Deconstructing Data Privacy Class Actions

Grace E. Tersigni Cliff Cantor KamberLaw, LLC Law Offices of Clifford A. Cantor, PC

DECONSTRUCTING DATA PRIVACY CLASS ACTIONS:

Roadmap

• Investigation

• Litigation

• Remediation

• Resolution

INVESTIGATION

• Consumer complaints

• Forensics

• Other sources include news reports, academic publications, and tipsters.

COMMON PRACTICES LEADING TO PRIVACY VIOLATIONS

• Website tracking

• Mobile tracking

• Data breaches

• ISP redirection

WEBSITE TRACKING

• Targets: first and third parties

• Practices: circumventing users’ browser controls

through:

– Adobe Flash LSOs aka Flash cookies

– HTML5

– CSS/browser cache hack

– Dom storage

– Browser history sniffing

– P3P compact policy spoofing

MOBILE DEVICE TRACKING

Unauthorized and unexpected

• location tracking; and

• collection and/or disclosure of personal

information.

– Targets include app developers; platform

providers; and third parties, i.e., metrics and

advertising companies

In re iPhone App. Litig., No. 5:11-MD-2250-LHK

• Claims under the California UCL, CLRA,

and FAL

• Geo-tagging – location services “off”

• iDevice data collection by 3rd parties

via apps

OTHER MOBILE DEVICE TRACKING CASES

• In RE: Google Android Consumer Privacy

Litigation, (N.D. Cal. pending)

(Android data collection by 3rd parties via

apps)

• Goodman v. HTC and Accuweather (W.D.

Wash.) (HTC cellphones & embedded

Accuweather app)

VIDEO STREAMING

• Congress enacted the Video Privacy

Protection Act, 8 U.S.C. § 2710, aka the

“Bork Act,” in 1988 so that consumers’

decisions about what videos they want to

watch would remain private.

VIDEO STREAMING, #2

The VPPA makes it illegal—subject to certain

narrow exceptions—for a video provider to

knowingly disclose information that identifies

a person as having requested or obtained

specific video materials or services, unless the

provider obtains the consumer’s explicit

written, informed consent for each disclosure.

18 U.S.C. §§ 2710(b)(1), (b)(2)(B).

VIDEO STREAMING, #3

• Violations are subject to a private right of

action in federal court.

• A federal court may award (A) actual

damages but not less than liquidated

damages of $2,500, (B) punitive damages,

(C) reasonable attorneys’ fees and litigation

costs, and (D) equitable relief.

18 U.S.C. § 2710(c).

WHO IS COVERED BY THE VPPA?

• VPPA defines “video tape service provider”

as “any person, engaged in the business,

in or affecting interstate or foreign

commerce, of rental, sale, or delivery of

prerecorded video cassette tapes or

similar audio visual materials…”

18 U.S.C. § 2710(a)(4) (emphasis added).

THE VPPA APPLIES TO DIGITAL DISTRIBUTION OF VIDEOS

“Indeed the Senate Report discusses

extensively the concept of privacy in an

evolving technological world. The court

concludes that Congress used ‘similar audio

video materials’ to ensure that VPPA’s

protections would retain their force even as

technologies evolve.”

In re Hulu Privacy Litigation, No. C 11-03764 LB (N.D. Cal. Aug. 10, 2012)

2012 VPPA AMENDMENTS

• The consumer’s initial written consent can now be obtained using

the Internet, provided that the consent is “separate and distinct

from any form setting forth other legal or financial obligations of

the consumer.”

• In other words, the consent cannot be buried in a long

privacy policy or terms and conditions.

More significantly, the VPPA Amendments permit the

consumer to choose between giving consent either: (1) in

advance for a set period of time — up to two years or until

consent is withdrawn, whichever is sooner; or (2) each

time disclosure is sought (as in the old version of the

statute).

DATA BREACHES

• Injury: Courts generally do not accept

theory that victims are at greater risk of

harm after data breach.

• Will this change with a sympathetic judge?

Note: To our knowledge, no federal judge

has yet been a victim of identity theft.

DATA BREACHES, #2

• Courts sometimes accept claims of failure

to inform about a security issue. Can be

an unfair or deceptive practice.

Bell v. Blizzard Entertainment, Inc.,

No. 12-9475 BRO (C.D. Cal. Jul. 11, 2013).

DATA BREACHES: Practical Need to Resolve

• A serious data breach generally needs to

be resolved with victims (employees,

customers, patients) as a business matter,

regardless of potential litigation.

