Major Data Breach Settlement Between Uber and State AGs
By Richard P. Lawson, Partner, Consumer Protection
In one of the largest privacy settlements to date, the attorneys general from 50 states and the District of Columbia secured a $148 million settlement from their investigation into a November 2016 hack of driver data from Uber. As stated in a complaint filed by Iowa Attorney General Tom Miller, the investigation is a result of a 2016 hack of names and driver’s license information, where hackers accessed Uber information and then demanded payment to delete it. California Attorney General Xavier Becerra stated that the hackers demanded $100,000 to remain silent about the breach. According to Pennsylvania Attorney General Josh Shapiro, Uber did not report the breach until November 2017.
Attorneys general enforce data breach laws under two separate and distinct theories—data breach notification laws and laws prohibiting unfair and deceptive business practices—and both were present in this investigation.
Since the passage of the first data breach notification law by California in 2002, all states have now enacted data breach notification laws. Designed with an eye toward empowering consumers to take affirmative steps to protect themselves when their data has been compromised, application of these statutes does not require any intent or deceptive or unfair act on the part of a business. Rather, these statutes generally require companies to give notice to affected consumers within a set period of time. While conditions for what qualifies as a breach and the time periods for providing notice vary by state, the one-year delay between the ransom attack and the notice was clearly unacceptable to the attorneys general in this investigation.
In the lawsuit he filed as part of this investigation, Texas Attorney General Ken Paxton alleged that Uber violated the Texas Deceptive Trade Practices Act when it failed to implement reasonable security practices and failed to provide notice of the breach despite having made representations that consumers can “trust us with your information,” and that Uber “take[s] the security of your data seriously . . . [by using] technical safeguards like encryption, authentication, fraud detection, and secure software development to protect your information.” Deception cases under state laws usually do not require that the government show intent, but they do involve the government proving that the statements were material and likely to mislead a consumer.
As part of the settlement, Uber will have to:
- Comply with state data breach and consumer protection laws;
- Take precautions regarding data on third-party platforms;
- Implement strict password policies for employees;
- Develop and deploy an overall data security policy for all data that Uber collects;
- Hire an outside third-party to assess and report on Uber’s data security efforts; and
- Implement a corporate integrity program for employees to report issues that give them concern.
There are a few key takeaways for companies from this investigation. First, if you make any statements regarding your privacy policies and data security practices, you must follow through on them. The attorneys general were undoubtedly concerned by Uber’s statements that it could be trusted to handle private information. As to the notices, it is very important for companies to understand the full impact of their responsibilities in the event of a breach. The United States’ privacy laws are heavily dominated by the state-by-state patchwork of data breach notification laws. In the absence of an overarching privacy regime in the United States, state attorneys general take their roles in this space seriously. As mentioned above, the key goal under these laws is to get notice to consumers, and enforcers typically work well with companies that they see taking responsibility and taking action quickly.
back to top
Bedding Company Files Trademark Suit Against Amazon
By Jeffrey S. Edelstein, Partner, Advertising, Marketing and Media
Amazon infringed on Comphy’s trademark by posting results for “inferior third-party sheets” when consumers searched for terms like “comph” and “comphy” on the Amazon site, according to a new Illinois federal court complaint.
Comphy, a California-based bedding company, has been selling high-end luxury linens and bedding since 2003, with an initial focus on spas and the hospitality market. In response to demand, Comphy expanded its sales directly to consumers and filed for trademark protection for a host of products earlier this year.
According to the complaint, Amazon requested permission on multiple occasions to sell Comphy’s products on Amazon.com. Comphy rejected these solicitations, in part because “at least” one of its customer relationships would be lost as a result.
Despite the refusal to sell its products on the defendant’s site, Amazon “markets, promotes, offers to sell and sells inferior third-party products as ‘Amazon’s Choice for ‘comphy sheets,’” the plaintiff alleges. Moreover, “when ‘comphy’ is searched on defendant’s website…the algorithm populates a page of search results for inferior and unauthorized third-party sheets. The search results page does not indicate that Comphy-brand sheets are unavailable on Amazon.com.”
