FTC Asserts ROSCA Claims Against Vonage Over Process To End Subscriptions & Vonage Settles For $100M

The Federal Trade Commission protects e-commerce consumers from “dark pattern” tactics that prevent consumers from cancelling their services.  Vonage agreed to pay $100 million – a record-breaking settlement amount – to the FTC to settle charges that it created a series of obstacles, including hidden termination fees, for customers – both residential and business consumers – who tried to cancel their service.

In its Complaint filed in the United States District Court for the District of New Jersey on November 3, 2022, the FTC alleged that Vonage made it very easy to sign up but much harder to cancel a subscription contract, including by:

    • Eliminating cancellation options: Since 2017, Vonage allegedly made the decision to force customers to speak with a live “retention agent” in order to cancel service.  In contrast, customers could sign up for services online, over the phone, and through other venues.
    • Making the cancellation process difficult:  The company allegedly: (1) made it difficult to find the phone number for the “retention agent” on the website, (2) failed to consistently transfer consumers to that number from the normal customer service number, (3) reduced the hours during which the line was available, and (4) failed to provide promised callbacks.
    • Surprising customers with expensive fees when attempting to cancel:  Vonage allegedly charged early termination fees (“ETFs”) that were not clearly disclosed when the customer initially signed up for service.  At times, these ETFs were hundreds of dollars.
    • Charging customers who already cancelled service:  Vonage allegedly continued charging customers and then only provided partial refunds when customers complained.

In its Complaint, the FTC alleged that these actions violated Sections 13(b) and 19 of the Federal Trade Commission Act, 15 U.S.C. §§ 53(b), 57(b), and Section 5 of the Restore Online Shoppers’ Confidence Act (“ROSCA”), 15 U.S.C. § 8404.

ROSCA was passed and took effect in 2010 to help promote consumer confidence in online commerce; it rests on the premise that the Internet must provide accurate information and give sellers an opportunity to fairly compete with one another for consumers’ business.  Section 2 of ROSCA, 15 U.S.C. § 8401.

Section 4 of ROSCA, 15 U.S.C. § 8403, generally prohibits charging consumers for goods and services sold in transactions effected on the Internet through a negative option feature, as that term is defined in the Commission’s Telemarketing Sales Rule (“TSR”), 16 C.F.R. § 310.2(w), unless the seller, among other things, (1) provides text that clearly and conspicuously discloses all material terms of the transaction before obtaining the consumer’s billing information, (2) obtains the consumer’s express informed consent for the charges, and (3) provides simple mechanisms for a consumer to stop recurring charges.  The TSR defines a negative option feature as a provision in an offer or agreement to sell or provide any goods or services “under which the consumer’s silence or failure to take an affirmative action to reject goods or services or to cancel the agreement is interpreted by the seller as acceptance of the offer.”  16 C.F.R. § 310.2(u).

In the Complaint, the FTC alleged that Vonage violated ROSCA by failing to:

    • provide required disclosures, including disclosing all material transaction terms such as the methods of cancelling services,
    • obtain express informed consent before charging the consumer’s credit card, debit card, bank account, or other financial account for products, and
    • provide a simple mechanism for stopping recurring charges.

Federal Trade Commission v. Vonage Holdings Corp., et al., No. 3:22-cv-06435 (D.N.J. Nov. 3, 2022).  The FTC will use the $100 million settlement to provide refunds to Vonage consumers.

ABCmouse – disclosure of membership terms:  Similarly, in an earlier case, the FTC filed a Complaint against Age of Learning, Inc., which operates the children’s online learning program ABCmouse.  Federal Trade Commission v. Age of Learning, Inc., a corporation also d/b/a ABCmouse and ABCmouse.com, No. 2:20-cv-7996 (C.D. Cal. Sept. 1, 2020).  In that case, the FTC asserted that Defendant failed to disclose membership terms, which led to consumers being charged without their consent, and the FTC settled with Defendant for $10 million.

