InfoBytes Blog

Financial Services Law Insights and Observations

  • District Court orders evidence showing customer agreed to arbitration clause in clickwrap agreement

    Courts

    On April 15, the U.S. District Court for the Northern District of California ordered a defendant “teledentistry” practice to file a declaration evidencing a clickwrap agreement that shows that the plaintiff assented to an arbitration agreement in an addendum to a retail installment contract. The plaintiff filed a putative class action claiming the defendant failed to comply with consumer protection licensing requirements and made misleading and false representations to consumers about the scope of its services and the provided dental care. The defendant moved to compel arbitration, stating that when customers create an account on the defendant’s website, they are required to affirmatively check a clickwrap checkbox to provide informed consent and must agree to the defendant’s terms and conditions before finalizing the registration process. The checkbox is not pre-checked, the defendant stated, and customers can view the full terms and conditions when clicking on the hyperlinks for each policy. The defendant maintained that if the plaintiff had clicked on the “Informed Consent” hyperlink, he would have been presented with the arbitration clause. The defendant also claimed that its servers log customers’ electronic assent to the terms and conditions and provided evidence purportedly showing that the plaintiff accepted the terms and conditions. The plaintiff countered that he did not assent to the arbitration agreement.

    The arbitration dispute concerns whether the plaintiff assented to the arbitration agreement, whether the agreement is valid and enforceable, and whether the agreement delegates questions of arbitrability to the arbitrator and not the court. According to the court, the defendant failed to show sufficient evidence that the plaintiff agreed to the arbitration agreement and stated it will issue a ruling once the defendant provides additional evidence showing what the plaintiff would have seen when he allegedly assented to the clickwrap agreement, as well as “the circumstances under which [plaintiff] received and allegedly assented to the addendum to the retail installment contract.” The court’s order also granted plaintiff’s motion to further amend the complaint but denied plaintiff’s motion to remand on the grounds that the Class Action Fairness Act of 2005 conferred subject-matter jurisdiction upon the court.

    Courts Arbitration Clickwrap Agreement Class Action California

  • EU Court of Justice rules consumer protection agencies can sue companies for GDPR violations

    Privacy, Cyber Risk & Data Security

    On April 28, the Court of Justice of the European Union (CJEU) issued an opinion concluding that consumer protection associations are permitted to bring representative actions against infringements of personal data protection “independently of the specific infringement of a data subject’s right to the protection of his or her personal data and in the absence of a mandate to that effect.” According to the judgment, Germany’s Federal Union of Consumer Organisations and Associations brought an action for an injunction against a global social media company’s Ireland division for allegedly infringing on General Data Protection Regulation (GDPR) rules governing the protection of personal data, the combat of unfair commercial practices, and consumer protection when offering users free games provided by third parties. Germany’s Federal Court of Justice called into question whether a consumer protection association has standing to bring proceedings in the civil courts against infringements of the GDPR without obtaining a mandate from users whose data was misused. Germany’s Federal Court of Justice also observed that the GDPR could be inferred to read that “it is principally for the supervisory authorities to verify the application of the provisions of that regulation.”

    In its ruling, CJEU concluded that consumer protection associations in the EU can bring representative actions against the social media company for alleged violations of the GDPR, writing that the GDPR “does not preclude national legislation which allows a consumer protection association to bring legal proceedings, in the absence of a mandate conferred on it for that purpose and independently of the infringement of specific rights of the data subjects, against the person allegedly responsible for an infringement of the laws protecting personal data . . . where the data processing concerned is liable to affect the rights that identified or identifiable natural persons derive from that regulation.” Permitting associations to bring representative actions is “consistent with the objective pursued by the GDPR . . . in particular, ensuring a high level of protection of personal data,” CJEU stated.

