Service Provider Exemption in the CCPA

One of the larger exemptions to being deemed a seller of personal data under the CCPA is the “service provider” exemption. I am not going to quote the statutory language as frankly its written in a confusing way. But the CCPA states that a business will not be deemed a seller of personal data, with respect only to its relationship with a service provider, where such business uses or shares with a service provider personal information of a consumer, where:

  • its necessary to perform a business purpose, and
  • the service provider does not further collect, sell or use the personal information, and
  • the business has provided notice that information is being used or shared in its terms and conditions (which should comply with CA law, see 1798.135)

The CCPA broadly defines “business purpose” as that which uses the personal information for the business or a service provider for reasonable and necessary uses proportinate to get the operational purpose for which it was collected. Specifically, auditing, security purposes, debugging, transient use, performance of services (providing accounts, customer service, etc.), internal research, verifying quality or security of services or products.

If a business gets a right to delete information, it should pass that request along to its service providers and they should process the request and delete the information they have.

An agreement addressing specific items should be in place between the company and its service providers and many companies are now scrambling to amend all of their current agreements with service providers to ensure compliance with CCPA.

Digital Signatures – Basics of Hashes and Encryption

When dealing with online contracting, blockchain, clickwrap agreements, smart contracts, or just generally these days (and certainly in the future), you will come across the terms “hash” and “encryption.” Especially when discussing digital signatures. We’ll try to distill these a bit for you.  These are all regularly used in the transmittal of electronic information and verification of the information, the sender and/or receiver. Read more

Browsewrap License Cases: Other

  • Hubbert v. Dell Corp., 2005 WL 1968774 (Ill. App. Ct. 2005) (court upheld arbitration clause in Dell’s for cause regarding alleged false claims made by Dell to online purchasers of the computers. Court found different colored hyperlinks on each page like a multipage contract).
  • Hines v. Overstock.com, Inc., 668 F. Supp.2d 366 (E.D.N.Y. 2009) (both arbitration and forum selection clause invalid due to no actual or constructive notice)
  • Van Tassell v. United Mktg. Group, LLC, 795 F. Supp. 2d 770 (N.D. Ill. 2011) (holding arbitration provision was unenforceable where it was included website’s conditions of use but difficult to find, because users had to scroll all the way down home page, click on Customer Service link, then scroll down and click another link to find it).
  • Friedman v. Guthy-Renker, LLC, 2015 US Dist LEXIS 24307 (C.D. Cal. Feb. 27, 2015) (where two plaintiffs clicked on checkbox that only referenced credit card terms prior to purchase, arbitration not binding; for plaintiff who clicked on checkbox which had a link to the terms the arbitration provision was binding)
  • Cvent, Inc. v. Eventbrite, Inc., 739 F. Supp. 2d 927 (E.D. Va. 2010) (terms of use not valid as they were buried at bottom of first page and on no other page).

Browsewrap License Cases: In re Facebook Biometric Information Privacy Litigation, 185 F. Supp. 3d 1155, 2016 U.S. Dist. LEXIS 60046, (N.D. Cal. 2016)

In In re Facebook Biometric Information Privacy Litigation, 185 F. Supp. 3d 1155, 2016 U.S. Dist. LEXIS 60046, (N.D. Cal. 2016):

  • A class action against Facebook was filed pursuant to the Illinois Biometric Informration Privacy Act (BIPA). Parties agreed to transfer case to N.D. California, but wanted Illinois law (and not CA law) to apply.
    • Plaintiff’s alleged that facial and other recognition used by Facebook violated BIPA
  • Facebook argued that its choice of law clause in its current Terms of Use required the use of CA law.
  • There were three plaintiffs at issue and court reviewed the sign up procedure for each (2005, 2008 and 2009).
    • When Facebook updated its Terms it emailed a notice to all user’s email addresses and the next time each user logged on, they saw “jewel” notification in their personal newsfeed alerting to the change in such documents but no affirmative action was required by each user).BUT said the general and individualized notice was enough, that the agreement was effective, but that in the situation it would not apply CA law.
  • The Court said that the notice provided by Facebook was enough to have a binding choice of law provision (seemed to like the “personalized” nature of the news feed notice).
  • But the Court then still chose to apply IL law as opposed to CA.

Browsewrap License Cases: Nguyen v. Barnes & Noble, Inc., 763 F.3d 1171 (9th Cir. 2012)

In Nguyen v. Barnes & Noble, Inc., 763 F.3d 1171 (9th Cir. 2012):

  • B&N was unsuccessful in enforcing an arbitration provision in its online Terms of Use.
    • Court found that there was no evidence of Nguyen having actual notice of the Terms of Use or acknowledgement of same.
    • Found that under circumstances a reasonably prudent user would not be on inquiry notice of the Terms of Use
    • Court said Terms of Use where hard to find and barely noticeable.
      • Said “inquiry notice” turns on “design and content of the website and agreement’s webpage.”
  • This case was followed by e.g., Long v. Provide Commerce, Inc. 245 Cal. App. 4th 855 (Cal. Ct. App. 2016) (refused to compel arbitration, stated that to put users on notice you need conspicuous hyperlink plus notice that it contains binding terms. A conspicuous notice alone is not enough).

