InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Parties reach agreement to resolve data scraping allegations
On December 8, the U.S. District Court for the Northern District of California issued a consent judgment and permanent injunction against a now-defunct plaintiff data analytics company in an action concerning whether the plaintiff breached a user agreement with a defendant professional networking site by using an automated process to extract user data (a process known as “scraping”) for the purposes of selling its analytics services to businesses. The case was sent back to the district court earlier this year by the U.S. Court of Appeals for the Ninth Circuit (on remand from the U.S. Supreme Court) after the appellate court affirmed the district court’s order preliminarily enjoining the defendant from denying the plaintiff access to publicly available member profiles. (Covered by Infobytes here.)
As previously covered by InfoBytes, last month the district court ruled that the plaintiff breached its user agreement by creating fake accounts and copying url data as part of its scraping process. Nonetheless, at the time, the district court noted that there remained a legitimate dispute over whether the defendant waived its right to enforce the user agreement after the plaintiff openly discussed its business model, including its reliance on scraping, at conferences it organized that were attended by defendant’s executives. The district court further questioned when the defendant became aware of the plaintiff’s scaping, whether it should have taken “steps to legally enforce against known scraping” sooner, and whether the defendant can raise certain defenses to its breach of contract claim tied to the plaintiff’s data scraping and unauthorized use of data.
On December 6, the parties separately reached an agreement to resolve all outstanding claims in the case. The final consent judgment enters a $500,000 judgment against the plaintiff and waives all other monetary relief. Additionally, the plaintiff is permanently enjoined from scraping or accessing the defendant’s platform without express written permission, whether directly or indirectly through a third party or whether logged in to an account or not. The plaintiff is also prohibited from developing, using, selling, or distributing any software or code for data collection from the defendant’s platform. The plaintiff must also delete all software code in its possession that is designed to access the defendant’s platform, must delete all member profile data in its possession (including data stored with a third party), and is barred from “using, distributing, selling, analyzing, or otherwise accessing any data” collected without the defendant’s express permission, whether directly or indirectly through a third party, among other requirements.
9th Circuit revives data breach class action against French cryptocurrency wallet provider
On December 1, the U.S. Court of Appeals for the Ninth Circuit affirmed in part and reversed in part a district court’s dismissal of a putative class action brought against a French cryptocurrency wallet provider and its e-commerce vendor for lack of personal jurisdiction. As previously covered by InfoBytes, plaintiffs—customers who purchased hardware wallets through the vendor’s platform between July 2017 and June 2020—alleged violations of state-level consumer protection laws after a 2020 data breach exposed the personal contact information of thousands of customers. Plaintiffs contended, among other things, that when the breach was announced in 2020, the wallet provider failed to inform them that their data was involved in the breach, downplayed the seriousness of the attack, and did not disclose that the attack on its website and the vendor’s data theft were connected. The district court held that it did not have jurisdiction over the French wallet provider, and ruled, among other things, that the plaintiffs did not establish that the wallet provider “expressly aimed” its activities towards California in a way that would establish specific jurisdiction, and “did not cause harm in California that it knew was likely to be suffered there.” The district court further held that the fact that the vendor was headquartered in California at the time the breach occurred was not sufficient to establish general jurisdiction because the vendor moved to Canada before the class action was filed. “Courts have uniformly held that general jurisdiction is to be determined no earlier than the time of filing of the complaint,” the district court wrote, dismissing the case with prejudice.
On appeal, the 9th Circuit concluded that dismissal was improper because the French wallet provider’s contracts with California were sufficient to establish jurisdiction under the “purposeful availment” framework. The appellate court explained that because the French wallet provider sold roughly 70,000 wallets in the state, collected California sales tax, and shipped wallets directly to California addresses, the “facts suffice to establish purposeful availment because [the French wallet provider’s] contacts with the forum cannot be characterized as ‘random, isolated, or fortuitous.’” However, the 9th Circuit limited the claims to only those brought by California residents under the state’s consumer protection laws. A forum-selection clause in the French wallet provider’s privacy policy and terms of use documents provided that disputes would be subject to the exclusive jurisdiction of French courts, the appellate court said, which was enforceable except with respect to the class claims of California residents brought under California law “because it violated California public policy against waiver of consumer rights under California’s Consumer Legal Remedies Act.”
