New Statutes Proposed in the Wake of AP Spying Scandal

Recent news that the U.S. Justice Department obtained telephone records for two months covering more than 100 journalists working for the Associated Press has prompted lawmakers to propose new statutes meant to strengthen protections against the kinds of requests that our Jeff Kosseff described as “undermin[ing]” the “entire Fourth Estate.”


FCC Confirms That Sellers Can Be Liable for Telemarketer TCPA Violations

A seller who authorizes a third-party telemarketer to market the seller’s goods or services may be held vicariously liable if the telemarketer violates the Telephone Consumer Protection Act (TCPA), the Federal Communications Commission held in a May 9 declaratory ruling.

The FCC’s ruling interprets two subsections of the TCPA. The first subsection — 47 U.S.C. § 227(b) — contains several restrictions, including a general prohibition on making calls to landline or mobile telephones using a prerecorded message without the recipient’s prior express consent. Section 227(b)(3) allows individuals or companies to bring private lawsuits “based on a violation of this subsection” or the FCC’s implementing regulations.

A separate portion of the TCPA — 47 U.S.C. § 227(c) — authorizes the FCC to set up a national Do Not Call registry, which the FCC did in coordination with the Federal Trade Commission several years ago. Section 227(c)(5) authorizes private lawsuits by individuals who receive “more than one telephone call within any 12-month period by or on behalf of the same entity” in violation of the Do Not Call rules.

Last week’s declaratory ruling came in response to questions referred to the FCC by two federal courts in two separate TCPA-based lawsuits.


FTC Reminds Mobile App Developers To Comply With Revised Children's Privacy Requirements By July 1

The Federal Trade Commission has sent letters to more than 90 different companies that develop mobile apps that the FTC claims may be directed to children. The letters emphasize that the FTC has not evaluated the apps or the companies’ practices to determine if they comply with the current or revised COPPA Rule. Instead, the letters remind these companies that if their apps collect, use, or disclose children's images and voices, mobile device identifiers, and other types of "personal information," they must bring their apps into compliance with the revised COPPA Rule by July 1, 2013.

The letters were sent to US companies and foreign companies that the FTC claims direct their apps to children in the US. The letters focus on the collection of persistent identifiers and photographs, videos, and audio containing a child’s image or voice. The FTC did not identify the companies receiving the letters, but made templates of the different versions available on its website, including a letter to: (1) US companies with apps that collect persistent identifiers; (2) US companies with apps that collect videos, images, or audio of kids; (3) foreign companies with apps that collect persistent identifiers; and (4) foreign companies with apps that collect videos, images, or audio of kids.

The letters suggest that the FTC could continue to focus attention on kid-directed mobile apps once the revised COPPA Rule takes effect.  In February 2012 and December 2012, the FTC released reports analyzing hundreds of kid-directed mobile apps and concluding that many app developers could be doing more to provide clear and complete notice of their privacy practices.  And earlier this year the FTC entered into a consent decree with mobile app developer Path for alleged COPPA violations.  

AP Spying: An Unprecedented Invasion of the Fourth Estate

In dim Mexican restaurants, behind abandoned schools, and on nameless suburban street corners, I met some of the bravest people that I have ever known.

And I can't tell you the name of a single one of them. 

During my seven years as a professional journalist, these sources gave me information about government corruption, nonprofit mismanagement, and corporate malfeasance.  They had little to gain and much to lose, including their jobs, savings, and freedom.  All they asked was that I promise not to reveal their names, even if compelled by a court.  I obliged, and they took me at my word.

Countless other journalists have made such confidentiality promises for more than a century. Although the journalists faced the prospect of jail, they knew that they could challenge a subpoena in court and force the government to explain why its need for the information outweighs the public interest in maintaining confidentiality.

That entire system collapsed yesterday when it became public that the U.S. Justice Department had obtained call records for more than 20 telephone extensions of Associated Press journalists.


Key Decision in Nike Song-Beverly Litigation

Businesses should take note of this week’s decision in Gormley v. Nike, Inc., a lawsuit under California’s Song-Beverly Credit Card Act, in which plaintiffs allege that Nike violated the Act by requesting ZIP codes from them during credit card transactions in Nike’s retail stores.  Judge Susan Illston of the Northern District of California denied Nike's motion for summary judgment, holding that genuine issues of material fact existed as to whether the plaintiffs reasonably would have perceived Nike’s request for ZIP codes as suggesting that providing that information was a condition of being able to use a credit card.  

Nike argued that the specifications for its point-of-sale (“POS”) software, as well as store policies and procedures, showed that any request for ZIP codes would have occurred after a credit card transaction was complete; thus, no reasonable consumer would have believed that his or her ZIP code was being requested as a condition of being able to use a credit card. However, the court noted that the specifications for the POS software suggested that the software would prompt a cashier to request a ZIP code after the “receipt had started printing.” The court therefore concluded that “under the POS system in place during the relevant time period, it was possible for a cashier to request a customer’s ZIP code prior to giving the customer his or her receipt and merchandise.”

As businesses explore options for complying with Song-Beverly, they should consider the holding of the Nike case. 

Delta succeeds in dismissing California AG's first CalOPPA case

California Attorney General Kamala Harris failed in her first attempt to sue a company for failing to post a privacy policy on a mobile app.

Harris alleged that Delta Airlines violated the California Online Privacy Protection Act (“CalOPPA”) by failing to include a privacy policy on its mobile app. The lawsuit, in the California Superior Court in San Francisco, was the first enforcement action under CalOPPA since it came into force in 2004. 

