Inside Privacy - Updates on Developments in Global Privacy & Data Security

A judge in the Northern District of California recently agreed with the Seventh Circuit that the Video Privacy Protection Act ("VPPA") does not provide a private right of action premised solely on an allegedly unauthorized retention of information. 

Plaintiffs sued Sony Computer Entertainment America LLC ("SCEA") and Sony Network Entertainment International LLC ("SNEI") for alleged violations of the VPPA.  The VPPA limits the retention and disclosure of "personally identifiable information," including information about a person's requesting or obtaining video materials or services from a "video tape service provider."  Plaintiffs were a class of Sony customers whose video watching and gaming information the company allegedly retained for longer than 30 days. 

In addition to dismissing claims that Sony unlawfully retained plaintiffs' information, the court dismissed plaintiffs' claims (1) that SCEA unlawfully disclosed such information to SNEI and (2) that SNEI subsequently disclosed the information to unnamed third parties.  The court dismissed the first claim on the basis of the VPPA's "ordinary course of business" exception, which authorizes (among other things) disclosures made in the context of a "transfer of ownership."  Because SCEA had diclosed the alleged PII in connection with a transfer of "certain assets" to SNEI, the court held that the ordinary course of business exception applied.   

The court also dismissed the second disclosure claim, holding that the plaintiffs did not state that a disclosure was made, identify anyone to whom the disclosure was made, or state that the disclosure falls outside the scope of the VPPA. 

The Seventh Circuit held yesterday, in a decision written by Judge Posner, that damages are not available under the Video Privacy Protection Act (“VPPA”) for violations of the statute’s data deletion requirement, only for unlawful disclosures of video-viewing information. 

Subsection (b) of the VPPA prohibits knowing disclosure of personally identifiable information that identifies a person as having requested specific video materials from a video service provider.  Subsection (c) authorizes private actions, including statutory damages of $2,500.  Subsection (e) requires that old records be destroyed “no later than one year from the date the information is no longer necessary for the purpose for which it was collected.”  

Plaintiffs Kevin Sterk and Jiah Chung sued video-kiosk operator Redbox for both unlawful disclosure under subsection (b) and unlawful retention under subsection (e).  Judge Posner, observing that the VPPA “is not well drafted,” held that the more plausible interpretation is that subsection (c) was intended to enforce only the prohibition against disclosure.  Besides looking at the placement of subsection (c) immediately after subsection (b), the court noted that there is no injury and thus no need to award damages if the information, “though not timely destroyed, . . . remained secreted in the video service provider’s files until it was destroyed.”   Even though the statute permits liquidated damages, the court stated that such damages are meant only as a proxy for actual damages: if no injury results, “the only possible estimate of actual damages for violating subsection (e) would be zero.”

According to media reports, plaintiffs’ counsel plans to seek rehearing en banc and will also continue to pursue the disclosure claim against Redbox. 

Judge Mary McLaughlin of the Eastern District of Pennsylvania recently dismissed a class action complaint brought against CVS Pharmacy and CVS Caremark for selling information provided by prescription drug purchasers.  Notably, in its decision in Steinberg v. CVS Caremark Corp., the court found that information on a customer’s prescription drug and medical history “carries with it no compensable value at the individual level.”  

The plaintiffs, on behalf of a class of Pennsylvania prescription drug purchasers, brought claims under the Pennsylvania Unfair Trade Practices and Consumer Protection Law and for unjust enrichment and invasion of privacy.  The UTPCPL claim was based on defendants’ representations that they did not share customer information in violation of federal or state law.  Plaintiffs alleged that the defendants’ sale of information violated HIPAA, even though they conceded that the information the defendants sold was “de-identified.”  The information consisted of medical history, prescription drugs dispensed, dates of prescriptions, diagnoses, and physician names, but not of patient names, birth dates, or Social Security numbers. 

Plaintiffs argued, however, that the information shared could be “re-identified,” or associated with a specific person in violation of HIPAA.  The court found plaintiffs’ generalized warning of re-identification insufficient to show a HIPAA violation without demonstrating how the threat applied in the circumstances of the case: “The Court was referred to the name of an article in an academic journal discussing risks associated with re-identification of data, but counsel did not explain how or whether the theory applied to this case.” 

