Yesterday, the U.S. Supreme Court granted certiorari and agreed to consider Campbell-Ewald Company v. Gomez, in which the U.S. Court of Appeals for the Ninth Circuit held that a consumer’s failure to accept an advertiser’s settlement offer that would fully satisfy the consumer’s claim did not render moot either the consumer’s individual claim under the Telephone Consumer Protection Act (TCPA) or his putative class action, arising from the alleged transmission of unsolicited automated text messages.
Continue Reading Supreme Court to Consider Whether A Settlement Offer for Complete Relief Moots a Plaintiff’s TCPA Claim

A federal judge in the Northern District of California recently certified his denial of AT&T’s Motion to Dismiss the Federal Trade Commission’s (FTC’s) complaint alleging that AT&T misled consumers by limiting its “unlimited” data plan for mobile customers. This means that AT&T will now be able to appeal that decision to the Ninth Circuit.
Continue Reading FTC’s Throttling Case Against AT&T to be Heard by Ninth Circuit

Last week AT&T filed a Reply in support of its Motion to Dismiss challenging the Federal Trade Commission’s (FTC’s) attempt to exercise jurisdiction over the company pursuant to Section 5 of the FTC Act.

As we previously reported, the FTC filed a complaint against AT&T alleging that the company misled consumers by reducing the data speeds for its unlimited mobile data plan customers (i.e., the alleged “throttling program”).  AT&T filed a Motion to Dismiss the complaint in January, arguing that the FTC lacked jurisdiction over the company because its “status” as a common carrier places it squarely within the common carrier exemption to Section 5 of the FTC Act.  The FTC responded that the common carrier exception is a narrow, “activity-based” exception that excludes an entity “only to the degree it is engaged in common carrier activities and not because of its general ‘status’ as a common carrier.”
Continue Reading AT&T: FTC Lacks Jurisdiction Even Under “Activity-Based” Interpretation of the Common Carrier Exemption

China’s principal internet regulator, the Cyberspace Administration of China (“CAC”), announced this week that China will move forward new legislation to combat the improper collection, use, and sale of personal information. The new legislation, announced during an interview of a senior CAC official by state-owned Xinhua News, is reportedly being drafted by CAC, the Ministry

On the heels of a number of well-publicized data security breaches, a White House data breach proposal, and California’s recent changes to its data breach notification statute, New York Attorney General Eric Schneiderman has announced that he will propose legislation to strengthen New York’s data breach notification law.   The legislation had not been made public as of the date of publication, but the Attorney General has stated publicly that he anticipates it will include the following elements:

  • Private InformationDefinition.  The legislation would expand the definition of “private information” that, if breached, requires notice to New York residents.  According to the Attorney General, “private information” should be defined to “include both the combination of an email address and password and an email address in combination with a security question and answer,” as well as “medical information, including biometric information, and health insurance information.”  It is worth noting that the White House proposal unveiled earlier this week also would cover these data elements, and there are some existing state laws that already cover these data elements.  For example, California’s recent amendments to its data breach statute require notice of certain breaches involving “[a] user name or email address, in combination with a password or security question that would permit access to an online account.”  In addition, several states, including California and Texas, have breach notification statutes that cover certain types of medical information.
  • “Reasonable” Data Security Requirement.  Consistent with the approach that a number of other states (including, most recently, California) have taken, the legislation would impose an affirmative obligation on companies to reasonably safeguard “private information,” including through appropriate administrative, technical, and physical safeguards.  Massachusetts and Nevada are among the states that have imposed more prescriptive data security obligations.
  • Safe Harbor.  Schneiderman’s press release provides that “New York should offer a safe harbor if a company adopts a heightened form of security. . . . Once [an entity implements a data security plan that meets the standard], an entity would be required to attain a certification and, upon doing so, would be granted the benefit of a safe harbor that could include an elimination of liability altogether.”   It is not clear based on the Attorney General’s press release, but we presume that this safe harbor would pertain to the obligation to maintain reasonable data security safeguards and not from other obligations.  In addition, Schneiderman’s proposal would legislate that entities that obtain independent third-party audits and certifications annually showing compliance with New York’s reasonable data security requirements should receive for use in litigation a rebuttable presumption of having reasonable data security.
    Continue Reading New York Attorney General Unveils Data Breach Proposal

On October 21, 2014, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (“LIBE Committee”) voted the Italian Giovanni Buttarelli as top candidate for the post of European Data Protection Supervisor (EDPS).  Mr. Buttarelli spent the last five years as Assistant Supervisor to the current  EDPS, Mr. Peter Hustinx. 

Referred to as the

Making good on its warnings that mobile apps will be an enforcement priority under the revised Children’s Online Privacy Protection Act (“COPPA”) Rule, the FTC has announced two settlements with mobile app developers:

  1. TinyCo., the developer of several child-directed mobile apps, will pay $300,000 to settle charges that it violated COPPA by collecting children’s email