California Senate Passes SB 383 Expanding The Song-Beverly Credit Card Act to Online Transactions of Downloadable Content

This post was written by Lisa Kim and Jasmine Horton.

On January 30, 2014, the California Senate approved SB 383, which amends the Song-Beverly Credit Card Act (Song-Beverly Act) to apply to online credit card transactions of electronic downloadable content (e.g., music, videos). Originally crafted to apply to all online credit card transactions, the bill has been resurrected in pared-down form from its death in the Senate last May.

The revised SB 383 allows online merchants to collect personal information, such as zip codes and street addresses, in connection with online credit card transactions of electronic downloadable products, provided that the information is: (1) used only for fraud detection and prevention purposes, (2) destroyed after use, and (3) not shared unless obligated by law to do so. The bill also allows for the collection of additional personal information only if the consumer elects to provide it, and if s/he is informed of the purpose and intended use of the requested information, and has the ability to opt out before the online transaction is complete.

The Song-Beverly Act, as it currently stands, prohibits merchants from asking for any personal identification information, other than a form of personal identification (e.g., driver’s license), in order to complete a credit card transaction. While there are specific exceptions to this rule, such as allowing zip codes at gas pumps and personal information when it's incidental to the transaction (i.e., for shipping and delivery purposes), it is unclear whether such prohibitions apply to online transactions where there is no actual human interaction. Indeed, in February of last year, the California Supreme Court held that Song-Beverly did not apply to online transactions involving downloadable products. See Apple Inc. v. Superior Court, 56 Cal.4th 128 (2013).

SB 383 is in direct response to the Apple case, but given its narrow application to just downloadable products, it still does not answer the question of whether the Act applies to other online transactions, such as those where the product is mailed to the consumer or picked up in the store. Many trial courts are holding that it does not, and plaintiffs are challenging these decisions in the appellate courts. See e.g., Salmonson v. Apple, Cal. Court of Appeals, Case No. B253475 (appealing court decision that Song-Beverly Act did not apply to online transactions picked up at store); Ambers v., 9th Circuit Case No. 13-55953 (appealing court’s decision that Song-Beverly Act did not apply to online purchase shipped to customer). Arguably, since the Legislature had the opportunity in the original bill to apply the Act to all online transactions and yet chose not to do so, online merchants may have some additional legislative history to assist them in upholding these rulings.

We will be keeping our eyes on this bill as it moves through the Assembly. It will be interesting to see whether the pending appeals impact the development of this legislation, and vice versa.

Judge Narrows App Litigation, But Lets Plaintiffs Press On

This post was written by Christopher G. Cwalina, Paul Bond, and Christine E. Nielsen.

A recent decision in ongoing litigation over mobile application practices shows how difficult the defense of privacy class actions can be. Even if the defense wins dismissal of some causes of action, the survival of any cause of action may force the defendant into costly discovery.

On June 12, U.S. District Judge Lucy Koh granted in part and dismissed in part Motions to Dismiss filed in the iPhone Application Litigation MDL in the Northern District of California, case no. 5:11-md-02250. In this case, plaintiffs claimed defendants violated plaintiffs’ privacy rights by unlawfully allowing third-party applications to collect and use personal information, including location information, from users’ mobile devices without consent. Plaintiffs brought 13 causes of action against Apple and the Mobile Industry defendants, including those based on federal statute, state statute, contract law, tort, and equity.

Defendants contended that plaintiffs lacked Article III standing and the case should be dismissed for lack of subject matter jurisdiction. They argued that plaintiffs failed to allege actual injury-in-fact. Judge Koh disagreed, noting that “Plaintiffs have alleged actual injury, including: diminished and consumed iDevice [iPhone, iPad, and iPod Touch] resources, such as storage, battery life and bandwidth; increased, unexpected, and unreasonable risk to the security of sensitive personal information; and detrimental reliance on Apple’s representations regarding the privacy protection afforded to users of iDevice apps.” The court found that plaintiffs’ alleged overpayment for those devices was enough to establish standing under California’s Unfair Competition Law (UCL). The court then found that the alleged business practices may be unlawful under California’s Consumer Legal Remedies Act (CLRA), unfair in that they are injurious to consumers and may not be outweighed by benefits to consumers, and fraudulent in that Apple made misrepresentations and material omissions to induce the purchase of mobile devices.

In addition, the court declined to dismiss the claims on the grounds that Apple’s Privacy Policy expressly permitted the collection and transfer of user data at issue, in part because the policy’s language was ambiguous as to the exact definition of “personal information.” Although many of the counts against Apple, and all of the counts against the other Mobile Industry defendants – Admob, Inc., Flurry, Inc., AdMarvel, Inc., Google, Inc., and Medialets, Inc. – were dismissed, counts against Apple under the CLRA and UCL will proceed.

Notably, the court rejected Apple’s argument that all of the claims should be dismissed on the grounds that Apple has permission to collect and transfer user data pursuant to the Privacy Policy. On this point, the court said that “Plaintiffs have a colorable argument that the terms of the privacy agreement were ambiguous and do not necessarily foreclose the remaining claims against Apple.” The court stated that there was ambiguity as to whether something like a user’s unique device identifier is “personal information” under the terms of the privacy policy, and thus whether its collection and use was consistent with that policy. While this is one trial court decision on a preliminary motion, the decision reinforces the need for companies to closely examine disclosures to see how well they would hold up in any subsequent litigation.

