On October 21, the U.S. District Court for the Eastern District of California held that email addresses are personal identification information (PII) under California’s Song-Beverly Credit Card Act. Capp v. Nordstrom, Inc., No. 13-660-MCE-AC, 2013 WL 5739102 (E.D. Cal. Oct. 21, 2013). In this case, a customer sued a retailer on behalf of a putative class after the retailer sought the customer’s email address in connection with a credit card transaction to provide the customer with an electronic receipt. The customer alleged that the retailer subsequently used the email address to send unsolicited marketing materials. Following the California Supreme Court’s ruling in Pineda v. Williams Sonoma, in which the court held that a ZIP code is part of a person’s address and constitutes PII, the court here predicted that the state supreme court also would hold that an email address constitutes PII. Citing the statute’s broad terms and its overarching objective to protect the personal privacy of consumers who make purchases with credit cards, the district court held that the alleged conduct directly implicated the purposes of the statute. The district court also rejected the retailer’s argument that, if email addresses constitute PII, then the customer’s claim would be preempted by the CAN-SPAM Act, which regulates unsolicited commercial electronic mail, i.e. “spam.” The court held that the Song-Beverly Act claims were not subject to the CAN-SPAM Act’s express preemption clause because the Song-Beverly Act applies only to email addresses and does not regulate the content or transmission of email messages.
Recently, the Court of Civil Appeals of Alabama upheld an agreement executed electronically, overturning a trial court’s order invalidating a divorce agreement on the grounds that the agreement filed with the court was executed electronically. Ex parte Mealing, No. 2120973, 2013 WL 5776053 (Ala. Civ. App. Oct. 25, 2013). In this case, a husband asked the trial court to vacate a divorce agreement he had willingly entered without legal representation, claiming that his wife’s attorney orchestrated an agreement more favorable to the wife. The trial court decided that the divorce agreement was invalid because it was signed electronically. The appellate court disagreed and held that the trial court erred in relying on an alternative basis—one not even presented by the husband—in an attempt to create for itself an opportunity to render equitable judgment of the matter. The court explained that relevant court rules allow for electronic signatures, and that there was no contention from the husband that the electronic signatures were shams or false. The appellate court directed the trial court to set aside its order and reinstate the electronically signed divorce agreement.
Recently, the New York Appellate Division, Second Department, held that out-of-state defendants in a medical malpractice case were not subject to the New York court’s personal jurisdiction based on an Internet advertisement viewed in New York and a subsequent series of email and phone contacts between the New York resident patient and the out of state defendants. Paterno v. Laser Spine Inst., No 2011-4654, 2013 WL 5629871 (N.Y. App. Div. Oct. 16, 2013). In this case, the New York trial court had dismissed a medical malpractice suit filed in New York against a Florida-based medical provider over services rendered in Florida, holding that the medical service provider did not transact business in New York. On appeal the Appellate Division agreed, holding that although a defendant need not be physically present in the state to “transact any business” there in satisfaction of New York’s statutory requirements for personal jurisdiction, the totality of the circumstances presented did not provide a basis for exercising long-arm jurisdiction over the medical service provider. The appellate court rejected the patient’s argument that the provider had actively solicited business in New York through an online advertisement, holding that the provider’s website was passive in nature and that there was no indication it facilitated the purchase of any goods or services. The appellate court also concluded that a series of email and phone contacts between the patient and the provider did not constitute “business activity” and were not sufficiently “purposeful” for jurisdictional purposes.
On October 16, new rules took effect that require businesses to obtain express written consent before making certain telemarketing calls to customers. The rules arise from a February 2012 Report and Order issued pursuant to the Telephone Consumer Protection Act (TCPA), in which the Federal Communications Commission (FCC): (i) required that businesses obtain prior express written consent for all autodialed or prerecorded telemarketing calls to wireless numbers and residential lines, (ii) allowed consumers to opt out of future robocalls during a robocall, and (ii) limited permissible abandoned calls on a per-calling campaign basis. While the consumer opt-out and abandoned calls limitations are already in effect, compliance with the express written consent requirement was not mandated until now. The rules require that the written consent be signed and be sufficient to show that the customer: (i) receives “clear and conspicuous disclosure” of the consequences of providing the requested consent and (ii) having received this information, agrees unambiguously to receive such calls at a telephone number the consumer designates. In addition, the rules require the written agreement to be obtained “without requiring, directly or indirectly, that the agreement be executed as a condition of purchasing any good or service.” The FCC rule allows electronic or digital forms of signatures obtained in compliance with the E-SIGN Act—e.g. agreements obtained via a compliant email, website form, text message, telephone keypress or voice recording—to satisfy the written requirement. The FCC also removed an exemption that allowed businesses to demonstrate consent based on an “established business relationship” between the caller and customer.
