Tag: online

California District Court Holds that Providing Cellphone Number for an Online Purchase Constitutes “Prior Express Consent” Under TCPA – Telephone Consumer Protection Act

DrinkerBiddle

 

A federal district court in California recently ruled that a consumer who voluntarily provided a cellphone number in order to complete an online purchase gave “prior express consent” to receive a text message from the business’s vendors under the TCPA. See Baird v. Sabre, Inc., No. CV 13-999 SVW, 2014 WL 320205 (C.D. Cal. Jan. 28, 2014).

In Baird, the plaintiff booked flights through the Hawaiian Airlines website. In order to complete her purchase, the plaintiff provided her cellphone number. Several weeks later she received a text message from the airline’s vendor, Sabre, Inc., inviting the plaintiff to receive flight notification services by replying “yes.” The plaintiff did not respond and no further messages were sent. The plaintiff sued the vendor claiming that it violated the TCPA by sending the single text message.

The central issue in Baird was whether, by providing her cellphone number to the airline, the plaintiff gave “prior express consent” to receive autodialed calls from the vendor under the TCPA. In 1992, the FCC promulgated TCPA implementing rules, including a ruling that “persons who knowingly release their phone numbers have in effect given their invitation or permission to be called at the number which they have given, absent instructions to the contrary.” In re Rules & Reg’s Implementing the Tel. Consumer Prot. Act of 1991, 7 F.C.C.R. 8752, 8769 ¶ 31 (1992) (“1992 FCC Order”). In support of this ruling, the FCC cited to a House Report stating that when a person provides their phone number to a business, “the called party has in essence requested the contact by providing the caller with their telephone number for use in normal business communications.” Id. (citing H.R.Rep. No. 102–317, at 13 (1991)).

The court found that, while the 1992 FCC Order “is not a model of clarity,” it shows that the “FCC intended to provide a definition of the term ‘prior express consent.’” Id. at *5. Under that definition, the court held that the plaintiff consented to being contacted on her cellphone by an automated dialing machine when she provided the number to Hawaiian Airlines during the online reservation process. Id. at *6. Under the existing TCPA jurisprudence, a text message is a “call.” Id. at *1. Furthermore, although the plaintiff only provided her cellphone number to the airline (and not to Sabre, Inc., the vendor), the court concluded that “[n]o reasonable consumer could believe that consenting to be contacted by an airline company about a scheduled flight requires that all communications be made by direct employees of the airline, but never by any contractors performing services for the airline.” Id. at *6. The Judge was likewise unmoved by the fact that the plaintiff was required to provide a phone number (though not necessarily a cellphone number) to complete the online ticket purchase. Indeed, the court observed that the affirmative act of providing her cellphone number was an inherently “voluntary” act and that, had the plaintiff objected, she could simply have chosen not to fly Hawaiian Airlines. Id.

Baird does not address the October 2013 TCPA regulatory amendments that require “prior express written consent” for certain types of calls made to cellular phones and residential lines (a topic that previously has been covered on this blog). See 47 CFR § 64.1200(a)(2), (3) (emphasis added). “Prior express written consent” is defined as “an agreement, in writing, bearing the signature of the person called that clearly authorizes the seller to deliver or cause to be delivered to the person called advertisements or telemarketing messages using an automatic telephone dialing system or an artificial prerecorded voice, and the telephone number to which the signatory authorized such advertisements or telemarketing messages to be delivered.” 47 CFR § 64.1200(f)(8). Whether the Baird rationale would help in a “prior express written consent” case likely would depend on the underlying facts such as whether the consumer/plaintiff agreed when making a purchase to be contacted by the merchant at the phone number provided, and whether the consumer/plaintiff provided an electronic signature. See 47 CFR § 64.1200(f)(8)(ii).

Nonetheless, Baird is a significant win for the TCPA defense bar and significantly reduces TCPA risk for the defendants making non-telemarketing calls (or texts) to cellphones using an automated dialer (for which “prior express consent” is the principal affirmative defense). If that cellphone number is given by the consumer voluntarily (and, given the expansive logic of Baird, we wonder when it could be considered “coerced”), the defendant has obtained express consent. Baird leaves open a number of questions worth watching, including how far removed the third-party contractor can be from the company to whom a cellphone number was voluntarily provided. Judge Wilson seemed to think it was obvious to the consumer that a third-party might be utilized by an airline to provide flight status information, but how far does that go? We’ll be watching.

