On Tuesday, the California Senate Judiciary Committee will hold a hearing to discuss SB-753, which, if adopted, would carve out from the California Consumer Privacy Act (CCPA)’s definition of “sale” certain data sharing for purposes of delivering advertising. As we’ve previously noted, the CCPA is intended to afford consumers the right to know when a company is selling their “personal information” by imposing certain disclosure and opt-out requirements on companies that engage in the sale of such information.

The “sale” definition in the CCPA, as it stands today, is broadly worded and includes essentially any distribution of data in return for value. As a result, there has been legitimate concern in the online advertising space—which involves data sharing among multiple parties—that the sharing of personal information for purposes of delivering targeted advertising would be viewed as a “sale” under the statute and trigger the CCPA’s compliance requirements.

SB-753, if adopted, would respond to these concerns by adding a new exemption to the CCPA’s definition of a sale. Specifically, a business would not be deemed to have sold personal information if:

Pursuant to a written contract, the business shares, discloses, or otherwise communicates to another business or third party an online identifier, an Internet Protocol address, a cookie identifier, a device identifier, or any unique identifier only to the extent necessary to deliver, show, measure, or otherwise serve or audit a specific advertisement to the consumer.

SB-753 would also require the written contract to “prohibit the other business or third party from sharing, selling, or otherwise communicating the information except as necessary to deliver, show, measure, or otherwise serve or audit an advertisement from the business.”

Overall, the proposed amendment would have potentially positive implications for the AdTech industry by allowing businesses to share information to the extent necessary to show specific advertisements to the consumer. That said, the full parameters of the exemption remain unclear, including what exactly qualifies as “necessary,” and how the contract obligations might apply across the highly-distributed AdTech ecosystem. We anticipate these questions and others like it to be discussed at the upcoming hearing.

We will continue to closely track SB-753 and provide updates as they come.

Almost ten months after the California Consumer Protection Act was passed, companies are still trying to figure out what it means. To make things more complicated, over 40 bills have been introduced to make changes to the law, and the Attorney General is required to pass regulations on a number of provisions. How can companies deal with this moving target? Alysa Hutnik provides some tips in this podcast.

The Ad Law Access podcast is available now through Apple’s iTunesSpotifyGoogle PlaySoundCloud, and soon through other podcast services.

Last month, we wrote about the decision of the U.S. Court of Appeals for the Third Circuit in FTC v. Shire Viropharma Inc., holding that the FTC may only bring a case under Section 13(b) of the FTC Act when the FTC can articulate specific facts that a defendant “is violating” or “is about to violate” the law. We noted that the same issue in the context of a consumer protection action is likely headed to the U.S. Court of Appeals for the Eleventh Circuit in FTC v. Hornbeam Special Situations LLC.

This issue is also before the Ninth Circuit, where, in a concurring opinion Judge Diarmuid O’Scannlain in FTC v. AMG Capital Management, urged the Circuit to sit en banc to review what he see as wrongly-decided prior decisions that had allowed the FTC to pursue monetary damages in federal court under Section 13(b) of the FTC Act. The “text and structure of the statute unambiguously foreclose such monetary relief,” O’Scannlain wrote.

And now the issue is now teed up Seventh Circuit, which heard argument yesterday on the same issue in FTC v. Credit Bureau Center, LLC, et al., case numbers 18-2847 and 18-3310.

Some background: dating back to the 1980s, the FTC routinely used Section 13(b) as the basis to file lawsuits in federal court to stop allegedly deceptive, unfair, or anti-competitive conduct, and to seek permanent injunctive and monetary relief. Under Section 13(b), the FTC may seek an injunction in federal court “[w]henever the Commission has reason to believe … that any person, partnership, or corporation is violating, or is about to violate, any provision of law enforced by the [FTC].”

While in cases of pending acquisitions or ongoing fraud it may be clear that the FTC has reason to believe someone “is violating” or “is about to violate” the law, the FTC has also brought cases under Section 13(b) for claims arising from abandoned conduct. Shire, Hornbeam, and now Credit Bureau Center address the FTC’s authority to bring an action in federal court under Section 13(b) in these circumstances. Having lost in the Third Circuit in Shire, the FTC is looking for a different result in the Eleventh and Seventh Circuits, in order to bolster what the FTC views as a critically important aspect.