The 9th Circuit also determined that the district court abused its discretion in disallowing any jurisdictional discovery concerning the defendant e-commerce vendor. Explaining that the e-commerce vendor employs more than 200 people who work remotely from California, including a data-protection officer (DPO) who may have played a role related to the data breach, the appellate court wrote that “[b]ecause more facts are needed to determine whether those activities support the exercise of jurisdiction, we reverse the district court’s denial of jurisdictional discovery with respect to the DPO’s role and responsibilities and his relationship to [the e-commerce vendor], which processed and stored the data.”
9th Circuit says number generator does not violate TCPA
On November 16, the U.S. Court of Appeals for the Ninth Circuit upheld a district court’s dismissal of a proposed TCPA class action, holding that in order for technology to meet the definition of an “automatic telephone dialing system” (autodialer), the system must be able to “generate and dial random or sequential telephone numbers under the TCPA’s plain text.” Plaintiff claimed he began receiving marketing texts from the defendant after he provided his phone number to an insurance company on a website. Plaintiff sued alleging violations of the TCPA and asserting that the defendant used a “sequential number generator” to select the order in which to call customers who had provided their phone numbers. This type of number generator qualifies as an autodialer under the TCPA, the plaintiff contended, referring to a footnote in the U.S. Supreme Court’s ruling in Facebook v. Duguid (covered by a Buckley Special Alert), which narrowed the definition of an autodialer under the TCPA and said “an autodialer might use a random number generator to determine the order in which to pick phone numbers from a preproduced list.” Defendant countered, however, that its system is not an autodialer, and “that the TCPA defines an autodialer as one that must generate telephone numbers to dial, not just any number to decide which pre-selected phone numbers to call.”
The 9th Circuit was unpersuaded by the plaintiff’s argument, calling it an “acontextual reading of a snippet divorced from the context of the footnote and the entire opinion.” The appellate court pointed out that nothing in Facebook suggests that the Supreme Court “intended to define an autodialer to include the generation of any random or sequential number.” The 9th Circuit further explained that “[u]sing a random or sequential number generator to select from a pool of customer-provided phone numbers would not cause the harms contemplated by Congress.”
District Court: Unclear when networking site became aware of data scraping
On November 3, the U.S. District Court for the Northern District of California issued an order ruling on cross-motions for summary judgment in an action concerning whether a now-defunct plaintiff data analytics company breached a user agreement with a defendant professional networking site by using an automated process to extract user data (a process known as “scraping”) for the purposes of selling its analytics services to businesses. The defendant claimed that the user agreement prohibits scraping, and sent the plaintiff a cease-and-desist letter demanding it stop and alleging violations of the Computer Fraud and Abuse Act (CFAA) as well as various state laws. In response, the plaintiff sued the defendant, arguing that it had a right to access the public pages, and later sought a preliminary injunction, which the district court granted.
As previously covered by InfoBytes, earlier this year, the U.S. Court of Appeals for the Ninth Circuit, on remand from the U.S. Supreme Court, affirmed the district court’s order preliminarily enjoining the defendant from denying the plaintiff access to publicly available member profiles. The 9th Circuit had previously affirmed the preliminary injunction, but was called to further consider whether the CFAA applies to the plaintiff’s data scraping after the U.S. Supreme Court vacated the appellate court’s judgment in light of its ruling in Van Buren v. United States. The 9th Circuit found that the ruling in Van Buren, in which the Supreme Court suggested the CFAA only applies in cases where someone is accused of hacking into or exceeding their authorized access to a network that is protected, or in situations where the “gates are up,” narrowed the CFAA’s scope and most likely did not apply to cases involving data scraped in bulk by automated bots from public websites. The appellate court concluded, among other things, that the defendant showed that it “currently has no viable way to remain in business other than using [the networking site’s] public profile data” for its analytic services and “demonstrated a likelihood of irreparable harm absent a preliminary injunction.” Moreover, the 9th Circuit rejected the defendant’s claims that the plaintiff violated the CFAA.
In partially granting the defendant’s motion and denying the plaintiff’s, the district court ruled that the plaintiff breached its user agreement by directing the creation of fake accounts and copying of url data as part of its scraping process. Nonetheless, the district court noted there remains a legitimate dispute over whether the defendant waived its right to enforce the user agreement after the plaintiff openly discussed its business model, including its reliance on scraping, at conferences it organized that were attended by defendant’s executives. Moreover, questions remain for trial as to when the defendant became aware of the plaintiff’s scaping, whether it should have taken “steps to legally enforce against known scraping” sooner, and whether the defendant can raise certain defenses to its breach of contract claim tied to the plaintiff’s data scraping and unauthorized use of data.
