Inside Privacy - Updates on Developments in Global Privacy & Data Security

A seller who authorizes a third-party telemarketer to market the seller’s goods or services may be held vicariously liable if the telemarketer violates the Telephone Consumer Protection Act (TCPA), the Federal Communications Commission held in a May 9 declaratory ruling.

The FCC’s ruling interprets two subsections of the TCPA. The first subsection — 47 U.S.C. § 227(b) — includes several restrictions, including a general prohibition on making calls to landline or mobile telephones using a prerecorded message without  the recipient’s prior express consent. Section 227(b)(3) allows individuals or companies to bring private lawsuits “based on a violation of this subsection” or the FCC’s implementing regulations.

A separate portion of the TCPA — 47 U.S.C. § 227(c) — authorizes the FCC to set up a national Do Not Call registry, which the FCC did in coordination with the Federal Trade Commission several years ago. Section 227(c)(5) authorizes private lawsuits by individuals who receive “more than one telephone call within any 12-month period by or on behalf of the same entity” in violation of the Do Not Call rules.

Last week’s declaratory ruling came in response to questions referred to the FCC by two federal courts in two separate TCPA-based lawsuits.

Continue Reading

On April 29, Craigslist was successful in fighting off a motion to dismiss filed by three screenscraping sites (3Taps, Padmapper and Lovely) in its pending litigation in the Northern District of California.   In Craigslist Inc. v. 3Taps Inc., No. CV 12-03816 (N.D. Cal.), Craigslist sued these sites, alleging that their scraping of Craigslist content violated the federal Computer Fraud and Abuse Act (and the Act’s California analogue); the Copyright Act, and the Lanham Act, and constituted a trespass to chattels.  Although not all of Craigslist’s claims survived the defendant’s motion to dismiss, its claims under the Computer Fraud and Abuse Act, some copyright claims, the reverse passing off claim, and the trespass claim did satisfy the required facial plausibility standard.  

The decision adds to the growing case law around screenscraping, and serves as a timely reminder of the fact that the language of a Web site’s terms of use (TOU) is an important factor in such cases.  In this case, Craigslist faces questions over whether it has standing to sue for copyright infringement because of the drafting of the content license in the Craigslist TOU.  The license grant provision in the Craigslist TOU is arguably ambiguous as to whether it provides for an “exclusive” license from users to Craigslist.  Citing Ninth Circuit case law, the order noted, “[O]nly the owner of an exclusive right under the copyright is entitled to sue for infringement.”  TOUs are often drafted with a non-exclusive license to user created content or with ambiguity as to exclusivity, and thus some Web site owners  may lack sufficient standing to bring copyright infringement claims in relation to some of the content on their sites.  Of course, it may not always be appropriate to request an exclusive license from users, but it is a question that all Web site owners should consider when preparing or maintaining their TOU.

A federal appellate court ruled last week that an Internet company was not liable for disclosing subscriber information pursuant to an invalid grand jury subpoena that appeared valid on its face.

In December 2008, Yahoo! received two grand jury subpoenas from a Georgia state prosecutor, seeking the name, address, and other identifying information associated with a user account.  The subpoenas were signed by a Georgia state court judge and court clerk.  Yahoo! complied with the subpoenas before the production deadline.

The Yahoo! account holder, Fayelynn Sams, filed a putative class action lawsuit.  Sams claimed that the subpoenas failed to comply with Georgia law, and therefore violated the Stored Communications Act.  The federal district court granted Yahoo!’s motion to dismiss, concluding that Yahoo! was statutorily immune from lawsuit.

On appeal, the Ninth Circuit affirmed the district court.  The Stored Communications Act states that “good faith reliance on . . . a grand jury subpoena” is a “complete defense” to a civil action under the SCA.  Writing for a unanimous three-judge panel, Judge Milan D. Smith, Jr. wrote that this defense is available when the defendant complies with a subpoena or other process “that appears valid on its face, in the absence of any indication of irregularity sufficient to put the defendant on notice that the subpoena may be invalid or contrary to applicable law.”  The defense is not available, the court wrote, “if the defendant actually knew that the subpoena (or other process) was invalid under the applicable law.”

Applying this legal standard to Sams’s lawsuit, the Ninth Circuit concluded that Yahoo! is immune because Sams pled no facts to lead to a plausible inference that Yahoo! knew that the subpoenas were invalid.  Moreover, the Court held that the subpoenas were objectively reasonable because “they bore all of the indicia of lawful authority.”