    Privacy/Cyber Risk & Data Security Courts Germany EU Of Interest to Non-US Persons GDPR Consumer Protection

  • District Court grants class certification in FDCPA suit

    Courts

    On April 27, the U.S. District Court for the Western District of Pennsylvania granted a plaintiff’s motion for class certification in an action against a consumer debt buyer (defendant) for allegedly violating the FDCPA by stating that a judgment may be awarded prior to the expiration of a settlement offer, even though a collection lawsuit was not filed. According to the opinion, the plaintiff received a collection letter from the defendant that offered a “discount program” for his “Legal Collections account without any further legal action,” which had to be accepted within a month. The letter also stated that “[a] judgment could be awarded by the court before the expiration of the discount offer listed in this letter,” despite the fact that at the time the letter was received, there were no pending court cases in which a judgment could be entered against the plaintiff. After receiving the letter, the plaintiff filed suit, alleging that the defendant violated the FDCPA by making false, misleading, and deceptive misrepresentations about the debt. Among other things, the defendant argued that the size of the class would be impossible to ascertain because identifying class members would require individualized inquiries into who received a letter and when. By holding that the FDCPA violation occurred when a letter was sent rather than when it was received, the court rejected the defendant’s argument and ruled instead that individualized inquiry is not necessary. According to the district court, “[r]eviewing this information will, of course, require some level of individualized inquiry. But the need for file-by-file review to identify class members is not fatal to class certification.” The district court further noted that “[c]ourts and parties must be able to determine accrual dates with some degree of certainty,” and “[t]he date of receipt may often be impossible to determine, particularly where the recipient is an individual as opposed to a commercial entity.”

    Courts Class Action Debt Collection FDCPA Debt Buyer

  • 4th Circuit will not revive investors’ data breach case

    Privacy, Cyber Risk & Data Security

    On April 21, the U.S. Court of Appeals for the Fourth Circuit affirmed a district court’s dismissal of a securities suit against a hotel corporation (defendant) alleging that it misled the plaintiffs regarding data vulnerabilities connected to a major breach of customers’ personal information. According to the opinion, two years after merging with another hospitality corporation, the defendant “learned that malware had impacted approximately 500 million guest records in the [hospitality corporation’s] guest reservation database.” An investor filed a putative class action against the defendant and nine of its officers and directors, alleging that its failure to disclose severe vulnerabilities in the hospitality corporation’s IT systems rendered 73 different public statements false or misleading in violation of Section 10(b) of the Securities Exchange Act of 1934 (Exchange Act) and SEC Rule 10b-5. The district court granted the defendant’s motion to dismiss with prejudice and concluded that the plaintiffs “‘failed to adequately allege a false or misleading statement or omission, a strong inference of scienter, and loss causation,’ which doomed the claim under Section 10(b) and Rule 10b-5 as well as the secondary liability claim [under Section 20(a) of the Exchange Act].” The investor appealed, dropping its challenge to 55 of the statements but maintaining its challenge to the other 18.

    On appeal, the 4th Circuit agreed with the district court that the defendant’s statements about the importance of cybersecurity were not misleading with respect to the quality of its cybersecurity efforts. The appellate court found that “[t]he ‘basic problem’ with the complaint on this point is that ‘the facts it alleges do not contradict [the defendant’s] public disclosures,’” and that reiterating the “basic truth” that data integrity is important does not mislead investors or create a false impression. The appellate court also noted that the complaint “concedes that [the defendant] devoted resources and took steps to strengthen the security of hospitality corporation’s systems,” and that the company included “such sweeping caveats that no reasonable investor could have been misled by them.” The appellate court concluded that the defendant “certainly could have provided more information to the public about its experience with or vulnerability to cyberattacks, but the federal securities laws did not require it to do so.”

    Privacy/Cyber Risk & Data Security Courts Data Breach Appellate Fourth Circuit SEC Securities Exchange Act

  • District Court dismisses state law claims concerning scanned email allegations

    Privacy, Cyber Risk & Data Security

    On April 26, the U.S. District Court for the Northern District of California granted a defendant tech company’s motion for reconsideration to dismiss plaintiffs’ Washington Privacy Act (WPA) claims that it shared customer data with third parties without first obtaining consent. According to the amended complaint, the defendant allegedly misrepresented its privacy and security practices in violation of federal and state law by, among other things, sharing customer data with unauthorized third parties (some of which suffered data breaches), using customer data to develop products and services to sell to other companies, and falsely promising it complied with privacy and confidentiality standards. Plaintiffs alleged the company scanned 400 billion customer emails to obtain insights for its API, which it then sold to others.

    In its prior ruling, the court dismissed plaintiffs’ Wiretap Act and Stored Communications Act claims but allowed the WPA claims to proceed. The defendant then filed a motion for partial reconsideration, arguing that the WPA claim is also premised on the same scanned email theory as with the other two claims that were already dismissed. The court agreed that the plaintiffs failed to sufficiently allege that their emails were scanned and dismissed the WPA claims without leave to amend because the “interception or disclosure of a communication” was necessary “in order for the conduct to be actionable.”

