California Enacts Comprehensive Privacy Reform

On June 29, 2018, the State of California enacted the California Consumer Privacy Act of 2018 (the “Act”). The Act establishes the right of residents of California to:

  • know what personal information is being collected about them;
  • know whether their information is sold or disclosed and to whom;
  • limit the sale of their personal information;
  • access their information held by others; and
  • obtain equal service and price, even if they exercise their privacy rights.

The Act will also allow consumers to have their data erased and will establish opt-in consent for persons under 16.

The Act, which is the first of its kind in the United States, was inspired by the recent European Union’s General Data Protection Regulation (GDPR) which became effective in May of 2018 and provides similar rights to EU citizens.

The Act applies to businesses doing business in California that collect personal information and satisfy one of these three requirements:

  1. have $25M+ in annual revenues,
  2. derive 50%+ of its revenues from selling consumer data, or
  3. annually buy, receive, sell or share for commercial purposes the personal information of 50,000 or more consumers.

The third prong threshold will ensnare even small retailers as a company with 137 unique transactions per day will be covered.

The Act allows enforcement by the Attorney General and will establish a Consumer Privacy Fund to support the purposes of the Act.  The Act also provides a new private right of action for data breaches including a right to seek statutory damages of $100 to $750 per violation.  Suit may be brought individually or as part of a class action.

A link to the new law may be found here.

Comments { 0 }

California Supreme Court Rules That Yelp Cannot Be Ordered to Remove Online Reviews

In a July 2, 2018 plurality opinion (the “Opinion”), the California Supreme Court (the “Court”) vacated an order directing Yelp Inc., a non-party to the underlying defamation lawsuit, to remove certain consumer reviews posted on its website.  The Court thereby reversed the 1st District Court of Appeal and San Francisco Superior Court, which had rejected Yelp’s arguments that the default judgment injunction violated its due process rights and ran afoul of Section 230 of the Communications Decency Act of 1996 (47 U.S.C. § 230).

“Our analysis of the statute begins with an uncontroversial observation: Yelp could have promptly sought and received section 230 immunity had plaintiffs originally named it as a defendant in this case. There is no doubt that Yelp is a ‘provider or user of an interactive computer service’ within the meaning of section 230(c)(1). … The question here is whether a different result should obtain because plaintiffs made the tactical decision not to name Yelp as a defendant. Put another way, we must decide whether plaintiffs’ litigation strategy allows them to accomplish indirectly what Congress has clearly forbidden them to achieve directly. We believe the answer is no.”  Hassell v. Bird, S235968 *21-22. 

“The immunity provisions within section 230 ‘have been widely and consistently interpreted to confer broad immunity against defamation liability for those who use the Internet to publish information that originated from another source.’” Id. at 14.

“The Court of Appeal erred in regarding the order to Yelp as beyond the scope of section 230. That court reasoned that the judicial command to purge the challenged reviews does not impose liability on Yelp. But … the Court of Appeal adopted too narrow a construction of section 230. In directing Yelp to remove the challenged reviews from its website, the removal order improperly treats Yelp as ‘the publisher or speaker of . . . information provided by another information content provider.’ (§ 230(c)(1).) The order therefore must be revised to comply with section 230.”  Id. at *2.

Comments { 0 }

Use of Competing Trademark in Metatags Supports Finding of Trade Dress Infringement

The Ninth Circuit, in a published opinion issued on May 10, 2018, affirmed in part and reversed in part the Oregon district court’s preliminary injunction prohibiting Skechers USA, Inc. from selling shoes that allegedly infringe and dilute adidas America, Inc.’s Stan Smith trade dress and Three-Stripe mark.

“Affirming in part, the panel held that the district court did not abuse its discretion in issuing the preliminary injunction as to adidas’s claim the Skechers’s Onix shoe infringed on adidas’s unregistered trade dress of its Stan Smith shoe. The panel concluded that adidas was likely to succeed on the merits of this claim because the trade dress was nonfunctional, the trade dress had acquired secondary meaning, and there was a substantial likelihood of confusion between the parties’ products.”