In Credit Bureau Center, the appellant argued that an Illinois federal court should not have entered a judgment for $5.2 million against a credit-monitoring company because Section 13(b) only permits the FTC to seek injunctive relief over the alleged wrongdoing. In response, the FTC argued that, while Section 13(b) expressly is limited to injunctions, the Seventh Circuit has recognized that “once you have the power to restrain and enjoin, you then have the power to impose other equitable remedies.” U.S. Circuit Judge Diane Sykes appeared skeptical, responding that “this whole authority that the FTC has claimed is purely by interpretation through the word ‘injunction” and “[t]hat may be how the agency operates, but that’s not mentioned anywhere in the statute.”

As we await word from the Eleventh, Ninth, and Seventh Circuits, we also are waiting to see whether the FTC will appeal the decision in Shire. Wins in the Eleventh and Seventh Circuits, and a refusal by the Ninth Circuit to take up the issue en banc, would obviously change that calculation, making it more likely that the FTC would seek cert and press its defense in support of the status quo.

A decision from Judge Preska in the Southern District of New York may change the trajectory of website accommodation cases in New York.

Website Accessibility Cases in New York Prior To This Decision

In 2017, Judge Weinstein in the Eastern District of New York denied the motion to dismiss in Blick Art, issuing a thirty-seven page opinion on why the plaintiff stated a valid claim under the Americans with Disabilities Act (ADA).

In 2018, at least 2,200 Title III website accessibility cases were filed in Federal Court, more than nearly tripling the over 800 cases filed in 2017.  New York became the venue of choice for most of those cases, with over 1,500 cases filed in New York Federal Courts in 2018.  The surge in ADA website cases filed in New York in 2018 is likely due to the decision in Blick Art.

The Apple Decision

Plaintiffs filing website accessibility cases in New York may have a new hurdle to face now.  On March 28, 2019, Judge Preska granted Apple’s motion to dismiss in the matter Mendez v. Apple. In her ten-page decision, Judge Preska found that plaintiff had not pleaded an injury in fact because “the purported injuries described lack all the requisite specificity.”

Judge Preska explained: “Plaintiff does not give a date that she tried to access the physical store or what good or service she was prevented from purchasing.  She does not identify sections of the website she tried to access but could not.  Finally, while general barriers are listed, she does not allege which one of them prevented her from accessing the store.”

Judge Preska then compares Ms. Mendez to the plaintiffs in Lawrence Feltzin, Lowell, PGA Tour, Gathers, Bernstein, and Kreisler, distinguishing Ms. Mendez’s vague pleadings with those of the other plaintiffs who sufficiently pleaded an injury in fact.  Although Ms. Mendez cited to Blick Art in her opposition briefing, the case is notably absent from Judge Preska’s opinion.

Finding Ms. Mendez most similar to the plaintiff in Lawrence Feltzin, where plaintiff provided “no details at all concerning any instance in which he allegedly encountered a violation,” Judge Preska concluded that plaintiff’s federal claims be dismissed for lack of standing.

Consequently, Judge Preska held that because Ms. Mendez’s New York State and New York City claims are governed by the same pleading requirements as the ADA, her entire complaint was dismissed for lack of standing.

In her concluding paragraph, Judge Preska issued a warning to serial filers like plaintiff’s counsel: “There is nothing inherently wrong with filing duplicative lawsuits against multiple defendants if the harms to be remedied do exist and are indeed identical.  But those who live by the photocopier shall die by the photocopier.  By failing specifically to assert any concrete injury, Plaintiff’s claims fail as a matter of law.”

Ms. Mendez’s lawsuit against Apple was filed by Joseph Mizrahi.  Mr. Mizrahi has filed over 800 federal website accommodation cases since 2017.

What does this mean for the future of website accessibility cases?

