• Marc Roth and Lindsay Conner to Serve as Faculty for PLI Information Technology Law Institute 2013

    The Practising Law Institute will hold its annual Information Technology Law Institute on April 11–12, 2013 in New York and on May 16–17, 2013 in San Francisco. The focus of this year’s seminar is Privacy and Cybersecurity, Mobile Advertising, Digital Distribution, Social Media and the Third Industrial Revolution, among many other issues impacting this rapidly evolving landscape.

    Manatt partner Marc Roth is co-chair of this year’s conference and will kick off the day with introductory remarks. He will also participate in a session titled, “Advertising Beyond the Web: Opportunities and Challenges for Mobile Devices, Tablets and Other Technology” along with co-presenter Lesley Fair of the FTC’s Bureau of Consumer Protection. They will discuss how traditional advertising rules apply to wireless devices; outline issues presented by consumers interacting with ads; and highlight top regulatory concerns in this area.

    Manatt partner Lindsay Conner will deliver a presentation on “The Innovative Influence of Digital Distribution for Books, Music, Films, Television, Videos and Other Content,” in which he will discuss how digital distribution is transforming intellectual property distribution; economic benefits from digital distribution; and the critical content issues behind Viacom v. YouTube, among other topics.

    In lieu of attending either in-person program, attendees can register for a webcast of the live PLI program on May 16–17, 2013, starting at 9:00 am Pacific. For more information or to register for this event, click here.

    back to top

    Data Security, Emerging Tech to Be Focus for FTC

    New Chairperson of the Federal Trade Commission Edith Ramirez has hit the ground running. Attending the International Association of Privacy Professionals Conference in Washington, D.C., Ramirez outlined priorities for her term.

    In addition to regulating companies for data security failures, Ramirez promised that the agency would focus on privacy in emerging technologies like the “Internet of Things,” such as cars and home appliances connected to the Internet. “No matter what we do at the FTC, the reality is that technology is just developing at a pace that we can barely keep up with,” Ramirez said at the conference. “We need to be conscious of this, and it absolutely needs further study, and I certainly want to make sure the agency is looking at all these developments.” She indicated that a workshop on the topic will be forthcoming.

    Ramirez cited enforcement of the Children’s Online Privacy Protection Act as another area of attention for the agency. She also noted that the mobile space is an area of “increasing importance” and a focus of the agency’s efforts.

    Ramirez, filling the shoes of outgoing Chairman Jon Leibowitz, said she plans to continue use of the Commission’s authority under Section 5 of the Federal Trade Commission Act to regulate unfairness. “I feel we’ve used that authority very judiciously, and I want to see us continue to do that.” However, she added, “that’s not a blank check for us to go after privacy violations.” When evaluating whether or not to take action, the agency will consider, “Is there a real harm? A harm that isn’t speculative?” she explained.

    Harm may include non-pecuniary harm, Ramirez said, using the example of last year’s enforcement action against a software designer and rent-to-own companies that rented computers loaded with spyware to consumers who then had their keystrokes captured and screen shots taken without their knowledge. “There I think it’s very clear that it falls within our unfairness authority,” Ramirez said. “There are harms that go beyond monetary harm.”

    Ramirez also indicated support for the progress of Do Not Track efforts and praised the elevation of “Privacy by Design” over the last few years. Companies have begun to shift perspective from a focus on privacy policies to other means of communicating with consumers about privacy, she said. “I’m really encouraged when I go out to Silicon Valley by the stories I hear about how seriously companies are taking privacy,” Ramirez told the audience. “I know that privacy professionals within companies are very pleased when they hear their engineers talking about finding privacy solutions.”

    Why it matters: Ramirez’s comments solidify a continued FTC focus on privacy issues, particularly related to children and COPPA, and the concerns raised by emerging mobile technology. Over the coming months – and ensuing workshops, enforcement actions, and investigations – the agency under her leadership will continue to take shape.

    back to top

    Mobile Payment Services Subject of New FTC Report

    The Federal Trade Commission has released a new report on the burgeoning world of mobile payment services, “Paper, Plastic…Mobile? An FTC Workshop on Mobile Payments,” that offers guidance for the industry.