Adidas America, Inc. v. Skechers USA, Inc.No. 16-35204, *2 (from staff summary).

The court relied in part on Skechers’ use of adidas Stan Smith metatags in support of its findings that there was a likelihood of confusion and that the Stan Smith trade dress had acquired secondary meaning.

“‘[P]roof of copying strongly supports an inference of secondary meaning.’ Vision Sports, Inc. v. Melville Corp., 888 F.2d 609, 615 (9th Cir. 1989). Skechers placed metadata tags on its website that directed consumers who searched for ‘adidas Stan Smith’ to the page for the Onix shoe. ‘Using another’s trademark in one’s metatags is much like posting a sign with another’s trademark in front of one’s store.’ Brookfield Commc’ns, Inc. v. W. Coast Entm’t Corp., 174 F.3d 1036, 1064 (9th Cir. 1999).”

Adidas America, Inc., supra, at *10.  As to likelihood of confusion, the Ninth Circuit found that “the evidence supports an inference that Skechers intended to confuse consumers; it not only created a nearly identical shoe to the Stan Smith, but then used metadata tags to direct consumers who searched for ‘adidas stan smith’ to the Onix web page.3”  Id. at *12.

“Relying on Multi Time Machine, Inc. v. Amazon.com, Inc., 804 F.3d 930 (9th Cir. 2015), Skechers argues that its use of metadata tags clearly identifying the source of the product being sold is indicative only of an intent to compete, not an intent to infringe. This reliance is misplaced. In Multi Time, a watch manufacturer brought an action alleging that an online retailer’s listing of competitors’ products in response to a search for the manufacturer’s mark constituted trademark infringement. Id. at 934–35. Because the defendant there did not create any of the competing products, the use of the metadata was not probative of its intent to exploit the existing secondary meaning of a competitor’s mark or trade dress. Id. at 936–37. Here, however, Skechers’s use of the metadata is probative of its attempt to capitalize on the Stan Smith by both creating and selling the similar-looking Onix.”

Id. at *12 n.3.

Comments { 0 }

TILG Prevails Before Ninth Circuit, Panel Finds Use Of Fictitious “From” Names Does Not Make E-Mail Header Materially False or Misleading Where Names Do Not “Spoof” Identities of Individuals Known to Recipient and are Accompanied by Accurate Domain Names and Subject Lines That Make Clear E-Mail is Commercial in Nature

On March 6, 2018 in Silverstein v. Keynetics, Inc. the United States Court of Appeals for the Ninth Circuit affirmed the dismissal of a putative class action lawsuit brought under California Business & Professions Code section 17529.5, also known as the California email law (the “Email Law”).  The crux of the case was that the plaintiff received LinkedIn messages which were falsified within the meaning of the Email Law in that the individual sender names (e.g., Liana Christian) were allegedly made up names.

Kavon Adli and Seth Wiener of The Internet Law Group (TILG) represented 418 Media, LLC and Lewis Howes, two of the four prevailing Defendants-Appellees in the action.

California Business and Professions Code section 17529.5 governs unsolicited commercial email. It provides in pertinent part that it is unlawful for a person or entity to advertise in a commercial e-mail advertisement either sent from California or sent to a California electronic mail address under any of the following circumstances:

(1) The e-mail advertisement contains or is accompanied by a third-party’s domain name without the permission of the third party.

(2) The e-mail advertisement contains or is accompanied by falsified, misrepresented, or forged header information.[1] This paragraph does not apply to truthful information used by a third party who has been lawfully authorized by the advertiser to use that information.

Cal. Bus. & Prof. Code § 17529.5(a).  The statute provides for liquidated damages of one thousand dollars ($1,000) for each unsolicited commercial e-mail advertisement transmitted in violation of section 17529.5, up to one million dollars ($1,000,000) per incident.

