Deconstructing Data Privacy Class Actions
Grace E. Tersigni, KamberLaw, LLC
Cliff Cantor, Law Offices of Clifford A. Cantor, PC
DECONSTRUCTING DATA PRIVACY CLASS ACTIONS:
Roadmap
• Investigation
• Litigation
• Remediation
• Resolution
INVESTIGATION
• Consumer complaints
• Forensics
• Other sources include news reports, academic publications, and tipsters.
COMMON PRACTICES LEADING TO PRIVACY VIOLATIONS
• Website tracking
• Mobile tracking
• Data breaches
• ISP redirection
WEBSITE TRACKING
• Targets: first and third parties
• Practices: circumventing users’ browser controls
through:
– Adobe Flash LSOs aka Flash cookies
– HTML5
– CSS/browser cache hack
– DOM storage
– Browser history sniffing
– P3P compact policy spoofing
MOBILE DEVICE TRACKING
Unauthorized and unexpected
• location tracking; and
• collection and/or disclosure of personal
information.
– Targets include app developers; platform
providers; and third parties, i.e., metrics and
advertising companies
In re iPhone App. Litig., No. 5:11-MD-2250-LHK
• Claims under the California UCL, CLRA,
and FAL
• Geo-tagging – location services “off”
• iDevice data collection by 3rd parties
via apps
OTHER MOBILE DEVICE TRACKING CASES
• In re Google Android Consumer Privacy
Litigation (N.D. Cal. pending)
(Android data collection by 3rd parties via
apps)
• Goodman v. HTC and Accuweather (W.D.
Wash.) (HTC cellphones & embedded
Accuweather app)
VIDEO STREAMING
• Congress enacted the Video Privacy
Protection Act, 18 U.S.C. § 2710, aka the
“Bork Act,” in 1988 so that consumers’
decisions about what videos they want to
watch would remain private.
VIDEO STREAMING, #2
The VPPA makes it illegal—subject to certain
narrow exceptions—for a video provider to
knowingly disclose information that identifies
a person as having requested or obtained
specific video materials or services, unless the
provider obtains the consumer’s explicit
written, informed consent for each disclosure.
18 U.S.C. §§ 2710(b)(1), (b)(2)(B).
VIDEO STREAMING, #3
• Violations are subject to a private right of
action in federal court.
• A federal court may award (A) actual
damages but not less than liquidated
damages of $2,500, (B) punitive damages,
(C) reasonable attorneys’ fees and litigation
costs, and (D) equitable relief.
18 U.S.C. § 2710(c).
WHO IS COVERED BY THE VPPA?
• VPPA defines “video tape service provider”
as “any person, engaged in the business,
in or affecting interstate or foreign
commerce, of rental, sale, or delivery of
prerecorded video cassette tapes or
similar audio visual materials…”
18 U.S.C. § 2710(a)(4) (emphasis added).
THE VPPA APPLIES TO DIGITAL DISTRIBUTION OF VIDEOS
“Indeed the Senate Report discusses
extensively the concept of privacy in an
evolving technological world. The court
concludes that Congress used ‘similar audio
video materials’ to ensure that VPPA’s
protections would retain their force even as
technologies evolve.”
In re Hulu Privacy Litigation, No. C 11-03764 LB (N.D. Cal. Aug. 10, 2012)
2012 VPPA AMENDMENTS
• The consumer’s initial written consent can now be obtained using
the Internet, provided that the consent is “separate and distinct
from any form setting forth other legal or financial obligations of
the consumer.”
• In other words, the consent cannot be buried in a long
privacy policy or terms and conditions.
More significantly, the VPPA Amendments permit the
consumer to choose between giving consent either: (1) in
advance for a set period of time — up to two years or until
consent is withdrawn, whichever is sooner; or (2) each
time disclosure is sought (as in the old version of the
statute).
DATA BREACHES
• Injury: Courts generally do not accept
theory that victims are at greater risk of
harm after data breach.
• Will this change with a sympathetic judge?
Note: To our knowledge, no federal judge
has yet been a victim of identity theft.
DATA BREACHES, #2
• Courts sometimes accept claims of failure
to inform about a security issue. Can be
an unfair or deceptive practice.
Bell v. Blizzard Entertainment, Inc.,
No. 12-9475 BRO (C.D. Cal. Jul. 11, 2013).
