Google v. Oracle Headed Back Down

July 16th, 2015 by Joe Larsen

Among the many high-profile cases dealt with in its latest term, the Supreme Court denied Google’s petition for writ of certiorari in the case of Oracle America, Inc. v. Google, Inc., 750 F.3d 1339 (Fed. Cir. 2014).

Oracle’s predecessor in interest, Sun, conceived the idea to write a number of ready-to-use Java programs to perform common computer functions and to organize those programs into groups or “packages.” These packages allow programmers to use the pre-written code to build certain functions into their own programs, rather than write their own code to perform those functions from scratch. The idea was to create shortcuts for programmers. The actual Java “application programming interface” (“API”) packages, 37 of which were at issue in the Oracle v. Google case, each consist of two types of “source” code – declaring code and implementing code. The declaring code is the “expression that identifies the prewritten function” and “commands the computer to execute the associated implementing code. The implementing code gives the computer the step-by-step instructions for carrying out the declared function.” In addition, the Java API packages have a (three-dimensional) specific structure, sequence and organization.

Much of the industry discussion regarding this case revolves around the role played by APIs in smart phones and cloud computing. However, Oracle offers three different licenses for the Java API packages. Of these, the “General Public License” is free and provides that the licensee can use the packages – both the declaring and implementing code – but must “contribute back” its innovations to the public — an “open source” license. However, Google refused to agree to contribute back any of the new code that would be written. Therefore, Google decided to use the Java programming language to design its own virtual machine and to write its own implementation code for the functions in the Java API that were key to mobile devices, resulting in the Android platform, which grew to include 168 API packages – 37 of which correspond to the Java API packages at issue. With regard to these 37 packages, “Google believed Java application programmers would want to find the same 37 sets of functionality in the new Android system callable by the same names as used in Java.” To achieve this result, Google copied the declaring source code from these 37 packages verbatim, inserting that code into part of its Android software. In doing so, Google also copied “the elaborately organized taxonomy” of all the names of methods, classes, interfaces, and packages, that is, Google also duplicated the “structure, sequence and organization” of the 37 packages.

Google argued, and the trial court had held, that the replicated elements of the packages were not copyrightable because “there is only one way to write” the declaring code, and therefore the “merger” doctrine barred anyone from claiming copyright ownership. Further, the trial court held that the declaring code was not protectable because “names and short phrases cannot be copyrighted.” With regard to the overall structure of the Java API packages, the trial court had found that because it is a “command structure, a system or method of operation” to carry out pre-assigned functions, it was not entitled to copyright protection.

The court of appeals rejected all of these arguments, reversed on the copyrightability issue and remanded on the issue of fair use. With regard to the declaring source code, the court held that the merger doctrine only applies when there are a limited number of ways to express an idea, such that the idea is said to “merge” with its expression. The court noted that, under Ninth Circuit law, the doctrine of merger is an affirmative defense to infringement, not an element of copyrightability. In addition, the court rejected application of merger to the case because, in the Android declaring code, the method and class names “could have been different from the names of their counterparts in Java and still have worked.” Further, the trial court had erred by focusing its merger analysis on the options available to Google at the time of copying, whereas copyrightability is to be evaluated at the time of creation, not at the time of infringement.

The court of appeals then quickly disposed of the “short phrases” argument by noting that while “words and short phrases such as names, titles and slogans” are not subject to copyright protection, the question is whether “those phrases are used creatively.” The court analogized to the opening paragraphs of “A Tale of Two Cities,” which is nothing but a string of short phrases. Oracle was not seeking copyright protection for a specific short phrase or work, but for 7,000 lines of declaring code. The court similarly dismissed Google’s claim that the declaring code it copied fell within the “scenes-a-faire” doctrine because they are “standard, stock, or common to a topic.” Essentially, Google’s argument here is that “because programmers have become accustomed to and comfortable with using the groupings in the Java API packages, those groupings are so commonplace as to be indispensable to the expression of an acceptable programming platform.”

The court again noted that the analysis must focus on the external factors that dictated “Sun’s selection of classes, methods and code – not upon what Google encountered at the time it chose to copy those groupings and that code.” The court’s analysis of this “non-literal” aspect of Oracle’s claimed copyright – the structure, sequence and organization of the API packages – is more complex and reveals a circuit split. The trial court had relied upon Lotus Development Corp. v. Borland Int’l, Inc., 49 F.3d 807 (1st Cir. 1995), aff’d without opinion by equally divided court, 516 U.S. 233 (1996), to hold that the Java API packages were a “method of operation” and therefore not copyrightable. In addition to distinguishing Lotus on its facts, the court noted that the Ninth Circuit has reached the exact opposite conclusion, finding that copyright protects the expression of a process or method. Id. at 19. Rather, the Ninth Circuit uses the Second Circuit’s “abstraction-filtration-comparison” analysis when assessing whether the non-literal elements of a computer program constitute protectable expression. Indeed, no other circuit follows the First Circuit in this regard.

