InfoBytes Blog
Filter
Subscribe to our InfoBytes Blog weekly newsletter and other publications for news affecting the financial services industry.
Parties reach agreement to resolve data scraping allegations
On December 8, the U.S. District Court for the Northern District of California issued a consent judgment and permanent injunction against a now-defunct plaintiff data analytics company in an action concerning whether the plaintiff breached a user agreement with a defendant professional networking site by using an automated process to extract user data (a process known as “scraping”) for the purposes of selling its analytics services to businesses. The case was sent back to the district court earlier this year by the U.S. Court of Appeals for the Ninth Circuit (on remand from the U.S. Supreme Court) after the appellate court affirmed the district court’s order preliminarily enjoining the defendant from denying the plaintiff access to publicly available member profiles. (Covered by Infobytes here.)
As previously covered by InfoBytes, last month the district court ruled that the plaintiff breached its user agreement by creating fake accounts and copying url data as part of its scraping process. Nonetheless, at the time, the district court noted that there remained a legitimate dispute over whether the defendant waived its right to enforce the user agreement after the plaintiff openly discussed its business model, including its reliance on scraping, at conferences it organized that were attended by defendant’s executives. The district court further questioned when the defendant became aware of the plaintiff’s scaping, whether it should have taken “steps to legally enforce against known scraping” sooner, and whether the defendant can raise certain defenses to its breach of contract claim tied to the plaintiff’s data scraping and unauthorized use of data.
On December 6, the parties separately reached an agreement to resolve all outstanding claims in the case. The final consent judgment enters a $500,000 judgment against the plaintiff and waives all other monetary relief. Additionally, the plaintiff is permanently enjoined from scraping or accessing the defendant’s platform without express written permission, whether directly or indirectly through a third party or whether logged in to an account or not. The plaintiff is also prohibited from developing, using, selling, or distributing any software or code for data collection from the defendant’s platform. The plaintiff must also delete all software code in its possession that is designed to access the defendant’s platform, must delete all member profile data in its possession (including data stored with a third party), and is barred from “using, distributing, selling, analyzing, or otherwise accessing any data” collected without the defendant’s express permission, whether directly or indirectly through a third party, among other requirements.
District Court says sellers may be vicariously liable for third-party TCPA violations
On December 5, the U.S. District Court for the Western District of Washington denied an online retail pharmacy’s (defendant) motion for summary judgment in a TCPA suit. According to the order, the defendant engaged with a third party to call potential customers and transfer leads who were interested in the defendant’s services to its inbound call center. The order further noted that the third party contracted with another company to generate leads. Like the third party, the company did not make any calls but contracted with one or more vendors to place calls. The plaintiff received two calls from a prerecorded message that introduced itself as a person with the company. After asking the plaintiff if anyone in the household used prescription medications, among other things, he was transferred to an employee of the defendant who identified the defendant company by name and tried to sell the plaintiff their services. The plaintiff sued the defendant, arguing that it was “vicariously liable” for calls he received from a telemarketer that transferred the calls to the defendant’s sales representative. The defendant argued it was not directly liable under the TCPA because it did not directly place the calls to the plaintiff. The defendant also said it was not vicariously liable for calls placed by vendors because those vendors did not have express or implied actual authority to place calls for the defendant.
According to the district court, courts may hold sellers such as the defendant vicariously liable for TCPA violations of third-party callers “where the plaintiff establishes an agency relationship, as defined by federal common law, between the defendant and the third-party caller.” The court further wrote that labeling the contracted company “an independent contractor in the agreement with [the defendant] does not foreclose a finding that an agency relationship existed.” The district court also noted that there was a “genuine issue” of material fact as to whether the defendant had an agency relationship with the contracted company’s vendor.
Social media platform awarded $365,000 in scraping suit
On December 8, the U.S. District Court for the Northern District of California enjoined a data trading company (defendant) from accessing a social media platform (plaintiff), and ordered it to pay $361,790 in attorney fees and $3,640 in court costs to the platform. According to the complaint, the defendant unlawfully scraped the profiles of over 90 million of the plaintiff’s users before selling the data. The complaint specifically alleged that the defendant sold “in-depth insights into the demographics and psychographics of influencers and their audiences.” The order enjoined the defendants from, among other things: (i) accessing or attempting to access the plaintiff’s platforms; (ii) developing, offering, and marketing software or computer code intended to automate the collection of data; and (iii) engaging in any activity that disrupts the plaintiff’s platforms.