On October 1, the Oregon Secretary of State published a final rule to implement numerous changes to the state’s notaries public regulations, including providing for electronic notarizations and electronic journals. The Secretary also released a summary of the changes. Notaries may notarize documents electronically after informing the Secretary of State of the format the notary will use by submitting notice via email, using the Electronic Notarization Notice form, along with an example of an electronic notarization. Any change to the way a notary conducts electronic notarizations—e.g. new vendor, new technology, changed appearance—requires a notary to provide notice of the change to the Secretary of State. A notary also may document an electronic notarization in either a paper or electronic journal, or both. The new rules took effect on September 1, 2013.
Delaware Federal Court Holds No Harm From Third-Party Cookies’ Collection Of Personal Information, Dismisses Broad Consumer Privacy Suit
On October 9, the U.S. District Court for the District of Delaware dismissed a broad, consolidated action against an Internet company alleged to have circumvented an Internet browser’s cookie blocker to collect personally identifiable information (PII) from the browser’s users. In re Google Inc. Cookie Placement Consumer Privacy Litig., No. 12-2358, slip op. (D. Del. (Oct. 9, 2013). The court held that the plaintiffs lacked Article III standing because they had not sufficiently alleged an injury-in-fact The court reasoned that while plaintiffs provided some evidence that the PII at issue has some value to the individual, they did not sufficiently allege that their ability to extract that value was diminished by the alleged collection by a third party. Despite its standing holding, the court continued its analysis and dismissed each of the plaintiffs federal and state privacy claims on the merits. The court held, for example, that the plaintiffs’ claims that the collection of URLs violated the Electronic Communications Privacy Act failed because URLs are not “contents” as defined by that Act. The court also held that the plaintiffs failed to identify any impairment of the performance or functioning of their computers and could not sustain a claim under the Computer Fraud and Abuse Act.
On October 4, the U.S. District Court for the Central District of California denied certification of a putative class of consumers that had alleged a major retailer’s policy of requiring online customers to provide their telephone numbers or addresses in connection with credit card purchase transactions violated the Song-Beverly Credit Card Act. Leebove v. Wal-Mart Stores, Inc., No. 13-1024, slip op. (C.D. Cal. Oct. 4, 2013). The court held that the commonality requirement for class certification was not satisfied. The court explained that the relevant provision of the Act prohibits collecting certain information from a “cardholder,” which includes only “natural persons,” and held that an individualized inquiry would need to be made regarding whether the card used by each class member was issued as a consumer or business card. The court further reasoned that individual inquiries would be required to determine whether each class member’s claim was barred under an exception that allows retailers to request certain otherwise prohibited personal information for use in shipping, delivering, servicing, or installing the purchased items.
California Court Holds Website Link To Fair Usage Policy Not Conspicuous Enough To Indicate Limits to Term “Unlimited”
On October 4, the California Court of Appeal held that the disclosure of limits to an “unlimited” calling plan in a linked Fair Usage Policy was not sufficiently conspicuous to support a lower court’s judgment as a matter of law that the calling plan was not misleading. Chapman v. Skype, Inc., B241398, 2013 WL 5502960 (Cal. Ct. App. Oct. 4, 2013). The putative class action complaint alleged violations of California’s Unfair Competition Law, false advertising law, and Consumer Legal Remedies Act, in addition to common law intentional and negligent misrepresentation and unjust enrichment claims. The calling plan in question was advertised as “unlimited,” but included a link to a Fair Usage Policy that explained that the plain was limited to 6 hours per day, 10,000 minutes per month, and 50 numbers called each day. The defendant argued that it had adequately disclosed these limits, but the plaintiff claimed that the terms in the Fair Usage Policy contradicted the word “unlimited” in the plan’s description. The trial court had dismissed all claims without leave to amend. The Court of Appeal held that plaintiff had adequately alleged violations of the statutory provisions, and should be permitted to amend her complaint as to her inadequately pled common law claims. The court concluded that the plaintiff had alleged sufficient facts to create a question of fact as to whether consumers were likely to be deceived by the plan terms, noting that under the applicable laws the plaintiff did not need to show that the use of the word “unlimited” was actually false, but rather that such use was misleading. The court thus instructed the trial court to vacate its order sustaining the defendant’s demurrer as to the statutory claims, and to allow plaintiff to amend the complaint as to the common law claims.
On September 27, California became the first state to enact online tracking legislation, which requires website operators to disclose how they respond to “do not track” signals or other mechanisms that provide consumers a choice regarding the collection of personally identifiable information about an individual consumer’s online activities over time and across different sites or online services. The bill requires operators to disclose whether other parties have access to a consumer’s personally identifiable information when a consumer uses the operator’s site or service. The state also enacted SB 46, which expands the state’s data breach notice law (i) to apply to certain personal information that would permit access to an online account—user name or email address, in combination with a password or security question and answer, and (ii) to require that in such cases, security breach notification be made by sending notice using a method other than email. Both bills take effect on January 1, 2014.