The court also reversed the trial court’s finding that, in order for at least some of the Java code to run on Android, Google was required to provide the same command system using the same names, taxonomy and functional specifications. The trial court had held “Google replicated what was necessary to achieve a degree of interoperability but no more, taking care to provide its own implementations.” However, the cases relied upon by the trial court involved copying in order to reverse-engineer, that is, to understand the functional aspects of the copyrighted works, and then creating new products that would work with them. Indeed, Google designed Android so that it would not be compatible with the Java platform.

The court of appeals finally remanded on the defense of fair use, holding that, even under a correct reading of the law, there were fact issues on the fair use factors, particularly whether Google’s use was necessary to work within a language that had become an industry standard. Now that the Supreme Court has denied cert, we may expect to see several years of litigation, doubtless followed by further appeals, on whether Google’s use of the APIs was “fair.” Both Google and Oracle have publicly stated that they are committed to the litigation, and the stakes could hardly be higher.

If You Want Coverage for a Data Breach, You Need Cyber Liability Insurance

July 13th, 2015 by Lisa Henderson

The Connecticut Supreme Court recently issued an opinion which provides further confirmation that commercial general liability (CGL) policies do not apply to provide coverage for most data breaches. In the case of Recall Total Info. Mgmt., Inc. v. Fed. Ins. Co., 317 Conn. 46 (2015), the court affirmed the judgment of the Appellate Court that there was no coverage available under the “personal injury” coverage of the CGL policy issued by Federal Insurance Company (Federal) and the umbrella liability policy issued by Scottsdale Insurance Company (Scottsdale). The relevant provisions in the umbrella liability policy were identical, in relevant part, to those in the CGL policy.

Factual Background

The circumstances resulting in the data breach are somewhat unusual. In October 2003, Recall Total Information Management, Inc. (Recall) entered into a vital records storage agreement with International Business Machines (IBM) whereby Recall agreed to transport and store various electronic media belonging to IBM. Recall then subcontracted the transportation services to Executive Logistics, Inc. (Ex Log). Under the subcontract, Ex Log was required to name Recall as an additional insured on its CGL and umbrella liability policies.

On February 23, 2007, Ex Log dispatched a transport van to move computer tapes from an IBM facility in New York to another location. During transport, a cart containing the tapes fell out of the back of the van near a highway exit ramp. The parties agreed that approximately 130 of the tapes were removed from the roadside by an unknown person and never recovered. The lost tapes contained employment data for approximately 500,000 past and present IBM employees. The information included social security numbers, birthdates and contact information.

After being notified that the tapes had been lost, IBM immediately took steps to prevent harm from any dissemination of the personal information. The steps included notification to potentially affected employees and the establishment of a call center to answer inquiries regarding the lost data. IBM also provided the potentially affected employees with one year of credit monitoring to protect against identity theft. IBM claimed more than $6,000,000 in mitigation costs.

Recall settled IBM’s claim for mitigation costs, and then sought indemnification from Ex Log. Ex Log sought coverage under its policies for the indemnification claim, which was denied. Following the denial of coverage, Recall and Ex Log entered into a settlement in which Ex Log signed a promissory note in favor of Recall for $6,419,409.79 and assigned all of its rights under the policies to Recall. Recall then filed suit against Federal and Scottsdale, asserting several claims including breach of contract. The trial court granted the carriers’ motions for summary judgment, concluding that the losses were not covered under either the “property damage” or “personal injury” provisions of the policies.

No “Property Damage”

Recall chose not to appeal the trial court’s decision that the loss of the tapes was not “property damage.” The trial court concluded that the lost data was intangible property, which was expressly excluded from coverage. Most CGL policies issued after 2001 specifically provide that “electronic data is not tangible property.” See ISO Form No. CG 00 01 10 01.

No “Personal Injury”

However, Recall did appeal the trial court’s decision that the loss of the tapes did not constitute a “personal injury.” The policies define “personal injury” to include “injury, other than bodily injury, property damage or advertising injury, caused by an offense of…electronic, oral, written or other publication of material that…violates a person’s right of privacy.” Recall Total Info. Mgmt., Inc. v. Fed. Ins. Co., 147 Conn. App. 450, 462 (Conn. App. Ct. 2014). Recall alleged that this provision was satisfied because “[b]y virtue of the loss and theft of the IBM tapes…the personal information that was stored on the tapes, including social security information and other private data, has been published to the thief and/or other persons unknown…thereby subjecting [Recall] to potential claims and liability…including liability for the cost of notifying the persons whose data was lost and for providing credit monitoring services to persons who requested it.” Id.

The Appellate Court found that the dispositive issue was whether the information contained on the tapes had been published. 147 Conn. App. at 462. The Appellate Court further found that, regardless of the precise definition of publication, access is a necessary prerequisite to the communication or disclosure of personal information. Id. at 463. The Appellate Court took notice of evidence that the lost tapes were not of the type that could be read by a personal computer. Id. The Appellate Court further pointed to the complete lack of facts in the record suggesting that the personal information was actually accessed by someone. Id. at 462. Accordingly, it held that Recall’s settlement with IBM was not covered under the “personal injury” provisions of the policies because there was no evidence of publication of the data. Id. at 463.

