Yesterday’s Wall Street Journal featured a substantial article on the growth of quantum computing, and the risks and opportunities it presents. It is a thoughtful article, and a must-read for people interested in the area. We have been working with clients in the area, and identified it as an area of increasing importance in our blog’s 2017 and 2018 year-end reflections on what’s ahead. Much work is being done as we speak to both advance quantum computing and to deal with the challenges it presents to the existing information system infrastructure. (For more information on the race to build a quantum computer and post-quantum cryptography, see the NIST Quantum Revolution page). We will continue to keep readers apprised of significant new developments as they occur.
Three recent court decisions affirmed the robust immunity under the Communications Decency Act (CDA), 47 U.S.C. §230(c), for online providers that host third-party content: the Second Circuit’s decision in Herrick v. Grindr LLC, No. 18-396 (2d Cir. Mar. 27, 2019) (summary order), the Wisconsin Supreme Court’s opinion in Daniel v. Armslist, LLC, No. 2017AP344, 2019 WI 47 (Wis. Apr. 30, 2019), and the Northern District of California’s decision in P.C. Drivers Headquarters, LP v. Malwarebytes Inc., No. 18-05409 (N.D. Cal. Mar. 6, 2019). Continue Reading
This month, an Illinois district court considered another in the series of web scraping disputes that have been working their way through our courts. In this dispute, CouponCabin, Inc. v. PriceTrace, LLC, No. 18-7525 (N.D. Ill. Apr. 11, 2019), CouponCabin alleged that a competitor, PriceTrace, scraped coupon codes from CouponCabin’s website without authorization and displayed them on its own website.
After discovering PriceTrace’s scraping activities, CouponCabin sent PriceTrace a cease and desist letter demanding that PriceTrace stop scraping data from CouponCabin’s website. CouponCabin alleged that PriceTrace continued to access and scrape data from CouponCabin’s website even after the C&D letter was sent. As a result, CouponCabin brought several causes of action against PriceTrace, including claims under the Computer Fraud and Abuse Act (CFAA), tortious interference and breach of contract.
The court found that CouponCabin’s C&D letter had revoked PriceTrace’s access to its site and that PriceTrace’s alleged continued access to the website plausibly stated a violation of the CFAA’s “unauthorized access” provision (18 U.S.C. §1030(a)(2)(C)). Ultimately, however, the court dismissed the CFAA claims with leave to amend, due to plaintiff’s failure to plead the requisite amount of damage or loss as required to maintain a civil action under the CFAA.
“CouponCabin is simply alleging that PriceTrace was able to circumvent CouponCabin’s website security, with no allegation that such evasion impairs or harm the website. Absent allegation of impairment, CouponCabin has merely alleged that PriceTrace accessed CouponCabin’s website without authorization.”
UPDATE: Both bills failed to be reported out of committee by March 28, 2019 and were not debated during this year’s legislative session.
In the wake of the Illinois Supreme Court decision that held that claimants need only allege a procedural violation to have standing to bring an action under the Illinois Biometric Information Privacy Act (BIPA) and the continued wave of BIPA-related litigation, the Illinois legislature is considering an amendment to BIPA that would strip the statute of its private right of action. SB2134, as currently written, would amend BIPA by deleting the private right of action and instead provide for enforcement under the Department of Labor (for violations concerning employment-related biometric data collection) or generally by the state attorney general under the state’s consumer protection statute. The end result would be a statute similar to Texas and Washington’s biometric privacy bills which may only be enforced by the respective state attorney general. [Note: There is also another BIPA amendment pending, HB3024, which would expand the definition of “biometric identifier” to include “an electrocardiography result from a wearable device” in an effort to keep up with the latest technologies]. Continue Reading
Senators Brian Schatz (D) and Roy Blunt (R) recently introduced S.847, the “Commercial Facial Recognition Privacy Act of 2019,” a bill that would, subject to certain important exceptions, generally prohibit the commercial use of facial recognition technology to identify and track consumers without consent. The bill, as drafted would place limitations on the third-party sharing of collected faceprint data, as well as require covered entities to meet certain minimum data security standards. As this bill wends its way through Congress (it has been referred to the Committee of Commerce, Science and Transportation), it is worth watching because it is a bipartisan bill with a narrow scope that has garnered the early conceptual support of Microsoft and other technology companies. Continue Reading
This Monday, the Supreme Court unanimously ruled in Fourth Estate Public Benefit Corp. v. Wall-Street.com, LLC, 586 U.S. ____ (Mar. 4, 2019), that a copyright owner may commence an infringement suit only when the Copyright Office determines whether or not to register a copyright, as opposed to when the owner submits an application and fee for registration. The widely-followed case resolves a simple question, but has far-reaching practical implications for U.S. copyright litigation. Continue Reading
In a recent blog post, we wrote about how the Second Circuit found the arbitration clause in a web service’s terms and conditions unenforceable because the user did not have reasonable notice of the terms that were communicated via a hyperlink in a post-sale email. In contrast, a New York district court recently upheld an arbitration clause in Coinbase’s account registration process and granted its motion to compel arbitration concerning claims brought by a user (Sultan v. Coinbase, Inc., No. 18-934 (E.D.N.Y. Jan. 24, 2019)).
