Delta succeeds in dismissing California AG's first CalOPPA case

California Attorney General Kamala Harris failed in her first attempt to sue a company for failing to post a privacy policy on a mobile app.

Harris alleged that Delta Airlines violated the California Online Privacy Protection Act (“CalOPPA”) by failing to include a privacy policy on its mobile app. The lawsuit, in the California Superior Court in San Francisco, was the first enforcement action under CalOPPA since it came into force in 2004. 

On Thursday, the district court granted Delta’s motion to dismiss the complaint, concluding that the Airline Deregulation Act (ADA) pre-empts the state’s claims. The ADA provides that “a State….may not enact or enforce a law, regulation, or other provision having the force and effect of law related to a price, route, or service of an air carrier.” Courts have construed the scope of preemption by the ADA broadly, and the majority of courts which have considered the issue have held that the ADA preempts the application of state consumer protection laws to airlines. See Morales v. Trans World Airlines, 504 U.S. 374 (1992). The judge decided that the operation of a mobile app for air travel services is “related to price, route or service of an air carrier” and thus agreed with Delta’s argument that the California AG’s claim is pre-empted.

Craigslist wins first step against screenscrapers - lesson for drafting TOUs

On April 29, Craigslist was successful in fighting off a motion to dismiss filed by three screenscraping sites (3Taps, Padmapper and Lovely) in its pending litigation in the Northern District of California.  In Craigslist Inc. v. 3Taps Inc., No. CV 12-03816 (N.D. Cal.), Craigslist sued these sites, alleging that their scraping of Craigslist content violated the federal Computer Fraud and Abuse Act (and the Act’s California analogue), the Copyright Act, and the Lanham Act, and constituted a trespass to chattels.  Although not all of Craigslist’s claims survived the defendants’ motion to dismiss, its claims under the Computer Fraud and Abuse Act, some copyright claims, the reverse passing off claim, and the trespass claim did satisfy the required facial plausibility standard.

The decision adds to the growing case law around screenscraping, and serves as a timely reminder of the fact that the language of a Web site’s terms of use (TOU) is an important factor in such cases.  In this case, Craigslist faces questions over whether it has standing to sue for copyright infringement because of the drafting of the content license in the Craigslist TOU.  The license grant provision in the Craigslist TOU is arguably ambiguous as to whether it provides for an “exclusive” license from users to Craigslist.  Citing Ninth Circuit case law, the order noted, “[O]nly the owner of an exclusive right under the copyright is entitled to sue for infringement.”  TOUs are often drafted with a non-exclusive license to user created content or with ambiguity as to exclusivity, and thus some Web site owners may lack sufficient standing to bring copyright infringement claims in relation to some of the content on their sites.  Of course, it may not always be appropriate to request an exclusive license from users, but it is a question that all Web site owners should consider when preparing or maintaining their TOU.

ECPA Reform Bill Sails Through Senate Judiciary Committee

Yesterday, a bill that would reform the Electronic Communications Privacy Act of 1986 ("ECPA") was approved by the Senate Judiciary Committee on a voice vote. Under ECPA, as it currently stands, police need only a subpoena, issued without approval by a judge, to access private e-mails that have already been opened or that are more than 180 days old. Under the reform bill, which was sponsored by Committee Chairman Patrick Leahy (D-Vt.) and Senator Mike Lee (R-Utah), police would have to obtain a search warrant before requiring providers of electronic communications services to provide them access to e-mails and other private online content, including Facebook messages.

Privacy advocates, including public interest organizations and Internet businesses, have long urged Congress to update ECPA to bring it in line with the myriad technological changes that have taken place since its enactment nearly 30 years ago, as well as consumers' evolving expectations of privacy in their electronic communications. A statement by Computer & Communications Industry Association president and CEO Ed Black reflects that widespread position: "This is a long overdue step toward bringing our online privacy laws closer to both our existing Fourth Amendment protections and our reasonable expectations for privacy. . . . Most people don't realize that six-month-old emails have different levels of privacy protection than newer emails." The Internet Association, an organization of prominent Internet businesses including Facebook, Google, and eBay, called the Senate Judiciary Committee's passage of the ECPA reform bill "a significant step in safeguarding the privacy of users' electronically stored content." The passage of the bill through the Judiciary Committee on a voice vote bodes well for its chances of being passed by the full Senate.

