InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Federal Court Holds Combination of Clickwrap Agreement and 30-Day Right to Cancel Letter Made Arbitration Clause Clear to User
Recently, the U.S. District Court for the District of Colorado held that a clickwrap agreement combined with a follow up thirty-day right to cancel letter presented users with an arbitration clause in a reasonably conspicuous manner. Grosvenor v. Qwest Corp., No. 09-02848, 2012 WL 602655 (D. Colo. Feb. 23, 2012). The plaintiff brought suit against his internet service provider (ISP), Qwest Corporation, claiming that Qwest violated a lifetime price guarantee for the service. Qwest moved to compel arbitration. The court held that although the terms were not presented in the clearest manner, they were sufficiently conspicuous and provided an opportunity for a reasonable user to review them. The installation software provided to the plaintiff specifically mentioned the existence of an arbitration clause, directed the plaintiff to the ISP's website to review the agreement, and required that the plaintiff accept the terms before installing the software. The court raised concerns that once directed to the ISP website to review the arbitration terms, the plaintiff was required to click through two pages to find the terms. Despite this, the court stated that, as a matter of law, the multiple clicks requirement does not prevent contractual formation. Moreover, a follow up "Welcome Letter" sent to the plaintiff by the ISP again identified the arbitration clause and provided plaintiff with an opportunity to cancel the service within thirty days. The court decline to determine whether either the clickwrap agreement or the letter would be sufficient on their own, but together they rendered the contractual terms sufficiently clear for a reasonable user. In the end, the court found the arbitration agreement unenforceable on other grounds.
California Class Action Suits Allege Mislabeled Privacy Policy Links
In the last three months, five class action cases filed in California under the state’s “Shine a Light” statute have alleged that online businesses, including Microsoft Corp., CBS Interactive Inc., and Time Inc., failed to properly label links to their privacy policies. The five suits, all filed by a single firm, claim $3,000 per violation plus additional damages (Boorstein v. CBS Interactive Inc., Cal. Super. Ct., No. 476015, complaint filed 12/28/11; Boorstein v. Men's Journal LLC, Cal. Super. Ct., No. 475697, complaint filed 12/22/11; Miller v. Hearst Communications, C.D. Cal., No. 12-733, complaint filed 1/27/12; Murray v. Time Inc., N.D. Cal., No. 12–431, notice of removal filed 1/26/12; Smith v. Microsoft Corp., Cal. Super. Ct., No. 476413, complaint filed 1/9/12). The "Shine a Light" statute, in effect since 2005, requires businesses that collect California residents’ personal data and then share that data for marketing purposes to disclose or allow consumers to opt out of that sharing. Each defendant company allegedly mislabeled links to their online privacy policies or otherwise failed to meet the statute’s requirements.
California AG and Mobile Platforms Agree to Require Privacy Policies for Apps
On February 22, California Attorney General Kamala Harris announced an agreement with six leading mobile platform companies to ensure that apps on those platforms have privacy policies. Privacy policies are already required under the California Online Privacy Protection Act, which governs commercial websites and online services that collect personal data from California residents. The new agreement also includes commitments from the six companies - Amazon, Apple, Google, Hewlett-Packard, Microsoft, and Research in Motion - to educate app developers about user privacy obligations.
White House Privacy Report Pushes for New Laws and Industry Self-Regulation
On February 23, the White House released a report on consumer privacy, setting out a Consumer Privacy Bill of Rights. The proposed Bill of Rights consists of seven broad principles, including individual control, security, and transparency of data use. The report asks Congress to codify the recommendations as a statute enforceable by the Federal Trade Commission, and identifies FTC enforcement as critical to ensuring privacy protections. Pending or absent congressional action, the report promises that the administration will work with the private sector to adopt new protections on voluntary basis. The administration will hold stakeholder forums to develop legally enforceable codes of conduct. Finally, the report addresses the need for international interoperability and coordination of enforcement.
NIST Publishes Recommendations for Establishing Governance Structure for Implementation of National Trusted Identities Strategy
On February 7, the National Institute of Standards and Technology (NIST) published a report with recommendations for developing a governance system to implement the National Strategy for Trusted Identities in Cyberspace (NSTIC). The NSTIC directs the federal government to work with private sector stakeholders to establish and maintain an identity ecosystem for internet transactions aimed at promoting trust, privacy, and security. The report summarizes comments received in response to a June 2011 Notice of Inquiry (NOI) that sought public input regarding the establishment and structure of a private sector-led steering group to implement the NSTIC. Based on those comments, stakeholder workshops, and best practices from similar governance efforts, the report presents recommendations in four areas: (i) steering group initiation, (ii) steering group structure, (iii) stakeholder representation, and (iv) international coordination. The report also includes a recommended charter to establish the steering group and notes that, subject to public comment and finalization of the approach outlined in the report, NIST intends to initiate a competitive grant program to fund a secretariat responsible for convening the initial steering group.
