New Media and Technology Law Blog

Some Interesting CDA Section 230 Developments: A Novel FCRA Victory, a Negligent Design Exception and a Startling New State Law

In the past month, there have been some notable developments surrounding Section 230 of the Communications Decency Act (“CDA” or “Section 230”) beyond the ongoing debate in Congress over the potential for legislative reform. These include a novel application of CDA in a FCRA online privacy case (Henderson v. The Source for Public Data, No. 20-294 (E.D. Va. May 19, 2021)) and the denial of CDA immunity in another case involving an alleged design defect in a social media app (Lemmon v. Snap Inc., No. 20-55295 (9th Cir. May 4, 2021), as well as the uncertainties surrounding a new Florida law that attempts to regulate content moderation decisions and user policies of large online platforms.   Continue Reading

Supreme Court Ends Long-Running Circuit Split over CFAA “Exceeds Authorized Access” Issue, Adopting a Narrow Interpretation That Will Reverberate in Scraping Disputes and Litigation over Departing Employees

In a closely-watched appeal, the Supreme Court, in a 6-3 decision, reversed an Eleventh Circuit decision and adopted a narrow interpretation of “exceeds unauthorized access” under the Computer Fraud and Abuse Act (CFAA), ruling that an individual “exceeds authorized access” when he or she accesses a computer with authorization but then obtains information located in particular areas of the computer – such as files, folders, or databases – that are off limits to him or her. (Van Buren v. United States, No. 19-783, 593 U.S. ___ (June 3, 2021)). The majority equated “exceed[ing] authorized access” with the act of “entering a part of a system to which a computer user lacks access privileges,” rejecting the Government’s contention that a person who is authorized to access information from a protected computer for certain purposes violates CFAA Section 1030(a)(2) by accessing the computer with an improper purpose or motive. Put simply, the court’s view suggests a “gates-up-or-down” approach where the CFAA prohibits accessing data one is not authorized to access.

Although the case involved a criminal conviction under the CFAA, Van Buren gave the Supreme Court the opportunity to resolve a long-standing circuit split and heavily-litigated issue that arose in both criminal and civil cases under the CFAA’s “unauthorized access” provision. This provision of the CFAA is routinely pled in cases against former employees that have accessed proprietary data in their final days of employment for an improper purpose (e.g., for use in their new job or competing venture). It is also a common claim in disputes involving unwanted web scraping. On the latter point, the Court’s narrow interpretation of the “exceeds authorized access” provision would appear to be right in line with the narrow interpretations of the CFAA enunciated by the Ninth Circuit in its blockbuster hiQ opinion, which held that that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access “without authorization” under the CFAA and in its Power Ventures precedent, which held that, in the context of unwanted data scraping, a violation of the terms of use of a website, without more, cannot be the basis for civil liability under the CFAA. Continue Reading

The President Revokes Prior Administration’s Executive Order on CDA Section 230

On May 14, 2021, President Biden issued an executive order revoking, among other things, his predecessor’s action (Executive Order 13295 of May 28, 2020) that directed the executive branch to clarify certain provisions under Section 230 of the Communications Decency Act (“Section 230” or the “CDA”) and remedy what former President Trump had claimed was the social media platforms’ “selective censorship” of user content and the “flagging” of content that does not violate a provider’s terms of service. The now-revoked executive order had, among other things, directed the Commerce Department to petition for rulemaking with the FCC to clarify certain aspect of CDA immunity for online providers (the FCC invited public input on the topic, but did not ultimately move forward with a proposed rulemaking) and requested the DOJ to draft proposed legislation curtailing the protections under the CDA (the DOJ submitted a reform proposal to Congress last October). Continue Reading

Plaid Federal Electronic Surveillance Claims Dropped, Privacy Claims Survive

On April 30, 2021 a California district court trimmed various federal privacy-related claims, including the Computer Fraud and Abuse Act (CFAA) claim, from a highly-visible, ongoing putative class action against fintech services company Plaid Inc. (“Plaid”), but allowed other state law privacy claims to go forward.  The lawsuit involves Plaid’s alleged collection and use of consumers’ banking login credentials and later processing and selling of such financial transaction data to third parties without adequate notice or consent (Cottle v. Plaid Inc., No. 20-3056 (N.D. Cal. Apr. 30, 2021).

