On November 5, the Court of Appeal of Louisiana, Fourth Circuit, affirmed a trial court’s holding that it lacked personal jurisdiction over a dispute that involved only one sale of goods over the Internet to a Louisiana-based customer. BioClin BV v. MultiGyn USA, LLC, No. 2012-CA-0962, 2013 WL 5935233 (La. Ct. App. Nov. 5, 2013). A Dutch company appealed a trial court’s decision to dismiss for lack of personal jurisdiction the company’s suit against a Florida based web-retailer for infringement. On appeal, the court affirmed, holding that the company failed to establish that the defendant’s one-time sale of goods into Louisiana over the Internet subjected the defendant to that state’s courts, and that “extenuating personal jurisdiction would not comport with the notions of fair play and substantial justice.” Relying on the sliding scale established in Zippo Mfg. Co. v. Zippo Dot Com, Inc., 952 F. Supp. 1119, to assess whether a website has minimum contacts with a forum state sufficient to invoke personal jurisdiction, the appeals court explained that the “mere creation of a website, does not constitute purposeful availment of the forum benefits,” nor does a one-time sale of goods through that website into the state.
This week, two Senate Committees—Homeland Security and Governmental Affairs and Banking, Housing and Urban Affairs—held hearings to hear from regulators and other stakeholders about how virtual currencies fit within the existing regulatory framework, and to assess whether there is a need to alter that framework in response to potential risks presented by emerging virtual currency technologies. The hearings followed an inquiry initiated by Senate Homeland Security leaders over the summer. Senators who participated in the hearings did not indicate any desire to move quickly to establish new federal regulations to address potential risks presented by innovation in virtual currencies. Rather, the lawmakers generally expressed a desire not to inhibit continued innovation, while supporting market participants who want to play by the rules and protecting the market from those who do not. In both hearings, FinCEN Director Jennifer Shasky Calvery described her agency’s ability to address the BSA/AML and terrorism financing risks presented by virtual currencies by employing FinCEN’s existing statutory authority and regulatory tools. Similarly, during the Senate Banking hearing, the Conference of State Bank Supervisors expressed confidence in the ability of state regulators to address consumer protection and other risks posed by virtual currencies through the existing state regulatory framework and processes. Still, committee members raised broader questions about the how to define or categorize virtual currencies (e.g. as a currency versus as a security) and the impact of such a classification on a range of other issues including monetary policy and tax administration. The breadth of the issues, which may need to be addressed by a range of government actors, formed the basis of Senate Homeland Security Committee Chairman Tom Carper’s (D-DE) call for a “whole government” approach to virtual currency.
Look Before You Invest: Bitcoins, Virtual Currencies, Emerging Payment Products, and Regulatory Compliance
Margo H.K. Tank, Michael Zeldin, and Ian C.B. Spear, attorneys with BuckleySandler LLP in Washington DC, advise financial institutions on electronic financial services, mobile payments, prepaid access and virtual payment methods, in the areas of anti-money laundering, privacy, trade sanctions, and regulatory compliance.
Emerging payment products, such as Bitcoin, present tantalizing investment opportunities. The claim that these products are “unregulatable,” or “free of the power of the state” increases the temptation to participate, because if true, regulatory uncertainty associated with traditional financial industries would be eliminated. Notwithstanding these claims, virtual currency laws and regulations seem primed to explode. Acknowledging that “virtual currency systems offer ‘legitimate’ financial services,” the Department of Justice, for example, has investigated and prosecuted illegal activities involving virtual currencies. As a result, risk-related issues like money laundering, terrorist financing, and economic and trade sanctions remain critical to evaluating investments in emerging payment products. To understand why, consider how the emerging payments industry is regulated now and what additional regulation might emerge.
Recently, the Court of Civil Appeals of Alabama upheld an agreement executed electronically, overturning a trial court’s order invalidating a divorce agreement on the grounds that the agreement filed with the court was executed electronically. Ex parte Mealing, No. 2120973, 2013 WL 5776053 (Ala. Civ. App. Oct. 25, 2013). In this case, a husband asked the trial court to vacate a divorce agreement he had willingly entered without legal representation, claiming that his wife’s attorney orchestrated an agreement more favorable to the wife. The trial court decided that the divorce agreement was invalid because it was signed electronically. The appellate court disagreed and held that the trial court erred in relying on an alternative basis—one not even presented by the husband—in an attempt to create for itself an opportunity to render equitable judgment of the matter. The court explained that relevant court rules allow for electronic signatures, and that there was no contention from the husband that the electronic signatures were shams or false. The appellate court directed the trial court to set aside its order and reinstate the electronically signed divorce agreement.