    Privacy/Cyber Risk & Data Security Courts State Issues Washington Class Action Data Breach Wiretap Act

  • California Court of Appeal: Including extraneous language in FCRA disclosure may constitute willful violation

    Courts

    On April 19, the California Court of Appeal for the Fourth Appellate District reversed a trial court’s summary judgment order and held that the inclusion of extraneous language in an employer’s FCRA disclosures to job applicants may constitute willful violation of the FCRA. The plaintiff filed a putative class action against the defendant employer, contending that it willfully violated the FCRA by providing job applicants with a disclosure that included extraneous language unrelated to the topic of consumer reports. The plaintiff alleged that the disclosure violated the FCRA’s requirement for providing a standalone disclosure informing the applicant that the employer may obtain the applicant’s consumer report when making a hiring decision upon applicant’s consent. The defendant filed a motion for summary judgment arguing that no reasonable jury could find that the plaintiff’s FCRA violation was willful, because the erroneous disclosure form was the result of a drafting mistake that took place when the defendant modified a sample disclosure provided by a consumer reporting agency to ensure compliance with the FCRA. The trial court granted the defendant’s motion, finding that any non-compliance resulted from an inadvertent drafting error.

    On appeal, the Court of Appeal reversed and remanded with instructions that the trial court deny the motion for summary judgment. The appellate court found that “a reasonable jury could find that [the employer] acted willfully because it violated an unambiguous provision of the FCRA.” The Court of Appeal noted that there is evidence that at least one of the defendant’s employees was aware that the extraneous language would be included in the disclosure form. In addition, the continuous use of the allegedly problematic disclosure form for nearly two years could signify recklessness. The Court of Appeal reasoned further that the defendant’s “continued and prolonged use” of the “problematic” disclosure form “suggest[ed] that it had no proactive monitoring system in place to ensure its disclosure was FCRA-compliant.”

    Courts State Issues Appellate Class Action California FCRA Disclosures

  • Nevada Supreme Court affirms ruling in default notice suit

    Courts

    On April 7, the Nevada Supreme Court denied a petition for rehearing and reaffirmed its prior conclusion that, under Nevada law, when a notice of rescission is recorded after a notice of default, the rescission cancels the acceleration triggered by the notice of default, and resets a statutory 10-year period for automatically clearing a lien on real property. NRS § 106.240 “provides a means by which liens on real property are automatically cleared from the public records after a certain period of time,” and specifically “provides that 10 years after the debt secured by the lien has become ‘wholly due’ and has remained unpaid, ‘it shall be conclusively presumed that the debt has been regularly satisfied and the lien discharged.’” The specific question before the Nevada Supreme Court was what effect a notice of rescission has on NRS § 106.240’s 10-year period when the notice is recorded after a notice of default. The Nevada Supreme Court upheld the lower court’s decision determining that “because a notice of rescission rescinds a previously recorded notice of default, the notice of rescission ‘effectively cancelled the acceleration’ triggered by the notice of default, such that NRS 106.240’s 10-year period was reset.”

    Courts State Issues Nevada Mortgages Consumer Finance

  • District Court allows state claims concerning the use of individuals’ likenesses in online ads to proceed

    Privacy, Cyber Risk & Data Security

    On April 19, the U.S. District Court for the Northern District of California denied a motion to dismiss in a putative class action alleging a California-based website operator violated various Ohio, Indiana, and California state laws by appropriating individuals’ names and likenesses and using this information in online teaser profile advertisements. Plaintiffs contended that the “teasers” violated their rights of publicity, and that memberships give users access to data including location history, family members, court records, employment information, and more. Plaintiffs further stated that “they ‘did not consent to the commercial use of their personal information and personas to promote subscriptions to a website with which they have no relationship.’” Defendant moved to dismiss on numerous grounds, including lack of standing.

