A new $5m lawsuit filed by Kyle Zak of Illinois says Bose unlawfully sold intimate user data to third parties without notice or permission.

The ‘Connect’ app enables extra features for select Bose headsets and speakers in the QuietComfort, QuietControl, SoundLink and SoundSport ranges. It also allegedly violates the US federal Wiretap Act and state laws against consumer fraud. Reuters reports that

After paying $350 for his QuietComfort 35 headphones, Zak said he took Bose’s suggestion to “get the most out of your headphones” by downloading its app, and providing his name, email address and headphone serial number in the process.

Zak’s suit claims that Bose relayed data about listening habits and preferences to companies such as Segment.io, who specialize in data analytics. At a minimum, one would expect Bose to collect lists of songs, audiobooks and podcasts. Even basic analysis of title keywords, let alone lyrics, can yield incredibly intimate insights into personalities, behavior, health conditions, and political or religious beliefs. Crucially, the overarching problem was apparently that

“Customers were not getting notice or giving consent to have this type of data leave their phone to go to Bose, or to third-parties,” said Christopher Dore, a lawyer at Edelson. He added that because a data mining company was picking up the Bose information, the small details of what Zak and others have listened to could have been resold by that company far and wide — but it’s not clear to whom. “We don’t know where the data could have gone after that,” Dore said.

Bose’s PR response on April 20 was, “we’ll fight the inflammatory, misleading allegations made against us […] we don’t wiretap your communications, we don’t sell your information, and we don’t use anything we collect to identify you – or anyone else – by name.”