    The agency focused on three areas of concern: dispute resolution, data security, and privacy.

    Dispute resolution in the mobile ecosystem can be extraordinarily complicated for consumers. “Mobile payment users may not recognize that their protections against fraudulent or unauthorized transactions can vary greatly depending on the underlying funding source,” the FTC explained. Because mobile purchases are funded from a variety of sources – a bank account, a credit card, or a mobile phone account, for example – each has a different dispute resolution process with varying protections. To limit consumer confusion, companies should “develop clear policies regarding fraudulent and unauthorized charges and clearly convey these policies,” the agency recommended.

    In addition, mobile phone bills present the potential for “cramming” or unauthorized charges, which are growing issues in the mobile ecosystem. Companies should provide “basic protections” for consumers, that include the ability to block all third-party charges on mobile accounts. They should also offer a clear explanation that third-party charges may be placed on an account with an explanation of how to block such charges, and they should establish clear and consistent processes to dispute charges and obtain reimbursement.

    Security is a second area of concern in the mobile payment ecosystem. “Mobile payment providers should increase data security as sensitive financial information moves through the payment channel, and encourage adoption of strong security measures by all companies in the mobile payments chain,” the FTC wrote.

    Finally, the agency turned to privacy. As mobile payment providers have access not only to a consumer’s financial information but other personal data on his or her mobile device, mobile payments pose potential privacy issues.

    To ensure consumer privacy, mobile companies must practice “privacy by design” and provide simplified choices and greater transparency for consumers, the agency advised.

    To read the FTC report, click here.

    Why it matters: The staff report is just the latest example of the FTC’s attention to the mobile ecosystem. It follows an enforcement action against a mobile app provider, a report recommending best practices for app developers issued in February and a report focused on mobile applications geared toward children last December. Industry members should be prepared to face scrutiny from the agency, which has made clear its intent to regulate the world of mobile payment services. As the report promised, the FTC will “continue to monitor mobile payment options, and to evaluate whether consumers have adequate protections and the information they need to make informed choices about these new and innovative services.”

    back to top

    Zip Back to Court: Massachusetts Court Reinvigorates Zip Code Lawsuit

    Retailers must now beware of collecting zip codes on both coasts and the possibility of consumer class action suits. Massachusetts’ highest court ruled that zip codes are personal information and that the law prohibiting retailers from requesting codes from credit card purchases was designed to protect their privacy.

    In 2011, Melissa Tyler, a customer of Michaels Stores, Inc., filed suit against the craft retailer. She claimed that the company violated a Massachusetts consumer protection law by requesting and recording her zip code while processing her credit card transaction. Tyler filed her suit just weeks after the seminal decision from the California Supreme Court in Pineda v. Williams-Sonoma, which held that retailers may not collect zip codes from consumers who use their credit cards, as they are considered “personal identification information” under the state’s Song-Beverly Credit Card Act.

    Giving hope to retailers, a federal court judge dismissed Tyler’s suit last year but gave the plaintiff the option of filing a request to certify questions about the statute to the Massachusetts Supreme Judicial Court, the state’s highest court.

    Answering the questions, the court determined that a zip code constitutes personal identification information for the purposes of the state law, G.L. c. 93, §105(a), and the term “credit card transaction form” applies equally to electronic and paper transaction forms. In addition – and most troubling for retailers – the court said that a plaintiff may bring an action for violation of the law absent identity fraud and still recover statutory damages.

    The district court judge reached the wrong conclusion about the intent of the statute, which has a “principal purpose…to guard consumer privacy in credit card transactions, not to protect against credit card identity fraud,” the court said. With that backdrop, “We see no reason to read into the statute a requirement that one be the victim of identity fraud in order to assert a claim under [the statute].”

    Elaborating on what a plaintiff must allege under the statute to establish injury or loss, the court said “the violation of the legal right that has created the unfair or deceptive act or practice must cause the consumer some kind of separate, identifiable harm arising from the violation itself.”

