A decision from Judge Preska in the Southern District of New York may change the trajectory of website accommodation cases in New York.

Website Accessibility Cases in New York Prior To This Decision

In 2017, Judge Weinstein in the Eastern District of New York denied the motion to dismiss in Blick Art, issuing a thirty-seven page opinion on why the plaintiff stated a valid claim under the Americans with Disabilities Act (ADA).

In 2018, at least 2,200 Title III website accessibility cases were filed in Federal Court, more than nearly tripling the over 800 cases filed in 2017.  New York became the venue of choice for most of those cases, with over 1,500 cases filed in New York Federal Courts in 2018.  The surge in ADA website cases filed in New York in 2018 is likely due to the decision in Blick Art.

The Apple Decision

Plaintiffs filing website accessibility cases in New York may have a new hurdle to face now.  On March 28, 2019, Judge Preska granted Apple’s motion to dismiss in the matter Mendez v. Apple. In her ten-page decision, Judge Preska found that plaintiff had not pleaded an injury in fact because “the purported injuries described lack all the requisite specificity.”

Judge Preska explained: “Plaintiff does not give a date that she tried to access the physical store or what good or service she was prevented from purchasing.  She does not identify sections of the website she tried to access but could not.  Finally, while general barriers are listed, she does not allege which one of them prevented her from accessing the store.”

Judge Preska then compares Ms. Mendez to the plaintiffs in Lawrence Feltzin, Lowell, PGA Tour, Gathers, Bernstein, and Kreisler, distinguishing Ms. Mendez’s vague pleadings with those of the other plaintiffs who sufficiently pleaded an injury in fact.  Although Ms. Mendez cited to Blick Art in her opposition briefing, the case is notably absent from Judge Preska’s opinion.

Finding Ms. Mendez most similar to the plaintiff in Lawrence Feltzin, where plaintiff provided “no details at all concerning any instance in which he allegedly encountered a violation,” Judge Preska concluded that plaintiff’s federal claims be dismissed for lack of standing.

Consequently, Judge Preska held that because Ms. Mendez’s New York State and New York City claims are governed by the same pleading requirements as the ADA, her entire complaint was dismissed for lack of standing.

In her concluding paragraph, Judge Preska issued a warning to serial filers like plaintiff’s counsel: “There is nothing inherently wrong with filing duplicative lawsuits against multiple defendants if the harms to be remedied do exist and are indeed identical.  But those who live by the photocopier shall die by the photocopier.  By failing specifically to assert any concrete injury, Plaintiff’s claims fail as a matter of law.”

Ms. Mendez’s lawsuit against Apple was filed by Joseph Mizrahi.  Mr. Mizrahi has filed over 800 federal website accommodation cases since 2017.

What does this mean for the future of website accessibility cases?

It is too early to determine the full impact of the Apple decision in New York however, Judge Preska has left the door open for owners and operators of websites to attack these complaints through a motion to dismiss when faced with a vague, duplicative claim where a specified injury is not pled.

As we’ve predicted before, these types of cases are likely to continue despite Judge Preska’s favorable ruling in the Southern District of New York.  If you aren’t sure whether the ADA applies to your site or whether it’s accessible to the blind, now may be the time to find out. Getting a sense of whether your site can be navigated using a screen reader will provide a better sense of whether the site could be considered a “low hanging fruit” for plaintiffs to find.


A federal judge allowed a class-action lawsuit alleging Bose collected and shared data about its headphone users to proceed last week on the basis of deceptive advertising. The decision underscores the risks that internet of things (IoT) businesses can face if they fail to accurately communicate to consumers how a mobile app or “smart” product collects and uses personal data.

At issue in the case is an allegation that Bose offered a companion app for its wireless headphones that collected and transmitted data about consumers and their listening habits to a “third-party data miner without consumers’ knowledge or consent.”

While Bose apparently advertised the app as an enhancement to its headphones that enables a user to unlock additional features and functions, the consumer complaint alleged that Bose deceptively siphoned data about what a consumer was listening to, using the data to profile the consumer and share the information with third parties. In effect, the complaint accused Bose of intercepting communications between music streaming services and the consumer in violation of the federal Wiretap Act and an Illinois eavesdropping statute.

In her decision, Judge Andrea Wood of the US District Court for the Northern District of Illinois dismissed the majority of the claims against Bose, including the allegation that Bose had violated wiretapping laws, because “the app is in fact a known participant in—and intended recipient of—the communication….” By activating the app, the consumer effectively invites the app to join the conversation, even if the implications are not fully known or intended.

