3rd Circuit Ruling in FTC v. Wyndham Affirms Broad Governmental Authority Under Section 5

In a much anticipated decision, the Third Circuit recently upheld the Federal Trade Commission’s authority to bring enforcement actions against businesses that fail to abide by the “standard of care” for data security. Federal Trade Commission v. Wyndham Worldwide Corporation, No. 14-3514 (3d Cir. Aug. 24, 2015). Wyndham challenged the FTC’s action, arguing that negligent security practices are not an “unfair practice” and that the FTC failed to provide adequate notice of what constitutes the standard of care in this context. The Third Circuit, like the trial court before it, disagreed. It held that Wyndham’s negligent data security practices were an “unfair” business practice under 15 U.S.C. § 45(a), otherwise known as § 5 of the FTC Act, because Wyndham “publishe[d] a privacy policy to attract customers who are concerned about data privacy, fail[ed] to make good on that promise by investing inadequate resources in cyber security, and thereby expose[d] its unsuspecting customers to substantial financial injury, and retains the profits of their business.”

The Third Circuit also rejected Wyndham’s due process argument that it lacked fair notice of the standard of care, holding that Wyndham was not entitled to know with “ascertainable certainty” the FTC’s interpretation of what cyber security practices § 45(a) requires. The Court explained that Wyndham had adequate notice of the standard because § 45(n) of the Act supplies it through a familiar tort-style cost-benefit analysis: whether the practice causes substantial injury to consumers that they cannot reasonably avoid and that is not outweighed by countervailing benefits to consumers or competition. See United States v. Carroll Towing Co., 159 F.2d 169, 173 (2d Cir. 1947). Nothing more is required to satisfy due process in this context.

Prior to the Wyndham decision, courts generally held that the economic loss rule precludes a negligence claim based on inadequate data security practices. E.g., In re Sony Gaming Networks & Customer Data Sec. Breach Litig., 996 F. Supp. 2d 942, 967-973 (S.D. Cal. 2014) (dismissing such claims under both Massachusetts and California law for lack of a “special relationship”). Whether Wyndham defines a special relationship and tort duty that would take such claims outside the economic loss rule remains an open question. Keep an eye on this space for further developments.

In Highly Watched Case, U.K. Court Allows Google-Safari Consumer Privacy Case to Proceed

A March 27 ruling by the U.K. Court of Appeal against Google could have significant implications in the U.K., and could serve as persuasive authority in other jurisdictions, as the international community continues to implement and interpret consumer protection laws governing data privacy.

Three years ago, Google, Inc. agreed to pay $22.5 million to settle a privacy suit filed by the Federal Trade Commission (FTC) in the United States District Court for the Northern District of California. The FTC alleged that Google collected personal information from users of Apple, Inc.’s Safari web browser despite representing to those users that it would not collect their data unless they consented to the collection.

According to the FTC, despite Google’s representations, the company exploited an exception to Safari’s default cookie-blocking settings that allowed it to place a temporary cookie on users’ computers. Google then used that temporary cookie as a foothold for placing more persistent advertising tracking cookies. The FTC charged that Google’s misrepresentations and continued targeted advertising to Safari users violated a previous settlement agreement between the FTC and Google, in which Google agreed not to misrepresent the extent to which consumers can exercise control over the collection of their information.
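To make the cookie sequence described above concrete, here is an added toy model of a browser cookie policy. It is not Safari’s code or Google’s code; it is a constructed simulation in which a “lenient” policy blocks third-party cookies only until the domain holds any cookie at all, with an assumed exception (modelled here as a form submission) that lets one temporary cookie in. A “strict” policy, also an assumption, accepts third-party cookies only from domains the user has actually visited as a first party. The domain names and the cookie lifetimes are constructed for the example.

```javascript
// Added example: toy model of a third-party cookie policy. Constructed for
// illustration; not Safari's or Google's implementation.

// Cookie jar keyed by domain; each cookie records the time it expires.
class CookieJar {
  constructor() {
    this.store = new Map(); // domain -> Map(name -> expiresAt)
  }
  // Drop every cookie whose expiry time has passed.
  expire(now) {
    for (const [domain, cookies] of this.store) {
      for (const [name, expiresAt] of cookies) {
        if (expiresAt <= now) cookies.delete(name);
      }
      if (cookies.size === 0) this.store.delete(domain);
    }
  }
  hasAny(domain, now) {
    this.expire(now);
    const cookies = this.store.get(domain);
    return cookies !== undefined && cookies.size > 0;
  }
  set(domain, name, expiresAt) {
    if (!this.store.has(domain)) this.store.set(domain, new Map());
    this.store.get(domain).set(name, expiresAt);
  }
  names(domain, now) {
    this.expire(now);
    return [...(this.store.get(domain) || new Map()).keys()].sort();
  }
}

// Lenient policy (assumed model): first-party cookies are accepted; third-party
// cookies are accepted if the domain already holds a cookie, or if the request
// falls under an exception (here an assumed form-submission exception).
function lenientPolicy(jar, ctx, now) {
  if (ctx.cookieDomain === ctx.topLevelDomain) return true;
  if (jar.hasAny(ctx.cookieDomain, now)) return true;
  return ctx.viaException === true;
}

// Strict policy (assumed model): third-party cookies are accepted only for
// domains the user has visited as a first party; an existing cookie and the
// exception flag are both ignored.
function strictPolicy(jar, ctx) {
  if (ctx.cookieDomain === ctx.topLevelDomain) return true;
  return ctx.visited.has(ctx.cookieDomain);
}

// Replay the sequence described in the post against a policy and return the
// tracker's cookie names that survive after the temporary cookie has expired.
function simulate(policy) {
  const jar = new CookieJar();
  const visited = new Set(['publisher.example']); // user only visited the publisher
  const base = { topLevelDomain: 'publisher.example', cookieDomain: 'tracker.example', visited };
  let now = 0;

  // 1. An ad on the publisher page tries to set a long-lived tracking cookie.
  if (policy(jar, { ...base }, now)) jar.set('tracker.example', 'id', now + 365 * 86400);

  // 2. The tracker sets a short-lived cookie under the exception.
  if (policy(jar, { ...base, viaException: true }, now)) jar.set('tracker.example', 'tmp', now + 60);

  // 3. The tracker retries the long-lived cookie; under the lenient policy the
  //    temporary cookie now unlocks it.
  if (policy(jar, { ...base }, now)) jar.set('tracker.example', 'id', now + 365 * 86400);

  // 4. Let the temporary cookie expire and report what remains.
  now += 3600;
  return jar.names('tracker.example', now);
}

console.log('lenient policy leaves:', simulate(lenientPolicy)); // ['id']
console.log('strict policy leaves: ', simulate(strictPolicy));  // []
```

The point of the model is that the temporary cookie itself does not matter; what matters is that the lenient policy treats “already has a cookie” as proof of a user relationship, so one foothold is enough to make every later tracking cookie first-class. A policy keyed on actual first-party visits does not have that property.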

In a similar suit filed in 2013 in the U.K., a group of Safari users alleged that Google violated their data privacy rights by using the same method, which the U.K. Court of Appeal called the “Safari Workaround.” Google appealed an adverse lower-court ruling, arguing to the Court of Appeal that (1) the users could not bring a claim against Google under the U.K. Data Protection Act 1998 (DPA) because they had suffered no financial harm, and (2) Google was unaware that it was tracking the users’ information.

Last week, the U.K. Court of Appeal rejected both of Google’s arguments, holding that a claim under the DPA is not limited to financial loss, and that Google undoubtedly “became aware of it during the relevant period but chose to do nothing about it until the effect of the ‘Safari Workaround’ came into the public domain[.]”

We will be keeping a close eye on application of this ruling, and any ripple effects elsewhere as global privacy protections evolve.


Image courtesy of Flickr by Carlos Luna

FTC Charges Data Broker with Theft of Consumers’ Information and Money from Accounts

According to a recent Federal Trade Commission complaint, a data broker sold sensitive personal information of hundreds of thousands of consumers – including Social Security and bank account numbers – to scammers who allegedly debited millions from their accounts.  The complaint alleges that data broker LeapLab bought payday loan applications of financially strapped consumers, and then sold that information to marketers whom it knew had no legitimate need for it. At least one of those marketers, Ideal Financial Solutions – a defendant in another FTC case – allegedly used the information to withdraw millions of dollars from consumers’ accounts without their authorization.

According to the FTC’s website and the complaint, the defendants collected hundreds of thousands of payday loan applications from payday loan websites.  These applications, including those bought and sold by LeapLab, contained consumers’ sensitive financial information: names, addresses, phone numbers, Social Security numbers, and bank account numbers including routing numbers.

The FTC’s complaint alleges that the non-lender third parties that bought this data included marketers that made unsolicited sales offers to consumers by email, text message, or telephone.  According to the complaint, the defendants had reason to believe these marketers had “no legitimate need” for the sensitive information being sold to them. The defendants are alleged to have violated the FTC Act’s prohibition on unfair practices.

The FTC notes that it files a complaint when it has “reason to believe” that the law has been or is being violated and it appears to the FTC that a proceeding is in the public interest.  We will monitor this case and provide further updates of interest.

Image courtesy of Flickr by John Taylor.

FTC Approves Final Order Requiring Snapchat to Implement a Stronger Privacy Policy

The Federal Trade Commission (FTC) recently approved a final order settling charges against Snapchat, Inc. (Snapchat), the developer of a mobile application that allows users to exchange impermanent photographs, referred to by Snapchat as “snaps” (the “FTC order”).

By May 2012, Snapchat users were sending approximately twenty-five snaps per second.  By November 2013, that figure had surged to nearly four hundred million snaps per day, and it continues to grow.  Many attribute Snapchat’s immense popularity to its intuitive user interface, the scarcity effect tied to the vanishing snaps, and Snapchat’s promise that images and video sent through the application would be irretrievably destroyed after viewing and not digitally archived.

In May 2013, the Electronic Privacy Information Center (EPIC) filed a complaint with the FTC alleging that Snapchat deceptively led consumers to believe that snaps would be destroyed within seconds of viewing when, in fact, they are stored on users’ phones in a relatively accessible form and can easily be captured by taking a screenshot of the image.  EPIC further claimed that Snapchat failed to establish and enforce security measures to protect user data.

The FTC order settles the FTC’s charges, which tracked EPIC’s allegations, and forbids Snapchat from misrepresenting (1) the extent to which a snap is deleted after being viewed; (2) the extent to which Snapchat is capable of detecting or notifying senders when a recipient has saved a snap; and (3) the steps Snapchat takes to protect against misuse of user information.

The final order also directs Snapchat to implement a comprehensive privacy program that will be subject to independent monitoring for the next twenty years.  Additionally, Snapchat agreed to revise its privacy policy to address privacy risks and to protect the confidentiality of information about its users, including names, addresses, online contact information, telephone numbers, IP addresses, geolocation, usernames, and passwords.  The revised Snapchat privacy policy now provides that Snapchat “can’t guarantee that messages will be deleted within a specific timeframe” and that, even after a snap is deleted from Snapchat’s servers, it “may remain in backup for a limited period of time.”  Snapchat also now warns that “there may be ways to access messages while still in temporary storage on recipients’ devices or, forensically, even after they are deleted.”

The final order furthers the FTC’s recent efforts to ensure that companies in the smartphone era describe their mobile applications truthfully and uphold the privacy promises they make to end users.  Approval of the final order could well prompt other applications that promise anonymity and privacy, such as Slingshot (Facebook’s answer to Snapchat) and Whisper and Secret (applications that let users make anonymous confessions), to reassess how their privacy policies are drafted and enforced.

Image courtesy of Wikimedia Commons