IBM's Weather Company leaked my personal info to analytics, thunders netizen

A lawsuit brought against IBM's Weather Company claims the website "knowingly and willfully disclosed its users’ personally identifiable information – including a record of every video viewed by the user – to unrelated third parties, mParticle and AdNexus," now known as Microsoft's Xandr.

The complaint [PDF], filed in June in a federal district court in New York City, was amended this week to address deficiencies in the original filing. It alleges violations of the Video Privacy Protection Act (VPPA), of the Maryland Wiretapping And Electronic Surveillance Act, and unjust enrichment.

Plaintiff Lisa Addi, a resident of Maryland, claims that when visiting weather.com in May and June, her "full name, gender, e-mail address, precise geolocation, the name of the videos she watched, and the URLs of videos she watched – which listed the name of the video – were disclosed by [IBM's Weather Company] to third parties, mParticle and AdNexus/Xandr."

This is the basis for the alleged violation of the VPPA, passed in 1988 after Supreme Court nominee Robert Bork's video rental history was published. Congress has yet to enact a comprehensive federal privacy law and so many recent online privacy claims have sought redress under the VPPA, for lack of options.

• IBM sells off cloud business – yes, we mean Weather.com
• Apple dev roundup: Weather data meets privacy, and other good stuff
• IBM says GenAI can convert that old COBOL code to Java for you
• IBM launches Watsonx to help enterprises streamline workers out the door

According to the National Law Review, there were at least 70 VPPA violations alleged last year against websites that offer online videos and use third-party tracking and analytics tools. Some of these cases have been dismissed, others have not.

A federal case in New York, Martin v. Meredith Corporation et al, involving website data collection via Facebook Pixel was dismissed earlier this year because the video title was not disclosed – a necessary element for a VPPA claim. Thus, Addi's lawsuit explicitly states that URLs passed to IBM's analytics partners included the name of the video viewed.

The complaint against IBM also asserts this information was "intercepted in real time" by the third-party ad firms, forming the basis of the wiretapping claim.

A 2022 decision by the US Ninth Circuit Court of Appeals in Javier v. Assurance IQ, LLC and ActiveProspect Inc. [PDF] held that certain uses of online tracking technology without prior consent may violate California's wiretapping laws.

Whether that applies to Maryland law remains to be seen. In 2021, a Florida court said in Jacome v. Spirit Airlines that the Florida Security of Communications Act doesn't apply to session replay software used for website analytics.

The complaint against IBM, which announced the sale of the Weather Company in August, says that the law firm representing Addi hired a private research company to review the website and its data transmission. The firm claims to have observed that mParticle receives: Video Name, URL, Playlist, Geolocation, Gender, Name, and Advertising ID. And AdNexus/Xandr is said to receive the same but without the URL or Playlist.

mParticle, and Microsoft did not immediately respond to requests for comment.

An IBM spokesperson told The Register, "The Weather Company is fully committed to user privacy. We comply with all applicable privacy laws and regulations, and monitor upcoming ones to help ensure compliance. We are transparent about how we collect and use data in order to provide our services, and we provide users with this information in our Privacy Policy, privacy settings and notices on our apps and websites."

The sale of the Weather Company is expected to close by the end of Q1 2024. ®