Articles Posted in Consumer Law

Published on:

Do you monitor what personal information companies access and store when you visit a website? Do you wish you had more ability to know what companies do with such data? In 2018, user data privacy rights have become a major topic for discussion. Starting with Europe’s enactment of the General Data Privacy Regulation earlier in the year, and California’s passing of the Consumer Privacy Act, we have seen many changes in the online legal world. The trend continues, with internet giants now lobbying for a federal regulatory scheme, which would reduce the number of laws they have to comply with if each state follows California and enacts its own user privacy legislation. In this blog, we will provide an overview of the recent changes.

After California passed a law this year that grants consumers greater data privacy rights, there has been much backlash from technology giants. Facebook, Google, Microsoft, and IBM are currently lobbying officials in Washington for a federal privacy law that would overrule California’s legislation. These technology giants are hoping for such legislation to be passed through Congress, as the lobbyists would influence how the law is written, giving them discretion over their ability to use personal data and information. Because federal law on such a matter would supersede state law, California’s user privacy law may come to naught.

According to Ernesto Falcon of Electronic Frontier Foundation, a user rights group, the strategy of Facebook, Google, and Microsoft here is “to neuter California[‘s law] for something much weaker on the federal level.  The companies are afraid of California because it sets the bar for other states.”  As user data and information is such a key part of the business model of the social media companies – who use such information to sell advertisements – they want as much freedom as possible to collect and exploit such data.

Published on:

For this week’s blog post, we will continue with the topic of recent Supreme Court decisions that are affecting the business, e-commerce, and internet world.  Specifically, we will discuss Ohio v. American Express, a case involving the Sherman Antitrust Act and major credit card companies.

In the United States, credit card use is composed mainly of four cards: Visa (45%), American Express (26.4%), MasterCard (23.3%), and Discover (5.3%).  In 2010, the government and 17 states sued American Express, Visa, and Mastercard, alleging that the credit card companies were unreasonably restraining trade and therefore violating the Sherman Antitrust Act.  The government claimed that the credit card companies’ “anti-steering provisions” suppressed competition from rival credit card networks. These anti-steering provisions were between the credit card companies and merchants, and prohibited merchants from “steering” cardholders at the point-of-sale to use cards with lower merchant transaction fees.  Notably, American Express charged the highest transaction fee for merchants.

In fact, both Visa and MasterCard settled with the government in a consent decree in 2011 to change their anti-steering provisions. American Express, however, continued to litigate up until the Supreme Court case was decided on June 25, 2018. American Express’s business model is different from that of most credit card companies, which generate revenue mainly from the credit portion of the transactions. It instead focuses on offering better rewards to consumers than other credit cards, typically attracting higher-spending, wealthier consumers. It then generates the majority of its revenue from merchant fees, arguing that higher merchant fees are justified by the higher-spending clientele that it brings to merchants (AmEx also has a higher minimum spending amount for cardholders than other credit cards).

Published on:

On May 30, 2018, the California State Senate voted to pass a bill that will ensure net neutrality on the internet in the State of California. With the FCC’s repeal of Obama-era net neutrality rules going into effect on June 11, 2018, California’s bill will provide for continued net neutrality protection. The bill, officially known as Senate Bill 822 (SB 822), passed the Senate by a vote of 23-12. The bill will next go to the State Assembly to be voted on by the end of August. If the bill passes the Assembly, it must finally be signed by Governor Jerry Brown in order to become law.

If made into law, the bill will prohibit Internet Service Providers (ISPs) from manipulating internet traffic.  Net neutrality rules ensure that ISPs cannot slow down or block access to certain websites, or give some websites and content quicker access speeds than others.  Preventing willful alteration by ISPs of internet connections between devices and sources of content is the key focus of net neutrality rules.  SB 822 will also allow the state to supervise commercial interconnection deals between corporate customers and ISPs to ensure that corporate customers are not taken advantage of by ISPs’ dominant market power.  Interconnection arrangements typically occur between content providers such as YouTube and Netflix, and ISPs such as Spectrum or AT&T.

