New Media and Technology Law Blog

Ninth Circuit Rejects VPPA Claims of Roku Channel User, Declining to Adopt Broad Definition of PII

In a decision that clarified aspects of the video privacy landscape, the Ninth Circuit affirmed the dismissal of an action alleging a violation of the Video Privacy Protection Act (VPPA) based on an assertion that ESPN’s WatchESPN Roku channel had shared a user’s Roku device number and video viewing history with a third-party analytics company for targeted advertising purposes.  (Eichenberger v. ESPN, Inc., No. 15-35449 (9th Cir. Nov. 29, 2017)).  The appeals court found that such a disclosure of a device identifier did not constitute “personally identifiable information” (PII) under the VPPA.  In doing so, the court declined to take a broad interpretation of the 1980s era statute originally aimed at video stores, but which in recent years has been applied to online video streaming services and mobile and video streaming apps. Continue Reading

U.S. Court Orders Coinbase to Share Information about Account Holders with the IRS but Limits to Transactions over $20,000

A U.S. federal district court judge on Tuesday, November 29 ordered Coinbase Inc., the largest cryptocurrency exchange and storage platform in the world, to provide information about certain of its account holders to the U.S. Internal Revenue Services (IRS).  Information pertaining to as many as 14,355 account holders and 8.9 million transactions could be covered in this order, according to estimates provided by Coinbase.  The full order by Judge Jacqueline Scott Corley of the U.S. District Court for the Northern District of California can be found here.

While a significant milestone in a protracted legal battle between Coinbase and the IRS, the order handed down by Judge Corley is considerably narrower than what the IRS had originally requested.  The information Coinbase must provide is limited to the holder’s name, date of birth, taxpayer identification number (TIN), and address; the date, amount, type of transaction, post-transaction balance, and names of counterparties to any transaction covered by the order; and periodic account statements for the covered accounts.  Significantly, only account holders that have bought, sold, sent, or received cryptocurrency worth $20,000 or more in any tax year from 2013 to 2015 are covered by the order.  Continue Reading

Third Class Action for Tezos ICO

For the third time this month, the Tezos blockchain project is the subject of a class action complaint for claims arising from their $232 million July initial coin offering (“ICO”). Consistent with both prior lawsuits, the plaintiffs allege that the Tezos ICO constituted the unregistered, non-exempt offer and sale of securities in violation of the federal securities laws.

As a general rule ICO tokens may be securities and, if so, must be registered with the SEC or qualify for an exemption in order to be offered or sold within the United States. Violations expose issuers not just to the risk of SEC enforcement, but also the possibility of liability under Section 12(a)(1) of the Securities Act, a private right of action that provides recessionary damages on a strict liability basis for those that purchase their tokens directly from the issuer of an unregistered public offering.

Recent remarks by SEC Chairman Jay Clayton have led to speculation that meaningful SEC intervention in the ICO marketplace may be soon forthcoming. If this spate of Tezos lawsuits is any indication, the plaintiff’s bar could get there well before the regulators do.

Appeals Court Affirms Dismissal on Standing Grounds of Biometric Privacy Suit over Videogame Facial Scan Feature

With the flood of Illinois biometric privacy suits lodged against employers in recent months, and multiple biometric privacy suits against social media and other mobile platforms currently pending over the use of photo tagging functions, 2017 has been a busy year in this area.  In a notable circuit court level ruling this week, the Second Circuit affirmed the dismissal of Illinois biometric privacy claims against a videogame maker related to a feature in the NBA 2K videogame series that allows users to scan their faces and create a personalized avatar for in-game play. (Santana v. Take-Two Interactive Software, Inc., No. 17-303 (2nd Cir. Nov. 21, 2017) (Summary Order)).

Although the court remanded the case to give plaintiffs leave to amend the complaint, the dismissal is still a resonant victory for Take-Two and demonstrates that the Article III standing requirements under Spokeo can be an important limitation on claims based on bare procedural violations of the notice and consent provisions of the Illinois Biometric Information Privacy Act, 740 Ill. Comp Stat. 14/1 (“BIPA”).

As discussed in our prior post on the lower court’s opinion, the Santana case concerns the MyPlayer feature in the NBA 2K15 and NBA 2K16 videogames, which allows users to scan their own faces to create personalized virtual basketball avatars that can be used during gameplay (including during multiplayer games, if the gamer so chooses). To create the avatars, the game platform’s cameras scan the user’s face and head from various angles and then convert this data into a virtual player that resembles the user.