In the end, the court dismissed all three claims, determining that “the defendants neither sold information entitled to legal protection nor made any misrepresentations on which the plaintiffs justifiably relied . . . .”  Moreover, “the information the defendants sold to third parties does not carry a compensable value to the plaintiffs or constitute an invasion of privacy.”  The court also dismissed the claims with prejudice, finding that the plaintiffs had not presented a viable alternate theory of recovery.

Just under a year has passed since the California Supreme Court ruled that asking for a customer’s ZIP code during a credit card transaction violates California’s Song-Beverly Credit Card Act.  According to media reports, the court’s decision in Pineda v. Williams-Sonoma Stores, Inc. has spurred more than 200 suits against California retailers.  A roundup of recent developments in Song-Beverly Act litigation:

• A case against Brookstone had been dismissed in May 2010 on the ground that a ZIP code is not “personal identification information” within the meaning of Song-Beverly, but a state appellate court ruled [PDF] that the subsequent contrary decision in Pineda applied retroactively and that the suit against Brookstone could therefore proceed. 
• Both state and federal courts in California have now reaffirmed that Song-Beverly does not apply to online transactions (Gonor v. Craigslist, Inc. [PDF]; Salmonson v. Microsoft Corp. [PDF]).  According to Mehrens v. Redbox Automated Retail LLC [PDF], Song-Beverly does not apply to transactions conducted at self-service kiosks either.  The courts recognized that fraud prevention justifies the collection of ZIP codes in online and kiosk transactions. 
• A California federal court preliminarily approved a settlement under which Tiffany and Co. agreed to provide a voucher for either $10 off or free engraving to an estimated class of 90,000 customers; $142,000 in attorneys’ fees to class counsel; and $2,000 to the class representative.

Continue Reading

An Eastern District of Michigan judge held that a personal injury defendant could not discover the plaintiff’s private Facebook content under Rule 26(b) governing the discoverability of evidence.  Tompkins v. Detroit Metropolitan Airport, No. 2:10-cv-10413-BAF-RSW (E.D. Mich, Jan. 18, 2012).  Although—as the court noted—the private portions of a user’s Facebook account are not generally privileged or protected by common law privacy rights, “the Defendant does not have a generalized right to rummage at will through information that Plaintiff has limited from public view.”

The court required the defendant to make “a threshold showing that the requested information is reasonably calculated to lead to the discovery of admissible evidence” so as to avoid “the proverbial fishing expedition.”  The defendant proffered some of the plaintiff’s public postings as support, including photographs showing the plaintiff holding a dog and grocery shopping.  Because these pictures were not inconsistent with the plaintiff’s claims of injury, the defendant did not establish relevance. 

“If the Plaintiff’s public Facebook page contained pictures of her playing golf or riding horseback, Defendant might have a stronger argument for delving into the non-public section of her account,” the court noted.

A putative class action was filed on Monday against Amazon.com following an online hacking attack that potentially compromised the personal information of up to 24 million customers of its online shoe retailer Zappos.com.  An email sent to customers from Zappos.com’s CEO on Sunday assured users that full credit card information and other payment information was not impacted, but stated that names, email address, billing and shipping addresses, phone numbers, the last four digits of credit card numbers, and/or cryptographically scrambled passwords (but not actual passwords) may have been improperly accessed.

The complaint, filed in the United States District Court for the Western District of Kentucky (the location of the purportedly compromised servers), includes claims for violation of the Fair Credit Reporting Act, negligence, and invasion of privacy.  The complaint alleges that the named plaintiff and proposed class members now are subject to a heightened risk of identity theft and will have to spend time changing the passwords on their Zappos.com accounts as well as other accounts with the same or similar passwords.

On January 10, the U.S. Supreme Court ruled in CompuCredit Corp. et al. v. Wanda Greenwood et al. that the Credit Repair Organizations Act (“CROA”) does not override arbitration clauses in agreements between consumers and credit repair organizations.  The CROA prohibits credit repair organizations (i.e., companies that seek to improve a consumer’s credit history or provide financial counseling regarding a consumer’s credit history) from making false or misleading statements with respect to a consumer’s credit history or the company’s services, requires credit repair organizations to memorialize the services to be provided to a consumer in a written agreement that contains certain disclosures, and gives a consumer the right to cancel a contract with a credit repair organization.  The CROA is subject to enforcement by the Federal Trade Commission, state attorneys general, and private litigants.

