On October 6, 2015, the European Union’s highest court (the “ECJ”) issued an order (the “Order”) invalidating the 15-year-old U.S.-EU Safe Harbor Program (the “Program”). Schrems v. Data Prot. Comm’r, E.C.J., No. C-362/14. The Program allowed U.S. companies to transfer EU citizens’ data to the U.S. by self-certifying to the U.S. Department of Commerce privacy principles similar to those contained in the EU Data Protection Directive (95/46/EC). The basis for the Order was that the Program didn’t safeguard personal data against surveillance by the U.S. government and didn’t allow sufficient redress to EU citizens whose privacy had been breached by such surveillance. The case was initiated by Austrian law student Max Schrems against Facebook in Ireland, where Facebook’s European operations are headquartered. The case was referred to the ECJ by Ireland’s High Court after the Irish Office of the Data Protection Commissioner said it didn’t need to examine the complaint about data transfers made by Facebook Ireland Inc. because the transfers were done in accordance with the Program. The ECJ found that U.S. authorities could ignore the privacy protections of the Program and could “access the personal data transferred from the member states to the United States and process it in a way incompatible, in particular, with the purposes for which it was transferred, beyond what was strictly necessary and proportionate to the protection of national security.” The European Commission has stated publicly that any transfer of data from the European Economic Area in the last 15 years that relied on the Safe Harbor Program may be subject to legal challenge. While approximately 4,400 U.S. companies are certified under the Program, the Order would not prevent the continued transfer of data by those with alternative means for data transfers in place, such as binding corporate rules or model contracts.
NINTH CIRCUIT HOLDS NETFLIX’S VIEWING HISTORY DISCLOSURES ON SUBSCRIBERS’ TELEVISIONS DO NOT VIOLATE VIDEO PRIVACY PROTECTION ACT
On July 31, 2015, in Mollett v. Netflix, Inc., No. 12-17045, the Court of Appeals for the Ninth Circuit affirmed the order of the United States District Court for the Northern District of California dismissing claims brought under the Video Privacy Protection Act (“VPPA”), 18 U.S.C. § 2710, and California Civil Code § 1799.3 by two plaintiffs on behalf of themselves and other similarly situated Netflix subscribers. Plaintiffs alleged that Netflix violated the statutes by permitting certain disclosures about their viewing history to third parties, namely, subscribers’ family, friends and guests. The claims were directed at Netflix’s display of a subscriber’s video queue and “recently watched” video titles on a subscriber’s television when Netflix is activated. Netflix brought a motion to dismiss for failure to state a claim on the grounds that, inter alia, disclosures of personal information are made to subscribers themselves and are therefore permissible. The Ninth Circuit stated that:
“The interpretation of this section of the VPPA is an issue of first impression for this Circuit. The VPPA was enacted in 1988 in response to the Washington City Paper’s publication of then-Supreme Court nominee Robert Bork’s video rental history. [citation omitted] The paper had obtained (without Judge Bork’s knowledge or consent) a list of the 146 films that the Bork family had rented from a Washington, D.C.-area video store. Id. Members of the Judiciary Committee “denounced the disclosure” and Congress acted swiftly to enact the VPPA . . . ‘[t]o preserve personal privacy with respect to the rental, purchase or delivery of video tapes or similar audio visual materials.’ Id. at *7.”
The Ninth Circuit dismissed plaintiffs’ claims. “The VPPA prohibits a ‘video tape service provider’ from knowingly disclosing ‘personally identifiable information’ about one of its consumers ‘to any person,’ and provides for liquidated damages in the amount of $2,500 for violation of its provisions.’ . . . The Act provides several exceptions to the disclosure prohibition, [including] allowing disclosure of a consumer’s video rental history to the consumer himself. . .” Id. at *8. The Ninth Circuit held that the disclosure alleged by the plaintiffs is a disclosure “to the consumer” that is permitted by the Act. Id. at *9:
“The fact that a subscriber may permit third parties to access her account, thereby allowing third parties to view Netflix’s disclosures, does not alter the legal status of those disclosures. No matter the particular circumstances at a subscriber’s residence, Netflix’s actions remain the same; it transmits information automatically to the device that a subscriber connected to her Netflix account. The lawfulness of this disclosure cannot depend on circumstances outside of Netflix’s control.”
Id. at *12. The Ninth Circuit applied the same analysis to dismiss the claims under California’s video privacy statute, Civil Code § 1799.3.
