Big Data & Wrongful Collection

Post on 28-Nov-2014




Presented at NetDiligence Cyber Risk & Privacy Liability Forum in Santa Monica, Calif., Oct. 8-9, 2014.


1. NetDiligence Cyber Risk & Privacy Liability Forum, October 8-9, 2014

2. Big Data & Wrongful Collection

3. Speakers
  • Lincoln Bandlow (moderator), Partner, Lathrop & Gage LLP, Los Angeles, California
  • Dominique Shelton, Partner, Alston & Bird LLP, Los Angeles, California
  • Emily Tabatabai, Privacy Attorney, Orrick, Herrington & Sutcliffe LLP, Washington, D.C.
  • Christina Tusan, Attorney, Federal Trade Commission

4. Five Big Data Reports in May 2014
  • May 1, 2014: White House releases Big Data report, led by John Podesta. See Executive Office of the President, Big Data: Seizing Opportunities, Preserving Values (Executive Office of the President, May 1, 2014).
  • May 1, 2014: White House releases technological feasibility Big Data report. See President's Council of Advisors on Science and Technology, Big Data and Privacy: A Technological Perspective (the PCAST Report).
  • May 15, 2014: The Senate released a report on malware. Senate Permanent Subcommittee on Investigations, Online Advertising and Hidden Hazards to Consumer Security and Data Privacy (May 15, 2014).
  • May 21, 2014: CA AG came out with her report on privacy policies. See Att'y Gen. Kamala D. Harris, Making Your Privacy Practices Public: Recommendations on Developing a Meaningful Privacy Policy (Cal. Dep't of Justice, May 21, 2014), available at .
  • May 27, 2014: Data Broker report. See F.T.C., Data Brokers: A Call for Transparency and Accountability (May 27, 2014).

5. May 2014 Reports

6. Takeaways
  • The Senate, FTC and CA AG are focused on Big Data, and behavioral tracking in particular.
  • There is a renewed focus on transparency. Regulators are concerned that consumers don't understand the advertising/data-broker ecosystem (i.e., the number of trackers on websites and mobile apps).
  • Use of internal data-tagging can provide a method for companies to access Big Data within companies.
  • New laws will be proposed.
  • FTC will be using Section 5 of the FTC Act to enforce.

7. Behavioral Tracking Class Actions (Privacy Claims under the Electronic Communications Privacy Act, Stored Communications Act and Wiretap Act)

8. How Big are Do Not Track Class Actions?
  • 195 Do Not Track class actions have been filed in the past 36 months, and 12 mobile app class actions have been filed in the past eight months.
  • On June 11, 2013, the largest privacy class action was affirmed by the 7th Circuit ($1 billion exposure based on behavioral tracking).
  • The plaintiffs' bar is focusing on privacy class actions.
  • The FTC has increased its enforcement activity.
  • Based upon global and U.S. trends, more focus on privacy and tracking will occur in 2014.

9. Do Not Track Cases
  • Washington - 3; Montana - 2; California - 108; Arizona - 1; Colorado - 1; Minnesota - 1; Wisconsin - 1; Illinois - 8
  • Missouri - 4; Arkansas - 17; Louisiana - 1; Texas - 6; Alabama - 2; Michigan - 1; Rhode Island - 1; Georgia - 4
  • Florida - 4; Ohio - 1; Tennessee - 1; Delaware - 2; N. Carolina - 1; New York - 13; Massachusetts - 2; Virginia - 1
  • Maryland - 1; Connecticut - 2; New Jersey - 2; Pennsylvania - 1; Puerto Rico - 1; District of Columbia - 2

10. How Many Big Data Companies Have Been Named?
  • 121 Companies (62% of the 195 actions) have included Big Data companies (e.g., data analytics, ad networks, exchanges, mobile marketing).
  • Software company Carrier IQ (67 class actions).
  • Analytic companies (32 class actions):
    • Google (24 class actions)
    • Other analytic companies (e.g., Kissmetrics, Flurry, Millennial Media, comScore) (8 class actions)
  • Ad Networks and Ad Exchanges (21 class actions):
    • Quantcast, Clearspring, Mobile Ringleader (now defunct), Traffic Marketplace, Interclick, Mob Clix, Quattro, Admob, PulsePoint
  • Cloud: Amazon (1 class action).

11. Do Not Track Typical Class Action Claims

12. Harris v. comScore
  • Plaintiffs alleged tracking based upon downloads of bundled software that did not disclose tracking technologies or comScore's name.
  • Plaintiffs alleged inadequate privacy disclosures.
  • Sought to certify 10 million user class at $10,000 statutory damages under the Stored Communications Act.

13. Harris v. comScore: Key takeaways
  • Court held common questions of fact and law predominated.
  • Plaintiffs could self-identify to become members of the class. Note: This is highly unusual and rarely permitted.
  • Emails contained in comScore's records were considered sufficient to ascertain class members.
  • Harris v. comScore, Inc., 292 F.R.D. 579 (N.D. Ill. 2013).

