New Media and Technology Law Blog

Site Cannot Compel Arbitration Based upon Later-Amended Terms without Showing Adequate User Notification of Change

A D.C. district court ruled that an eBay user did not assent to a later-added arbitration clause to the user agreement by virtue of a provision that stated eBay could amend the agreement at any time, as the user may not have received sufficient notice of the amendment. (Daniel v. eBay, Inc., No. 15-1294 (D.D.C. July 26, 2018)). Notably, the court declined to find adequate notice sufficient to demonstrate an agreement to arbitrate merely based on the fact that the amended user agreements were posted on eBay’s website (at least under Utah, Louisiana or Texas law). This case is interesting as many websites and services have added mandatory arbitration clauses to their terms in recent years, yet may have a stable of legacy users that agreed to a prior set of terms that did not contain such a provision.

In Daniel v. eBay, the plaintiff purchased an allegedly counterfeit watch in July 2015 from an eBay seller and was unable to resolve the issue, eventually bringing breach of contract and other claims against eBay and the seller.  eBay moved to compel arbitration based on plaintiff’s assent to the 1999 User Agreement, which did not have an arbitration clause but contained the change-in-terms clause (i.e., eBay may “amend this Agreement at any time by posting the amended terms on our site”). Because eBay later amended its user agreement in 2012 and 2015 to require arbitration pursuant to the change-in-terms clause, eBay argued that plaintiff agreed to the amendment and failed to opt out of the arbitration provision by mail within a certain time period. eBay also stated that it notified the plaintiff of the 2015 User Agreement via an email sent to his registered email address. In response, plaintiff contended that he never agreed to the 2012 and 2015 arbitration clauses because he never received notification of the amended user agreement.

At issue was whether plaintiff consented to and was bound by the later-added arbitration clause under either Utah, Texas or Louisiana law (the court did not resolve the choice of law issue as it believed the motion would be similarly decided in each of those jurisdictions).  The magistrate judge’s recommendation concluded that the plaintiff agreed to arbitrate because he accepted the 1999 user agreement which contained the change-in-terms provision.  However, the district court judge declined to adopt the magistrate’s recommendation and denied eBay’s motion to compel.

According to the court, a party may consent to a later-added arbitration clause if the party: (1) is notified about the arbitration clause; and (2) assents via continued use of the product or service.  Essentially, the court examined whether the agreement to arbitrate was a “remedy freely bargained for by the parties,” and reviewed the evidence regarding notice given to the plaintiff.

“Therefore, while a party need not necessarily sign a contract with a later-added arbitration clause in order to assent, the party cannot agree to a newly-added arbitration clause without personal notice of that provision.”

“This is not to say that eBay must prove that Mr. Daniel actually received notice. However, eBay must show and the record must reflect that it undertook specific efforts to send notice of the new arbitration provisions to Mr. Daniel on a certain date.”

Ultimately, the court found that eBay failed to establish that it notified plaintiff about the 2012 and 2015 amended user agreements containing the arbitration clauses.  The court first rejected the contention that plaintiff received notice when eBay posted the amended agreements on its website, noting that eBay did not provide any binding authority that such posts constituted notice sufficient to demonstrate an agreement to arbitrate.  The court then found that the record did not support eBay’s assertion that it sent notice of the 2015 amendment to plaintiff via email, concluding that eBay’s email exhibit was a form email purportedly sent to eBay users not directly addressed to plaintiff and there was a lack of evidence showing that an email was sent to the plaintiff – a statement that eBay had mailed a notice to all users was not sufficient.

The court’s opinion offers some lessons on building a record that establishes that users have been given notice of a later-added arbitration clause and that an actual mailing or attempt to mail have been directed personally to the user. These include such things as evidence of the company’s quality assurance controls to ensure that every customer received notice of a later-added arbitration provision or specific efforts to send notice of the new arbitration provisions to the user in question on a certain date.