The decision of the Connecticut Supreme Court is the most recent in which a court has determined that the “publication” requirement for “personal injury” coverage is not met under the circumstances of a data breach. In the case of Zurich Am. Ins. Co. v. Sony Corp. of Am., No. 651982/2011 (N.Y. Sup. Ct. Feb. 21, 2014), the court held that coverage was not triggered where the “publication” was not an intentional act committed by the insured, but instead was the result of a criminal act of a third-party hacker. While these courts have focused on different aspects of the “publication” requirement, the end results are in line with the generally accepted principle that the CGL policy is not intended to provide cyber liability coverage. This intent is reflected in a set of exclusions issued by the Insurance Services Office (ISO) in May 2014 that bar coverage for claims “arising out of any access to or disclosure of any person’s or organization’s confidential or personal information.” The message is clear that cyber liability insurance is a necessary part of any business’s insurance portfolio.

Uber Privacy Policy Challenged by EPIC Letter to FTC

June 26th, 2015 by Meegan Brooks

On Monday, the Electronic Privacy Information Center (EPIC) filed a complaint urging the Federal Trade Commission (FTC) to investigate Uber Technologies Inc.’s business practices, and in particular, its new privacy policy, which goes into effect July 15. Although Uber described its new policy as an attempt to clarify its existing terms, while also providing for “potential new use cases,” the complaint claims that Uber’s updated privacy policy is an unlawful and deceptive trade practice.

Among other things, the complaint asks the FTC to halt Uber’s collection of user location data when it is unnecessary to provide a service; to halt Uber’s collection of user contact list information; and to require that ride information be deleted once the ride is completed.

Uber announced its new privacy policy in a blog post on May 28, explaining that its privacy counsel from Hogan Lovells LLP had reviewed the company’s privacy practices and recommended simplifying the privacy policy. “In the interest of transparency,” however, the post also described “potential new use cases” that would be permitted under the new policy.

EPIC’s complaint is centered on two of these new uses. First, Uber’s new policy would allow the app to track users’ locations when the app is running in the background, which Uber explained would help “get people on their way more quickly.” Second, the policy would allow Uber to access users’ contact lists and send promotional messages to users’ friends and family.

The new policy states:

• Location Information: When you use the Services for transportation or delivery, we collect precise location data about the trip from the Uber app used by the Driver. If you permit the Uber app to access location services through the permission system used by your mobile operating system (“platform”), we may also collect the precise location of your device when the app is running in the foreground or background. We may also derive your approximate location from your IP address.

• Contacts Information: If you permit the Uber app to access the address book on your device through the permission system used by your mobile platform, we may access and store names and contact information from your address book to facilitate social interactions through our Services and for other purposes described in this Statement or at the time of consent or collection.

For both the tracking and the promotional features, the post promises that “users will be in control: they will be able to choose whether to share the data with Uber.” Citing this language, EPIC has alleged that Uber has deceptively reassured customers that they would be in control of their data when the updated policy actually deprives them of that control.

According to EPIC’s complaint, while iOS users can disable the contact-syncing option by changing the contacts setting on their phones, the Android mobile platform does not offer any comparable setting. Similarly, the Android platform does not allow users to modify location data settings for individual apps, so if a user wants to bar Uber from tracking their location while the app is running in the background, the user would need to turn off location data for all apps. Again, however, Uber will notify customers before it begins tracking their information in the background, so that they have the option of opting out. The complaint also says that by sending unsolicited texts to customers and people on their contact lists, Uber may be violating the Telephone Consumer Protection Act (TCPA).

The policy explains:

Most mobile platforms (iOS, Android, etc.) have defined certain types of device data that apps cannot access without your consent. And these platforms have different permission systems for obtaining your consent. The iOS platform will alert you the first time the Uber app wants permission to access certain types of data and will let you consent (or not consent) to that request. Android devices will notify you of the permissions that the Uber app seeks before you first use the app, and your use of the app constitutes your consent…

Additionally, even when a customer has opted out of tracking, the revised policy would allow Uber to track customers based on their IP addresses. According to the complaint, this is an unfair business practice because users are not given the option of opting out of this kind of tracking.

Once the new policy takes effect, Uber will be able to collect and store various information about its users, including: location data, contact information, transaction information, usage and preference information, device information and information regarding calls and messages between riders and drivers. Notably, Uber is not unique in accessing this kind of data—it is common, for example, for apps to track customers’ locations based on their IP addresses. Because apps in many industries regularly access the kinds of data being used by Uber, and because of the current lack of regulations in this area, any action that the FTC may decide to take will likely have effects extending outside of the rideshare industry.

The FTC has not yet indicated whether it is investigating Uber’s practices. That said, the Commission has shown an increased interest in privacy issues surrounding peer-to-peer businesses. Earlier this month, for example, the Commission hosted a workshop entitled “The Sharing Economy,” which examined competition, consumer protection and economic issues arising in the sharing economy and considered whether and how existing regulatory frameworks can be responsive to sharing economy business models while maintaining appropriate consumer protections.