It is too early to determine the full impact of the Apple decision in New York however, Judge Preska has left the door open for owners and operators of websites to attack these complaints through a motion to dismiss when faced with a vague, duplicative claim where a specified injury is not pled.

As we’ve predicted before, these types of cases are likely to continue despite Judge Preska’s favorable ruling in the Southern District of New York.  If you aren’t sure whether the ADA applies to your site or whether it’s accessible to the blind, now may be the time to find out. Getting a sense of whether your site can be navigated using a screen reader will provide a better sense of whether the site could be considered a “low hanging fruit” for plaintiffs to find.

 

A federal judge allowed a class-action lawsuit alleging Bose collected and shared data about its headphone users to proceed last week on the basis of deceptive advertising. The decision underscores the risks that internet of things (IoT) businesses can face if they fail to accurately communicate to consumers how a mobile app or “smart” product collects and uses personal data.

At issue in the case is an allegation that Bose offered a companion app for its wireless headphones that collected and transmitted data about consumers and their listening habits to a “third-party data miner without consumers’ knowledge or consent.”

While Bose apparently advertised the app as an enhancement to its headphones that enables a user to unlock additional features and functions, the consumer complaint alleged that Bose deceptively siphoned data about what a consumer was listening to, using the data to profile the consumer and share the information with third parties. In effect, the complaint accused Bose of intercepting communications between music streaming services and the consumer in violation of the federal Wiretap Act and an Illinois eavesdropping statute.

In her decision, Judge Andrea Wood of the US District Court for the Northern District of Illinois dismissed the majority of the claims against Bose, including the allegation that Bose had violated wiretapping laws, because “the app is in fact a known participant in—and intended recipient of—the communication….” By activating the app, the consumer effectively invites the app to join the conversation, even if the implications are not fully known or intended.

By contrast, Judge Wood accepted the allegation in the consumer complaint that Bose may have deceptively omitted material information about the app, contravening the Illinois Consumer Fraud and Deceptive Practices Act.

The allegation against Bose, whether or not ultimately proven, emphasizes the importance of upfront, transparent communications with consumers about how an IoT product or service linked to the internet collects, shares, and monetizes personal information. The case adds another data point that even if a data practice is not strictly illegal based on traditional privacy laws like the Wiretap Act, it can give rise to other consumer protection based claims, including in the form of class action lawsuits and regulatory scrutiny.

For a refresher on how mobile app providers can comply with consumer protection laws, visit the Federal Trade Commission’s Marketing your Mobile App guide.

This week, the FTC announced a settlement with UrthBox and its president that addresses two topics that we frequently cover on this blog: (1) free trials; and (2) incentivized reviews.

Free Trial

The FTC alleged that Urthbox offered a “free” trial of its snack boxes for a nominal shipping and handling fee. UrthBox TrialFor some consumers, the trial came with unexpected costs. Unless they took steps to cancel before the end of the trial, consumers were automatically charged for a six-month subscription. The FTC alleged that the terms of this automatic renewal were not adequately disclosed. Although the company made some improvements to the disclosures, the FTC found that the terms were not sufficiently conspicuous and that they failed to communicate certain important details.

The order prohibits the respondents from misrepresenting the terms of a free trial, and requires them to clearly make certain disclosures relating to the negative option feature, in accordance with the Restore Online Shoppers’ Confidence Act (or “ROSCA”). In addition, the company must provide consumers with a simple mechanism they can use to avoid charges for products that are offered through a negative option program. Finally, the order requires UrthBox to pay $100,000, which the FTC can use to provide refunds to affected consumers.

Incentivized Reviews

UrthBox conducted incentive programs to induce customers to post positive reviews on various sites. For example, when customers contacted the company’s customer service line, agents offered to send them a free snack box if they posted positive reviews on the BBB’s website. As a result of the program, the ratio of positive to negative reviews on that site jumped from 100% negative to 88% positive in the space of about a year. The company also ran similar incentives to generate positive reviews on Facebook, Instagram, Tumblr, and Twitter.