Plaintiff made the following allegations in the second amended complaint, all of which were assumed true for purposes of the motion to dismiss:

  • Plaintiff is a member of the group “C, Linux and Networking Group” on LinkedIn, a professional networking website. Through his membership in that group, he received commercial emails that came from fictitiously named senders through the LinkedIn group email system.
  • Plaintiff alleged that the text in the “from” name field in the email headers is “false and/or deceptive” in that defendants “insert[ed] a false name into the email header…” For example, the “from” names include “Liana Christian,” “Whitney Spence,” “Ariella Rosales,” and “Nona Paine,” none of which identify any real person associated with any defendant. Further, plaintiff alleges that the emails “claim to be from actual people…”
  • The bodies of the emails contain links to five web pages. Plaintiff alleged that these links “go through clickbank.net,” which is owned and operated by defendant Click Sales, and that Click Sales is a wholly owned subsidiary of defendant Keynetics. He also alleged that defendant 418 Media owns one of the web pages and that defendant Lewis Howes, an individual, owns and operates 418 Media.

In this case, plaintiff alleged that the emails at issue violated section 17529.5(a)(1) because the emails were sent from the linkedin.com domain, even though LinkedIn did not authorize the use of its domain and was not the actual sender of the emails. He further alleged the emails violated section 17529.5(a)(2) because the “from” names are “false” and that Defendants “insert[ed] a false name into the email header in an attempt to trick the recipient into opening the email.”

The District Court dismissed Silverstein’s second amended complaint with prejudice on the ground that his claims under California Business & Professional Code § 17529.5 were preempted by the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, 15 U.S.C. § 7701 et seq. (CAN-SPAM Act).  The CAN-SPAM Act’s express preemption provision provides in pertinent part that it “supersedes any statute, regulation, or rule of a State or political subdivision of a State that expressly regulates the use of electronic mail to send commercial messages, except to the extent that any such statute, regulation, or rule prohibits falsity or deception in any portion of a commercial electronic mail message or information attached thereto.” 15 U.S.C. § 7707(b) (emphasis added). Congress carved out from preemption state laws that proscribe ‘falsity or deception’ in commercial e-mail communications.” Gordon v. Virtumundo, Inc., 575 F.3d 1040, 1061 (9th Cir. 2009). In Gordon, the Ninth Circuit held that the CAN-SPAM Act’s exception from preemption for laws prohibiting “falsity” and “deception” refers to “‘traditionally tortious or wrongful conduct.’” Id. at 1062 (citing Omega World Travel, Inc. v. Mummagraphics, Inc., 469 F.3d 348, 354 (4th Cir. 2006)). Thus, in order to escape preemption, “the false or deceptive information in a commercial email must be material.” Silverstein v. Keynetics, Inc., 2016 WL 3479083, at *4 (citing Gordon, 575 F.3d at 1062).

The Ninth Circuit affirmed the District Court’s dismissal, holding as follows:

The e-mails’ use of the LinkedIn.com domain name is not materially false or misleading within the meaning of the CAN-SPAM Act. See Gordon v. Virtumundo, 575 F.3d 1040, 1062–64 (9th Cir. 2009). Although LinkedIn itself did not send the e-mails, LinkedIn has an automatic e-mail feature that allows LinkedIn group members to communicate with each other. The parties do not dispute that the e-mails actually originated from the LinkedIn.com domain, and that the senders of the e-mails would have to have been members of LinkedIn to send the e-mails.

Silverstein at most has alleged that other LinkedIn users violated the terms of LinkedIn’s user agreement by using the LinkedIn domain to contact him and other group members with unauthorized spam or advertising. However, the senders’ conduct does not make use of the LinkedIn domain name materially false or misleading because the e-mails did come from a LinkedIn member. Accordingly, use of the domain does not rise to the level of “traditionally tortious or wrongful conduct,” as required to escape CAN-SPAM Act preemption. See Gordon, 575 F.3d at 1062 (quoting Omega World Travel, Inc. v. Mummagraphics, Inc., 469 F.3d 348, 354 (4th Cir. 2006)).

