InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
California Class Action Suits Allege Mislabeled Privacy Policy Links
In the last three months, five class action cases filed in California under the state’s “Shine a Light” statute have alleged that online businesses, including Microsoft Corp., CBS Interactive Inc., and Time Inc., failed to properly label links to their privacy policies. The five suits, all filed by a single firm, claim $3,000 per violation plus additional damages (Boorstein v. CBS Interactive Inc., Cal. Super. Ct., No. 476015, complaint filed 12/28/11; Boorstein v. Men's Journal LLC, Cal. Super. Ct., No. 475697, complaint filed 12/22/11; Miller v. Hearst Communications, C.D. Cal., No. 12-733, complaint filed 1/27/12; Murray v. Time Inc., N.D. Cal., No. 12–431, notice of removal filed 1/26/12; Smith v. Microsoft Corp., Cal. Super. Ct., No. 476413, complaint filed 1/9/12). The "Shine a Light" statute, in effect since 2005, requires businesses that collect California residents’ personal data and then share that data for marketing purposes to disclose or allow consumers to opt out of that sharing. Each defendant company allegedly mislabeled links to their online privacy policies or otherwise failed to meet the statute’s requirements.
California AG and Mobile Platforms Agree to Require Privacy Policies for Apps
On February 22, California Attorney General Kamala Harris announced an agreement with six leading mobile platform companies to ensure that apps on those platforms have privacy policies. Privacy policies are already required under the California Online Privacy Protection Act, which governs commercial websites and online services that collect personal data from California residents. The new agreement also includes commitments from the six companies - Amazon, Apple, Google, Hewlett-Packard, Microsoft, and Research in Motion - to educate app developers about user privacy obligations.
White House Privacy Report Pushes for New Laws and Industry Self-Regulation
On February 23, the White House released a report on consumer privacy, setting out a Consumer Privacy Bill of Rights. The proposed Bill of Rights consists of seven broad principles, including individual control, security, and transparency of data use. The report asks Congress to codify the recommendations as a statute enforceable by the Federal Trade Commission, and identifies FTC enforcement as critical to ensuring privacy protections. Pending or absent congressional action, the report promises that the administration will work with the private sector to adopt new protections on voluntary basis. The administration will hold stakeholder forums to develop legally enforceable codes of conduct. Finally, the report addresses the need for international interoperability and coordination of enforcement.
NIST Publishes Recommendations for Establishing Governance Structure for Implementation of National Trusted Identities Strategy
On February 7, the National Institute of Standards and Technology (NIST) published a report with recommendations for developing a governance system to implement the National Strategy for Trusted Identities in Cyberspace (NSTIC). The NSTIC directs the federal government to work with private sector stakeholders to establish and maintain an identity ecosystem for internet transactions aimed at promoting trust, privacy, and security. The report summarizes comments received in response to a June 2011 Notice of Inquiry (NOI) that sought public input regarding the establishment and structure of a private sector-led steering group to implement the NSTIC. Based on those comments, stakeholder workshops, and best practices from similar governance efforts, the report presents recommendations in four areas: (i) steering group initiation, (ii) steering group structure, (iii) stakeholder representation, and (iv) international coordination. The report also includes a recommended charter to establish the steering group and notes that, subject to public comment and finalization of the approach outlined in the report, NIST intends to initiate a competitive grant program to fund a secretariat responsible for convening the initial steering group.
Illinois Federal Court Holds That False-CMI Claims Fail Where the CMI is Not on the Same Webpage as the Copyrighted Text
On February 8, the U.S. District Court for the Northern District of Illinois dismissed a false-copyright management information (CMI) claim because the allegedly false CMI was not on the same webpage as the text at issue. Personal Keepsakes, Inc. v. Personalizationmall.com, Inc., No. 1:11-cv-05177, 2012 WL 414803 (N.D. Ill. Feb. 8, 2012). The plaintiff used a website to sell keepsake items that incorporated poetry it had written and copyrighted. Competing websites later copied that poetry and incorporated it into their own products. The plaintiff sued these competitors after discovering that their website terms and conditions suggested that they, not the plaintiff, had copyrighted the poems. The plaintiff claimed that by doing so, its competitors violated the Digital Millennium Copyright Act’s prohibition on “conveying” false CMI. The court disagreed, however, and held that because plaintiff had not posted the CMI in close proximity to the poems, it was not “conveyed” with the poems and could not form the basis of a false-CMI claim as a matter of law.
