Mobile App Providers Encouraged to Obtain User Consent Before Sharing Video Viewing Information with Any Third Party After Gannett Mega-damages VPPA Claim Moves Forward


If you offer a mobile application that allows consumers to watch videos of any kind, and if you share that video-viewing information with an analytics firm, take careful note:  On April 29, in Yershov v. Gannett Satellite Information Network, Inc., No. 15-1719, a panel of the First Circuit Court of Appeals that included retired Justice Souter took a very broad reading of the federal Video Privacy Protection Act (VPPA), and allowed a potentially mega-damages VPPA claim to proceed against the parent of the USA Today newspaper.

The VPPA, enacted in 1988 after a reporter printed a list of videos rented by then-Supreme Court nominee Robert Bork, is a video rental store-era statute containing terms like “video tape service provider.”  The legislative history shows that its framers had emerging technologies in mind, too, and Congress amended the statute just a few years ago to make it easier for streaming services to obtain user consent to share information with analytics firms for the purpose (among other things) of displaying targeted advertising.  If the furnisher of videos shares “information which identifies a person as having requested or obtained specific video materials,” and that “person” is a “renter, purchaser, or subscriber,” the company may be liable to all such “persons” to the tune of $1500 per violation, even absent any actual damages.

Several courts, including the Eleventh Circuit just a few months ago, held that simply downloading a mobile app does not make one a “subscriber.”  But the First Circuit disagreed:  “[B]y installing the app on his phone, thereby establishing seamless access to an electronic version of USA Today, [the plaintiff] established a relationship with Gannett that is materially different from what would have been the case had USA Today simply remained one of millions of sites on the web that [the plaintiff] might have accessed through a web browser.”  The 11th Circuit held apps to be no more “subscriber”-worthy than websites, but the First Circuit asked “[w]hy, after all, did Gannett develop and seek to induce downloading of the app,” if not to create a quantifiably different experience?

The First Circuit also took a broad view of what constitutes personally identifiable information under the VPPA.  It already was clear that video providers need not necessarily disclose an actual name, if they disclosed enough information that would allow the recipient to more or less discover that name.  In Yershov, the plaintiffs alleged that Gannett provided analytics firm Adobe with the unique device identifier of app users’ Android phones as well as GPS information showing where each user was located.  That, the court held, was enough.  It acknowledged that “there is certainly a point at which the linkage of information to identity becomes too uncertain, or too much yet-to-be-done, or unforeseeable detective work,” but thought that the plaintiffs had “plausibly alleged” enough knowledge by Adobe to get them over the hump.

We encourage all mobile app providers, if users can view videos on the app, to determine if they are sharing video viewing information with any third party, and if so, whether they are obtaining user consent for that sharing in the manner called for under the VPPA. 

 

New Balance Takes a Run at Trans-Pacific Partnership to Protect Investment in “Made in USA” Branding

Massachusetts-based New Balance has long made “Made in the USA” a cornerstone claim for their athletic wear.  The graphic below, from the company’s website, explains exactly what New Balance means by “Made in the USA” – but recently, the company has taken further steps to make clear the importance of this claim to their brand.


As reported on NPR, New Balance has developed a shoe that is 100% made in the USA.  However, the company fears that the potential finalization of the Trans-Pacific Partnership (TPP), an international trade agreement that would reduce or eliminate tariffs for certain goods flowing to and from the U.S. and eleven other countries, including countries where many competitors make athletic shoes, could create new competitive pressures.  Because of the TPP, tariffs on shoes from countries such as Vietnam will eventually be eliminated, thereby making it cheaper to bring those products to the U.S.  Per New Balance’s argument, this would make it harder to compete with its U.S.-based factories – thus, the decision to oppose the deal.  Notably, TPP has yet to be finalized and there are hotly-contested views regarding trade on both sides of the political aisle.

This is just one example in which a trade deal can impact a company’s business decisions, including advertising claims.  If your company is interested in learning more about the potential impact of the TPP on your business,  please contact us to learn how Kelley Drye’s nationally-ranked International Trade Practice Group can help.

Federal Court Finds Amazon Liable for Kids’ In-App Purchases

Yesterday, a federal judge ruled that Amazon is liable for permitting unauthorized in-app purchases incurred by children.  Amazon is the last in a series of actions brought by the FTC against third-party platforms related to kids’ in-app charges (we previously blogged about the other two actions against Apple and Google here and here, which resulted in refunds to consumers totaling over $50 million).

