A service provider seeking to take advantage of certain of the safe harbors under the Digital Millennium Copyright Act (DMCA) is required to designate an agent to receive takedown notices. The service provider is required to post the DMCA agent’s contact information on its website and to provide such information
Illinois Biometric Privacy Suit over Collection of Fingerprints Settled
Earlier this month, an Illinois state court approved a $1.5 million settlement in a class action against L.A. Tan Enterprises, Inc., operator (directly and through franchisees) of L.A. Tan tanning salons. The settlement resolved allegations that L.A. Tan violated the Illinois Biometric Information Privacy Act (BIPA) by collecting Illinois members’ fingerprints for verification during check-in without complying with BIPA’s notice and consent requirements. (See Sekura v. L.A. Tan Enterprises, Inc., No. 2015-CH-16694 (Ill. Cir. Ct. Cook Cty. First Amended Class Complaint filed Apr. 8, 2016)). Under the settlement, approximately 37,000 class members who had their fingerprints scanned at a L.A. Tan location in Illinois between a specified three-year period (Nov. 13, 2013 to August 11, 2016) will receive a pro rata share of the settlement. Moreover, L.A. Tan agreed to comply with BIPA in the future and ensure the compliance of its franchisees.
Website Design Implicated in Two Rulings on Enforceability of Online Terms – Highlights the Importance of Legal Review of Design Decisions
This past summer, we wrote about two instances in which courts refused to enforce website terms presented in browsewrap agreements. As we noted, clickthrough agreements are generally more likely to be found to be enforced. However, even the enforceability of clickthrough agreements is going to depend, in part, on how the user experience leading to the “agreement” is designed. Two recent decisions illustrate the importance of web design and the presentation of the “call to action” language in determining the enforceability of a site’s clickthrough terms.
In a decision from early November, a D.C. federal court ruled that an Airbnb user who signed up on a mobile device had assented to the service’s Terms and was bound to arbitrate his claims. (Selden v. Airbnb, Inc., 2016 WL 6476934 (D.D.C. Nov. 1, 2016)). Conversely, in a notable decision from late August, the Second Circuit refused to rule as a matter of law that the plaintiff was bound by the arbitration clause contained in Amazon’s terms and conditions because the plaintiff did not necessarily assent to and was on constructive notice of the terms when he completed the purchase in question. (Nicosia v. Amazon.com, Inc., 2016 WL 4473225 (2d Cir. Aug. 25, 2016)).
Claims against Cloud Storage Service Hinge on Grant of Rights Clause
In a dispute that touches on the intersection of copyright, contract law and cloud technology, the Second Circuit affirmed the dismissal of copyright claims against Barnes & Noble (“B&N”) related to ebook samples stored on a user’s B&N-provided cloud-based locker. Notably, the Second Circuit dismissed the case on contractual grounds, declining the opportunity to opine on two important modern copyright doctrines that are often implicated when users store copyrighted content on the cloud.
In Smith v. BarnesandNoble.com, LLC, 2016 WL 5845690 (2d Cir. Oct. 6, 2016), an author contracted with Smashwords, an online ebook distributor, to market his book. In accordance with this contract, the book was offered to B&N, which listed the book for sale on bn.com and made free samples available. When a B&N customer downloaded a free sample (or purchased an ebook) the content was stored on a cloud-based digital locker associated with the customer’s account from which the content could be downloaded to devices whenever and wherever the user wanted.
Know Thy Software Vendor: Website Operator Cannot Sidestep Copyright Infringement Claims over Link to Allegedly Infringing Software
Last month, a New York district court refused to dismiss most of the copyright infringement claims asserted against a website operator based on an allegation that the website linked to an infringing copy of plaintiff’s software stored on a third-party’s servers. (Live Face on Web, LLC v. Biblio Holdings LLC, 2016 WL 4766344 (S.D.N.Y., September 13, 2016)).
The software at issue allows websites to display a video of a personal host to welcome online visitors, explaining the website’s products or services and, ideally, capturing the attention of the visitor and increasing the site’s “stickiness.” A website operator/customer implements the software by embedding an HTML script tag to its website code to link the website to a copy of the software on the customer’s server or an outside server. When a user’s browser retrieves a webpage, a copy of the software is allegedly stored on the visitor’s computer in cache.
Liability under CDA Section 230? Recent Lawsuit Tries to Flip the Script against Social Media Service
UPDATE: In late October 2016, the parties notified the court that they were in discussions to settle the matter and would jointly stipulate to a dismissal of the action without prejudice. On November 2nd, the court dismissed the action.
Title V of the Telecommunications Act of 1996, also known as the “Communications Decency Act of 1996” or “CDA” was signed into law in February 1996. The goal of the CDA was to control the exposure of minors to indecent material, but the law’s passage provoked legal challenges and pertinent sections of the Act were subsequently struck down by the Supreme Court as unconstitutional limitations on free speech. Yet, one section of the CDA, §230, remained intact and has proven to encourage the growth of web-based, interactive services.