“Defendant’s actions are likely to cause and have caused actual confusion. Plaintiff has received complaints from retail customers, believing that they purchased actual, quality Comphy-brand sheets from Plaintiff via Amazon.com, about the poor quality of the sheets, or about the failure of the third-party vendor to provide ancillary products offered as an incentive to purchase sheets. The complaints made by third party retail customers are the direct result of Defendant’s unauthorized use of Plaintiff’s trademarks to lead customers to buy inferior third-party products.”
Asserting that Amazon’s actions are “causing irreparable damage to Plaintiff’s growing internet business,” Comphy’s complaint requests injunctive relief to stop the purported trademark violations, as well as treble damages (or, in the alternative, statutory damages for willful trademark counterfeiting of $2 million for each and every use of plaintiff’s trademarks).
To read the complaint in The Comphy Co. v. Amazon.com, click here.
Why it matters: The bedding company faces an uphill challenge to hold Amazon accountable for trademark infringement given case law from the U.S. Court of Appeals for the Ninth Circuit. There, a similar suit was filed by watchmaker Multi Time Machine, arguing that Amazon violated its trademark rights by displaying watches by other manufacturers in search results for “Multi Time Machine.” In concluding that the “search results page makes clear to anyone who can read English that Amazon carries only the brands that are clearly and explicitly listed on the web page,” the federal appellate panel affirmed summary judgment in favor of Amazon in 2015.
back to top
New York Court Gets Fresh With Juicemaker
By Richard P. Lawson, Partner, Consumer Protection
A New York federal court judge narrowed the scope of a consumer class action brought against Whole Foods and Freshbev over a line of juices marketed as “fresh.”
Gerard Campbell purchased several Freshbev juices at a Whole Foods store, including Ripe Craft Juice 12.2 Northeast Blend Cranberry Apple, Ripe Craft Juice 12 Cranberry Unsweetened and Fresh Juice Pineapple. He alleged he paid a premium for the drinks based on misrepresentations that the juices were unpasteurized, cold-pressed and fresh, and that the cranberry apple juice had more cranberry juice than apple juice.
Ruling on the defendants’ motion to dismiss, U.S. District Court Judge Frederic Block granted it in part while allowing other claims to move forward.
While determining that a plaintiff can maintain standing for injunctive relief where he pleads a future desire to buy the product at issue, the court dismissed Campbell’s claims for injunctive relief, as Campbell made no such claim.
Turning to the substantive issues, the court considered whether federal law preempted the plaintiff’s challenge to the defendant’s labeling. In the case of the “unpasteurized” claim, the court reviewed the Food and Drug Administration’s (FDA) nonbinding guidance for the juice industry, “Juice Hazard Analysis Critical Control Point Hazard and Controls Guidance.” The guidance defines pasteurization as “a heat treatment sufficient to destroy vegetative cells of pathogens,” and as the primary method for preventing pathogen contamination of juice. High pressure processing (HPP) alternatively destroys pathogens via pressure. The court found the guidance, together with other FDA documents, left an open question of fact as to whether any specific “unpasteurized” label is misleading where the product has been treated with an alternative to pasteurization but doesn’t provide additional information to consumers.
“Here, the labels of the Cranberry Apple and Pineapple juices purchased by plaintiff explain that the juices were treated with pressure,” the court wrote. “This provides the consumer with the requisite additional information. Therefore, the ‘unpasteurized’ labels on the juice products are not false or misleading, and plaintiff’s claims regarding this term are preempted.”
However, the Cranberry juice label—which did not explain that the drink was treated with pressure—lacked the necessary additional information, and Campbell’s claims based on that product survived.
The court next rejected the plaintiff’s contention that the “cold-pressed” label was misleading because the juices were treated with HPP after being cold-pressed. “Plaintiff’s claim is implausible,” the court said. “There is no ‘only’ or ‘exclusively’ modifier before ‘cold-pressed’ to indicate that the juice has been subjected to no other process. A reasonable consumer would not mistake the cold-pressed claim to be a claim that pressure was never applied to the juice products.”
Federal regulations govern the use of the word “fresh” on a label, and Judge Block found the defendants’ use of the term could be misleading given that the juices were treated by HPP. “In this context, juice treated with HPP cannot be described as fresh because juice is sold both with and without processing, so the term ‘fresh’ would imply that the juice is unprocessed,” the court wrote. “Whether a reasonable consumer would be misled by the term ‘fresh’ combined with additional language regarding the application of pressure is a question for the factfinder.”