Article By:

Of:

Drinker Biddle & Reath LLP

California Continues to Shape Privacy Standards: Song-Beverly Act Extended to Email Addresses

Womble Carlyle

 

Executive Summary: California retailer restricted from requiring a customer email address as part of a credit card transaction. We knew that asking for zip codes is intrusive personal questioning, and now asking for email has been added to the list.

California’s Song-Beverly Credit Card Act (Cal. Civ. Code Sec. 1747 et seq.) (“Song-Beverly Act” or “Act”) restricts businesses from requesting, or requiring, as a condition to accepting credit card payments that the card holder provide “personal identification information” that is written or recorded on the credit card transaction form or otherwise. “Personal identification information” means “information concerning the cardholder,other than information set forth on the credit card, and including, but not limited to, the card holder’s address and telephone number.” The California Supreme Court has previously ruled that zip codes are also “personal identification information” under the Song-Beverly Act. See Pineda (Jessica) v. Williams-Sonoma Stores, Inc., 2011 Cal. LEXIS 1502 (Cal. Feb. 10, 2011).

Recently, a United States federal district court in California expanded “personal identification information” to include email addresses in a decision denying retailer Nordstrom’s motion to dismiss claims it violated the Song-Beverly Act. The plaintiff sued Nordstrom for collecting his email address as part of a credit card transaction at one of its California stores in order to email him a receipt, then subsequently using his email address to send him frequent, unsolicited marketing emails. See Capp v. Nordstrom, Inc., 2013 U.S. Dist. LEXIS 151867, 2013 WL 5739102 (E.D. Cal. Oct. 21, 2013).

Raising a case of first impression under California law, Nordstrom claimed that email addresses are not “personal identification information” under the Song-Beverly Act, so the Act did not apply. The court disagreed with Nordstrom and found the opposite based on the California Supreme Court’s earlier ruling in Pineda. Nordstrom’s argument that email addresses can readily be changed, unlike zip codes, and consumers can have multiple email addresses was not persuasive. The court held that an email address regards a card holder in a more personal and specific way than a zip code. Unlike a zip code that refers to the general area where a card holder works or lives, email permits direct contact with the consumer and implicates their privacy interests. The court concluded that the collection of email addresses is contrary to the Song-Beverly Act’s purpose to guard against misuse of personal information for marketing purposes. In particular, the plaintiff’s allegation that his email address was collected to send him a receipt and then used to send him promotional emails directly implicates the protective purposes of the Act as interpreted in Pineda.

Pineda held that zip codes are personal information for purposes of the Song-Beverly Act, and therefore a brick and mortar retailer violated the Act when it requested and recorded such data. In the Pineda decision, the California Supreme Court found that zip codes, like the card holder’s address expressly called out as “personal identification information” under the Act, were unnecessary to completing the credit card transaction and inconsistent with the protective purpose of the Act. This is especially true when a zip code is collected to be used with the card holder’s name in order to locate the card holder’s address, permitting a retailer to locate indirectly what it is prohibited from obtaining directly under the Act.

Nordstrom also argued that the plaintiff’s claims under the Song-Beverly Act were preempted by the federal “Controlling the Assault of Non-Solicited Pornography and Marketing Act” (better known as the CAN-SPAM Act), but the court disagreed. While the CAN-SPAM Act contains a preemption provision, it only preempts state laws that regulate the manner in which email messages are sent and their content, both of which are not regulated under the Song-Beverly Act.

Retailer tip: The federal court issuing this most recent decision recommends waiting to request an email address (or a zip code) until after the consumer has the receipt from their credit card transaction in hand, and then sending the consumer emails only in conformance with the CAN-SPAM Act.

In the wake of Pineda, retailers faced class action lawsuits for requesting consumer zip codes at check out. This new decision could have a similar effect.