Swifties and concertgoers – petition against Ticketmaster:  As recently as last week, Taylor Swift fans (a/k/a Swifties) and concertgoers petitioned for an investigation regarding fees charged and processes of the website operated by Ticketmaster.  Stay tuned!

In sum, companies should evaluate their e-commerce disclosures, fee structures, and process for providing/ending service.

TCPA Class Action: Website Disclosure and Lead Marketers

The Ninth Circuit reviewed a website disclosure form – for a marketing website that generates leads – to determine when consumers assent to terms through interacting with a website.  The Ninth Circuit analyzed the factors of: (1) reasonably conspicuous notice, (2) manifestation of assent, and (3) use of the word – arbitration – in the notice itself.  Berman v. Freedom Financial LLC, 30 F.4th 849 (9th Cir. 2022).  Many similar federal court rulings concern websites in which the consumer is engaging in a transaction – such as buying a product – so Berman has a different factual basis because the marketing website was giving away free items as a means of obtaining leads for other companies.

In the facts underlying this case, Fluent is a digital marketing company that generates consumer leads for its clients by collecting information about consumers who visit Fluent’s websites.  Fluent offers free items via its websites such as gift cards and free product samples as an enticement to get consumers to provide their contact information and answer survey questions.  Fluent then uses the information it collects in targeted marketing campaigns conducted on behalf of its clients.

Fluent asked the first plaintiff to: (1) “confirm her zip code” by clicking a button and then (2) click on a large button stating “this is correct, continue!”  Fluent asked the second plaintiff to: (1) confirm “gender” by clicking a large button and then (2) click the “continue” button.  Significantly, located in between these two buttons were two lines of text – in small gray font which was partially underlined – stating: “I understand and agree to the Terms and Conditions which includes mandatory arbitration and Privacy Policy.”

Defendants used the contact information provided by consumers like plaintiffs to conduct a telemarketing campaign on behalf of defendants.

Plaintiffs filed a TCPA class action on behalf of consumers who received unwanted calls or text messages from defendants during the telemarketing campaign.  Defendants filed a motion to compel arbitration which was denied.  The Ninth Circuit reviewed the denial of the motion.

The Ninth Circuit noted that the Federal Arbitration Act (“FAA”) limits the court’s role to determining whether a valid arbitration agreement exists and, if so, whether the agreement encompasses the dispute at issue.  Plaintiffs did not contest that the arbitration provision on the websites’ terms and conditions encompasses their TCPA claims.  Thus, the only legal issue was whether either plaintiff assented to the terms, including the arbitration agreement.

The Ninth Circuit first discussed whether New York or California law governs, and the result would be the same under either state’s law because both states require mutual consent.  Absent a showing of “actual knowledge” of the contract terms by the consumer-plaintiff, inquiry notice will result in a contract only if: (1) the website provides “reasonably conspicuous” notice and (2) the consumer makes an “unambiguous” manifestation of assent.  The Ninth Circuit ruled that neither condition is satisfied and analyzed:

  • Reasonably conspicuous notice:  Website users are entitled to assume that important provisions – such as those that disclose the existence of contractual terms – will be prominently displayed.  The Ninth Circuit looked at:
    • Font size: the size of the text in the disclosure was smaller than the font in the surrounding website elements
    • Color:  the gray color of the text containing the hyperlink to the full terms and conditions made the disclosure hard to read
    • Phrase:  the specific phrase used on the button that users click to agree to the terms and conditions was generically phrased as “continue”
    • Underlining: the underlining for the hyperlinks to the arbitration agreement did not sufficiently denote the hyperlink
  • Manifestation of assent:  The “continue” button did not indicate to the user what action would constitute assent to those terms and conditions.  Further, the text of the button itself gave no indication that it would bind plaintiffs to a set of terms and conditions.
  • Including “arbitration” in the notice:  Merely because the notice references the word “arbitration” is not enough because the key question is whether the plaintiffs can be deemed to have manifested their assent to the terms.

