The latest issue of our Socially Aware newsletter is now available here.

In this issue of Socially Aware, our Burton Award-winning guide to the law and business of social media, we analyze a groundbreaking FTC complaint alleging deceptive practices online that could turn website Terms of Use into federal law; we summarize a U.S. Supreme Court copyright case that could impact existing technologies and future technological innovation; we discuss a ruling from Europe’s highest court that will aid copyright owners in the fight against illegal streaming sites; we report on new SEC guidance on social media use by investment advisers as it relates to testimonials; we take a look at the development of the Internet of Things and the many regulatory, privacy and security issues that go along with it; and we highlight a recent class action decision that potentially impacts any company that hosts videos on its website.

All this—plus a collection of thought-provoking statistics about digital music…

The Federal Trade Commission’s (FTC) announcement that it had filed a complaint against Jerk, LLC and its websites like “jerk.com” (“Jerk”) looks at first glance like a run-of-the-mill FTC Section 5 enforcement action involving allegedly deceptive practices online. But hidden in the facts of Jerk’s alleged misbehavior is a potentially significant expansion of the FTC’s use of its deception authority.

According to the FTC’s complaint, Jerk allegedly led consumers to believe that the profiles on its websites were created by other users of the website. The company also allegedly sold “memberships” for $30 a month that supposedly included features that would enable consumers to alter or delete their profiles, or to dispute false information in the profiles. Jerk also charged consumers a $25 fee to email Jerk’s customer service department, according to the FTC’s complaint.

The FTC alleges that Jerk created between 73.4 million and 81.6 million unique consumer profiles primarily using information such as names and photos pulled from Facebook through application programming interfaces, or APIs. The complaint states that “[d]evelopers that use the Facebook platform must agree to Facebook’s policies,” such as obtaining users’ explicit consent to share certain Facebook data and deleting information obtained from Facebook upon a consumer’s request.

Cisco estimates that 25 billion devices will be connected in the Internet of Things (IoT) by 2015, and 50 billion by 2020. Analyst firm IDC makes an even bolder prediction: 212 billion connected devices by 2020. This massive increase in connectedness will drive a wave of innovation and could generate up to $19 trillion in savings over the next decade, according to Cisco’s estimates. 

In the first part of this two-part post, we examined the development of, and practical challenges facing businesses implementing, IoT solutions. In this second part, we will look at the likely legal and regulatory issues associated with the IoT, especially from an EU and U.S. perspective.

The Issues

In the new world of the IoT, the problem is, in many cases, the old problem squared. Contractually, the explosion of devices and platforms will create the need for a web of inter-dependent providers and alliances, with consequent issues such as liability, intellectual property ownership and compliance with consumer protection regulations.

Another great post from our sister blog, MoFo Tech:

The potential for mobile payments is huge. So are the potential legal and regulatory hurdles.

Banks, retailers, and pundits are paying a lot of attention to mobile payments, which typically involve the use of smartphones and tablets to pay for purchases.  But a lack of mobile infrastructure has kept the use of mobile payments fairly low in the U.S.

The space is evolving quickly, however.  More infrastructure is being rolled out, while new software and cloud-based solutions are enabling payment processing without the need for a network of specialized in-store terminals.  For their part, consumers are already well equipped to take advantage of these developments.  Today, 61 percent of American consumers have smartphones or tablets, up from 48 percent last year, according to a recent study from Vantiv, a provider of payment processing strategies, and the Mercator Advisory Group, an independent research firm.

Many of these consumers are already using these devices as shopping tools—comparing in-store prices with online prices, researching products, downloading coupons, and discussing potential purchases with friends.  So it’s fair to assume that consumers will adopt mobile payments quickly as they become easier and more widespread.  By 2018, Mercator estimates, the value of mobile payments will increase sevenfold, to $362.8 million a year, up from $51.4 million today.

There’s a great deal of opportunity here.  But there’s also much to consider from a legal standpoint, because mobile payments represent the convergence of business, technology, and banking.  “You have to think about issues like the structure of the mobile payment offering, including the source and settlement of the funds to determine the applicable regulatory framework,” says Obrea Poindexter, a partner at Morrison & Foerster who leads the mobile payments group.  “There are technology issues relating to cybersecurity and authentication as well as regulatory issues, such as maintaining the privacy of consumer data and complying with anti-money laundering laws.”

