In light of the recent uptick in litigation involving the decade-old Illinois Biometric Information Privacy Act (BIPA), the Illinois state legislature is now considering amending the Act to allow for business efficiency and to bring the Act back to what some believe to be its original intent. Continue Reading BIPA: Exemptions May Be On The Horizon For The Decade-Old Statute

Executive Summary and Takeaway. User agreements for websites and apps have become increasingly prevalent in recent years, and courts have had to adapt traditional rules of contract interpretation to the new digital frontier. On June 25, 2018, the First Circuit reversed a district court decision enforcing an arbitration clause contained in the terms of service for the defendant’s smartphone app, finding that those terms were not sufficiently “conspicuous” for a user to know that he or she had agreed to be bound by them. The First Circuit’s decision continues a trend of judicial hostility to arbitration clauses, and is notable for its scrutiny of the record below: the court studied in minute detail the design and content of the registration screen containing a hyperlink to the terms of service—including the size, shape, color, font, and location of the hyperlink—and concluded that the link to the terms of service failed “to grab the user’s attention.” Businesses with similar user agreements governed by Massachusetts law or that could potentially apply to Massachusetts consumers should review their websites and/or apps to ensure that their platforms disclose any terms of use in a clear and conspicuous manner in relation to the rest of the content on the screen.

Additional Background. To use the services provided by the defendant company (the “Company”) via its smartphone app, a customer must first register with the Company by creating an account. As part of the registration process, users are shown a screen that requests their payment information and notifies them that by creating an account they are agreeing to the Company’s Terms of Service and its Privacy Policy:

The words “Terms of Service & Privacy Policy” are in a clickable box that includes a hyperlink. Upon clicking on that hyperlink, the user is directed to a screen with two other links: one to the Terms of Service, and the other to the Privacy Policy. The user can view either document by clicking on the appropriate link.

Continue Reading First Circuit Invalidates Arbitration Clause in Mobil App User Agreement

California Penal Code section 632.7 imposes criminal liability and, pursuant to Penal Code section 637.2, civil liability upon persons who intercept or receive a communication involving a cellular or cordless telephone and record the communication without consent.  The section and its sister provision, Penal Code section 632, are popular among class action plaintiffs in California as a means to challenge the business practice of recording customer service calls.   

The appeal of section 632.7 to plaintiffs is that it may not require the subject communication be confidential, unlike section 632. The question is raised, though, if section 632.7 even applies to the parties to a cellular or cordless telephone call.  Subsection (a) of the provision states, in part:

Every person who, without the consent of all parties to a communication, intercepts or receives and intentionally records, or assists in the interception or reception and intentional recordation of, a communication transmitted between two cellular radio telephones, a cellular radio telephone and a landline telephone, two cordless telephones, a cordless telephone and a landline telephone, or a cordless telephone and a cellular radio telephone, shall be punished by a fine [] or by imprisonment in a county jail [].

The provision can plausibly be read to mean that only third parties who intercept or receive a call involving others are subject to the law and that the law does not apply to the parties to the call. 

Unfortunately for defendants, the courts that have addressed the issue have ruled section 632.7 does apply to the call’s participants.  See, e.gSimpson v. Vantage Hospitality Group, Inc., No. 12-cv-04814-YGR, 2012 WL 6025772, at *5-6 (N.D. Cal. Dec. 04, 2012); Simpson v. Best Western Intern., Inc., No. 3:12–cv–04672–JCS, 2012 WL 5499928, at *6-9 (N.D. Cal. Nov. 13, 2012); Brown v. Defender Sec. Co., No. CV 12-7319-CAS PJWX, 2012 WL 5308964, at *4-5 (C.D. Cal. Oct. 22, 2012).  The courts found that the term “receives” in the section shows the provision’s applicability to call participants under the reasoning that during a call the participants “receive” communications from each other.  See, e.g., Best Western, 2012 WL 5499928 at *7-9 (so holding, though recognizing the plausibility that “receives” refers third parties who inadvertently receive communications by happenstance).

But, the federal district court decisions are not binding, and no published California appellate decision has held that section 632.7 applies to the parties to the communication.  Thus, it is still an arguable question in California whether the section applies to the communication’s participants.  The legislative history of the provision suggests it does not.

