The National Football League’s Buffalo Bills, no strangers to disappointment on the field, are now a cautionary tale for mobile marketers. Last week, a federal judge in the Middle District of Florida approved a class settlement agreement over alleged violations of the Telephone Consumer Protection Act (“TCPA” 47 U.S.C. §227, et seq.), stemming from text messages sent by the Bills to fans who had explicitly signed up to receive texts from the team.
According to the complaint filed in October 2012, Bills fan Jerry Wojcik visited the Bills website to read news about the team and learned about the Bills text alerts program, under which fans could sign up to receive team news by text message. The program was explicitly opt-in; only fans who signed up would receive text messages. Further, subscribers could cancel their subscriptions at any time. The program description was quite specific, reading, in part: “You will be opted in to receive 3-5 messages per week for a period of 12 months. Text STOP to cancel.”
Mr. Wojcik signed up for the text program and began receiving texts. One week, he allegedly received 6 messages. Another week, he allegedly received 7. Noting that the program terms had stated that he would receive 3-5 messages per week, he sued, on behalf of himself and all others similarly situated, alleging a massive violation of the TCPA and seeking damages of up to $1500 for every text above the permitted 5/week. A year and a half later, the parties have agreed to a settlement potentially worth as much as $3 million (depending on the number of claimants who come forward), including approximately $500,000 in attorneys’ fees and costs for Wojcik’s lawyers.
Showing posts with label Class Actions. Show all posts
Showing posts with label Class Actions. Show all posts
Wednesday, April 23, 2014
Friday, December 13, 2013
Song Beverly Strikes Again: Email Address Collection Added to Potentially Worrisome Activity
As we've previously blogged, retailers who sell products to consumers in California and Massachusetts, as well as a number of other states, run the risk of costly class action lawsuits if they collect customer zip codes in connection with purchase of goods by credit card. The prohibitions in those states, as we've explained, often go beyond zip codes, and can include -- in California, for example -- any information that does not appear on the face of the credit card.
A recent decision by the United States District Court in California involved the collection of e-mail addresses in credit card transactions, and found against a retailer on a motion dismiss -- propelling the case to trial. That decision adopted what some might call an inordinately expansive interpretation of the underlying law by the Supreme Court of California, and made things far worse by adding an apparent misreading of the statute to the mix. Not for the faint of heart, but certainly important for the prudent direct marketer who hopes to avoid costly and sometimes bogus lawsuits, the decision helps underscore the risks faced by even the most diligent companies -- risks high enough that companies are often forced to settle when they know in their heart of hearts that they're right.
Friday, October 25, 2013
California Ups the Ante On Privacy Policy Disclosures
For the past decade, California law has set the template for commercial website privacy policies. With the passage of a new law, set to take effect January 1, 2014, the state has updated the disclosures required of any commercial website operator who collects personally identifiable information from California residents.
California’s Online Privacy Protection Act. In 2003, California became the only state to require all websites that collect personal information (“PII”) from visitors – in this case, California residents – to post a privacy policy. Until then, there was no generally applicable privacy policy requirement under either state or federal law, and, to this day, neither the other states nor the federal government have imposed such a requirement. Federal privacy policy requirements have been limited to specific kinds of information (such as under Children’s Privacy Protection Act) or industries (under the Health Insurance Portability and Accountability Act). Under the 2003 law, Internet sites need to identify the “categories” of personally identifiable information collected about “individual consumers”; describe the “categories” of third parties with whom the information may be shared; disclose (if there is one) any process for individuals to review or request changes to their personal information; explain how notice is given to consumers of changes in the privacy policy; and post the policy’s effective date. The definition of PII is more expansive than encountered in data breach statutes, and includes email addresses, partial addresses (including street names and towns), and first and last names. The privacy policy also must be “conspicuously” posted, as defined by the statute.
Now, however, the law has been significantly expanded.
California’s Online Privacy Protection Act. In 2003, California became the only state to require all websites that collect personal information (“PII”) from visitors – in this case, California residents – to post a privacy policy. Until then, there was no generally applicable privacy policy requirement under either state or federal law, and, to this day, neither the other states nor the federal government have imposed such a requirement. Federal privacy policy requirements have been limited to specific kinds of information (such as under Children’s Privacy Protection Act) or industries (under the Health Insurance Portability and Accountability Act). Under the 2003 law, Internet sites need to identify the “categories” of personally identifiable information collected about “individual consumers”; describe the “categories” of third parties with whom the information may be shared; disclose (if there is one) any process for individuals to review or request changes to their personal information; explain how notice is given to consumers of changes in the privacy policy; and post the policy’s effective date. The definition of PII is more expansive than encountered in data breach statutes, and includes email addresses, partial addresses (including street names and towns), and first and last names. The privacy policy also must be “conspicuously” posted, as defined by the statute.
