Bank’s Clickwrap Agreement – Cross-Referencing Arbitration and Class Action Waiver Provisions – May Be Enforceable

The Second Circuit ruled that a “buried” hyperlink is not, alone, fatal to enforcing arbitration and class action waiver provisions contained in an agreement that is incorporated by cross-reference via a web-based contract.  Design, layout, and content of the webpage are significant factors to determining whether the contract terms were available and conspicuous, and thus enforceable.  Zachman v. Hudson Valley Federal Credit Union, No. 21-999 (2nd Cir. Sept. 14, 2022).

Clickwrap Agreement and Plaintiff’s Class Action Claims

In 2012, Plaintiff opened her bank account and received an Account Agreement.  In 2019, Plaintiff agreed to an Internet Banking Agreement (“IB-Agreement”) that incorporates by reference the revised Account Agreement.  The IB-Agreement requires the customer to click a button of the Agreement stating “I agree to the above terms and conditions.”

Plaintiff filed a class action complaint alleging that Defendant-Bank HVCU’s practice of collecting overdraft or insufficient funds on accounts that were not actually overdrawn violated: (1) New York General Business Law § 349 and (2) the Electronic Fund Transfer Act, 15 U.S.C. § 1693, et seq..

Clickwrap Agreement and Customers’ Access to Revised Account Agreement

HVCU filed a motion to dismiss and to compel arbitration, asserting:

  • the revised Account Agreement containing the arbitration agreement and class action waiver was published to its website which can be accessed via a hyperlink or via a “Resources” tab on HVCU’s website
  • a physical copy of the Account Agreement may be obtained by the customer requesting a copy be mailed or going to a brick-and-mortar HVCU branch.

HVCU did not:

  • implement a “banner” notification on the webpage
  • provide a summary of any changes to the Account Agreement on the webpage where the agreement is hyperlinked
  • otherwise indicate any changes had been made to the Account Agreement.

District Court: Did Plaintiff Have “Inquiry Notice” of the Provisions?

First, the District Court ruled that the district court, not an arbitrator, determines whether a valid arbitration agreement exists.  Second, the District Court ruled that HVCU did not establish that Plaintiff had actual notice or inquiry notice of the arbitration and class action waiver provisions.  The District Court concluded that the hyperlink to the revised Account Agreement appeared to be buried in the IB-Agreement and thus concluded that HVCU failed to establish that Plaintiff was put on inquiry notice of the arbitration and class action waiver provisions.  HVCU appealed.

Second Circuit: Website’s Layout, Content, and Design

The Second Circuit stated that the enforceability of a web-based agreement is a fact-intensive inquiry, which includes an evaluation of the visual evidence demonstrating “whether the website user has actual or constructive notice of the conditions” which often turns on “whether the design and content of th[e] webpage rendered the existence of terms reasonably conspicuous.”

Based on the evidence provided in support of the motion, the Second Circuit was unable to assess whether the relevant language and hyperlink are clear and conspicuous.  The Second Circuit ruled that the District Court’s conclusion that the provisions were “buried” in the IB-Agreement was inconsistent with the lack of evidence presented regarding the website’s layout and design.  The Second Circuit ruled that the District Court’s ruling was premature .

Significantly, the Second Circuit stated:

  • agreements may be incorporated by cross-reference via web-based contracts
  • as long as the layout and language of the website give the user reasonable notice that a click will manifest assent to an agreement, then clicking “I agree to the above terms and conditions” would bind Plaintiff to the IB-Agreement, along with the Account Agreements incorporated by reference
  • screenshots – of the webpage(s) used to register HVCU customers for online banking – will show the design and content of the IB-Agreement as presented to users and thus are relevant to whether Plaintiff assented to the agreement’s terms

In sum, a picture – or here, screenshots – is worth a thousand words and will help demonstrate that the parties mutually agreed to a clickwrap agreement.

