Class Action Complaints Strictly Interpret Privacy Policy Requirements

Tue, 27 Mar 2012 17:56:07 GMT

Several class action complaints have been filed in recent months against high-profile websites alleging technical violations of California's Shine the Light law. The complaints claim up to $3,000 in damages per California consumer.
The Shine the Light law is intended to address the sharing of personal information for direct marketing purposes by requiring businesses with California customers to either permit customers to opt out of sharing personal information for direct marketing purposes, or to have a process to tell customers what categories of information the company shares with what specific companies.
Although there are several ways to comply with Shine the Light, demonstrating compliance that excuses the requirements addressed in the lawsuits could require expensive discovery and thus could not be achieved through a motion to dismiss. Depending on a company's risk tolerance, it may be worthwhile to make certain changes to its privacy policy to head off these potentially expensive actions altogether.

Sussmann to speak at mobile and location privacy event

Tue, 13 Mar 2012 11:59:11 GMT

Perkins Coie partner Michael Sussmann will participate on a panel on "Phones, Drones & Social Networks: New Technologies and the Fourth Amendment after Jones" at Princeton University's Center for Information Technology Policy conference on "Mobile and Location Policy: A Technology and Policy Dialog."

The event will be held on April 13, 2012 at Lipton Hall, 108 West 3rd Street [between Sullivan & MacDougal Streets], New York University School of Law, NYC

Seventh Circuit Limits Scope of Private Rights of Action under the VPPA

Fri, 09 Mar 2012 17:07:32 GMT

The Video Privacy Protection Act (VPPA) applies certain restrictions to the use and disclosure of consumers' personally identifiable information by video tape service providers. On March 6, 2012, the Seventh Circuit Court of Appeals overturned a district court decision and held that the private right of action established under the VPPA did not apply to subsection (e), which requires the destruction of old records. Subsection (e) of the VPPA provides that "[a] person subject to" the statute must destroy customers' personally identifiable information "as soon as practicable," and no later than 1 year from the date the information is "no longer necessary for the purpose for which it was collected." In Sterk v. Redbox Automated Retail, LLC, plaintiffs alleged that Redbox did not need to retain their personally identifiable information for more than 90 days, since Redbox does not provide refunds for charges that are over 90 days old. Redbox filed a motion to dismiss, arguing that (1) the private right of action established under subsection (c) did not apply to the destruction requirement of subsection (e), and (2) even if it did apply, that the retention period had not run because Redbox also collected the information for marketing and advertising purposes. The district court denied the motion to dismiss, holding that the private right of action under subsection (c) applies to all of the VPPA provisions, including the destruction requirement in subsection (e). The factual argument regarding the purpose for which the information was collected was not addressed at this stage in the proceedings.

In overturning the district court decision, the Seventh Circuit Court of Appeals found that while the placement of the private right of action in subsection (c) may have been by accident, the "more plausible interpretation" is that the private right of action is limited to enforcing the disclosure restrictions that are placed immediately above it in subsection (b). The court commented that to hold otherwise would submit a judge to potential liability for improperly receiving information in evidence pursuant to a violation of subsection (d), despite the fact that judges have absolute immunity from suit for acts taken in their official capacity. In specifically addressing the requirement of subsection (e), the court reasoned that there could be no injury from a violation of subsection (e) unless the information that should have been destroyed was disclosed in violation of subsection (b). As the court explained, "[i]f, though not timely destroyed, it remained secreted in the video service provider's files until it was destroyed, there would be no injury." The court further held that the injury sustained from a violation of subsection (e) alone "is enormously attenuated, and it would be no surprise if Congress had decided - as the placement of the damages section suggests - not to provide a damages remedy."

This decision aligns the Seventh Circuit with the Sixth Circuit Court of Appeals, which had similarly held in a 2004 decision that only a violation of the disclosure restrictions in subsection (b) could form the basis of liability under the VPPA. In dictum, the Sixth Circuit Court of Appeals had noted that if the failure to timely destroy records resulted in harm to the consumer, the consumer could presumably bring a negligence action against the video tape service provider and benefit from the existence of subsection (e) by arguing negligence per se.

Digestible Law Rss Feed

Class Action Complaints Strictly Interpret Privacy Policy Requirements

Sussmann to speak at mobile and location privacy event

Seventh Circuit Limits Scope of Private Rights of Action under the VPPA