In CompuCredit Corp., the plaintiffs alleged that CompuCredit violated the CROA by representing to consumers that its credit card could be used to rebuild poor credit histories.  The plaintiffs sought to invalidate an arbitration clause in CompuCredit’s card agreement based on language in the CROA requiring a credit repair organization to inform consumers of their right “to sue a credit repair organization that violates the [CROA].”  The Court held that such language was too “obtuse” to invalidate arbitration clauses, relying on the general preference for the enforceability of arbitration clauses grounded in the Federal Arbitration Act and applicable Court precedent.

Class action lawsuits are increasingly being brought against organizations that have suffered data breaches, as well as against companies that are alleged to have allowed third parties access to online or mobile users’ confidential information without authorization (for example the recent Del Vecchio v. Amazon and Low v. LinkedIn cases).  A repeated issue in these cases is what kind of harm plaintiffs must allege to state a cognizable claim.  To the extent sufficient harm can be pled, what related legal issues loom on the horizon, such as proof of causation, the definition of “reasonable security,” the applicability of federal statues, and class certification efforts?  Simon Frankel and Mali Friedman from Covington and David Navetta from InformationLawGroup will be discussing these issues, examining several prominent cases to look for trends (including cases such as LinkedIn, which Covington has litigated), and providing practical steps your organization can take to help mitigate these risks.   

The Webinar, which is hosted by IAPP, will take place this Friday, December 16 from 1:00-2:30 pm EST.  You can register here.

Last week, a federal judge denied a motion to dismiss a putative class action brought under the Telephone Consumer Protection Act (TCPA) against Citibank concerning its transmission of text messages.  The case -- Ryabyshchuk v. Citibank N.A., -- is notable because one of the issues it addresses is whether an entity that transmits a text message to confirm a consumer’s opt out request has transmitted the message without the consumer’s prior express consent.  The Mobile Marketing Association’s Guidelines for text message campaigns advises that such confirmation messages should be sent.  In the ruling, Judge Irma Gonzalez of the Southern District of California held that Citibank could be liable for two messages: the first that allegedly inviting the applicant to call to discuss a credit card application, and the second that allegedly confirmed the consumer’s request to opt out of receiving future messages.  The consumer sought to opt out of receiving future messages after receiving the first text message from Citibank.

Continue Reading

The Ninth Circuit reversed the district court’s approval of a class action settlement last Monday in Nachshin v. AOL, remanding the two-year old case back to the district court for a new round of settlement negotiation and approval. No. 10-55129 (9th Cir. Nov. 21, 2011).  The class action was brought in 2009, alleging that the Internet company violated the Electronic Communications Privacy Act (ECPA) when it inserted footers containing promotional messages into e-mails sent by its users. The complaint also alleged unjust enrichment, breach of contract, and violations of state law.

The problem with the settlement was not that the class representatives failed to adequately represent class members, as in the Second Circuit’s recent decision in the latest iteration of the Tasini v. New York Times case, or that the interests of the members of the proposed class (all 66 million of them) were too factually and legally different to proceed in a class action, as in the Ninth Circuit’s recent decision in Ellis v. Costco Wholesale Corp. Instead, the Ninth Circuit reversed the settlement on the less common ground that it provided for distributions from the settlement fund to charities that were unrelated to the claims underlying the lawsuit.

Continue Reading

Judge Koh of the District Court for the Northern District of California recently granted LinkedIn’s motion to dismiss with leave to amend in Low v. LinkedIn.  Covington represents LinkedIn in this case, in which Plaintiff alleges that he suffered injury by virtue of LinkedIn’s purported transmittal of a unique UserID to certain third parties as a portion of a URL referrer header.

The Court held that the plaintiff had not alleged sufficient injury-in-fact to satisfy Article III standing, because “Plaintiff has failed to put forth a coherent theory of how his personal information was disclosed or transferred to third parties, and how it has harmed him.”  In making this determination, the Court rejected Plaintiff’s theories of  “emotional” and “economic” harm.