FTC Allegations

The FTC first filed its complaint against Amazon in district court in July 2014, alleging that the billing of parents and other account holders for in-app purchases incurred by children “without having obtained the account holders’ express informed consent” violated Section 5 of the FTC Act.  Many of the apps offering in-app purchases were geared towards children and offered as “free” with no indication of in-app purchases.  These in-app charges generally ranged from $0.99 to $99.99, but could be incurred in unlimited amounts.  The FTC alleged that, while the app developers set the price for apps and in-app purchases, Amazon retained 30% of the revenue from every in-app sale.

The complaint alleged that when Amazon first introduced in-app charges in November 2011, the default setting initially permitted in-app purchases without a passcode, unless this setting had been enabled by the user in the parental controls.  Following a firestorm of complaints by parents surprised to find these in-app charges, Amazon introduced a password prompt feature for in-app charges of $20 or more in March 2012.  This initial step, however, did not include charges that, in combination, exceeded $20.  In August 2012, the FTC notified Amazon that it was investigating its in-app billing practices.

Amazon began to require password prompts more frequently beginning in February 2013, but only if the purchase initiated was over $20, a second in-app purchase was attempted within five minutes of the first, or when parental controls were enabled.  Even so, once a password was entered, in-app purchases were often authorized for the next hour.  Amazon continued to refine its in-app purchase process over the next few months, identifying that “In-App Purchasing” was available on an app’s description page, and adding a password requirement for all first-time in-app purchases, among other things.

The Court’s Order

The FTC moved for summary judgement in February 2016.  In its April 27 order, the court granted the FTC’s summary judgement motion, finding that: (1) the FTC applied the proper three-prong legal test for determining unfair business practices (e.g., a substantial injury that is not reasonable to consumers, and not otherwise outweighed by countervailing benefits); (2) the FTC’s witness used to calculate money damages was timely disclosed, even though she was identified after the discovery cut-off date, since the FTC made its intentions to seek monetary relief known from the beginning; and (3) Amazon’s business practices around in-app purchases violated Section 5.

Class Actions Under New Jersey Warranty Law Threaten to Turn Terms-of-Service Boilerplate Into Big Potential Risks

Do your Terms of Service preclude litigants from claiming consequential damages or attorneys’ fees? If new class action lawsuits in New Jersey are right, merely including these terms, and potentially many other disclaimers, violates New Jersey state law, and subjects you to a penalty of $100 per sale.

This interpretation of New Jersey’s 36-year-old Truth in Consumer Contract, Warranty and Notice Act (“TCCWNA”), N.J.S.A. 56:12-14, et seq., is certainly aggressive, and quite possibly wrong. But because the theoretical damages in these cases are so high, proving the theory wrong in court would entail significant risks.  The plaintiffs’ bar is counting on lawsuit targets preferring to settle.

TCCWNA precludes any “seller” from “offer[ing] to any consumer . . . or enter[ing] into any written consumer contract . . . or display[ing] any written consumer warranty, notice or sign . . . which includes any provision that violates any clearly established legal right of a consumer or responsibility of a seller . . . as established by State or Federal law at the time. . . .” A warranty may state generally under TCCWNA that certain of its exclusions may not apply in some jurisdictions, without specifying which provisions or which states those may be, but “[n]o consumer contract, notice or sign shall state that any of its provisions is or may be void, unenforceable or inapplicable in some jurisdictions without specifying which provisions are or are not void, unenforceable or inapplicable within the State of New Jersey.”

“Any person who violates [TCCWNA] shall be liable to the aggrieved consumer for a civil penalty of not less than $100.00 or for actual damages, or both at the election of the consumer, together with reasonable attorney’s fees and court costs.” Because the statute makes it unlawful merely to “display” a “notice or sign” that purports to disclaim a “clearly established legal right,” the argument is that a consumer is “aggrieved” under the statute merely by virtue of having seen the “notice or sign” before making a purchase, whether or not the consumer had any problems with the purchase.

In December 2015, the Third Circuit Court of Appeals issued an unpublished, non-precedential decision reversing dismissal of a TCCWNA class action where an extended-service warranty firm’s contract purported to preclude consumers from seeking attorney’s fees in lawsuits, because New Jersey law precludes waivers of statutory rights to fee awards. That decision has added new fuel to the TCCWNA fire.  New Jersey businesses are not happy, but no legislative fix has yet found any traction.

