Pandora’s Box Opened Over Privacy

I came across two seemingly unrelated items today that actually go together like peanut butter and chocolate. The first is this class action complaint recently filed in California against Pandora Media, Inc. Pandora is a music site that analyzes the music you like (using some sort of process that I don’t understand) and makes recommendations of other artists whose music is similar. It’s pretty cool. But the complaint alleges that Pandora’s use of user information is decidedly uncool. And worse yet, the complaint says that the way Pandora uses that information violates Pandora’s own privacy policy. According to the complaint, here’s what Pandora’s privacy policy says:

We also may use and share non-personally identifiable information, such as general demographic or location information, or information about the computer or device from which you access the Service. The use and disclosure of such information is not subject to any restrictions under this Privacy Policy. Additionally, we may de-identify personally identifiable information and share it in a de-identified or aggregated form with third parties, advertisers and/or business partners in order to analyze Service usage, improve the Pandora Services and your listener experience, or for other similar purposes.

But, according to the complaint, Pandora’s mobile app is integrated with any number of “advertising libraries” that gather lots of personally identifiable information. The complaint also notes that Pandora shares each user’s “unique device identifier” or “UDID.” According to the complaint, this is a dangerous combination. We will see what comes of this case. It will no doubt have a “yes UDID”; “no we didn’t” quality to it.

And that brings us to the other item that caught my attention. It’s a piece from PC World that advocates writing privacy policies that people can understand. It also links to the first truly honest privacy policy, which is very well done. But the point is worth considering. Maybe the best way to avoid being a class action defendant is to lay out in clear English what information you collect and what you do with it. Oh, and it will help if you, you know, actually follow that policy.