“Two Cops on the Beat is Nothing Unusual”: Ninth Circuit Reverses Panel Decision, Rules FTC Act’s “Common Carrier” Exemption is Activity-Based

On February 26, 2018, the U.S. Court of Appeals for the Ninth Circuit issued an en banc decision in FTC v. AT&T holding that the Federal Trade Commission (FTC) Act’s “common carrier” exemption is activity-based, reversing the panel’s decision that the exemption is status-based, which would have opened a large enforcement gap for telecommunications companies like AT&T. This is an important decision in terms of FTC jurisdiction: it means that the FTC can and will continue to regulate common carriers to the extent that they provide non-common-carrier services, such as mobile internet services.

Section 5 of the FTC Act gives the commission enforcement authority over unfair and deceptive acts or practices, but exempts “common carriers subject to the Acts to regulate commerce.” Unsurprisingly, the question of whether a company qualifies as a “common carrier” under the exemption is a loaded and complicated one. If an entity falls within the exemption, the FTC cannot bring an enforcement action against it for conduct it considers harmful to consumers. Conversely, companies that fall outside the exemption are subject to FTC regulation, leaving them open to liability for unfair or deceptive conduct, and requiring that they comply with a long list of FTC rules. Continue Reading

FTC Announces Settlement with PayPal for Alleged FTC Act and GLBA Violations by Venmo

On February 27, 2018, the Federal Trade Commission (FTC) announced1 that it had reached an agreement with PayPal to settle allegations that its peer-to-peer payment service, Venmo, engaged in deceptive acts and practices and violated the Gramm-Leach-Bliley Act (GLBA)’s Safeguards Rule2 and Privacy Rule.3 Since 2011, Venmo has offered peer-to-peer payment services through an app that consumers can download, link to their external bank accounts, and use to transfer and receive money to and from other users. In its complaint, the FTC alleged that PayPal, through Venmo, failed to adequately disclose that: (1) it could freeze or remove funds credited to a customer’s account; (2) the Default Audience Setting did not ensure that future transactions were visible only to chosen audiences; and (3) the Individual Audience Setting did not ensure that any single transaction was visible only to the chosen audience. The FTC also alleged that PayPal, through Venmo: (1) misrepresented that it protected consumers’ information with “bank-grade security systems;” (2) failed to protect the security, confidentiality, and integrity of customer information in violation of the GLBA’s Safeguards Rule; and (3) failed to send an adequate initial privacy notice to customers detailing its privacy policies and practices in violation of the GLBA’s Privacy Rule.4 Continue Reading

To Text or Not to Text? That Is the Question

Let’s face it: The residential phone line is on the verge of suffering the same fate as the 8-track tape. Anyone who doesn’t know what an 8-track tape is most assuredly uses a cell phone—and only a cell phone—to communicate. Email takes too long. And younger generations don’t even use the actual phone part of their cell phones.

The reality is that if you want to communicate with a very large segment of the U.S. population, you have to text. This explains why everyone is doing it. Doctors, dentists, veterinary practices, hair salons, airlines, car dealerships—businesses that make appointments—all send text reminders. Schools notify parents of school cancellations by texts. Hotels offer “virtual concierge” services entirely by texts. Retailers offer special discounts via texts. Should your business jump on the text message bandwagon? Maybe. The reward is high, but so is the risk.

Continue Reading

GDPR—Collective Actions Under the Privacy Banner

As application of the European Union’s (EU’s) General Data Protection Regulation (GDPR)1 quickly approaches, the enforcement authority of the European data protection authorities (DPAs) is rightfully on everyone’s mind. The power to issue monetary fines against non-compliant entities of up to four percent of the entity’s past year worldwide turnover is one of the GDPR’s most striking provisions.2 But, the GDPR also includes a provision that may prove to be equally important: giving individuals the right to bring collective legal action against non-compliant entities. If these collective actions become common, understanding by whom, under what grounds, and where these suits may be brought will be critical in assessing the importance of compliance and the benefits and risks of launching European data initiatives. Continue Reading

Illinois Appellate Court Holds That BIPA Plaintiffs Must Show Actual Harm

On December 21, 2017, the Illinois Second District Appellate Court dealt a significant blow to the recent wave of Illinois Biometric Information Privacy Act (BIPA) class actions, holding in Rosenbach v. Six Flags Entertainment Corp. that plaintiffs alleging mere procedural violations of BIPA, without “any injury or adverse effect,” are not “aggrieved” persons entitled to any relief—monetary or otherwise—under the statute.1

BIPA prohibits companies from collecting biometric information from individuals without notice and written consent.2 The Illinois legislature passed BIPA in 2008 in response to the growing use of biometric technology in the business and security screening sectors in Illinois.3 Specifically, lawmakers were concerned about companies like Pay By Touch—which, in the early 2000s, brought biometric authentication to payment systems —going bankrupt and, consequently, putting consumers’ sensitive personal information at risk.4 To that end, BIPA contains a private right of action that allows any person “aggrieved” by a violation of the act to bring a claim against the offending party for $1,000 or actual damages per negligent violation, and $5,000 or actual damages per intentional or reckless violation.5 Critically, the statute does not define “aggrieved” persons, which proved to have a decisive impact on the Rosenbach court’s ruling.

Continue Reading

Online Talent Agency Stars in FTC’s 30th COPPA Case

On February 5, 2018, the Federal Trade Commission (FTC) announced its most recent Children’s Online Privacy Protection Act (COPPA) case against Explore Talent, an online talent agency marketed to aspiring actors and models.1

According to the FTC’s complaint, the company provided a free platform for users to find information about auditions, casting calls, and other opportunities. Users could sign up for accounts and create publicly available, searchable profiles that included personal information such as names, email addresses, telephone numbers, and mailing addresses. The company’s privacy policy stated that it did not knowingly collect personal information from children under age 13 and that accounts for users under 13 had to be created by a legal guardian. In practice, however, users selected their “age range” during registration, which included options of 0-5 and 6-12 years old. On a later registration screen, the company specifically asked for users’ birthdates.

Continue Reading

LexBlog