Resolution might include:

– Identity theft insurance

– Fund for future damages

– Security audits and updates

ISP REDIRECTION

ISP redirection of customer communications

• ISP wiretapping with DPI devices

• Claims:

– Electronic Communications Privacy Act;

– Computer Fraud and Abuse Act

– (electronic wire-tapping and trespass)

MALWARE that steals private information

Don’t do this.

Federal court in Chicago recently certified one of largest

classes ever in adversarial litigation.

Allegation: Defendant loaded malware onto Internet

users’ computers; constantly collected files, passwords,

etc. Claims: violations of Stored Communication Act;

Electronic Communications Privacy Act; Computer Fraud

and Abuse Act.

Harris v. ComScore, Inc., No. 11-5807, 2013 WL 1339262 (N.D. Ill. Apr. 2, 2013).

UDAP STATUTES: The “unfair” prong

The Federal Trade Commission Act of 1914

prohibits “unfair or deceptive acts or

practices in or affecting commerce.”

15 U.S.C. § 45(a)(1) (emphasis added).

Courts tend to focus on “deceptive,”

not “unfair.” Now, renewed interest

in “unfair.”

FTCA STANDARD FOR “UNFAIR”

For the FTC to find an act or practice “unfair,” at a

minimum the act or practice must

• cause (or be likely to cause) substantial injury to

consumers;

• which is not reasonably avoidable by the consumers

themselves; and

• not outweighed by countervailing benefits to

consumers or to competition.

15 U.S.C. § 15(n).

WASHINGTON’S UDAP STATUTE: New interest in “unfair” prong

Washington’s Consumer Protection Act (CPA) prohibits

“unfair or deceptive acts or practices …” RCW § 19.86.020.

• Courts focused on “deceptive.” From 1983 to 2013, not a

single Wash. case dealt with “unfair.” Then, in 2013, state

supreme court held:

“The ‘or’ between ‘unfair’ and ‘deceptive’ is disjunctive.

… Our statute clearly establishes that unfair acts or

practices can be the basis for a CPA action.”

Klem v. Wash. Mut. Bank, 176 Wn. 2d 771, 787 (Wash. 2013).

WASHINGTON LAW Standard for “unfair”

• No current standard for “unfair.”

• 30-year-old case:

a) Whether practice is within penumbra of common-law,

statutory, or other established concept of unfairness;

b) Whether it is immoral, unethical, oppressive, or

unscrupulous;

c) Whether it causes substantial injury to consumers (or

competitors or businesses).

Magney v. Lincoln Mut. Sav. Bank, 34 Wn. App. 45, 57 (Wash. App. 1983).

WASHINGTON LAW Standard for “deceptive”

• Long-time standard for “deceptive”:

• An act or practice is “deceptive” if it has the

capacity to deceive a substantial portion of

the public.

– Klem v. Wash. Mut. Bank, 176 Wn. 2d 771, 787 (Wash. 2013)

– Hangman Ridge Training Stables, Inc. v. Safeco Title Ins. Co., 105 Wn. 2d 778, 785 (Wash. 1986)

WAYS TO REDUCE RISK OF PRIVACY LITIGATION – #1

• Carefully determine what data you

collect, store, and/or release

– To or about customers, business

partners, vendors, credit bureaus

– To or about employees

– To targeted advertisers

WAYS TO REDUCE RISK OF PRIVACY LITIGATION – #2

• Secure your data against breaches.

– In-house data [accidental release, hacking, theft, disgruntled employee]

– Data on laptops

– Data on phones

– Data accessible remotely

– Data in “cloud”

WAYS TO REDUCE RISK OF PRIVACY LITIGATION – #3

• Is the data you collect, store, and/or

release consistent with expectations?

– Is it consistent with your advertising?

– Is it consistent with contractual expectations?

– Is it consistent with your “Terms of Use”?

– Is it consistent with your Privacy Policy?

PRIVACY AND SECURITY AUDITS

• Get regular privacy audits and security that include

– Computer usage

– Internet usage

– Employee privacy

– Customer privacy

– Risk assessment

USE OF ALTERNATIVE DISPUTE RESOLUTION

Companies with direct first-party

relationships with consumers can avoid

many consumer class actions. How?

– Use mandatory arbitration agreements

with a class-action waiver.

– Caution: Unconscionability can

invalidate the agreement.