By contrast, Judge Wood accepted the allegation in the consumer complaint that Bose may have deceptively omitted material information about the app, contravening the Illinois Consumer Fraud and Deceptive Practices Act.

The allegation against Bose, whether or not ultimately proven, emphasizes the importance of upfront, transparent communications with consumers about how an IoT product or service linked to the internet collects, shares, and monetizes personal information. The case adds another data point that even if a data practice is not strictly illegal based on traditional privacy laws like the Wiretap Act, it can give rise to other consumer protection based claims, including in the form of class action lawsuits and regulatory scrutiny.

For a refresher on how mobile app providers can comply with consumer protection laws, visit the Federal Trade Commission’s Marketing your Mobile App guide.

This week, the FTC announced a settlement with UrthBox and its president that addresses two topics that we frequently cover on this blog: (1) free trials; and (2) incentivized reviews.

Free Trial

The FTC alleged that Urthbox offered a “free” trial of its snack boxes for a nominal shipping and handling fee. UrthBox TrialFor some consumers, the trial came with unexpected costs. Unless they took steps to cancel before the end of the trial, consumers were automatically charged for a six-month subscription. The FTC alleged that the terms of this automatic renewal were not adequately disclosed. Although the company made some improvements to the disclosures, the FTC found that the terms were not sufficiently conspicuous and that they failed to communicate certain important details.

The order prohibits the respondents from misrepresenting the terms of a free trial, and requires them to clearly make certain disclosures relating to the negative option feature, in accordance with the Restore Online Shoppers’ Confidence Act (or “ROSCA”). In addition, the company must provide consumers with a simple mechanism they can use to avoid charges for products that are offered through a negative option program. Finally, the order requires UrthBox to pay $100,000, which the FTC can use to provide refunds to affected consumers.

Incentivized Reviews

UrthBox conducted incentive programs to induce customers to post positive reviews on various sites. For example, when customers contacted the company’s customer service line, agents offered to send them a free snack box if they posted positive reviews on the BBB’s website. As a result of the program, the ratio of positive to negative reviews on that site jumped from 100% negative to 88% positive in the space of about a year. The company also ran similar incentives to generate positive reviews on Facebook, Instagram, Tumblr, and Twitter.

The order requires the company to take steps to ensure that reviewers who receive an incentive clearly and conspicuously disclose that they have received that incentive. For example, the company must get a signed statement from reviewers in which they acknowledge that they are required to make a disclosure, and the company must monitor reviewers to ensure compliance. In addition, the company must take steps to remove previously-posted reviews that do not include the required disclosures.

Whereas previous FTC orders addressing endorsements were more general in nature, recent orders include more detail about exactly what steps the FTC expects companies to take to ensure compliance. Some of these steps go beyond what most companies are currently doing. Whether or not your company should adopt some of the requirements in these orders will depend on your circumstances, but the orders provide good examples of what practices are likely to be considered “safe.”

The Danish and Polish data protection authorities issued their first GDPR fines last month. The cases serve as indicators of the kinds of technical violations enforcement officials are looking to deter as they police the EU’s new privacy regulation.

In Denmark, Datatilsynet recommended fining the taxi company Taxa 4×35 nearly $180,000 for failing to delete records on 9 million taxi rides after they were no longer needed.  Article 5 of the GDPR discourages companies from holding on to data that they no longer need:  “personal data shall be … adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’); …” and “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed … (‘storage limitation’).”

In Taxa 4×35’s case, the company allegedly sought to comply with Article 5 by anonymizing its data after two years. In practice, the company only removed customer names from its database, keeping other data points such as customer phone numbers and ride histories for five years for purposes of business analytics.

The Datatilsynet said this procedure was insufficient. The data protection authority found that phone numbers still permit identification of a data subject, meaning that Taxa 4×35 did not properly anonymize its records.  Furthermore, the Datatilsynet rejected Taxa 4×35’s explanation that its technical systems did not allow preservation of ride history data without an associated phone number.  “One cannot set a deletion deadline, which is three years longer than necessary, simply because the company’s system makes it difficult to comply with the rules in the Data Protection Regulation,” the data protection authority wrote.

Meanwhile, Poland’s Personal Data Protection Office (UODO) fined digital marketing company Bisnode €220,000 for failing to notify 6 million people about its data scraping activities.  The UODO said that Bisnode was required to notify data subjects that it was pulling their publicly-available personal data from public sources in accordance with Article 14 of the GDPR, which mandates notice to data subjects where personal data was not obtained from the data subject.

UODO noted that of the data subjects Bisnode did notify, 13 percent objected to the data processing. “This shows how important it is to properly fulfill the information obligations in order to exercise the rights we are entitled to in accordance with the GDPR,” UODO wrote.

