A recent high-profile breach at a women-focused dating app underscores how quickly a privacy misstep can escalate into lawsuits and reputational harm. The incident offers a cautionary tale for any company handling sensitive user data, especially where promises in a privacy policy do not match actual practices.
What Happened
The hacking incident and subsequent leaking of personal data last month at Tea Dating Advice, Inc. ("Tea"), the company behind the Tea app, triggered a spate of federal class-action lawsuits that have now been consolidated in the Northern District of California.
Tea suffered a breach involving 72,000 user images—including selfies and government IDs—and more than 1 million private messages. Beyond the consolidated federal class actions, the breach has also triggered separate lawsuits under Illinois’ Biometric Information Privacy Act (BIPA).
Plaintiffs allege that Tea misrepresented its privacy protections, promising in its policy to delete authentication data after review, but instead storing it unencrypted and without adequate access controls. They seek recovery under the California Consumer Privacy Act (CCPA), which allows statutory damages without proof of harm.
Why It Matters
Amid the deluge of high-profile data breaches and with regulators, plaintiffs’ attorneys and the public paying closer attention to data-handling practices, companies face significant legal, operational and reputational risks. This incident illustrates that technical safeguards, accurate representations and disciplined data retention practices are essential for risk management.
Action Steps for Businesses
- Secure Sensitive Data – Encrypt, limit access, and audit regularly. Lack of these safeguards can not only cause a breach but also amplify legal exposure.
- Limit Data Retention – Keep only what you need for a defined purpose and securely dispose of the rest.
- Leverage Privacy Practices as a Competitive Advantage – Misrepresentations by a company about its privacy or security practices – such as claiming data will be deleted or used for a limited purpose when that is not the case – are ripe fodder for data protection regulators and potential plaintiffs. By contrast, strategic investments in security measures can help companies build trust with consumers.
- Standardize Compliance – Companies operating in multiple states or countries should implement frameworks that meet requirements across multiple jurisdictions to avoid patchwork pitfalls.
- Learn From Mistakes – After an incident response or near miss, analyze what went wrong and fix vulnerabilities.