CISA Requests Public Comment for Regulations On Cyber Incident Reporting for Critical Infrastructure Act

The U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) seeks public comment on structuring and implementing regulations for reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”).  Comments may be submitted by November 14, 2022 through the Federal e-Rulemaking Portal:  The CISA’s Request for Information is located at:

Four New State Data Privacy Laws Take Effect In 2023

Data privacy laws take effect during 2023 in California, Virginia, Colorado, Utah, and Connecticut.  Specifically:

    • California Privacy Rights Act, effective January 1, 2023
    • Virginia Consumer Data Protection Act, effective January 1, 2023
    • Colorado Privacy Act, effective July 1, 2023
    • Connecticut Data Privacy Act, effective July 1, 2023
    • Utah Consumer Privacy Act, effective December 31, 2023

Other states are actively considering the implementation of a comprehensive privacy law.

Currently, the United States does not have a federal data privacy law.  In May 2022, a bipartisan group of legislators introduced the American Data Privacy and Protection Act (“ADPPA”), which includes federal preemption of state laws with some exceptions, such as a limited private right of action for certain privacy violations.

As we enter the last quarter of 2022, make preparations to comply with the new state data privacy laws.

“Imminent” Harm Gives Standing to Phishing Attack Victim Against Employer

In a precedential ruling, the Third Circuit reinstated a class action lawsuit filed by a former employee who was required to provide sensitive personal and financial information to her employer which was then released on the dark web following a phishing attack, despite the employer’s statement that it would take appropriate measures to protect the information.   In Clemens v. ExecuPharm Inc., No. 21-1506 (3d Cir. Sept. 2, 2022), the Third Circuit:

    • overturned the District Court’s dismissal of the action for which the District Court found that Plaintiff failed to allege that she experienced actual identity theft or fraud
    • rejected the contention that a risk of identity theft or fraud cannot qualify as sufficiently “imminent” to establish standing to bring a lawsuit

Plaintiff, a former employee of Defendant, was required as a condition of her employment to provide sensitive personal and financial information, such as her social security number, bank and financial account numbers, tax information, her passport, and information about her husband and child.  Plaintiff’s employment agreement states that Defendant would “take appropriate measures to protect the confidentiality and security” of this information.

After Plaintiff left Defendant’s employment, a hacking group used a phishing attack in March 2020 to install malware on Defendant’s servers, stealing sensitive information about current and former employees including Plaintiff.  Either because Defendant refused to pay or for other reasons, the company’s data – including 123,000 files and 162 gigabytes of data – was released on the dark web, as confirmed by screenshots taken by an intelligence firm.

Plaintiff promptly took actions, including: (1) enrolling in Defendant’s complimentary one-year credit monitoring services, (2) transferring her account to a new bank, and (3) placing fraud alerts on her credit reports.

Plaintiff filed a class action lawsuit asserting claims for breach of contract, breach of implied contract, negligence, negligence per se, breach of confidence, and breach of fiduciary duty.  Plaintiff alleged that she sustained injuries as a result of the data breach – primarily the risk of identity theft and fraud – in addition to the investment of time and money to mitigate potential harm.

The District Court dismissed the case, stating that Plaintiff had not yet experienced actual identity theft or fraud, and thus she had no standing to bring this action.

First, the Third Circuit analyzed that to sustain an injury-in-fact in order to have standing to bring a lawsuit, the injury must be “actual or imminent” which indicates that Plaintiff need not wait until she has actually sustained the feared harm in order to seek judicial redress.  Instead, Plaintiff can file suit when the risk of harm becomes imminent: “meaning it poses a substantial risk of harm – versus hypothetical in the data breach context.”  Id. at  10.  The Third Circuit discussed that there are many factors to determine whether a risk is “imminent,” including whether:

    • the data breach was intentional
    • the data was misused
    • the nature of the information accessed through the data breach could subject a plaintiff to a risk of identity theft

Second, the Third Circuit cited to U.S. Supreme Court cases which ruled that an intangible injury – which is an injury that does not represent a purely physical or monetary harm to a plaintiff – may be a “concrete” injury.

Third, the Third Circuit analyzed the employment agreement in which Defendant expressly contracted to “take appropriate measures to protect the confidentiality and security” of this information.

