Big Data & Wrongful Collection


Post on 28-Nov-2014






Presented at NetDiligence Cyber Risk & Privacy Liability Forum in Santa Monica, Calif., Oct. 8-9, 2014.


<ul><li> 1. NetDiligence Cyber Risk &amp; Privacy Liability Forum, October 8-9, 2014</li></ul><p> 2. Big Data &amp; Wrongful Collection

3. Speakers
Lincoln Bandlow (moderator), Partner, Lathrop &amp; Gage LLP, Los Angeles, California
Dominique Shelton, Partner, Alston &amp; Bird LLP, Los Angeles, California
Emily Tabatabai, Privacy Attorney, Orrick, Herrington &amp; Sutcliffe LLP, Washington, D.C.
Christina Tusan, Attorney, Federal Trade Commission

4. Five Big Data Reports in May 2014
May 1, 2014: White House releases Big Data report led by John Podesta. See Executive Office of the President, Big Data: Seizing Opportunities, Preserving Values (Executive Office of the President, May 1, 2014).
May 1, 2014: White House releases technological feasibility Big Data report. See President's Council of Advisors on Science and Technology, Big Data and Privacy: A Technological Perspective (the PCAST Report).
May 15, 2014: The Senate released a report on malware. Senate Permanent Subcommittee on Investigations, Online Advertising and Hidden Hazards to Consumer Security and Data Privacy (May 15, 2014).
May 21, 2014: CA AG came out with her report on privacy policies. See Att'y Gen. Kamala D. Harris, Making Your Privacy Practices Public: Recommendations on Developing a Meaningful Privacy Policy (Cal. Dep't of Justice, May 21, 2014), available at .
May 27, 2014: Data Broker report. See F.T.C., Data Brokers: A Call for Transparency and Accountability (May 27, 2014).

5. May 2014 Reports

6. Takeaways
The Senate, FTC and CA AG are focused on Big Data and behavioral tracking in particular.
There is a renewed focus on transparency. Regulators are concerned that consumers don't understand the advertising/data-broker ecosystem (i.e., the number of trackers on websites and mobile apps).
Use of internal data-tagging can provide a method for companies to access Big Data within companies.
New laws will be proposed.
FTC will be using Section 5 of the FTC Act to enforce.

7. Behavioral Tracking Class Actions (Privacy Claims under the Electronic Communications Privacy Act, Stored Communications Act and Wiretap Act)

8. How Big Are Do Not Track Class Actions?
195 Do Not Track class actions have been filed in the past 36 months, and 12 mobile app class actions have been filed in the past eight months.
On June 11, 2013, the largest privacy class action was affirmed by the 7th Circuit, 1 billion exposure based on behavioral tracking.
The plaintiffs' bar is focusing on privacy class actions.
The FTC has increased its enforcement activity.
Based upon global and U.S. trends, more focus on privacy and tracking will occur in 2014.

9. Do Not Track Cases
Washington - 3; Montana - 2; California - 108; Arizona - 1; Colorado - 1; Minnesota - 1; Wisconsin - 1; Illinois - 8; Missouri - 4; Arkansas - 17; Louisiana - 1; Texas - 6; Alabama - 2; Michigan - 1; Rhode Island - 1; Georgia - 4; Florida - 4; Ohio - 1; Tennessee - 1; Delaware - 2; N. Carolina - 1; New York - 13; Massachusetts - 2; Virginia - 1; Maryland - 1; Connecticut - 2; New Jersey - 2; Pennsylvania - 1; Puerto Rico - 1; District of Columbia - 2

10. How Many Big Data Companies Have Been Named?
121 Companies (62% of the 195 actions) have included Big Data companies (e.g., data analytics, ad networks, exchanges, mobile marketing).
Software company Carrier IQ (67 class actions).
Analytic Companies (32 class actions): Google (24 class actions); other analytic companies (e.g., Kissmetrics, Flurry, Millennial Media, comScore) (8 class actions).
Ad Networks and Ad Exchanges (21 class actions): Quantcast, Clearspring, Mobile Ringleader (now defunct), Traffic Marketplace, Interclick, Mob Clix, quattro, Admob, PulsePoint.
Cloud: Amazon (1) class action.

11. Do Not Track Typical Class Action Claims

12. Harris v. comScore
Plaintiffs alleged tracking based upon downloads of bundled software that did not disclose tracking technologies or comScore's name.
Plaintiffs alleged inadequate privacy disclosures.
Sought to certify 10 million user class at $10,000 statutory damages under the Stored Communications Act.

13. Harris v. comScore
Key takeaways:
Court held common questions of fact and law predominated.
Plaintiffs could self-identify to become members of the class. Note: This is highly unusual and rarely permitted.
Emails contained in comScore's records were considered sufficient to ascertain class members.
Harris v. comScore, Inc., 292 F.R.D. 579 (N.D. Ill. 2013).

