CFAA Claim Dismissed in Scraping Suit, While Contract Claim Survives

This month, an Illinois district court considered another in the series of web scraping disputes that have been working their way through our courts. In this dispute, CouponCabin, Inc. v. PriceTrace, LLC, No. 18-7525 (N.D. Ill. Apr. 11, 2019), CouponCabin alleged that a competitor, PriceTrace, scraped coupon codes from CouponCabin’s website without authorization and displayed them on its own website.

After discovering PriceTrace’s scraping activities, CouponCabin sent PriceTrace a cease and desist letter demanding that PriceTrace stop scraping data from CouponCabin’s website. CouponCabin alleged that PriceTrace continued to access and scrape data from CouponCabin’s website even after the C&D letter was sent. As a result, CouponCabin brought several causes of action against PriceTrace, including claims under the Computer Fraud and Abuse Act (CFAA), tortious interference and breach of contract.

The court found that CouponCabin’s C&D letter had revoked PriceTrace’s access to its site and that PriceTrace’s alleged continued access to the website plausibly stated a violation of the CFAA’s “unauthorized access” provision (18 U.S.C. §1030(a)(2)(C)). Ultimately, however, the court dismissed the CFAA claims with leave to amend, due to plaintiff’s failure to plead the requisite amount of damage or loss as required to maintain a civil action under the CFAA.

“CouponCabin is simply alleging that PriceTrace was able to circumvent CouponCabin’s website security, with no allegation that such evasion impairs or harm the website. Absent allegation of impairment, CouponCabin has merely alleged that PriceTrace accessed CouponCabin’s website without authorization.”

Tags: breach of contract, browsewrap, CFAA unauthorized access, screen scraping, web scraping

Recent Bill Introduced in Illinois Legislature Would Curtail BIPA Litigation

By Jeffrey Neuburger on March 27, 2019 Posted in Biometrics, Legislation, Privacy

In the wake of the Illinois Supreme Court decision that held that claimants need only allege a procedural violation to have standing to bring an action under the Illinois Biometric Information Privacy Act (BIPA) and the continued wave of BIPA-related litigation, the Illinois legislature is considering an amendment to BIPA that would strip the statute of its private right of action. SB2134, as currently written, would amend BIPA by deleting the private right of action and instead provide for enforcement under the Department of Labor (for violations concerning employment-related biometric data collection) or generally by the state attorney general under the state’s consumer protection statute. The end result would be a statute similar to Texas and Washington’s biometric privacy bills which may only be enforced by the respective state attorney general. [Note: There is also another BIPA amendment pending, HB3024, which would expand the definition of “biometric identifier” to include “an electrocardiography result from a wearable device” in an effort to keep up with the latest technologies]. Continue Reading

Tags: BIPA amendment, Illinois Senate bill

Bipartisan Facial Recognition Privacy Bill Introduced in Congress

By Jeffrey Neuburger on March 26, 2019 Posted in Biometrics, Legislation, Privacy

Senators Brian Schatz (D) and Roy Blunt (R) recently introduced S.847, the “Commercial Facial Recognition Privacy Act of 2019,” a bill that would, subject to certain important exceptions, generally prohibit the commercial use of facial recognition technology to identify and track consumers without consent. The bill, as drafted would place limitations on the third-party sharing of collected faceprint data, as well as require covered entities to meet certain minimum data security standards. As this bill wends its way through Congress (it has been referred to the Committee of Commerce, Science and Transportation), it is worth watching because it is a bipartisan bill with a narrow scope that has garnered the early conceptual support of Microsoft and other technology companies. Continue Reading

Tags: facial recognition privacy bill, facial recognition technology, federal legislation, FTC enforcement

Registrations, not Applications: Supreme Court Says Copyright Owners Must Wait to Sue

By Kevin Milewski on March 6, 2019 Posted in Copyright

This Monday, the Supreme Court unanimously ruled in Fourth Estate Public Benefit Corp. v. Wall-Street.com, LLC, 586 U.S. ____ (Mar. 4, 2019), that a copyright owner may commence an infringement suit only when the Copyright Office determines whether or not to register a copyright, as opposed to when the owner submits an application and fee for registration. The widely-followed case resolves a simple question, but has far-reaching practical implications for U.S. copyright litigation. Continue Reading

Tags: copyright, federal registration, infringement action, registration approach

Digital Currency App’s Electronic User Agreement Held Enforceable

By Jeffrey Neuburger on February 1, 2019 Posted in Contracts, Digital Currency, Mobile

In a recent blog post, we wrote about how the Second Circuit found the arbitration clause in a web service’s terms and conditions unenforceable because the user did not have reasonable notice of the terms that were communicated via a hyperlink in a post-sale email. In contrast, a New York district court recently upheld an arbitration clause in Coinbase’s account registration process and granted its motion to compel arbitration concerning claims brought by a user (Sultan v. Coinbase, Inc., No. 18-934 (E.D.N.Y. Jan. 24, 2019)).

This case sheds further light on the do’s and don’ts of online electronic contracting and the enforceability of app-based terms and conditions. The decision reinforces the point that for purposes of establishing a binding agreement with a user – particularly in the context of a mobile app – simplicity and clarity of the user interface is desired. And, in particular, this case reinforces the point that has been illustrated in many cases before that the design of user registration pages should be done with the input of legal analysis as to likely enforceability. Continue Reading

Tags: assent, consumer interface, enforceability, mobile app terms, online contracting

New York City Considers Facial Recognition Bill — Will New York Be the Next Forum for Biometric Privacy Litigation?