On Thursday, the district court granted Delta’s motion to dismiss the complaint, concluding that the Airline Deregulation Act (ADA) pre-empts the state’s claims. The ADA provides that “a State….may not enact or enforce a law, regulation, or other provision having the force and effect of law related to a price, route, or service of an air carrier.” Courts have construed the scope of preemption by the ADA broadly, and the majority of courts which have considered the issue have held that the ADA preempts the application of state consumer protection laws to airlines. See Morales v. Trans World Airlines, 504 U.S. 374 (1992). The judge decided that the operation of a mobile app for air travel services is “related to price, route or service of an air carrier” and thus agreed with Delta’s argument that the California AG’s claim is pre-empted.


Cyber Theft Bill Introduced by Bipartisan Group of Senators

On Tuesday, Senators Carl Levin (D-MI), John McCain (R-AZ), Jay Rockefeller (D-WV), and Tom Coburn (R-OK) introduced the “Deter Cyber Theft Act.”

The Act would require the Director of National Intelligence (“DNI”) to provide relevant congressional committees with an annual report on “foreign economic and industrial espionage in cyberspace.” The report would require the DNI to identify “foreign countries that engage in economic or industrial espionage in cyberspace with respect to trade secrets or proprietary information owned by United States persons” and “priority foreign countries”—those countries that the DNI “determines engage in the most egregious economic or industrial espionage in cyberspace.” The bill specifies that the DNI must identify foreign countries pursuant to the Act if the foreign government “engages in economic or industrial espionage in cyberspace with respect to trade secrets or proprietary information owned by United States persons” or “facilitates, supports, fails to prosecute, or otherwise permits such espionage by” its citizens or residents or entities organized under its laws or subject to its jurisdiction.


European Commission Proposal for Data Protection Regulation Delayed Again

An important vote in the European Parliament has been postponed for the second time. The vote of the LIBE committee, the lead committee for the proposed EU General Data Protection Regulation, which was initially scheduled for the end of April, had already been postponed until the end of May 2013 (see InsidePrivacy European Parliament's Lead Committee for the Proposed EU General Data Protection Regulation Postpones Vote, March 21, 2013).

Now, Mr. Albrecht, the rapporteur for the proposal in the European Parliament, has announced that in view of the huge number of proposed amendments, the May date is no longer tenable. A new date for the vote has not yet been scheduled, but Mr. Albrecht still aims at voting on the proposed Regulation before the summer break. Despite some progress made, numerous compromises still have to be struck before the European Parliament can start negotiations with the Council, which also still has to agree on a common position.

Craigslist wins first step against screenscrapers - lesson for drafting TOUs

On April 29, Craigslist was successful in fighting off a motion to dismiss filed by three screenscraping sites (3Taps, Padmapper and Lovely) in its pending litigation in the Northern District of California. In Craigslist Inc. v. 3Taps Inc., No. CV 12-03816 (N.D. Cal.), Craigslist sued these sites, alleging that their scraping of Craigslist content violated the federal Computer Fraud and Abuse Act (and the Act’s California analogue), the Copyright Act, and the Lanham Act, and constituted a trespass to chattels. Although not all of Craigslist’s claims survived the defendants’ motion to dismiss, its claims under the Computer Fraud and Abuse Act, some copyright claims, the reverse passing off claim, and the trespass claim did satisfy the required facial plausibility standard.

The decision adds to the growing case law around screenscraping, and serves as a timely reminder that the language of a Web site’s terms of use (TOU) is an important factor in such cases. In this case, Craigslist faces questions over whether it has standing to sue for copyright infringement because of the drafting of the content license in the Craigslist TOU. The license grant provision in the Craigslist TOU is arguably ambiguous as to whether it provides for an “exclusive” license from users to Craigslist. Citing Ninth Circuit case law, the order noted, “[O]nly the owner of an exclusive right under the copyright is entitled to sue for infringement.” TOUs are often drafted with a non-exclusive license to user-created content or with ambiguity as to exclusivity, and thus some Web site owners may lack sufficient standing to bring copyright infringement claims in relation to some of the content on their sites. Of course, it may not always be appropriate to request an exclusive license from users, but it is a question that all Web site owners should consider when preparing or maintaining their TOU.

FTC Votes To Retain July 1 Compliance Date for Revised COPPA Rule

The Federal Trade Commission (FTC) has voted unanimously to retain the July 1, 2013 effective date for its revisions to the rule implementing the Children’s Online Privacy Protection Act (COPPA).  As we previously wrote, the FTC adopted significant revisions to the COPPA rule in December 2012 and established a July 1, 2013 effective date.  In recent weeks, nineteen consumer groups signed a letter opposing any delay in the effective date, while approximately twenty industry associations signed a letter arguing in favor of extending the effective date.  In late April, the FTC published updated Frequently Asked Questions on its website to provide additional guidance for complying with the revised COPPA rule.

Today, the Commission responded to the industry associations’ letter and informed them that it would retain the July 1, 2013 effective date.  The Commission acknowledged that the revised rule “does impose new obligations on child-directed sites and services,” but explained that, “in selecting an effective date of July 1, 2013, the Commission determined that six months would be adequate time for such operators to assess whether third parties collect personal information through their site or service.”    

Although the Commission did not extend the effective date, it did pledge to “exercise prosecutorial discretion in enforcing the Rule, particularly with respect to small business that have attempted to comply with the Rule in good faith in the early months” following July 1.