DATA BREACHES: Practical Need to Resolve
• A serious data breach generally needs to
be resolved with victims (employees,
customers, patients) as a business matter,
regardless of potential litigation.
Resolution might include:
– Identity theft insurance
– Fund for future damages
– Security audits and updates
ISP REDIRECTION
ISP redirection of customer communications
• ISP wiretapping with DPI devices
• Claims:
– Electronic Communications Privacy Act;
– Computer Fraud and Abuse Act
– (electronic wire-tapping and trespass)
MALWARE that steals private information
Don’t do this.
Federal court in Chicago recently certified one of the largest
classes ever in adversarial litigation.
Allegation: Defendant loaded malware onto Internet
users’ computers; constantly collected files, passwords,
etc. Claims: violations of Stored Communications Act;
Electronic Communications Privacy Act; Computer Fraud
and Abuse Act.
Harris v. ComScore, Inc., No. 11-5807, 2013 WL 1339262 (N.D. Ill. Apr. 2, 2013).
UDAP STATUTES: The “unfair” prong
The Federal Trade Commission Act of 1914
prohibits “unfair or deceptive acts or
practices in or affecting commerce.”
15 U.S.C. § 45(a)(1) (emphasis added).
Courts tend to focus on “deceptive,”
not “unfair.” Now, renewed interest
in “unfair.”
FTCA STANDARD FOR “UNFAIR”
For the FTC to find an act or practice “unfair,” at a
minimum the act or practice must
• cause (or be likely to cause) substantial injury to
consumers;
• which is not reasonably avoidable by the consumers
themselves; and
• not outweighed by countervailing benefits to
consumers or to competition.
15 U.S.C. § 15(n).
WASHINGTON’S UDAP STATUTE: New interest in “unfair” prong
Washington’s Consumer Protection Act (CPA) prohibits
“unfair or deceptive acts or practices …” RCW § 19.86.020.
• Courts focused on “deceptive.” From 1983 to 2013, not a
single Wash. case dealt with “unfair.” Then, in 2013, state
supreme court held:
“The ‘or’ between ‘unfair’ and ‘deceptive’ is disjunctive.
… Our statute clearly establishes that unfair acts or
practices can be the basis for a CPA action.”
Klem v. Wash. Mut. Bank, 176 Wn. 2d 771, 787 (Wash. 2013).
WASHINGTON LAW Standard for “unfair”
• No current standard for “unfair.”
• 30-year-old case:
a) Whether practice is within penumbra of common-law,
statutory, or other established concept of unfairness;
b) Whether it is immoral, unethical, oppressive, or
unscrupulous;
c) Whether it causes substantial injury to consumers (or
competitors or businesses).
Magney v. Lincoln Mut. Sav. Bank, 34 Wn. App. 45, 57 (Wash. App. 1983).
WASHINGTON LAW Standard for “deceptive”
• Long-time standard for “deceptive”:
• An act or practice is “deceptive” if it has the
capacity to deceive a substantial portion of
the public.
– Klem v. Wash. Mut. Bank, 176 Wn. 2d 771, 787 (Wash. 2013)
– Hangman Ridge Training Stables, Inc. v. Safeco Title Ins. Co., 105 Wn. 2d 778, 785 (Wash. 1986)
WAYS TO REDUCE RISK OF PRIVACY LITIGATION – #1
• Carefully determine what data you
collect, store, and/or release
– To or about customers, business
partners, vendors, credit bureaus
– To or about employees
– To targeted advertisers
WAYS TO REDUCE RISK OF PRIVACY LITIGATION – #2
• Secure your data against breaches.
– In-house data [accidental release, hacking, theft, disgruntled employee]
– Data on laptops
– Data on phones
– Data accessible remotely
– Data in “cloud”
WAYS TO REDUCE RISK OF PRIVACY LITIGATION – #3
• Is the data you collect, store, and/or
release consistent with expectations?
– Is it consistent with your advertising?
– Is it consistent with contractual expectations?
– Is it consistent with your “Terms of Use”?
– Is it consistent with your Privacy Policy?
PRIVACY AND SECURITY AUDITS
• Get regular privacy and security audits that include
– Computer usage
– Internet usage
– Employee privacy
– Customer privacy
– Risk assessment
USE OF ALTERNATIVE DISPUTE RESOLUTION
Companies with direct first-party
relationships with consumers can avoid
many consumer class actions. How?