Finally, the court moved Campbell’s challenge to the name “Cranberry Apple” forward. The defendants’ label violated federal regulations because it implied the product has more cranberry juice than apple, and the ingredient statement on the back could not save the product name, the court found.
To read the memorandum and order in Campbell v. Whole Foods, click here.
Why it matters: This is a mixed bag for the defendants. The court’s ruling put an end to some of the plaintiff’s false advertising claims but allowed others based on the labeling of the juice products to move forward.
back to top
Lack of Disclosures Remains Problematic for Social Media Influencers
By Jesse M. Brody, Partner, Advertising, Marketing and Media
A new class action charges brands with paying social media influencers to promote their products while failing to ensure appropriate disclosures were made.
The lawsuit names seven Israeli brands (and references companies such as Adidas, Mini Cooper, and Grey Goose), claiming that their social media subterfuge was intentional and often targeted minors. The influencers themselves were not named in the actions.
Advertisers and their influencer partners have struggled in recent years to fulfill the requirements set forth by the Federal Trade Commission (FTC) in the Endorsement Guides and by other regulators, in part due to a belief that sponsored posts—with a “#ad” or “#spon” label—will turn off consumers, who are seeking authenticity.
To date, smaller companies and micro-influencers have escaped regulatory oversight while the FTC focuses on the players with larger followings—think Kardashians and professional athletes—while larger companies have experienced fallout when a high-profile influencer faces a scandal. Some companies are even paying for fake followers in an effort to keep their numbers up and the brand relevant.
Read more about the lawsuit here.
Why it matters: The debate surrounding oversight of social media influencers continues to rage on. Some argue that consumers are so accustomed to sponsorship on social media that they easily recognize it for what it is, regardless of whether a disclosure is attached. Other members of the industry have pushed back against what they see as selective enforcement where regulators have ignored sponsored content on television or music videos and instead have seemingly solely focused on social media.
back to top
First Ringless Voicemail Message TCPA Decision Sides With Plaintiff
By Kristin E. Haule, Associate, Litigation | Christine M. Reilly, Chair, TCPA Compliance and Class Action Defense
A federal judge in Michigan is the first to declare in a published dispositive opinion that a ringless voicemail message (RVM) is a “call” regulated by the Telephone Consumer Protection Act (TCPA). In an opinion issued on July 16, 2018, in Saunders v. Dyck O’Neal, U.S. District Judge Gordon J. Quist of the U.S. District Court, Western District, Michigan, noted Congress’ broad descriptor “any” in prohibiting “any call,” and noted that the Federal Communications Commission (FCC) and the Supreme Court have generally construed the TCPA broadly in ruling that new and emerging telephone technologies are governed by the TCPA, including voicemail messages, text messages and email-initiated text messages. Judge Quist also noted that plaintiff received the notifications and listened to the voicemails on her phone, so the practical effect is the same, regardless of whether her phone rang before the voicemail was left. In Judge Quist’s view, a contrary holding would be “absurd.”
RVMs are a relatively new technology, typically seen in the debt collection context, whereby messages are sent directly to the consumer’s voicemail, with the intention that the consumer’s phone does not ring (though sometimes it may). The technology generally works by sending a signal to “busy” the phone line, which causes the message to be routed directly to the voicemail server, which is generally separate from the telephone line. Companies that sell and utilize the technology have argued that RVMs are not “calls” pursuant to the TCPA because the message is sent directly to the voicemail server, as opposed to the phone line. Voicemail servers are not “common carrier” services, but “enhanced information services,” which are exempt from the TCPA. Opponents argue that RVMs are just as invasive as phone calls, not functionally different from a text message, and cost the consumer the same time and money to access as regular phone calls. Until Judge Quist, no federal or state judge had weighed in on the controversy, at least not in a published opinion, though there have been other TCPA cases involving this technology.
Defendant Dyck O’Neal had apparently left approximately 30 such voicemail messages on Saunders’ voicemail over the course of a year in connection with an outstanding debt. Defendant had used the VoApps system to deliver the voicemails. Plaintiff brought suit, seeking to represent a nationwide class of individuals who received these RVMs. Defendant moved for summary judgment on the theory that its RVMs were not “calls” regulated by the TCPA, to no avail.