The net neutrality rules would also ban third-party paid prioritization, as well as application-specific differential pricing.  Paid prioritization occurs when content providers pay ISPs a fee in order to ensure that users have higher access speeds to their websites than competitors’ websites.  ISPs claim that preventing this business model may cause an increase in the price that consumers pay for internet service.  Differential pricing is when goods or services are offered at different price points to different consumers.  For example, a company such as Microsoft may charge a higher fee to corporate customers for Microsoft Office software than to a personal user who purchases the software for use at home.  Differential pricing comes into play in the net neutrality laws with regards to user access to applications, content, and platforms (ACP).

Published on:

In general, internet commerce transpires on the national and international levels. Naturally, data protection is an important concern for private and public agencies. The European Union’s remaining members are currently in the process of adopting another measure to protect data, with the “General Data Protection Regulation” (GDPR) set to take effect next year. This differs from the previous Privacy Shield in some respects, as it is broader, expands beyond the European Union, and deals with any individual that may have a shred of a connection to the European Union. So, what is GDPR? What does it require? Also, what are the consequences for non-compliance?

What is the GDPR?

The GDPR grants the following as rights to a data subject (i.e., a user): breach notification; right to access a copy of personal data free of charge in electronic format; right to be forgotten; data portability, allowing transmission to another provider; privacy by design for systems; and data protection officers in cases where constant monitoring of data subjects on a large scale may occur, or for special categories of data regarding criminal convictions.

Published on:

Spam, for those lucky enough to be unfamiliar with it, is the unsolicited commercial email that often clutters up inboxes with offers of sales and services that range from the reliable to the questionable. Due to the issues presented to consumers, Congress, in its wisdom, enacted a law called the CAN-SPAM Act, and began enforcing it in 2004. First, what is the CAN-SPAM Act and what does it prohibit? Second, as a federal law, does the CAN-SPAM Act override, or preempt, those laws a state may already have in place? How can you tell if that may happen?

What is the CAN-SPAM Act?

The CAN-SPAM Act prohibits the transmission of any email that contains false or misleading headers or “from” lines. For example, a business that is not Facebook, and has nothing to do with Facebook, would be prohibited from sending an email with the subject “Your Facebook account has been compromised” or sending an email from www.facebook.com. In addition, this law requires three disclosures: (1) clear and conspicuous identification that the message is an advertisement or solicitation; (2) clear and conspicuous notice of the opportunity to decline to receive further commercial email messages from the sender; and (3) a valid physical postal address of the sender. This is done, in part, because the legislation aims to help consumers under the principle that they should not be misled and should have a right to say no to unsolicited commercial emails.

Published on:

Class certification can be a complicated issue that does not just rely on fulfilling the usual requirements. For example, in Gass v. Best Buy Co., Inc., an issue of fact had to be determined in order to confirm the class action certification.

What was the court’s decision in Gass v. Best Buy Co., Inc.?

Gass v. Best Buy Co., Inc. was a class action that failed due to the way plaintiffs’ claim was brought. In this case, multiple parties brought separate lawsuits against Best Buy claiming that its practices were against the Song-Beverly Credit Card Act. The claimants then merged their claims. The “class” claimed to be representing “[a]ll persons from whom Defendant requested and recorded personal identification information in conjunction with a credit card transaction… and a subclass of those who were asked for their information relating to the pre-enrollment . . . in Defendant’s Reward Zone program in conjunction with a credit card transaction.” The Song-Beverly Credit Card Act says that companies may not request or require, as a condition to accepting the credit card, the cardholder to provide personal identification information. The practices in question were: (1) when employees asked customers for additional information if they agreed to be in the Rewards program; (2) when customers were asked for their phone number if they forgot their member cards; and (3) if a card failed to swipe on a charge over $100, the customer would be asked for a zip code in order to look up his/her information. First, the court determined that these requests for identification were not illegal. Second, since the requests for information were not a violation, the court ruled that plaintiffs could not be certified as a class. This was because the definition of those affected was overbroad and included customers who may not have suffered any violation. The court ruled that, if the plaintiffs wished to pursue a specific violation, each could proceed individually.

Published on:

The CAN-SPAM Act is the federal act that preempts state anti-spam laws. In response to this federal statute, California and many other states have passed similar anti-spam laws. Do you have a new company that needs to market to a broader community? Will your company create an email list to reach out to new users, customers, or clients? Then you should be aware of the federal and state laws and how they can create liability.

What is the CAN-SPAM Act?