9th Circuit says district court must reassess statutory damages in TCPA class action
On October 20, the U.S. Court of Appeals for the Ninth Circuit ordered a district court to reassess the constitutionality of a statutory damages award in a TCPA class action. Class members alleged the defendant (a multi-level marketing company) made more than 1.8 million unsolicited automated telemarketing calls featuring artificial or prerecorded voices without receiving prior express consent. The district court certified a class of consumers who received such a call made by or on behalf of the defendant, and agreed with the jury’s verdict that the defendant was responsible for the prerecorded calls at the statutorily mandated damages of $500 per call, resulting in total damages of more than $925 million. Two months later, the FCC granted the defendant a retroactive waiver of the heightened written consent and disclosure requirements, and the defendant filed post-trial motions with the district court seeking to “decertify the class, grant judgment as a matter of law, or grant a new trial on the ground that the FCC’s waiver necessarily meant [defendant] had consent for the calls made.” In the alternative, the defendant challenged the damages award as being “unconstitutionally excessive” under the Due Process Clause of the Fifth Amendment.
On appeal, the 9th Circuit affirmed most of the district court’s ruling, including upholding its decision to certify the class. Among other things, the appellate court determined that the district court correctly held that the defendant waived its express consent defense based on the retroactive FCC waiver because “no intervening change in law excused this waiver of an affirmative defense.” The appellate court found that the defendant “made no effort to assert the defense, develop a record on consent, or seek a stay pending the FCC’s decision,” even though it knew the FCC was likely to grant its petition for a waiver. While the 9th Circuit did not take issue with the $500 congressionally-mandated per call damages figure, and did not disagree with the total number of calls, it stressed that the “due process test applies to aggregated statutory damages awards even where the prescribed per-violation award is constitutionally sound.” Recognizing that Congress “set a floor of statutory damages at $500 for each violation of the TCPA but no ceiling for cumulative damages, in a class action or otherwise,” the appellate court explained that such damages “are subject to constitutional limitation in extreme situations,” and “in the mass communications class action context, vast cumulative damages can be easily incurred, because modern technology permits hundreds of thousands of automated calls and triggers minimum statutory damages with the push of a button.” Accordingly, the 9th Circuit ordered the district court to reassess the damages in light of these concerns.
9th Circuit says telemarketing texts sent to mixed-use cells phones fall under TCPA
On October 12, a split U.S. Court of Appeals for the Ninth Circuit reversed a district court’s dismissal of a TCPA complaint, disagreeing with the argument that the statute does not cover unwanted text messages sent to businesses. Plaintiffs (who are home improvement contractors) alleged that the defendants used an autodialer to send text messages to sell client leads to plaintiffs' cell phones, including numbers registered on the national do-not-call (DNC) registry. The plaintiffs contented they never provided their numbers to the defendants, nor did they consent to receiving text messages. The defendants countered that the plaintiffs lacked Article III and statutory standing because the TCPA only protects individuals from unwanted calls. The district court agreed, ruling that the plaintiffs lacked statutory standing and dismissed the complaint with prejudice.
On appeal, the majority disagreed, stating that the plaintiffs did not expressly consent to receiving texts messages from the defendants and that their alleged injuries are particularized. In determining that the plaintiffs had statutory standing under sections 227(b) and (c) of the TCPA, the majority rejected the defendants’ argument that the TCPA only protects individuals from unwanted calls. While the defendants claimed that by operating as home improvement contractors the plaintiffs fall outside of the TCPA’s reach, the majority determined that all of the plaintiffs had standing to sue under § 227(b), “[b]ecause the statutory text includes not only ‘person[s]’ but also ‘entit[ies].’” With respect to the § 227(c) claims, which only apply to “residential” telephone subscribers, the appellate court reviewed whether a cell phone that is used for both business and personal reasons can qualify as a “residential” phone. Relying on the FCC’s view that “a subscriber’s use of a residential phone (including a presumptively residential cell phone) in connection with a homebased business does not necessarily take an otherwise residential subscriber outside the protection of § 227(c),” and “in the absence of FCC guidance on this precise point,” the majority concluded that a mixed-use phone is “presumptively ‘residential’ within the meaning of § 227(c).”
Writing in a partial dissent, one judge warned that the majority’s opinion “usurps the role of the FCC and creates its own regulatory framework for determining when a cell phone is actually a ‘residential telephone,’ instead of deferring to the FCC’s narrower and more careful test.” The judge added that rather than “deferring to the 2003 TCPA Order which extended the protections of the national DNC registry to wireless telephones only to the extent they were similar to residential telephones, a reasonable interpretation of the TCPA, the majority has leaped over the FCC’s limitations to provide its own, much laxer, regulatory framework and procedures that broadly allow anybody who owns a cell phone to sue telemarketers under the TCPA.”