14. Harris v. comScore: June 11, 2013, 7th Cir. Affirms Certification of -1 Billion Class

15. Harris v. comScore $1 billion exposure settled May 30, 2014 for $14 million

16. In re Zynga Privacy Litig., 2014 U.S. App. Lexis 8662 (9th Cir. May 8, 2014)
The Ninth Circuit affirmed the Northern District of California's dismissal of two putative class actions alleging Facebook Inc. and Zynga Game Network Inc. improperly shared consumers' personal information with advertisers, finding the social network giant and the gaming company didn't disclose the contents of communications.
Plaintiffs claimed that Facebook and Zynga violated the Wiretap Act and Stored Communications Act by sharing referer headings (that included user IDs and the web pages viewed by the user) with advertisers and other web analytic companies.
The Stored Communications Act says that a service provider may divulge records and other information pertaining to a customer, but may not divulge the contents of communications, the opinion said. Customer record information, including the customer's name, address and subscriber number, does not qualify as contents under the federal law.
The Ninth Circuit upheld the dismissal of the two class actions that alleged violations of the Wiretap Act and the Stored Communications Act sections of the Electronic Communications Privacy Act, ruling that the plaintiffs failed to state a claim because they didn't allege that either Facebook or Zynga disclosed the contents of a communication, a necessary element of their ECPA claims, according to the opinion.
Takeaway: No liability under ECPA for sharing referer headers alone with third parties.

17. Find Out What Data You Are Collecting Because the Plaintiffs' Bar Is!
Consider a tool like Ghostery - basic license is free

18. Video Privacy Protection Act (VPPA)

19. VPPA Background
The VPPA prohibits disclosure of personally identifiable information (PII), including information identifying a person as requesting or obtaining specific video material. 18 U.S.C. § 2710, et seq.
The VPPA does not define PII directly, stating that it "includes information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider." 18 U.S.C. § 2710(a)(3). This includes information shared with vendors, including subject matter categories. Some vendors argue that generic categories (e.g., likes sports) are not PII.

20. VPPA Background
VPPA defines "video tape service provider" to mean "any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale, or delivery of prerecorded video cassette tapes or similar audio visual materials." 18 U.S.C. § 2710(a)(4).
VPPA defines the term "consumer" to mean "any renter, purchaser, or subscriber of goods or services from a video tape service provider." 18 U.S.C. § 2710(a)(1).

21. 2012 VPPA Amendment
The VPPA was amended in December 2012 to allow video service providers to obtain consent electronically over the internet for a 2-year advance period with certain requirements. It requires a separate consent (outside of a Terms of Use and Privacy Policy).
Section 2710(b)(2)(B) was amended to permit electronic consent. Video Service Providers can share information with the user's informed written consent as follows:
The consent is in a form distinct and separate from any form setting forth other legal or financial obligations of the consumer;
At the election of the consumer, it is given at the time the disclosure is sought, or is given in advance for a set period of time, not to exceed 2 years or until consent is withdrawn by the consumer, whichever is sooner; and
The video tape service provider has provided an opportunity, in a clear and conspicuous manner, for the consumer to withdraw on a case-by-case basis or to withdraw from ongoing disclosures, at the consumer's election.

22. In re Hulu Privacy Litigation Background
Case filed in 2011.
August 2012: Two motions to dismiss based on lack of harm and other statutory defenses failed.
December 2013: Hulu's motion for summary judgment based upon lack of harm failed.
April 28, 2014: Hulu's motion for summary judgment re: no disclosures of PII under the VPPA granted as to comScore claims, denied as to Facebook.

23. April 28, 2014, Hulu Court dismisses Plaintiffs' comScore claims but denies MSJ as to Facebook
Takeaways:
Unique identifiers plus specific titles to data analytics firm not a disclosure of PII under the VPPA.
Facebook ID + specific video titles may be PII if Hulu knew that cookies provided this data before user hit the Like button.
Metrics and advertising not incident to the ordinary course of business.
Dicta: Unique identifiers depending on context could be PII under VPPA, just not in this case.

24. In re Hulu Privacy Litigation: Motion for Class Certification Denied (June 17, 2014)
Plaintiffs sought to certify a Facebook class: All Hulu and Facebook users that involved disclosures of Facebook's c_user cookie (i.e., Facebook cookie that relays information to Facebook for users that have checked the box to always stay logged into Facebook and use the same browser to access Hulu).
Court denied class, without prejudice. Class not ascertainable.

25. In re Nickelodeon Consumer Privacy Litig. (D.N.J. July 2, 2014) (granting motion to dismiss)
The claims were against Google and Viacom for data collected through the Nickelodeon and other Viacom Apps. Google not a VTSP, all claims dismissed.
Viacom only disclosed anonymous information (e.g., anonymous username; IP address; browser setting; unique device identifier; operating system; screen resolution; browser version). Not PII under the VPPA.
Leave to amend granted for VPPA claim and intrusion upon seclusion against Viacom. Wiretap and SCA claims dismissed with prejudice.