Illinois Federal Court Holds That False-CMI Claims Fail Where the CMI is Not on the Same Webpage as the Copyrighted Text
On February 8, the U.S. District Court for the Northern District of Illinois dismissed a false-copyright management information (CMI) claim because the allegedly false CMI was not on the same webpage as the text at issue. Personal Keepsakes, Inc. v. Personalizationmall.com, Inc., No. 1:11-cv-05177, 2012 WL 414803 (N.D. Ill. Feb. 8, 2012). The plaintiff used a website to sell keepsake items that incorporated poetry it had written and copyrighted. Competing websites later copied that poetry and incorporated it into their own products. The plaintiff sued these competitors after discovering that their website terms and conditions suggested that they, not the plaintiff, had copyrighted the poems. The plaintiff claimed that by doing so, its competitors violated the Digital Millennium Copyright Act’s prohibition on “conveying” false CMI. The court disagreed, however, and held that because plaintiff had not posted the CMI in close proximity to the poems, it was not “conveyed” with the poems and could not form the basis of a false-CMI claim as a matter of law.
FTC Warns That Mobile Background Screening Apps May Violate FCRA
On February 7, the FTC announced that it had warned three mobile application marketers that their mobile background screening applications may be violating the Fair Credit Reporting Act (FCRA). The FTC described some of the six applications at issue as including criminal record histories, which are a type of information typically used in employment and tenant screening. While the FTC has not made a determination as to whether these firms are violating FCRA, it reminded the companies that if they have reason to believe the mobile applications include information about individuals’ character, reputation, or personal characteristics that is used or expected to be used for purposes such as employment, housing or credit, the marketers and their customers must comply with FCRA. Under FCRA, firms that assemble or evaluate such information to provide to third parties qualify as consumer reporting agencies and are required to (i) take reasonable steps to ensure the user of each report has a “permissible purpose” to use the report, (ii) take reasonable steps to ensure the maximum possible accuracy of the information conveyed in its reports, and (iii) provide users of its reports with information about their obligations under the FCRA.
New York Federal Court Affirms Enforceability Of Terms Of Service Available By Hyperlink
On January 24, the U.S. District Court for the Southern District of New York held in Fteja v. Facebook Inc., No. 11-918, 2012 WL 183896 (S.D.N.Y. Jan. 24, 2012), that an experienced Internet user received adequate notice to be bound by Facebook’s Terms of Service when he pushed a button indicating his assent to the terms, which were available via a hyperlink near the button. The user had sued Facebook in New York state court for allegedly wrongly terminating his account. When Facebook removed the case to federal court and moved to transfer the action to the Northern District of California, citing the mandatory forum selection clause in its Terms of Service, the user argued that the Terms were unenforceable because he never saw or agreed to them. The court granted Facebook’s motion to transfer after finding that Facebook’s signup process “reasonably communicated” the Terms despite a second step, clicking the hyperlink, being required to view the Terms.
FTC Settles Claims Against Negative-Option Sales Operators
On February 1, the Federal Trade Commission (FTC) announced a settlement with two individuals alleged to have operated businesses that improperly collected consumer information and then used that data to enroll consumers in negative-option programs that promised to match consumers with payday lenders. The FTC claimed the operators enrolled consumers in the payday lender matching program without consumer consent and refused to provide promised refunds. Under the settlement agreement, the individuals must pay nearly $10 million and will be prohibited from marketing secured loan products. The agreement also bars the individuals from making certain misrepresentations and prohibits the conduct at issue.
CFPB Releases First Semi-Annual Report, Director Testifies Before Senate Banking Committee
On January 31, the Consumer Financial Protection Bureau (CFPB) released its first semi-annual report to Congress and CFPB Director Richard Cordray appeared before the Senate Banking Committee. The report reviews the CFPB's structure and purpose, and provides a general overview of the CFPB's activities to date. The report also identifies consumer "shopping challenges" by product category (i.e., challenges that consumers face when shopping for mortgages, credit cards, and student loans), and identifies the CFPB's planned activities for the next six months.
Issues raised during the Senate hearing included: (i) prepaid card regulation, (ii) the definition of "abusive" as it is used in the Dodd-Frank Act, (iii) the "ability to pay" rule required by Dodd-Frank, and (iv) treatment of privileged information during the examination process. First, the Director acknowledged the importance of innovation in the card market, but also noted that regulation of credit and debit cards likely have pushed the market towards prepaid cards. He noted legislation sponsored by Senator Menendez to regulate the prepaid card market, and said the Bureau would welcome legislation addressing prepaid card issues. Second, consistent with his statements to the House Financial Services Committee, the Director reported that a rulemaking to further define the term "abusive" is not currently on the CFPB's agenda. Third, Director Cordray did not provide insight into the CFPB's view of the "ability to repay" rule, noting that at this time the Bureau has not prepared a draft rule. Finally, Director Cordray indicated support for a legislative fix to protect legal privileges applicable to documents and information that could be requested by the CFPB during the course of its examinations.