FTC Releases Revised COPPA FAQs: Here's What's New

The Federal Trade Commission has released its much anticipated revised COPPA FAQs.  Although these FAQs are not legally binding, they provide informal guidance to industry on staff's interpretations of the COPPA Rule. 

For the most part, the FAQs reiterate past guidance and emphasize key provisions of the new COPPA Rule and its Statement of Basis and Purpose.  However, here are 5 key things that the revised COPPA FAQs clarify:

  1. Operators are not legally required to obtain parental consent for certain information that was collected before the effective date of the new COPPA Rule and that was not considered “personal information” under the original COPPA Rule.  Specifically, parental consent is not required for the following categories of information that were collected before July 1, 2013:  (1) photos, videos, and audio files containing a child's image or voice; (2) screen or user names that function as online contact information (unless the operator combines them with new information after July 1, 2013); and (3) persistent identifiers (unless the operator continues to collect the persistent identifiers or combines them with new information after July 1, 2013).  (FAQ 4)
  2. Operators of child-directed sites and online services that do not target children as their primary audience may not block children from participating in the site or service altogether, although the operator may offer different activities to users based on age. (FAQ 38) This would seem to allow an operator to block the child from all interactive features that could enable the sharing of personal information, as long as the child can continue to use portions of the site that do not require or enable the sharing of personal information. 
  3. Third-party services that are integrated on child-directed sites will be deemed to have "actual knowledge" if, in the future, a formal industry standard or agreed-upon convention is developed under which sites or services signal their child-directed nature to integrated third parties.  However, the mere collection of a URL from a child-directed site or service is unlikely to constitute actual knowledge.  (FAQ 39)  This guidance builds on a blog post published by the FTC's Chief Technologist, Steve Bellovin.
  4. An operator of a child-directed site or service does not need to notify parents or obtain parental consent before collecting pictures from children, as long as it either blurs the child's facial features or prescreens and deletes photos of children before posting them online.  (FAQs 43-45)  (But don't forget to scrub for metadata as well -- photo metadata that contains precise geolocation information may trigger the COPPA Rule.)
  5. A third party who is integrated on a child-directed site may rely on the "support for internal operations" exception to support the third-party's own internal operations.  There actually was text in the final COPPA Rule's Statement of Basis and Purpose supporting this point, but the revised COPPA FAQs make this point crystal clear.  (FAQ 77)

In addition, the COPPA FAQs clarify how the COPPA Rule applies in the classroom:

Utah, New Mexico, Arkansas are Latest States to Restrict Access by Employers or Schools to Personal Social Media Accounts

After gaining prominence in 2012, state legislation restricting access to personal social media accounts by employers and schools has remained active.  Three more states have enacted their own restrictions thus far in 2013, and bills are pending in more than two dozen other states, according to the National Conference of State Legislatures. In 2012, Illinois and Maryland enacted social media privacy laws restricting employers, Delaware and New Jersey enacted laws restricting academic institutions, and California and Michigan enacted both employer- and school-focused restrictions.

So far this year, Utah, New Mexico, and Arkansas have enacted their own restrictions. Utah enacted two laws — the Internet Employment Privacy Act and the Internet Postsecondary Education Privacy Act — as part of one bill, HB100, which was signed into law on March 26 and takes effect May 14. New Mexico enacted two separate bills — SB 371 and SB 422 — focusing on employers and post-secondary schools, respectively. Both bills were signed April 5 and take effect on June 14. In Arkansas, a bill imposing restrictions on public and private post-secondary schools was enacted as Act 998 on April 8.  Below is more information about each.