The Ninth Circuit affirmed the denial of the motion to compel arbitration.

In sum, websites should comply with the three bullet-point analysis – reasonably conspicuous, manifestation of assent, and use of “arbitration” in the notice – to create enforceable contracts via website disclosures.

Website Tracking Technology Risks

As companies take advantage of new technologies in their interactions with customers and employees, they need to be mindful of the risks associated with implementation of those types of systems. This is especially true in the realm of federal and state privacy statutes, which in some instances have been created recently to address privacy concerns. There are also existing laws that are now being applied in a different context.

Read the Law360 article on the Duane Morris LLP website.

Biometric Data: Texas AG Sues Google

The Texas Attorney General sued Google for allegedly violating state laws by collecting biometric data on face and voice features without seeking the full consent of users as required under the Texas Capture or Use of Biometric Identifier Act (“CUBI”).  The complaint is another example of the role of individual states in protecting users’ information on the internet.

The Texas Attorney General (“AG”) alleges that:

    • Products:  Since at least 2015, Google collected data from Texans and “used their faces and voices to serve Google’s commercial ends” including features such as Google Photos’ “Face Grouping,” which uses facial-recognition software to group similar faces together to form a folder of photos for a particular person.  The AG also cites the Nest Hub Max’s “Face Match” and Nest products’ “voice-controlled personal assistant” as programs by which Google is able to collect biometric data from Texans.
    • No consent or opt out:  These features violate the CUBI because they do not request consent before use or give users the option to opt out of the software.
    • Storing data:  The AG asserts that Google is using and storing Texans’ information for further development and use.

The CUBI:

    • Inform and consent: The CUBI prohibits companies from collecting voice or face data for commercial purposes without first informing users.  The CUBI prohibits an entity from capturing a biometric identifier for commercial purposes unless the entity: (1) informs the individual before capturing the biometric identifier and (2) receives the individual’s consent to capture the biometric identifier.
    • Definition:  The CUBI defines “biometric identifier” as including: retina or iris scan, fingerprint, a record of hand or face geometry, or voiceprint (the CUBI does not apply to voiceprint data retained by financial institutions per 15 U.S.C. § 6809).
    • Penalty:  The CUBI permits the AG to bring an action.  Each violation is subject to a $25,000 penalty.

The AG’s action against Google is similar to the one brought against Facebook parent Meta earlier this year, also under the CUBI.  Further, Google previously agreed to pay $100 million to settle a class-action lawsuit in Illinois alleging that the company’s face-grouping tool violated Illinois privacy laws.

TCPA: Consent by “Somebody” Insufficient To Avoid Liability

The “intended recipient” approach is no longer a viable argument when seeking to dismiss a TCPA claim at the initial pleading stage.  Blalack v. RentBeforeOwning.com, 2022 WL 7320045 (C.D. Cal. Oct. 11, 2022).

In Blalack, Defendant is a real estate listing service which markets rent-to-own properties to consumers.  Over a one year period, Defendant sent 108 telemarketing text messages to Plaintiff Jamie Blalack’s cell phone to solicit her to purchase a subscription to Defendant’s services.  Screenshots of text messages read:

    • “Thank You for Signing up for Property Alerts.”
    • “Good morning, Harry. Search for properties in 74063 now.” (Plaintiff’s name is not Harry, and 74063 is not Plaintiff’s zip code).
    • “Reply HELP for HELP – STOP to stop.”

Each text contains a link which led Plaintiff to Defendant’s site to sign up for the service.  Only some texts offer Plaintiff the opportunity to “opt out” of future messages.

Plaintiff asserts that she did not consent to receive the text messages or communications from Defendant and that she uses her cell phone primarily for residential purposes.  Plaintiff registered her cell phone on the Federal Do Not Call Registry (“DNC Registry”).  Plaintiff also sent Defendant a written cease and desist letter, but Defendant continued sending the texts for another month.