Now, however, the law has been significantly expanded.
Wednesday, May 29, 2013
Meditations On the Consumer Class Action: Statutory Penalties
To know the consumer class action is to fear it. Any online marketer or other retailer that has gone through a class action lawsuit – even if it prevails in the end – no doubt has scars and legal bills to show for it. Because the stakes are so high, even winning a class action case at trial may leave retailers limping and still in great peril. Numerous class actions have settled after the appeal from a defendant’s successful summary judgment motion because, even if the odds of winning on appeal were good, the downside risk of losing was large enough to make the gamble unthinkable. And the range of potential consumer class action lawsuits often seems overwhelmingly diverse. Is your “sale price” really a “sale price”? Is there enough fruit in your fruit roll-ups? Did you collect customer zip codes in credit card transactions?
While it is impossible for online and direct marketers to insulate themselves fully from an increasingly litigious world, there are rational steps you can take to help prevent your company from becoming "low hanging fruit" for class action lawyers. This is the first in a series of articles on just that subject, and it focuses on state consumer protection, marketing, and privacy laws that have per violation penalties. The recent Michaels Stores case in Massachusetts involved just such a law.
While it is impossible for online and direct marketers to insulate themselves fully from an increasingly litigious world, there are rational steps you can take to help prevent your company from becoming "low hanging fruit" for class action lawyers. This is the first in a series of articles on just that subject, and it focuses on state consumer protection, marketing, and privacy laws that have per violation penalties. The recent Michaels Stores case in Massachusetts involved just such a law.
Thursday, April 25, 2013
Beyond California and Massachusetts: Will Collecting Zip Codes Invite Class Actions Across the United States?
Although California and Massachusetts have stolen the spotlight with high profile cases banning zip code collection in connection with credit card purchases, thirteen other states and the District of Columbia have similar laws. With voracious class action attorneys circling, it is critical for retailers to know their legal obligations in these jurisdictions and, if necessary, adjust their privacy practices and policies.
Yet, because these statutes are to varying degrees vague, untested, and archaic, compliance can be difficult. At the same time, the risks could scarcely be higher. Hundreds of companies have already been ensnared in consumer class action lawsuits in California and Massachusetts, and the litigation floodgates may now open in other states as well. And the math is simple. With penalties as high as $1,000 every single time a zip code, address, or telephone number is collected illegally--for periods going back as far as six years--even a relatively small company could face a liability in the millions or tens of millions of dollars. You're also likely to be required to pay the plaintiffs' legal fees if you lose, which are often as much as one-third of the penalty calculation.
Yet, because these statutes are to varying degrees vague, untested, and archaic, compliance can be difficult. At the same time, the risks could scarcely be higher. Hundreds of companies have already been ensnared in consumer class action lawsuits in California and Massachusetts, and the litigation floodgates may now open in other states as well. And the math is simple. With penalties as high as $1,000 every single time a zip code, address, or telephone number is collected illegally--for periods going back as far as six years--even a relatively small company could face a liability in the millions or tens of millions of dollars. You're also likely to be required to pay the plaintiffs' legal fees if you lose, which are often as much as one-third of the penalty calculation.
Tuesday, March 19, 2013
The Perils of Zip Code Collection Reach Massachusetts
On March 11, 2013, the Supreme Court of Massachusetts joined California in prohibiting the collection and retention of customer zip codes by retailers in connection with credit card transactions. In Tyler v. Michaels Stores, Inc., the Court based its decision on Massachusetts General Law ch. 93, § 105(a), which provides that retailers cannot “write, cause to be written, or require that a credit card holder write personal identification information not required by the credit card issuer, on the credit card transaction form.” Like California, the Massachusetts court interpreted "personal identification information" so broadly as to include mere zip codes.
Background. In 2011, the Supreme Court of California sent shock waves through the retail industry when it ruled in Pineda v. Williams Sonoma Stores, Inc. that zip codes constituted “personal identification information” under California Civil Code § 1747.08 that could not be collected and retained in connection with credit card transactions except in very limited instances. The prohibition against collection of personal identification information applied even if zip codes were requested, but not required, to complete a purchase. As a result of the decision, retailers selling to California consumers have faced costly class action lawsuits (with claims for as much as $1,000 per violation) even if no actual damages or injury could be shown. And while the Supreme Court of California recently held in Apple, Inc. v. Superior Court, that this prohibition did not apply to online transactions involving digitally downloaded products, the Court was careful to state that it was reserving judgment as to whether it applied to “any other transactions that do not involve in-person, face-to-face interaction between the customer and retailer”—explaining that “we express no view on whether the statute governs mail order or telephone order transactions...”