The “From” names were also not materially false or misleading, as Silverstein did not allege that the individuals listed in the “From” field were actually known to him and that the senders misappropriated those names. Cf., e.g., Hoang v. Reunion, No. C-08-3518 MMC, 2010 WL 1340535, at *6 (N.D. Cal. Mar. 31, 2010) (holding that a § 17529.5 claim was not barred by Gordon where “plaintiffs allege that each plaintiff received an e-mail indicating the sender was an actual person known to such recipient, when, in fact, the e-mails were sent by defendant”). Nor did Silverstein allege that the “From” names deceived him as to the nature of the e-mails. It is hard to see how they could have, given that the “From” names were adjacent to clearly commercial subject lines, such as “How a newbie banked $5K THIS WEEK . . . What Nobody Told You About.”

In short, the use of fictitious “From” names does not make an e-mail header materially false or misleading within the meaning of the CAN-SPAM Act where those names do not “spoof” the identities of individuals known to the recipient and are accompanied by accurate domain names and subject lines that make it clear the e-mail is commercial in nature. Therefore, Silverstein’s claim is preempted by the CAN-SPAM Act.

Links to the applicable Ninth Circuit and District Court opinions are:

[1] The Email Law does not define the term “header information.” In Kleffman v. Vonage Holdings Corp., 49 Cal. 4th 334, 340 n.5 (2010), the California Supreme Court applied the CAN-SPAM Act’s definition of header information, which is “the source, destination, and routing information attached to an electronic mail message, including the originating domain name and originating electronic mail address, and any other information that appears in the line identifying, or purporting to identify, a person initiating the message.” (citing 15 U.S.C. § 7702(8)).

Comments { 0 }

Statute Restricting Publication of Age-Related Information by Online Entertainment Employment Service Providers Found Unconstitutional

On February 20, 2018, the U.S. District Court for the Northern District of California granted plaintiff IMDb.com, Inc.’s motion for summary judgment and permanently enjoined the State of California from enforcing AB 1687 on the grounds that it violates the First Amendment.  IMDb.com, Inc. v. Becerra, No. 16-cv-06535-VC, 2018 U.S. Dist. LEXIS 27898, *10.

AB 1687, codified at California Civil Code § 1798.83.5, states in pertinent part as follows:

“A commercial online entertainment employment service provider that enters into a contractual agreement to provide employment services to an individual for a

subscription payment shall not, upon request by the subscriber, do either of the following:  

(1) Publish or make public the subscriber’s date of birth or age information in an online profile of the subscriber.

(2)  Share the subscriber’s date of birth or age information with any Internet Web sites for the purpose of publication.”

Cal. Civ. Code § 1798.83.5(b).

Defendant State of California and defendant-intervenor SAG-AFTRA argued that AB 1687 should be considered a regulation of voluntary commercial contracts rather than a speech restriction.  The court disagreed, finding that it is in fact a direct restriction on speech since the law “prohibits certain speakers from publishing certain truthful information…because of concerns that a third party might use that information to engage in [age discrimination].”  IMDb.com, supra, at *3. 

Applying strict scrutiny, the defendants were required to prove that AB 1687 “furthers a compelling interest and is narrowly tailored to achieve that interest.”  Id. at *5-6.  The court held that the law failed to withstand strict scrutiny since there was no evidence that California explored less-speech-restrictive alternatives (id. at *7) and since the law was both over and under-inclusive (id. at *8). 

A link to the opinion may be found here.

Comments { 0 }

CDA Immunity Against Right of Publicity Claims Upheld

Interactive service providers can breathe a little easier now since the California Supreme Court has decided not to disturb an August 9, 2017 decision by the California Court of Appeals applying Communications Decency Act (“CDA”) Section 230 protections for interactive service providers to right of publicity claims.  A California Superior Court judge’s decision not to dismiss a right of privacy claim threatened to create another vulnerability in CDA Section 230 protections for website hosts.  While the Superior Court judge properly applied Section 230 to many of these claims, the judge’s decision that Section 230 does not apply to right of publicity claims could have opened the door to further lawsuits seeking to stifle online criticism.  Fortunately, the California Court of Appeals’ decision to reverse the Superior Court remains the law in California.