By Stephanie Kapinos on January 31, 2019 Posted in Biometrics, Legislation, Privacy

UPDATE: Subsequent to the introduction of the New York City Council biometric privacy bill, on March 5, 2019 members of the Florida legislature introduced the “Florida Biometric Information Privacy Act” (SB 1270). The statute generally follows the Illinois Biometric Information Privacy Act (BIPA) regarding notice and consent requirements and notably provides for a private right of action and the availability of statutory damages. As with the New York City bill, we will follow the progress of the Florida bill, as well as other pending biometric privacy legislation (e.g., Montana’s HB 645, which was introduced on March 1, 2019 and is another BIPA-like bill, but only allows enforcement by the state attorney general).

In light of the recent decision by the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Ill. Jan. 25, 2019), it is worth remembering that late last year, New York City Council members Ritchie Torres (and additional co-sponsors) introduced a bill for the city council to consider that would regulate the use of biometric technology in New York City. Bill Int. No. 1170 (the “Bill”) would amend Section 1, Chapter 5 of Title 20 of the Administrative Code of the City of New York and require businesses (but not governmental actors) to give notice to customers if they are collecting “biometric identifier information.” The Bill, which contains some similar provisions to the Illinois Biometric Information Privacy Act (“BIPA”), includes a private right of enforcement but avoids the statutory standing issue litigated in Rosenbach by providing that “any person who[se] biometric identifier information was collected, retained, converted, stored or shared in violation of [the law] may commence an action.” If enacted, this bill could lead to a deluge of individual and class action suits in New York based on biometric activity. Continue Reading

Tags: biometric privacy, Facial recognition, local law, New York City Council bill, notice

Notice of Terms via Buried Link within a Post-Sale Email Unenforceable

By Jeffrey Neuburger on January 30, 2019 Posted in Contracts, Online Commerce

In Starke v. SquareTrade, Inc., No. 17-2474, 2019 WL 149628 (2d Cir. Jan. 10, 2019), the Second Circuit affirmed a ruling that denied a web service’s motion to compel arbitration, finding that the user did not have reasonable notice of the arbitration provision contained in the terms and conditions that were communicated via a hyperlink in a post-sale email.

File this latest opinion declining to enforce a service’s terms under Crowded Interface, Unclear Prompts and Muddled Process.

While the court recognized that a party has a duty to read a contract, it stressed that this does not morph into a duty to “ferret out contract provisions when they are contained in inconspicuous hyperlinks,” particularly where, as in this case, the user was presented with multiple documents, each containing different sets of terms. This dispute was reminiscent of a Second Circuit case we wrote about in 2012, where the court held that a buy now-agree later process did not provide sufficient notice to consumers of an arbitration provision contained in the post-sale terms. Continue Reading

Tags: agree now - terms later contract, Electronic Contracting

Fair Use in Flux: Second Circuit TVEyes Ruling May Have a Lasting Effect on Fair Use Analysis

By Kevin Milewski on January 28, 2019 Posted in Copyright, Technology, Television, Video

Fair use can be one of the most difficult issues that copyright lawyers have to address due to decades of varying court rulings applying the multi-factor balancing test, particularly in the face of new technologies that use, modify, and aggregate data in ways not envisioned under the Copyright Act. The Second Circuit’s February 2018 fair use decision in the dispute between Fox News Network, LLC (“Fox”) and TVEyes, Inc. (“TVEyes”) added yet another wrinkle to fair use jurisprudence when the court emphasized market effect over transformative use, seemingly a departure from recent trends in the application of the balancing test. (See Fox News Network, LLC v. TVEyes, Inc., 883 F.3d 169 (2d Cir. 2018)). In recent weeks, the Supreme Court denied TVEyes’ petition for certiorari, leaving in place the appeals court’s decision; and Fox and TVEyes settled the case, stipulating that TVEyes may no longer make available, distribute, or publicly perform or display Fox’s copyrighted video content.

TVEyes is likely to be an important decision for future fair use cases within the Second Circuit. Continue Reading

Tags: aggregation, fair use, transformative use, video

Illinois Supreme Court Rules Actual Injury Not Needed to Be an “Aggrieved” Party under Biometric Privacy Law

By Jeffrey Neuburger on January 25, 2019 Posted in Biometrics, Privacy

In a long-awaited decision, the Illinois Supreme Court issued its ruling in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Ill. Jan. 25, 2019), on whether a person “aggrieved” by a violation of the Illinois Biometric Information Privacy Act (“BIPA”) must allege some actual injury or harm beyond a procedural violation to have standing to bring an action under the statute. Since the Court took the appeal in May 2018, businesses have been waiting for the answer to this important question, as the robust wave of Illinois biometric privacy suits against Illinois-based employers and other businesses continued apace and several Illinois courts issued disparate interpretations about what it means to be “aggrieved” under the statute.

In a disappointment to many of the defendants in pending cases, a unanimous Court in Rosenbach reversed the appellate court and ruled that an individual does not have to plead an actual injury or harm, apart from the statutory violation itself, in order to have standing to sue under BIPA. The outcome was not a complete surprise, as previous courts (such as a California federal court and an Illinois appellate court) had ruled or expressed in dicta that mere technical violations of BIPA were sufficient under the statute. Continue Reading

Tags: aggrieved party, biometric privacy, BIPA, standing