On January 24, 2014, in a case filed against Facebook by German consumer protection association VZBV, the Berlin Court of Appeal (“Court”) upheld a lower court ruling that Facebook’s “Friend Finder” function is unlawful. The Court agreed with the Berlin Regional Court’s 2012 decision that the Friend Finder function violates both German data protection law and unfair trade law, and re-affirmed the invalidity of several clauses in Facebook’s privacy notice and other online terms and conditions. VZBV has reported the ruling as a consumer victory, stating that the ruling recognizes that privacy is a consumer protection issue.

At the time of the original complaint, Facebook’s Friend Finder function invited users to “find friends from different parts of [their] life” by providing various pieces of information to the Facebook site, such as the schools their friends attended or the names of their friends’ current employers. Friend Finder also invited users to upload personal contacts from other platforms, including Skype and MSN, which enabled Facebook to add those contacts to its database and send them emails inviting them to join the social media platform. The complaint alleged that once Facebook had gathered this data, it could be used for other purposes, including commercial purposes. The Court held that Facebook had failed to provide adequate notice to users regarding this data import, and that its importing of non-users’ contact information constituted the collection of personal data of individuals who were not registered Facebook users without their knowledge or consent.

First, the Court established that German law applies to Facebook in this case because, although the social network’s European headquarters are based in Ireland, the U.S. parent company processes the applicable data and sets cookies on users’ computers located in Germany. The Court also pointed out that Facebook’s use of German service providers results in the application of German law. These facts distinguished the case from a recent ruling of the Schleswig-Holstein Administrative Court, which stated that Irish law—not German or U.S. law—applied to certain Facebook marketing activities in Germany because those activities were controlled from Ireland.

Turning to Friend Finder, the Court found that a breach of data protection law also constitutes a breach of the German Unfair Trade Act (“Unfair Trade Act”). More specifically, according to the Court, the fact that the Friend Finder function collected certain data without informing users or obtaining their consent, breached Germany’s Data Protection Act and Telemedia Act, and the subsequent use of such data for commercial purposes without notice or consent violated the Unfair Trade Act.

The Court also found that Facebook’s email invitations to non-users asking them to register with Facebook, without recipients’ prior explicit consent, amounted to unlawful email marketing under the Unfair Trade Act. The Court highlighted that Facebook itself was the sender of these emails, not Facebook’s users (as might be the case with other companies’ “tell-a-friend” marketing functions), and that Facebook users were deceived because they were unaware that the contact information they had uploaded to the service would be used to send emails to their contacts.

Finally, the Court found certain clauses in Facebook’s terms and conditions (Allgemeine Geschäftsbedingungen) and privacy terms (Datenschutzrichtlinien) to be invalid, for a variety of reasons. For example, Facebook’s terms and conditions granted the company a worldwide license to use works such as photographs and videos uploaded by users, and the wording of the terms would have permitted the marketing and sale of such materials to other companies for commercial use. The Court found such license to be invalid without obtaining users’ specific consent based on “clear” and “easy to understand” language. Various other provisions, including those that gave Facebook the right to unilaterally modify its privacy terms and other terms and conditions, were also found to be unclear and therefore invalid.

Facebook’s mechanism for obtaining consent to its privacy terms turned out to be critical to this case. Currently, consumer associations are only permitted to bring actions in Germany regarding privacy terms that are considered to be “general terms and conditions” and thereby subject to certain rules concerning standard terms and conditions. Where those rules apply, Germany’s unfair trade provisions are applied. For several years now, VZBV has been lobbying the German government to pass legislation permitting actions related to data protection to be brought directly, and indeed, the German government announced in February 2014 that a draft bill amending the German Injunctions Act is expected in April 2014.

The amendments to the German Injunctions Act are anticipated to extend the scope of certain of its provisions that permit consumer associations to initiate summary proceedings to defend individuals’ rights, so that such provisions cover data protection laws. If these amendments are made, then the Injunctions Act would provide a new legal basis for litigation in Germany related to privacy and data protection.

Our global privacy + data security group’s Data Protection Masterclass Webinar series is turning the spotlight on social media marketing and policies in January.

Please join Socially Aware contributors Christine Lyon and Karin Retzer, along with Ann Bevitt in our London office for a webinar that will examine the laws and regulations in the United States and Europe relating to consumer-facing issues that arise from the use of social media in advertising and marketing. This presentation will also address the challenges that employers and employees face resulting from the use of social media in the workplace and in the recruitment process.

