May 02, 2019

MONTH-IN-BRIEF: Internet Law & Cyber-Security

Juliet Moringiello, Sara Beth A.R. Kohut

Data Privacy

Federal Court in South Carolina Dismisses COPPA Suit Against Google Entities

By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP

A federal court in South Carolina recently dismissed a proposed class action against Google, LLC, YouTube, LLC, and their parent company Alphabet, Inc., for alleged violations of the federal Children’s Online Privacy Protection Act (COPPA). In Manigault-Johnson v. Google, LLC, C.A. No. 2:18-cv-1032-BHH (D. S.C. Mar. 31, 2019), a proposed class action brought by South Carolinians alleged that the defendants violated COPPA and other laws by improperly collecting the personal identifying information of children who viewed videos on smartphone apps and websites, and then selling that information for advertising purposes.

Among other reasons for dismissal, the District Court found that the plaintiffs lacked standing because they alleged violation of the California state constitutional right to privacy, but the class named no plaintiff who was a California resident with standing to raise the claim. The court also questioned whether the collection of data from persons who voluntarily used the defendants’ platforms could sufficiently state a claim for intrusion upon seclusion. Although the court did not reach whether COPPA preempted the state law claims, it described the complaint as an apparent attempt to use state law to privately sue under COPPA, the enforcement of which is exclusively reserved to the U.S. Federal Trade Commission and state attorneys general. 

Colorado Court Upholds Phone Search Where Passcode Voluntarily Provided

By Sara Beth A.R. Kohut, Young Conaway Stargatt & Taylor, LLP

The Supreme Court of Colorado has upheld a cell phone search made after a suspect voluntarily provided his passcode to police. In People v. Davis, No. 18SA267 (Colo. Apr. 8, 2019) (en banc), Shaun Davis was arrested on murder charges. He provided the passcode to his locked cell phone so that police could call his girlfriend to pick up her car, which Davis had driven to the location where he was arrested. Davis did not expressly limit police use of his passcode and the police did not contact the girlfriend.

The police later obtained a search warrant for the phone and used the passcode to unlock it for the search. Davis moved to suppress his passcode statements and evidence obtained on the phone. The trial court granted suppression under the Fourth Amendment on the basis that Davis had given only limited consent to unlock the phone to call his girlfriend but the search exceeded that consent.

On appeal, the Supreme Court held that Davis had no legitimate expectation of privacy in his passcode because he voluntarily provided it to police. Accordingly, because the police had both a valid warrant to search the phone and the passcode to access its contents, execution of the warrant did not violate the Fourth Amendment.

Court Partially Dismisses Claims Against Bose for Creepy Data Collection

By Antonia Dumas, Xpan Law Group

The U.S. District Court for the Northern District of Illinois has partially dismissed claims against Bose over its data collection practices in connection with the use of an application and its wireless products. Zak v. Bose Corp., No. 1:2017cv02928 (N.D. Ill. Mar. 31, 2019). Bose filed a motion to dismiss the complaint of a class of consumers who bought Bose wireless products and downloaded and used the Bose Connect mobile application (the “App”). The App allows users to connect to their Bose wireless product via Bluetooth and display media information (i.e., track title, artist and album) from the audio streaming platform used (here Spotify). However, the class claimed that Bose: (i) intercepted the user-to-Spotify communications of media information; (ii) automatically transmitted the data (with other personal identifiers) to third parties (including a data miner, Segment.io) without the consumer’s knowledge or consent; and (iii) accessed the data (as a customer of Segment.io) to link the information to a particular user (by product serial and registration numbers) to create a user profile and track their music listening habits.

The court dismissed claims under the federal Wiretap Act and Illinois’ Eavesdropping Statute, mainly due to its finding that Bose was a party to the communications via the App. However, the claims of deceptive practices (under the Illinois Consumer Fraud and Deceptive Practices Act) and unjust enrichment against Bose survived. An issue of fact remains as to whether Bose committed a deceptive act when it omitted and concealed the above information (on the packaging of its wireless products and on its website) because it knew consumers would not otherwise purchase the products.  

Digital Currency

FinCEN Takes Action Against a Peer-to-Peer Virtual Currency Exchange

By Stephen T. Middlebrook, Womble Bond Dickinson

On April 18th, FinCEN assessed a civil money penalty against Eric Powers for failure to register as a money services business, have a written anti-money laundering plan and file suspicious activity and other required reports with the government.  Mr. Powers ran a peer-to-peer cryptocurrency exchange, conducted 1700 transactions over 21 months, and traded millions of dollars’ worth of bitcoin with a number of customers, including people doing business on the Silk Road, the infamous dark market for drugs and other contraband.

NY AG Investigates Cryptocurrency Exchange Bitfinex and Related Stablecoin Tether

By Stephen T. Middlebrook, Womble Bond Dickinson

The New York Attorney General announced an investigation into cryptocurrency exchange Bitfinex and its related stablecoin Tether. The AG alleges that Bitfinex has lost access to over $850 million of commingled client and corporate funds. The AG contends that, in order to cover up the losses, Bitfinex took $900 million from reserve funds that supposedly backed the stablecoin Tether.

Arkansas Amends UETA to Specifically Address Blockchain

By Stephen T. Middlebrook, Womble Bond Dickinson

Arkansas enacted amendments to its version of the Uniform Electronic Transactions Act (UETA) to specifically address blockchain technology. While UETA is technology-neutral and thus already covers electronic records and contracts that make use of a blockchain, Arkansas nonetheless modified its law to make that application explicit. The act specifies that a blockchain must secure data with cryptography, be immutable and auditable and provide “an uncensored truth.” Unfortunately, blockchain technology that fails to meet these cryptic requirements will now fall out of the protections of UETA. The act also states that smart contracts, which are pieces of code that may run on a blockchain and automate processes and performance of agreements, are now considered commercial contracts. Any contract that contains a smart contract term “shall not be denied legal effect, validity or enforceability.” The latter provision should make for some interesting case law.

Juliet Moringiello

Commonwealth Professor of Business Law, Widener University Commonwealth Law School

Juliet Moringiello is the Commonwealth Professor of Business Law at Widener University Commonwealth Law School in Harrisburg, PA, where she teaches Property, Bankruptcy, Secured Transactions, Sales, and a seminar on Cities in Crisis. She earned her B.S.F.S. at Georgetown University, her J.D. at Fordham University School of Law, and her LL.M in Legal Education at Temple University School of Law. Professor Moringiello is Chair of the Pennsylvania Bar Association Business Law Section, a Uniform Law Commissioner for Pennsylvania, and a member of the American Law Institute. She is also a Fellow of the American College of Commercial Finance Lawyers and has held several leadership positions in the American Bar Association Business Law Section.

Sara Beth A.R. Kohut

Co-Chair; Cybersecurity, Privacy, and Data Protection Group; Young Conaway

Sara Beth’s practice focuses on advising legal representatives for future claimants in connection with asbestos mass tort insolvency matters and settlement trusts. She has also represented national and local businesses in cases involving intellectual property, corporate and commercial issues in the federal and state courts in Delaware. Sara Beth has advised clients on strategies for protecting intellectual property rights and complying with obligations governing the privacy and security of sensitive data. She currently co-chairs Young Conaway’s Cybersecurity, Privacy, and Data Protection group.