Article by:

Of:

Womble Carlyle Sandridge & Rice, PLLC

New Online Privacy Policy Requirements Take Effect January 1, 2014

VedderPriceLogo

 

California Online Privacy Protection Act (CalOPPA)

Owners of websites, online services or mobile applications (apps) that can be accessed or used by California residents should ensure their compliance with the new amendments to the California Online Privacy Protection Act of 2003 (CalOPPA) by the law’s January 1, 2014 effective date.  The borderless nature of the Internet makes this law applicable to almost every website or online service and mobile application.  Accordingly, companies should review and revise their online privacy policies to ensure compliance with the new law and avoid potentially significant penalties.

Previously, CalOPPA required the owner of any website or online service operated for commercial purposes (an “operator”) that collects California residents’ personally identifiable information (PII) to conspicuously post a privacy policy that met certain content requirements, including identifying the types of PII collected and the categories of third parties with whom that information is shared. The new law requires that companies subject to CalOPPA provide the following additional disclosures in their privacy policies.

  • How an operator responds to “do not track” signals from Internet browsers and any other mechanism that provides consumers a choice regarding the collection of PII about an individual consumer’s online activities over time and across third-party websites and online services.  A company may satisfy this requirement by revising its privacy policy to include the new disclosures or by providing a clear and conspicuous hyperlink to a webpage that contains a description of any program or protocol the company follows to provide consumers a choice about tracking, including the effects of the consumer’s choice.
  • An affected company must disclose to users whether third parties may collect PII about a user’s online activities over time and across different websites when a consumer uses the operator’s website or online service. However, an operator is not required to disclose the identities of such third parties.

The California law does not require that operators honor a user’s “do not track” signals. Instead, operators must only provide users with a disclosure about how the website or mobile app will respond to such mechanisms. “Do not track” mechanisms are typically small pieces of code, similar to cookies, that signal to websites or mobile apps that the user does not want his or her website or app activities tracked by the operator, including through analytics tools, advertising networks, and other types of data collection and tracking practices.  Further, the Privacy Enforcement and Protection Unit of the California Office of the Attorney General recently stated that the required disclosures should not be limited to tracking simply for online behavioral advertising purposes, but those disclosures must extend to any other purpose for which online behavioral data is collected by a business’s website (e.g., market research, website analytics, website operations, fraud detection and prevention, or security).

A violation of the law can result in a civil fine of up to $2,500 per incident. The California Attorney General maintains that each noncompliant mobile app download constitutes a single violation and that each download may trigger a fine.

Given that most company websites will have California visitors, companies should consider taking the following steps to ensure compliance with the CalOPPA amendments by January 1, 2014:

  • Identify the tracking mechanisms in place on your company’s websites and online services, including (a) the specific types of PII collected by the tracking mechanism and (b) whether users have the option to control whether and how the mechanisms are used and how the website responses responds to “do not track” signals by seeking input from those familiar with your website, including (i) technicians and developers who understand the mechanics of how the website operates, including how it responds to “do not track signals,” (ii) financial and marketing personnel who understand how user PII is monetized, and (iii) any other stakeholders who access or handle user PII.
  •  Review the practices of any third parties that have the ability to track users on your website. To draft the new disclosures, you will need to understand how those third parties track your users and whether they are capable of doing so before or after the users leave your service.
  • Incorporate the information identified above to modify your online privacy policy to include the required behavioral tracking disclosures.
  • Retain the prior version of the policy in your records, including the date on which each version was posted to the site. The new version should have an updated effective date to distinguish it from the previous version.

Expansion of California’s Data Breach Notification Requirements

Under another new law taking effect on January 1, 2014, California will expand its data breach notification requirements by adding new types of information to the definition of “personal information” under California Civil Code §§ 1798.29 and 1798.82. The new law requires notification if a California resident’s personal information is compromised, and, as with CalOPPA, the breach notification requirements apply regardless of the location of the organization that sustains the breach.  Therefore, to the extent that your business collects and retains California residents’ PII, then the amended California breach notification law would apply.

Previously, the California law required notification of a data breach in the event of the unauthorized access to or disclosure of an individual’s name, in combination with that individual’s (i) Social Security number, (ii) driver’s license or California ID number, (iii) account, credit or debit card number, together with a security or access code, (iv) medical information, or (v) health information, where either the name or the other piece of information was not encrypted. Under the new definition, “personal information” will also include “[a] user name or email address, in combination with a password or security question and answer that would permit access to an online account.”