The Buck Stops Here: CEOs Held Most Accountable by Directors for Major Data Breaches

June 4th, 2015 by Scott Lyon

According to a recent joint survey of nearly 200 directors of public companies by the New York Stock Exchange and Veracode, CEOs are most likely to be held responsible in the event of a major data breach, ahead of the chief information officer (CIO), chief information security officer (CISO), and board members themselves. This trend appears to recognize the critical role of top-level management in ensuring that cyber security is made an enterprise-wide priority and that sufficient resources are being allocated to address potential vulnerabilities before a breach occurs.

Over 78 percent of the directors surveyed by the NYSE were outside directors serving on one to three executive boards in a myriad of industries, including financial services, technology, and healthcare. Although more than 80% of the respondents stated that cyber security matters are discussed at nearly every meeting, 66% responded that they were less than confident in their company’s ability to secure against cyberattacks. One particularly alarming response was that 20% indicated that cyber security was only discussed after either an internal incident or incident within the same industry.

This reactive response is also reflected in the priorities associated with new technology-based products and services. Security risks were ranked 4th in the list of top concerns for new products and services, behind revenue potential, competitive differentiation, and development costs. Part of the problem is that directors perceive enhanced security as detrimental to customer perception of their products. As one director commented, “The more you increase security, the less user friendly” the product or service becomes. However, in the event of a breach of security, directors identified “brand damage due to customer loss” as their primary fear, ahead of the cost of responding to a breach and the loss of competitive advantage due to disclosure of strategic plans or proprietary designs. This is indicative of the critical balancing act companies face when pushing the boundaries of innovation – they need a product secure enough that customers feel safe using it, while at the same time keeping security features unobtrusive enough not to interfere with the customer’s perception.

Although directors are becoming increasingly aware of the threats and consequences of cyberattacks, the survey also illustrates a knowledge gap between directors and the product design process. More than two-thirds of the directors believed that most or all of their web and mobile applications had been evaluated for potential cyber security vulnerabilities before being made available to customers; however, separate studies by SANS and IDG Research have indicated that a majority of enterprise software applications are never assessed for vulnerabilities (possibly as high as 62% according to IDG Research).

As reports surface of major breaches traced to third-party vendors, 72% of responding directors indicated that they were concerned or very concerned about the risk of third-party software. However, the potential risks extend beyond software vulnerabilities and also encompass the internal security processes of vendors who are given access to a company’s networks, as in the case of the HVAC provider whose stolen network credentials allegedly resulted in the initial intrusion at Target. One director in the survey expressed concern with a company’s “inability to know whether customers and suppliers who use our systems have adequately secured their own access points.”

While the report drew attention to the threat faced by CEOs who do not adequately address cyber security threats, it also emphasized the importance of qualified CISOs capable of managing and communicating cyber security information to directors and management. In addition to technical skills and experience, directors also stated that business acumen and strong communication skills were key qualities they look for in a CISO. In order to communicate effectively with board members, respondents stated that CISOs should discuss cyber security in terms of high-level security strategy descriptions and risk metrics, rather than overly detailed technical descriptions.

Ultimately, boards of directors and management are recognizing that executive-level commitment and sufficient allocation of resources are critical for a mature cyber security program. As enterprises reassess their own information security capabilities and communicate their expectations to third-party vendors, CISOs are being called upon to assume greater business responsibility and engage in aspects of the business outside of the traditional IT functions. This will involve a change in traditional business methodologies, emphasizing security and privacy-by-design principles, increasing supply chain oversight, and facilitating effective communication among management so that all key players are capable of making informed decisions over the cyber security matters for which they will ultimately be held responsible.

Supreme Court to Resolve Circuit Split on Whether Rule 68 Offer Moots

May 27th, 2015 by Scott Lyon

SCOTUS has accepted certiorari in a matter that may meaningfully impact the volume of consumer class actions, particularly where the damages are set by statute. Currently there is a split among federal circuit courts on whether a Rule 68 offer of judgment can moot a class plaintiff’s individual claims and thereby extinguish a class action. The forthcoming SCOTUS decision in Campbell-Ewald Company v. Gomez may resolve this split and determine whether a Rule 68 offer of judgment can moot a class action.

However, even in the Seventh Circuit, where a Rule 68 offer can moot a class, a plaintiff can sidestep the offer merely by filing a boilerplate motion for class certification with or soon after the complaint. Therefore, if SCOTUS wishes to meaningfully reform current consumer class action practice, it will also need to rule that a plaintiff cannot sidestep a proper Rule 68 offer of judgment merely by filing a boilerplate motion for class certification.

Sedgwick’s Class Action Task Force takes a closer look at the events leading to SCOTUS accepting certiorari in Campbell-Ewald Company v. Gomez in the PDF attached here.

Post by Moises Melendez – Partner, Sedgwick LLP

Nevada Broadens Definition of Personal Information for Purpose of Encryption and Breach Notices

May 20th, 2015 by Scott Lyon and Nora Wetzel

On May 13, Nevada passed a new law (A.B. 179) expanding the definition of “personal information” to include a natural person’s first name or initial and last name in combination with: 1) medical and health insurance identification numbers; 2) user names, unique identifiers or email addresses in combination with passwords, access codes or security questions and answers that would permit access to an online account; and 3) driver’s authorization card numbers. The broader “personal information” definition applies to Nevada’s breach notice and security measure laws, which regulate both the collection of personal information of Nevada residents as well as data collectors doing business in the State of Nevada. (N.R.S. 603A.210, 603A.220). However, the definition of “personal information” only applies to the specified data elements “when the name and data elements are not encrypted.”