Topics Will Include:

  • Privacy issues for social media advertising, blogging and tweeting
  • Data sharing in relation to social plug-ins
  • Data protection requirements for social media market research
  • Targeting and analytics
  • Social media policies
  • Monitoring of social media use, including misuse of social media by employees
  • Use of social media in the application process

Date & Time:

Tuesday, January 21, 2014

4:30 p.m. – 6:00 p.m. GMT
11:30 a.m. – 1:00 p.m. EST
8:30 a.m. – 10:00 a.m. PST

Registration:

To register for this webinar, please click here.

For more information, please contact Kay Burgess at kburgess@mofo.com or +44 20 7920 4067.

From our sister blog, MoFo Tech:

Widely applicable rules regarding consumer privacy disclosures in our increasingly mobile world are only now emerging. Government agencies, individual states, and professional associations are all weighing in on how mobile app developers should disclose how they collect, store, use, and protect the wide range of highly personal data being collected every day.

The Application Privacy, Protection, and Security Act of 2013, better known as the APPS Act, is intended to bring conformity to the unwieldy world of mobile app development. With a divided Congress struggling to pass even mandatory legislation, though, passage of any type of discretionary legislation this year seems unlikely, says D. Reed Freeman Jr., a partner with Morrison & Foerster in Washington, D.C. In the meantime, Freeman says, developers should focus on the Federal Trade Commission, “because even without congressional action, it has broad jurisdiction, and it has already brought cases and issued guidance on mobile privacy and data security.”

Charged with the intentionally broad mandate of guarding consumers from “deceptive” and “unfair” business practices, the FTC has been proactively applying its consumer protection laws across nearly all media, including mobile technology. A recent FTC policy document is especially revealing because it describes how the FTC expects disclosures of material facts to be made on mobile devices, “and privacy disclosures can certainly be material,” Freeman says.

So it’s up to the mobile app company to think carefully about the ways its program could surprise a reasonable user and disclose them appropriately. Freeman offers this rule of thumb:  “Would a reasonable consumer, under the circumstances, understand what information is being collected about her while she’s on a mobile device and what it is being used for?” If so, companies need to disclose those facts clearly and not bury them in EULAs or terms of use.

California’s Online Privacy Protection Act, passed in 2003, has taken consumer privacy one step further than the FTC has. It requires companies that operate commercial websites or online services and that collect personal information of any kind—including usernames and passwords—to prominently post a privacy policy somewhere on their homepage, says Andrew Serwin, a partner in Morrison & Foerster’s San Diego office.

And while California’s jurisdiction ends at the state line, its reach is often national, Serwin adds. “Companies with customers in all 50 states have to ask themselves whether they want to develop state-specific programs or apply standards across the board,” he says. Since the mobile world doesn’t recognize geographic boundaries, Serwin recommends that developers work toward the highest standards and beyond. “Privacy isn’t just a legal issue. It’s a brand issue,” he says.

Apart from knowing the law, businesses need to consider their own reputations and their customer relationships when collecting, using, and protecting personal information, Serwin says. For example, how could losing users’ passwords tarnish the company’s image in the market? “Current law doesn’t specifically cover that possibility, but,” he notes, “it may be in the company’s best interest to address these types of issues.”

Peer-to-peer (“P2P”) business models based on the Internet and technology platforms have become increasingly innovative.  As such models have proliferated, they frequently result in clashes with regulators or established market competitors using existing laws as a defensive tactic.  The legal battles that result illustrate the need for proactive planning and consideration of the likely legal risks during the early structuring phase of any new venture.

Collaborative consumption, or the “sharing economy” as it is also known, refers to the business model that involves individuals sharing their resources with strangers, often enabled by a third-party platform.  In recent years, there has been an explosion of these P2P businesses.  The more established businesses include online marketplaces for goods and services (eBay, Taskrabbit) and platforms that provide P2P accommodation (Airbnb, One Fine Stay), social lending (Zopa), crowdfunding (Kickstarter) and car sharing (BlaBlaCar, Lyft, Uber).  But these days, new sharing businesses are appearing at an unprecedented rate; you can now find a sharing platform for almost anything.  People are sharing meals, dog kennels, boats, driveways, bicycles, musical instruments – even excess capacity in their rucksacks (cyclists becoming couriers).

