In recent years, courts have issued a host of rulings as to whether online or mobile users received adequate notice of and consented to user agreements or website terms when completing an online purchase or registering for a service. Some online agreements have been enforced, while others have not. In each case, judges have examined the circumstances behind the transaction closely, scrutinizing the user interface and how the terms are presented before a user completes a transaction. In general, most courts seek to determine whether the terms are reasonably conspicuous to the prudent internet user and whether the user manifested sufficient assent by signing up for a service or completing a transaction.

From the perspective of making a sign-up process as smooth as possible, there is often an interest in moving the reference to terms and conditions out of the main flow of user sign-ups.  However, as we were reminded recently by an Illinois court examining the interfaces of DVD rental company Redbox, one does so at risk of finding those terms to be unenforceable.

The Illinois court noted numerous shortcomings with Redbox’s electronic contracting process.  It found that because links to the relevant terms were not clearly and conspicuously displayed, customers did not have constructive notice that they were assenting to those terms when hitting the “Pay Now” button to rent a DVD at a kiosk or by signing into a Redbox account online. (Wilson v. Redbox Automated Retail, LLC, No. 19-01993 (N.D. Ill. Mar. 25, 2020)). As such, the court denied Redbox’s motion to compel arbitration of plaintiff’s claims.

Teami, LLC (“Teami”), a marketer of teas and skincare products, agreed to settle FTC charges alleging that its retained social media influencers did not sufficiently disclose that they were being paid to promote Teami’s products. The FTC’s Complaint also included allegations that Teami made unsupported weight-loss and health claims about its products, an issue that is beyond the scope of this blog post. The Stipulated Order for Permanent Injunction and Monetary Judgment was approved by a Florida district on March 17, 2020.

This settlement is significant in that it identifies clear steps that an advertiser can follow in the interest of avoiding similar FTC allegations of deception with respect to paid endorsers. Compliance in this area remains an ongoing concern as the FTC reiterated in a statement accompanying the settlement that: “[T]he Commission is committed to seeking strong remedies against advertisers that deceive consumers because deceptive or inaccurate information online prevents consumers from making informed purchasing decisions….”

Last week, Democratic Senators Ron Wyden and Sherrod Brown and Congresswoman Anna Eshoo sent a letter to FTC Chairman Joseph J. Simons urging the agency to investigate whether analytics firm Envestnet, Inc. (which operates Yodlee) was violating the FTC Act.

According to the letter, Yodlee is the largest consumer financial data aggregator in the United States.  It aggregates financial information from banks, credit card companies and other financial services providers with consumer consent, and maintains a database of credit and debit card transactions of tens of millions of consumers. The letter asserts that Yodlee is used by over 1,200 companies to offer online personal finance tools to consumers.  Yodlee offers its software and platform to fintech providers, banks, financial apps, consumers and others to help process financial data from various sources.

The crux of the letter claims that Envestnet sells access to such consumer data without meaningful notice to consumers of such sale.  The members of Congress reject Envestment’s position that consumer privacy is protected because the data it sells is anonymized, and claim that Envestnet does not inform consumers that their personal financial data is being sold, but rather relies on its partners to make such disclosures in privacy policies or terms of service. The letter asserts that this is not sufficient, as Envestnet does not appear to take any steps to ensure that its partners give such notice, and even if they did, such practices place the burden on consumers to find such a notice “buried in small print” and then search for a way to opt out of such data sharing.

Recently, the Ninth Circuit reinstated a $460,000 jury verdict against print-on-demand site Zazzle, Inc. (“Zazzle”) for willful copyright infringement, putting a final stamp (perhaps) on a long-running dispute that explored important DMCA safe harbor issues for online print-on-demand services. (Greg Young Publishing, Inc. v. Zazzle, Inc., No. 18-55522 (9th Cir. Nov. 20, 2019) (unpublished). The appeals court found that Zazzle’s anti-infringement oversight mechanisms were insufficient during the period of infringement when a number of the plaintiff’s Greg Young Publishing, Inc.’s (“GYPI”) visual art works were uploaded by users onto Zazzle’s site without authorization.

UPDATE: In September 2020, the parties settled the matter.

UPDATE: On August 23, 2019, the Third Circuit granted Amazon’s petition for rehearing en banc in the Oberdorf case.  As per the order, the opinion dated July 3, 2019 is vacated.

In early July, an appeals court ruled that Amazon should be considered a “seller” of goods under Pennsylvania products liability law and subject to strict liability for consumer injuries caused by the defective goods sold on its site by third-party vendors. (Oberdorf v. Amazon.com, No. 18-1041 (3rd Cir. July 3, 2019)). While the decision involved interpretation of Pennsylvania law – and Amazon has previously prevailed on the “seller” issue in various courts around the country in recent years – the ruling is still noteworthy as it was based upon § 402A Restatement (Second) of Torts (which other states may follow), and the ruling may signal a willingness to reinterpret the definition of “seller” in the modern era of online platforms. The decision also highlights the limits of immunity under Section 230 of the Communications Decency Act (CDA) for online marketplaces when it comes to products liability claims based on a site’s sales activity, as opposed to editorial decisions related to third-party product listings.