In a Divided Opinion, California Supreme Court Squashes End Run around CDA Immunity That Sought to Compel a Non-Party Online Platform to Remove Defamatory Content

In a closely-followed dispute, the California Supreme Court vacated a lower court order, based upon a default judgment in a defamation action, which had directed Yelp, Inc. (“Yelp”), a non-party to the original suit, to take down certain consumer reviews posted on its site. (Hassell v. Bird, No. S235968, 2018 WL 3213933 (Cal. July 2, 2018)).  If the plaintiffs had included Yelp as a defendant in the original suit, such a suit would have likely been barred by Section 230 of the Communications Decency Act (“CDA” or “CDA Section 230”); instead, the plaintiffs adopted a litigation strategy to bypass such legal immunities.  In refusing to allow plaintiff’s “creative pleading” to avoid the CDA, the outcome was a win for online companies and platforms that host user-generated content (“A Case for the Internet,” declared Yelp). Continue Reading

Illinois Biometric Privacy Suit over Employee Fingerprinting Remanded for Lack of Standing

An Illinois district court remanded to state court for lack of standing a biometric privacy suit brought by employees over the collection and storage of individuals’ fingerprints allegedly in violation of the Illinois Biometric Information Privacy Act, 740 ILCS 14/1 (“BIPA”). (Aguilar v. Rexnord, LLC, No. 17 CV 9019 (N.D. Ill. July 3, 2018)).  This decision echoes other recent rulings where federal courts have found a lack of Article III standing in disputes where employees claimed procedural violations of BIPA over the knowing collection of fingerprints for timekeeping purposes, absent any claims of wrongful sharing or disclosure.  See e.g., Howe v. Speedway LLC, No. 17-07303 (N.D. Ill. May 31, 2018) (even if failing to provide certain disclosures and obtain his written authorization prior to collecting and storing plaintiff’s fingerprints may constitute a violation of BIPA, such procedural violations did not cause an injury in fact where the employee was aware of the nature and purpose of collection); Goings v. UGN, Inc., No. 17-9340 (N.D. Ill. June 13, 2018) (remanding BIPA claims for lack of Article III standing because claims were too abstract and employee was aware he was providing fingerprint data to his employers and did not claim any non-consensual disclosure of such data).  Continue Reading

CFAA and Breach of Contract Claims Dismissed in Website Data Scraping Suit

This past week, an Illinois district court dismissed, with leave to amend, claims relating to a competitor’s alleged scraping of sales listings from a company’s website for use on its own site. (Alan Ross Machinery Corp. v. Machinio Corp., No. 17-3569 (N.D. Ill. July 9, 2018)).

The court dismissed a federal Computer Fraud and Abuse Act (CFAA) claim that the defendant accessed the plaintiff’s servers “without authorization,” finding that the plaintiff failed to plead with specificity any damage or loss related to the scraping and did not allege that the unlawful access resulted in monetary damages of $5,000 or more as required to maintain a civil action under the CFAA.  In the court’s view, the “mere copying of electronic information from a computer system is not enough to satisfy the CFAA’s damage requirement.”  The court also dismissed plaintiff’s breach of contract claims, concluding that defendant did not have notice of the plaintiff’s website terms and conditions based upon an unenforceable browsewrap agreement. Continue Reading

Illinois Biometric Privacy Suit Survives Dismissal Based on Harm from Alleged Disclosure of Data to Outside Vendor

Last December, an Illinois appellate court, in the Rosenbach v. Six Flags decision (2017 IL App (2d) 170317 (Dec. 21, 2017)), dismissed biometric privacy claims lodged against theme park operators for collecting fingerprints to authenticate season-pass holders allegedly in violation of the notice and consent provisions of Illinois’s Biometric Information Privacy Act (BIPA), which regulates the collection, retention, and disclosure of personal biometric identifiers and biometric information.  BIPA expressly provides that “any person aggrieved by a violation” of the BIPA may pursue money damages and injunctive relief against the offending party.  In interpreting what “aggrieved” means under BIPA, the Rosenbach court ruled that a “person aggrieved by a violation of [the] Act” must allege some harm (“[A] plaintiff who alleges only a technical violation of the statute without alleging some injury or adverse effect is not an aggrieved person under…the Act”).  While federal courts have weighed in on whether litigants have Article III standing when asserting mere procedural violations of BIPA’s consent and data retention requirements, it was not clear if such procedural violations, without any showing of harm or data misuse, were actionable under the statute.  Rosenbach was the first time an Illinois appellate court weighed in on the meaning of an “aggrieved” party under BIPA.