The Ninth Circuit’s opinion may be found at the following link: http://cdn.ca9.uscourts.gov/datastore/opinions/2015/06/15/13-55666.pdf
California Court of Appeals Holds Personal Identification Information Protections Under Song-Beverly Credit Card Act Inapplicable to Online Purchase Where Buyer Elects to Pick Up Goods at Seller’s Store
The California Court of Appeals recently held in Ambers v. Beverages & More, Inc. (“BevMo”), Case No. B257487 (Cal. Ct. App., 2nd Dist., order entered May 4, 2015), that Civil Code section 1747.08 of the Song-Beverly Credit Card Act did not apply to an online purchase where the buyer elected to pick up the merchandise at the seller’s store. The court affirmed the lower court’s judgment in favor of defendant BevMo. This decision is in the wake of the California Supreme Court’s decision in Apple v. Superior Court (Krescent), 56 Cal. 4th. 128 (2013), in which the court held that the Song-Beverly Credit Card Act was inapplicable to an online transaction involving a downloadable product.
Section 1747.08, subdivision (a) provides:
Except as provided in subdivision (c), no person, firm, partnership, association, or corporation that accepts credit cards for the transaction of business shall do any of the following:
- Request, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to write any personal identification information upon the credit card transaction form or otherwise.
- Request, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the person, firm, partnership, association, or corporation accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise.
- Utilize, in any credit card transaction, a credit card form which contains preprinted spaces specifically designated for filling in any personal identification information of the cardholder.
“Personal identification information” is defined in section 1747.08, subdivision (b), as “information concerning the cardholder, other than information set forth on the credit card, and including, but not limited to, the cardholder’s address and telephone number.”
Section 1747.08, subdivision (c), sets forth certain exceptions to the statutory prohibitions. Subdivision (c)(4) allows personal identification information (“PII”) to be collected if it “is required for a special purpose incidental but related to the individual credit card transaction, including, but not limited to, information relating to shipping, delivery, servicing, or installation of the purchased merchandise, or for special orders.”
Plaintiff Ambers alleged he was required to provide PII to complete his online purchase, in violation of Song-Beverly.
The appellate court referenced Apple, supra, in which the court found the statute inapplicable to an online transaction because the collection of PII by online retailers could serve a legitimate purpose such as fraud prevention. Brick-and-mortar retailers, by contrast, could verify identity at the time of purchase without requiring the collection of PII. For example, they could compare the signature on the credit card transaction form with the signature on the back of the card.
Here, the appellate court found the reasoning in Apple applicable to an online credit card transaction where the merchandise is picked up at the store, because ownership of the merchandise passes immediately upon completion of the online purchase, and not when it is picked up at the store. Without obtaining Ambers’ PII, BevMo would have had no means of verifying that Ambers was an authorized user of the credit card number entered on BevMo’s website before the purchase transaction was completed.
Finally, the court rejected Ambers’ argument that presentation at pickup of his identification and the credit card he had used to complete the online purchase was sufficient antifraud protection for BevMo. The court reasoned that such presentation alone would not provide sufficient recourse if the transaction later proved to be fraudulent.
Under existing California Penal Code Section 528.5, a person who knowingly and without consent credibly impersonates another person via the Internet or other electronic means in order to harm, intimidate, threaten, or defraud a third person is guilty of a public offense punishable by a fine not exceeding one thousand dollars, or by imprisonment in a county jail not exceeding one year, or both. Section 528.5 includes a private right of action.
California Assembly Bill 695 would add Section 1708.87 to the California Civil Code, creating a new private right of action against a person who knowingly and without consent credibly impersonates another person via the Internet or by other electronic means.
The proposed legislation:
- would provide standing to the impersonated person, any person whose likeness is used and any person induced to believe that the defendant is the person being impersonated, provided the plaintiff suffers general or special damages as described in Civil Code Section 48a,
- omits the specific intent requirement of Penal Code Section 528.5 and its application of the compensatory damages and equitable relief provisions of California’s Comprehensive Computer Data Access and Fraud Act (Penal Code Section 502), and
- would authorize courts to award reasonable attorneys’ fees and court costs to a prevailing plaintiff, in contrast with Penal Code Section 528.5 in which attorney fees are available in any civil action by reference to Section 502, paragraph (2) of subdivision (b).
As with Penal Code Section 528.5, under proposed Section 1708.87:
- An impersonation is considered “credible” if another person would reasonably believe, or did reasonably believe, that the defendant was or is the impersonated person, and
- “Electronic means” includes opening an email account or creating an account or profile on a social network using another person’s name.
The text of the proposed legislation may be found here.
Kavon Adli, founder and managing attorney of The Internet Law Group, was quoted in the April 29, 2015 International Business Times article entitled “Pirate Floyd Mayweather, Manny Pacquiao Streams Expected To Cause Big Headache For HBO, Showtime.”