The order requires the company to take steps to ensure that reviewers who receive an incentive clearly and conspicuously disclose that they have received that incentive. For example, the company must get a signed statement from reviewers in which they acknowledge that they are required to make a disclosure, and the company must monitor reviewers to ensure compliance. In addition, the company must take steps to remove previously-posted reviews that do not include the required disclosures.

Whereas previous FTC orders addressing endorsements were more general in nature, recent orders include more detail about exactly what steps the FTC expects companies to take to ensure compliance. Some of these steps go beyond what most companies are currently doing. Whether or not your company should adopt some of the requirements in these orders will depend on your circumstances, but the orders provide good examples of what practices are likely to be considered “safe.”

The Danish and Polish data protection authorities issued their first GDPR fines last month. The cases serve as indicators of the kinds of technical violations enforcement officials are looking to deter as they police the EU’s new privacy regulation.

In Denmark, Datatilsynet recommended fining the taxi company Taxa 4×35 nearly $180,000 for failing to delete records on 9 million taxi rides after they were no longer needed.  Article 5 of the GDPR discourages companies from holding on to data that they no longer need:  “personal data shall be … adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’); …” and “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed … (‘storage limitation’).”

In Taxa 4×35’s case, the company allegedly sought to comply with Article 5 by anonymizing its data after two years. In practice, the company only removed customer names from its database, keeping other data points such as customer phone numbers and ride histories for five years for purposes of business analytics.

The Datatilsynet said this procedure was insufficient. The data protection authority found that phone numbers still permit identification of a data subject, meaning that Taxa 4×35 did not properly anonymize its records.  Furthermore, the Datatilsynet rejected Taxa 4×35’s explanation that its technical systems did not allow preservation of ride history data without an associated phone number.  “One cannot set a deletion deadline, which is three years longer than necessary, simply because the company’s system makes it difficult to comply with the rules in the Data Protection Regulation,” the data protection authority wrote.

Meanwhile, Poland’s Personal Data Protection Office (UODO) fined digital marketing company Bisnode €220,000 for failing to notify 6 million people about its data scraping activities.  The UODO said that Bisnode was required to notify data subjects that it was pulling their publicly-available personal data from public sources in accordance with Article 14 of the GDPR, which mandates notice to data subjects where personal data was not obtained from the data subject.

UODO noted that of the data subjects Bisnode did notify, 13 percent objected to the data processing. “This shows how important it is to properly fulfill the information obligations in order to exercise the rights we are entitled to in accordance with the GDPR,” UODO wrote.

In response to UODO’s inquiries, Bisnode pointed to a notice it had posted on its website, apparently explaining to UODO it would be far too costly to notify data subjects directly. UODO rejected such an approach: “[w]hile having the contact data to particular persons, the controller should have fulfilled the information obligation in relation to them,” UODO wrote in a press release.

These actions by the Danish and Polish authorities are just the latest in an increasing number of GDPR-related enforcement actions so far in 2019.

The FDA and FTC jointly issued warning letters to three companies selling CBD products online.  The letters allege violations of the Federal Food, Drug, and Cosmetic Act (“FDCA”) and the Federal Trade Commission Act (“FTCA”).  Although this is the first time the FDA and FTC have issued joint warning letters relating to CBD, the FDA has been involved in CBD enforcement for the past few years.

Since the passing of the 2018 Farm Bill, which descheduled hemp and hemp derivatives under the federal Controlled Substances Act, the FDA has become the primary federal regulator relative to foods, drugs, cosmetics, and dietary supplements that contain CBD from hemp.  The FDA’s most visible enforcement on CBD products to date has been in the form of warning letters issued to online retailers of products labeled as dietary supplements that feature aggressive disease treatment claims. The FDA also tested CBD products in conjunction with warning letters issued in 2015 and 2016 to determine whether they contained the CBD levels listed on the labels.