Background. In 2011, the Supreme Court of California sent shock waves through the retail industry when it ruled in Pineda v. Williams Sonoma Stores, Inc. that zip codes constituted “personal identification information” under California Civil Code § 1747.08 that could not be collected and retained in connection with credit card transactions except in very limited instances. The prohibition against collection of personal identification information applied even if zip codes were requested, but not required, to complete a purchase. As a result of the decision, retailers selling to California consumers have faced costly class action lawsuits (with claims for as much as $1,000 per violation) even if no actual damages or injury could be shown. And while the Supreme Court of California recently held in Apple, Inc. v. Superior Court, that this prohibition did not apply to online transactions involving digitally downloaded products, the Court was careful to state that it was reserving judgment as to whether it applied to “any other transactions that do not involve in-person, face-to-face interaction between the customer and retailer”—explaining that “we express no view on whether the statute governs mail order or telephone order transactions...”
Wednesday, February 16, 2011
Arbitration Clauses, Class Actions and State Tax
What a funny combination of terms. You might be asking what state tax has to do with arbitration and class action suits. Two recent court decisions illustrate the connection.
In particular, a “bad day” for a corporate executive is receiving the complaint and summons for a class action lawsuit. While there have been fewer class action lawsuits in connection with state taxes than there have been in other areas of the law, the plaintiff’s bar has looked at state tax as a development opportunity and has commenced suits for inappropriate collection of state taxes. The basis commonly used for such a suit is that the state’s unfair and deceptive trade practices statute is violated by the collection of sales tax if such tax is not due. For example, a company might be collecting tax on food in a state in which food is not taxable. A better example would be collecting tax on Internet access, which is prohibited under a federal statute, the Internet Tax Freedom Act, 47 U.S.C. § 151n (1998) (“ITFA”), as amended, unless a state is grandfathered.
AT&T found out the hard way about class action lawsuits in the state tax area. It was collecting tax on Internet access services. Under the ITFA, it was prohibited from collecting such tax in all but a few states. Thus, as I wrote in my blog post of September 17, 2010, AT&T was slammed with a class action lawsuit, and settled for payment of millions of dollars of attorneys’ fees and other costs.
In particular, a “bad day” for a corporate executive is receiving the complaint and summons for a class action lawsuit. While there have been fewer class action lawsuits in connection with state taxes than there have been in other areas of the law, the plaintiff’s bar has looked at state tax as a development opportunity and has commenced suits for inappropriate collection of state taxes. The basis commonly used for such a suit is that the state’s unfair and deceptive trade practices statute is violated by the collection of sales tax if such tax is not due. For example, a company might be collecting tax on food in a state in which food is not taxable. A better example would be collecting tax on Internet access, which is prohibited under a federal statute, the Internet Tax Freedom Act, 47 U.S.C. § 151n (1998) (“ITFA”), as amended, unless a state is grandfathered.
AT&T found out the hard way about class action lawsuits in the state tax area. It was collecting tax on Internet access services. Under the ITFA, it was prohibited from collecting such tax in all but a few states. Thus, as I wrote in my blog post of September 17, 2010, AT&T was slammed with a class action lawsuit, and settled for payment of millions of dollars of attorneys’ fees and other costs.
Friday, September 17, 2010
The Conservative Approach of Over-Collection of Sales Tax Is Perilous
Many companies (and their advisors) believe there is no harm in “over-collecting” sales tax and, therefore, erring on the side of collection of tax in gray areas. But that is a very risky course of action, as AT&T recently found out.
It seems that AT&T was collecting sales and use tax on Internet service it provided to customers. It did so, despite the federal Internet Tax Freedom Act, 47 U.S.C. § 151 n. (1998), as extended and amended by the Internet Tax Nondiscrimination Act, P.L. 108-435 (2004) and the Internet Tax Freedom Act Amendments Act of 2007, P.L. 110-108 (2007), which prohibits states from imposing taxes on Internet access, with the exception of certain grandfathered states. Even a company of the size of AT&T apparently got it wrong, since it continued to collect tax on Internet access in all states. Its customers reacted, and commenced a class action law suit against AT&T.