With respect to emotional harm, the court noted that Plaintiff was “unable to articulate a theory of what information had actually been transmitted to third parties, how it had been transferred to third parties, and how LinkedIn had actually caused him harm.”  Similarly, in considering Plaintiff’s theory of economic harm, the Court held that Plaintiff’s allegations were “too abstract and hypothetical to support Article III standing,” citing a growing body of precedent, including Judge Koh’s own recent decision in In re iPhone Application Litigation, in which courts have held that the unauthorized collection of personal information does not create an economic loss.  Quoting Specific Media, the Court observed that Plaintiff had failed to allege how he was foreclosed from capitalizing on the value of his personal data or how he was “deprived of the economic value of [his] personal information simply because [his] unspecified personal information was purportedly collected by a third party.”

Continue Reading

Last week, the California Attorney General brought its first suit under California’s environmental marketing law, which restricts the labeling of plastic food or beverage containers as “biodegradable.” The Attorney General claims that a plastics company’s statements that its microbial additive results in the “first truly biodegradable and recyclable” plastic bottle and that the bottle will break down in less than five years in a typical landfill or compost environment is false because it takes hundreds of years for plastics to biodegrade.  In addition, the Attorney General claims that the company’s recycling claim is deceptive because the Association of Post Consumer Plastic Recyclers considers the company’s microbial additive to be a “destructive contaminant” that can weaken the bottle’s strength.  The company has responded that it stands by its technology and it claims.

The law, which will expand to cover all plastic products beginning in 2013, could discourage companies from developing innovative environmental solutions, since the law effectively prohibits companies from making certain environmental claims about their products. 

A federal district court in Michigan recently held that the federal CAN-SPAM Act preempts Michigan’s anti-spam law.  Unlike the federal law, Michigan’s statute offers individuals who receive unsolicited commercial email, or “spam,” a private cause of action.  The decision, by Judge Janet T. Neff of the Western District of Michigan in Hafke v. Rossdale Group, LLC, is one of only a few court opinions construing the scope of state laws preempted by the federal CAN-SPAM Act.

The federal Controlling the Assault of Non-Solicited Pornography And Marketing Act (or CAN-SPAM Act), enacted in 2003, regulates the transmission of spam email.  For violations meeting specified criteria, it provides for criminal penalties and permits civil enforcement by the Federal Trade Commission and other federal agencies, Internet Service Providers, and state attorneys general.  It does not, however, permit individuals who have received unwanted email to bring suit. 

Therefore, those who have wished to bring suit for receiving unwanted spam have looked to states’ anti-spam laws, such as that of Michigan.  However, CAN-SPAM contains an express “preemption” provision, meaning it specifies the circumstances under which states may or may not regulate the same subject matter as the federal statute.  CAN-SPAM states that it supersedes state law “that expressly regulates the use of electronic mail to send commercial messages, except to the extent that any such statute, regulation, or rule prohibits falsity or deception.”  It also states that it does not preempt state laws “that are not specific to electronic mail” or those that “relate to acts of fraud or computer crime.”

In Hafke, the court had to interpret whether CAN-SPAM preempted the Michigan anti-spam law.  To reach a decision, the judge first reviewed the handful of prior cases on the scope of CAN-SPAM’s preemption.  Those cases, relying on CAN-SPAM’s preservation of state laws that prohibit “falsity or deception,” have differentiated state laws regulating “base error” from state laws regulating tortious conduct or material misrepresentations -- the courts have held that CAN-SPAM preempts the first kind of laws but not the second.  Building on those decisions, the judge held that because the Michigan law does not by its text require falsity or deception and because the plaintiff alleged only “technical” violations, CAN-SPAM barred the plaintiff’s claim.

Your company has just launched an innovative new social media service, and you’ve received fanfare from the press, increased website traffic, and a spike in advertising revenues.  In short, the service is a complete success — until you’re served with a class action complaint seeking millions of dollars in damages and a civil investigative demand from the FTC.  What did you do wrong, and what can you do to get out of this mess?

That’s the question that I recently explored as a part of a panel at the summer meeting of the Virginia Bar Association on the benefits and risks of social media.  On the panel, we discussed the many ways that social media has influenced law and policy over the past few months and highlighted what businesses and their lawyers need to understand about privacy issues online in order to avoid litigation and regulatory enforcement. 

One of the main reasons that companies face litigation and investigations in the social media area is that they haven’t fully evaluated the information that they are collecting through social media and how that information is (or could be) used.  That is why the discussion on privacy today is coalescing around the concept of “privacy by design,” which Kashmir Hill at Forbes recently described as companies “bak[ing] privacy into their products” rather than considering privacy only reactively.  (You can read more about privacy by design here.)