What can online retailers, and those with brick-and-mortar presence in New Jersey, do to avoid becoming the next TCCWNA defendant?

One necessary step is to examine your terms and conditions carefully and consult counsel familiar with New Jersey consumer protection law. If a particular disclaimer of liability, though unenforceable in New Jersey, is otherwise important to you, TCCWNA allows you to keep it, but only if you expressly state that the disclaimer does not apply in New Jersey.  Most online retailers’ terms of service already contain special notifications about consumers’ rights under California’s “Shine the Light” marketing law; the bite of these recent TCCWNA suits may mean it is time to include special notifications to New Jersey consumers, too.

New Jersey’s TCCWNA wave also highlights the value of a well-drafted arbitration clause and inclusion of a provision requiring claims to be arbitrated individually, rather than on behalf of a class. New Jersey state courts are relatively unfriendly toward arbitration clauses, and will enforce them only if consumers received clear notice a contract contained an arbitration clause and class waiver.  We have a model arbitration provision that takes account of recent court decisions, and we can help you implement the provision in ways that maximize its potential for enforceability.

Jeffrey S. Jacobson is a partner in our New York and New Jersey offices and a former Chief Counsel to the New Jersey Attorney General.

CFPB, “Please”: Judge Rebuffs CFPB’s Attempt to Compel Documents Regarding For-Profit College Accreditation


Last Thursday, a federal district court judge in D.C. denied the Consumer Financial Protection Bureau’s (CFPB) attempt to compel documents from the Accrediting Council for Independent Colleges and Schools (ACICS).  Rejecting the CFPB’s motion to enforce the Civil Investigative Demand (CID) against ACICS, the court held that “the CFPB lacks authority to investigate the process for accrediting for-profit schools” and thus could not compel ACICS to broadly produce policies and procedures related to the accreditation process.

On August 25, 2015, the CFPB issued a CID to ACICS for the stated purpose of “determin[ing] whether any entity or person has engaged or is engaging in unlawful acts and practices in connection with accrediting for-profit colleges.”  The CFPB also pointed to previous investigations of the lending practices of for-profit colleges as providing a basis for an investigation into the accreditation process itself.   Counsel for ACICS objected to the CID and filed a motion to set aside or modify the CID, but the CFPB declined and ultimately brought a motion to enforce the CID in court.

In its decision on Thursday, the court noted that, in determining whether to enforce a petition, the relevant standard is whether “the information sought is relevant to an investigation for a ‘lawfully authorized purpose.’”  The court further explained that under the Dodd-Frank Act, which created and authorized the CFPB, the Bureau was empowered to prevent “a covered person or service provider from committing or engaging in an unfair, deceptive, or abusive act or practice under Federal law in connection with any transaction with a consumer for a consumer financial product or service, or the offering of a consumer financial product or service.”  Because consumer financial laws do not “even tangentially implicate the accrediting process of for-profit colleges,” the court held that “the CID’s statement of purpose appears to concern a subject matter that is not within the statutory jurisdiction of the CFPB.”

The court addressed and rejected the Bureau’s argument that it could investigate ACICS for potential connections to private student lending practices as a “post-hoc justification” and a “bridge too far,” finding that “the accreditation process simply has no connection to a school’s private student lending practices.”  Finally, the court responded with a simple declaratory “Please” to the CFPB’s suggestion that it need not accept ACICS’s generalized description of its activities.  According to the court, the CFPB made clear that its inquiry was not limited to private student lending practices but rather concerned the accreditation process generally.  While the case is surely a victory for ACICS and a notable setback to the CFPB’s broad assertion of jurisdiction and authority, the court acknowledged that the CFPB may be able to seek information from ACICS related to potential violations of consumer financial laws by the schools it accredits, but held that the statement of purpose in the current CID was simply too broad.

It remains to be seen whether the CFPB will appeal the decision, narrow the CID consistent with the court’s direction, or abandon the matter altogether.

Nebraska Amends Data Breach Notification Law

Last week, Nebraska Governor Pete Ricketts signed into law LB 835, which makes the following amendments to the state’s data breach notification statute:

  • Adds to the definition of “personal information” a user name or email address, in combination with a password or security question and answer, that would permit access to an online account.
  • Requires notice to the Nebraska Attorney General no later than notice is provided to Nebraska residents.
  • Clarifies that data is not considered encrypted, defined as “converted by use of an algorithmic process . . . into a form in which the data is rendered unreadable or unusable without use of a confidential process or key,” if the confidential process or key was or is reasonably believed to have been acquired as a result of the breach.