FTC Warns That Mobile Background Screening Apps May Violate FCRA
On February 7, the FTC announced that it had warned three mobile application marketers that their mobile background screening applications may be violating the Fair Credit Reporting Act (FCRA). The FTC described some of the six applications at issue as including criminal record histories, which are a type of information typically used in employment and tenant screening. While the FTC has not made a determination as to whether these firms are violating FCRA, it reminded the companies that if they have reason to believe the mobile applications include information about individuals’ character, reputation, or personal characteristics that is used or expected to be used for purposes such as employment, housing or credit, the marketers and their customers must comply with FCRA. Under FCRA, firms that assemble or evaluate such information to provide to third parties qualify as consumer reporting agencies and are required to (i) take reasonable steps to ensure the user of each report has a “permissible purpose” to use the report, (ii) take reasonable steps to ensure the maximum possible accuracy of the information conveyed in its reports, and (iii) provide users of its reports with information about their obligations under the FCRA.
New York Federal Court Affirms Enforceability Of Terms Of Service Available By Hyperlink
On January 24, the U.S. District Court for the Southern District of New York held in Fteja v. Facebook Inc., No. 11-918, 2012 WL 183896 (S.D.N.Y. Jan. 24, 2012), that an experienced Internet user received adequate notice to be bound by Facebook’s Terms of Service when he pushed a button indicating his assent to the terms, which were available via a hyperlink near the button. The user had sued Facebook in New York state court for allegedly wrongly terminating his account. When Facebook removed the case to federal court and moved to transfer the action to the Northern District of California, citing the mandatory forum selection clause in its Terms of Service, the user argued that the Terms were unenforceable because he never saw or agreed to them. The court granted Facebook’s motion to transfer after finding that Facebook’s signup process “reasonably communicated” the Terms despite a second step, clicking the hyperlink, being required to view the Terms.
FTC Settles Claims Against Negative-Option Sales Operators
On February 1, the Federal Trade Commission (FTC) announced a settlement with two individuals alleged to have operated businesses that improperly collected consumer information and then used that data to enroll consumers in negative-option programs that promised to match consumers with payday lenders. The FTC claimed the operators enrolled consumers in the payday lender matching program without consumer consent and refused to provide promised refunds. Under the settlement agreement, the individuals must pay nearly $10 million and will be prohibited from marketing secured loan products. The agreement also bars the individuals from making certain misrepresentations and prohibits the conduct at issue.
CFPB Releases First Semi-Annual Report, Director Testifies Before Senate Banking Committee
On January 31, the Consumer Financial Protection Bureau (CFPB) released its first semi-annual report to Congress and CFPB Director Richard Cordray appeared before the Senate Banking Committee. The report reviews the CFPB's structure and purpose, and provides a general overview of the CFPB's activities to date. The report also identifies consumer "shopping challenges" by product category (i.e., challenges that consumers face when shopping for mortgages, credit cards, and student loans), and identifies the CFPB's planned activities for the next six months.
Issues raised during the Senate hearing included: (i) prepaid card regulation, (ii) the definition of "abusive" as it is used in the Dodd-Frank Act, (iii) the "ability to pay" rule required by Dodd-Frank, and (iv) treatment of privileged information during the examination process. First, the Director acknowledged the importance of innovation in the card market, but also noted that regulation of credit and debit cards likely have pushed the market towards prepaid cards. He noted legislation sponsored by Senator Menendez to regulate the prepaid card market, and said the Bureau would welcome legislation addressing prepaid card issues. Second, consistent with his statements to the House Financial Services Committee, the Director reported that a rulemaking to further define the term "abusive" is not currently on the CFPB's agenda. Third, Director Cordray did not provide insight into the CFPB's view of the "ability to repay" rule, noting that at this time the Bureau has not prepared a draft rule. Finally, Director Cordray indicated support for a legislative fix to protect legal privileges applicable to documents and information that could be requested by the CFPB during the course of its examinations.
New Jersey Updates Title Recordation Laws
On January 17, New Jersey enacted a 2010-2011 session bill, A2565, to modernize the state's title recordation laws to permit the use of electronic documents and to reorganize and streamline the state's recordation requirements. Given that the federal E-sign Act and the New Jersey Uniform Electronic Transactions Act both authorize the acceptance of electronic alternatives to paper documents and encourage the development of systems that accept electronic documents, the bill updates state law to, for example, (i) broaden the definition of "document" and "recorded" to allow for electronic recordation; (ii) delete statutory references to separate sets of books or separate databases for different kinds of documents; (iii) remove requirements for marginal notation of documents; and (iv) require development of standard formats for electronic documents.