Appellate court reverses BIPA decision
On November 30, the Illinois Court of Appeal for the Fourth Appellate District reversed and remanded a trial court’s decision to grant a defendant plating company’s motion for summary judgment in a Biometric Information Privacy Act (BIPA) suit. The plaintiff began working for the defendant in 2014. From the beginning of his employment, the plaintiff clocked into his job using a fingerprint, but the defendant did not have a written retention-and-destruction schedule for biometric data until 2018. The plaintiff was subsequently terminated and then filed suit claiming that the defendant violated BIPA by failing to establish a retention-and-destruction schedule for the possession of biometric information until four years after it first possessed the plaintiff’s biometric data. The trial court granted the defendant’s motion for summary judgment, finding that section 15(a) of BIPA established no time limits by which a private entity must establish a retention-and-destruction schedule for biometric data. The plaintiff appealed.
The appellate court reversed the trial court’s order, finding that Section 15(a) specified that a private entity “in possession of” biometric data must develop a written policy laying out its retention and destruction protocols, and the duty to develop a schedule is triggered by possession of the biometric data. The appellate court noted that its decision “is consistent with the statutory scheme, which imposes upon private entities the obligation to establish [BIPA]-compliant procedures to protect employees' and customers' biometric data.” The appellate court went on to note that it “can discern no rational reason for the legislature to have intended that a private entity ‘develop’ a ‘retention schedule and guidelines for permanently destroying’ (id. § 15(a)) biometric data at a different time from that specified in the notice requirement in section 15(b), which itself must inform the subject of the length of time for which the data will be stored (i.e., retained), etc.” The appellate court concluded “that the duty to develop a schedule upon possession of the data necessarily means that the schedule must exist on that date, not afterwards,” and stressed that this is “the only reasonable interpretation” in light of BIPA's “preventive and deterrent purposes.”
Furthermore, the appellate court rejected the defendant’s argument that “the statutory duty is satisfied so long as a schedule exists on the day that the biometric data possessed by a defendant is no longer needed or the parties’ relationship has ended," stating that the statutory language “belies this interpretation.”
California appellate court upholds judgment in RFDCPA suit
On November 23, the California Court of Appeal for the Fourth Appellate District upheld a summary judgment ruling for a creditor over allegations that it violated the Rosenthal Fair Debt Collection Practices Act (RFDCPA). The plaintiff, the widow of a former patient of the defendant doctor, asserted claims against the doctor and his professional corporation (collectively, “defendants”) alleging that they were debt collectors within the meaning of the RFDCPA. The plaintiff alleged that the defendants violated the RFDCPA by sending “multiple bills and making incessant” phone calls seeking payment for services provided to her husband before he died. The plaintiff requested that the defendants stop contacting her and seek payment through insurance and the hospital. The defendants used two different companies for its third-party billing services, and those companies sent invoices to the plaintiff, who responded that payment inquiries for her deceased husband should only be submitted to the insurance company and the medical center. The trial court granted the defendants’ motion for summary judgment, ruling they did not meet the statute’s definition of a debt collector.
The appellate court affirmed, finding that “a medical service provider that exclusively uses an unaffiliated, third-party billing service to collect payment for services rendered to patients” is not a “debt collector” within the meaning of the RFDCPA. The court found that although the RFDCPA “applies to those who collect debts on behalf of themselves,” the law still requires that a defendant “must regularly and in the ordinary course of business ‘engage in’ debt collection” for liability to attach. The appellate court emphasized that it was not holding that “a creditor may never be vicariously liable for the actions of a debt collector on an agency theory.” Instead, the plaintiff carried “the burden to demonstrate a triable issue of material fact on the existence of such an agency relationship, and she failed to do so on this record.”
Supreme Court asked to stay judgment holding that HEROES Act does not authorize the creation of the DOE’s student debt relief plan
Recently, the DOJ filed an application on behalf of the Department of Education (DOE) asking the U.S. Supreme Court to stay a judgment entered by the U.S. District Court for the Northern District of Texas in an action related to whether the agency’s student debt relief plan violated the Administrative Procedure Act’s (APA) notice-and-comment rulemaking procedures. As previously covered by InfoBytes, the district court held that while the HEROES Act expressly exempts the APA’s notice-and-comment obligations, the district court stressed that the HEROES Act “does not provide the executive branch clear congressional authorization to create a $400 billion student loan forgiveness program,” and, moreover, does not mention loan forgiveness. On December 1, the U.S. Court of Appeals for the Fifth Circuit denied the DOE’s motion for stay pending appeal.