Mobile Application Developers: California AG Settlement with Amazon, Google, Apple and Other Mobile Application Platform Providers Sends Privacy Compliance Obligations Your Way

This post was written by Paul Bond, Christopher G. Cwalina, Khurram Nasir Gore, Amy S. Mushahwar and Steven B. Roosa.

A warning from the California Attorney General’s office to mobile app developers: “Don’t get cute!” On February 22, California’s Attorney General Kamala Harris announced that her office and the six leading mobile application platform providers – Amazon, Apple, Google, Hewlett-Packard, Microsoft, and RIM – have agreed to a statement of principles that ask mobile app developers to inform users of their privacy practices before users purchase or download the app. In a press conference, Harris made it clear that failure to comply with the agreed-to principles by the thousands of mobile app developers churning out applications could lead to lawsuits being filed by the Attorney General’s office against developers.

For a detailed analysis, please click here to read the issued Client Alert.

Carpe datum? Apple app developer, Google, under intense scrutiny in challenges to data collection practices.

This post was written by Cynthia O’Donoghue and Nick Tyler; Paul Bond, Christopher G. Cwalina and Steven B. Roosa.

Following the widely reported allegation that a social network’s iPhone app had uploaded the names, addresses and phone numbers of users’ contacts onto their servers without permission, both Apple and U.S. legislators have moved swiftly to try to curb this practice.

Path, the company responsible, has apologised and promises to delete the uploaded contact information from its servers. Path has released a new version of the app that asks users for permission to upload their contacts onto Path’s servers (similar to their existing Android version of the app).

For its part, Apple has responded to this situation by modifying its app-related policies. Going forward, Apple will require all smartphone apps to obtain users’ permission before accessing users’ contact information. Apple’s existing iOS App Guidelines already prohibited non-consensual collection of such information, but now consent will be defined as “explicit user approval”. For existing apps, changes to the process of obtaining consent will have to wait for the next release of software.

In addition to action taken by Path and Apple, the U.S. government has initiated responsive steps. Two members of the U.S. House of Representatives, Reps. Henry Waxman (D-Cal.) and G.K. Butterfield (D-N.C.), wrote to Apple’s CEO, Tim Cook, wanting to know more about the Guidelines and iTunes Store policies. In their letter, the Congressmen cited an allegation that the practice of uploading and storing user contacts is tacitly accepted - there being “a quiet understanding among many iOS app developers” that they can do so.

If true, this would suggest that the “Path situation” is just the tip of an iceberg. With the proliferation of apps, it is easy for companies to make apps available to the public without terms and conditions and/or privacy policies alerting users to their practices – a situation that creates the potential to flout not only Apple's rules, U.S. laws, and best practices, but also global data privacy laws. Governmental and regulatory hackles will inevitably be raised, particularly as the practice in question was at the heart of Google Buzz, resulting in a class action lawsuit, a US$8.5 million settlement, and a 20-year regulatory audit program.

Not only has Path not followed Apple’s Guidelines, but Google, as reported in the Wall Street Journal, has also been accused of bypassing the default privacy settings on Apple’s Safari browser, allowing Google to track iPhone users’ behavior. Google has now disabled those cookies and stressed that “the advertising cookies do not collect personal information”, a view that may be contrary to the EU data privacy laws. Apple is “working to put a stop” to any ability to get around Safari’s default privacy settings. Consumers have already launched related class action suits against Google in federal courts in Delaware, Kansas, Missouri, and New Jersey.

Stories like these only increase awareness of regulators in the United States and across Europe. With the potential for class actions and consent decrees in the United States, and with the draft EU Data Protection Regulation setting penalties at up to 2 percent of a company’s annual worldwide turnover, organisations need to have mechanisms in place to ensure they are in compliance with their contractual obligations, such as Apple’s iOS Guidelines, and with consumer protection and worldwide privacy laws. A failure to do so will leave companies open to investigation and litigation unless they can get a firm handle on the apps that bear their name and brand reputation.

Global Supply Chain: Human Trafficking, Sourcing, and Transparency - Do Your Suppliers Know What You Expect From Them? Do You?

This post was written by James P. Gallatin, Jr.

Companies with global supply chains are rapidly imposing detailed standards for their suppliers that go way beyond the traditional performance and quality specifications. Until recently, the most obvious categories of concerns for global manufacturers were rules of origin for products and parts for purposes of customs valuations and treaties, heightened by protectionist legislation such as that recently introduced in the U.S. Congress regarding steel. Now come laws regarding the use of conflict minerals, and the state of California (where else?) has gotten into the action to require the disclosure of how companies act to prevent human trafficking in their supply chain. And Apple is grappling publicly with allegations regarding its China-based manufacturing.

To minimize legal challenges and, more importantly, brand damage, companies with global supply chains are moving rapidly to address a broad range of issues with every level of those chains. They are imposing detailed and public supplier standards for workers' health and safety, wages and benefits, and the use of child labor, as well as prohibitions against the use of coercion and discipline to maintain a workforce, and prohibitions against forced sex. Two examples of companies that have imposed such standards are Hewlett Packard, the U.S.-based manufacturer of IT products, and LEGO, the Danish manufacturer of children's toys and games. Their standards and practices reflect the dramatic impact that recent laws and social norms are having on such diverse global enterprises. 

But standards are not enough. Companies with global supply chains are also moving rapidly to enforce these standards through unannounced audits and inspections, and by reviewing facilities, inspecting records, and interviewing current and former employees. They are using internal or third-party resources, and are cooperating with local governments, NGOs, and international standards organizations. Where they find noncompliance, they are taking action under their agreements. Many companies are still trying to figure out where their products are actually being made this month. They are falling behind today's norms.