WIDELY INVALIDATED PRIOR TO 2011

Until 2011, the supreme courts of may

states invalidated mandatory arbitration and

class-action waivers on the ground that they

immunized companies from liability.

E.g.,

• Discover Bank v. Superior Court, 36 Cal. 4th 148 (Cal. 2005).

• Scott v. Cingular Wireless, 160 Wn. 2d 843 (Wash. 2007).

REASON FOR INVALIDATING

Example of reasoning:

“[W]hen … disputes … predictably involve

small amounts of damages, … then … the

waiver becomes in practice the exemption of

the party from responsibility for its own fraud

…”

Discover Bank v. Superior Court, 36 Cal. 4th 148, 162-163 (Cal. 2005) (original quotation marks and brackets omitted).

CHANGE OF LANDSCAPE – 2011

In 2011, U.S. Supreme Court held that, in a

case raising state-law claims, the Federal

Arbitration Act preempted state-court bans on

arbitration / class-action waivers:

– “Arbitration is a matter of contract, and the

FAA requires courts to honor parties’

expectations.”

AT&T Mobility LLC v. Concepcion, 563 U.S. __,

131 S. Ct. 1740, 1752 (2011) (Scalia, J.) (5-4).

CAN ARBITRATION CLAUSE BLOCK FEDERAL CLAIM?

• What about relying on an arbitration

clause and class-action waiver to block a

federal claim in court?

• Would Congress have intended the Federal

Arbitration Act to override prior and

subsequent federal laws expressly

granting a private right to sue?

YES

Yes:

“We consider whether a contractual waiver of

class arbitration is enforceable … when the

plaintiff’s cost of individually arbitrating a federal

statutory claim exceeds the potential recovery. …

No Contrary congressional command requires us

to reject the waiver of class arbitration.”

American Express Co. v. Italian Colors Restaurant, 133

S. Ct. 2304, 2307, 2309 (2013) (Scalia, J.) (5-4).

AMEX DISSENT

Dissent in Amex:

“The owner of a small restaurant (Italian Colors) thinks

that American Express (Amex) has used its monopoly

power to force merchants to accept a form contract

violating the antitrust laws. … The monopolist gets to use

its monopoly power to insist on a contract effectively

depriving its victims of all legal recourse.”

…

American Express Co. v. Italian Colors Restaurant,

133 S. Ct. 2304, 2313 (2013) (dissent).

AMEX DISSENT, CONTINUED

Dissent in Amex:

“The owner of a small restaurant (Italian Colors) thinks that American Express (Amex) has used its monopoly power to force merchants to accept a form contract violating the antitrust laws. … The monopolist gets to use its monopoly power to insist on a contract effectively depriving its victims of all legal recourse. …

Here is a nutshell version of today’s opinion,

admirably flaunted … : Too darn bad.”

American Express Co. v. Italian Colors Restaurant, 133 S. Ct. 2304, 2313 (2013) (dissent).

CAN “ADR” CLAUSE BE INVALID?

May an arbitration provision or class-action

waiver be invalidated?

Yes, “upon such grounds as exist at law or

in equity for the revocation of any

contract.”

9 U.S.C. § 2 (Federal Arbitration Act)

CAN “ADR” CLAUSE NOT APPLY?

Sometimes an arbitration provision or class-

action waiver will not apply.

When?

WHEN? – #1

Sometimes an arbitration provision or class-

action waiver will not apply.

When?

1. When a party to litigation is not a

party to the agreement to arbitrate

[Wrinkes: successor, agent, parent,

sub …]

WHEN? – #2

Sometimes an arbitration provision or class-action waiver will not apply.

When?

1. When a party to litigation is not a party to the agreement to arbitrate [Wrinkes: successor, agent, parent, sub …]

2. When the scope of the agreement to

arbitrate does not cover the dispute at

issue.

INDUSTRIES USING “ADR” CLAUSES TO BLOCK LITIGATION

Industries: Use of arbitration provisions & class-action waivers (case law just since July 2013):

Credit cards Banking / lending Software

Cellphone service Telecomm Internet service providers

Cable TV Employment

Consulting Construction Investment / brokerage

CBAs Internet / technology Insurance

Real estate Publishing Health plans

Franchising Biotech ERISA plans

Debt settlement Credit reporting Legal

BASICS OF RESOLVING A CLASS ACTION

A class action, like any litigation, may be

resolved by

– motion (e.g., summary judgment);

– trial; or

– settlement.

• Settlement reduces litigation expenses

and uncertainties and allows control

over remedies.