Continue Reading

As we previously noted here and here, locational privacy continues to be an area of ongoing interest.  Yesterday, a New Jersey appeals court ruled that a husband’s privacy rights were not invaded when his wife put a GPS tracking device in his car. 

In Villanova v. Innovative Investigations, Inc., A-0654-10T2 (N.J. Sup. Ct. App. Div. July 7, 2011), the plaintiff sued an investigative firm that had advised his then-wife to install a GPS tracking device in his car.  The appeals court upheld the dismissal of the plaintiff’s tort claim for intentional or negligent invasion of his right to privacy, finding that there was no evidence that Villanova was tracked while driving “the vehicle into a private or secluded location that was out of public view and in which he had a legitimate expectation of privacy.”  Because Supreme Court precedent establishes that people traveling on public roadways have no reasonable expectation of privacy in their movements, there was no intrusion into the plaintiff’s seclusion. 

Villanova dealt with surveillance by private investigators, and private investigators in New Jersey say that the decision is a welcome clarification of the law.  The Supreme Court will be revisiting this issue in the context of government surveillance next term, when it takes up United States v. Jones.  At issue in Jones: whether the police are required to obtain a warrant before installing a GPS tracking device on a person’s car. 

In a decision with broad application, the Supreme Court held last Wednesday that the Federal Arbitration Act preempts state law rules that classify class action waivers in consumer contracts as unconscionable and therefore unenforceable.  The holding in AT&T Mobility LLC v. Concepcion, No. 09-893 (April 27, 2011) sweeps away a major barrier to enforcing arbitration agreements between businesses and consumers that had been erected by judicial decisions in California and several other states. The Supreme Court has made clear that where a consumer has entered into a contract that contains an arbitration provision, that consumer must submit to arbitration any dispute that falls within the scope of that agreement – even where the arbitration provision contains the type of class action waiver that many states had previously disfavored as unconscionable.

The Supreme Court's decision may have significant implications for web publishers, many of whom require users to agree to arbitration of claims arising out of terms of use and/or privacy policies as a condition of using their sites.  For instance, courts in California--whose law was specifically at issue in AT&T Mobility--had taken the approach that the presence of a class action waiver in an arbitration clause was almost sure to render the clause unconscionable and unenforceable.  Some cases in California that have considered whether arbitration clauses in "clickwrap" agreements are enforceable have relied heavily on California's law regarding class waivers.  Those decisions no longer appear to state good law after AT&T Mobility. 

For more information about the AT&T Mobility decision, please see our Client Alert. 

As we've described in this recent article, the past year has witnessed a surge in privacy litigation that shows no signs of easing.   Many of these suits involve allegations that defendants have used Flash local shared objects ("Flash cookies") for the purpose of tracking Internet users' browsing activity. Flash cookies differ from traditional browser cookies in that they are stored outside the browser and may be immune to browser privacy controls.  Also, as explained in a widely cited article [PDF], Flash cookies can be used to recreate deleted brower cookies (a practice known as browser cookies "respawning").  Citing these characteristics, plaintiffs in more than a dozen class action cases have alleged that certain companies use Flash cookies in order to circumvent users' browser privacy controls, allegedly in violation of federal and state law.

As noted in this previous post, many of the suits have settled.  But at least one company, the ad network Specific Media, appears poised to continue to contest the suit [PDF] filed against it last August in the Central District of California.  On February 17, Specific Media moved [PDF] to dismiss the case, arguing (among other things) that even if the plaintiffs' allegations were true, they have failed to show that they have suffered any legally significant injury.  Here, Specific Media contends that the plaintiffs have not sufficiently alleged that the use of Flash cookies caused them to suffer a concrete and particularized "injury in fact," which is required to bring suit in federal court.  This argument has been raised in numerous other cases arising from the alleged collection and sharing of information online for advertising purposes. 

Earlier this month, the plaintiffs filed what, to our knowledge, is the first fully articulated theory of standing in cases of this kind.  In their opposition [PDF] to the motion to dismiss, the plaintiffs argue that Specific Media's use of Flash cookies hurt them in two ways.  First, the plaintiffs assert that the use of Flash cookies for tracking--which, the plaintiffs contend, Specific Media did surreptiously--deprived them of the economic value of their personal information.  Second, they contend that the use of Flash cookies affected the performance of their computers and their web browsing experience.  Specifically, the plaintiffs claim that the use of Flash cookies caused websites in Specific Media's ad network to load more slowly than they otherwise would have.  Specific Media's reply brief is due early next month.       