Over the last few years, website operators, search engines and other interactive services have enjoyed a relative stable period of CDA immunity under Section 230 of the Communications Decency Act (CDA) from liability associated with user-generated content. Despite a few outliers, Section 230 has been generally interpreted by most courts to protect website operators and other “interactive computer services” against claims arising out of third-party content.
However, a recent dispute involving a Snapchat feature known as “Discover” raises new questions under the CDA. The feature showcases certain interactive “channels” from selected partners who curate content daily. Last month, a parent of a 14-year old filed a putative class action against Snapchat claiming that her son was exposed to inappropriately racy content, particularly since, as plaintiff alleges, Snapchat does not tailor its feeds for adult and younger users. (Doe v. Snapchat, Inc., No. 16-04955 (C.D. Cal. filed July 7, 2016)). The complaint asserts that while Snapchat’s terms of service prohibit users under 13 from signing up for the service, it does not include any warnings about any possible “offensive” content on Snapchat for those under 18, beyond stating some “Community Guidelines” about what types of material users should not post in “Stories” or “Snaps.”
Mobile App VPPA Suit Survives Spokeo Standing Challenge
In Yershov v. Gannett Satellite Information Network, Inc., a user of the free USA Today app alleged that each time he viewed a video clip, the app transmitted his mobile Android ID, GPS coordinates and identification of the watched video to a third-party analytics company to create user profiles for the purposes of targeted advertising, in violation of the Video Privacy Protection Act (VPPA). When we last wrote about this case in May, the First Circuit reversed the dismissal by the district court and allowed the case to proceed, taking a more generous view as to who is a “consumer” under the VPPA.
On remand, Gannett moved to dismiss the complaint again for lack of subject matter jurisdiction, contending that the complaint merely alleges a “bare procedural violation” of the VPPA, insufficient to establish Article III standing to bring suit under the standard enunciated in the Supreme Court’s Spokeo decision. In essence, Gannett contended that the complaint does not allege a concrete injury in fact, and that even if it did, the complaint depends on the “implausible” assumption that the third-party analytics company receiving the data maintains a “profile” on the plaintiff.
California Legislature Nearing Final Debate of Biometric and Geolocation Data Security Bill
UPDATE: Prior to the close of the legislative session, the amended AB 83 failed to make it out committee.
With the session ending on August 31st, the California legislature is debating a bill (AB 83) that would expand data security requirements for businesses that maintain personal information of California residents to include, among other things, protection for geolocation and biometric data. Under existing law (Cal. Civ. Code §1798.81.5(b)), a person or business that owns, licenses, or maintains a California resident’s “personal information,” must implement and maintain “reasonable security procedures and practices appropriate to the nature of the information.” The current law also lists multiple types of covered “personal information.”
Browsewrap Agreement Held Unenforceable – Website Designers Take Note!
In Nghiem v Dick’s Sporting Goods, Inc., No. 16-00097 (C.D. Cal. July 5, 2016), the Central District of California held browsewrap terms to be unenforceable because the hyperlink to the terms was “sandwiched” between two links near the bottom of the third column of links in a website footer. Website developers – and their lawyers – should take note of this case, part of an emerging trend of judicial scrutiny over how browsewrap terms are presented. Courts have, in many instances, refused to enforce browsewraps due to a finding of a lack of user notice and assent. In this case, the most recent example of a court’s specific analysis of website design, a court suggests that what has become a fairly standard approach to browsewrap presentment fails to achieve the intended purpose.
CFAA Double Feature: Ninth Circuit Issues Two Important Decisions on the Scope of Liability Related to Data Scraping and Unauthorized Access to Employer Databases
UPDATE: On January 18, 2019, the Ninth Circuit affirmed the award of damages and injunctive relief in favor of Facebook. (Facebook, Inc. v. Power Ventures, Inc., No. 17-16161 (9th Cir. Jan. 18, 2019) (unpublished)). The California district court in 2017 had awarded Facebook almost $80,000 in CFAA damages, representing only the period after Facebook sent its cease and desist letter to the defendant and including expenses both for technical measures to block Power Ventures from accessing Facebook servers and expenses for negotiating with Power Ventures to voluntarily stop its activities and destroy the data. The lower court also granted Facebook’s request for a permanent injunction barring defendant from, among other things, accessing Facebook for a commercial purpose without permission.
- Unauthorized Access: A former employee, whose access has been revoked, and who uses a current employee’s login credentials to gain network access to his former company’s network, violates the CFAA. [U.S. v. Nosal, 2016 WL 3608752 (9th Cir. July 5, 2016)]
- Data Scraping: A commercial entity that accesses a public website after permission has been explicitly revoked can be civilly liable under the CFAA. However, a violation of the terms of use of a website, without more, cannot be the basis for liability under the CFAA, a ruling that runs contrary to language from one circuit level decision regarding potential CFAA liability for screen scraping activities (See e.g., EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58 (1st Cir. 2003)). [Facebook, Inc. v. Power Ventures, Inc., No. 13-17102 (9th July 12, 2016)]
This past week, the Ninth Circuit released two important decisions that clarify the scope of liability under the federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. The Act was originally designed to target hackers, but has lately been brought to bear in many contexts involving wrongful access of company networks by current and former employees and in cases involving the unauthorized scraping of data from publicly available websites.