In his ruling Monday, Judge Quist adopted plaintiff’s viewpoint, criticizing the argument that RVMs are “enhanced information services” exempt from the TCPA as an “attempt[] to blur the law,” and explaining that although voicemail is regulated generally as an information service, when connected to a “call,” it “can be considered” under the TCPA, citing to several older cases holding that unanswered calls and the resulting voicemails are still “calls” within the TCPA’s definition. Judge Quist did not elaborate on what “call” an RVM is “connected” to, however.
The FCC has not yet opined on whether this new technology constitutes a “call” governed by the TCPA and has made no specific regulations regarding RVMs. All About the Message, LLC, filed a petition with the FCC in 2017 seeking a declaratory ruling that the technology was not regulated by the TCPA, but after thousands of consumers filed comments in opposition, it withdrew its petition. This was not the first attempt to gain clarity from the FCC. VoApps also filed a petition with the FCC in 2014, but it was also withdrawn prior to a ruling.
At the time of publication of this alert, no notice of appeal has been filed. To read the full opinion in Saunders v. Dyck O’Neal, click here.
Why it matters: Saunders is perhaps an attempt at a “commonsense” approach to RVMs—if traditional voicemails and text messages are “calls” regulated by the TCPA, then RVMs should be similarly regulated. But because RVMs are not ostensibly connected to any common carrier “call,” Judge Quist’s decision could be vulnerable to review. In the meantime, we expect competing views on this issue from other courts. Companies would be well-advised to ensure that they have proper consent under the TCPA when using RVM technology until there is further clarity on whether the technology will be covered by the TCPA. Manatt’s TCPA compliance and class action defense team will continue to report on this emerging area of law.
back to top
Court Rules: PAGA Claim Doesn’t Require Injury
Why it matters
A Private Attorneys General Act (PAGA) claim based on the failure to provide and maintain accurate wage statements as required by the California Labor Code does not require proof of injury, a California appellate panel has ruled. After Terri Raines was terminated by Coastal Pacific Food Distributors, she sued for age and disability discrimination, as well as violations of the Labor Code based on allegedly unlawful wage statements. A trial court granted summary judgment in favor of the employer, but the panel reversed. Raines’ representative PAGA claim for civil penalties based on a violation of Labor Code Section 226(a) did not require proof of injury or a knowing and intentional violation, the court said. “This is true even though these two elements are required to be proven when bringing an individual claim for damages or statutory penalties under section 226(e),” the panel wrote. “Because the trial court erroneously required proof of injury on the PAGA claim, the grant of summary judgment was improper.” Although employers should be concerned about potential PAGA liability where the plaintiff does not have to prove an injury, the panel also noted that trial courts retain discretion as to whether or not to award civil penalties under the statute.
Detailed discussion
Coastal Pacific Food Distributors hired Terri Raines as a billing clerk in 1998 and terminated her employment in 2014. Raines filed suit, alleging age discrimination, disability discrimination and, in an amended complaint, violations of the California Labor Code. Specifically, she claimed the employer failed to furnish employees with accurate itemized wage statements showing the applicable hourly rates in effect during the pay period and the corresponding number of hours worked at each hourly rate, as required by Section 226(a).
Section 226(e) authorizes an “employee suffering injury as a result of a knowing and intentional failure by an employer to comply with subdivision (a)” to recover damages or statutory penalties. Raines sought to recover both statutory penalties on an individual basis and civil penalties on a representative basis under the Private Attorneys General Act (PAGA).
The parties settled the discrimination claims and focused on the PAGA wage statement claim. They stipulated that over a 15-month period, Coastal Pacific did not include the overtime hourly rate of pay on wage statements. The statements did include both the number of overtime hours worked by the employee and the total overtime pay, however.
Coastal Pacific argued that in order to obtain civil penalties under PAGA, Raines was required to prove she suffered an injury, and could not do so. Even though the overtime hourly rate of pay was not listed on the wage statements, because the number of overtime hours worked and the total overtime pay both appeared, the overtime hourly rate was “readily ascertainable” under the “reasonable person” standard because it required only simple math to calculate, the employer told the court.