We will continue to watch the Specific Media case closely, as it may prove to be the first of the Flash cookies cases to yield a decision on whether plaintiffs in these kinds of cases may pursue their claims in federal court. 

Two of the country’s largest video rental services, Netflix and Redbox, have been sued for allegedly violating the federal Video Privacy Protection Act (“VPPA”).  The plaintiffs in both suits contend that the rental services stored information about their rental histories for long after that information had ceased being “necessary” to provide the services for which customers had signed up, in violation of the VPPA.  The Netflix complaint also alleges that the company unlawfully maintained the information even after customers had cancelled subscriptions to the service.

One central issue in both cases will be the question of the point at which information collected by a company is “no longer necessary for the purpose for which it was collected" -- specifically, with respect to Netflix, whether it was reasonable for it to retain subscriber information after cancellation of the service.  

The answer to this question about the substantive requirements of the VPPA may also have ramifications beyond the law of video privacy.  As we have previously detailed, the FTC’s recent staff report on consumer privacy recommended that businesses do more to incorporate substantive privacy protections at every stage of a product’s lifecycle.  The FTC, which characterized this approach as “privacy by design,” stressed the importance of limited data retention.

Continue Reading

According to an article written by Jeff Swiatek in the Indianapolis Star, an Indiana judge has ruled that the state's reporters' shield law does not prevent two newspapers from being compelled in a lawsuit to disclose identifying information about online commenters in their Web forums.  The ruling is the first considering the application of the state's shield law to a media entity's online forum.

The plaintiff in the lawsuit alleges that commenters on websites run by two newspapers and a television station in Indianapolis posted harmful and false information about him.  He sought to compel the media companies to reveal technical information concerning the anonymous commenters so that he could obtain their identities and proceed in a suit against them.  Although the media organizations are not the targets of the suit, they resisted revealing the commenters' technical identifying information.  

Like many states, Indiana has a "reporters' shield law," which protects reporters from being compelled by courts from revealing the identities of their sources in certain situations.   Indiana's law states that reporters (including print, television, and radio reporters) cannot be forced to disclose the identity of the source of any information procured or obtained in the course of reporting for their employing media organization, regardless of whether the information is published/broadcast or not.  The judge ruled that the shield law does not prevent newspapers from revealing identifying information concerning commenters in their online forums (as opposed to a more traditional source).  He has not yet ruled on whether the television station must turn over information concerning the commenters as well.  

The application of state shield laws to online activities has been controversial since many of the laws, such as Indiana's, were passed long before the development of the Internet.  Although the judge's decision construes Indiana law, it provides an important datapoint as traditional media businesses develop approaches to privacy for online forums and state judges consider how to apply their shield laws in the Internet age.

Today the District Court for the Northern District of Alabama dismissed the class action lawsuit filed against our client, Cable One, Inc., for lack of subject matter jurisdiction because the named plaintiff lacked standing.  The litigation arose out of a limited test of NebuAd Inc.’s “deep packet inspection” technology, which was used to create anonymous, non-sensitive interest categories for subscribers for the purpose of serving targeted ads.  Of six putative class actions filed against Internet service providers in connection with tests of this NebuAd technology, this is the only one to be dismissed to date. 

Cable One initially was sued in the Northern District of California along with NebuAd, Inc., and five other ISPs—Bresnan Communications, CenturyTel, Embarq, Knology, and Wide Open West.  Covington's team of Simon Frankel and Mali Friedman secured the dismissal of that complaint against Cable One in October 2009 for lack of personal jurisdiction. 

Plaintiff’s counsel then filed a complaint against Cable One in Alabama (where Cable One was alleged to have allowed NebuAd to conduct its test). In the course of responding to discovery, plaintiff’s counsel stipulated to dismiss with prejudice the Computer Fraud and Abuse Act (“CFAA”) claim and related common law claims—the first dismissal of a CFAA claim in any lawsuit involving the NebuAd technology.  The Covington team of Eric Bosset and Andrew Bernie, along with Frankel and Friedman, also established in discovery that the named plaintiff lacked standing to sue on the remaining claim brought under the Electronic Communications Privacy Act (“ECPA”).  The court disposed of the action on Covington's motion to dismiss today.