On March 18, 2015, the Court of Appeals for the Second Circuit held that the Communications Decency Act of 1996 shields defendant GoDaddy.com, LLC from defamation liability based upon allegations that false statements about the plaintiffs in a union newsletter were published on a website hosted on GoDaddy’s servers. The Court affirmed the judgment of the United States District Court for the Southern District of New York in favor of GoDaddy on its Federal Rule 12(b)(6) motion to dismiss, which also dismissed labor law claims against the Teamsters Union Local 456. In pertinent part, the Court held:
Accepting as true all of the allegations in the complaint, GoDaddy is immune from the Riccis’ defamation claims under a provision of the Communications Decency Act of 1996: “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” 47 U.S.C. § 230(c)(1). Preemption is express: “No cause of action may be brought and no liability may be imposed under any State or local law that is inconsistent with this section.”
Ricci v. Teamsters Union Local 456, 2015 WL 1214476, at *5.
The Court noted that it has “never construed the immunity provisions of the Communications Decency Act, but other courts have applied the statute to a growing list of internet-based service providers” including GoDaddy. Id. at *7 (citing, e.g., Klayman v. Zuckerberg, 753 F.3d 1354 (D.C. Cir. 2014); Doe v. MySpace, Inc., 528 F.3d 413 (5th Cir. 2008); Chi. Lawyers’ Comm. for Civil Rights Under Law, Inc. v. Craigslist, Inc., 519 F.3d 666, 672 (7th Cir. 2008)). Specifically, the Court held:
“None of this means, of course, that the original culpable party who posts defamatory messages would escape accountability. . . . Congress made a policy choice, however, not to deter harmful online speech through the separate route of imposing tort liability on companies that serve as intermediaries for other parties’ potentially injurious messages.” … In short, a plaintiff defamed on the internet can sue the original speaker, but typically “cannot sue the messenger.”
Id. at *6-7 (quoting Zeran v. Am. Online, Inc., 129 F.3d 327, 330-31 (4th Cir. 1997) and Craigslist, 519 F.3d at 672).
On March 18, 2015, the Federal Trade Commission (“FTC”) released two videos advising consumers what to do if their email has been hacked or their computer has been hijacked by malware. The FTC advises victims of email hacking to: (i) update or install security software, (ii) change passwords if the account can be accessed, (iii) check with the email provider to find out how to restore the account if it is not accessible, and (iv) let family and friends know the email account was hacked. It advises victims of malware hijacking to: (i) stop shopping, banking, and entering passwords online until the computer is cleaned and restored, (ii) update security software, (iii) change passwords used for bank accounts, email accounts, and all other important accounts, and (iv) make sure the operating system and Internet browser are set to update automatically.
LivingSocial Not Entitled to Immunity Under § 230 of the Communications Decency Act Where It Creates, Develops Content Available On Its Site
On March 16, 2015, the U.S. District Court for the Southern District of California held that LivingSocial may be liable to a former vendor-partner for state trademark, false advertising, and unlawful business practice claims stemming from its participatory role in creating a confusing marketing promotion that harmed its former vendor-partner. The campaign caused consumers to erroneously believe that poor performance by a third party was actually attributable to plaintiffs’ business. This led to unwarranted, disparaging reviews about plaintiffs’ business online. LivingSocial moved to dismiss plaintiffs’ state trademark, false advertising, and unlawful business practice claims on the ground that it was entitled to immunity under the Communications Decency Act of 1996 (“CDA”), 47 U.S.C. § 230(c)(1) as a provider of interactive computer services. CDA § 230 affords interactive computer service providers immunity from liability for allegedly improper and illegal content created by third parties. The Court rejected this argument, drawing a “reasonable inference” that LivingSocial was responsible for creating or developing content on its website – thus jeopardizing CDA § 230 immunity. LivingSocial also moved to dismiss plaintiffs’ federal trademark and false advertising claims on the ground that it was entitled to the Lanham Act’s safe harbor provision for online advertisers, which protects innocent infringers. However, the Court found no indication LivingSocial was entitled to the innocent infringer defense, since LivingSocial was aware of plaintiffs’ existence from a prior business relationship with plaintiffs. The Court dismissed the federal trademark claim, without prejudice, on procedural grounds.
On February 26, 2015, the Federal Communications Commission (“FCC”) voted by a 3-2 margin to adopt the FCC’s Open Internet Order, which sets rules forbidding Internet Service Providers (“ISPs”) from: (i) blocking legal content, applications, services, or non-harmful devices, (ii) throttling lawful Internet traffic on the basis of content, applications, services, or non-harmful devices, or (iii) allowing paid prioritization that favors some lawful Internet traffic over other lawful traffic in exchange for consideration of any kind (i.e. no “fast lanes”). The rules preserve the concept of “net neutrality”, which is the idea that ISPs should be required to provide neutral and open access to all Internet users, rather than manage different types of Internet traffic in different ways and for different rates.
On February 12, 2015, Facebook implemented a new policy that provides users the option to designate a “legacy contact” to manage their accounts after death. The legacy contact will be able to write a post to be displayed at the top of the decedent’s memorialized Timeline, respond to new friend requests, and update the account’s profile picture and cover photo. However, the contact will not be able to see the decedent’s private messages.