In this lawsuit, Plaintiff asserts claims under the Telephone Consumer Protection Act (“TCPA”), 47 U.S.C. § 227(c) seeking $500 per text, treble damages of $1500 per text, and injunctive relief.

Defendant filed a motion to dismiss, and the District Court denied these two arguments:

  • Residential purposes:  Defendant asserted that Plaintiff did not allege in the Complaint that her cell phone was used for residential purposes.  Yet, the District Court discussed:
    • 2003 FCC Order:  In 2003, the Federal Communications Commission’s (“FCC”) Report and Order permitted wireless subscribers to participate in the DNC Registry.  Commission’s Report and Order, CG Docket No. 02-278, FCC 03-153, “Rules and Regulations Implementing the Telephone Consumer Protection Act of 1991;” 47 C.F.R. § 64.1200(e).
    • DNC Registry Presumption:  In this Circuit, several district courts held that an allegation that a cell phone number is registered on the DNC Registry is sufficient to establish – at the pleading stage – the presumption that the number is a residential one.
  • Prior express consent:  Defendant asserted that Plaintiff consented to receiving Defendant’s text messages.  There is no liability if the person making the telephone solicitations has obtained the subscriber’s prior express invitation or permission which is evidenced by a signed written agreement between the consumer and seller which states that the consumer agrees to be contacted by this seller and includes the telephone number to which the calls may be placed.  There is no liability if the call or message is to a person with whom the caller has an established business relationship.  Defendant argued that Plaintiff did not elect to opt out of receiving the messages, even though some messages permitted Plaintiff to do so.  Yet, the District Court discussed:
    • FCC Regulation:  To demonstrate “prior express invitation or consent,” the FCC Regulations require evidence of a “signed, written agreement,” and the screenshots do not: (1) constitute such a signed agreement, 47 C.F.R. § 64.1200(c)(ii); or (2) demonstrate a “voluntary two-way communication” between Plaintiff and Defendant that constitutes an “established business relationship,” 47 C.F.R. § 64.1200(f)(5).
    • Jamie, not Harry: The text identifies the recipient by a different name – Harry.  This allegation supports that Plaintiff did not provide her prior permission for the communications.

The District Court denied Defendant’s motion to dismiss and noted that there are fact questions that cannot be resolved on a motion to dismiss and are to be addressed in discovery.

In sum, the “intended recipient” approach is no longer a viable argument when seeking to dismiss a TCPA claim at the initial pleading stage.

Does Tracking User Activity on Websites Violate Electronic Interception Laws?

A new wave of class action lawsuits filed in California, Pennsylvania and Florida target companies that use technologies to track user activity on their websites, alleging such practices, when done without obtaining a user’s consent, violate electronic interception provisions of various state laws. The two technologies at issue are: 1) session replay software and 2) coding tools embedded in chat features. Session replay software tracks a user’s interactions with the website—their clicking, scrolling, swiping, hovering and typing—and creates a stylized recording of those interactions and inputs. Coding tools create and store transcripts of the conversations users have in a website’s chat feature. The plaintiffs in this new string of class actions allege that recording their interactions with a website and sending that recording to a third party for analysis without their consent is an illegal invasion of their privacy.

Read the full Alert on the Duane Morris LLP website.

Bank’s Clickwrap Agreement – Cross-Referencing Arbitration and Class Action Waiver Provisions – May Be Enforceable

The Second Circuit ruled that a “buried” hyperlink is not, alone, fatal to enforcing arbitration and class action waiver provisions contained in an agreement that is incorporated by cross-reference via a web-based contract.  Design, layout, and content of the webpage are significant factors to determining whether the contract terms were available and conspicuous, and thus enforceable.  Zachman v. Hudson Valley Federal Credit Union, No. 21-999 (2nd Cir. Sept. 14, 2022).