In response to UODO’s inquiries, Bisnode pointed to a notice it had posted on its website, apparently explaining to UODO it would be far too costly to notify data subjects directly. UODO rejected such an approach: “[w]hile having the contact data to particular persons, the controller should have fulfilled the information obligation in relation to them,” UODO wrote in a press release.

These actions by the Danish and Polish authorities are just the latest in an increasing number of GDPR-related enforcement actions so far in 2019.

The FDA and FTC jointly issued warning letters to three companies selling CBD products online.  The letters allege violations of the Federal Food, Drug, and Cosmetic Act (“FDCA”) and the Federal Trade Commission Act (“FTCA”).  Although this is the first time the FDA and FTC have issued joint warning letters relating to CBD, the FDA has been involved in CBD enforcement for the past few years.

Since the passing of the 2018 Farm Bill, which descheduled hemp and hemp derivatives under the federal Controlled Substances Act, the FDA has become the primary federal regulator relative to foods, drugs, cosmetics, and dietary supplements that contain CBD from hemp.  The FDA’s most visible enforcement on CBD products to date has been in the form of warning letters issued to online retailers of products labeled as dietary supplements that feature aggressive disease treatment claims. The FDA also tested CBD products in conjunction with warning letters issued in 2015 and 2016 to determine whether they contained the CBD levels listed on the labels.

In the letters from last week, the FDA turned its focus onto various CBD products marketed online as “drugs,” including “CBD Salve,” “CBD Oil,” “CBD for Dogs,” “Hemp Oil,” “CBD Softgels,” “Liquid Gold Gummies (Sweet Mix),” “Liquid Gold Gummies (Sour Mix),” and “blue CBD Crystals Isolate 1500mg.”  The FDA determined that the companies’ websites contained claims about their CBD products that established them as unapproved “drugs” under section 201(g)(1) of the FDCA. The letters also referenced the FTC’s substantiation standard, stating the FTC had concerns that certain efficacy claims that were made may not be substantiated by competent and reliable scientific evidence. They also warned that violations of the FTCA may result in legal action seeking a Federal District Court injunction or Administrative Cease and Desist Order, possibly including a requirement to pay back money to consumers.

As noted above, these letters are unique, as it is the first time the FDA has issued a joint FDA/FTC warning letter relating to CBD. This is also the first time the FDA has referenced the FTC’s substantiation standard or threaten any specific penalty for violations of the FTCA.  For companies marketing CBD, it is important to keep in mind that although the market has flourished despite a host of regulatory uncertainties, it is the regulators’ opinion that the rules regarding advertising and health claims are clear.  Competent and reliable scientific evidence remains the standard.

Over the last few years, however, the FTC’s health claim enforcement has featured several false cure-type products. Cases against Regenerative Medical Group, Cellmark, iV Bars, and Nobetes challenged unproven representations for products promising to treat Parkinson’s disease, macular degeneration, cancer, multiple sclerosis, and diabetes.  Although we have yet to see the FTC announce any settlements relating to CBD products, these letters signal that FDA is not alone in its concern over aggressive CBD treatment claims.

The warning letters can be found here:

FTC Chairman Joe Simons recently acknowledged the Commission’s plan to use its authority under Section 6(b) of the FTC Act to examine the data practices of large technology companies.  In written responses to questions from members of the U.S. Senate Commerce Committee following in-person testimony in November 2018, Chairman Simons confirmed that plans were underway to gather information from tech companies, though the specific targets or areas of focus remained under consideration.

As described by the FTC, Section 6(b) of the FTC Act “plays a critical role in protecting consumers,” and broadly authorizes the Commission to obtain information – or “special reports” – about certain aspects of a company’s business or industry sector.  Companies that are the focus of an FTC study pursuant to Section 6(b) must respond to a formal order issued by the Commission that, similar to a civil investigative demand, can include a series of information and document requests.  The information obtained through the order may then be the basis for FTC studies and subsequent industry guidance or rulemaking.

The revelation of the pending 6(b) orders comes amid concerns from federal and state lawmakers and regulators about transparency relating to “Big Data” practices and online data collection, and the use of artificial intelligence and machine-learning algorithms in decision-making.  In remarks this week to attendees of an Association of National Advertisers conference, Chairman Simons noted a potential lack of transparency in the online behavioral advertising context and “the fact that many of the companies at the heart of this ecosystem operate behind the scenes and without much consumer awareness.”