Covington Event: Insurance Coverage for Employment-Related Liabilities

Employees’ use of social media and other online services in their professional and personal lives has increased the risk of an employee bringing claims against a current or former employer.  In the past three years, for example, employers have had to defend against claims related to ownership of social media accounts used by former employees and claims that an employer’s social media policy violates the National Labor Relations Act.  “Bring-your-own-device” policies that allow employees to use personal smartphones, tablets, and other devices to access the employer’s e-mail systems and computer networks have raised questions about employees’ rights to privacy and employers’ obligations to comply with law and protect their confidential information.  Employer-employee disputes may increase as states adopt legislation prohibiting employers from requesting that employees provide access to personal online accounts, such as social networking profiles, instant messages, e-mails, and texts.  California, Illinois, Maryland, and Michigan each have passed laws restricting employer access to employees’ online accounts, and similar legislation has been introduced in more than thirty states. 

Ensuring that your company has appropriate insurance coverage is a critical step in managing the risk of these kinds of claims.  Join us, along with Marsh Risk Consulting, a global leader in insurance broking and risk management, for an interactive discussion that will cover the legal and practical issues facing corporate policyholders in connection with employment-related claims and liabilities.  The presentation will be held on Wednesday, April 17, 2013, from 3:00-4:30 pm at Covington & Burling, New York Times Building, 620 Eighth Avenue, New York, New York, 10018-1405.  A cocktail reception will follow the presentation.  There is no charge, but please RSVP to 202-662-6440 or RSVP9@cov.com by April 12th if you wish to attend.

5 Privacy and Data Security Measures That Can Protect Your Company Against Trade Secret Theft

At a recent forum in New York, a team of Covington lawyers addressed the growing concern among companies that their most valuable assets could leave the building on a thumb drive in an employee’s pocket or be disclosed through an employee’s use of a social media site.  Addressing this threat involves many disciplines beyond trade secret law, including employment, employee benefits and executive compensation, white collar crime, corporate and securities, insurance coverage, and crisis management.  This post identifies five proactive ways in which companies can use comprehensive privacy programs and robust data security measures to help prevent and respond to an insider’s intentional or inadvertent disclosure of confidential company information.

  1. Internal Privacy and Data Security Principles:  By specifying how the company collects, uses, discloses, and protects personal data of its customers and employees, internal privacy and data security policies can help companies identify who needs access to confidential data, how this data should be secured, and procedures for effectively deleting or destroying data once it is no longer needed by the company. 
  2. Internet Access and Use Policies:  Many companies implemented employee policies in the 90s governing how employees may access and use the Internet and the company’s computer networks.  However, these policies should be updated as new technologies that may increase the disclosure of confidential company information, such as peer-to-peer programs and third-party mobile applications, emerge.   
  3. Social Media Policies:  Social media policies typically govern how employees may use social media for work purposes, and, in some cases, set forth guidelines for employee use of personal social media accounts as well.  While these policies help to remind employees that they should be cautious when using social media to avoid the disclosure of confidential or proprietary company information, employers need to ensure that these policies are consistent with federal labor laws and state laws restricting an employer’s ability to request access to an employee’s personal online accounts.
  4. Robust Protections in Service Provider Agreements:  Confidentiality clauses and nondisclosure agreements with service providers are common and important.  But robust privacy and data security provisions can provide additional protection and mitigate the risk of a breach, especially where the service provider will handle your customer’s personal information.   
  5. Bring Your Own Device (“BYOD”) Policies:  Employers increasingly are allowing employees to use their personal smartphones, tablets, and other devices to access work e-mail accounts and the employer’s computer network.  While both employers and employees can benefit from this approach, companies need to make sure that their bring-your-own-device policies provide employees adequate notice and allow employers to implement appropriate data security measures, such as remote wiping tools.

FTC Annual Report Reveals Identity Theft -- Not Privacy -- Is Top Consumer Complaint

Yesterday the FTC released its annual report of consumer complaints, highlighting identity theft as the leading category of complaints, with 18% of the total.  The 2012 report analyzes complaints received by the FTC, certain other federal agencies, state law enforcement agencies, and non-governmental organizations such as the Better Business Bureau.  After identity theft, consumers filed the most complaints about debt collection (10%); banks and lenders (6%); shop-at-home and catalog sales (6%); prizes, sweepstakes and lotteries (5%); impostor scams (4%); Internet services (4%); auto-related complaints (4%); telephone and mobile services (4%); and credit cards (3%).

