The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


Class Action Lawsuit Filed Against Eighteen Companies For Allegedly Distributing Privacy-Invading Mobile Applications

Last week, a class action lawsuit was filed against eighteen technology and social networking companies in Texas federal district court for allegedly distributing privacy-invading mobile applications ("apps"). Opperman et al. v. Path, Inc. et al., Case No. 1:12-cv-00219-SS (W.D. Tex. March 12, 2012). The companies sued were Path, Twitter, Apple, Facebook, Beluga, Yelp!, Burbn, Instagram, Foursquare Labs, Gowalla, Foodspotting, Hipster, LinkedIn, Rovio Mobile Oy, ZeptoLab, Chillingo, Electronic Arts, and Kik Interactive. The 152-page class action complaint begins with an adage from Robert Fulghum’s book, All I Really Need to Know I Learned in Kindergarten: "Don’t take things that aren’t yours." The platitudes continue. The plaintiffs allege that the defendants, through these apps, "surreptitiously harvest, upload and illegally steal the owner’s address book data without the owner’s knowledge or consent." Due to the ubiquity of wireless networks, the end result is that the defendants have "quite literally, turned the address book owners’ wireless mobile device into mobile radio beacons broadcasting and publicly exposing the unsuspecting device owner’s address book data to the world." The plaintiffs are thirteen Austin-area residents and primarily iPhone users. They have collectively installed all of the defendants’ apps that are allegedly conducting illegal reconnaissance on the information contained in their address books, including contact names, phone numbers, physical and email addresses, job titles, and birthdays. The illicit apps include the usual suspects such as Facebook, Twitter, and Foursquare, in addition to popular games such as Angry Birds and Cut the Rope.

The plaintiffs and the putative class members accordingly seek injunctive, equitable, statutory, and monetary relief for, inter alia, invasion of privacy and violations of numerous provisions of state and federal law, including the Electronic Communications Privacy Act (18 U.S.C. §§ 2701, et seq.), the Computer Fraud and Abuse Act (18 U.S.C. § 1030(g)), along with violations of the Racketeer Influenced & Corrupt Organizations Act (including 18 U.S.C. § 1343 (wire fraud), §§ 1961-64 (civil liability for racketeering activities and conspiracies), and § 2314 (transportation of stolen property)). The putative class includes all owners of iOS- or Android-based wireless mobile devices who acquired any application that "without the owner’s prior effective consent accessed, copied, uploaded, transferred, broadcast and/or otherwise used any portion of the owner’s address book data . . . that the owner had transferred onto the owner’s wireless mobile device."

A copy of the complaint can be found here.


New Developments on Canadian Anti-Spam Law

The Canadian Radio-television and Telecommunications Commission (CRTC) has made and registered its Electronic Commerce Protection Regulations for the Anti-Spam Act (CASL), which is expected to come into force in 2012.  The newly released regulations set out the information to be included in, and the form of, commercial electronic messages (CEMs), and information to be included in a request for consent.  The regulations also address how to get consent for the installation of computer programs.

The CRTC has responded to a select few of the broad-ranging concerns raised by businesses on the draft regulations during last year’s consultation phase.  Businesses will find there is a bit more flexibility in the “must-have” information they set out in CEMs, and when they seek consent to send them.  This implicitly recognizes that:

  • businesses operating online are not all created equal:  they do not all have the same contact capabilities, in terms of either human or online resources; and
  • CEMs are not all created equal:  an email may be easy (relatively speaking) to load up with prescribed information, but online communications come in many forms, and some are not as adaptable to detailed information and contact requirements.

The following points compare the final regulations to the draft regulations (the latter in parentheses).  When sending a CEM or seeking consent, businesses may do the following:

  • simply include the name by which they carry on business (rather than both that and their legal name);
  • include their mailing address, and either a staffed or voicemail phone number, email address or web address (rather than the physical and mailing address, plus all of the above, plus any other electronic address);
  • include the information in the above point on a website that “is readily accessible” (rather than via a single click);
  • use an unsubscribe mechanism that can be “readily performed” (rather than “performed in no more than two clicks or other method of equivalent efficiency”);
  • simply indicate that the person whose consent is sought can withdraw their consent (no need to indicate the means to do so).

Despite the above points of flexibility, there is no denying that the Act and regulations will impose much higher requirements for CEMs than many businesses are prepared for.  This notably includes U.S. businesses operating in Canada who are familiar with, and compliant with, CAN-SPAM.  As we explained in a previous post, CAN-SPAM and CASL are different in several very important ways.  CASL has a broader application, clear reach outside Canada, higher standard for consent, and higher penalties.