Clickwrap Agreement and Plaintiff’s Class Action Claims

In 2012, Plaintiff opened her bank account and received an Account Agreement.  In 2019, Plaintiff agreed to an Internet Banking Agreement (“IB-Agreement”) that incorporates by reference the revised Account Agreement.  The IB-Agreement requires the customer to click a button of the Agreement stating “I agree to the above terms and conditions.”

Plaintiff filed a class action complaint alleging that Defendant-Bank HVCU’s practice of collecting overdraft or insufficient funds on accounts that were not actually overdrawn violated: (1) New York General Business Law § 349 and (2) the Electronic Fund Transfer Act, 15 U.S.C. § 1693, et seq.

Clickwrap Agreement and Customers’ Access to Revised Account Agreement

HVCU filed a motion to dismiss and to compel arbitration, asserting:

  • the revised Account Agreement containing the arbitration agreement and class action waiver was published to its website which can be accessed via a hyperlink or via a “Resources” tab on HVCU’s website
  • a physical copy of the Account Agreement may be obtained by the customer requesting a copy be mailed or going to a brick-and-mortar HVCU branch.

HVCU did not:

  • implement a “banner” notification on the webpage
  • provide a summary of any changes to the Account Agreement on the webpage where the agreement is hyperlinked
  • otherwise indicate any changes had been made to the Account Agreement.

District Court: Did Plaintiff Have “Inquiry Notice” of the Provisions?

First, the District Court ruled that the district court, not an arbitrator, determines whether a valid arbitration agreement exists.  Second, the District Court ruled that HVCU did not establish that Plaintiff had actual notice or inquiry notice of the arbitration and class action waiver provisions.  The District Court concluded that the hyperlink to the revised Account Agreement appeared to be buried in the IB-Agreement and thus concluded that HVCU failed to establish that Plaintiff was put on inquiry notice of the arbitration and class action waiver provisions.  HVCU appealed.

Second Circuit: Website’s Layout, Content, and Design

The Second Circuit stated that the enforceability of a web-based agreement is a fact-intensive inquiry, which includes an evaluation of the visual evidence demonstrating “whether the website user has actual or constructive notice of the conditions” which often turns on “whether the design and content of th[e] webpage rendered the existence of terms reasonably conspicuous.”

Based on the evidence provided in support of the motion, the Second Circuit was unable to assess whether the relevant language and hyperlink are clear and conspicuous.  The Second Circuit ruled that the District Court’s conclusion that the provisions were “buried” in the IB-Agreement was inconsistent with the lack of evidence presented regarding the website’s layout and design.  The Second Circuit ruled that the District Court’s ruling was premature.

Significantly, the Second Circuit stated:

  • agreements may be incorporated by cross-reference via web-based contracts
  • as long as the layout and language of the website give the user reasonable notice that a click will manifest assent to an agreement, then clicking “I agree to the above terms and conditions” would bind Plaintiff to the IB-Agreement, along with the Account Agreements incorporated by reference
  • screenshots – of the webpage(s) used to register HVCU customers for online banking – will show the design and content of the IB-Agreement as presented to users and thus are relevant to whether Plaintiff assented to the agreement’s terms

In sum, a picture – or here, screenshots – is worth a thousand words and will help demonstrate that the parties mutually agreed to a clickwrap agreement.

CISA Requests Public Comment for Regulations On Cyber Incident Reporting for Critical Infrastructure Act

The U.S. Cybersecurity and Infrastructure Security Agency (“CISA”) seeks public comment on structuring and implementing regulations for reporting requirements under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”).  Comments may be submitted by November 14, 2022 through the Federal e-Rulemaking Portal: http://www.regulations.gov.  The CISA’s Request for Information is located at: https://www.federalregister.gov/documents/2022/09/12/2022-19551/request-for-information-on-the-cyber-incident-reporting-for-critical-infrastructure-act-of-2022

Four New State Data Privacy Laws Take Effect In 2023

Data privacy laws take effect during 2023 in California, Virginia, Colorado, Utah, and Connecticut.  Specifically:

    • California Privacy Rights Act, effective January 1, 2023
    • Virginia Consumer Data Protection Act, effective January 1, 2023
    • Colorado Privacy Act, effective July 1, 2023
    • Connecticut Data Privacy Act, effective July 1, 2023
    • Utah Consumer Privacy Act, effective December 31, 2023

Other states are actively considering the implementation of a comprehensive privacy law.