26. More VPPA Cases to Come
Six VPPA Class Action Lawsuits were filed in February-September 2014:
February 17, 2014: Perry v. Cable News Network, Inc. et al., No. 1:14-cv-1194 (N.D. Ill.): On August 25, 2014, the United States District Court for the Northern District of Illinois entered an order transferring this case to the United States District Court for the Northern District of Georgia based upon the stipulation of the parties. The order was executed on September 12, 2014.
February 19, 2014: Ellis v. The Cartoon Network Inc., No. 1:14-cv-00484 (N.D. Ga): On June 6, 2014, The Cartoon Network filed a motion to dismiss on the grounds that (1) the disclosure of a serial number for a machine alone is not PII under the VPPA; (2) the VPPA does not apply because the plaintiff is not a consumer as defined by the VPPA; and (3) the plaintiff did not allege that he has suffered any injury. The motion is fully briefed, but a hearing has not yet been set.
March 13, 2014: Locklear v. Dow Jones, No. Case 1:14-mi-99999-UNA (N.D. Ga): On June 23, 2014, Dow Jones filed a motion to dismiss, on the grounds that (1) the disclosure of a serial number for a machine alone is not PII under the VPPA; (2) the VPPA does not apply because the plaintiff is not a consumer as defined by the VPPA; and (3) the plaintiff did not allege that he has suffered any injury.
The motion is fully briefed, but a hearing has not yet been set.

27. More VPPA Cases to Come
March 28, 2014: Eichenberger v. ESPN, No. 2:14-cv-00463 (W.D. Washington): On July 31, 2014, ESPN filed a motion to dismiss, on the grounds that (1) plaintiff failed to allege any disclosure of PII and (2) that plaintiff is not a consumer under the VPPA. The motion is fully briefed, but a hearing has not yet been set.
June 9, 2014: Robinson v. Disney, No. 14-cv-4146 (S.D.N.Y.): On August 23, 2014, plaintiffs filed an amended complaint to properly name the Disney entity sued. On September 12, 2014, Disney filed a motion to dismiss, on the grounds that (1) plaintiff failed to allege any disclosure of PII and (2) that plaintiff is not a consumer under the VPPA. Disney has requested oral argument, but a hearing has not yet been set.
August 22, 2014: Austin-Spearman v. AMC Network Entertainment LLC, No. 14-cv-6840 (S.D.N.Y.): On September 15, 2014, the court entered an order extending the time for AMC to answer or move to dismiss the complaint until October 23, 2014.

28. VPPA Cases Filed in February-September 2014

29. VPPA Compliance: Degrees of Risk
Keep video titles in referrer headers and use plugins that have tracking capabilities.
Use a landing page similar to Netflix to obtain user consent electronically.
Use subject matter of video in referrer headers (e.g., engineering, transport, shipping).
Obtain informed written consent per the VPPA.
Do not use titles of videos in referrer headers.
Do not use social networking plug-ins.

30. Takeaways
The plaintiffs' bar is attracted to privacy claims that carry statutory damages.
They have been able to overcome motions to dismiss based on lack of Article III standing by alleging statutory violations.
More litigation is likely to follow.

31. Text Messaging Campaigns: Telephone Consumer Protection Act Risks and Mini-State TCPAs

32. FCC New Regulations Effective October 16, 2013
Prior express written consent is needed before commercial telemarketing texts may be sent.
User must agree to receive autodialed text messages and evidence understanding that agreement is not a condition of using the service. 47 C.F.R. § 64.1200
TCPA class actions were up 70% last year. According to InsideARM, 785 TCPA cases filed in 2012; 1385 filed in 2013.

33. Mobile Privacy Disclosures and Security

34. Regulatory Initiatives Regarding Mobile Apps

35. Regulatory Initiatives Regarding Mobile Apps
CA AG, FTC and EU Article 29 Working Group Guidance

36. Regulatory Initiatives Regarding Mobile Apps
Five Mobile Guidances Were Released in 2013: All Call for Just in Time/Short Form Notice
CA AG Guidance issued 1/10/2013
FTC Guidance issued 2/1/2013
Article 29 Working Group issued 3/2013
NTIA Guidance issued 7/2013
DAA Guidance issued 7/2013
Just in Time/Short Form Notice: Notice for collection of sensitive data must be Just in Time, in short form, above and beyond the privacy policy.
PII: includes unique identifiers.

37. In re Fandango (FTC Announced Settlement March 28, 2014)
Failure to secure mobile app credit card information.
Alleged unreasonable security for failure to:
Validate Secure Sockets Layer (SSL) to prevent intervention by hackers when users used open networks.
Provide sufficient protection for data while at rest.

38. Practice Pointer: Focus on Readability
Use icons: California AG and FTC recommend it.
See, e.g., CA AG Making Your Privacy Practices Public at p. 10
See also CA AG Privacy on the Go at p. 11 (Graphics or...</p>