In short, any business sending CEMs to Canadians needs to become informed about the CASL requirements and take steps to become compliant.

Next Steps

Further regulations are expected from Industry Canada before CASL comes into force.

Businesses and industry associations have called on the government to introduce even more flexibility to reduce the impact of CASL on their operations, while still meeting the government’s anti-spam priorities.  One of the frequent “asks” has been for some lead time prior to the entry into force of CASL to allow businesses to prepare their databases and operations.  Others have requested that the government use its regulation-making authority to exclude certain types of CEMs, and CEMs sent under certain circumstances, from the requirements of the Act.

It remains to be seen whether the government will introduce new exceptions, or more flexibility, under regulations to come either before or after CASL comes into effect – expected later this year.


Commerce Department Launches Multistakeholder Process for Consumer Privacy Codes of Conduct

In response to the White House’s February 23, 2012 release of Consumer Data Privacy in a Networked World:  A Framework for Protecting and Promoting Innovation in a Global Digital Economy ("Framework"), the Commerce Department’s National Telecommunications and Information Administration ("NTIA") has issued a request for public comments on the consumer data privacy issues to be addressed through voluntary, yet legally enforceable, codes of conduct that implement the Consumer Privacy Bill of Rights outlined in the Framework.  NTIA is seeking comments from all interested stakeholders, including consumer groups, industry, academia, law enforcement agencies, and international partners.  Comments are due on March 26, 2012.

Interested parties may submit comments on any consumer privacy-related topic, though NTIA’s request indicates that the Framework’s transparency principles in privacy notices for mobile applications ("apps"), particularly apps that feature location-based services, are among the agency’s highest priorities.  Other highlighted areas for comment include cloud computing, online services directed toward teens and children, trusted identity systems, and the use of technologies, such as browser-based cookies, to collect personal data.

NTIA also seeks comment on how the multistakeholder process can be structured to ensure openness, transparency, and consensus-building among a diverse group of interested parties.  These comments represent the initial step of a process aimed at developing voluntary codes of conduct that will be enforced by the Federal Trade Commission.




Oregon Supreme Court Holds Insufficient Injury to Allow Negligence Claim in Data Breach Suit

On February 24, the Oregon Supreme Court held that absent any allegations that stolen personal information was used or viewed by a third party, plaintiffs had not suffered an injury that would support a negligence claim or an action under Oregon’s Unlawful Trade Practices Act in Paul v. Providence Health System-Oregon. 

The breach at issue occurred in 2005, when an employee left disks and tapes containing medical records for 365,000 patients in the employee’s car and those disks and tapes were stolen.  Some of the records went back 20 years, and contained Social Security numbers and medical information.   In 2006, the defendant settled with the Oregon Attorney General and agreed to pay credit monitoring costs to affected patients for two years and over $95,000 to the Attorney General.  In 2007, the trial court granted the defendant’s motion to dismiss, taking into account that several plaintiffs had been at least partially compensated via the attorney general settlement, and holding that the plaintiffs’ claimed damages were premised on the risk of future injury rather than actual present harm.

Plaintiffs argued that they had suffered financial loss in the form of past and future costs of credit monitoring, maintaining fraud alerts, and notifying various government agencies regarding the theft, as well as possible future costs related to identity theft.  They also argued that they had suffered damages from the emotional distress caused by the theft of the records.  The Supreme Court, however, found not only that there was no evidence that the plaintiffs had suffered any financial loss as a result of the breach, but also that there was no evidence that the records had ever been accessed or viewed.  The Court also noted that its decision to dismiss the claims was in line with many other decisions by courts in other jurisdictions, such as Pisciotta v. Old Nat. Bancorp out of the Seventh Circuit and Ruiz v. Gap from the Ninth Circuit.




FTC to Host Workshop on Advertising Disclosures Online and in Mobile Media May 30

Yesterday the Federal Trade Commission announced that it will host a day-long workshop open to the public on May 30 to explore whether new guidance is needed for advertising disclosures made both online and in mobile media.  The workshop will address the Dot Com Disclosures and how potential revisions could illustrate clear and conspicuous disclosures in the online and mobile advertising environment.  Last year, the FTC started seeking input on how to revise the Dot Com Disclosures to account for changes in technology since the guidance was originally issued.

Topics to be addressed include:

– How can effective disclosures be made in social media and on mobile devices, especially when space is limited for disclosures? 

– When can disclosures provided separately from an initial advertisement be considered adequate?

– What are available options when consumers use devices that do not allow downloading or printing terms of an agreement?

– How can short, effective and accessible privacy disclosures be made on mobile devices?

The FTC also seeks suggestions of topics of discussion and original research.  Requests and recommendations can be sent to  Additional information is available here.