In the letters from last week, the FDA turned its focus onto various CBD products marketed online as “drugs,” including “CBD Salve,” “CBD Oil,” “CBD for Dogs,” “Hemp Oil,” “CBD Softgels,” “Liquid Gold Gummies (Sweet Mix),” “Liquid Gold Gummies (Sour Mix),” and “blue CBD Crystals Isolate 1500mg.”  The FDA determined that the companies’ websites contained claims about their CBD products that established them as unapproved “drugs” under section 201(g)(1) of the FDCA. The letters also referenced the FTC’s substantiation standard, stating the FTC had concerns that certain efficacy claims that were made may not be substantiated by competent and reliable scientific evidence. They also warned that violations of the FTCA may result in legal action seeking a Federal District Court injunction or Administrative Cease and Desist Order, possibly including a requirement to pay back money to consumers.

As noted above, these letters are unique, as it is the first time the FDA has issued a joint FDA/FTC warning letter relating to CBD. This is also the first time the FDA has referenced the FTC’s substantiation standard or threaten any specific penalty for violations of the FTCA.  For companies marketing CBD, it is important to keep in mind that although the market has flourished despite a host of regulatory uncertainties, it is the regulators’ opinion that the rules regarding advertising and health claims are clear.  Competent and reliable scientific evidence remains the standard.

Over the last few years, however, the FTC’s health claim enforcement has featured several false cure-type products. Cases against Regenerative Medical Group, Cellmark, iV Bars, and Nobetes challenged unproven representations for products promising to treat Parkinson’s disease, macular degeneration, cancer, multiple sclerosis, and diabetes.  Although we have yet to see the FTC announce any settlements relating to CBD products, these letters signal that FDA is not alone in its concern over aggressive CBD treatment claims.

The warning letters can be found here:

FTC Chairman Joe Simons recently acknowledged the Commission’s plan to use its authority under Section 6(b) of the FTC Act to examine the data practices of large technology companies.  In written responses to questions from members of the U.S. Senate Commerce Committee following in-person testimony in November 2018, Chairman Simons confirmed that plans were underway to gather information from tech companies, though the specific targets or areas of focus remained under consideration.

As described by the FTC, Section 6(b) of the FTC Act “plays a critical role in protecting consumers,” and broadly authorizes the Commission to obtain information – or “special reports” – about certain aspects of a company’s business or industry sector.  Companies that are the focus of an FTC study pursuant to Section 6(b) must respond to a formal order issued by the Commission that, similar to a civil investigative demand, can include a series of information and document requests.  The information obtained through the order may then be the basis for FTC studies and subsequent industry guidance or rulemaking.

The revelation of the pending 6(b) orders comes amid concerns from federal and state lawmakers and regulators about transparency relating to “Big Data” practices and online data collection, and the use of artificial intelligence and machine-learning algorithms in decision-making.  In remarks this week to attendees of an Association of National Advertisers conference, Chairman Simons noted a potential lack of transparency in the online behavioral advertising context and “the fact that many of the companies at the heart of this ecosystem operate behind the scenes and without much consumer awareness.”

 

 

In February 2018, I reported on a 20-state objection brief, filed with the U.S. Supreme Court, asking the Court to reverse the approval of the class action settlement in Gaos v. Google.  That deal would have distributed a few million dollars to nonprofit groups, while the AGs wanted money paid to real people, even if that meant holding a lottery to do it.  Today, although the Supreme Court reversed the settlement, it did so on standing grounds and did not address whether a class action can be settled solely through “cy pres” settlements to non-profits.

The Supreme Court cited its recent Spokeo v. Robins decision in which it held that plaintiffs must allege concrete harm, and not just a bare statutory violation, in order to have Article III standing to sue in federal court.  Spokeo was not the Court’s most edifying decision and lower courts have split wildly on what it means in practice.  The Court’s decision today didn’t address that split; it just told the lower courts to analyze the Gaos plaintiffs’ standing in light of Spokeo without opining on the issue one way or the other.

Justice Thomas dissented alone.  He expressed his disagreement with Spokeo, believing that if Congress made conduct illegal, violating that statute suffices to confer standing.  He then said he would have reversed the settlement.  In Justice Thomas’s view, if a settlement provides no benefit to class members, and looks to be solely a means to extinguish a claim, courts should not approve it.

Perhaps the biggest takeaway from today’s decision, therefore, is that eight of the nine Justices think differently from Justice Thomas on this issue.  How differently, only time will tell.