The plaintiff countered that she was not required to demonstrate an injury in order to recover under Section 226, and even if she was, the incorrect wage statements were sufficient to establish an injury.
Siding with the employer, the trial court ruled that Raines had not suffered an injury, as required for the individual claim under Section 226(e), because the hourly overtime rate could be determined from the wage statement by simple math. The court also held that an injury was necessary for the PAGA claim, granting summary judgment in favor of Coastal Pacific.
The appellate panel rendered a mixed decision. First, the court addressed Raines’ individual claim for statutory penalties under Section 226(e). A plaintiff is “injured” under this provision of the Labor Code “if the accuracy of any of the items enumerated in section 226(a) cannot be ascertained from the four corners of the wage statement,” including the hourly rate.
Raines told the court she could not normally do division in her head and the calculation of the hourly overtime rate presented a relatively complex mathematical problem that most people could not readily do in their heads, meaning she was injured by the missing overtime hourly rate of pay.
“We reject this argument,” the panel wrote. “Here, one can determine the hourly overtime rate ‘from the wage statement alone.’ It can be ‘promptly and easily’ determined by simple arithmetic. The mathematical operation required is division, which is taught in grade school. Although many people cannot perform the calculation in their heads, it can be easily performed by use of a pencil and paper or a calculator; no additional documents or information are necessary.”
Since the plaintiff could not show a triable issue of fact as to the requisite injury, the appellate court affirmed summary judgment in favor of Coastal Pacific on Raines’ individual claim for statutory penalties under Section 226(e).
However, the court reversed on the plaintiff’s PAGA claim. Courts are split on the question of whether a PAGA claim for a violation of Section 226(a) requires the same showing of injury as an individual claim for statutory penalties under Section 226(e). PAGA is concerned only with civil penalties, while Section 226(e) provides for damages or statutory penalties, the panel noted, and case law has historically distinguished between statutory penalties and civil penalties.
“In this context, PAGA is concerned with collecting civil penalties for the violation of section 226(a), not the damages or statutory penalties provided for in section 226(e),” the court wrote, rejecting the employer’s argument that “no injury” amounts to “no violation.”
“[D]amages and civil penalties have different purposes; these different purposes may well explain the Legislature’s reasoning. Damages are intended to be compensatory, to make one whole. Accordingly, there must be an injury to compensate. On the other hand, ‘Civil penalties, like punitive damages, are intended to punish the wrongdoer and to deter future misconduct.’ An act may be wrongful and subject to civil penalties even if it does not result in injury.”
Concerns about an employer being punished where no injury occurred are also mitigated by the fact that trial courts have discretion in awarding civil penalties and may reduce the award for technical violations that cause no injury, the panel noted.
“Because the trial court incorrectly found an employee must suffer an injury in order to bring a PAGA claim, it erred in granting summary adjudication on Raines’s PAGA claim,” the court concluded.
To read the opinion in Raines v. Coastal Pacific Food Distributors, Inc., click here.
back to top
Fifth Circuit Pins Down Insignia Ban
Why it matters
The U.S. Court of Appeals, Fifth Circuit, affirmed a ruling from the National Labor Relations Board (NLRB or Board) that a ban on pins violated Section 8(a)(1) of the National Labor Relations Act (NLRA), and held that In-N-Out Burger failed to overcome the presumption that a blanket ban on insignia is unlawful under the statute. The fast-food chain required employees to adhere to a dress code that included a prohibition on wearing “any type of pin or stickers.” In April 2015, a worker at a Texas location wore a “Fight for $15” pin and was instructed to remove it. He filed a charge with the NLRB, which agreed that the dress code violated the NLRA. The federal appellate panel affirmed, finding that the public image exception relied on by the employer was “exceedingly narrow” and that the employer’s interest in maintaining a unique public image did not constitute “special circumstances” sufficient to justify the no-pin rule. The court noted that the fact In-N-Out Burger requires employees to wear company-issued buttons twice a year didn’t help its case.
Detailed discussion
To demonstrate solidarity with the “Fight for $15” campaign—a national movement advocating for a $15-per-hour minimum wage, the right to form a union without intimidation and other improvements for low-wage workers—an employee at an Austin, TX, In-N-Out Burger wore a “Fight for $15” button to work.
