A federal judge allowed a class-action lawsuit alleging Bose collected and shared data about its headphone users to proceed last week on the basis of deceptive advertising. The decision underscores the risks that internet of things (IoT) businesses can face if they fail to accurately communicate to consumers how a mobile app or smart” product collects and uses personal data.

At issue in the case is an allegation that Bose offered a companion app for its wireless headphones that collected and transmitted data about consumers and their listening habits to a third-party data miner without consumers’ knowledge or consent.”

While Bose apparently advertised the app as an enhancement to its headphones that enables a user to unlock additional features and functions, the consumer complaint alleged that Bose deceptively siphoned data about what a consumer was listening to, using the data to profile the consumer and share the information with third parties. In effect, the complaint accused Bose of intercepting communications between music streaming services and the consumer in violation of the federal Wiretap Act and an Illinois eavesdropping statute.

In her decision, Judge Andrea Wood of the US District Court for the Northern District of Illinois dismissed the majority of the claims against Bose, including the allegation that Bose had violated wiretapping laws, because the app is in fact a known participant in—and intended recipient of—the communication….” By activating the app, the consumer effectively invites the app to join the conversation, even if the implications are not fully known or intended.

By contrast, Judge Wood accepted the allegation in the consumer complaint that Bose may have deceptively omitted material information about the app, contravening the Illinois Consumer Fraud and Deceptive Practices Act.

The allegation against Bose, whether or not ultimately proven, emphasizes the importance of upfront, transparent communications with consumers about how an IoT product or service linked to the internet collects, shares, and monetizes personal information. The case adds another data point that even if a data practice is not strictly illegal based on traditional privacy laws like the Wiretap Act, it can give rise to other consumer protection based claims, including in the form of class action lawsuits and regulatory scrutiny.

For a refresher on how mobile app providers can comply with consumer protection laws, visit the Federal Trade Commission’s Marketing your Mobile App guide.