Thus, the Third Circuit is permitting the class action to proceed in the District Court.


California Passes Bill for Social Media Protections for Minors

California’s bill would require companies that provide online services or products “likely to be accessed by children” – defined as any individual under the age of 18 – to adhere to heightened privacy and data protection standards.

The California Age-Appropriate Design Code Act, A.B. 2273, passed in the California Legislature.  The bill is expected to be signed by the Governor and go into effect July 1, 2024.

The anticipated law applies to “businesses” which are for-profit organizations that do business in California and: (1) have revenue of more than $25 million, or (2) derive 50% or more of its annual revenue from selling consumers’ personal information, or (3) buys/receives for commercial purposes the personal information of more than 50,000 consumers/households/devices.  In summary, A.B. 2273 requires:

  • Default privacy settings:  Companies must configure default privacy settings to the highest possible level of privacy and provide privacy information and other policies prominently in terms that children can understand.
  • No use of minor’s personal information:  Companies will be banned from using children’s personal information “for any reason other than a reason for which the personal information was collected, unless the business can demonstrate a compelling reason that use of the personal information is in the best interests of children,” according to the legislation.
  • Attorney General’s authority:  A.B. 2273 permits the Attorney General to seek an injunction or civil penalty against companies that violate the Act.  Negligent violations could result in a penalty of up to $2,500 per affected child, and intentional violations could result in a penalty of up to $7,500 per affected child, according to the bill.  Currently, the bill does not provide a private right of action.

In sum, the bill: (1) increases technology regulation, (2) aims to provide more online privacy protections for minors, and (3) will cause companies to increase privacy, legal, and engineering resources to meet the bill’s requirements.

TCPA: Health Care Exemption

The U.S. District Court, Northern District of Illinois recently held that a plaintiff’s Telephone Consumer Protection Act (“TCPA”) suit survived a motion to dismiss due to a lack of an established patient-provider relationship, when ruling on the health care exemption in the context of phone calls from an eye care provider.  The consumer had made an inquiry with the eye care provider but did not receive care, and thus, the exemption may not apply.

In Murtoff v. MyEyeDr. LLC, the Plaintiff sent an email to Defendant asking about the cost of a new pair of eyeglasses.  Plaintiff then began receiving automated phone calls from Defendant and its corporate entity regarding scheduling eye exams.  Plaintiff asked that the call stop, but they continued.

Plaintiff filed a putative class action, alleging violations of the TCPA.  Defendants filed a partial motion to dismiss regarding the part of the claim that relied on the lack of prior express written consent, asserting that the calls were health care messages.

The District Court analyzed that the Federal Communications Commission (“FCC”) has issued two health care exemptions for the TCPA, one of which was potentially applicable to this case.  Similar to the Federal Trade Commission’s (“FTC”) health care exception to its Telemarketing Sales Rule, the 2012 exemption covers any call that “Delivers a ‘health care’ message made by, or on behalf of, a ‘covered entity’ or its ‘business associate.”  To determine whether the exemption applies, the District Court then analyzed the factors set forth in Zani v. Rite Aid, which includes whether the call: (1) “concerns a product or service that is inarguably health-related”; (2) “was made by or on behalf of a health care provider to a patient with whom she has an established health care treatment relationship”; and (3) “concerns the individual health care needs of the patient recipient.” 

Significantly, the District Court noted that: (1) for the second factor, Plaintiff only made an inquiry regarding the cost of eyeglasses and thus never consummated a health care treatment relationship and (2) for the third factor, the calls regarding scheduling an eye exam were generic and not individualized as to Plaintiff.  Thus, the District Court ruled that – for purposes of a motion to dismiss – Plaintiff stated a claim that the calls were made without express prior written consent.

Lessons:  First, merely being a health care business is not, alone, sufficient to invoke the TCPA health care exemption.  Second, the exemption may not apply to a generalized message which is not specific to this patient or to this category of patients.