For more information on private actions challenging online data collection practices, please see our recent publication in the Intellectual Property and Technology Law Journal and E-Alert. 

Ringleader Digital -- an online advertising firm specializing in the mobile market -- has agreed to settle two putative class actions that were filed against it last fall.  The plaintiffs alleged that Ringleader violated the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030, as well as various state privacy and consumer protection laws, by using HTML5 software to track users' online activities.  Under the proposed settlement agreement [PDF], Ringleader will pay $30,000 to the named plaintiffs in both actions and $670,000 in attorneys' fees.  The proposed agreement also provides for significant injunctive relief.

This is the second notable settlement of a privacy litigation in the past three months.  As we discussed in a previous post, online marketing firms Quantcast and Clearspring settled several privacy suits arising from the alleged use of "Flash cookies" to track users' browsing activities for advertising purposes.  As with the Quantcast/Clearspring settlement, the settlement announced in the Ringleader cases is somewhat surprising given the strong defenses Ringleader appeared to have to the asserted claims and the limited release obtained.  Eric Bosset, Simon Frankel, Mali Friedman, and I recently published an article in the Intellectual Property & Technology Law Journal that details some of those defenses.        

Continue Reading

We recently covered the Red Flag Program Clarification Act of 2010 in a blog post and client alert.  The Act was intended to narrow the scope of the Federal Trade Commission’s Red Flags rule, which imposes requirements on creditors and financial institutions to detect and deter identity theft.  Prior to the Act’s passage, the American Bar Association had commenced litigation against the FTC regarding the rule’s application to attorneys.  The litigation is presently in the U.S. Court of Appeals for the District of Columbia Circuit, and in court papers filed on Friday, January 20, 2011, the FTC provided its initial interpretation of the Act’s impact on the rule. 

The FTC argued that the Act does not provide a blanket exemption for all attorneys, contrary to the ABA’s contention and the district court’s ruling.  Pursuant to the Act, an attorney could be subject to the Red Flags rule if he or she satisfies the definition of “creditor” under the Equal Credit Opportunity Act and regularly obtains consumer reports in connection with credit transactions, furnishes information to consumer reporting agencies in connection with credit transactions, or lends money to or on behalf of a person unless the loan is for expenses incidental to the services provided by the attorney.  In addition, the Act authorizes the FTC to subject any person to the rule if the FTC determines, by rulemaking, that the person “offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft.”  The FTC pointed to these two provisions, as well as the absence of legislative history supporting a blanket exemption for any profession, in arguing that the Act does not support the ABA’s position that attorneys should be categorically exempt from the rule. 

The ABA’s responsive brief is due on February 3, 2011. 

Yesterday, the U.S. Supreme Court refused to reconsider Shlahtichman v. 1-800 Contacts Inc., in which the U.S. Court of Appeals for the Seventh Circuit held that an email confirmation of an online purchase is not “electronically printed” for purposes of the Fair and Accurate Credit Transactions Act of 2003 (“FACTA”).  Among other restrictions, FACTA prohibits merchants who accept credit cards as payment from printing the expiration date on any receipt provided to the purchaser at the point of sale or transaction. This prohibition applies only to receipts that are “electronically printed.” 

The plaintiff, Eduard Shlahtichman, sued 1-800 Contacts, alleging that the company’s email confirmation violated FACTA because it listed his credit card's expiration date.  After considering the issue, the district court dismissed the case, strongly suggesting that FACTA does not apply to e-commerce because emailed receipts are not "electronically printed."  On appeal, the Seventh Circuit agreed with the district court, finding that the ordinary meaning of the term “electronically printed” reaches only those receipts that are printed on paper, and that the use of the term "electronic" did not broaden the scope of the statute beyond paper receipts.

Shlahtichman is one in a series of cases in which courts are struggling to determine the extent to which laws enacted before e-commerce was as widespread as it is today should apply in today's information economy.

Adobe's Flash Player includes a local storage feature that enables websites and applications to remember consumer data, such as log-in credentials and form information.  However, media and data companies' use of this feature, which is sometimes referred to as a "Flash cookie," has been the subject of a number of recent lawsuits.  Specifically, plaintiffs allege that defendants used the local storage feature to keep regular HTTP cookies alive, even after a user deleted them.  