Despite the close attention of regulators and the press to the privacy policies of Internet sites and services, including mobile applications, the number of consumer complaints concerning these entities remains relatively low.  Of the total number of complaints, Internet information services received 1.79%, social networking services received 0.25%, Internet gaming received 0.12%, and mobile applications and other mobile downloads received just 0.02%.  Consumers appear to be far more troubled with identity theft and fraud-related issues, which, combined, accounted for 70% of consumer complaints in 2012.

Bill Would Set Federal Restrictions on Employer, School Access to Personal Online Accounts

A bill reintroduced in the U.S. House of Representatives on Wednesday would prohibit employers and schools from requesting or demanding access to employees’ or students’ personal social-media accounts.

The bill, titled the “Social Networking Online Protection Act,” would bar employers from requesting or requiring that employees or job applicants provide the employer access to personal e-mail or social-networking accounts.  The bill also would bar employers from firing or otherwise retaliating against an employee or applicant for refusing or complaining about such a request. Violations would carry a civil penalty of up to $10,000, and the bill would authorize the Secretary of Labor to seek an injunction against practices that violate the law.

The bill would establish similar protections for students or applicants at colleges and K-12 schools receiving federal funds. 

FTC Settles Deception, COPPA Charges Against Social Networking App Path

Path, a social networking mobile app, has agreed to enter into a settlement with the Federal Trade Commission (“FTC”) regarding charges that the company deceived consumers by collecting contact information from users’ mobile address books without notice and consent.  The agreement also resolves charges that the company violated the Children’s Online Privacy Protection Act (“COPPA”) by collecting personal information from children under 13 years old without parental notice and consent.  Path did not admit any liability by entering into the consent decree, which is for settlement purposes only.

The FTC alleged that the Path application included an “Add Friends” feature that allowed users to make new connections within the app.  Users were given three options when using the “Add Friends” functionality:  “Find friends from your contacts,” “Find Friends from Facebook,” or “Invite friends to join Path by email or SMS.”  Regardless of which option was chosen, Path automatically collected and stored contact information from the address book on the user’s mobile phone.  The FTC argued that this practice was contrary to representations made in the company’s privacy policy that only certain technical information, such as IP address, browser type, and site activity information, was automatically collected from the user.  Under the settlement, Path agreed to implement a comprehensive privacy program and obtain biennial, independent privacy assessments for the next twenty years. 

FFIEC Proposes Social Media Guidance

On January 22, 2013, the Federal Financial Institutions Examination Council proposed guidance on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media by depository institutions.  The proposed guidance would not impose additional compliance obligations on institutions.  Instead, the guidance is intended to help financial institutions understand potential consumer compliance, legal, reputation, and operational risks associated with the use of social media, along with expectations for managing those risks. 

The proposed guidance defines “social media” as “a form of interactive online communication in which users can generate and share content through text, images, audio, and/or video.”  The FFIEC warns that social media can impact a depository institution’s risk profile by increasing the risk of harm to consumers, compliance and legal risk, operational risk, and reputational risk. 

New Jersey Restricts Colleges' Access to Students' Personal Accounts, Considers Similar Protections for Employees

New Jersey earlier this month became the latest state to bar college and university officials from demanding access to students’ or applicants’ personal online accounts.  Gov. Chris Christie signed the law, which takes effect immediately, on Dec. 3.

Under the new law, which applies to public and private higher-education institutions, schools cannot require a student or applicant to “in any way provide access” to “a personal account or service through an electronic communications device,” nor may schools “in any way inquire as to whether a student or applicant” has a social-media account. Schools may not retaliate against students who refuse to provide access to their accounts, and the law voids any agreement to waive the statute’s protections.