FTC Explores Rules About Commercial Surveillance and Data Security Practices

By: Sheila Raftery Wiggins

The Federal Trade Commission (“FTC”) announced that it is exploring rules to address commercial surveillance and lax data security. The FTC seeks public comment on the harms stemming from commercial surveillance and whether new rules are needed to protect people’s privacy and information.

Commercial surveillance is the business of collecting, analyzing, and profiting from information about people. The business of commercial surveillance can prompt companies to collect large quantities of consumer information, even though consumers only proactively share a small amount of this information. For example, companies reportedly surveil consumers while they are connected to the internet, including obtaining access to many aspects of the consumer’s online activities and physical movements/location.

The FTC’s concerns about commercial surveillance include:

  • Children: Some surveillance-based services may be addictive to children and lead to a wide variety of mental health and social harms.
  • Discrimination: There are concerns that the algorithms that underlie commercial surveillance may be prone to errors or bias which results in discrimination against consumers based on legally protected characteristics like race, gender, religion, and age, harming their ability to obtain housing, credit, employment, or other critical needs.
  • Condition for service: Some companies require consumers to sign up for surveillance as a condition for service. After consumers sign up, some companies change their privacy terms going forward to allow for more expansive surveillance.

For nearly 20 years, the FTC used its existing authority to bring many enforcement acts against companies for privacy and data security violations. The FTC is now exploring rules to: (1) establish clear privacy and data security requirements and (2) grant the FTC with authority to seek financial penalties for first-time violations.

The public will also have an opportunity to share their input on these topics, including during a virtual public forum on September 8, 2022.

TCPA Ruling: Fax Inviting Recipient to Take a Survey for Money Is Not An “Unsolicited Advertisement”

The Second Circuit ruled that an unsolicited faxed invitation to participate in a market research survey in exchange for money does not constitute an “unsolicited advertisement” under the Telephone Consumer Protection Act, 47 U.S.C. § 227 (“TCPA”).  Bruce Katz, M.D., P.C. v. Focus Forward, LLC, No. 21-1224 (2nd Cir. Jan. 6, 2022).

Plaintiff is a professional corporation that provides medical services.  Defendant is a market research company.  In 2019, Defendant sent Plaintiff two unsolicited faxes, addressed to the “Nurses” and “Practitioners,” seeking participants in “market research surveys” and offering $150 to participate in a “telephone interview.”

Plaintiff filed a putative class action alleging violations of the TCPA.  The TCPA prohibits the use of “any telephone facsimile machine, computer, or other device to send, to a telephone facsimile machine, an unsolicited advertisement.”  An “unsolicited advertisement” is defined by the statute as “any material advertising the commercial availability or quality of any property, goods, or services which is transmitted to any person without that person’s prior express invitation or permission.”

The regulations of the Federal Communications Commission (“FCC”), implementing the TCPA, contain an identical definition of “unsolicited advertisement.”  In 2006, the FCC promulgated a rule that construes the TCPA as specifically proscribing any faxed surveys that “serve as a pretext to an advertisement.”

In Katz, the Second Circuit reasoned that: (1) the two faxes “plainly do not advertise the availability of any property, goods, or services” and therefore “cannot reasonably be construed” as unlawful advertisements and (2) the word “property” does not appear to include money, as the word is used in the TCPA.

The Second Circuit noted that its holding may not necessarily extend to all communications, including faxed surveys, offering the recipient both money and services because such communications could incur liability under the TCPA depending on the specific content of the communication.

The Second Circuit declined to adopt the reasoning of the Third Circuit in Fischbein v. Olson Research Group, 959 F.3d 559 (3d Cir. 2020), which ruled that such faxes are advertisements because the “offer of payment in exchange for participation in a market survey is a commercial transaction, so a fax highlighting the availability of that transaction is an advertisement under the TCPA.”  Thus, the Second Circuit held that – based on the statutory text, legislative history, and FCC implementation of the TCPA – an invitation to participate in a survey, without more, is not an unsolicited advertisement under the TCPA.

Lesson:  An invitation to participate in a survey should be drafted to avoid offering “property, goods, or services” which may fall within the meaning of a “unsolicited advertisement” under the TCPA.

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.

Proudly powered by WordPress