Previously, the definition of “personal information” only included a natural person’s name when combined with a Social Security number, driver’s license or other identification card number, or an account or credit card number together with the security code or password necessary to permit access to a financial account. Importantly, Nevada’s expanded definition includes both information often defined as “personal health information” (i.e. medical and health insurance identifiers) as well as computer access credentials (i.e. user names and passwords). Given how many businesses assign their users unique identifiers and/or maintain email addresses with passwords for their users, this new law may impose significant obligations on companies maintaining Nevada residents’ personal information or doing business in the state.

Consequently, businesses maintaining Nevada residents’ personal information or doing business in Nevada should confirm they are compliant with the new Nevada law, which goes into effect July 1, 2015. Nevada requires a data collector to implement reasonable security measures, left undefined, to protect any Nevada resident’s personal information. Under Nevada law, a data collector is broadly defined to include any entity or association (including universities, banks, and government agencies) that “handles, collects, disseminates or otherwise deals with nonpublic personal information.” Companies doing business in Nevada that accept payment cards in connection with the sales of goods or services must comply with the Payment Card Industry Data Security Standards.

A key element of Nevada’s data security requirements is its treatment of encrypted data. Under both the original and newly expanded definition, encrypted data is not included within the definition of “personal information.” In addition, any data collector doing business in the State of Nevada is required to encrypt personal information when transferring the data electronically (excluding fax transmissions) or when moving data storage devices containing personal information beyond the “logical or physical controls of the data collector.” N.R.S. 603A.215(5)(b) defines the types of encryption deemed sufficient to satisfy Nevada law.

Any business maintaining records containing Nevada residents’ “personal information,” as newly expanded, or otherwise doing business in Nevada should ensure they have reasonable security measures in place. Businesses which have not yet implemented reasonable security measures should do so such that they are in place by July 1, 2015. In addition, the common threat of data breaches should encourage businesses maintaining Nevada residents’ personal information to prepare for data breaches by mapping their current data and maintaining up-to-date records of the types of data they maintain. If a data breach occurs, businesses must assess whether any personal information of a Nevada resident, as newly defined by Nevada state law, was subject to the breach and notify the Nevada residents in accordance with Nevada state law.

In-Store Monitoring: How to Enjoy the Benefits of Tracking While Minimizing Potential Privacy Issues

May 18th, 2015 by Meegan Brooks

In the latest example of the conflict between technological innovation and privacy concerns, the Federal Trade Commission (FTC) reached a settlement agreement last month with Nomi Technologies, Inc.

Nomi is a startup whose technology allows retail merchants to analyze aggregate data about consumer traffic in the merchants’ stores. Although different companies track this data in different ways, it is generally done by monitoring signals emitted from a mobile phone to see where a device moves over time. Nomi’s technology can tell a retailer where a customer walks in a store, or whether she is a repeat customer; it is not able to identify her personally.

Notwithstanding heavy criticism from the public and privacy advocates for invading customers’ privacy by tracking their movement without their consent, the FTC’s action was not brought pursuant to any privacy law or privacy-based right. Instead, the FTC’s action amounted to a run-of-the-mill consumer deception claim. The FTC alleged that Nomi misled consumers by falsely promising to provide mechanisms for consumers to opt out of tracking and be notified when their information is being tracked. The proposed settlement prohibits the startup from misrepresenting people’s options for controlling whether information about them or their devices is collected, used, disclosed or shared. Notably, it did not impose notice and consent requirements for retail trackers or offer more specific guidance for retailers who track their customers.

The FTC’s decision, which was split 3-2, highlights the tension between allowing emerging retail technologies to grow and innovate, and the potential privacy risks that come with allowing companies to track consumers. The dissenters argued that the FTC should have refrained from bringing this action, given the immateriality of the representation, the lack of evidence of consumer harm and the potential chilling effect to other innovative startups.

Lack of Formal Guidance for Retailers

Even though thousands of retailers currently use some type of in-store tracking technology, the FTC has not yet issued formal standards for how retailers should use this technology without violating customers’ right to privacy.

Still, the FTC has made its interest in this area clear. Over the last several years, the FTC has published several guidance documents related to mobile phone tracking more generally, which touched on retailers’ tracking of their customers. Last spring, the FTC hosted a seminar dedicated to in-store tracking technology, including the different kinds of technology available and the privacy concerns with each. The Nomi action was just the latest reflection of the FTC’s increasing concern with this issue.

Days after the Nomi settlement, Ashkan Soltani, chief technologist at the FTC, blogged about the policy trade-offs in retail tracking. Soltani emphasized a point that was also clear in the FTC’s majority opinion in Nomi: “Retail tracking has many benefits for retailers and consumers alike. Stores are able to better understand the behaviors and preferences of their shoppers, and individuals in turn receive better service.” For example, by knowing where customers walk in a store, retailers are able to improve store layouts and reduce customer wait times.