On October 1, three payment network providers proposed that industry stakeholders collaborate on a token-based global security standard for online and mobile commerce. To meet growing consumer demand for secure digital transactions, the providers propose replacing traditional account numbers with a digital payment “token” for online and mobile transactions. They argue that tokens provide an additional layer of security and eliminate the need for merchants, digital wallet operators or others to store account numbers. The proposed standard used to generate tokens would be based on existing industry standards and would be available to all payment networks and other payment participants. The providers identify the following as key elements of the proposed standard: (i) new data fields to provide richer information about the transaction, which can help improve fraud detection and expedite the approval process, (ii) consistent methods to identify and verify a consumer before replacing the traditional card account number with a token, and (iii) a common standard designed to simplify the process for merchants for contactless, online or other transactions. The proposed standard incorporates comments from card issuers and merchants, and the participants intend to seek further collaboration from standard-setting bodies and other stakeholders.
On September 25, Senator Jay Rockefeller (D-WV) released letters he recently sent to 12 popular “personal finance, health, and family-focused websites” for assistance in an ongoing Senate Commerce Committee investigation into the way data brokers collect and share personal information. According to Senator Rockefeller, the letters were sent in part because “several data brokers have refused to disclose to the Committee specific sources of consumer data, preventing the Committee from fully understanding how the industry operates.” Senator Rockefeller began this investigation in October 2012 with letters to a number of data brokers. In connection with this latest round of letters, the Senator states that “hundreds of thousands of websites that gather information directly from consumers may be a source of consumer information for data brokers,” and that he believes some websites’ privacy policies “leave room for sharing a consumer’s information with data brokers or other third parties.” The Senate investigation parallels an investigation by members of the House of Representatives and the FTC’s ongoing activity with regard to data brokers.
On September 25, the FTC announced the settlement of its first case against a debt collector for using text messaging to attempt to collect debts in an allegedly unlawful manner. The complaint, filed on August 23, alleged that an individual and the two debt collection companies he controlled violated the FDCPA and FTC Act when the companies failed to disclose in English- and Spanish-language text messages and phone calls that the companies were debt collectors and that they falsely portrayed themselves as law firms. The FTC also alleged that the defendants illegally revealed debts to the consumers’ family members, friends, and co-workers. To resolve the FTC’s claims, the companies agreed to pay a $1 million civil penalty, agreed not to send text messages omitting the disclosures required by law and agreed to obtain a consumer’s express consent before contacting them by text message. The defendants are also barred from falsely claiming to be law firms and from falsely threatening to sue or take any action – such as seizure of property or garnishment – that they do not actually intend to take.
On September 23, California Governor Jerry Brown signed SB 568, which prohibits an operator of a website, online service, online application, or mobile application from (i) marketing or advertising certain products or services to a minor and (ii) knowingly using, disclosing, compiling, or allowing a third-party to use, disclose, or compile, the personal information of a minor for the purpose of marketing or advertising specified types of products or services. The provisions apply to marketing provided by an advertising service if the operator notifies the service that the website, online service, or application is directed to minors. The bill also requires operators to permit a minor, who is a registered user of the operator’s website, online service, online application, or mobile application, to remove, or to request and obtain removal of, content or information posted on the operator’s website, service, or application by the minor. The law provides exceptions for content or information posted by a third-party, or if (i) any other provision of state or federal law requires the operator or third party to maintain the content or information or (ii) the operator anonymizes the content or information. The law is effective January 1, 2015.
On September 18, the U.S. District Court for the Western District of Washington held that an employee’s computer, issued by the employer, is not a “facility” subject to protections of the Stored Communications Act. Roadlink Workforce Solutions, L.L.C. v. Malpass, No. 13-5459, 2013 WL 5274812 (W.D. Wash. Sept. 18, 2013). In this case, an employer sued a former employee for allegedly copying and then deleting certain information from an employer-issued computer before leaving to work for a competitor. The employer claimed a private right of action under the Stored Communications Act based on its allegation that the former employee intentionally exceeded his authorization to access a “facility through which an electronic communication service” it provided, and obtained and altered an electronic communication while it was in electronic storage. The court held that the employer-issued computer was not a facility through which an electronic communication service is provided, citing to previous decisions holding that including personal computing devices within the definition of “facility” would render other parts of the SCA illogical. The court reasoned that the plaintiff’s definition of facility would mean that any web site accessed on the computer would be a “user” of the communication service provided by the computer, and exempt from the SCA because of the exception for communications “of or intended for” that website. The court also held that the employer failed to demonstrate that the files accessed were in electronic storage because emails that have been opened but not deleted to not fit the SCA’s definition of “storage.” The court dismissed the employer’s SCA claim and a claim under the Computer Fraud and Abuse Act, but retained jurisdiction over certain state claims.