The court’s decision did not delve deeply in the merits of the CFAA claim, as it was dismissed on procedural grounds; similarly, resolution of the major issues of the case about invasion of privacy and the adequacy of consent to access consumers’ bank accounts and collect/aggregate data was not achieved at this early stage of the litigation.  Thus, this case is just beginning and is certainly one to watch to see how the unsettled areas of mobile privacy and CFAA “unauthorized access” are further developed. Continue Reading

Landmark Fair Use Victory at the Supreme Court in Software Case

In a narrowly drawn, yet significant decision, the Supreme Court reversed the Federal Circuit and ruled that Google LLC’s (“Google”) copying of some of the Sun Java Application Programming Interface (API) declaring code was a fair use as a matter of law, ending Oracle America Inc.’s (“Oracle”) infringement claims over Google’s use of portions of the Java API code in the Android mobile platform. (Google LLC v. Oracle America, Inc., No. 18-956, 593 U.S. ___ (Apr. 5, 2021)).  In reversing the 2018 Federal Circuit decision that found Google’s use of the Java API packages was not fair use, the Supreme Court, in a 6-2 decision (Justice Barrett did not take part in the case) found where Google reimplemented the Java user interface, taking only what was needed to allow outside developers to work in a new and transformative mobile smartphone program, Google’s copying of the Sun Java API was a fair use as a matter of law. This decade-long dispute had been previously dubbed “The World Series of IP cases” by the trial court judge, and like many classic series, this one culminated in a winner-take-all Game 7 at the highest court.

Oracle is one of the most notable Supreme Court decisions affecting the software and technology industry in recent memory since, perhaps, the Court’s 2010 Bilski patent opinion, its 2012 Jones decision on GPS tracking, privacy and the Fourth Amendment and its 2005 Grokster decision on copyright inducement in the peer-to-peer network context, and certainly the most notable decision implicating fair use since its well-cited 1994 Campbell decision that expounded on the nature of “transformative” use. It was no surprise that this case attracted a stack of amicus briefs from various technology companies, organizations, and academia. In the months following oral argument, it was difficult to discern how the Court would decide the case – would it be on procedural grounds based on the Federal Circuit’s standard of review of the jury verdict on fair use, on the issue of the copyrightability of the Java API packages, directly on the fair use issue, or some combination.  The majority decision is a huge victory for the idea that fair use in the software context is not only a legal defense but a beneficial method to foster innovation by developing something transformative in a new environment on top of the functional building blocks that came before. One has to think hard to recall an opinion involving software and technology that referenced and applied the big picture principles of copyright – “to stimulate artistic creativity for the general public good,” as the Supreme Court once stated in a prior case – so indelibly into the fair use analysis.

The decision is also notable for the potential impact on copyright’s “transformative use test.” By considering Google’s intent for using the Java API code, the Court’s discussion of what constitutes a “transformative” use appears to diverge somewhat from recent Circuit Court holdings outside the software context.  The decision may redirect the transformative use analysis going forward, or future decisions may cabin the holding to the software context. Continue Reading

Noteworthy Trends in Privacy and Data Security

Our Practical Law article, “Trends in Privacy and Data Security: 2020,” has recently been published. The article provides an overview of the past year’s privacy and data security legal developments and predictions to look out for in 2021.

Mobile App Platform Entitled to CDA Immunity over State Law Claims Related to In-App Purchases of Loot Boxes

Happy Silver Anniversary to Section 230 of Communications Decency Act (“CDA” or “Section 230”), which was signed into law by President Bill Clinton in February 1996. At that time, Congress enacted CDA Section 230 in response to case law that raised the specter of liability for any online service provider that attempted to moderate its platform, thus discouraging the screening out and blocking of offensive material. As has been extensively reported on this blog, the world of social media and user-generated content is supported by protections afforded by Section 230. Now, 25 years later, the CDA is at a crossroads of sorts and its protections have stoked some controversy. Yet, as it stands, Section 230 continues to provide robust immunity for online providers.

In a recent case, Google LLC (“Google”) successfully argued for the application of Section 230, resulting in a California district court ­dismissing, with leave to amend, a putative class action alleging consumer protection law claims against the Google Play App Store.  The claims concerned the offering for download of third party mobile video games that allow users to buy Loot Boxes, which are in-app purchases that contain a randomized assortment of items that can improve a player’s chances at advancing in a videogame.  The plaintiffs claimed these offerings constituted illegal “slot machines or devices” under California law.  (Coffee v. Google LLC, No. 20-03901 (N.D. Cal. Feb. 10, 2021)). Continue Reading

Group of Democratic Senators Release Latest CDA Reform Bill

With the change in administrations in Washington, there has been a drive to enact or amend legislation in a variety of areas. However, most initiatives lack the zeal found with the bipartisan interest in “reining in social media” and pursuing reforms to Section 230 of the Communications Decency Act (CDA).  As we have documented,, the parade of bills and approaches to curtail the scope of the immunities given to “interactive computer services” under CDA Section 230 has come from both sides of the aisle (even if the justifications for such reform differ along party lines). The latest came on February 5, 2021, when Senators Warner, Hirono and Klobuchar announced the SAFE TECH Act.  The SAFE TECH Act would limit CDA immunity by enacting “targeted exceptions”  to the law’s broad grant of immunity. Continue Reading

LexBlog

This website uses third party cookies, over which we have no control. To deactivate the use of third party advertising cookies, you should alter the settings in your browser.

OK