Litigation

On Monday, the U.S. District Court for the District of Kansas ruled that the named plaintiff for a putative class of CareCentrix employees whose personal information was compromised had alleged enough harm for standing under Spokeo, Inc. v. Robins.  The case is Hapka v. CareCentrix, Inc.

In early 2016, a phishing attack compromised

On November 3, Judge Vince Chhabria of the U.S. District Court of the Northern District of California held that federal law does not bar the California Public Utilities Commission (CPUC) from requiring telecommunications companies to hand over, under an adequate protective order, confidential subscriber data to The Utility Reform Network (TURN) as part of an investigation into state market competitiveness.

However, Judge Chhabria also rejected a motion for summary judgment filed by CPUC and TURN because it has not yet been demonstrated that the proposed protective order would, in fact, adequately protect the companies from competitive harm.  Because such protection is a necessary predicate to avoiding a conflict with FCC regulations, Judge Chhabria reasoned, the adequacy of the protective order must be determined before CPUC can force companies to turn over such sensitive data.
Continue Reading California Judge Upholds CPUC Order to Share Confidential Subscriber Data, But Subject to Adequate Protective Order

On Monday, a panel of the Ninth Circuit unanimously ruled that Section 230 of the Communications Decency Act (“CDA”) protected Yelp from liability relating to an allegedly defamatory user-generated review.  In doing so, the Court rejected several attempts by the Plaintiff to plead around the CDA’s broad immunity provisions by accusing Yelp of playing a

In an opinion released today, the Ninth Circuit dismissed the Federal Trade Commission’s (“FTC”) lawsuit against AT&T for violating Section 5 of the FTC Act due to its throttling practices.  AT&T’s practice of throttling the speed of customers with unlimited data plans once they reached a certain data usage threshold had been challenged by the FTC as both unfair and deceptive under Section 5.  The Ninth Circuit reversed the district court’s prior ruling denying AT&T’s motion to dismiss on the ground that AT&T was a common carrier and therefore exempt from Section 5 of the FTC Act.
Continue Reading Ninth Circuit Dismisses FTC’s Throttling Suit Against AT&T

Courts continue to grapple with how to apply existing privacy laws to new (and even not-so-new) technology. The recent Ninth Circuit decision, affirming the Northern District of California’s decision to dismiss a proposed class action suit against Pandora for disclosure of listener music preferences in violation of Michigan’s Preservation of Personal Privacy Act (PPPA), resolved the narrow question before it while explicitly leaving others open. Although Pandora can continue to disclose listener preference data publicly, subject to its Terms of Use, the decision leaves unsettled how broadly this right could apply, and how current and future technologies could impact that right.

After certifying to the Michigan Supreme Court the questions of whether Pandora is in the business of “renting” or “lending” sound recordings, and if the plaintiff  (Peter Deacon) is a “customer” of Pandora under the PPPA, the Ninth Circuit adopted the Michigan court’s interpretation that Pandora, through its free, ad-supported service, is not in the business of renting or lending sound recordings and that Deacon is not a customer under the PPPA.
Continue Reading Users of Pandora’s Free Service Are Not Customers Under Michigan Privacy Statute, But Questions Remain

Last week, the Third Circuit adopted a narrow definition of “personally identifiable information,” or “PII,” under the Video Privacy Protection Act (“VPPA”), joining the majority of district courts that have addressed similar issues.  The VPPA defines PII as information that “identifies a person as having [obtained a video]” from a video tape service provider (“VTSP”).

In an appeal from the multi-district litigation In re Nickelodeon Consumer Privacy Litigation, the Third Circuit ruled that digital identifiers such as MAC addresses and IP addresses are not PII because the statutory definition of that term “applies only to the kind of information that would readily permit an ordinary person to identify a specific individual’s video-watching behavior.” 
Continue Reading Third Circuit Takes Narrow View of PII Under the VPPA

The Supreme Court released its highly anticipated decision yesterday in Spokeo, Inc. v. Robins, which addresses whether plaintiffs have standing to pursue statutory damages even in the absence of actual harm under the Fair Credit Reporting Act (“FCRA”).  As we previously reported, the case was expected to have significant down-stream implications for standing in privacy class action litigation, because numerous privacy-related federal laws have been construed to allow statutory damages even in the absence of actual injury (e.g., the Telephone Consumer Protection Act).
Continue Reading Supreme Court Issues Highly Anticipated Spokeo Decision

In two cases last week, two courts entered widely divergent rulings on the central question of the specific definition of “personally identifiable information,” or “PII,” under the Video Privacy Protection Act (“VPPA”).  The VPPA defines PII as information that “identifies a person as having [obtained a video]” from a video tape service provider (“VTSP”).

In Yershov v. Gannett, the First Circuit took a broad view of that definition, deciding that even information such as unique device IDs in connection with GPS coordinates can be PII.  In Perry v. CNN, issued just a few days before Yershov, a federal district court in Georgia took a far more limited view under Eleventh Circuit precedent, holding that MAC addresses are not PII because they are tied to devices, not specific individuals. 
Continue Reading Video Privacy Protection Act Rulings in Gannett and CNN Reach Opposite Conclusions

Last week, the Seventh Circuit handed down another friendly ruling for data breach class action plaintiffs, reversing a district court’s dismissal of a class action complaint over a 2014 data breach at P.F. Chang’s restaurants.  In reversing the district court’s holding that the plaintiffs had not demonstrated Article III standing, the Seventh Circuit ruled that the risk of future fraudulent charges and identity theft created by the breach as reported by P.F. Chang’s constituted a “certainly impending” future injury sufficient to confer Article III standing.  This decision builds on an earlier ruling from the Seventh Circuit that revived a data breach suit filed against Neiman Marcus, and will create further incentives for future plaintiffs to file data breach class action lawsuits in the federal courts of Illinois, Indiana, and Wisconsin, when jurisdictionally possible.

Continue Reading Seventh Circuit, Relying on Defendant’s Post-Breach Statements, Allows Data Breach Class Action to Proceed