– Use mandatory arbitration agreements
with a class-action waiver.
– Caution: Unconscionability can
invalidate the agreement.
WIDELY INVALIDATED PRIOR TO 2011
Until 2011, the supreme courts of many
states invalidated mandatory arbitration and
class-action waivers on the ground that they
immunized companies from liability.
E.g.,
• Discover Bank v. Superior Court, 36 Cal. 4th 148 (Cal. 2005).
• Scott v. Cingular Wireless, 160 Wn. 2d 843 (Wash. 2007).
REASON FOR INVALIDATING
Example of reasoning:
“[W]hen … disputes … predictably involve
small amounts of damages, … then … the
waiver becomes in practice the exemption of
the party from responsibility for its own fraud
…”
Discover Bank v. Superior Court, 36 Cal. 4th 148, 162-163 (Cal. 2005) (original quotation marks and brackets omitted).
CHANGE OF LANDSCAPE – 2011
In 2011, U.S. Supreme Court held that, in a
case raising state-law claims, the Federal
Arbitration Act preempted state-court bans on
arbitration / class-action waivers:
– “Arbitration is a matter of contract, and the
FAA requires courts to honor parties’
expectations.”
AT&T Mobility LLC v. Concepcion, 563 U.S. __,
131 S. Ct. 1740, 1752 (2011) (Scalia, J.) (5-4).
CAN ARBITRATION CLAUSE BLOCK FEDERAL CLAIM?
• What about relying on an arbitration
clause and class-action waiver to block a
federal claim in court?
• Would Congress have intended the Federal
Arbitration Act to override prior and
subsequent federal laws expressly
granting a private right to sue?
YES
Yes:
“We consider whether a contractual waiver of
class arbitration is enforceable … when the
plaintiff’s cost of individually arbitrating a federal
statutory claim exceeds the potential recovery. …
No contrary congressional command requires us
to reject the waiver of class arbitration.”
American Express Co. v. Italian Colors Restaurant, 133
S. Ct. 2304, 2307, 2309 (2013) (Scalia, J.) (5-4).
AMEX DISSENT
Dissent in Amex:
“The owner of a small restaurant (Italian Colors) thinks that American Express (Amex) has used its monopoly power to force merchants to accept a form contract violating the antitrust laws. … The monopolist gets to use its monopoly power to insist on a contract effectively depriving its victims of all legal recourse. …
Here is a nutshell version of today’s opinion,
admirably flaunted … : Too darn bad.”
American Express Co. v. Italian Colors Restaurant, 133 S. Ct. 2304, 2313 (2013) (dissent).
CAN “ADR” CLAUSE BE INVALID?
May an arbitration provision or class-action
waiver be invalidated?
Yes, “upon such grounds as exist at law or
in equity for the revocation of any
contract.”
9 U.S.C. § 2 (Federal Arbitration Act)
CAN “ADR” CLAUSE NOT APPLY?
Sometimes an arbitration provision or class-
action waiver will not apply.
When?
1. When a party to litigation is not a
party to the agreement to arbitrate
[Wrinkles: successor, agent, parent,
sub …]
2. When the scope of the agreement to
arbitrate does not cover the dispute at
issue.
INDUSTRIES USING “ADR” CLAUSES TO BLOCK LITIGATION
Industries: Use of arbitration provisions & class-action waivers (case law just since July 2013):
Credit cards; Banking / lending; Software;
Cellphone service; Telecomm; Internet service providers;
Cable TV; Employment;
Consulting; Construction; Investment / brokerage;
CBAs; Internet / technology; Insurance;
Real estate; Publishing; Health plans;
Franchising; Biotech; ERISA plans;
Debt settlement; Credit reporting; Legal
BASICS OF RESOLVING A CLASS ACTION
A class action, like any litigation, may be
resolved by
– motion (e.g., summary judgment);
– trial; or
– settlement.
• Settlement reduces litigation expenses
and uncertainties and allows control
over remedies.
REQUIREMENTS FOR CLASS ACTION SETTLEMENTS
A class action may be settled in federal court only after:
– the judge directs notice in a reasonable manner
to all class members who would be bound;
– class members have an opportunity to object;
– the judge holds a hearing and determines that
the settlement is “fair, reasonable, and
adequate.”