A Michigan appellate court ruled last week that state discovery rules provide adequate safeguards for anonymous online speech.  The opinion is a significant deviation from the rulings of other state courts, which have applied a First Amendment balancing test to determine whether to grant discovery requests for the identities of anonymous online speakers.

Thomas M. Cooley Law School sued several defendants for allegedly defaming the school online and issued subpoenas for their identities.  Defendant John Doe 1, who operated a website about the law school, sought a protective order and moved to quash the subpoena to his Internet service provider.   The trial court applied a First Amendment balancing test, first articulated by state appellate courts in New Jersey and Delaware, that considers factors including (1) whether the defendant is a person or entity who could be sued, (2) whether the plaintiff made a good-faith effort to serve the defendant with process, (3), whether the lawsuit could withstand a motion to dismiss, and (4) whether there is a reasonable likelihood that discovery would uncover information that would allow service of process.   Under this analysis, the state trial court denied the motion to quash and denied the protective order.

Continue Reading

As we previously blogged, in a case concerning retail chain Michaels Stores, the Supreme Judicial Court of Massachusetts (SJC) recently issued a broad ruling regarding the circumstances in which consumers may sue for collection of zip code information during credit card transactions under Massachusetts law.  Two separate putative class actions now have been filed under the same legal theory against Bed Bath & Beyond.

In its recent ruling, the SJC held that (1) a ZIP code is “personal identification information” within the meaning of the Massachusetts credit card privacy law; (2) a plaintiff may bring a lawsuit for a violation without showing identity fraud; and (3) “credit card transaction forms” could be construed to mean an in-store electronic form (e.g., a keypress form at the register).   The plaintiffs who have sued Bed Bath & Beyond claim that the housewares chain violates state law by collecting zip codes when customers make purchases by credit card at retail stores.   Both plaintiffs, one of whom was the named plaintiff in the case against Michaels Stores, filed in federal court in Massachusetts. 

The U.S. Supreme Court unanimously ruled on Tuesday that plaintiffs bringing class actions cannot escape federal jurisdiction by stipulating to seek less than $5 million in damages.  In a nine-page opinion, the Court held that plaintiff Greg Knowles had no power to speak for the proposed class when he stipulated in a lawsuit against Standard Fire Insurance Co. that he and the class would not ask for more than $5 million—the amount of damages that remove class actions from state court to federal court in accordance with the Class Action Fairness Act (“CAFA”).

The opinion stressed that stipulations must be binding, and the kind of stipulation that Knowles brought to keep his suit out of federal court could not be enforced against class members.  “Here, the precertification stipulation can tie Knowles’ hands because stipulations are binding on the party who makes them,” Justice Stephen Breyer wrote. “However, the stipulation does not speak for those Knowles purports to represent, for a plaintiff who files a proposed class action cannot legally bind members of the proposed class before the class is certified.”

The Court said such non-binding stipulations potentially could allow plaintiffs to subdivide a $100 million case into 21 cases just below $5 million in order to stay in state court. “Such an outcome would squarely conflict” with the class-action law’s intention that major cases go to federal court, the opinion said.

On Monday, the California Supreme Court, by a slim 4-3 majority, held that California’s Song-Beverly Credit Card Act of 1971 (“Song-Beverly”) does not apply to online purchases in which a product is downloaded electronically, finding that Apple was not liable under the statute for collecting plaintiff Krescent’s telephone number and address in order to complete credit card purchases of various digital downloads from the iTunes store.

In a lengthy opinion that considered the statutory text and legislative history, the Court overturned a lower court’s finding that Song-Beverly prohibited Apple from collecting personal identification information (“PII”) in connection with an online transaction.  Song-Beverly generally prohibits retailers from requesting or requiring as a condition to accepting credit card payment, that the cardholder be required to provide PII upon a credit card transaction form or otherwise.  In Pineda v. Williams Sonoma Stores—decided in early 2011—the California Supreme Court held that ZIP codes were PII, and that the defendant had violated Song-Beverly by requesting the plaintiff's ZIP code during a credit card transaction that took place in a traditional brick-and-mortar retail store, a decision that spurred a wave of Song-Beverly litigation in California.

In Krescent, the California Supreme Court determined that Song-Beverly was enacted by the California legislature with the intent of safeguarding consumer privacy while also protecting consumers and retailers from undue risk of fraud.  It then reasoned that online purchases are different from brick-and-mortar purchases: 

The safeguards against fraud that are provided in section 1747.08(d) are not available to the online retailer selling an electronically downloadable product.  Unlike a brick-and-mortar retailer, an online retailer cannot visually inspect the credit card, the signature on the back of the card, or the customer‘s photo identification.  Thus, … the key antifraud mechanism in the statutory scheme . . . has no practical application to online transactions involving electronically downloadable products.”