In its application, the DOE argued that the plaintiffs never asserted that the debt relief plan exceeded the education secretary’s statutory authority. Instead, the DOE argued, the plaintiffs alleged only that they were improperly denied the opportunity to comment on the plan, stressing that while the district court recognized that the HEROES Act expressly exempts the APA’s notice-and-comment obligations, it went further by holding that the plan went beyond the secretary’s authority. “The district court profoundly erred by raising and deciding a claim that respondents did not assert and could not have asserted,” the DOE stressed, further adding that the plaintiffs did not claim that providing debt relief to other borrowers would inflict injury on them. Beyond this, the secretary’s plan “falls squarely within the plain text of his statutory authority,” the DOE asserted. The DOE requested that the Supreme Court stay the district court’s judgment, or in the alternative, defer the application pending oral argument and treat it as a petition for certiorari before judgment, grant the petition, and hear the case along with a second separate action, discussed below, involving a challenge to an injunction that temporarily prohibits the Secretary of Education from discharging any federal loans under the agency’s student debt relief plan.
As previously covered by InfoBytes, on December 1, the Supreme Court agreed to hear the Biden administration’s appeal of an injunction entered by the U.S. Court of Appeals for the Eighth Circuit. The 8th Circuit held that “the equities strongly favor an injunction considering the irreversible impact the Secretary’s debt forgiveness action would have as compared to the lack of harm an injunction would presently impose,” and pointed to the fact that the collection of student loan payments and the accrual of interest have both been suspended. (Covered by InfoBytes here.) The 8th Circuit’s opinion followed a ruling issued by the U.S. District Court for the Eastern District of Missouri, which dismissed an action filed by state attorneys general from Nebraska, Missouri, Arkansas, Iowa, Kansas, and South Carolina for lack of Article III standing after concluding that the states—which attempted “to assert a threat of imminent harm in the form of lost tax revenue in the future”— failed to establish imminent and non-speculative harm sufficient to confer standing. In an unsigned order, the Supreme Court deferred the Biden administration’s application to vacate, pending oral argument. Oral arguments are scheduled for February 28, 2023.
9th Circuit revives data breach class action against French cryptocurrency wallet provider
On December 1, the U.S. Court of Appeals for the Ninth Circuit affirmed in part and reversed in part a district court’s dismissal of a putative class action brought against a French cryptocurrency wallet provider and its e-commerce vendor for lack of personal jurisdiction. As previously covered by InfoBytes, plaintiffs—customers who purchased hardware wallets through the vendor’s platform between July 2017 and June 2020—alleged violations of state-level consumer protection laws after a 2020 data breach exposed the personal contact information of thousands of customers. Plaintiffs contended, among other things, that when the breach was announced in 2020, the wallet provider failed to inform them that their data was involved in the breach, downplayed the seriousness of the attack, and did not disclose that the attack on its website and the vendor’s data theft were connected. The district court held that it did not have jurisdiction over the French wallet provider, and ruled, among other things, that the plaintiffs did not establish that the wallet provider “expressly aimed” its activities towards California in a way that would establish specific jurisdiction, and “did not cause harm in California that it knew was likely to be suffered there.” The district court further held that the fact that the vendor was headquartered in California at the time the breach occurred was not sufficient to establish general jurisdiction because the vendor moved to Canada before the class action was filed. “Courts have uniformly held that general jurisdiction is to be determined no earlier than the time of filing of the complaint,” the district court wrote, dismissing the case with prejudice.
On appeal, the 9th Circuit concluded that dismissal was improper because the French wallet provider’s contracts with California were sufficient to establish jurisdiction under the “purposeful availment” framework. The appellate court explained that because the French wallet provider sold roughly 70,000 wallets in the state, collected California sales tax, and shipped wallets directly to California addresses, the “facts suffice to establish purposeful availment because [the French wallet provider’s] contacts with the forum cannot be characterized as ‘random, isolated, or fortuitous.’” However, the 9th Circuit limited the claims to only those brought by California residents under the state’s consumer protection laws. A forum-selection clause in the French wallet provider’s privacy policy and terms of use documents provided that disputes would be subject to the exclusive jurisdiction of French courts, the appellate court said, which was enforceable except with respect to the class claims of California residents brought under California law “because it violated California public policy against waiver of consumer rights under California’s Consumer Legal Remedies Act.”