Retailers looking to protect customer privacy should look to both Soltani’s blog and the FTC’s cell phone tracking reports for advice. Each reiterates that to best strike the balance between information and privacy, companies should disclose what information they are taking and how they plan on using it, and should ask for customers’ consent. Below are several considerations that apply specifically to the retail context:

1. Individual Identification

Currently, the predominant use for tracking information is to track customers in the aggregate. Although this is done by using unique identifiers to track each individual phone over time and across locations, each phone’s owner remains anonymous in this process.

However, the technology is available to track customers on a more individual basis. When a customer signs into a commercial hotspot, her MAC address can give a retailer access to her name and other WiFi networks she has used, and can “link” the customer’s online and in-store shopping behavior. Although it is unclear whether any companies collect or use this information, accessing this more personal information would clearly elevate privacy concerns related to in-store tracking. Notably, both dissenters in the Nomi case emphasized that Nomi’s technology did not provide the company with information about individual consumers, which suggests that they may have applied different analyses had Nomi been tracking individual customers.

Several efforts are currently being made to randomize phones’ wireless identifiers, so that retailers are not able to track individuals across multiple trips to multiple stores. For example, some smartphone manufacturers have attempted to build in features that limit retail tracking by randomizing the phone’s wireless identifier; according to Soltani, however, the effectiveness of these technologies is somewhat limited. The Internet Engineering Task Force (an Internet standards body) is currently working to achieve the same goal.

2. Consent

Although the FTC has not yet required that retailers obtain customers’ consent before tracking their locations, its recent publications in this area suggest that receiving consent is an effective way to minimize privacy risks.

Notably, it is much easier to receive customer consent for some kinds of tracking technology than others. Soltani distinguished active monitoring, which “is typically performed by the service the device is communicating with, such as by the cellular provider or by the WiFi hotspot the device is connected to,” and passive monitoring, which intercepts signals from the device as it communicates or searches for other devices and networks. Typically, customers are required to agree to terms and conditions before the retailer can use active monitoring; for example, by signing a cellular service contract or by connecting to a WiFi hotspot.

By creating a loyalty program application or offering free in-store WiFi, stores can offer benefits to their customers while also receiving their consent to data tracking. Another option, which is currently used by Apple, Macy’s, Coca-Cola, and Procter & Gamble, is known as proximity marketing. This is an opt-in system that allows retailers to send promotions to customers who are in the proximity of their stores.

Several smartphone location technology companies also allow customers to opt out of data tracking through an opt-out website. This website is one aspect of the Mobile Location Analytics Code of Conduct, which was created by analytics companies in October 2013 to assuage customers’ privacy concerns. The Code also calls for companies to obtain consent before collecting customers’ personal information. Although the FTC praised the Code for “[recognizing] consumer concerns about invisible tracking in retail spaces and [taking] a positive step forward in developing a self-regulatory code of conduct,” the Code is not legally enforceable. Following the Nomi decision, however, analytics companies could be liable for deceiving consumers by claiming to comply with the Code but then failing to actually do so.

3. Notice

Notice is closely intertwined with consent. By not imposing a notice requirement on Nomi, the FTC — at least for the meantime — seems to have signaled that retailers are not required to notify their customers that they are being tracked through their cell phones. However, both Soltani’s blog post and the FTC’s recent cell phone guidance publications treat notice as a best practice.

As with consent, customers normally receive notice before signing up for a cell phone contract, opening a retailer’s phone app or joining a wireless hotspot. Unlike with these forms of active monitoring, however, customers are generally not notified before being tracked through passive monitoring.

Notice may prove difficult for retailers who use passive monitoring. Although retailers can notify many of their customers by posting signs within their stores, this would not notify every person being tracked, because the tracking technology also pulls cell phone signals from people passing by the storefront. To solve this problem, Soltani suggests that passive retail analytics devices begin to automatically notify users of the existence of mobile retail tracking and allow them to temporarily join in order to opt out.

4. Other Ideas from Nomi

Until the FTC issues more concrete guidance in this area, retailers should at least make sure to follow the FTC’s guidance in Nomi by fulfilling any promises they make regarding privacy. Although Nomi provides rather than uses tracking services, the same legal principles apply to retailers. Retailers should act in accordance with every part of their privacy policies by respecting customers’ opt-out options and heeding any statements about what kind of information they collect or how they use that information.

Given that the law in this area is rapidly evolving, retailers should consult with legal counsel before implementing data tracking technology in their stores.

California’s Song-Beverly “Consumer Perception Test” in Jeopardy — Will Retailers in California Be Barred from Requesting Any Personal Information from Consumers at the Point-of-Sale?

May 8th, 2015 by Meegan Brooks and Stephanie Sheridan

On May 5, 2015, the Ninth Circuit certified for the California Supreme Court the issue of whether the Song-Beverly Credit Card Act (“the Act”) prohibits retailers from requesting a customer’s personal information at the point-of-sale (POS) after the customer has already paid, even if a reasonable consumer would not interpret the request as a condition for paying by credit card.