The Internet and, more specifically, social media platforms and mobile technology have brought about this economic and cultural shift.  Some commentators are almost evangelical about the potential disruption to traditional economic models that the sharing economy provides, and it’s clear that collaborative consumption offers a compelling proposition for many individuals.  It helps people to make money from under-utilized assets and tap into global markets; it gives people the benefits of ownership but with reduced costs and less environmental impact; it helps to empower the under-employed; and it brings strangers together and offers potentially unique experiences.  There’s clearly both supply and demand, and a very happy set of users for a great many of these new P2P services.

However, not everyone is in favor of the rapid growth of this new business model.  Naturally, most of the opposition comes from incumbent businesses or entrenched interests that are threatened by the new competition or those that have genuine concerns about the risk posed by unregulated entrants to the market.  Authorities and traditional businesses are challenging sharing economy businesses in a variety of ways, including arguing that the new businesses violate applicable laws, with accommodation providers and car-sharing companies appearing to take the brunt of the opposition to date.

Bed Surfing

One of the most successful P2P marketplaces, San Francisco-founded Airbnb is a platform that enables individuals to rent out part or all of their house or apartment.  It currently operates in 192 countries and 40,000 cities.  Other accommodation-focused P2P models include One Fine Stay, a London-based platform that allows home owners to rent out empty homes while they are out of town.

Companies such as these have faced opposition from hoteliers and local regulators who complain that home owners using these platforms have an unfair advantage by not being subject to the same laws as a traditional hotel.  City authorities have also cited zoning regulations and other rules governing short-term rentals as obstacles to this burgeoning market.  It has been reported that some residents have been served with eviction notices by landlords for renting out their apartments in violation of their leases, and some homeowner and neighborhood associations have adopted rules to restrict this type of short-term rental.

These issues are not unique to the United States.  Commentators have reported similar resistance with mixed responses from local or municipal governments in cities such as Barcelona, Berlin and Montreal.

It’s not particularly surprising that opposition to P2P accommodation platforms would come from existing incumbent traditional operators; after all, that’s typical of most new disruptive business models in the early stages before mainstream acceptance.  But the approaches taken by P2P opponents illustrate that most regulations were originally devised to apply to full-time commercial providers of goods and services, and apply less well to casual or occasional providers.

This has consequences for regulators, who are likely to have to apply smarter regulatory techniques to affected markets.  Amsterdam is piloting such an approach to accommodation-sharing platforms, realizing the benefits that a suitably-managed approach to P2P platforms could have on tourism and the local economy.

Car Sharing

Companies that enable car-sharing services have also faced a barrage of opposition, both from traditional taxi companies and local authorities.  In many U.S. cities, operators such as Lyft and Uber have faced bans, fines and court battles.

It was reported in August 2013 that eleven Uber drivers and one Lyft driver were recently arrested at San Francisco airport on the basis of unlawful trespassing offenses.  In addition, during summer 2013, the Washington, D.C. Taxicab Commission proposed new restrictions that would prevent Uber and its rivals from operating there.  Further, in November 2012, the California Public Utilities Commission (“CPUC”) issued $20,000 fines against Lyft, SideCar and Uber for “operating as passenger carriers without evidence of public liability and property damage insurance coverage” and “engaging employee-drivers without evidence of workers’ compensation insurance.”

All three firms appealed these fines, arguing that outdated regulations should not be applied to peer-rental services, and the CPUC allowed the companies to keep operating while it drafted new regulations, which were eventually issued in July 2013.  In August 2013, the Federal Trade Commission intervened and wrote to the Commissions arguing that the new rules were too restrictive and could stifle innovation.  The CPUC rules (approved on September 19, 2013) require operators to be licensed and meet certain criteria including in terms of background checks, training and insurance.  The ridesharing companies will be allowed to operate legally under the jurisdiction of the CPUC, and will now fall under a newly created category called “Transportation Network Company.”

Some operators have structured their businesses in an attempt to avoid at least some of the regulatory obstacles.  For example, Lyft does not set a price for a given journey; instead, riders are prompted to give drivers a voluntary “donation.”  Lyft receives an administrative fee in respect of each donation.  In addition, in its terms, Lyft states that it does not provide transportation services and is not a transportation carrier; rather, it is simply a platform that brings riders and drivers together.  In BlaBlaCar’s model, drivers cannot make a profit, just offset their actual costs, which helps to ensure that drivers are not considered to be traditional taxi drivers, thereby helping them avoid the regulation that applies to the provision of taxi services.