This week, the FTC entered into a proposed settlement with Unrollme Inc. (“Unrollme”), a free personal email management service that offers to assist consumers in managing the flood of subscription emails in their inboxes. The FTC alleged that Unrollme made certain deceptive statements to consumers, who may have had privacy concerns, to persuade them to grant the company access to their email accounts. (In re Unrolllme Inc., File No 172 3139 (FTC proposed settlement announced Aug. 8, 2019).

This settlement touches many relevant issues, including the delicate nature of online providers’ privacy practices relating to consumer data collection, the importance for consumers to comprehend the extent of data collection when signing up for and consenting to a new online service or app, and the need for downstream recipients of anonymized market data to understand how such data is collected and processed.  (See also our prior post covering an enforcement action involving user geolocation data collected from a mobile weather app).

In early July, Ticketmaster reached a favorable settlement in its action against a ticket broker that was alleged to have used automated bots to purchase tickets in bulk, thus ending a dispute that produced notable court decisions examining the potential liabilities for unwanted scraping and website access. (Ticketmaster L.L.C. v. Prestige Entertainment West Inc., No. 17-07232 (C.D. Cal. Final Judgment July 8, 2019)).

In the litigation, Ticketmaster alleged that the defendant-ticket broker, Prestige, used bots and dummy accounts to navigate Ticketmaster’s website and mobile app to purchase large quantities of tickets to popular events to resell for higher prices on the secondary market. Under the terms of the settlement, Prestige is permanently enjoined from using ticket bot software to search for, reserve or purchase tickets on Ticketmaster’s site or app (at rates faster than human users can do using standard web browsers or mobile apps) or circumventing any CAPTCHA or other access control measure on Ticketmaster’s sites that enforce ticket purchasing limits and purchasing order rules.  Prestige is also barred from violating Ticketmaster’s terms of use or conspiring with anyone else to violate the terms, or engage in any other prohibited activity.

During the 2016 election, certain Russian operatives used fake social media profiles to influence voters and also created bot accounts to add likes to and share posts across the internet.  And more recently, in January 2019, the New York Attorney General and Office of the Florida Attorney General announced settlements with certain entities that sold fake social media engagement, such as followers, likes and views.  Moreover, many of the social media platforms have had recent purges of millions of fake accounts.  Thus, it’s clear that bots and automated activity on social media platforms has been on everyone’s radar…including state legislators’ too.

Indeed, California passed a chatbot disclosure law (SB-1001) last September that makes it unlawful for persons to mislead users about their artificial bot identity in certain circumstances, and it is only now coming into effect on July 1st.  In essence, the purpose of law was to inform users when they are interacting with a virtual assistant or chatbot or automated social media account so that users could change their behavior or expectations accordingly.  Entities that may interact online or via mobile applications with their customers regarding commercial transactions via a chatbot on their own website or automated account on another platform should certainly take note of the new California law’s disclosure requirements.

This month, an Illinois district court considered another in the series of web scraping disputes that have been working their way through our courts.  In this dispute, CouponCabin, Inc. v. PriceTrace, LLC, No. 18-7525 (N.D. Ill. Apr. 11, 2019), CouponCabin alleged that a competitor, PriceTrace, scraped coupon codes from CouponCabin’s website without authorization and displayed them on its own website.

After discovering PriceTrace’s scraping activities, CouponCabin sent PriceTrace a cease and desist letter demanding that PriceTrace stop scraping data from CouponCabin’s website.  CouponCabin alleged that PriceTrace continued to access and scrape data from CouponCabin’s website even after the C&D letter was sent. As a result, CouponCabin brought several causes of action against PriceTrace, including claims under the Computer Fraud and Abuse Act (CFAA), tortious interference and breach of contract.

The court found that CouponCabin’s C&D letter had revoked PriceTrace’s access to its site and that PriceTrace’s alleged continued access to the website plausibly stated a violation of the CFAA’s “unauthorized access” provision (18 U.S.C. §1030(a)(2)(C)).  Ultimately, however, the court dismissed the CFAA claims with leave to amend, due to plaintiff’s failure to plead the requisite amount of damage or loss as required to maintain a civil action under the CFAA.

“CouponCabin is simply alleging that PriceTrace was able to circumvent CouponCabin’s website security, with no allegation that such evasion impairs or harm the website. Absent allegation of impairment, CouponCabin has merely alleged that PriceTrace accessed CouponCabin’s website without authorization.”