9th Circuit affirms $20.8 million disgorgement award
On August 24, the U.S. Court of Appeals for the Ninth Circuit affirmed a $20.8 million disgorgement award and agreed with a district court’s decision to hold the defendants jointly and severally liable. The defendants appealed the district court’s 2021 final judgment of disgorgement, which ordered them to disgorge more than $20.8 million in an action concerning money that was collected from investors for a cancer treatment center that was never built. As previously covered by InfoBytes, the district court’s order followed a 2020 U.S. Supreme Court ruling (covered by InfoBytes here), in which the high court examined whether the SEC’s statutory authority to seek “equitable relief” permits it to seek and obtain disgorgement orders in federal court. The Supreme Court ultimately held that the SEC may continue to collect disgorgement in civil proceedings in federal court as long as the award does not exceed a wrongdoer’s net profits, and that such awards for victims of the wrongdoing are equitable relief permissible under § 78u(d)(5). The Supreme Court vacated the original $26.7 million judgment and remanded to the lower court to examine the disgorgement amount in light of its opinion. Of the nearly $27 million raised, the SEC alleged the defendants misappropriated approximately $20 million of the funds through payments to overseas marketing companies and to salaries. To calculate the final disgorgement award, the court subtracted what it determined were “legitimate expenses,” including $2.2 million in administrative expenses and $3.1 million in business development expenses, from the nearly $27 million raised.
On appeal, the 9th Circuit reviewed the proper method of calculating disgorgement as an equitable remedy in an SEC enforcement action and found “no error with the district court’s factual findings as to the illegitimate expenses or with the district court’s disgorgement award.” In so finding, the 9th Circuit explicitly rejected appellants argument that disgorgement was improper because the venture resulted in “no revenues and no profit,” finding that such a result “would not produce an equitable remedy.” The appellate court also determined that because the common law “permit[s] liability for partners engaged in concerted wrongdoing,” the district court did not err in holding both defendants jointly and severally liable where there was evidence the appellant in question “played an integral role” in the fraudulent scheme.
9th Circuit to rehear en banc whether tribal lenders can arbitrate RICO claims
On June 6, a majority of nonrecused active judges on the U.S. Court of Appeals for the Ninth Circuit vacated a previously issued opinion that said tribal lenders could arbitrate Racketeer Influenced and Corrupt Organizations Act (RICO) class action claims, saying it will rehear the case en banc. As previously covered by InfoBytes, last September the 9th Circuit panel majority concluded that “an agreement delegating to an arbitrator the gateway question of whether the underlying arbitration agreement is enforceable must be upheld unless that specific delegation provision is itself unenforceable.” The panel reviewed whether California residents who received loans from an online lender were allowed to pursue class RICO claims based on allegations that they were charged interest rates exceeding state limits from lenders claiming tribal immunity. The district court granted class certification and ruled that the entire arbitration agreement, including provisions containing a class action waiver, was unenforceable. On appeal, the panel majority cited to the U.S. Supreme Court’s decision in Rent-A-Center, West, Inc. v. Jackson, which determined, among other things, that when a party challenges an entire agreement—not just an arbitration provision—deciding “gateway” issues such as enforceability must be delegated to an arbitrator. “[W]hen there is a clear delegation provision, that question is . . . for the arbitrator to decide so long as the delegation provision itself does not eliminate parties’ rights to purse their federal remedies,” the majority wrote. The dissenting judge held, however, that the panel majority “misunderstood the effect of the choice-of-law provisions in the agreements,” arguing that the provisions curtail an arbitrator’s authority by allowing application of “only tribal law and a small and irrelevant subset of federal law,” thus preventing an arbitrator “from applying the law necessary to determine whether the delegation provisions and the arbitration agreements are valid.” He further contended that the panel majority’s decision diverged from decisions reached by several sister circuits, which “have consistently condemned the arbitration agreements embedded in tribal internet payday loan agreements, including those used by the very same lenders as in this case.”