Fed. R. Civ. P. 23(e).
COMMON FORMS OF RELIEF
Common forms of relief included in privacy settlements:
• Payments (or credits, for current customers)
– To all class members; or
– To class members who submit a claim.
• Injunctive relief
– Changing the challenged practice;
– Purging of data collected under old practice;
– Identity-theft protection / insurance.
• Cy pres fund
– Establish fund for “as near as possible” remedy in addition to
or in lieu of relief to individual class members.
DIRECT PAYMENT VS. CLAIMS PROCESS
• Payments to all class members:
– Pro: Everyone who was affected gets some relief
– Con: Amount may be nominal, which can annoy your customers
– Con: You may not know names & addresses
• Payments to only those who submit a claim:
– Pro: Fewer payments means each payment will be larger and more meaningful to recipient
– Pro: Claimants are self-identifying; you know names & addresses
– Con: Relief is likely to go to only a small fraction of class
BEST PRACTICES
Evolving best practices for claims process
• Use a robust notice program
• Differentiate the notice of settlement from junk mail or spam
• Make the claims process streamlined
– Choice: online or mail
– Claim web-page should be clear and simple:
Check, Check, Check, Submit.
– Claims administrator should work with claimants whose
claims are deficient
In re Baby Products
Approval – evolving standards or errant case law?
Some new case law indicates a settlement might not be
approved unless the judge knows either a minimum
amount to be paid or a total amount to be paid.
“We vacate the District Court’s orders approving the
settlement … Most importantly, it did not know the
amount of compensation that will be distributed
directly to the class.”
In re Baby Prod’s Antitrust Litig., 708 F.3d 163, 175
(3rd Cir. 2013).
PRIVACY SETTLEMENTS WITH CY PRES COMPONENT
It may be difficult to distribute funds directly to intended beneficiaries – i.e., the class members.
• Judges allow distributing funds for their next best use,
a purpose (often charitable) reasonably approximating
the interests pursued by the class.
– The term “cy pres” comes from the Norman French
expression cy près comme possible, which means
“as near as possible.”
NEW CASES ON SETTLEMENTS WITH CY PRES COMPONENT – #1
The Ninth Circuit requires that cy pres beneficiaries be
tethered to the nature of the lawsuit, the objectives of
the underlying statutes, and the interests of the class.
• In settling a class action alleging deceptive practices,
donation of $5.5 million to provide food for the indigent
was unacceptable. An appropriate cy pres recipient would
be an organization dedicated to protecting consumers from
deceptive practices.
Dennis v. Kellogg Co., 697 F.3d 858, 867 (9th Cir. 2012).
NEW CASES ON SETTLEMENTS WITH CY PRES COMPONENT – #2
In the Ninth Circuit, the cy pres distribution must “bear
a substantial nexus to the interests of the class
members …”
In a case involving online privacy, forming a new entity
to receive and distribute cy pres funds to other entities
that promote the causes of online privacy will benefit
class members and passes muster.
Lane v. Facebook, Inc., 696 F.3d 811, 821 (9th Cir.
2012), petition for cert. filed (Jul. 26, 2013).
NEW CASES ON SETTLEMENTS WITH CY PRES COMPONENT – #3
In the Ninth Circuit, if the cy pres donation is a dollar
amount of goods as opposed to cash, the settlement
should specify how the goods are to be valued – i.e.,
retail, wholesale, at cost?
And if the defendant already donates to charities, the
settlement should specify whether the cy pres donation
is in addition to what the company previously budgeted.
Dennis v. Kellogg Co., 697 F.3d 858, 867 (9th Cir. 2012).
COUPON SETTLEMENTS
“Coupon” components of class-action
settlements are disfavored. Such
settlements are treated critically in statute
and case law.
In re HP Inkjet Printer Litig., 716 F.3d 1173
(9th Cir. 2013).
WHEN YOU GET BACK TO THE OFFICE: To Do
(1) Find out what personal data you
collect/store and why.
(2) Find out to whom you give or sell the
data and who has access to it.
(3) Ask: Is this consistent with everyone’s
reasonable expectations (employees,
customers, web users, vendors, the
public, …)?