The Legislative History of Penal Code Section 632.7

The primary concern of the provision’s sponsors was the threat posed to the privacy of communications that travelled over the “airwaves” when either a cellular or cordless telephone was used.  The fear being that technological advances allowed such communications to be intercepted by third parties.  The sponsors felt that innocent interception or reception of a communication travelling over the air should not be punished, but that intentionally recording an intercepted or received call improperly intruded on privacy.  It was believed that Penal Code sections 632.5 and 632.6, which respectively prohibit maliciously eavesdropping on telephone communications over cellular and cordless telephones, did not address calls intercepted without malice but which were recorded. 

The intent of section 632.7 was thus to punish third parties who receive or intercept a call between other parties and record the call.  The author of the law, in explaining its purpose, wrote that there is a lower expectation of privacy for cellular and cordless communications travelling over the air, but that “this does not mean that persons who use cellular or cordless telephones may reasonably anticipate that their conversations will be both intercepted and recorded.”  Author Lloyd G. Connelly’s Statement of Intent, Assem. Bill No. 2465 (1992), p. 1.  (Emphasis original.)  He further explained:

While there may be utility in retaining relatively unimpeded access to the public ‘air waves,’ there is no value in permitting private telephone conversations that employ the ‘air waves’ to be indiscriminately record[ed].  AB 2465 strikes the appropriate balance.  The innocent, merely curious, or non-malicious interception of cellular or cordless telephone conversation will remain legal.  However, it will be illegal to record the same conversationsId.  (Emphasis added.)

That the section is intended to punish only the conduct of strangers to the call is further supported by then Sacramento County District Attorney Steven White who proposed to Connelly legislation in this area.  White advocated that the new statute was needed to “criminalize the recording of an intercepted cordless or cellular phone call.”  Letter to Assembly members Phil Isenberg and Lloyd Connelly (Nov. 5, 1991), p. 2.  He was motivated by a publicized incident in which a third party intercepted and recorded a conversation between two businessmen discussing a deal involving a third businessman. Id

Other contemporaneous pieces of the legislative history further suggest the provision was meant to apply only to calls that were both eavesdropped upon and recorded.  The Department of Finance summarized the bill as creating a new crime for the “willful interception and recording of virtually all types of transmitted communications between cellular telephones, cordless telephones, cellular and cordless telephones, cellular and landline telephones, and cordless and landline telephones.”  Dept. of Finance, Analysis of Assem. Bill No. 2465 (June 1, 1992), p. 1. (Emphasis added.)   The Senate Judiciary Committee in explaining the legal landscape at the time wrote “there is currently no statute prohibiting a person from intercepting and intentionally recording a communication transmitted via cellular or cordless telephones.”  Sen. Judiciary Com., Analysis of Assem. Bill No. 2465 (1991–1992 Reg. Sess.), p. 2. (Emphasis added.)  Assemblyman Connelly’s press release announcing the introduction of the legislation characterized it as “legislation to outlaw the intentional eavesdropping and recording of cellular and cordless telephone conversations.”  Author Lloyd G. Connelly’s Press Release (February 4, 1992), p. 1. (Emphasis added.)  But see Flanagan v. Flanagan, 27 Cal.4th 766, 771 n. 2 (2002) (stating in dictum and without analysis of the legislative history or otherwise that section 632.7 “prohibits intentionally intercepting or recording communications involving cellular telephones and cordless telephones”).   

Absent from the legislative history is an intent to regulate the conduct of the parties to the communication.  Indeed, the Legislature does not appear to have even considered the circumstance where a party to a communication records the communication.  Rather, the overwhelming focus of the legislative history is on third parties who intentionally or by accident receive a call between two other parties. 

Based on the Legislative History, Penal Code Section 632.7 Should Not Apply to the Parties to a Communication

In light of the legislative history, the term “receives” in section 632.7 is best read as not encompassing an intended recipient of a communication (i.e., a party to the call), but rather as referring to third parties who incidentally receive telecommunication signals, such as through the use of scanning equipment or other technology.  If the term “receives” were meant to include anyone who hears a communication including the participants to the call, then the term “intercepts” in the section becomes unnecessary.  One who “intercepts” a communication necessarily “receives” it as well.  A stronger interpretation that reconciles the legislative history with the terms of the provision and avoids superfluity is one that recognizes the term “intercepts” to be a signal of the law’s intent to regulate third party eavesdroppers.  Under this view, the language of the section comprises a cogent whole where “intercepts” refers to intentional eavesdroppers and “receives” refers to accidental eavesdroppers.    