Continue Reading

The Ninth Circuit revived a putative class action alleging that ADT Security Services violated the California Invasion of Privacy Act (“CIPA”) by recording the plaintiff’s phone call to the company without consent, remanding the case to allow the plaintiff to file an amended complaint. In a published opinion, the panel wrote that while it agreed with the district court that plaintiff’s complaint failed to state a plausible claim upon which relief could be granted, it would nevertheless remand the case in order to give the plaintiff an opportunity to allege that he reasonably expected that his call was confidential. “In an abundance — perhaps an overabundance — of caution, we remand this case to the district court for it to consider allowing the plaintiff to amend his complaint in a manner that would satisfy federal pleading standards,” the opinion said.

John Faulkner brought his putative class action in California state court in February 2011, alleging that ADT recorded his phone conversation with a company representative without his consent in violation of CIPA, Cal. Penal Code § 632. The plaintiff specifically alleges that he called ADT in March 2010 to dispute a charge the company assessed, and that, when he was transferred to the company’s technical line, he heard periodic beeping sounds during his conversation. When he inquired about the sounds, he was told that the conversation was being recorded, according to his complaint.

A judge in the Northern District of California dismissed the case in May 2011, holding that Faulkner’s conversation was not “confidential” because he had no objectively reasonable expectation that the call would not be overheard or recorded, and that he had failed to allege circumstances that would support an expectation of privacy in his call. 

Continue Reading

Federal law does not preempt a California telephone privacy statute, according to a ruling this week by a federal magistrate judge.

Plaintiffs Laura McCabe and Latroya Simpson brought a putative class action lawsuit against InterContinental Hotels, alleging that the company recorded or monitored telephone calls made to its reservations number without notifying callers. The plaintiffs claim that InterContinental violated the California Invasion of Privacy Act ("CIPA"), which prohibits intentional interception and recording of telephone communications without consent from all parties.

InterContinental moved to dismiss the complaint, asserting that the federal Communications Act preempts CIPA by “occupying the field” of telecommunications regulation and leaving no room for states to regulate telephone recording.  In an opinion on Tuesday, Magistrate Judge Nathanael M. Cousins, of the U.S. District Court for the Northern District of California, rejected that argument, concluding that federal law does not preclude states from regulating interstate communications. 

InterContinental also argued that the California law conflicts with the federal Wiretap Act that requires only one party to provide consent for call monitoring.  Judge Cousins disagreed, holding that the laws do not conflict merely because CIPA is more stringent. 

The decision is the latest in a series of conflicting decisions on Wiretap Act preemption.  We discuss the others here.

Yesterday the Fifth Circuit ruled in Garcia v. City of San Laredo that personal cell phones are not “facilities” under the Stored Communications Act (SCA), agreeing with a growing number of courts that have reached the same conclusion.  In reaching this decision, the court rejected the claim of plaintiff Garcia, a former police dispatcher for the City of San Laredo, that the City had improperly accessed text messages and images stored on her cell phone in violation of the SCA.

Generally speaking, to be liable under the SCA, a defendant must have gained unauthorized access to a facility through which an electronic communication service is provided (or exceeded authorized access) and must thereby have accessed electronic communications while held in electronic storage.

In interpreting the meaning under the SCA of the phrase “facility through which an electronic communication service is provided,” the Fifth Circuit observed that past cases holding that the SCA covered the seizure of a computer used to operate an electronic bulletin board system or applying the SCA to internet service providers were “not helpful” to plaintiff establishing that an individual’s computer, laptop, or mobile device fits the statutory definition.  Rather, the court looked to the Eleventh Circuit’s decision in United States v. Steiger, which held that a hacker’s access of an individual’s computer hard drive was beyond the reach of the SCA.  The Garcia court also agreed with the conclusions of a number of district courts (including Judge Lucy Koh’s decision in in re iPhone Application Litigation, which we wrote about here), that the relevant "facilit[ies'" that the SCA is designed to protect are not computers that enable the use of an electronic communication service, but instead are facilities that are operated by electronic communication service providers and used to store and maintain electronic communications.

The Garcia court further held that even if plaintiff’s cell phone somehow were considered to be a “facility” under the statute, her text messages and photos still would not fall under the SCA’s precise definition of “electronic storage,” a term which, the Fifth Circuit explained "emcompasses only the information that has been stored by an electronic communication service provider."