Cross v. Facebook should have been a simple CDA Section 230 defense win for Facebook against a musician attempting to silence critics.  Jason Cross, a musician that performs under the alias of “Mikel Knight”, has been subjected to criticism for alleged mistreatment of his sales team.  Cross filed a lawsuit in Tennessee against both the critics and Facebook.  Cross also sued Facebook in California seeking removal of critical Facebook pages and identification of those responsible for the Facebook pages.  Ordinarily, such attempts to attack a social network for a user’s exercise of their free speech rights would be prevented by the Communications Decency Act, Section 230.  CDA Section 230 shields interactive service providers (“ISP”) from liability based on user-generated content when the ISP acts as a passive conduit for people to post their ideas.  Section 230 is considered crucial for online free speech, as requiring website hosts to review and censor all user content would limit the ability to provide open forums for users and would have chilling effects on user speech.

Cross’ complaint against Facebook regarding the negative user content was only remarkable for the result.  The Superior Court rejected Cross’s other charges against Facebook for breach of contract, negligent misrepresentation, negligent interference with economic advantage, and promissory estoppel.  The surprise came when the Superior Court determined Cross could prevail in his claims that Facebook made commercial use of Cross’s name and likeness by placing advertisements on a web page hosting critical content.  The Superior Court stated that a person’s publicity rights are intellectual property under state law, and intellectual property infringement claims are not protected by the CDA.  The trial court’s holding indicated that any speech on social media that was about a real person and that was published on a website containing advertising could be subject to a right of publicity claim.  In so deciding, the Superior Court failed to follow well-established First Amendment limits to the right of publicity and the immunities granted by the CDA.

The Appeals Court rejected these assertions, also noting Cross’s publicity right complaints did not apply to Facebook since the web page advertisements did not use Cross’s name or likeness, and Facebook neither created nor was promoted by any of the posted advertisements.  While the Appeals Court did not address Facebook’s First Amendment claims, it did require Cross’s complaint be dismissed and required Cross to pay Facebook’s attorney fees for defending of the lawsuit under California’s anti-SLAPP laws.  These laws were created to discourage “strategic lawsuits against public participation” where a meritless lawsuit is filed to stifle speech regarding an issue of public interest.  While 2017 has seen a number of cases eroding the protections provided by Section 230 of the Communications Decency Act, Cross v. Facebook ensures that a mere right of publicity complaint will not be enough to strip an ISP of its protections.

Read more here»

Comments { 0 }

New Requirements for California Continuity or “Negative Option” Programs

On September 28, 2017, SB-313 was approved by Governor Jerry Brown effective July 1, 2018.  This most recent update to the law that governs how businesses may provide automatic renewal services to customers in the state comes in response to complaints regarding continuity programs under existing law.

Businesses that offer subscription-based services including through a website to California consumers must comply with Cal. Bus. & Prof. Code sections 17600-17606 by making certain disclosures regarding automatic renewal terms.  There are also federal laws applicable to subscription services, such as the Federal Trade Commission Act (15 U.S.C. § 41) which requires clear and honest disclosures regarding the company’s automatic renewal policies.  The Federal Trade Commission and state Attorneys General may also prosecute companies under 15 U.S.C. sections 8401-8405 for failure to comply with regulations applying to post-transaction charges and negative option features that include subscription services.

California’s new law requires a separate, stand-alone form for the consumer to review and approve to authorize subscription services through a third-party account such as a credit or debit card. The customer acknowledgment should include the terms of the automatic renewal agreement, the cancellation policy and how the consumer can cancel the service in a format the consumer can retain.  Businesses offering free trials must include a statement of how to cancel the services and allow the consumer to cancel the service before the consumer is charged for the good or service.  The statute also requires timely, simple and cost-effective cancellation mechanisms, such as toll-free phone numbers, mailing addresses and email addresses.  If there is to be a material change in the terms of the automated service, the business will need to provide the consumer clear and conspicuous notice of the change along with retainable cancellation instructions.