The case, Davis v. Devanlay Retail Group, concerns retailer Lacoste’s practice of requesting customers’ ZIP codes after the customer’s card has already been swiped. The lower court, like courts in a number of other district court cases, interpreted the statute to impose a “reasonableness” standard. Because a reasonable customer would not believe that she is required to share her information once her card has been swiped, the lower court determined that Lacoste did not violate the Act.

Plaintiff argues that “the consumer perception standard” has been improperly read into the Act by district courts, and that the law prohibits retailers from requesting any information while the customer is at the POS, regardless of whether the customer believes that she is required to share her information. According to Plaintiff’s counsel Gene Stonebarger, who has brought many suits pursuant to Song-Beverly, the Act even prohibits retailers from collecting information from customers who offer it, or from enrolling customers in a store loyalty program.

The Ninth Circuit’s Order

The three-judge panel — which consisted of Judges Consuela Callahan, Milan Smith and Paul Watford — found the statute’s language, legislative history and case law to be ambiguous, and noted that each could be interpreted to support Plaintiff’s broad interpretation of the Act. The relevant portion of the statute, which appears in Civil Code § 1747.08, states that businesses shall not “[r]equest, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information [PII]. …” The court noted that although this text suggests that the Act broadly prohibits any information requests, the grammatical rule used in reaching that interpretation had been rejected by California Courts of Appeal in other Song-Beverly cases. In Absher v. AutoZone, for example, a California Court of Appeal explicitly interpreted the disputed portion of the Act to “prohibit[] merchants from requesting or requiring credit card customers to write personal identification information on a credit card form as a condition precedent to accepting payment by credit card.”

The court also found that while many district courts have cited Florez v. Linens ’n Things as endorsing an objective consumer perception test, the Florez opinion is ambiguous and could also be read to hold that Song-Beverly prohibits all requests for information “in conjunction with” credit card transactions:

[W]e also find it plausible that the passage means Song-Beverly prohibits requests for PII that are “in conjunction with the use of a credit card” … We note that the Florez court does not appear to have actually applied an objective test in deciding the case … [A portion of Florez concerning the timing of a request] cuts against interpreting Florez to endorse an objective consumer perception test [and] suggests instead that Song-Beverly prohibits requests for PII that a consumer might interpret as a condition to payment by credit card, even if it would not be objectively reasonable to do so.

The court also explained that the court in Florez never explained how to determine whether a request for information was made “in conjunction with the use of a credit card,” and that a request made after the customer’s credit card has been returned may not fall into that category.

At oral argument in March 2015 (attended by these authors), the panel seemed compelled by Plaintiff’s strict reading of the statute, but also emphasized the issues that would arise if retailers were never allowed to request customer information at the POS. Judge Callahan, who described herself as an “expert shopper,” noted that it would be “absurd” for the law to require customers who want to sign up for a store’s mailing list to first put their cards away and then walk away from the POS before they could legally sign up to receive information they desired. Justice Smith joked that Plaintiff wanted shoppers to “go to the bathroom … or do three somersaults” before being able to share their information.

The court’s order notes that a broad construction of Song-Beverly, as proposed by Plaintiff, “could have a significant impact on the practices of thousands of California retailers.” Although this statement was in reference to retailers who request information after the transaction, a broad construction of the Act would impact any retailer that requests information “in conjunction with” the use of a credit card. In effect, the statute could become a strict liability prohibition against any information requests at the POS during credit card transactions.

Certification to the Supreme Court

It is rare for the California Supreme Court to receive certification requests, and even rarer for it to accept them — the Court decided two civil cases resulting from Ninth Circuit certifications in 2014, three in 2013, and none in 2012. Although the Court is not required to accept a certified issue, the Court will likely accept the Ninth Circuit’s request, given the significance of the issue to many retailers and the current lack of guidance in this area. If the Supreme Court does accept the case, it will have the authority to reformulate the question presented to it by the Ninth Circuit, or to explore additional issues. Assuming the Court does accept the Devanlay issue, the case will be added to the Court’s regular civil docket, which means that it is likely to be a year or more before the Court hands down its decision.

If the Supreme Court adopts Plaintiff’s broad interpretation of the Act, retailers who currently request customer information at the POS may also be subject to retroactive lawsuits. In the month after the Supreme Court decided that ZIP codes are “personal information” under Song-Beverly in the 2011 Pineda v. Williams-Sonoma Stores, Inc. decision, for example, 106 class-action lawsuits were filed based on transactions that occurred before the decision was issued. If the Supreme Court again decides to apply its ruling retrospectively, retailers could be liable for any requests for information made in the year leading up to the decision.

Retailers are advised to consult counsel with expertise in this area for guidance as to “best practices” in light of this new development.

New FCC Rules on CPNI Will Impact ISPs and Businesses Who Rely on Internet Tracking Data

April 2nd, 2015 by Jia-Ming Shang

By now, most people know that in its recent Open Internet Order adopted on February 26, 2015, the FCC reclassified internet access services as common carrier “telecommunications services” subject to FCC jurisdiction under the Telecommunications Act of 1996. The Order imposes a new regulatory framework on internet providers and, among many other things, augurs a sea change in how internet providers and their business partners may use certain data, including a class of information called Customer Proprietary Network Information (“CPNI”).