NLRB Finds DISH Network Social Media Policy Unlawful

The National Labor Relations Board (NLRB) continues to be active in considering whether companies' social media policies run afoul of U.S. labor laws.  In the latest decision implementing the approach reflected in a series of NLRB reports analyzing employer social media policies under the National Labor Relations Act (NLRA), an administrative law judge found that it is impermissible for DISH Network to have a social media policy that prohibits employees from using social media platforms to (1) make disparaging or defamatory comments about DISH Network or (2) engage in negative electronic discussions during “Company time.” 

Citing its decision in Costco, which we blogged about here, the decision found that the social media policy would reasonably tend to chill employees in the exercise of their Section 7 rights.  As in Costco, DISH Network's policy apparently did not contain an exception for NLRA-protected activity.

New California Laws Restrict Employer, College Access to Personal Social-Media Content

California is the latest state to enact legislation restricting the circumstances under which employers or schools can demand access to employees’ or students’ personal social media accounts.

California Gov. Jerry Brown signed two bills into law on Sept. 27.  The first, A.B. 1844, bars employers from requiring or requesting that employees or job applicants disclose personal social media usernames or passwords, access personal social media accounts in the employer’s presence, or otherwise “[d]ivulge any personal social media.” Employers are barred from firing or otherwise retaliating against anyone who refuses to comply with a request that is prohibited under the law. Employers may require employees to disclose information needed to access employer-issued devices and may request access to personal social media the employer reasonably believes is relevant to a misconduct investigation.

S.B. 1349 creates parallel protections for students, prospective students and student groups at public and private colleges and universities.

NLRB Finds Costco Social Media Policy Unlawful

A three-member panel of the National Labor Relations Board (NLRB) found that it is impermissible for Costco’s social media policy to ban employees from making electronic postings that damage the reputation of the company or anyone else.  The NLRB held that the policy was not permissible because Costco employees could reasonably assume that it prohibited communications protected by the National Labor Relations Act (NLRA), such as communications critical of the company’s treatment of its employees.

Judge Dismisses Putative Class Action Against "Who's-Who of Social Media Companies"

A court in Texas recently dismissed a lawsuit it described as “an aspiring class action against a veritable who’s-who of social media companies.”  The Plaintiffs in Opperman v. Path claimed that the Defendants improperly used their smartphone apps to copy, upload, and store Plaintiffs’ address book information without their consent.

According to the court, the Plaintiffs’ first Complaint was over 150 pages, cited a confusing jumble of Texas, California, and federal laws, contained material that was repetitive and unnecessary, and showed “a general attitude of smug pomposity.”  Although the court had stated that it hoped the Plaintiffs’ Amended Complaint would fix these problems, it found that the Amended Complaint was more than twice as long and full of the same problems, leading the court to theorize that the Plaintiffs had “the court of public opinion in mind” when drafting it.

The court held that, because of these flaws, both versions of the Complaint violated Federal Rule of Civil Procedure 8(a)(2), which requires “a short and plain statement of the claim showing that the pleader is entitled to relief.”  Consequently, the judge dismissed the Complaints without prejudice, allowing the Plaintiffs to file a Second Amended Complaint within twenty days.  The judge warned, however, that if the next complaint does not comply with the “letter and spirit” of the Federal Rules, it will be dismissed with prejudice, ending the case.

Twitter Appeals Ruling Requiring It to Produce User's Tweets and Subscriber Information

Earlier this week, Twitter appealed a New York state judge’s ruling that required the company to produce an Occupy Wall Street protestor’s tweets, email address, and certain subscriber information.  The trial court judge had reasoned that the public nature of Twitter meant that the defendant lacked privacy interests in his tweets and that the government’s request satisfied the requirements of the Stored Communications Act.  Moreover, the trial court held that the protester lacked standing to challenge the subpoena.  For more detail about the trial court’s ruling, see Inside Privacy’s previous coverage.

Twitter’s appeal consists of six primary arguments that fall within two key issues.  First, Twitter makes several arguments regarding why the protestor has standing under New York law and the SCA to challenge the subpoena issued to Twitter.  According to Twitter, New York law grants the protester standing because he has a proprietary interest in his tweets, as established in Twitter’s Terms of Service.  And the SCA provides standing under 18 U.S.C. § 2704(b), which allows a user who receives notice of a subpoena for account records to “file a motion to quash such subpoena . . . in the appropriate . . . state court.”

