Data Privacy
Illinois Federal Court Upholds Class Action Over Shutterfly Use of Facial Recognition Technology
By Allison Mielke, Young Conaway Stargatt & Taylor, LLP
The U.S. District Court for the Northern District of Illinois recently denied a motion to dismiss a putative class action against the web-based photograph company Shutterfly, Inc. for allegedly breaching the Illinois Biometric Information Privacy Act (BIPA). At issue was whether Shutterfly could, without informing individuals, capture and store biometric information collected from photographs uploaded to its website. The court determined that while photographs themselves were excluded from BIPA protection, the biometric data obtained from the photographs constituted “biometric information” and was protected under the law. The court also held that the plaintiffs need not have pled actual damages in order to state a claim for a violation of the BIPA. With few courts having interpreted the scope of biometric privacy laws, this case may be a harbinger of litigation to come.
Google Referrer Header Privacy Opinion by 9th Circuit
By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP
The U.S. Court of Appeals for the 9th Circuit recently affirmed the decision of the U.S. District Court for the Northern District of California to approve a cy pres–only settlement in a breach-of-privacy class action against Google in In re Google Referrer Header Privacy Litigation, No. 15-15858 (9th Cir. Aug. 22, 2017). When a Google Search user clicks on a search result, the website to which the user is directed receives the Uniform Resource Locator of the previous page, which includes the user’s search terms. Among other causes of action raised, the plaintiffs alleged that this search-term sharing violated the Stored Communications Act. A settlement reached among the parties called for Google to pay $5.3 million to six cy pres recipients that agreed to use the funds to promote public education and research regarding privacy on the internet.
The court of appeals noted that cy pres settlements are appropriate where a fund is “non-distributable” because it would be too burdensome and costly to prove the individual claims and handle payments to claimants. The court found that applied here because the Google class members likely would receive a de minimis amount of mere cents. One challenge raised by objecting class members was that the cy pres recipients involved the alma maters of class counsel and entities that had previously received settlements from Google. The court of appeals found there had been sufficient transparency and nothing more than allegations suggesting impropriety in the recipients’ selection, but one dissenting-in-part judge would have remanded for further review of the recipients’ selection.
Massachusetts Court Finds Stored Communications Act Does Not Block Estate Access to Decedent’s Email Account
By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP
The Massachusetts Supreme Judicial Court recently held that the Stored Communications Act (SCA) does not prohibit an email-services provider from disclosing an intestate decedent’s email account to the estate’s personal representatives. Ajemian v. Yahoo!, Inc., No. SJC-12237 (Mass. Oct. 16, 2017). A state probate and family court had granted summary judgment in favor of Yahoo!, Inc., which contended that the SCA prohibited it from disclosing the email account of a 43-year-old decedent to his siblings, who were the personal representatives of the estate. The Supreme Judicial Court noted that the SCA permits voluntary disclosure to an agent of, or upon the lawful consent of, the account holder. While the personal representatives did not constitute agents of the decedent because they were appointed by the probate court, the court concluded they could give lawful consent because the SCA evidenced no federal intent to preempt state probate and common-law rights. That was sufficient to deny summary judgment in favor of Yahoo on the basis of the SCA, but did not necessarily mean disclosure would ultimately be granted. Yahoo also argued that the terms of service that governed the account authorized Yahoo to refuse access to the personal representatives. Finding the record insufficient on whether those terms evidenced an enforceable contract, the high court remanded for further proceedings.
Electronic Contracting
Arizona Smart Contract Law Attracting Blockchain Companies
By John Ottaviani, Partridge Snow & Hahn LLP
Arizona’s recent law change to confirm the validity of smart contracts is reaping economic development benefits. Several blockchain companies, including Sweetbridge, Aperio, and Dash Core Team, have located their headquarters or operations to Arizona. The new law, passed in March 2017, amended the Arizona Electronic Transactions Act to confirm that signatures and records or contracts secured through blockchain technology have the same legal effect as other electronic contracts and records.
Cybersecurity
FTC Settles with Lenovo Over Laptop Privacy
By William R. Denny, Potter Anderson & Corroon LLP
On September 5, 2017, the U.S. Federal Trade Commission and 32 state attorneys general agreed to settle charges against Lenovo, Inc., one of the world’s largest software manufacturers, that the company harmed consumers by pre-loading its laptops with third-party software that compromised security protections. The software, VisualDiscovery, was intended to deliver ads to consumers, which it did by inserting itself as a “man in the middle” between the user’s browser and websites that the user accessed. The FTC alleged that consumers had not consented to the installation, and that the software gave its manufacturer, Superfish, Inc., the ability to access all of the consumer’s sensitive information transmitted over the internet. It also allegedly used an insecure method to replace digital certificates on websites, thereby depriving consumers of the ability to detect which websites were spoofed or malicious. This is another instance, similar to FTC claims against Wyndham Hotels and Resorts and LabMD, Inc., in which the FTC has charged a company with “unfair” acts or practices in or affecting commerce, in violation of Section 5 of the FTC Act, based on its failure to implement adequate security. Furthermore, the charges against Lenovo do not allege specific consumer harm, but only that the conduct “caused or was likely to cause substantial injury to consumers.” By defining its mandate to include enforcement of reasonable data security and by pressing cases even in the absence of demonstrable consumer harm, the FTC has further cemented its role as the primary enforcer of data security in the U.S.