To create a MyPlayer avatar, a gamer must first agree to the following terms, which are presented on the viewer’s television screen or monitor:

Your face scan will be visible to you and others you play with and may be recorded or screen captured during gameplay. By proceeding you agree and consent to such uses and other uses pursuant to the End User License Agreement. www.take2games.com/eula

The plaintiffs made no allegations that their faceprints were disseminated or used for any other purpose outside of the game (for which they gave consent), or that their biometric data was wrongfully accessed by hackers or other third parties. Rather, they contended that Take-Two failed to comply with various provisions of BIPA, such as providing written notice of its data retention policies regarding gamers’ faceprints and maintaining adequate data security.

Generally speaking, under BIPA an entity cannot collect, capture, purchase, or otherwise obtain a person’s “biometric identifier” or “biometric information,” unless it first:

(1) informs the subject in writing that a biometric identifier is being collected;

(2) informs the subject in writing of the specific purpose and length of term for which a biometric identifier or biometric information is being collected, stored, and used; and

(3) receives a written release executed by the subject.

Take-Two moved to dismiss for lack of Article III standing and for failure to state a cause of action under the statute.  The district court granted the motion on both grounds and dismissed the action with prejudice.   Plaintiffs appealed, and in a summary order, the Second Circuit affirmed on standing grounds and remanded with instructions to enter a dismissal without prejudice, granting plaintiffs leave to amend.

The court initially found that Take-Two’s alleged procedural violations of BIPA’s notice provisions failed to raise a material risk of harm that would give plaintiffs Article III standing. It concluded that Take-Two indisputably informed users that the MyPlayer feature required a “face scan” that would be visible to other players during online gameplay and that such notice was sufficient to meet BIPA’s notice requirements.

The court similarly held that Take-Two’s alleged violations of related BIPA provisions failed to raise a material risk of harm:

“Plaintiffs allege that Take-Two did not inform them of the duration that it would hold their biometric data, as BIPA requires. However, plaintiffs have not shown that this violation, if true, presents a material risk that their biometric data will be misused or disclosed. Plaintiffs have not alleged that Take-Two has not or will not destroy their biometric data within the period specified by the statute, and accordingly have alleged only a bare procedural violation. Likewise, although Take-Two did not notify the plaintiffs of its [data retention schedule], plaintiffs do not allege that Take-Two lacks such protocols, that its policies are inadequate, or that Take-Two is unlikely to abide by its internal procedures. There is accordingly no material risk that Take-Two’s procedural violations have resulted in plaintiffs’ biometric data being used or disclosed without their consent.”

Going forward, the plaintiffs may have a difficult time filing an amended complaint that can survive dismissal, particularly given the lower court’s previous adverse opinion and the appeals court’s language finding “unpersuasive” plaintiffs’ “attempt to manufacture an injury.”

Although not the first court to dismiss a lawsuit allegedly technical violations of BIPA for lack of Article III standing, Santana is the first appeals court to do so, and such reasoning, even if contained in a non-precedential summary order, may be influential in other jurisdictions considering similar issues under BIPA.

We will continue to monitor developments in biometric privacy and technology.

SEC Chairman Jay Clayton’s Remarks on ICOs

In his remarks at a recent Practicing Law Institute program on securities regulation, Securities and Exchange Commission Chairman Jay Clayton once again addressed Initial Coin Offerings, or ICOs.  Mr. Clayton highlighted several issues in particular, including that in his view there is a lack of information about many online platforms that list and trade virtual coins or tokens offered and sold in ICOs, and that trading of tokens on these platforms is susceptible to price manipulation and other fraudulent trading practices. Continue Reading

YouTube Protected by CDA Immunity over Claims That It Provided Material Support to Terrorists

Following the reasoning of several past decisions, a California district court dismissed claims against Google under the Anti-Terrorism Act (ATA), 18 U.S.C. § 2333, for allegedly providing “material support” to ISIS by allowing terrorists to use YouTube  (temporarily, before known accounts are terminated) as a tool to facilitate recruitment and commit terrorism.  (Gonzalez v. Google, Inc., 2017 WL 4773366 (N.D. Cal. Oct. 23, 2017)). The court rejected the plaintiffs’ arguments that Google provided the terrorists with material support by allowing them to sign up for accounts (or regenerate shuttered accounts) and then allegedly serve targeted ads alongside such posted videos.  It ruled that even careful pleadings cannot change the fact that, in substance, plaintiffs’ attempt to hold Google liable as a publisher of the terrorist’s detestable content was barred by Section 230 of the Communications Decency Act (“CDA Section 230” or “CDA”).    Continue Reading

California Court Enjoins Canadian Court’s Global De-listing Order to Google as Contrary to CDA

In a decision that sets up a potential international comity showdown, a California district court granted Google’s request for a preliminary injunction preventing enforcement in the U.S. of a Canadian court order that compelled Google to globally de-list certain search results of a former distributor that had allegedly used its websites to unlawfully sell the defendant Equustek Solutions’s (“Equustek”) intellectual property. (Google LLC v. Equustek Solutions Inc., 2017 WL 5000834 (N.D. Cal.  Nov. 2, 2017)).