In February 2018, I reported on a 20-state objection brief, filed with the U.S. Supreme Court, asking the Court to reverse the approval of the class action settlement in Gaos v. Google.  That deal would have distributed a few million dollars to nonprofit groups, while the AGs wanted money paid to real people, even if that meant holding a lottery to do it.  Today, although the Supreme Court reversed the settlement, it did so on standing grounds and did not address whether a class action can be settled solely through “cy pres” settlements to non-profits.

The Supreme Court cited its recent Spokeo v. Robins decision in which it held that plaintiffs must allege concrete harm, and not just a bare statutory violation, in order to have Article III standing to sue in federal court.  Spokeo was not the Court’s most edifying decision and lower courts have split wildly on what it means in practice.  The Court’s decision today didn’t address that split; it just told the lower courts to analyze the Gaos plaintiffs’ standing in light of Spokeo without opining on the issue one way or the other.

Justice Thomas dissented alone.  He expressed his disagreement with Spokeo, believing that if Congress made conduct illegal, violating that statute suffices to confer standing.  He then said he would have reversed the settlement.  In Justice Thomas’s view, if a settlement provides no benefit to class members, and looks to be solely a means to extinguish a claim, courts should not approve it.

Perhaps the biggest takeaway from today’s decision, therefore, is that eight of the nine Justices think differently from Justice Thomas on this issue.  How differently, only time will tell.

Last week, in Cline v. Touchtunes Music Corp., No. 18-1756,  the Second Circuit Court of Appeals upheld a Manhattan district judge’s decision to approve a low-cost class action settlement in what the judge termed a “nuisance” case, while basically zeroing out the $100,000 fee requested by the plaintiffs’ class counsel.

Defendants who have faced silly but not entirely motionable class actions can momentarily enjoy the schadenfreude of watching a plaintiff’s law firm come away with nothing for its efforts.  The problem with decisions like Cline, however, is that they may make plaintiffs’ counsel more hesitant to settle a cheap case on cheap terms.  For the class action defense bar, raising potential settlement costs is nothing to celebrate.

The facts of Cline are almost too silly to merit repeating.  The defendant provided a digital jukebox application to (for example) bars and restaurants.  Patrons could pay money to play songs, and the app’s terms told the patrons clearly that their songs weren’t guaranteed to play and that no refunds would be provided under any circumstances.  What the terms didn’t disclose, however, is that the restaurant manager had the ability to manually skip songs.  The plaintiff, ostensibly on behalf of a class of people whose songs were skipped, sued for the lost value—about 40 cents each—of not hearing the songs be played.

The defendant, after two tries, couldn’t quite get the whole suit dismissed.  A highly experienced district judge left alive a false advertising claim for the non-disclosure.  At that point, early last year, the parties agreed to a settlement.  About 166,000 patrons whose songs weren’t played, and for whom the defendant had contact information, received a code by email good for one free song play on any of the defendant’s jukeboxes.  Other people could file claims for codes, and 2,200 people did so.

The plaintiff’s counsel sought a $100,000 fee for themselves and a $2,000 incentive fee for the plaintiff.  The judge approved the settlement but not these fees.  He rejected the incentive award and, in place of the $100,000 fee, which plaintiffs’ counsel contended was their “lodestar” of hours worked, the judge instead granted a fee of 20 cents per song code that class members actually redeem within the one-year expiration period.  That fee is likely to be less than $1,000.  The plaintiffs’ counsel appealed that reduction, but the Second Circuit upheld it in a summary order, finding that the district judge acted within his discretion, especially in a “coupon”-type settlement.

What should not be lost in any analysis of Cline is this key statement in the Second Circuit’s opinion:  “[C]lass counsel’s lodestar fee application was not supported by contemporaneous billing records, and…no substantial explanation had been provided for a $10,000 ‘consulting fee’ for which reimbursement was sought.”  The Second Circuit thus reinforced that plaintiffs’ counsel absolutely can still seek lodestar-based fees even when settling for coupons or in-kind goods, provided that they support those fees with appropriate billing detail.

If plaintiffs’ counsel try to tell you that they don’t want to enter into a coupon or in-kind settlement because Cline makes them fearful of receiving no fee in the case, therefore, remind them that the problem in Cline wasn’t the settlement structure; it was the law firm’s failure to document its fees.  Don’t make that mistake, and Cline shouldn’t be an issue.  Low-value cases like Cline still should be able to settle on low-value terms.