    In denying the motion to dismiss, the court ruled that plaintiffs have Article III standing to sue and that plaintiffs sufficiently pleaded a cognizable injury in “that their names, likenesses, and related information have commercial value and were being used for a commercial purpose.” The court also reviewed the adequacy of pleadings with respect to the alleged state violations and concluded, among other things, that the defendant’s teasers “are not subject to statutory exceptions for newsworthiness or public interest information.” As to the defendant’s alleged violations of California’s Unfair Competition Law (UCL), the court considered whether the California Consumer Privacy Act (CCPA) “immunizes [defendant’s] behavior from UCL liability.” According to the defendant, while the CCPA generally obligates businesses to notify California residents when personal information is being used, it also “contains an express exemption for the use of publicly available data.” Because this conduct is allegedly permitted by the CCPA, the defendant argued, it cannot violate the UCL. The court disagreed, writing that “all that these provisions of the CCPA do are exempt publicly available data from special notification and disclosure rules that the statute itself imposes on companies that collect Californians’ data. . . . They do not expressly or impliedly set aside privacy-based tort claims or related UCL claims.”

    Privacy/Cyber Risk & Data Security Courts State Issues California Ohio Indiana CCPA Class Action

  • Florida court grants sovereign immunity to lender and company officials

    Courts

    On April 11, a Florida county court concluded that a defendant lender and certain company officials were entitled to sovereign immunity in a case concerning alleged usury claims. The plaintiff claimed the lender used its supposed federally-recognized tribal affiliation to escape state usury regulations. The court dismissed the complaint, however, finding that the lender is an “arm of the tribe” under a six-prong test established by the U.S. Court of Appeals for the Tenth Circuit in Breakthrough Management Group, Inc. v. Chukchansi Gold Casino & Resort. The test determines whether sovereign immunity should apply by examining, among other factors, an entity’s creation, the amount of control a tribe has over the entity, and the financial relationship between the tribe and the entity. According to the court, the defendant’s evidence suggests that the tribe created the defendant as a business entity “to generate and contribute revenues” to the tribe’s general fund. The court found that insufficient detail was presented to support the plaintiff’s assertion that the defendant pays a relatively small percentage of its gross revenues to the tribe. The court added that the plaintiff also failed to present evidence proving that large portions of the defendant’s revenue were distributed to non-tribal entities. In dismissing the case with prejudice, the court also dismissed claims against three individual defendants because they were entitled to sovereign immunity. The court concluded that the plaintiff’s allegations demonstrated that the individuals committed the alleged wrongs in their capacities as employees and officers and therefore the “real party in interest” is the lender.

    Courts State Issues Florida Payday Lending Tribal Lending Tribal Immunity Sovereign Immunity Interest Rate Usury Consumer Finance

  • District Court approves final $85 million class action privacy settlement despite objections

    Privacy, Cyber Risk & Data Security

    On April 21, the U.S. District Court for the Northern District of California granted final approval of an $85 million class action settlement resolving privacy and data security allegations against a video conferencing provider. As previously covered by InfoBytes, consolidated class members claimed the company violated several California laws, including invasion of privacy, the “unlawful” and “unfair” prongs under the Unfair Competition Law, implied covenant of good faith and fair dealing, and unjust enrichment, among others. According to the more than 150 million class members (defined as individuals who “registered, used, opened or downloaded the [company’s] [m]eetings [a]pplication”), the company unlawfully shared their personal data with unauthorized third parties, failed to prevent unwanted and unauthorized meeting disruptions, and misrepresented the strength of its end-to-end encryption measures. Under the terms of the final settlement, the company will establish an $85 million fund to pay valid claims, fees and expenses, service payments, and taxes, and will make several major changes to its practices to “improve meeting security, bolster privacy disclosures, and safeguard consumer data.” Among other things, the settlement stipulates that the company will “provide in-meeting notifications to make it easier for users to understand who can see, save and share [their] information and content by alerting users when a meeting host or another participant uses a third-party application during a meeting.” Additionally, the company will educate users about available security features and ensure its privacy statement discloses the ability of users to share user data with third parties through integrated third-party software, record meetings, and/or transcribe meetings.

    The court considered several objections raised by certain class members, including concerns argued on behalf of a subclass of users who used the meeting application “as part of a business that was legally or contractually required to maintain client confidentiality as part of the services the business provided.” According to these objectors, the individual payment amounts are inadequate for individuals who held sensitive meetings. The court countered that the objectors’ claims did not differ from other class members and that the recovery is intended to cover users who did not receive the benefit of their bargain with the company, and not for “special harm arising from a duty to maintain client confidentiality.”

    Privacy/Cyber Risk & Data Security Courts Settlement Class Action Third-Party State Issues California