Accordingly, if your business or organization collects this type of information, then it should consider undertaking the following proactive measures to reduce the risk and magnitude of a potential data breach:

  • Periodically and systematically delete nonessential personal information. By deleting obsolete PII and other sensitive information, businesses can significantly reduce the risk of a breach.  Retaining such obsolete legacy PII serves no business purpose, but only adds unnecessary exposure and potential liability.
  • Conduct a PII inventory and perform a risk assessment of your security measures.  Identify what PII is being collected by your organization, where it is retained, who has access to the PII and  the security measures to protect the PII.  Ensuring that sufficient protections are in place may not prevent every incident, but they can reduce the possibility of an incident occurring in the first place and limit the disruption to your business if there is a breach.
  • Limit the disclosure of PII to third parties only when necessary to provide services or products. You can be equally responsible for a data breach notification if the person or entity who experiences the data breach was a third party who received PII from you. Any vendor or third party with whom you share PII should contractually represent and warrant that they have in place certain standards for protecting that information and agree to indemnify your company for any loss that results from a breach.

 

Article by:

Of:

Vedder Price

Can Law Firms Get Business From the Internet?

Correct Consults Logo

 

Yes, but…

Law firms can absolutely get business from the Internet when armed with a strong plan and backed by an appropriate investment.

How Has Internet Marketing for Lawyers Changed?

The Internet is no longer dominated by single industry websites that people simply visit and read. Today, consumers can interact.  They can browse a website, look at and comment on a firm’s Social Media pages, view a law firm’s rating and write their own review.

Business from the Web

A few years ago, a law firm could set up a website, do some on-page search engine optimization (SEO) work, add a few links and get site rankings and cases. Today, search engines look at a variety of factors to determine if a site has value. Search engines look at content to ensure that it is relevant and has true value. They look at visitor activity. They analyze incoming links for quality and relevance. They look at a law firm’s online presence, including other websites and social signals.

The potential for attracting new clients through the Web is tremendous. While other advertising mediums are shrinking, the Web’s growth continues to be explosive. Law firms that take the right approach and are selective in choosing their vendors are drawing more clients and cases to their firm.

What Should Law Firms Seek in a Web Marketing Vendor?

Law firm SEO vendors who have been watching the Internet as it changes know what it takes to make a practice succeed online. When searching for the right vendor, look for one with proven success and a team of experts.

Successful Internet marketing for lawyers requires more than just a designer with an eye for professional flair. The vendor should customize websites and SEO campaigns. Some of the larger vendors employ great salespeople, but clients are provided with cookie-cutter designs and template SEO processes.

Your marketing provider should be legal specific. The firm should not have to push the vendor through projects to get work accomplished. The vendor should understand and be able to easily navigate the world of legal marketing. The vendor should have licensed attorneys who understand and can navigate the ethics of law firm marketing. Prior to hiring us, one of our clients had been forced to spend more than twelve painful months and significant staff-time to launch his site.

Look for a Web marketing company with sufficient staff to support your campaign.  The staff should include professional designers, attorney content managers, programmers, a Social Media team, marketing consultants and strong account managers.

The best vendors are those that endeavor to be a law firm’s partner, not just a vendor. When you find a company that gives your firm the personalized attention it needs, they can be a true asset. This type of vendor will grow with your firm instead of making a sale to you and then going down the street to sell to your competitors. They commit to your firm’s long-term success and return on investment.

What Kind of Return Does Internet Marketing for Law Firms Offer?

If law firms are partnering with the right SEO vendor, there can be huge return on investments for the firm. One of our clients, Ken Hardison, receives a 10 to 1 return on every dollar he invests.  Another client recently settled a case the firm acquired from the Internet for close to $10M. Our Motor Vehicle Accident, Social Security, Workers’ Compensation, Family Law and Bankruptcy clients receive several cases from the Web each month.

Today, very few prospective clients go to the Yellow Pages to find a lawyer or law firm; they search on the Internet first. Achieving a successful ROI through online marketing takes time and strategy, but there are solid results available to those to who invest properly. We work hard for our clients to rank high in the search engines and have compelling websites so they will get the call.

Article by:

Consultwebs.com, Inc.

Of:

LeAnna Easterday