Finally, the inclusion of facsimile transmissions among the communications subject to the law (Penal Code § 632.7(c)(3)), would be odd if the law is intended to apply to the parties to a communication.  A facsimile transmission necessarily results in a recording of the communication.  Under an interpretation where the section applies to the parties to the communication, any fax would subject the recipient, if not both the recipient and the sender, to liability.  This unreasonable result dissipates, however, if the law is understood as penalizing only those who intercept a communication between others.

Ultimately, though some case law may be to the contrary, the legislative history of section 632.7 provides a good faith basis to argue that the section does not apply to the parties to the telephonic communication.  Of course, businesses are best served by not getting entangled in the statute in the first place.  The author would be happy to discuss steps businesses can take to try to avoid suit under sections 632.7 or 632 offline.

On Tuesday, June 11, 2013, the Seventh Circuit denied comScore’s appeal from the district court’s ruling granting class certification, thereby allowing a class of tens of millions of plaintiffs from around the world to proceed to trial as a class action suit.  In re comScore, Inc., No. 13-8007 (7th Cir. June 11, 2013).

ComScore is an internet research company that monitors the usage of consumers who install comScore’s software and sells the data its collects to its clients who in turn use the data for marketing research and analysis of online behavior. To induce consumers to install its software, comScore bundles the software with free programs such as screensavers and games. Upon downloading the free programs, consumers are simultaneously prompted to download the monitoring software.  During installation of the software, consumers are presented with a Downloading Statement and a link to the User License Agreement which contains terms governing which information the software will collect from users’ computers and how that information will be used. 

ComScore’s monitoring software captures a variety of information about a consumer’s computer such as the names of every file on the computer and information entered onto a web browser, including user names, passwords, credit card numbers, bank account numbers, and phone numbers.  In the Downloading Statement, however, comScore assures consumers that it makes “commercially viable efforts to automatically filter confidential personally identifiable information . . .  and to purge [its] databases of such information.” 

Consumers, Mike Harris and Jeff Dunstan (“Plaintiffs”) brought a putative class action against comScore alleging violations of the Stored Communications Act (“SCA”), the Electronic Communications Privacy Act (“ECPA”) and the Computer Fraud and Abuse Act (“CFAA”) for improperly obtaining and using personal information of consumers after they downloaded and installed comScore’s software.   Specifically, Plaintiffs asserted that comScore exceeded the scope of consumers’ consent to monitoring in the User License Agreement by among other things intercepting confidential personal information and failing to purge the confidential information from its databases.

The District Court’s Opinion

Addressing each of the Rule 23 mandatory requirements, the district court granted certification of a class consisting of “all individuals who have had, at any time since 2005, downloaded and installed comScore’s tracking software into their computers via one of comScore’s third party bundling partners” for all three federal statutory claims. See Harris v. comScore, Inc., No. 11 C 5807, 2013 WL 1339262 (N.D. Ill. Apr. 2, 2013)

Commonality

 Importantly, the district court found numerous questions relevant to the alleged statutory violations could be resolved on a class wide basis.  The court rejected comScore’s argument that the scope of consent provided by the class members was an individualized inquiry, stating that where consent was manifested though the adoption of a form contract, such as the Downloading Statement and User License Agreement, and each class member engaged in a substantively identical process to download the software, the scope of consent determination was common across the class.  Further, the court reasoned that because the ECPA, the SCA and the CFAA only required proof of one incident of the software exceeding the scope of consent to establish a violation, the fact that the data collection varied for each individual depending on their use did not defeat the commonality element because the software collects certain data, such as the names of every file located on a user’s computer, from every user.

Ascertainability

Additionally, the district court ruled that Plaintiffs satisfied the Rule 23 ascertainability requirement, which requires the plaintiff to show that the class members are easily identifiable, despite the fact that at least a portion of class members are identifiable only through submission of individual affidavits. 