REQUIREMENTS FOR CLASS ACTION SETTLEMENTS

A class action may be settled in federal court only after:

– the judge directs notice in a reasonable manner

to all class members who would be bound;

– class members have an opportunity to object;

– the judge holds a hearing and determines that

the settlement is “fair, reasonable, and

adequate.”

Fed. R. Civ. P. 23(e).

COMMON FORMS OF RELIEF

Common forms of relief included in privacy settlements:

• Payments (or credits, for current customers)

– To all class members; or

– To class members who submit a claim.

• Injunctive relief

– Changing the challenged practice;

– Purging of data collected under old practice;

– Identity-theft protection / insurance.

• Cy pres fund

– Establish fund for “as near as possible” remedy in addition to

or in lieu of relief to individual class members.

DIRECT PAYMENT VS. CLAIMS PROCESS

• Payments to all class members:

– Pro: Everyone who was affected gets some relief

– Con: Amount may be nominal, which can annoy your customers

– Con: You may not know names & addresses

• Payments to only those who submit a claim:

– Pro: Fewer payments means each payment will be larger and more meaningful to recipient

– Pro: Claimants are self-identifying; you know names & addresses

– Con: Relief is likely to go to only a small fraction of class

BEST PRACTICES

Evolving best practices for claims process

• Use a robust notice program

• Differentiate the notice of settlement from junk mail or spam

• Make the claims process streamlined

– Choice: online or mail

– Claim web-page should be clear and simple:

Check, Check, Check, Submit.

– Claims administrator should work with claimants whose

claims are deficient

In re Baby Products

Approval – evolving standards or errant case law?

Some new case law indicates a settlement might not be

approved unless the judge knows either a minimum

amount to be paid or a total amount to be paid.

“We vacate the District Court’s orders approving the

settlement … Most importantly, it did not know the

amount of compensation that will be distributed

directly to the class.”

In re Baby Prod’s Antitrust Litig., 708 F.3d 163, 175

(3rd Cir. 2013).

PRIVACY SETTLEMENTS WITH CY PRES COMPONENT

It may be difficult to distribute funds directly to intended beneficiaries – i.e., the class members.

• Judges allow distributing funds for their next best use,

a purpose (often charitable) reasonably approximating

the interests pursued by the class.

– The term “cy pres” comes from the Norman French

expression cy près comme possible, which means

“as near as possible.”

NEW CASES ON SETTLEMENTS WITH CY PRES COMPONENT – #1

The Ninth Circuit requires that cy pres beneficiaries be

tethered to the nature of the lawsuit, the objectives of

the underlying statutes, and the interests of the class.

• In settling a class action alleging deceptive practices,

donation of $5.5 million to provide food for the indigent

was unacceptable. An appropriate cy pres recipient would

be an organization dedicated to protecting consumers from

deceptive practices.

Dennis v. Kellogg Co., 697 F.3d 858, 867 (9th Cir. 2012).

NEW CASES ON SETTLEMENTS WITH CY PRES COMPONENT– #2

In the Ninth Circuit, the cy pres distribution must “bear

a substantial nexus to the interests of the class

members …”

In a case involving online privacy, forming a new entity

to receive and distribute cy pres funds to other entities

that promote the causes of online privacy will benefit

class members and passes muster.

Lane v. Facebook, Inc., 696 F.3d 811, 821 (9th Cir.

2012), petition for cert. filed (Jul. 26, 2013).

NEW CASES ON SETTLEMENTS WITH CY PRES COMPONENT – #3

In the Ninth Circuit, if the cy pres donation is a dollar

amount of goods as opposed to cash, the settlement

should specify how the goods are to be valued – i.e.,

retail, wholesale, at cost?

And if the defendant already donates to charities, the

settlement should specify whether the cy pres donation

is in addition to what the company previously budgeted.

Dennis v. Kellogg Co., 697 F.3d 858, 867 (9th Cir. 2012).

COUPON SETTLEMENTS

“Coupon” components of class-action

settlements are disfavored. Such

settlements are treated critically in statute

and case law.

In re HP Inkjet Printer Litig., 716 F.3d 1173

(9th Cir. 2013).

WHEN YOU GET BACK TO THE OFFICE: To Do

(1) Find out what personal data you

collect/store and why.

(2) Find out to whom you give or sell the

data and who has access to it.

(3) Ask: Is this consistent with everyone’s

reasonable expectations (employees,

customers, web users, vendors, the

public, …)?