CPNI is defined as “(A) information that relates to the quantity, technical configuration, type, destination, location, and amount of use of a telecommunications service subscribed to by any customer of a telecommunications carrier, and that is made available to the carrier by the customer solely by virtue of the carrier-customer relationship; and (B) information contained in the bills pertaining to telephone exchange service or telephone toll service received by a customer of a carrier.” See 2007 FCC CPNI Order.

Outside of telecom insiders, most people have probably never heard of CPNI or the FCC’s specific regulations on its use. But later this month, new rules on collection, disclosure, consent and use of CPNI in the internet context will take center stage as the FCC decides whether and to what extent previously exempt internet service providers and their business partners are bound by CPNI rules that phone and cable companies have observed for years.

Of course, the Devil’s in the details. Current CPNI rules, for example, prevent phone companies from sharing the phone numbers a customer calls or receives without express consent. How that rule translates in the internet context, where the entire notion of internet marketing relies on some measure of tracking, is less clear. But some restrictions on the current system are likely, with the FCC indicating that many of the same consumer privacy concerns applicable to phone companies are present with internet providers:

[c]onsumers’ privacy needs are no less important when consumers communicate over and use broadband Internet access than when they rely on [telephone] services. As broadband Internet access service users access and distribute information online, the information is sent through their broadband provider. Broadband providers serve as a necessary conduit for information passing between an Internet user and Internet sites or other Internet users, and are in a position to obtain vast amounts of personal and proprietary information about their customers. Absent appropriate privacy protections, use or disclosure of that information could be at odds with those customers’ interests.

Feb. 26, 2015 Open Internet Order, para. 463.

In short, if your business relies on or uses tracking data on consumer internet traffic or behavior in any way (e.g., customized ad buys, cookies, big data algorithms, mobile payments processing), there’s a good chance that the forthcoming new CPNI rules will affect you in some way.

For now, ISPs have a reprieve, and the FCC has stated that it will forbear from applying its existing rules because they are “not well suited to broadband Internet access service.” In particular, the FCC found that existing rules are more focused on concerns that have been associated with voice telephone service and do not address many of the types of sensitive information to which broadband providers (more so than phone companies) are likely to have access.

These comments suggest the possibility that the new CPNI rules may be stricter than the current ones for phone companies. FCC Chairman Tom Wheeler has announced that the agency will hold a workshop on April 28 for stakeholders to discuss details, with final rules probably coming out in Q3 or Q4 of 2015.

Second Circuit Joins Chorus In Favor Of CDA Immunity

April 1st, 2015 by Afigo Fadahunsi

In Ricci v., the United States Court of Appeals for the Second Circuit affirmed a dismissal of defamation claims against GoDaddy, a website host, invoking the immunity and preemption provisions of the Communications Decency Act (“CDA”), 47 U.S.C. § 230. The lawsuit against GoDaddy stemmed from an “offline” dispute between the Ricci plaintiffs and the Teamsters’ Union, to which Mr. Ricci belonged. Following Mr. Ricci’s refusal to endorse the union president at the time, Mr. Ricci endured various forms of retaliation from union leadership, including the union’s publication of newsletters containing offensive and defamatory statements about the Riccis. The newsletters were posted on a website hosted on GoDaddy’s servers.

In the Complaint, the Riccis acknowledged that GoDaddy had no role in creating the allegedly defamatory newsletters. Rather, the Riccis sought to impose liability upon GoDaddy because it hosted the website on which the newsletters were republished, refused to remove the newsletters, and refused to investigate the plaintiffs’ complaints about the statements in the newsletters. The trial court dismissed the Riccis’ suit based on CDA immunity, and the Second Circuit affirmed.

The CDA shields hosts like GoDaddy from publisher liability (with respect to third-party or user-generated web content) when they act in the capacity of a provider of an interactive computer service. Section 230 offers broad protection to website operators, and courts have typically rejected any interpretation that renders meaningless the core immunity provided by Section 230(c), or clouds the vision of an uninhibited and open Internet. Section 230(c)(1) provides that “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by an information content provider.” Section 230(e)(3) further states that “[n]o cause of action may be brought and no liability may be imposed under any State or local law that is inconsistent with this section.”

In its first opinion construing the immunity provisions of the CDA, the Second Circuit made three critical points in its ruling. First, “a plaintiff defamed on the internet can sue the original speaker, but typically cannot sue the messenger.” The Riccis should have pursued defamation claims only against the union, and not against GoDaddy. Second, GoDaddy did not play a role in creating the allegedly defamatory newsletters. Since GoDaddy was sued in its capacity as a provider of an “interactive computer service,” it is immune from defamation liability under the CDA. Third, an interactive computer service like GoDaddy can win a Section 230 lawsuit on a motion to dismiss. According to the court, although preemption under the CDA is an affirmative defense, “it can still support a motion to dismiss if the statute’s barrier to suit is evident from the face of the complaint.” The court found that the defect was patently evident in the Riccis’ case.