Earlier this week, Adobe announced that it is taking steps to improve consumers' control over the information that is stored in local storage.  This move follows the FTC's request in its recently released preliminary staff report for companies to "create better tools to allow consumers to control the collection and use of their online browsing data."  Adobe's announcement is another example that industry is taking the FTC's call for "do-not-track" mechanisms seriously. 

Last week, the Ninth Circuit issued two opinions in connection with the theft of an unencrypted laptop that contained personal information about Starbucks employees.  First, the court held in a published opinion that Starbucks employees whose names, addresses and Social Security numbers were on the stolen computer could show that they had suffered enough injury to sustain their claim for purposes of getting into federal court.  Specifically, the court found that the increased risk of identity theft satisfies the requirement that plaintiffs show an injury so long as there is a “credible threat of harm” that is “both real and immediate, not conjectural or hypothetical.”  The court also found that “generalized anxiety and stress” are other kinds of harm that could satisfy the requirement.

Although the Starbucks employees satisfied the injury requirement, a second, unpublished Ninth Circuit opinion issued the same day indicated that they had not shown damages -- a key issue in privacy litigation.  “The mere danger of future harm, unaccompanied by present damage, will not support a negligence action,” held the court. (We have elsewhere reported on the challenges that individuals affected by security breaches face in establishing damages.)  The Ninth Circuit also found that the Starbucks employees failed to show the existence of an implied contract under Washington law.

The State of Vermont is petitioning the Supreme Court to review a Court of Appeals decision holding that the State’s prescription confidentiality law is unconstitutional.

The law at issue prohibits regulated entities from selling or using records containing prescriber-identifiable information—i.e., information linking prescribers to prescriptions for particular drugs—for marketing or promoting prescription drugs, unless the prescriber consents.

The Court of Appeals for the Second Circuit ruled that the law is an impermissible restriction on commercial speech under the First Amendment, reversing and remanding the district court.  This ruling is being compared to two First Circuit decisions upholding prescription confidentiality laws in Maine and New Hampshire.

In its petition, Vermont points to other States that have considered legislation to restrict the commercial use of prescriber-identifiable data, and urges the Supreme Court to weigh in to provide States and other regulators with “guidance as to the scope of their ability to allow individual Americans to control access to and use of their information.”

On the eve of the reported settlement of the Flash cookie litigation by Quantcast and Clearspring, Covington alum Kashmir Hill reports at Forbes about an online practice that could be the next "Flash cookie" among privacy advocates:  web history sniffing.

According to the Complaint (PDF) filed last week in federal court in California, a Netherlands company called Midstream Media illicitly collected information about users' web histories on its network of "YouPorn" websites.  The litigation claims that Midstream used a JavaScript security flaw to determine whether particular pages had been visited by particular browser, apparently to track which users had also visited its competitors' sites.

Like other online privacy litigation litigation that we've seen this year, the Midstream plaintiffs' case relies on state consumer protection statutes and the Computer Fraud and Abuse Act, or CFAA -- which existed long before both history sniffing and video streaming.  Even with the creative license that comes from extending these laws to the Internet, it's not at all clear that the plaintiffs will be able to succeed.

Continue Reading

Courts have started to address the tricky -- but important -- question of whether IP addresses are personal information in which users have a right to privacy -- statutory or otherwise. 

Most recently, the U.S. District Court for the District of Columbia found that “Internet subscribers do not have an expectation of privacy in their subscriber information as they already have conveyed such information to their Internet Service Providers.”  (MediaPost provided good coverage of the decisions.) The district court declined to quash a subpoena that had been issued to an ISP seeking subscriber information. 

But just two days earlier, Switzerland’s highest court had held that IP addresses are personal data protected by under Switzerland’s data privacy laws.  It found that the privacy rights of ISP subscribers outweigh the intellectual property interests of copyright holders.  The New Jersey Supreme Court has also held that subscribers have a privacy interest in their IP addresses.  Invoking the New Jersey Constitution’s protections against unreasonable search and seizure, the court required a lawful subpoena to access subscriber information provided to an individual’s Internet service provider.  The court noted that its decision was dependent on existing technology and practices.