Traditional players embracing the new model

Interestingly, not all traditional players are taking a completely defensive approach.  From recent investment decisions, it appears that some companies appreciate that it could make sense for them to work closely with their upstart rivals, rather than oppose them.  For example, in 2011, GM Ventures invested $13 million in RelayRides and, in January 2013, Avis acquired Zipcar, giving Avis a stake in Wheelz, a P2P car rental firm in which Zipcar has invested $14 million.

The incentive for incumbent operators to embrace P2P models will likely vary by sector.  Perhaps it’s no surprise that this is best illustrated in the car rental industry, where there already exists a financial “pull” and a regulatory “push” towards greener and more sustainable models of service provision.

Legal and Regulatory Issues

Lawmakers and businesses around the world are currently grappling with how to interpret existing laws in the context of P2P sharing economy business models and considering whether new regulation is required.  For example, the European Union is preparing an opinion on collaborative consumption in the light of the growth of P2P businesses there.  One hopes that European policy makers focus more on incentivizing public investment in P2P projects via grants or subsidies than on prescriptive regulation of the sector.

Importantly, however, it’s a particular feature of the market for P2P platforms that much of the regulatory activity tends to be at the municipal or local level, rather than national.  This tends to make for a less cohesive regulatory picture.

In the meantime, anyone launching a social economy business will need to consider whether and how various thorny legal and regulatory issues will affect both the platform operator and the users of that platform.  Often, this may mean tailoring services to anticipate particular legal or regulatory concerns.

  • Consumer protection.  Operators will need to consider the extent to which their platforms comply with applicable consumer protection laws, for example when drafting appropriate terms of use for the platform.
  • Privacy.  Operators will need to address issues of compliance with applicable privacy laws in terms of the processing of the personal data of both users and users’ customers, and prepare appropriate privacy policies and cookie notices.
  • Employment.  Where services are being provided, the operator will need to consider compliance with any applicable employment or recruitment laws, e.g., rules governing employment agencies, worker safety and security, and minimum wage laws.
  • Discrimination.  Operators will need to consider potential discrimination issues, e.g., what are the consequences if a user refuses to loan their car or provide their spare room on discriminatory grounds, for example due to a person’s race or sexuality?  Could the operator attract liability under anti-discrimination laws?
  • Laws relating to payments.  One key to success for a P2P business model is to implement a reliable and effective payment model.  But most countries impose restrictions on certain types of payment structures in order to protect consumers’ money.  Where payments are made via the P2P platform rather than directly between users, operators will need to address compliance with applicable payment rules, and potentially deal with local payment services laws.  Fundamentally, it needs to be clear whose obligation it is to comply with these laws.
  • Taxation.  Operators will need to consider taxation issues that may apply – both in terms of the operator and its users.  Some sectors of the economy – hotels, for example – are subject to special tax rates by many cities or tax authorities.  In such cases, the relevant authorities can be expected to examine closely – and potentially challenge, or assess municipal, state or local taxes against – P2P models that provide equivalent services.  In some places, collection of such taxes can be a joint and several responsibility of the platform operator and its users.
  • Safety and security.  When strangers are being brought together via a platform, security issues will need to be addressed.  Most social economy businesses rely on ratings and reciprocal reviews to build accountability and trust among users.  However, some platforms also mitigate risks by carrying out background and/or credit checks on users.  Airbnb also takes a practical approach, employing a full-time Trust & Safety team to provide extra assurance for its users.
  • Liability.  One of the key questions to be considered is who is legally liable if something goes wrong.  Could the platform attract liability if a hired car crashes or a host’s apartment is damaged?
  • Insurance.  Responsibility for insurance is also a key consideration.  The issue of insurance for car-sharing ventures made headlines in April 2013 when it was reported that a Boston resident had crashed a car that he had borrowed via RelayRides.  The driver was killed in the collision and four other people were seriously injured. RelayRides’ liability insurance was capped at $1 million, but the claims potentially threaten to exceed that amount.  Given these types of risks, some insurance companies are refusing to provide insurance coverage if policyholders engage in P2P sharing.  Three U.S. states (California, Oregon and Washington) have passed laws relating to car sharing, placing liability squarely on the shoulders of the car-sharing service and its insurers.
  • Industry-specific law and regulation.  Companies will need to consider issues of compliance with any sector-specific laws, whether existing laws or new regulations that are specifically introduced to deal with their business model (such as crowd-funding rules under the JOBS Act in the United States, and P2P lending rules to be introduced shortly in the United Kingdom).  As noted above, some social economy businesses have already experienced legal challenges from regulators, and as collaborative consumption becomes even more widely adopted, regulatory scrutiny is likely to increase.  Accordingly, rather than resist regulation, the best approach for sharing economy businesses may be to create trade associations for their sector and/or engage early on with lawmakers and regulators in order to design appropriate, smarter policies and frameworks for their industry.