On October 21, the U.S. District Court for the Eastern District of California held that email addresses are personal identification information (PII) under California’s Song-Beverly Credit Card Act. Capp v. Nordstrom, Inc., No. 13-660-MCE-AC, 2013 WL 5739102 (E.D. Cal. Oct. 21, 2013). In this case, a customer sued a retailer on behalf of a putative class after the retailer sought the customer’s email address in connection with a credit card transaction to provide the customer with an electronic receipt. The customer alleged that the retailer subsequently used the email address to send unsolicited marketing materials. Following the California Supreme Court’s ruling in Pineda v. Williams Sonoma, in which the court held that a ZIP code is part of a person’s address and constitutes PII, the court here predicted that the state supreme court also would hold that an email address constitutes PII. Citing the statute’s broad terms and its overarching objective to protect the personal privacy of consumers who make purchases with credit cards, the district court held that the alleged conduct directly implicated the purposes of the statute. The district court also rejected the retailer’s argument that, if email addresses constitute PII, then the customer’s claim would be preempted by the CAN-SPAM Act, which regulates unsolicited commercial electronic mail, i.e. “spam.” The court held that the Song-Beverly Act claims were not subject to the CAN-SPAM Act’s express preemption clause because the Song-Beverly Act applies only to email addresses and does not regulate the content or transmission of email messages.
Recently, the New York Appellate Division, Second Department, held that out-of-state defendants in a medical malpractice case were not subject to the New York court’s personal jurisdiction based on an Internet advertisement viewed in New York and a subsequent series of email and phone contacts between the New York resident patient and the out of state defendants. Paterno v. Laser Spine Inst., No 2011-4654, 2013 WL 5629871 (N.Y. App. Div. Oct. 16, 2013). In this case, the New York trial court had dismissed a medical malpractice suit filed in New York against a Florida-based medical provider over services rendered in Florida, holding that the medical service provider did not transact business in New York. On appeal the Appellate Division agreed, holding that although a defendant need not be physically present in the state to “transact any business” there in satisfaction of New York’s statutory requirements for personal jurisdiction, the totality of the circumstances presented did not provide a basis for exercising long-arm jurisdiction over the medical service provider. The appellate court rejected the patient’s argument that the provider had actively solicited business in New York through an online advertisement, holding that the provider’s website was passive in nature and that there was no indication it facilitated the purchase of any goods or services. The appellate court also concluded that a series of email and phone contacts between the patient and the provider did not constitute “business activity” and were not sufficiently “purposeful” for jurisdictional purposes.
On October 16, new rules took effect that require businesses to obtain express written consent before making certain telemarketing calls to customers. The rules arise from a February 2012 Report and Order issued pursuant to the Telephone Consumer Protection Act (TCPA), in which the Federal Communications Commission (FCC): (i) required that businesses obtain prior express written consent for all autodialed or prerecorded telemarketing calls to wireless numbers and residential lines, (ii) allowed consumers to opt out of future robocalls during a robocall, and (ii) limited permissible abandoned calls on a per-calling campaign basis. While the consumer opt-out and abandoned calls limitations are already in effect, compliance with the express written consent requirement was not mandated until now. The rules require that the written consent be signed and be sufficient to show that the customer: (i) receives “clear and conspicuous disclosure” of the consequences of providing the requested consent and (ii) having received this information, agrees unambiguously to receive such calls at a telephone number the consumer designates. In addition, the rules require the written agreement to be obtained “without requiring, directly or indirectly, that the agreement be executed as a condition of purchasing any good or service.” The FCC rule allows electronic or digital forms of signatures obtained in compliance with the E-SIGN Act—e.g. agreements obtained via a compliant email, website form, text message, telephone keypress or voice recording—to satisfy the written requirement. The FCC also removed an exemption that allowed businesses to demonstrate consent based on an “established business relationship” between the caller and customer.
On October 1, the Oregon Secretary of State published a final rule to implement numerous changes to the state’s notaries public regulations, including providing for electronic notarizations and electronic journals. The Secretary also released a summary of the changes. Notaries may notarize documents electronically after informing the Secretary of State of the format the notary will use by submitting notice via email, using the Electronic Notarization Notice form, along with an example of an electronic notarization. Any change to the way a notary conducts electronic notarizations—e.g. new vendor, new technology, changed appearance—requires a notary to provide notice of the change to the Secretary of State. A notary also may document an electronic notarization in either a paper or electronic journal, or both. The new rules took effect on September 1, 2013.
Delaware Federal Court Holds No Harm From Third-Party Cookies’ Collection Of Personal Information, Dismisses Broad Consumer Privacy Suit
On October 9, the U.S. District Court for the District of Delaware dismissed a broad, consolidated action against an Internet company alleged to have circumvented an Internet browser’s cookie blocker to collect personally identifiable information (PII) from the browser’s users. In re Google Inc. Cookie Placement Consumer Privacy Litig., No. 12-2358, slip op. (D. Del. (Oct. 9, 2013). The court held that the plaintiffs lacked Article III standing because they had not sufficiently alleged an injury-in-fact The court reasoned that while plaintiffs provided some evidence that the PII at issue has some value to the individual, they did not sufficiently allege that their ability to extract that value was diminished by the alleged collection by a third party. Despite its standing holding, the court continued its analysis and dismissed each of the plaintiffs federal and state privacy claims on the merits. The court held, for example, that the plaintiffs’ claims that the collection of URLs violated the Electronic Communications Privacy Act failed because URLs are not “contents” as defined by that Act. The court also held that the plaintiffs failed to identify any impairment of the performance or functioning of their computers and could not sustain a claim under the Computer Fraud and Abuse Act.