Read more here»

Comments { 0 }

Inclusion in Text Message of Link to Mobile App Prevents Dismissal of Putative Telephone Consumer Protection Act (TCPA) Lawsuit

On October 11, 2017 the U.S. District Court for the Northern District of California, San Jose District, denied a motion to dismiss a putative Telephone Consumer Protection Act (the “TCPA”) class action based on a text message confirming plaintiff’s registration for defendant’s rewards program.  At issue was the effect of having included a link to defendant Häagen-Dazs’ mobile app.  Subject to limited exceptions, 47 C.F.R. §64.1200(a)(2) (2013) requires “prior express written consent” whenever a text or call to a cellular phone using an automatic telephone dialing system introduces an advertisement or constitutes telemarketing.

The TCPA regulations define “advertisement” as “any material advertising the commercial availability or quality of any product, goods, or services” and “telemarketing” as “the initiation of a . . . message for the purpose of encouraging the purchase or rental of, or investment in, property, goods or services . . . .”

San Pedro-Salcedo v. Haagen-Dazs Shoppe Co., 2017 U.S. Dist. LEXIS 168532, *5 (quoting 47 C.F.R. §64.1200(f)(1) and (12)).  Distinguishing cases in which further action was required to complete registration, the court held:

If the registration for Häagen-Dazs Rewards was completed before the receipt of the text and without the need to download Defendants’ app, then Defendants’ message to “Download our app here,” arguably constitutes an advertisement for the commercial availability of Defendants’ app. Construing the alleged facts in the light most favorable to Plaintiff, the Court finds Plaintiff’s allegations sufficient at the pleading stage.

Id. at *6-7.  A link to the opinion may be found here.

Comments { 0 }

Court Enjoins Linkedin From Blocking Scraper

Plaintiff hiQ Labs’ business model involves providing information to businesses about their workforces based on statistical analysis of publicly available information on profiles of LinkedIn users. After several years of tolerating hiQ’s access and use of its data, defendant LinkedIn issued a cease and desist letter and attempted to block hiQ’s ability to access the profile information. In response, hiQ initiated a declaratory relief action alleging that LinkedIn’s actions constitute unfair business practices under Cal. Bus. & Prof. Code § 17200 et seq., and asserting common law tort and contract claims.  The plaintiff also moved for a preliminary injunction allowing it to access LinkedIn profiles pending resolution of the dispute.  On August 14, 2017, the Northern District of California granted the requested injunction, holding that:

The balance of hardships tips sharply in hiQ’s favor. hiQ has demonstrated there are serious questions on the merits. In particular, the Court is doubtful that the Computer Fraud and Abuse Act may be invoked by LinkedIn to punish hiQ for accessing publicly available data; the broad interpretation of the CFAA advocated by LinkedIn, if adopted, could profoundly impact open access to the Internet, a result that Congress could not have intended when it enacted the CFAA over three decades ago. Furthermore, hiQ has raised serious questions as to whether LinkedIn, in blocking hiQ’s access to public data, possibly as a means of limiting competition, violates state law.

A link to the opinion may be found here:

hiQ Labs Inc. v. LinkedIn Corporation (Case No. 17-cv-03301-EMC), Order Granting Preliminary Injunction

Comments { 0 }

Canada Supreme Court Rejects Facebook’s California Forum Selection Clause

The forum selection clause in Facebook’s terms of use specifies that disputes with Facebook users must be resolved in California according to California law. By order issued today, the Supreme Court of Canada finds Facebook’s forum selection clause to be unenforceable:

https://scc-csc.lexum.com/scc-csc/scc-csc/en/item/16700/index.do

Comments { 0 }