    The court identified two types of injury or harm that might be caused by a merchant’s violation of the statute: “the actual receipt by a consumer of unwanted marketing materials as a result of the merchant’s unlawful collection of the consumer’s personal identification information” and “the merchant’s sale of a customer’s personal identification information or the data obtained from that information to a third party.”

    In a footnote, the court was even more explicit. “In the present case, for example, if Michaels obtained a customer’s zip code, placed that information in a file (paper or electronic), and never used the information for any purposes thereafter, a consumer would not have a cause of action for damages [under the statute], even though Michael’s request for and saving of the zip code information may have violated [the law],” the court said.

    Because Tyler alleged that she received unwanted marketing materials as a result of Michaels’ collection and recording of her zip code, the court’s holding effectively reverses the district court’s decision.

    Turning to damages, the court acknowledged that the use of a consumer’s personal information in the two situations it described would not be likely to cause a quantifiable loss of money or property or measurable emotional distress. However, recovery would still be available.

    In the first situation, “receipt of unwanted marketing material as a result of a §105(a) violation represents an invasion of the consumer’s personal privacy causing injury or harm worth more than a penny, and the consumer is thus entitled to the minimum statutory damage award of twenty-five dollars,” the court said.

    In the second scenario, where a retailer sold a consumer’s personal information to a third party, the court said that disgorgement of a merchant’s profits would be an appropriate remedy. “It is a close approximation of the value of the consumer’s personal identification information on the open market and because such an award would remove any financial incentive to merchants to violate the statute.”

    To read the decision in Tyler v. Michaels Stores, click here.

    Why it matters: With two states now denying retailers the right to collect zip codes, similar suits should be expected in other states. Massachusetts-based retailers should also brace themselves to see suits pile up similar to those in the California courts after Pineda.

    back to top

    LinkedIn’s Privacy Suit Dismissed

    LinkedIn scored a victory recently when the court dismissed a privacy lawsuit claiming a data breach on the professional networking site was a result of the company’s failure to comply with industry security standards.

    Last summer, hackers accessed LinkedIn’s systems and posted approximately 6.5 million passwords on an unrelated site. Two LinkedIn users then filed suit against the site.

    But U.S. District Court Judge Edward Davila ruled that the putative class failed to demonstrate a “causal connection” between the alleged misrepresentations made in LinkedIn’s privacy policy and the harm suffered by users.

    The plaintiffs had each purchased an upgrade to “premium” membership and contended that they suffered economic harm as a result of the breach. According to them, they did not receive the full benefit of premium memberships and would not have paid the price had they known about the poor security. Analogizing to class actions where plaintiffs claim they would not have purchased a food product had they known that it was not as advertised on the product’s labeling, the court rejected their theory.

    “The user agreement and privacy policy are the same for the premium membership as they are for the non-paying basic membership,” Judge Davila wrote. “Any alleged promise LinkedIn made to paying premium account holders regarding security protocols was also made to non-paying members.”

    The plaintiffs paid a premium for advanced networking tools and capabilities – not for a particular level of security, the court said.

    Further, the plaintiffs did not argue that no security services were provided but said the security services were defective in some way. “This is not the case where consumers paid for a product, and the product they received was different from the one as advertised on the product’s packaging. Because plaintiffs take issue with the way in which LinkedIn performed the security services, they must allege ‘something more’ than pure economic harm,” the court held.

    To read the decision in In re LinkedIn User Privacy Litigation, click here.

    Why it matters: Although the decision is a victory for LinkedIn, Judge Davila dismissed the suit with leave to amend and provided some road markers for the plaintiffs should they choose to refile. In addition to explaining that the plaintiffs need to plead “something more” than pure economic harm, the court offered a suggestion about what that harm might be, like theft of personally identifiable information. Judge Davila also noted that the plaintiffs failed to mention that they actually read the alleged misrepresentations in the privacy policy, a requirement to support their claims.

    back to top

    Judge Halts NYC Soda Ban

    Just one day before the controversial ban on “giant soda” was set to impact New York City, a trial judge issued an injunction halting the law from taking effect as scheduled on March 12.