In allowing ascertainbility to be determined through a combination of company records and individual affidavits, the district court diverges from recent federal court opinions cautioning against “approving a method that would amount to no more than ascertaining by potential class members say so.”  Marcus v. BMW of North Am., LLC, 687 F.3d 583 (3d Cir. 2012); See also, In re Wal-Mart Stores, Inc. Wage & Hour Litig., No. C 06-2069, 2008 WL 413749, *8 (N.D. Cal. Feb. 13, 2008) (finding that where “Wal-Mart’s database did not provide records of either termination or the dates employees made themselves available for final payment . . . the proposed subclass was not ascertainable”); Deitz v. Comcast Corp., No. C06-06352, *8 (N.D. Cal. July 11, 2007) (finding the class unascertainable where the defendant’s records did not keep track of which subscribers owned cable ready TV boxes); Dumas v. Albers Medical, Inc., No. 03-0640, 2005 WL 2172030, *6 (W D. Mo. Sept. 7, 2005) (finding the class unascertainable where no records exist which would allow the class members to be identified); In re Onstar Contract Litig., 278 F.R.D. 352, 373 (E.D. Mich. 2011) (finding that the class was not ascertainable because very few class members could be identified through the data maintained by Onstar and the remaining member identification would require individual inquiries).

Predominance and Superiority

comScore argued that the statute of limitations raised individual issues which precluded class treatment because the SCA, ECPA and CFAA all had two year statutes of limitations subject to the discovery rule and, therefore, an individualized inquiry would be required to determine when each plaintiff discovered the alleged violation.  The district court, however, disagreed stating that comScore’s data collection is ongoing, therefore, those individuals with the software still installed are still within the limitations period.  Further, the district court reasoned that discovery of the information being collected by the software required analysis of the program’s computer code and it is unlikely that many class members would have the requisite knowledge about computers to discovery the violation thereby triggering the statute of limitations. 

Finally, the district court rejected comScore argument that the issue of whether each individual suffered damage or loss from comScore’s actions precluded certification, finding the SCA and the ECPA provided statutory damages for which only a violation must be established.  The district court further noted that although the CFAA required proof of loss aggregating at least $5000 in value, “individual factual damage issues do not provide a reason to deny class certification when the harm to each plaintiff is too small to justify resolving the suits individually.” 

 Implications

The district court’s decision granting class certification and the Seventh Circuit subsequent denial of comScore’s Rule 23(f) petition creates significant challenges for companies involved with data collection and opens the door for a wave of statutory based privacy class action lawsuits.  We suspect this will not be the last substantive ruling in this case, and will continue tracking the matter and updating our readers.

On April 8, 2013, the United States District Court for the Central District of California denied the plaintiff’s motion for class certification in Torres v. Nutrisystem, Inc., SACV 12-01854-CJC (JPRx), a lawsuit alleging Nutrisystem violated California Penal Code sections 632 and 632.7.

Penal Code section 632 prohibits the surreptitious recording of confidential communications made over a telephone. Section 632.7 prohibits the surreptitious recording of communications involving a cellular phone. Torres alleged that Nutrisystem secretly recorded a confidential cell-phone conversation she had with the company in August 2012. During the class period Nutrisystem did record calls when customers called its 1-800 number, but at the outset of the call it provided a welcome message that disclosed the call may be monitored or recorded for quality and training purposes. However, callers could bypass the disclosure by hitting any button during the welcome message.

In denying class certification, the court found that Torres did not meet the commonality requirement of Federal Rule of Civil Procedure 23(a) and did not satisfy the predominance requirement of Rule 23(b)(3). The thrust of the court’s ruling was that the disclosure during the welcome message undermined the commonality of the class and raised individualized issues as to whether the putative class members had an objectively reasonable expectation of privacy or consented to the recording. Issues such as whether and when class members heard the disclosure and the impact the disclosure may have had on their expectations or consent created uncommon and individualized issues.

But the court also suggested that commonality and predominance may be lacking even absent the disclosure issue. For instance, the court hinted that common issues may be lacking given that it is now well-known that businesses may record customers’ communications with their customer service representatives and that certain customers may therefore expect their calls to be recorded even absent a disclosure that the call may be recorded. The court also stated that even if customers had an expectation of confidentiality, individualized issues may arise as the trier of fact would still need to determine if such expectation was objectively reasonable, which in turn is informed by idiosyncratic facts, such as the length of the class member’s relationship with the defendant and prior interactions with the defendant.

Finally, although the commonality prerequisite was not met in any event, the court also found that Torres did not satisfy Rule 23(b)(2), which allows for class treatment when injunctive or declaratory relief would apply to the class generally. The provision was not satisfied because the issue had become moot as Nutrisystem reconfigured its welcome message so that the pending disclosure could not be bypassed and Nutrisystem was not likely to allow the disclosure to be bypassed in the future.