The amendments take effect July 20, 2016. Recognizing the breadth of information consumers store online, Nebraska will become the fifth state, joining California, Florida, Nevada, and Wyoming, to require notification in the event of a breach of account credentials. We will continue to track and keep you apprised of updates to state breach notification statutes.

Never Say Never, And Other Lessons from Kanye

We didn’t comment when Kanye West interrupted Taylor Swift at the MTV Video Music Awards. And we’ve stayed silent during his other controversies. But when Kanye gets sued over false advertising, we can stay silent no longer. (After all, we’ve previously posted about Kim Kardashian’s Ad Law troubles.) This week, a disgruntled fan filed a putative class action accusing Kanye and his business partner Jay Z of fraudulently inducing consumers to subscribe to Tidal, a subscription-based music service owned by the two artists.

Earlier this year, Kanye announced that he would release his long-anticipated album, The Life of Pablo, exclusively on Tidal. In February, Kanye tweeted: “My album will never never never be on Apple. And it will never be for sale… You can only get it on Tidal.” (That’s four “nevers” in 107 characters, if you’re counting.) Fans took this seriously, and rushed to sign up. In just over a month, Tidal’s subscriber base tripled, potentially saving the service from collapse.


Less than two months after Kanye promised the album would never (x4) be available anywhere else, it became available on Apple Music, on Spotify, and on Kanye’s own online marketplace. Many fans became angry that they had signed up for Tidal based on Kanye’s promise, and one of them filed a lawsuit. The complaint alleges that the representations of exclusivity constitute false advertising, and that they have had a “grave impact” on the privacy of the millions of subscribers who were “uniformly tricked” into handing over their private data and credit card information. The complaint asks the court to grant damages, disgorgement of profits, and restitution. In addition, the plaintiff wants Tidal to delete information it has collected from subscribers and to cancel the negative option aspects of outstanding free trials.

It’s too early to tell how this case will turn out, but the issues raised by the complaint aren’t unique to celebrities. We’ve often worked with companies that get excited about the launch of a new product or service, and want to make far-reaching promises. For example, a company may promise that something will always be exclusive, that a feature will always be free, or that some things never change. Think carefully about making these promises because some consumers will take you at your word. If the market changes and you want to go back on your promises, those consumers may not be forgiving.

FTC’s “All Natural” Cases Are More About “All” Than “Natural”


The Federal Trade Commission announced last week the filing of four consent decrees and an administrative complaint relating to companies selling various personal care products – shampoos, sunscreens, moisturizers – featuring claims such as “all natural” or “100% natural.”  The FTC alleges that these claims were false or misleading because all of the products at issue contain one or more synthetic ingredients.

Companies that have fought consumer class actions relating to natural claims and followers of FDA’s rulemaking regarding natural claims on food products are well aware that calling something “natural” can be a lightning rod.  However, FTC has previously opted to stay above the fray, as it did when declining to include “natural” as a defined term in the revised Green Guides.  So, what’s this enforcement all about?

Simply put, it’s more about “all” than about “natural.” Based on the complaints released, the FTC’s concern is that the companies falsely stated that their products contained only natural ingredients when, in fact, they did not.  There is no discussion in the complaints about the manufacturing processes that the products undergo or whether the ingredients could be of either natural or synthetic origin.  In short, the FTC did not need to delve into how any other agency defines “natural” and did not do so.

Rather, these cases are important for two main reasons: First, they underscore the agency’s position that where advertising conveys that a product meets a certain threshold, i.e., “all” or “no,” the agency expects the products to meet those standards.  Second, although the FTC has not engaged on the “natural” issue before this, it is not afraid to use its authority on such claims to prevent alleged deception.

 

 

Privacy Shield Pierced? Article 29 Working Party Expresses Concern with Agreement

The Article 29 Working Party (The Working Party), which includes representative data protection authorities from each EU member country and the European Data Protection Supervisor, issued a 58-page opinion yesterday that flagged perceived shortcomings of the draft EU-U.S. Privacy Shield (Privacy Shield). Privacy Shield was slated to replace the now defunct Safe Harbor, and is the updated framework designed to permit organizations to legally transfer EU personal data to the United States. Taking into account applicable law, the recent European Court of Justice decision in the Schrems case, and the current international context, the Working Party praised the improvements of Privacy Shield, but criticized its overall lack of clarity and accessibility.

