billion euros -- i.e. if individuals are awarded a few hundred euros apiece. Although she said it's hard to predict how high damages might go given some "uncharted territory".

"Regarding the damages, this is still a little bit of uncharted territory -- we haven't seen these kinds of class actions play out all the way through the higher courts. However, in individual cases, where individual claimants went to court, we see judges award anywhere between €250 and €500 per person," she noted. "So it could potentially put some actual pressure on companies like X Corp."

The legal process could also take several years -- SDBN says it does not expect a ruling until 2026 at the earliest -- assuming X Corp does not seek to settle the suit. (X Corp was contacted via email about the lawsuit. In what appears to be an automated response it sent the following message: "Busy now, please check back later.")

Per Ruhaak, X did engage in some "back and forth" with the plaintiffs initially, seeking more information and seeming open to talks on a possible settlement. But the now Elon Musk-owned company subsequently withdrew the offer to talk -- "and that's when we decided to go to court", she added.

The legal action against X is being funded by a London-based global alternative asset manager called Orchard Global Capital Group. SDBN also has another privacy class action against Amazon in train (that one funded by US-based Longford Capital Management Group). Ruhaak told TechCrunch a third strategic litigation is underway although it's not releasing any details of that yet.

"We started this foundation with the goal to do strategic litigation but not necessarily just class actions," she said. "At the moment, we have two class actions in process, and then we have a third one that I can't really talk about it yet -- that will probably launch very soon... We're also looking into other ways to do strategic litigation, for instance, through injunctions."

Yesterday we reported on a separate class action-style suit targeting Google's adtech in the Netherlands that's seeking compensation for alleged breaches of the bloc's GDPR. Meta's adtech is also facing class-action privacy litigation in the Northern European market.

More privacy suits are likely to follow in the Netherlands, especially, as litigation funders spot opportunities to cash in thanks to a new opt-out class action regime the country brought in when it implemented an EU directive on collective redress. (Other EU Member States may apply the directive differently so the bloc could end up with a patchwork of more and less class action-friendly countries.)

Similar foundations to SDBN are popping up behind other Dutch privacy damages suits. Per Ruhaak, that reflects requirements in the local law to ensure people's interests are well represented within the class -- and she said raising awareness about the privacy violations is a key piece of the work they're undertaking.

All these suits share the stated goal of not only obtaining compensation for consumers affected by the alleged privacy violations but forcing reform of privacy-hostile adtech business models which operate by tracking and profiling web users at vast scale.

While complaints against consentless adtech are nothing new in the EU, and some were even lodged with data protection regulators the very moment the GDPR entered into application (back in May 2018), it's fair to say enforcement against surveillance ads has been slow and painstaking -- meaning widespread and even systemic flouting of the EU's data protection framework has the been left to continue unchecked in the meanwhile.

For example, it was only at the start of this year that a major GDPR decision against Meta's tracking and profiling of web users was handed down for lacking a proper legal basis. After that the tech giant took a few months to switch to another legal basis (still not consent) -- which the EU's top court has since stipulated is unlawful for its purpose. And despite years of privacy complaints and a string of decisions and rulings Meta continues to operate services in the EU that track and profile web users for ad targeting by default, without asking permission.

In August the adtech giant did finally announce it intends to switch to consent for the ad processing -- but has yet to do so.

This ongoing lack of enforcement on Meta's consentless ads has led to a recent intervention by Norway's DPA which banned it from running tracking ads without consent locally. Meta's response to that? Not to comply with the ban; rather it sued to try to obtain an injunction against it...

Asked whether the growing wave of privacy class actions in the EU is a response to the failure of regional data protection regulators to rein in privacy-hostile adtech business models, Ruhaak suggested both tracks -- regulatory enforcement and privacy litigation -- have a place.

"The regulator's portion of this is that they can investigate and they can hand out fines. But that doesn't compensate people for the loss they have incurred, or the violation of their privacy rights. And so that's where we come in," she suggested. "In addition to that, we often find that the regulator is incredibly overwhelmed by the enormous amount of work to be done on this. And so the enforcement of privacy rights is often not perfect. And so that's, I think, another role for us... [to] come in and do another part."

"That's something we really saw in, for instance, the Amazon case that we launched in June -- where the regulator in Luxembourg already fines Amazon for almost the exact same violations and Amazon has to pay that fine but has also continued doing things that they were fined for. And so that is an opportunity for us to come in and be like, okay, if that wasn't enough, we will launch our own class action and put additional pressure on Amazon to change the way it's doing data collection and storage."

This report was updated to correct a reference to Orchard Global Capital Group after we were initially told it was a London-based private equity firm -- actually it's a global alternative asset manager