Second, Twitter argues that the protester’s tweets are protected by the Fourth Amendment to the U.S. Constitution and Article I, § 12 of the New York Constitution. Because the government cannot publicly access the tweets, Twitter claims, the protester maintains a reasonable expectation of privacy in them. (The government acknowledged that the tweets are no longer visible on the Twitter platform. It is unclear whether the tweets were deleted or are no longer visible for some other reason, such as that only the 3,200 most recent tweets remain visible.) Moreover, according to Twitter, even if the tweets are publicly available, case law suggests that public information that allows law enforcement to draw mere inferences about a citizen’s thoughts and associations is entitled to Constitutional protection.

The appellate brief is available here.

Illinois Prohibits Employers from Requesting Employees' Social Networking Passwords

On August 1, Illinois became the second state in the country to prohibit employers from requesting or requiring employees to provide their passwords for social networking accounts.  As reported in this blog, Maryland adopted similar legislation in April.  The bill (HB 3782) was signed into law by Illinois Governor Pat Quinn and will become effective on January 1, 2013. 

The legislation amends the Illinois Right to Privacy in the Workplace Act to make unlawful an employer’s request or requirement that an employee or prospective employee provide “any password or other related account information in order to gain access to the employee’s or prospective employee’s account or profile on a social networking website….”  The term “social networking website” means an Internet-based service that allows individuals to (1) construct a public or semi-public profile within a bounded system, created by the service; (2) create a list of other users with whom they share a connection within the system; and (3) view and navigate their list of connections and those made by others within the system.  The legislation makes clear that emails are not included in the term “social networking website.” 

Legislation to prohibit employer access to employee social networking information currently is being considered in several states, including Washington, New Jersey, California, and Colorado.

European Data Protection Supervisor Issues Opinion on Children's Privacy

The European Data Protection Supervisor ("EDPS") has issued an opinion on Europe's strategy for protecting children on the Internet.  The European Commission consults with the EDPS on a variety of data protection issues.  However, the opinions of the EDPS are not legally binding. 

Among other things, the EDPS expressed support for: 

  • The implementation of technical tools, such as age-appropriate default privacy settings, to enhance the privacy of children online.     
  • Clear notice about the impact a change to a default setting would have on a child's privacy and the potential harm it may cause. In particular, the EDPS suggested that in some circumstances a child might not be permitted to change the default settings, or might change the defaults only with parental consent, stating that the "extent to which a child may change the default privacy settings should also be linked to the age and level of maturity of the child.  It should be explored to what extent, and within which age group, parental consent would be required to validate a change of privacy settings." 
  • A requirement that service providers inform children about the level of sensitivity of each piece of information they provide when creating an online profile and about the potential risks or harms they may encounter when such information is disclosed to a defined group of people or to the public. 
  • A restriction on industry's ability to create online behavioral advertising segments that target children.
  • A legal mandate for industry to deploy an EU-wide reporting tool for content that is harmful to children.

Twitter to Appeal NY Ruling that It Must Hand over Occupy Protestor's Tweets

Twitter has announced that it will appeal a New York state judge’s ruling that the company must hand over an Occupy Wall Street protestor’s tweets to the Manhattan district attorney.  The defendant was charged with disorderly conduct for his participation in a protest march on October 1, 2011.  Following that incident, the district attorney subpoenaed Twitter for the defendant’s tweets over several months in the fall of 2011.  The defendant unsuccessfully challenged the subpoena in trial court, and Twitter is taking up the appeal.

The trial court judge found that the Fourth Amendment did not apply to the government’s subpoena.  The defendant had no privacy interests in his tweets, the judge held, because of the public nature of the Twitter platform.  Pointing out that the “very nature and purpose of Twitter” is to share messages with a broad online audience, the judge concluded that the “defendant’s contention that he has privacy interests in his Tweets . . . [is] without merit.”