The Working Party identified these key points of particular concern:

  • Material Omissions:  Key data provisions, such as the Data Integrity and Purpose Limitation principle, are not reflected in the draft adequacy decision. To cure this deficiency, the Working Party recommended a glossary of terms and definitions in the Privacy Shield F.A.Q.
  • Bulk U.S. Government Data Collection:  The U.S. representations do not exclude bulk, indiscriminate personal data collection originating from the EU. The Working Party opinion recommended further safeguards to ensure interferences caused by U.S. surveillance programs are necessary in a democratic society.
  • Ombudsman Details:  The powers and position of the new Ombudsperson are not detailed. The U.S. had committed to a new Ombudsperson who would be independent from the U.S. intelligence authorities and serve as an oversight mechanism for national security interference. The Working Party recommended further clarification on the position and powers of this new Ombudsperson.
  • Clarity on Accountability Process:  The annual joint review mechanism lacks clarity regarding the precise arrangements of the parties. Under the adequacy decision, the annual joint review mechanism would ensure U.S. accountability to commitments through an annual review by the European Commission and U.S. Department of Commerce and would involve Data Protection Authorities, U.S. national security authorities, and the independent Ombudsperson, where appropriate. The Working Party recommended and welcomed agreement on the elements of the joint review well in advance of the first review.

Now that the Working Party has issued this opinion, the European Commission is likely to incorporate many of the proposed changes into a revised adequacy decision for approval by the Commission. To that end, Commissioner Jourová stated that “the Commission will work to swiftly include [the regulators’ useful recommendations] in its final decision.” While the Commission has the discretion to proceed on the current draft adequacy decision, the Data Protection Authorities maintain the authority to investigate and ultimately restrict data transfers where a non-EU country does not meet the “adequacy” standard for privacy protection under EU law.

Associate Ilunga Kalala contributed to this post. Mr. Kalala is admitted only in Maryland. He is practicing under the supervision of principals of the firm who are members of the D.C. Bar.

Are You Covered? Fourth Circuit Finds CGL Insurance Coverage for Data Breach

As data breaches have continued to grow over the past few years, interest in cyber insurance coverage has grown along with them.  This week, the Fourth Circuit upheld a lower court’s ruling in Travelers Indemnity Co. of America v. Portal Healthcare Solutions, LLC, finding that a commercial general liability (CGL) insurance policy covered the cost to defend claims regarding a data breach.

In an unpublished opinion, a panel of the Fourth Circuit affirmed the Virginia District Court’s August 2014 decision that Travelers Indemnity Co. was obligated to defend Portal Healthcare Solutions in a class action lawsuit pending in New York state court.  The underlying class action alleged that Portal failed to secure a server containing confidential records of patients at a New York hospital, leaving the records available to view online for more than four months without a password.  Two patients discovered their records online following an internet search, but there was no evidence that any third parties viewed the information.

In looking at the four corners of the complaint and the underlying CGL insurance policy, the Fourth Circuit agreed that the mere availability of the private medical information online constituted “publication” under the CGL policy’s provision providing coverage for “electronic publication” of material regarding a person’s private life, thereby triggering the duty to defend.

Although the decision is favorable to policyholders, there are a number of important caveats.  For instance, insurance policy language can vary substantially between carriers, and the unpublished decision is not binding on other courts.  Notably, the decision contrasts with a 2015 holding by the Connecticut Supreme Court finding that a CGL policy did not cover a loss of computer tapes containing employee personal information when there was no evidence of personal loss, no evidence that any third party ever accessed the information, and thus no “publication” of the information as required by the CGL policy.

In recent years, it has become increasingly difficult for policyholders to secure coverage for data breaches under CGL policies given the continuing trend of “electronic data” exclusions.  Moreover, CGL policies often contain express language clarifying that electronic data does not qualify as “tangible property,” a prerequisite for a finding of “property damage” under such policies.

Given that these policy limitations are becoming more prevalent, companies hoping to have coverage in the event of a data breach should evaluate whether their current policy appropriately covers cyber and data breach risks, or whether they may need to obtain a separate cyber liability policy specifically tailored to cover such risks.