Conclusion

Erasmus said, “There is no joy in possession without sharing.”  Thanks to collaborative consumption, millions of strangers are now experiencing both the joy – and the financial benefits – of sharing their resources.  However, the legal challenges will need to be carefully navigated in order for the sharing economy to move from being merely disruptive to become a firmly established business model.

On April 12, 2013, the UK’s Office of Fair Trading (OFT), the UK regulator for consumer affairs and competition, announced that it was launching an investigation into children’s web- and app-based games. In particular, the OFT is looking into whether such games comply with the Consumer Protection from Unfair Trading Regulations 2008 (“Regulations”), and are not misleading or aggressive (for example, directly encouraging children to buy something or to pester their parents or other adults to buy something on their behalf). The investigation is expected to take six months to complete, and will take into account views from mobile app platform operators and other businesses operating in this market, together with the views of parents and consumer groups.

The investigation was launched in response to reports of children racking up substantial bills on so-called “free” online and app-based games. For example, in March 2013, it was reported that a 5-year-old boy amassed a bill of £1,700 in just 15 minutes via add-ons while playing the “free” game “Zombies vs Ninja.” There are thousands of games like this that are marketed as being free to download but, once the user starts playing, present advertising encouraging the user to pay to get access to extra levels or to receive in-game extras such as virtual coins, gems or other tokens.

The OFT estimates that, as of April 9, 2013, 80 of the 100 top-grossing Android apps were free to download, yet raised revenue through these kinds of in-app purchases. Although platforms will often enable password protection to restrict in-app purchases, such measures will not prevent purchases by children who know their parents’ password or by parents who, at the request of their children, insert their password without appreciation of the risks.

The Regulations, which implement the Unfair Commercial Practices Directive 2005/29/EC, state that unfair commercial practices are prohibited. A commercial practice is deemed to be unfair if it contravenes the requirements of professional diligence and materially distorts, or is likely to materially distort, the economic behavior of the consumer with regard to the product. Aggressive commercial practices are those that impair the average consumer’s freedom of choice or conduct through the use of harassment, coercion or undue influence, and that thereby cause, or are likely to cause, the consumer “to take a transactional decision he would not have taken otherwise.” Undue influence includes exploiting a position of power in relation to the consumer.

The Regulations clearly provide that it is unfair to include in an advertisement a direct exhortation to children to buy advertised products, or persuade their parents or other adults to buy advertised products for them. Breach of the Regulations can lead to criminal penalties such as a fine or imprisonment for up to two years.

The OFT has made it clear that no company that is included in its investigation should be assumed to have broken the Regulations. In addition, the OFT has stated that it does not wish to ban in-app purchases, but rather to determine whether they are compliant with the Regulations in order to ensure that children are protected. Nevertheless, the OFT has indicated that it will take enforcement action against offending companies if necessary. The outcome of the OFT’s investigation is expected to be published in October 2013.

In the meantime, a number of guides have appeared providing advice to parents on how to block in-app purchases (including guidance published by the UK communications regulator, Ofcom), and at least one major app distributor has added in-app purchase warnings to its app store listings. This could be the key to future settings: allowing users to filter out in-app purchase applications when downloading them.

It will be interesting to see what approach the OFT decides to take as a result of its investigation, and where it believes responsibility should lie. Should parents be expected to take more control over their children’s gaming activities or should providers be required to do more, e.g., by providing more information warning users about the nature of these “freemium” apps contained within their stores?

Lastly, note that this investigation may have consequences for game providers operating elsewhere in Europe. Because the Regulations are based on EU law, other EU regulators will be watching the progress of the OFT investigation closely to consider whether they, too, need to scrutinize games providers’ compliance with the equivalent laws in their territories.

Massachusetts appears to have followed California’s lead in opening a litigation floodgate over ZIP code collection at the point of sale. In 2011, the California Supreme Court held in Pineda v. Williams-Sonoma Stores, Inc., 246 P.3d 612 (Cal. 2011), that a retailer illegally collects personal identification information (PII) when it requests and records ZIP codes from customers paying by credit card. More than 240 class action lawsuits followed.