The CAN-SPAM Act mostly focuses on unsolicited commercial email. It stands for Controlling the Assault of Non-Solicited Pornography and Marketing. This federal law prohibits any commercial email that is fraudulent or deceptive and requires all email messages to include an opt-out option for the recipients. Although the law is focused on companies that disguise the source or purpose of the email, the impetus for passing the bill was the growing cost problem for those receiving mass amounts of emails such as non-profit companies, educational facilities, and other businesses with limited server space. However, this law “only provides a private cause of action to internet service providers that have been adversely affected by prohibited commercial e-mails, and does not extend a cause of action to the recipients of such e-mails.” See Hypertouch, Inc. v. ValueClick, Inc., 192 Cal. App. 4th 805, 123 Cal. Rptr. 3d 8 (2011). Therefore, it is up to the states to determine whether individual recipients of spam can bring suit against companies or individuals.

Published on:

In an online penny auction, participants purchase bids for a fee, with each bid placed on a particular item increasing the price of the item by a small increment (e.g., one penny) and extending the bidding period for that item by a few seconds. The last participant to place a bid before the bidding period ends pays the website the final price for the item. Unlike traditional online auction websites like eBay, all penny auction participants must pay to play. Thus, it is common for losing bidders to spend significant amounts of money, but receive nothing of value. In this sense, critics have likened penny auctions to gambling.

Are Penny Auctions Considered Gambling?

In general, bid fees are paid to the penny auction website, rather than pooled and awarded to the winner, so a bid is not technically a “bet” or “wager.” As such, existing gambling legislation probably does not apply, so consumers are protected from illegal gambling charges. Moreover, under California law, whether online gambling is an illegal “lottery” depends in part on the degree of chance involved—specifically, whether the game is “dominated by chance.” While penny auctions involve chance, the element of strategic bidding, based on factors like remaining time to bid and expected website traffic, weighs against finding that the auctions constitute illegal lotteries.

Published on:

These days, many people spend time on their electronic devices to become members of internet dating services. Many companies are now providing online dating services to their members. In general, the online dating services require their members to submit a profile, which may include personal information (e.g., name, email address, date-of-birth, and photos). As a result, the internet dating service may be sued by its members or third parties for various legal claims.

What Are the Typical Legal Claims Against Internet Dating Services?

In recent years, the internet dating services have been targets of lawsuits.  In some cases, the internet dating service may facilitate sexual encounters between its members, which can lead to its member being arrested for having sex with a minor.  In other cases, the members defame, harass, stalk, or bully each other.  In these cases, the courts have enforced or dismissed the civil claims against the internet dating service for various reasons.  The typical claims against the internet dating service may be for breach of contract, negligence, deceptive trade practice, Lanham Act violation, failure to warn, invasion of privacy, defamation, or fraud.  It is important to note that each of the aforesaid claims requires specific elements and supporting evidence to pass muster in court.  See The Perils and Pitfalls of Online Dating for more information.

Published on:

Purchasing commercial general liability and umbrella insurance policies is one way to protect your business from liability. However, these types of policies have not adapted to protect policyholders from certain types of cyber liability. This issue was recently exposed in a case against Urban Outfitters, Inc., and its subsidiary, Anthropologie, Inc. (collectively “Urban Outfitters”). Urban Outfitters found itself with no suitable insurance coverage when facing several lawsuits for privacy infringement that resulted from credit card transactions. Many businesses collect customer data, and infringements of customer privacy may not be covered by traditional insurance policies. Do you run a business that collects consumer data? Are you unsure how far your insurance coverage extends in protecting against consumer data breaches? If so, then you may contact us to speak to an attorney about whether you should obtain cyber liability insurance.

What Was the Issue in the Urban Outfitters Case?

In OneBeacon America Insurance Company v. Urban Outfitters, et al., Urban Outfitters was sued in three different states for consumer privacy breaches. Urban Outfitters was sued because of its practice of collecting consumer zip code information when processing credit card transactions. This practice violated multiple consumer privacy laws. Urban Outfitters then looked to its insurance company to defend the multiple lawsuits. However, the insurance company claimed that its general liability policy did not cover that kind of privacy breach. The federal court in Pennsylvania agreed, and held that the insurance company was not obligated to defend Urban Outfitters in any of the lawsuits. The general liability policy only covered “oral or written publication of material that violates a person’s right of privacy,” and even though Urban Outfitters violated consumer privacy, it never published that material.