    The New York City Board of Health approved the law last fall which banned the sale of beverages “sweetened with sugar or another caloric sweetener that contain more than 25 calories per 8 fluid ounces,” as applied to drinks sold in containers larger than 16 ounces.

    Industry groups including the American Beverage Association and the National Restaurant Association challenged the law, arguing it was an unconstitutional violation of the separation of powers doctrine because the Board exceeded its authority and impermissibly trespassed on legislative jurisdiction.

    After reviewing the history of the Board of Health – beginning with its creation in the 1698 City charter and detailing each revision to the current date – Manhattan Supreme Court Justice Judge Milton A. Tingling agreed.

    “In looking at the history of the Charter, the intention of the legislature with respect to the Board of Health is clear. It is to protect the citizens of the city by providing regulations that prevent and protect against communicable, infectious, and pestilent diseases,” he wrote.

    Major amendments to the Charter and the Board’s power occurred at times of heightened public illness, Judge Tingling wrote, when a rise in immigration brought new diseases to the city and at the time of the AIDS epidemic in 1989.

    “However, one thing not seen in any of the Board of Health’s powers is the authority to limit or ban a legal item under the guise of ‘controlling chronic disease,’ as the Board attempts to do herein. The Board of Health may supervise and regulate the food supply of the City when it affects public health, but the Charter’s history clearly illustrates when such steps may be taken, i.e., when the City is facing imminent danger due to disease. That has not been demonstrated herein.”

    Not only did the Board overstep its bounds, Judge Tingling said, but the law itself was poorly written and “is laden with exceptions based on economic and political concerns.” Convenience stores like 7-11 are not covered by the law as part of a group of businesses exempt from all Board of Health regulations, for example, and drinks that contain 51 percent milk – even high-fat milkshakes and lattes – are also exempt.

    Even affording the Board “every degree of judicial deference,” Judge Tingling said the law “is arbitrary and capricious because it applies to some but not all food establishments in the City, it excludes other beverages that have significantly higher concentrations of sugar sweeteners and/or calories on suspect grounds, and the loopholes inherent in the Rule, including but not limited to no limitations on refills, defeat and/or serve to gut the purpose of the Rule.”

    To uphold the law would “not only violate the separation of powers doctrine, it would eviscerate it,” he concluded. “Such an evisceration has the potential to be more troubling than sugar sweetened beverages.”

    To read the order in New York Coalition of Statewide Hispanic Chambers of Commerce v. The New York City Board of Health and Mental Hygiene, click here.

    Why it matters: The decision “provides a sigh of relief” for the soft drink industry and retailers impacted by the law, Christopher Gindlesperger, a spokesperson for the American Beverage Association, told The New York Times. “With this ruling behind us, we look forward to collaborating with city leaders on solutions that will have a meaningful and lasting impact on the people of New York City,” he said. But the fight isn’t over. Mayor Michael R. Bloomberg, who championed the law, immediately vowed to appeal the decision. “We believe that the judge’s decision was clearly in error, and we believe we will win on appeal,” Mayor Bloomberg said at a press conference about the court’s opinion. “People are dying every day. This is not a joke. This is about real lives.”

    back to top

    Most Read Stories

    In case you missed any, here are our top 10 most widely read stories in February:

    1. “Starbucks, Kraft Battle Over Coffee Claims

    2. “ ‘Business Coaching’ Defendants Settle with FTC

    3. “Size Really Does Matter – At Least for Subway Sandwiches

    4. “The FTC and the Mobile Ecosystem: Enforcement Action, Report, and Educational Materials

    5. “CARU Chides Kraft for Kids’ Sweepstakes

    6. “Orange Juice Plaintiff’s Suit Dismissed as ‘Much Ado’ over Fresh Squeezed Claims

    7. “NAI to Adopt Mobile Privacy Guidelines

    8. “News from the Capital: VPAA Amendment Becomes Law, New Mobile Privacy Bill Introduced

    9. “California Lawmakers Consider Privacy

    10. “Report: FTC’s Report on Alcohol Industry’s Online Marketing to Be Released This Summer

    back to top