IBM Sued Again In Storm Over Weather Channel Data Sharing

IBM has been sued again for allegedly allowing third-party ad partners to collect personal data without consent via videos on its Weather Channel website.

In the absence of a comprehensive federal privacy law, the complaint [PDF] claims Big Blue violated America's Video Privacy Protection Act (VPPA), enacted in 1988 in response to the disclosure of Supreme Court nominee Robert Bork's videotape rental records.

IBM was sued in 2019 by then Los Angeles City Attorney Mike Feuer over similar allegations: That its Weather Channel mobile app collected and shared location data without disclosure. The IT titan settled that claim in 2020. A separate civil action against IBM's Weather Channel was filed in 2020 and settled in 2023.

This latest legal salvo against alleged Weather Channel-enabled data collection takes issue with the sensitive information made available through the company's website to third-party ad partners mParticle and AppNexus/Xandr (acquired by Microsoft in 2022). The former provides customer analytics, and the latter is an advertising and marketing platform.

The complaint, filed on behalf of California plaintiff Ed Penning, contends that by watching videos on the Weather Channel website, those two marketing firms received Penning's full name, gender, email address, precise geolocation, the name, and the URLs of videos he watched, without his permission or knowledge.

It explains that the plaintiff's counsel retained a private research firm last year to analyze browser network traffic during video sessions on the Weather Channel website. The research firm is said to have confirmed that the website provided the third-party ad firms with information that could be used to identify people and the videos that they watched.

The VPPA prohibits video providers from sharing "personally identifiable information" about clients without their consent.

• Intel sued over Raptor Lake voltage instability
• Arecibo telescope might have failed because of weak sockets
• Killer app for AI is still years away, says industry analyst
• Cisco scores a perfect CVSS 10 with critical flaw in its wireless system

The complaint points out that email addresses and geolocation data can be used to identify people.

It also observes that precise geolocation data can be used to "track consumers to sensitive locations, including places of religious worship, places that may be used to infer an LGBTQ+ identification, domestic abuse shelters, medical facilities, and welfare and homeless shelters."

Furthermore, it calls out how location data can be used to "identify which consumers' mobile devices visited reproductive health clinics," which raises the possibility of legal consequences for those seeking healthcare and for providers in some US states.

The lawsuit aspires to be certified as a class action. Under the VPPA, a successful claim allows for actual damages (if any) and statutory damages of $2,500 for each violation of the law, as well as attorney's fees.

VPPA claims have become enough of a thorn in the side of the marketing industry that the Interactive Advertising Bureau, a trade group for marketers, has published a litigation defense guide. It suggests several ways companies can mitigate the legal risk: "(1) removing the tracker from audio-visual materials, (2) obfuscating or removing video title information, (3) taking measures to ensure the information collected is not identifiable, or (4) obtain consent either in real time (upon each video viewed or shared) or in advance (but note that consent expires after 2 years)."

IBM did not respond to a request for comment.

The US Federal Trade Commission has made it clear that ad companies collecting data through SDKs and APIs must obtain valid consumer consent and has pursued enforcement action against alleged scofflaws Avast, X-Mode/Outlogic, and InMarket to make that point.

The watchdog agency, however, may be muzzled under the pending Trump administration, which, according to billionaire backer Elon Musk, plans to fire FTC Chair Lina Khan next year. ®