The 9th Circuit also determined that the district court abused its discretion in disallowing any jurisdictional discovery concerning the defendant e-commerce vendor. Explaining that the e-commerce vendor employs more than 200 people who work remotely from California, including a data-protection officer (DPO) who may have played a role related to the data breach, the appellate court wrote that “[b]ecause more facts are needed to determine whether those activities support the exercise of jurisdiction, we reverse the district court’s denial of jurisdictional discovery with respect to the DPO’s role and responsibilities and his relationship to [the e-commerce vendor], which processed and stored the data.”
Hair clinic must pay $500,000 to resolve data breach
On November 21, the U.S. District Court for the Central District of California granted final approval to a $500,000 class action settlement resolving allegations that a ransomware attack and data breach exposed the personal information of over 100,000 of the defendant hair-restoration clinic’s customers. According to the order, the plaintiffs alleged that defendant violated California's consumer protection statutes by failing to: (i) protect consumers' personal information; (ii) notify them quickly enough about the breach; and (iii) monitor its network for vulnerabilities and breaches. The order provided attorneys’ fees of $262,500, and awards of $1,250 each to the class representatives.
District Court issues judgment against company for marketing fake high-yield CDs
On December 9, the U.S. District Court for the Southern District of New York entered a final stipulated final judgment and order against a Delaware financial-services company operating in Florida and New York along with its owner (collectively, “defendants”) for engaging in deceptive acts under the Consumer Financial Protection Act related to its misleading marketing representations when advertising high-yield healthcare savings CD accounts. As previously covered by InfoBytes, the Bureau’s 2020 complaint alleged that defendants engaged in deceptive acts or practices by: (i) falsely representing that consumers’ deposits into the high yield CD accounts would be used to originate loans for healthcare professionals, when in fact, the company never used the deposits to originate loans for healthcare professionals, never sold a loan to a bank or secondary-market investor, and never entered into a contract with a buyer or investor to purchase a loan; (ii) concealing the company’s true business model by falsely representing that the consumers’ deposits, when not being used to originate healthcare loans, would be held in an FDIC- or Lloyd’s of London-insured account or a “cash alternative” or “cash equivalent” account, when in reality, consumers’ deposits were, among other things, invested in securities; (iii) misleading consumers into believing that the accounts their funds were being deposited into functioned like traditional savings accounts when in fact, consumers’ deposits were actively traded in the stock market or used in securities-backed investments; and (iv) falsely representing that past high yield CD accounts allegedly paid interest at rates between 5 percent and 6.25 percent prior to 2019 when in fact, the company did not offer CDs until August 2019, and “consumers’ principals was neither guaranteed nor insured.” The complaint noted that since August 2019, the company took more than $15 million from at least 400 consumers.
The settlement provides for a comprehensive consumer redress plan that would require defendants to refund approximately $19 million to approximately 400 depositors. Further, pursuant to the order, the defendants are required to return the money that each affected consumer deposited into a certain account in a manner consistent with the advertised terms of the product, namely, the principal along with an average per year interest rate of about 6 percent. The proposed order also permanently bans the defendants from engaging or assisting others in any deposit taking activities and requires defendants to pay a civil money penalty to the Bureau in the amount of $391,530.
FTC takes action against debt relief operation
On November 30, the FTC announced an action against three individuals and their affiliated companies (collectively, “defendants”) for allegedly participating together in a credit card debt relief scheme since 2019. The FTC alleged in its complaint that the company violated the FTC Act and the Telemarketing Sales Rule (TSR) by using telemarketers to call consumers and pitch their deceptive scheme, falsely claiming to be affiliated with a particular credit card association, bank, or credit reporting agency and promising they could improve consumers’ credit scores after 12 to 18 months. The defendants also allegedly misrepresented that the upfront fee, which in some cases was as high as $18,000, was charged to consumers’ credit cards as part of the overall debt that would be eliminated, and therefore consumers would not actually have to pay this fee. The District Court for the Middle District of Tennessee granted the Commission’s request to temporarily shut down the scheme operated by the defendants and froze their assets. The complaint requests, among other things, a permanent injunction to prevent future violations of the FTC Act and the TSR by the defendants.