In granting Google’s request for a preliminary injunction, the court found that Google likely satisfied all three elements of qualifying for immunity under Section 230 of the Communications Decency Act, 47 U.S.C. §230(c)(1) (the “CDA” or “Section 230”) as a service provider that linked to third-party content, and that the Canadian court’s order implicated online free speech concerns.  Indeed, the court concluded its opinion with language that surely buoyed many online providers and open internet advocates that had previously expressed concerns about the extraterritorial effort of the Canadian order:

“By forcing intermediaries to remove links to third-party material, the Canadian order undermines the policy goals of Section 230 immunity and threatens free speech on the global internet.”

Continue Reading

Controversial “Gripe Site” Protected (Again) by the Communications Decency Act and Defeats Novel Copyright Attack with Website “Browsewrap” License to User Generated Content

The controversial consumer gripe site, RipoffReport.com, is at it again.  The First Circuit recently affirmed a lower court’s ruling that RipoffReport.com was entitled to immunity under Section 230 of the Communications Decency Act, 47 U.S.C. §230(c)(1) (the “CDA” or “Section 230”) for defamation-related claims based on certain user posts on its site. (Small Justice LLC v. Xcentric Ventures LLC, 2017 WL 4534395 (1st Cir. Oct. 11, 2017)). This is the latest in a string of victories for RipoffReport.com on that issue. In this case, RipoffReport.com also successfully relied on its website “terms of use” to fend off a novel copyright attack from the plaintiff, the successor-in-interest to the copyright in the user postings at issue.   Continue Reading

Supreme Court Denies Appeals of Notable Data Scraping, Computer Fraud Decisions from Ninth Circuit

This past week, the Supreme Court denied the petitions for certiorari in two noteworthy Ninth Circuit decisions that had interpreted the scope of liability under the federal Computer Fraud and Abuse Act (CFAA) in the context of wrongful access of company networks by employees and in instances involving unwanted data scraping from publicly available websites. (See Power Ventures, Inc. v. Facebook, Inc., 844 F.3d 1058 (9th Cir. 2016), cert. denied (Oct. 10, 2017); Nosal v. U.S., 828 F.3d 865 (9th Cir. 2016) (Nosal II), cert. denied (Oct. 10, 2017)).   Power Ventures involved a social media aggregation service that scraped Facebook user data with the permission of the user. There, the appeals court had held that while a violation of the terms of use of a website—without more—cannot be the basis for liability under the CFAA, a commercial entity that accesses a public website after permission has been explicitly revoked can be civilly liable under the CFAA.  In Nosal II, the Ninth Circuit had ruled that a former employee, whose access has been revoked, and who uses a current employee’s login credentials to gain network access to his former company’s network, violated the CFAA.

With the Court declining to review, this important pair of rulings about the breadth of CFAA liability will stand.  What will be interesting – especially with respect to the nuanced issues surrounding CFAA liability for data scraping – is how the Ninth Circuit will clarify or refine its Power Ventures holding when it considers the appeal of the recent landmark decision from the Northern District of California in hiQ Labs, Inc. v. LinkedIn, Corp., 2017 WL 3473663 (N.D. Cal. Aug. 14, 2017), a ruling that distinguished Power Ventures and appeared to limit the applicability of the CFAA as a tool against scraping.

 

Ninth Circuit Rejects Claim That Amazon’s Terms and Conditions Are an Unconscionable Contract

In an unpublished opinion, the Ninth Circuit affirmed a lower court’s ruling that had sent a putative class action against Amazon over its pricing practices to arbitration, as per Amazon’s terms of service. (Wiseley v. Amazon.com, Inc., No. 15-56799 (9th Cir. Sept. 19, 2017) (unpublished)).  In finding that Amazon’s “Conditions of Use” were not unconscionable and presented in a reasonable manner, this holding differs from a Second Circuit decision from last year that declined to compel arbitration because reasonable minds could disagree regarding the sufficiency of notice provided to Amazon.com customers when placing an order through the website. (On remand, a New York magistrate judge ruled that the court should grant Amazon’s motion to compel arbitration on other grounds based upon the plaintiff’s constructive knowledge of the terms.) Continue Reading

LexBlog