14. Harris v. comScore: June 11, 2013, 7th Cir. Affirms Certification of -1 Billion Class

15. Harris v. comScore: $1 billion exposure settled May 30, 2014 for $14 million

16. In re Zynga Privacy Litig., 2014 U.S. App. Lexis 8662 (9th Cir. May 8, 2014)
  • The Ninth Circuit affirmed the Northern District of California's dismissal of two putative class actions alleging Facebook Inc. and Zynga Game Network Inc. improperly shared consumers' personal information with advertisers, finding the social network giant and the gaming company didn't disclose the contents of communications.
  • Plaintiffs claimed that Facebook and Zynga violated the Wiretap Act and Stored Communications Act by sharing referer headers (that included user ids and the web pages viewed by the user) with advertisers and other web analytic companies.
  • The Stored Communications Act says that a service provider may divulge records and other information pertaining to a customer, but may not divulge the contents of communications, the opinion said. Customer record information, including the customer's name, address and subscriber number, does not qualify as contents under the federal law.
  • The Ninth Circuit upheld the dismissal of the two class actions that alleged violations of the Wiretap Act and the Stored Communications Act sections of the Electronic Communications Privacy Act, ruling that the plaintiffs failed to state a claim because they didn't allege that either Facebook or Zynga disclosed the contents of a communication, a necessary element of their ECPA claims, according to the opinion.
  • Takeaway: No liability under ECPA for sharing referer headers alone with third parties.

17. Find Out What Data You Are Collecting Because the Plaintiffs' Bar Is!
  • Consider a tool like Ghostery - basic license is free

18. Video Privacy Protection Act (VPPA)

19. VPPA Background
  • The VPPA prohibits disclosure of personally identifiable information (PII), including information identifying a person as requesting or obtaining specific video material. 18 U.S.C. § 2710, et seq.
  • The VPPA does not define PII directly, stating that it includes information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider. 18 U.S.C. § 2710(a)(3). This includes information shared with vendors, including subject matter categories. Some vendors argue that generic categories (e.g., likes sports) are not PII.

20. VPPA Background
  • VPPA defines "video tape service provider" to mean any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials. 18 U.S.C. § 2710(a)(4).
  • VPPA defines the term "consumer" to mean any renter, purchaser, or subscriber of goods or services from a video tape service provider. 18 U.S.C. § 2710(a)(1).

21. 2012 VPPA Amendment
  • The VPPA was amended in December 2012 to allow video service providers to obtain consent electronically over the internet for a 2-year advance period with certain requirements. It requires a separate consent (outside of a Terms of Use and Privacy Policy).
  • Section 2710(b)(2)(B) was amended to permit electronic consent. Video Service Providers can share information with the user's informed consent as follows:
    • written consent that is in a form distinct and separate from any form setting forth other legal or financial obligations of the consumer;
    • at the election of the consumer:
      • is given at the time the disclosure is sought; or
      • is given in advance for a set period of time, not to exceed 2 years or until consent is withdrawn by the consumer, whichever is sooner;
    • and the video tape service provider has provided an opportunity, in a clear and conspicuous manner, for the consumer to withdraw on a case-by-case basis or to withdraw from ongoing disclosures, at the consumer's election.

22. In re Hulu Privacy Litigation: Background
  • Case filed in 2011.
  • August 2012: Two motions to dismiss based on lack of harm and other statutory defenses failed.
  • December 2013: Hulu's motion for summary judgment based upon lack of harm failed.
  • April 28, 2014: Hulu's motion for summary judgment re: no disclosures of PII under the VPPA granted as to comScore claims, denied as to Facebook.

23. April 28, 2014: Hulu Court dismisses Plaintiffs' comScore claims but denies MSJ as to Facebook
  Takeaways:
  • Unique identifiers plus specific titles to data analytics firm not a disclosure of PII under the VPPA.
  • Facebook ID + specific video titles may be PII if Hulu knew that cookies provided this data before user hit the Like button.
  • Metrics and advertising not incident to the ordinary course of business.
  • Dicta: Unique identifiers, depending on context, could be PII under VPPA, just not in this case.

24. In re Hulu Privacy Litigation: Motion for Class Certification Denied (June 17, 2014)
  • Plaintiffs sought to certify a Facebook class: All Hulu and Facebook users that involved disclosures of Facebook's c_user cookie (i.e., Facebook cookie that relays information to Facebook for users that have checked the box to always stay logged into Facebook and use the same browser to access Hulu).
  • Court denied class, without prejudice. Class not ascertainable.

25. In re Nickelodeon Consumer Privacy Litig., (D.N.J. July 2, 2014) (granting motion to dismiss)
  • The claims were against Google and Viacom for data collected through the Nickelodeon and other Viacom Apps. Google not a VTSP; all claims dismissed.
  • Viacom only disclosed anonymous information (e.g., anonymous username; IP address; browser setting; unique device identifier; operating system; screen