Currently, the United States does not have a federal data privacy law.  In May 2022, a bipartisan group of legislators introduced the American Data Privacy and Protection Act (“ADPPA”), which includes federal preemption of state laws with some exceptions, such as a limited private right of action for certain privacy violations.

As we enter the last quarter of 2022, make preparations to comply with the new state data privacy laws.

“Imminent” Harm Gives Standing to Phishing Attack Victim Against Employer

In a precedential ruling, the Third Circuit reinstated a class action lawsuit filed by a former employee who was required to provide sensitive personal and financial information to her employer which was then released on the dark web following a phishing attack, despite the employer’s statement that it would take appropriate measures to protect the information.   In Clemens v. ExecuPharm Inc., No. 21-1506 (3d Cir. Sept. 2, 2022), the Third Circuit:

    • overturned the District Court’s dismissal of the action, which rested on the District Court’s finding that Plaintiff failed to allege that she experienced actual identity theft or fraud
    • rejected the contention that a risk of identity theft or fraud cannot qualify as sufficiently “imminent” to establish standing to bring a lawsuit

Plaintiff, a former employee of Defendant, was required as a condition of her employment to provide sensitive personal and financial information, such as her social security number, bank and financial account numbers, tax information, her passport, and information about her husband and child.  Plaintiff’s employment agreement states that Defendant would “take appropriate measures to protect the confidentiality and security” of this information.

After Plaintiff left Defendant’s employment, a hacking group used a phishing attack in March 2020 to install malware on Defendant’s servers, stealing sensitive information about current and former employees including Plaintiff.  Either because Defendant refused to pay or for other reasons, the company’s data – including 123,000 files and 162 gigabytes of data – was released on the dark web, as confirmed by screenshots taken by an intelligence firm.

Plaintiff promptly took actions, including: (1) enrolling in Defendant’s complimentary one-year credit monitoring services, (2) transferring her account to a new bank, and (3) placing fraud alerts on her credit reports.

Plaintiff filed a class action lawsuit asserting claims for breach of contract, breach of implied contract, negligence, negligence per se, breach of confidence, and breach of fiduciary duty.  Plaintiff alleged that she sustained injuries as a result of the data breach – primarily the risk of identity theft and fraud – in addition to the investment of time and money to mitigate potential harm.

The District Court dismissed the case, stating that Plaintiff had not yet experienced actual identity theft or fraud, and thus she had no standing to bring this action.

First, the Third Circuit explained that, to establish the injury-in-fact required for standing to bring a lawsuit, the injury must be “actual or imminent,” which means that Plaintiff need not wait until she has actually sustained the feared harm in order to seek judicial redress.  Instead, Plaintiff can file suit when the risk of harm becomes imminent: “meaning it poses a substantial risk of harm – versus hypothetical in the data breach context.”  Id. at 10.  The Third Circuit discussed that there are many factors to determine whether a risk is “imminent,” including whether:

    • the data breach was intentional
    • the data was misused
    • the nature of the information accessed through the data breach could subject a plaintiff to a risk of identity theft

Second, the Third Circuit cited to U.S. Supreme Court cases which ruled that an intangible injury – which is an injury that does not represent a purely physical or monetary harm to a plaintiff – may be a “concrete” injury.

Third, the Third Circuit analyzed the employment agreement in which Defendant expressly contracted to “take appropriate measures to protect the confidentiality and security” of this information.

Thus, the Third Circuit is permitting the class action to proceed in the District Court.

 

© 2009- Duane Morris LLP. Duane Morris is a registered service mark of Duane Morris LLP.

The opinions expressed on this blog are those of the author and are not to be construed as legal advice.
