October 01, 2019

MONTH-IN-BRIEF: Internet Law & Cyber-Security

Juliet Moringiello, Sara Beth A.R. Kohut

Data Privacy

FTC and NY AG Obtain Record Settlement of Alleged COPPA Violations

By Jaclyn C. Weissgerber, Young Conaway Stargatt & Taylor, LLP

Google LLC and its subsidiary YouTube will pay a total of $170 million to the Federal Trade Commission (FTC) and the New York Attorney General (NY AG) to settle claims that YouTube violated the Children’s Online Privacy Protection Act, also known as COPPA.  This settlement sets the record as the largest financial remedy for COPPA violations since COPPA was enacted in 1998; the prior record was $5.7 million.

COPPA requires that child-directed websites and online services provide notice and obtain parental consent before collecting personal information from children under age 13.  In the complaint filed with the United States District Court for the District of Columbia, the FTC and NY AG alleged that YouTube, which marketed itself as a top web-destination for kids, violated COPPA because it did not properly notify parents and obtain their consent before collecting and using their children’s personal information.  Specifically, the complaint alleged that YouTube collected “persistent identifiers” such as cookies that are used to track viewers over time and across websites, and used that data to deliver targeted ads to children, from which it earned millions.

Besides paying the $170 million penalty, YouTube has also agreed to create a system for the channels on its platform to identify child-directed content so that those viewers will no longer be tracked for advertising purposes, and to provide COPPA training to employees responsible for managing YouTube channels.  

EU Court Holds Right to Be Forgotten Applies Only In EU

By Melissa Hall, MacRoberts LLP

On September 24, 2019, the European Court of Justice (Court) gave a landmark ruling which clarified the territorial reach of the ‘right to be forgotten’. The relevant case involved Google, and the French supervisory authority, CNIL. In high-level terms, the Court held that a search engine provider is not required to remove links to information in all versions of its search engine available worldwide when dealing with a right to be forgotten request. Instead, it is only required to remove links on the versions of its search engine intended for use in the EU member states, and to adopt measures to ensure the effective protection of individuals’ fundamental rights by preventing a user located in the EU from accessing the personal data through the search engine’s international domain names (e.g. geo-blocking). Though the decision was made under the former 1995 EU Data Protection Directive, it will have implications under the new General Data Protection Regulation (GDPR) also.

California Supreme Court Decision Could Force Changes in Website Practices

By John Ottaviani

In a case that may have far-reaching implications for commercial websites, the California Supreme Court recently lowered the bar for alleging standing in discrimination cases.  In an unanimous opinion in White v. Square, Inc., No. S249248 (Cal. Aug. 12, 2019), the California Supreme Court held that a person who visits a business’s website with an intent to use its services, and who encounters terms or conditions that exclude the person from full and equal access to its services, has standing to sue under the state’s Unruh Civil Rights Act, with no further requirement that the person enter into an agreement or transaction with the business.  In this case, the plaintiff is a bankruptcy attorney who, before agreeing to Square’s terms of service, discovered a provision prohibiting the service’s use by bankruptcy attorneys.

Although technically an occupation discrimination case, the decision has implications for websites, especially those subject to the California law, which may now be open to discrimination claims for various other practices, including inadequate accessibility or discriminatory website terms of use.  If read broadly, the lower bar suggests that such websites may be vulnerable to class action lawsuits, as the plaintiffs will be able to demonstrate standing without having to enter into terms of use that often purport to shift the dispute venue to arbitration.  Even if the defendants can ultimately prevail, such suits will be costly, which may force businesses to make their websites more accessible and terms of service less discriminatory in order to avoid such suits.  It remains to be seen how broadly the case will be interpreted.

Juliet Moringiello

Commonwealth Professor of Business Law, Widener University Commonwealth Law School

Juliet Moringiello is the Commonwealth Professor of Business Law at Widener University Commonwealth Law School in Harrisburg, PA, where she teaches Property, Bankruptcy, Secured Transactions, Sales, and a seminar on Cities in Crisis. She earned her B.S.F.S. at Georgetown University, her J.D. at Fordham University School of Law, and her LL.M in Legal Education at Temple University School of Law. Professor Moringiello is Chair of the Pennsylvania Bar Association Business Law Section, a Uniform Law Commissioner for Pennsylvania, and a member of the American Law Institute. She is also a Fellow of the American College of Commercial Finance Lawyers and has held several leadership positions in the American Bar Association Business Law Section.

Sara Beth A.R. Kohut

Co-Chair; Cybersecurity, Privacy, and Data Protection Group; Young Conaway

Sara Beth’s practice focuses on advising legal representatives for future claimants in connection with asbestos mass tort insolvency matters and settlement trusts. She has also represented national and local businesses in cases involving intellectual property, corporate and commercial issues in the federal and state courts in Delaware. Sara Beth has advised clients on strategies for protecting intellectual property rights and complying with obligations governing the privacy and security of sensitive data. She currently co-chairs Young Conaway’s Cybersecurity, Privacy, and Data Protection group.