Businesses often include mandatory arbitration clauses in their pre-dispute dealings with customers to prevent costly consumer class actions in favor of streamlined (often individual) arbitration.  The Federal Arbitration Act (“FAA”) makes such arbitration agreements “valid, irrevocable, and enforceable, save upon such grounds as exist at law or in equity for the revocation of any contract.”  Relying on the FAA, the Supreme Court has defended business enforcement of such clauses against state- and judge-made exceptions.  For example, the Supreme Court has held that the FAA preempts state laws that pose obstacles to its enforcement, prevents courts from invalidating an arbitration agreement on the basis of the cost to arbitrate exceeding the potential recovery, and requires courts to enforce contractual provisions that delegate to an arbitrator the determination of whether an arbitration agreement applies to a dispute.  As a result, the existence and enforcement of mandatory, individual arbitration agreements have become more commonplace in consumer-facing industries.

Democratic senators are seeking to change this by introducing a bill that would narrow the FAA by prospectively barring pre-dispute arbitration agreements and class-action waivers in consumer, employment, antitrust, and civil rights disputes.  In these four areas, the proposed legislation, entitled The Forced Arbitration Injustice Repeal Act of 2019 (the “FAIR Act”), S. 635, H.R. 1423, would also override agreements to have arbitrators determine arbitrability or the FAIR Act’s applicability to the dispute, opting instead for courts to determine these issues under federal law.

The FAIR Act likely faces the same opposition from Republicans that have defeated similar proposals, including the renditions of the “Arbitration Fairness Act” that were rejected from 2007 through 2018.  Although the FAIR Act may garner attention in the current political climate, in large part due to its employment-related provisions, it likely faces an uphill battle in the current Republican-controlled Senate and White House. But it’s a bill that’s worth keeping an eye on.  We’ll continue to post updates on any key developments.

The FTC recently announced a $5.7 million settlement with app developer Musical.ly for COPPA violations associated with its app (now known as TikTok)—the agency’s largest-ever COPPA fine since the enactment of the statute. The agency charged the app company, which allows users to create and share videos of themselves lip-syncing to music, with unlawfully collecting personal information from children.

To create a TikTok profile, users must provide contact information, a short bio, and a profile picture. According to the FTC, between December 2015 and October 2016, the company also collected geolocation information from app users. In 2017, the app started requiring users to provide their age, although it did not require current users to update their accounts with their age. By default, accounts were “public,” allowing users to see each other’s bios (which included their grade or age). It also allowed users to see a list of other users within a 50-mile radius, and gave users the ability to direct message other users. Many of the songs available on the app were popular with children under 13.

The FTC further alleged that Musical.ly received thousands of complaints from parents asserting that their child had created the app account without their knowledge (and noted an example of a two-week period where the company received more than 300 such complaints). The agency also noted that while the company closed the children’s accounts in response, it did not delete the users’ videos or profile information from its servers.

The FTC’s Complaint focused on practices spanning from 2014 through 2017. Musical.ly was acquired by ByteDance Ltd. in December 2017, and merged with the TikTok app in August 2018.

COPPA identifies specific requirements for operators who collect personal information from children under 13, including obtaining consent from parents prior to collection and providing information about collection practices for children’s data. Online services subject to the rule generally fall into two categories: (1) sites that are directed to children and collect personal information from them; and (2) general audience sites that have actual knowledge that they are collecting personal information from children. Civil penalties for violations of COPPA can be up to $41,484 per violation.

According to the FTC, Musical.ly’s app fell into both categories:

  1. The company included music and other content appealing to children on the app. For example, many of the songs included on the app were popular with children under 13, and the app used “colorful and bright emoji characters” that could appeal to children.
  2. Once the company began collecting the ages of its users, Musical.ly had actual knowledge that some of its users were under the age of 13. In spite of this, the company did not obtain consent from the parents of users under the age of 13, or comply with other COPPA requirements.

FTC Commissioners Chopra and Slaughter issued a joint statement on the settlement, pointing out that FTC staff had uncovered disturbing practices of a company willing to pursue growth at the expense of endangering children. They also noted that previously, FTC investigations typically focused on individual accountability in limited circumstances, rather than pursuing broader enforcement against company leaders for widespread company practices. The Commissioners further indicated that as the FTC continues to pursue legal violations going forward, it is time to “prioritize uncovering the role of corporate officers and directors” and to “hold accountable everyone who broke the law.”

This settlement indicates that the FTC continues to prioritize privacy enforcement—particularly where vulnerable audiences, such as children, are involved. Future FTC enforcement actions could signal an expanded approach to individual liability, including with respect to larger companies.

The case is also a good reminder of the value in performing robust privacy due diligence when considering acquiring an entity, and meaningfully assessing the risk of a company’s data practices before adding them to the portfolio. A widely popular business with significant data assets may not look as attractive once civil penalties and injunctive terms are added to the mix.