The Massachusetts Supreme Judicial Court’s recent opinion in Tyler v. Michaels Stores, Inc. (No. SJC-11145) could bring a similar wave of litigation. The Tyler opinion strongly suggests retailers operating in Massachusetts should end the practice of collecting ZIP codes during credit card transactions, and foreshadows future litigation based on this practice. Like the Pineda court, the Massachusetts Supreme Court concluded that a ZIP code constitutes PII under Massachusetts’s credit card PII statute, G.L. c. 93, § 105(a) (“the Credit Card law”). More important for retailers, however, is the Court’s ruling that a plaintiff may bring an action for violation of privacy rights absent identity fraud. This ruling could make Massachusetts the next venue for an explosion of “ZIP code” litigation, and, as we note below, provide reason for retailers to review PII collection policies nationwide.

Massachusetts’s Credit Card law, which closely tracks California’s Song-Beverly Act, makes it unlawful for businesses “that accept[] a credit card for a business transaction” to “write, cause to be written or require that a credit card holder write [PII], not required by the credit card issuer, on the credit card transaction form.” PII is defined as including, but not limited to, a credit card holder’s address or telephone number. Similar to California’s statute, the Credit Card law does not apply where a business asks for PII for “shipping, delivery or installation of purchased merchandise or services or for a warranty when such information is provided voluntarily.” A violation of the Credit Card law constitutes an unfair and deceptive trade practice, as defined in G.L. c. 93A, § 2.

The March 11, 2013 opinion came in response to three questions certified by the United States District Court for the District of Massachusetts, where the Tyler case was pending. Plaintiff Melissa Tyler brought the putative class action claiming, among other things, that Michaels collected her ZIP code and then used her name and ZIP code to figure out her address for marketing purposes. While the district court granted Michaels’s motion to dismiss, the court agreed to certify three questions to the Massachusetts Supreme Court:

  1. Does a ZIP code constitute PII under the Credit Card law?
  2. Can a plaintiff bring an action for such a privacy right violation absent identity fraud under the Credit Card law?
  3. Do the words “credit card transaction form” refer equally to an electronic or paper transaction form under the Credit Card law?

Looking at the text of the statute and its legislative history, the Massachusetts Supreme Court determined that the principal purpose of the Credit Card law “is to guard consumer privacy in credit card transactions,” and answered all three certified questions in the affirmative (Slip Opn. at 4, 6). Like the California Supreme Court in Pineda, the Massachusetts Supreme Court reasoned that a ZIP code is PII because a ZIP code, when combined with the consumer’s name, provides retailers with enough information to identify the consumer’s address or telephone number, “the very information [the law] expressly [prohibits]” (Id. at 4).

The Massachusetts Supreme Court’s answer that a plaintiff may bring an action for violation of the Credit Card law absent identity fraud is important for retailers, as it opens the door to litigation based on a wide range of injuries (or lack of actual injuries). To bring a claim, the Court instructed plaintiffs to allege a “separate and identifiable ‘injury’ resulting from the allegedly unfair or deceptive conduct,” and provided two examples of such injuries: (1) “actual receipt by a consumer of unwanted marketing materials as a result of the merchant’s unlawful collection of the consumer’s [PII]” and (2) “the merchant’s sale of a customer’s [PII] or the data obtained from that information to a third party” (Id. at 5-6). These examples flowed directly from the Court’s conclusion that the primary purpose of the statute is to protect consumer privacy, not to protect against identity fraud.

While these types of injuries may now suffice to justify actions in Massachusetts state court, it remains to be seen whether they will satisfy Article III, which governs standing in federal court. Regardless, the Tyler decision creates a definite litigation risk for retailers in Massachusetts for alleged violations of the Credit Card law, which provides for damages and reasonable attorneys’ fees to successful plaintiffs. Even if the aftermath of Tyler puts retailers in the same position as Pineda put retailers in California, there are strategies under Massachusetts law that retailers can deploy to minimize exposure.

While two state decisions hardly make for a trend, the writing certainly appears to be on the wall that courts may view ZIP codes as PII, particularly given the rise of privacy litigation in recent years. Because many states have statutes on the books like California’s Song-Beverly Act and Massachusetts’s Credit Card law, the time may be right for retailers and other businesses to review ZIP code (or PII) collection policies more widely.