Affiliate Disclosure
If you buy through our links, we may get a commission. Read our ethics policy.

Apple facing class action lawsuit over alleged iTunes & Apple Music data sale

Residents of Rhode Island and Michigan lead the suit, which maintains that Apple profits unjustly by releasing what users play in iTunes and on Apple Music to other companies, and also allowing third-party app developers direct access to what tracks are in users' iTunes library.

A class action suit has been filed against Apple in the US District Court, Northern District of California, on behalf of all Apple users, by three residents of Rhode Island and Michigan. Leigh Wheaton, Jill Paul and Trevor Paul, claim that Apple profits from releasing the extensive demographic data it has about its users, their full names, ages, and addresses, plus their history of music listening preferences.

The suit is pegged to Apple's recent Las Vegas billboard promoting privacy. "The statement on the billboard is plainly untrue, however," says the filing, "because... none of the information pertaining to the music you purchase on your iPhone stays on your iPhone."

Lawyers for the plaintiffs are seeking $250 for Wheaton and every user allegedly affected, plus $5,000 to the complainants. The suit does not establish how many people would be involved beyond "tens of thousands", but the filing says that the "aggregate amount in controversy exceeds $5,000,000."

To support the claim that Apple "sells, rents, transmits and/or otherwise discloses, to various third parties" this information, the suit includes details of such information being available to buy. Significantly, the data is not sold by Apple nor limited to it.

"For instance," says the suit, "the Personal Listening Information of 18,188,721 'iTunes and Pandora Music Purchasers,' residing across the United States (including in Michigan and Rhode Island), is offered for sale on the website of Carney Direct Marketing."

Screenshot of broker firm CDM's apparent sale of iTunes user data (source: court filing)

A second company, SRDS, is cited as offering the same information, which consists of highly detailed demographic data.

Separately, the case claims that Apple provides data to iOS developers. "For example, using the MPMediaQuery.songsQuery() function of the MediaPlayer Framework API," continues the suit, "developers are able to grant themselves access to metadata that identifies the titles of all of the songs that a particular user of their application has purchased on iTunes."

To support this, the plaintiffs detail how on January 13, 2016, iOS developer Ben Dodson filed a bug report to Apple saying that the current system could allow details of a user's entire music database to be revealed. Dodson wrote about his bug report on his blog at the time.

According to the lawsuit, this bug was not addressed by Apple until eight months later "on or about September 13, 2016," when iOS 10 was released. It further says that Apple then effectively just included a notice informing users that their data would be used this way.

Apple has not yet commented on the lawsuit.