This case sheds further light on the do’s and don’ts of online electronic contracting and the enforceability of app-based terms and conditions. The decision reinforces the point that for purposes of establishing a binding agreement with a user – particularly in the context of a mobile app – simplicity and clarity of the user interface is desired. And, in particular, this case reinforces the point that has been illustrated in many cases before that the design of user registration pages should be done with the input of legal analysis as to likely enforceability. Continue Reading
UPDATE: Subsequent to the introduction of the New York City Council biometric privacy bill, on March 5, 2019 members of the Florida legislature introduced the “Florida Biometric Information Privacy Act” (SB 1270). The statute generally follows the Illinois Biometric Information Privacy Act (BIPA) regarding notice and consent requirements and notably provides for a private right of action and the availability of statutory damages. As with the New York City bill, we will follow the progress of the Florida bill, as well as other pending biometric privacy legislation (e.g., Montana’s HB 645, which was introduced on March 1, 2019 and is another BIPA-like bill, but only allows enforcement by the state attorney general).
UPDATE: Both the Florida and Montana bills died in committee this past spring.
In light of the recent decision by the Illinois Supreme Court in Rosenbach v. Six Flags Entertainment Corp., 2019 IL 123186 (Ill. Jan. 25, 2019), it is worth remembering that late last year, New York City Council members Ritchie Torres (and additional co-sponsors) introduced a bill for the city council to consider that would regulate the use of biometric technology in New York City. Bill Int. No. 1170 (the “Bill”) would amend Section 1, Chapter 5 of Title 20 of the Administrative Code of the City of New York and require businesses (but not governmental actors) to give notice to customers if they are collecting “biometric identifier information.” The Bill, which contains some similar provisions to the Illinois Biometric Information Privacy Act (“BIPA”), includes a private right of enforcement but avoids the statutory standing issue litigated in Rosenbach by providing that “any person who[se] biometric identifier information was collected, retained, converted, stored or shared in violation of [the law] may commence an action.” If enacted, this bill could lead to a deluge of individual and class action suits in New York based on biometric activity. Continue Reading
Last Friday, the Illinois Supreme Court ruled in the long-awaited Rosenbach case that an individual does not have to plead an actual injury or harm, apart from the statutory violation itself, in order to have statutory standing to sue under the Illinois Biometric Information Privacy Act (BIPA). The Illinois Supreme Court ruling will allow procedural BIPA violations to proceed (and multiply) in state court – and has reportedly already prompted parties to settle such actions. However, recent rulings in federal court have offered a divergent interpretation of the related, but different Article III standing issue. Continue Reading
In Starke v. SquareTrade, Inc., No. 17-2474, 2019 WL 149628 (2d Cir. Jan. 10, 2019), the Second Circuit affirmed a ruling that denied a web service’s motion to compel arbitration, finding that the user did not have reasonable notice of the arbitration provision contained in the terms and conditions that were communicated via a hyperlink in a post-sale email.
File this latest opinion declining to enforce a service’s terms under Crowded Interface, Unclear Prompts and Muddled Process.
While the court recognized that a party has a duty to read a contract, it stressed that this does not morph into a duty to “ferret out contract provisions when they are contained in inconspicuous hyperlinks,” particularly where, as in this case, the user was presented with multiple documents, each containing different sets of terms. This dispute was reminiscent of a Second Circuit case we wrote about in 2012, where the court held that a buy now-agree later process did not provide sufficient notice to consumers of an arbitration provision contained in the post-sale terms. Continue Reading