9th Circuit affirms lower court’s decision in TCPA suit
On June 10, the U.S. Court of Appeals for the Ninth Circuit affirmed a lower court’s ruling on summary judgment that an individual’s text messages sent to a financial institution provided the express consent required under the TCPA to be contacted via an autodialer system. According to the opinion, the plaintiff, who was not a customer of the defendant, sent 11 text messages to the defendant’s short code number. Ten of the messages were unrelated to the defendant’s business, and the plaintiff’s messages were replied to with an automated message providing instructions about how to stop receiving text messages and how to contact the defendant. The remaining text message from the plaintiff to the defendant consisted of the word “STOP” to which the defendant replied with the response that plaintiff is not subscribed and will not receive alerts. These reply texts were the only text messages the defendant sent to the plaintiff’s mobile phone. Based on these facts, the plaintiff filed suit in the District of Connecticut, alleging that the defendant violated the TCPA by replying to his text messages using an automatic call-generating capability without obtaining the plaintiff’s consent. The defendant filed a motion to dismiss on procedural grounds, and plaintiff voluntarily withdrew the suit and subsequently sued in the District of Hawaii under similar facts and claims. The court granted the defendant’s motion for summary judgment, ruling that each of the texts sent to the defendant by the plaintiff constituted prior express consent to receive reply texts. The court also awarded attorneys’ fees to defendant as “costs” under Federal Rule of Civil Procedure 41(d).
The 9th Circuit agreed with the district court’s determination that the plaintiff “expressly consented to receive reply text messages.” With respect to the awarding of attorney’s fees, the appellate court recognized a circuit split on the issue of whether Rule 41(d) costs included attorney’s fees, and held that, (i) “costs” under Rule 41(d) does not include attorney’s fees as a matter of right and (ii) for purposes of the TCPA, “cost” does not include attorney’s fees because “it is undisputed that the TCPA does not provide for the award of attorney’s fees to the prevailing party.”
9th Circuit says CFPB can seek restitution in action against payday lender
On May 23, the U.S. Court of Appeals for the Ninth Circuit upheld a district court’s judgment finding an online loan servicer and its affiliates liable for a deceptive loan scheme. However, the appellate court vacated the district court’s order, which had imposed a $10 million civil penalty (rather than the requested penalty of over $50 million) and had declined the CFPB's request for $235 million in restitution. As previously covered by InfoBytes, in 2018, the district court ordered the defendants to pay the civil penalty for offering high-interest loans in states with usury laws barring the transactions after determining in September 2016 that the online loan servicer was the “true lender” of the loans that were issued through entities located on tribal land (covered by a Buckley Special Alert). At the time, the district court found that a lower statutory penalty was more appropriate than the CFPB’s requested amount because the Bureau failed to show the company “knowingly violated the CFPA” or acted “recklessly.” In rejecting the Bureau’s requested restitution amount, the district court found that the agency had not put forth any evidence that the defendants “intended to defraud consumers or that consumers did not receive the benefit of their bargain from the [program]” for restitution to be an appropriate remedy.
According to the 9th Circuit, the district court applied the wrong legal analysis in 2018 when it assessed only a $10 million civil money penalty against the defendants and no restitution payments to consumers harmed by the improper loans. By applying federal common law choice-of-law principles, the appellate court declined to apply tribal law, holding that state laws applied to the loans, thus rendering them invalid. The appellate court determined that the defendants acted recklessly when they attempted to collect on invalid debts after counsel advised in 2013 that such actions were likely illegal. While the defendants shut down the tribal lending program for new loans, the 9th Circuit said they continued to collect on existing loans. “We conclude that from September 2013 on, the danger that [defendants’] conduct violated the statute was ‘so obvious that [defendants] must have been aware of it,’” the appellate court wrote. Noting that penalties for “reckless” violations under tier two were appropriate beginning September 2013, the appellate court ordered the district court to recalculate the civil penalty on remand. The 9th Circuit also directed the district court on remand to reconsider the appropriate restitution without relying on irrelevant considerations that motivated its earlier decision, including (i) whether defendants acted in bad faith; and (ii) “whether consumers received the benefit of their bargain.” Moreover, the appellate court held that the district court erred by stating “that the ‘proposed restitution amount [should be] netted to account for expenses.’”
The 9th Circuit also concluded that the district court was correct in holding one of the individual defendants personally liable for the company’s conduct. Furthermore, the appellate court held that the defendants’ argument that the structure of the Bureau is unconstitutional did not affect the validity of the lawsuit (which was filed when the Bureau was headed by lawfully appointed former Director Richard Cordray), writing that, as in Collins v. Yellen (covered by InfoBytes here), “the unlawfulness of the removal provision does not strip the Director of the power to undertake the other responsibilities of his office.”