On October 4, the U.S. District Court for the Central District of California denied certification of a putative class of consumers that had alleged a major retailer’s policy of requiring online customers to provide their telephone numbers or addresses in connection with credit card purchase transactions violated the Song-Beverly Credit Card Act. Leebove v. Wal-Mart Stores, Inc., No. 13-1024, slip op. (C.D. Cal. Oct. 4, 2013). The court held that the commonality requirement for class certification was not satisfied. The court explained that the relevant provision of the Act prohibits collecting certain information from a “cardholder,” which includes only “natural persons,” and held that an individualized inquiry would need to be made regarding whether the card used by each class member was issued as a consumer or business card. The court further reasoned that individual inquiries would be required to determine whether each class member’s claim was barred under an exception that allows retailers to request certain otherwise prohibited personal information for use in shipping, delivering, servicing, or installing the purchased items.
California Court Holds Website Link To Fair Usage Policy Not Conspicuous Enough To Indicate Limits to Term “Unlimited”
On October 4, the California Court of Appeal held that the disclosure of limits to an “unlimited” calling plan in a linked Fair Usage Policy was not sufficiently conspicuous to support a lower court’s judgment as a matter of law that the calling plan was not misleading. Chapman v. Skype, Inc., B241398, 2013 WL 5502960 (Cal. Ct. App. Oct. 4, 2013). The putative class action complaint alleged violations of California’s Unfair Competition Law, false advertising law, and Consumer Legal Remedies Act, in addition to common law intentional and negligent misrepresentation and unjust enrichment claims. The calling plan in question was advertised as “unlimited,” but included a link to a Fair Usage Policy that explained that the plain was limited to 6 hours per day, 10,000 minutes per month, and 50 numbers called each day. The defendant argued that it had adequately disclosed these limits, but the plaintiff claimed that the terms in the Fair Usage Policy contradicted the word “unlimited” in the plan’s description. The trial court had dismissed all claims without leave to amend. The Court of Appeal held that plaintiff had adequately alleged violations of the statutory provisions, and should be permitted to amend her complaint as to her inadequately pled common law claims. The court concluded that the plaintiff had alleged sufficient facts to create a question of fact as to whether consumers were likely to be deceived by the plan terms, noting that under the applicable laws the plaintiff did not need to show that the use of the word “unlimited” was actually false, but rather that such use was misleading. The court thus instructed the trial court to vacate its order sustaining the defendant’s demurrer as to the statutory claims, and to allow plaintiff to amend the complaint as to the common law claims.
On September 27, California became the first state to enact online tracking legislation, which requires website operators to disclose how they respond to “do not track” signals or other mechanisms that provide consumers a choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across different sites or online services. The bill requires operators to disclose whether other parties have access to a consumer’s personally identifiable information when a consumer uses the operator’s site or service. The state also enacted SB 46, which expands the state’s data breach notice law (i) to apply to certain personal information that would permit access to an online account—user name or email address, in combination with a password or security question and answer, and (ii) to require that in such cases, security breach notification be made by sending notice using a method other than email. Both bills take effect on January 1, 2014.
On October 1, three payment network providers proposed that industry stakeholders collaborate on a token-based global security standard for online and mobile commerce. To meet growing consumer demand for secure digital transactions, the providers propose replacing traditional account numbers with a digital payment “token” for online and mobile transactions. They argue that tokens provide an additional layer of security and eliminate the need for merchants, digital wallet operators or others to store account numbers. The proposed standard used to generate tokens would be based on existing industry standards and would be available to all payment networks and other payment participants. The providers identify the following as key elements of the proposed standard: (i) new data fields to provide richer information about the transaction, which can help improve fraud detection and expedite the approval process, (ii) consistent methods to identify and verify a consumer before replacing the traditional card account number with a token, and (iii) a common standard designed to simplify the process for merchants for contactless, online or other transactions. The proposed standard incorporates comments from card issuers and merchants, and the participants intend to seek further collaboration from standard-setting bodies and other stakeholders.
On September 25, Senator Jay Rockefeller (D-WV) released letters he recently sent to 12 popular “personal finance, health, and family-focused websites” for assistance in an ongoing Senate Commerce Committee investigation into the way data brokers collect and share personal information. According to Senator Rockefeller, the letters were sent in part because “several data brokers have refused to disclose to the Committee specific sources of consumer data, preventing the Committee from fully understanding how the industry operates.” Senator Rockefeller began this investigation in October 2012 with letters to a number of data brokers. In connection with this latest round of letters, the Senator states that “hundreds of thousands of websites that gather information directly from consumers may be a source of consumer information for data brokers,” and that he believes some websites’ privacy policies “leave room for sharing a consumer’s information with data brokers or other third parties.” The Senate investigation parallels an investigation by members of the House of Representatives and the FTC’s ongoing activity with regard to data brokers.