The next day, another worker also wore the button and was called into the manager’s office, where he was instructed to remove the button. The employee filed an unfair labor practice charge with the NLRB. An administrative law judge (ALJ) determined the employer violated the NLRA, and on appeal, the Board affirmed.
In-N-Out appealed again, this time to the Fifth Circuit. The employer explained that the company strictly enforces its uniform and appearance rules to promote a consistent public image across its 300 locations, including a nine-element uniform and a prohibition found in the employee handbook that states, “Wearing any type of pin or stickers is not permitted.”
Notwithstanding this rule, however, the employer required employees to wear company-issued buttons twice a year. During the Christmas season, employees must wear buttons stating “Merry Christmas/In-N-Out Hamburgers/No Delay.” In April, workers wear buttons soliciting donations to the In-N-Out Foundation, a nonprofit organization established by the company’s owners that focuses on preventing child abuse and neglect.
The employer argued that its interest in maintaining a unique public image and its concern with ensuring food safety constituted “special circumstances” sufficient to justify the no-pin rule. But the Fifth Circuit was not persuaded.
“Since the Act’s earliest days, it has been recognized that Section 7 protects the right of employees to wear items—such as buttons, pins, and stickers—relating to terms and conditions of employment (including wages and hours), unionization, and other protected matters,” the federal appellate panel wrote. “Accordingly, an employer that maintains or enforces a rule restricting employees from displaying such items commits an unfair labor practice in violation of Section 8(a)(1).”
The Board has created a “narrow” exception to this rule if an employer can demonstrate “special circumstances sufficient to outweigh [its] employees’ Section 7 interests and legitimize the regulation of such insignia, then the right of employees to wear these items ‘may give way.’” The “special circumstances” exception is applied only in a limited number of situations, including where it would “unreasonably interfere with a public image that the employer has established, as part of its business plan, through appearance rules for its employees.”
In addition, a rule that infringes on employees’ Section 7 right to wear protected items is presumptively invalid, the panel noted, and it is the employer’s burden to overcome that presumption. In-N-Out Burger was unable to overcome this presumption and demonstrate the “special circumstances” required, the court found.
“In-N-Out failed to demonstrate a connection between the ‘no pins or stickers’ rule and the company’s asserted interests in preserving a consistent menu and ownership structure, ensuring excellent customer service, and maintaining a ‘sparkling clean’ environment in its restaurants,” the court said. Further, “In-N-Out’s requirement that its employees wear the Christmas and In-N-Out Foundation buttons undercut its claim that ‘special circumstances’ required employee uniforms to be button-free.”
“If the employee uniform—which In-N-Out describes as an integral component of its overall public image—changes several times each year, then either the company’s interest in maintaining a ‘consistent’ public image is not as great as it suggests, or, alternatively, the uniform does not play as critical a role in maintaining that public image as In-N-Out claims,” the panel wrote. “As the Board observed, the Christmas and In-N-Out Foundation buttons are appreciably larger and ‘significantly more conspicuous’ than the ‘Fight for $15’ buttons. Since the addition of larger, more noticeable buttons to employee uniforms does not interfere with In-N-Out’s public image, the Board permissibly concluded that allowing employees to wear smaller buttons protected by Section 7, such as the ‘Fight for $15’ buttons, would not unreasonably interfere with the company’s public image.”
Nor did In-N-Out’s argument about maintaining food safety sway the Fifth Circuit. “In-N-Out’s ‘no pins or stickers’ rule banned all buttons other than its own, ‘without regard to their safety.’ Accordingly, even if In-N-Out had demonstrated a genuine basis for its food safety concerns—which it did not—it failed to show that its rule was ‘narrowly tailored’ to that concern,” the court said.
“With respect to the ‘Fight for $15’ buttons, the ALJ examined those buttons, as well as the company-issued buttons, and ‘[d]iscern[ed] no apparent, significant difference in safety.’ The Board also noted that In-N-Out’s managers did not make ‘any effort to examine’ the ‘Fight for $15’ buttons for safety issues before restricting employees from wearing them, which indicates that the company’s food safety argument is a ‘post hoc invention[].’”
The panel affirmed the NLRB’s order.
To read the opinion in In-N-Out Burger, Inc. v. NLRB, click here.
back to top