AT&T recently settled the lawsuit with the class action plaintiffs at significant expense to AT&T. See In re AT&T Mobility Wireless Data Services Sales Litigation, MDL No. 2147, Case No. 10 C 2278 (N.D. Ill. Aug.11, 2010). While AT&T is not obligated to refund to the plaintiffs any amounts not refunded to AT&T by a state, it is required to seek such refunds. If it obtains a refund, AT&T, of course, must distribute the amounts it receives to its customers, but it doesn’t have to dip into its own pocket to do so.
So, you say, what is the harm to AT&T? As part of the settlement, AT&T is required to pay the cost of notice to each member of the class. Given the size of the class, this likely will be a substantial cost. In addition, AT&T must pay a contingency fee to the lawyers for the class action plaintiffs, which is generally based on the value of the settlement, and can be millions of dollars. Thus, far from being an income neutral proposition for AT&T, AT&T’s decision to collect tax created a large expense to it.
The conclusion to be drawn is that retailers need to be very careful to make sure they get it right. To simply err on the side of over-collection may prove to create substantial exposure. Rather, the true amount due must be collected. If a retailer gets in a bind by over-collecting, the state will not compensate the retailer for its additional expenses.
It seems that AT&T was collecting sales and use tax on Internet service it provided to customers. It did so, despite the federal Internet Tax Freedom Act, 47 U.S.C. § 151 n. (1998), as extended and amended by the Internet Tax Nondiscrimination Act, P.L. 108-435 (2004) and the Internet Tax Freedom Act Amendments Act of 2007, P.L. 110-108 (2007), which prohibits states from imposing taxes on Internet access, with the exception of certain grandfathered states. Even a company of the size of AT&T apparently got it wrong, since it continued to collect tax on Internet access in all states. Its customers reacted, and commenced a class action law suit against AT&T.
AT&T recently settled the lawsuit with the class action plaintiffs at significant expense to AT&T. See In re AT&T Mobility Wireless Data Services Sales Litigation, MDL No. 2147, Case No. 10 C 2278 (N.D. Ill. Aug.11, 2010). While AT&T is not obligated to refund to the plaintiffs any amounts not refunded to AT&T by a state, it is required to seek such refunds. If it obtains a refund, AT&T, of course, must distribute the amounts it receives to its customers, but it doesn’t have to dip into its own pocket to do so.
So, you say, what is the harm to AT&T? As part of the settlement, AT&T is required to pay the cost of notice to each member of the class. Given the size of the class, this likely will be a substantial cost. In addition, AT&T must pay a contingency fee to the lawyers for the class action plaintiffs, which is generally based on the value of the settlement, and can be millions of dollars. Thus, far from being an income neutral proposition for AT&T, AT&T’s decision to collect tax created a large expense to it.
The conclusion to be drawn is that retailers need to be very careful to make sure they get it right. To simply err on the side of over-collection may prove to create substantial exposure. Rather, the true amount due must be collected. If a retailer gets in a bind by over-collecting, the state will not compensate the retailer for its additional expenses.
Tuesday, March 16, 2010
Think You’re Safe Storing or Releasing “Anonymized” Data? Think Again.
Anonymity is increasingly difficult to safeguard, and direct marketers that collect, maintain, share, and use customer information should take note of a recent class action settlement by Netflix than stemmed from the company's disclosure of an "anonymized" customer database.
Most federal and state privacy and data security statutes focus on the protection of "personally identifiable information," such as names, addresses, telephone numbers, financial account numbers, social security numbers, and email addresses. In response to such laws, many companies strip personally identifiable information from databases containing sensitive information. Once stripped of identifiers, the theory goes, the risks of identity theft or violations of consumer privacy rights resulting from disclosure of the data (whether purposeful or not) are eliminated. Some companies may even conclude that the data may be shared for marketing or "data mining" purposes without violating their privacy policies or applicable laws.
According to the Electronic Privacy Information Center, however, "computer scientists have revealed that this 'anonymized' data can easily be re-identified, such that the sensitive information may be linked back to an individual."
Most federal and state privacy and data security statutes focus on the protection of "personally identifiable information," such as names, addresses, telephone numbers, financial account numbers, social security numbers, and email addresses. In response to such laws, many companies strip personally identifiable information from databases containing sensitive information. Once stripped of identifiers, the theory goes, the risks of identity theft or violations of consumer privacy rights resulting from disclosure of the data (whether purposeful or not) are eliminated. Some companies may even conclude that the data may be shared for marketing or "data mining" purposes without violating their privacy policies or applicable laws.
According to the Electronic Privacy Information Center, however, "computer scientists have revealed that this 'anonymized' data can easily be re-identified, such that the sensitive information may be linked back to an individual."
Subscribe to:
Posts (Atom)
Posts