Following Rosenbach, we speculated whether the decision would curb the wave of BIPA class actions asserting procedural violations filed against employers and businesses that used biometrics to authenticate employees or customers; the answer to that question remains in flux, with subsequent rulings falling both ways.  For example, at least two Illinois trial courts followed Rosenbach in dismissing BIPA claims, though without intensive analysis of the issue. See: Rottner v. Palm Beach Tan, Inc., No. 15-CH-16695 (Ill. Cir. Ct. Mar. 2, 2018) (bound by Rosenbach‘s holding that neither liquidated damages nor injunctive relief is authorized under BIPA when the only injury alleged is a statutory violation; court stated that plaintiff allowed defendants to scan her fingerprint and there had been no publication of plaintiffs private information to sustain injury to a privacy right); Sekura v. Krishna Schaumburg Tan, Inc., No. 16-CH-04945 (Ill. Cir. Ct. Jan. 16, 2018) (brief order dismissing claims “[f]or the reasons outlined in Rosenbach”) (on appeal).

However, the recent California district court ruling in the Facebook biometric privacy litigation parted company with a reading of Rosenbach that would require a litigant to show an “actual” injury beyond the invasion of privacy rights outlined under BIPA and instead ruled that the plaintiffs had “sufficiently alleged” an intangible injury to a privacy right to be “aggrieved” under BIPA. It should be noted that the California court did look differently at Rosenbach and other cases involving voluntary fingerprinting where individuals knew that their biometric data would be collected before they accepted services as opposed to the social media photo tagging situation where such plaintiffs allege that they were not put on adequate notice that biometric data could be collected from uploaded photos.

This past month, in a notable ruling, an Illinois appellate court followed Rosenbach yet still declined to dismiss a suit brought by a former employee who asserted BIPA and negligence claims, among others, against a senior living center (“Defendant” or “Smith”) and its time clock vendor over the scanning of her fingerprints onto an employee biometric timekeeping device. (Dixon v. The Washington and Jane Smith Community – Beverly, No. 17-8033 (N.D. Ill. May 31, 2018)).  Specifically, the complaint alleged that Smith required new employees to have their fingerprints scanned by the defendant Kronos’s fingerprint scanner and entered into a database so employees could be authenticated when clocking in and out.  According to the plaintiff, Smith, among other things, failed to give adequate notice or obtain written consent before colleting her fingerprints, or post a biometric data retention policy.  Moreover – and really the allegation that pushed the complaint over the line – plaintiff claimed that, in addition to collecting and storing her biometric information, Smith also “systematically disclosed” that information to Kronos, the out-of-state, third-party vendor of Smith’s biometric time clocks, without informing her that it was doing so. Continue Reading

Court Denies TRO against Data Scraper That Accessed Private Database via Registered Accounts

This past week, a Texas district court denied a bid from a web service for a temporary restraining order (TRO) to enjoin a competitor that allegedly scraped a large amount of proprietary data from its closed site via several user accounts. (BidPrime, LLC v. SmartProcure, Inc., No. 18-478 (W.D. Tex. June 18, 2018)). While tempting to draw a general legal conclusion about the permissibility of scraping from this decision, the decision was in fact based on the judgement of the court that scraping was unlikely to continue during the pendency of the litigation.

Nonetheless, the dispute highlights the host of legal issues that can arise when an entity accesses a website or database to scrape data for competitive or other reasons using user credentials or fake accounts or proxies to mask its true identity. For example, the plaintiff BidPrime, LCC (“BidPrime”) sought injunctive relief based upon claims under the federal Computer Fraud and Abuse Act (CFAA) and state law counterpart, state trade secret law, and breach of contract, among others. Whether such claims are viable are of course dependent on the specific facts and circumstances of the dispute, the restrictions contained in the website terms of use, what countermeasures and demands the website owner made to the web scraper to prevent unwanted access, and the state of the current interpretation of applicable law. This decision did not analyze these factors beyond concluding that ongoing scraping was unlikely. Continue Reading

New York State Court Declines to Compel Arbitration, Cites Purported Ambiguities in Mobile Contracting Process

Courts are increasingly taking a magnifying glass to electronic contracting processes, particularly how the presentation of the terms of service and call to action are displayed.  As such, companies might take a second look at their own user registration and e-commerce purchase processes to ensure they offer reasonably conspicuous notice of the existence of contract terms and obtain manifestation of assent by the user to those terms.  Courts will generally enforce clickwrap style agreements as long as the layout and language of the site or mobile app give the user reasonable notice that a click will manifest assent to an agreement.  Last year, the Second Circuit, in the notable Meyer opinion, blessed Uber’s mobile contracting process, but in considering a similar Uber platform, a New York state court late last month declined to compel the arbitration of user claims due to what the court considered an “ambiguous registration process.”  (Ramos v. Uber Technologies, Inc., 2018 NY Slip Op 28162 (N.Y. Sup. Ct. Kings Cty. May 31, 2018)).  Such conflicting rulings highlight the importance of web design in determining if a service’s terms are deemed enforceable. Continue Reading

A Busy Month in the Facebook Photo Tagging Biometric Privacy Dispute

As discussed in past posts about the long-running Facebook biometric privacy class action, users are challenging Facebook’s “Tag Suggestions” program, which scans for and identifies people in uploaded photographs for photo tagging. The class alleges that Facebook collected and stored their biometric data without prior notice or consent in violation of the Illinois Biometric Information Privacy Act (BIPA), 740 Ill. Comp. Stat. 14/1 et seq.  While other technology companies face BIPA actions over photo tagging functions, In Re Facebook is the headliner of sorts for BIPA litigation, being the most closely-watched and fully-litigated.

There have been a host of new developments in this case as the parties continued to joust when the prospect of a trial was looming.  Earlier this month, a California district court denied both parties’ motions for summary judgment and found that a “multitude of factual disputes” barred judgment as a matter of law for either side.   (In re Facebook Biometric Information Privacy Litig., No. 15-03747 (N.D. Cal. May 14, 2018)).  The court’s prior orders over the past several years provide the context for the denial of summary judgment and the court’s refusal to revisit procedural rulings. See: In re Facebook Biometric Info. Privacy Litig., 185 F. Supp. 3d 1155 (N.D. Cal. 2016) (declining to enforce California choice of law provision in user agreement and applying Illinois law and refusing to find that the text of BIPA excludes from its scope all information involving photographs); Patel v. Facebook Inc., 290 F. Supp. 3d 948 (N.D. Cal. 2018) (declining to dismiss based on lack of Article III standing); In re Facebook Biometric Info. Privacy Litig., No. 15-03747, 2018 WL 1794295 (N.D. Cal. Apr. 16, 2018) (certifying Illinois user class and refusing Facebook’s renewed arguments to dismiss on procedural grounds).  Continue Reading

Unanticipated Mobile Data Leaks Remain an Ongoing Issue

There has been a lot of attention in the media lately with respect to the Facebook/Cambridge Analytica issue and its fall-out (including today’s coverage of the announcement that Facebook suspended almost 200 apps pending a more complete investigation in whether any user data was misused). As part of that discussion, Apple’s CEO Tim Cook has been one of many voices criticizing Facebook’s practices.  It is interesting then to note then that Apple is quietly beginning to enforce long-standing and long-ignored rules in the Apple iOS developer’s agreement and App Store Review Guidelines that, except for two limited exceptions, precluded an app publisher from sharing information collected from users on their phones with third parties. According to a recent article in 9to5mac.com, Apple is now removing those apps from the app store that are sharing data in violation of these restrictions.

It will be interesting to see how this all plays out and whether this development captures the media’s attention the way the Facebook episode did.  This latest episode highlights that instances of consumer data accessed by third parties in the mobile context is an issue that may be broader than first thought.

Researchers May Challenge the Constitutionality of the CFAA “Access” Provision as Applied to Web Scraping

Such Scraping “Plausibly Falls within the Ambit of the First Amendment”

The Ninth Circuit is currently considering the appeal of the landmark hiQ decision, where a lower court had granted an injunction that limited the applicability of the federal Computer Fraud and Abuse Act (CFAA) to the blocking of an entity engaging in commercial data scraping of a public website.  While we wait for that decision, there has been another fascinating development regarding scraping, this time involving a challenge to the CFAA brought by academic researchers.  In Sandvig v. Sessions, No. 16-1368 (D.D.C. Mar. 30, 2018), a group of professors and a media organization, which are conducting research into whether the use of algorithms by various housing and employment websites to automate decisions produces discriminatory effects, brought a constitutional challenge alleging that the potential threat of criminal prosecution under the CFAA for accessing a website “without authorization” (based upon the researchers’ data scraping done in violation of the site’s terms of use) violates their First Amendment rights.

In a preliminary decision, a district court held that the plaintiffs have standing and allowed their as-applied constitutional challenge to the CFAA to go forward with regard to the activity of creating fictitious accounts on web services for research purposes.  The decision contains vivid language on the nature of the public internet as well as how the plaintiffs’ automated collection and use of publicly available web data would not violate the CFAA’s “access” provision even if a website’s terms of service prohibits such automated access (at least with respect to the facts of this case, which involves academic or journalistic research as opposed to commercial or competitive activities). Continue Reading

LexBlog