Browsewrap License Cases: Jerez v. JD Closeouts, LLC, No. CV-024727-11, 2012 WL 934390 (N.Y. Dist. Ct. 2012).

In Jerez v. JD Closeouts, LLC, No. CV-024727-11, 2012 WL 934390 (N.Y. Dist. Ct. 2012):

–The court held that a terms of sale provision found on the “About” page of the website was not enough to enforce the forum selection clause.

  • Plaintiff ordered products ($6,000 worth of tube socks) over the Internet, and sued claiming there were defects.
  • Seller moved to dismiss claiming the forum selection clause required the dispute be heard in a Florida state court, and Plaintiff claimed he never saw clause.

–Court found the clause was not reasonably communicated where it was “buried” and “submerged” on the website, and could only be found by clicking on an “inconspicuous” link to the company’s About Us page.  Seller’s attempt to have the terms incorporated by reference in a printed contract and letter agreement were not enough for the court.

  • Court relied on Specht and Carnival Cruise Lines.

–Similar holding in Cvent, Inc. v. Eventbrite, Inc., 739 F. Supp. 2d 927 (E.D. Va. 2010).

Browsewrap License Cases: Ticketmaster Corp. v. Tickets.com, Inc., 2003 U.S. Dist. Lexis 6483 (C.D. CA., March 7, 2003)

In Ticketmaster Corp. v. Tickets.com, Inc., 2003 U.S. Dist. Lexis 6483 (C.D. CA., March 7, 2003):

–Tickets.com used deep links to Ticketmaster’s interior pages, in violation of Ticketmaster’s terms of use which were on its homepage.

–Relying on Register.com and Pollstar, the court held that a contract can be formed by use of a website, provided the user, at the time of use, has knowledge of the site’s terms and conditions that provide that such use constitutes an agreement to be bound.

  • Court relied on “cruise ship” case law precedent. It analogized interior web pages to the back of a cruise ship ticket’s venue clause, where user has actual or presumptive knowledge.

–Court found that Tickets.com used Ticketmaster’s site with full knowledge of the terms, and upheld such terms in the breach of contract action.

Browsewrap License Cases: Pollstar v. Gigmania, Ltd., 170 F. Supp. 2d 974 (E.D. CA 2000).

In Pollstar v. Gigmania, Ltd., 170 F. Supp. 2d 974 (E.D. CA 2000):

–Pollstar kept track of concert information on its website, which any user could download by accepting the terms of Pollstar’s license.

»License prohibited commercial use of information.

»License was not on Pollstar’s homepage, but on different page of its site.

»Visitor is alerted to existence of Pollstar’s license only by reason of a small grey print on grey background (with a link to terms, but other links on homepage were blue)

–Gigmania downloaded information from Pollstar’s site and used it on its own site for commercial purposes. Pollstar sued to enforce terms.

–The court refused to enforce the terms of the license agreement because it found that the link to the license was hard to read based on the way it was presented.

  • Notably, the court did not rule that the license agreement was unenforceable, only that the website did not give users adequate notice of it.

Browsewrap License Cases: Register.com v. Verio, Inc., 356 F.3d 393 (2d Cir. 2004).

Below is a brief overview of Register.com v. Verio, Inc., 356 F.3d 393 (2d Cir. 2004):

–Register.com sued Verio for violating the terms of use of its WHOIS database, which Verio used to get information on who registered domain names with Register.com to offer web services to the registrants.

  • As part of receiving the information from WHOIS, Register.com’s terms stated that the domain name registrant information, which consisted of email, phone number and mailing address, could not be used for marketing purposes. The terms of use were, however, proffered after the domain name registrant information was presented to the user of the WHOIS database.

–VERIO claimed there was no contract as it never agreed to the terms, and in any event any user of the WHOIS site could receive the information before seeing the terms.

  • The court said that this argument may only have worked if Verio used the WHOIS database once, but Verio did it every day with full knowledge of the terms.

–The Second Circuit held that Verio’s continued use of Register.com’s WHOIS database constituted consent to Verio’s terms of use, expressly  rejecting Verio’s argument that they were not enforceable because the user had not clicked an “I agree” icon.

 

Browsewrap License Cases: In re Zappos.com, Inc. Customer Data Security Breach Litigation, 893 F.Supp. 2d 1058 (Dist. Ct. Nevada 2012).

Here is a brief summary of the case In re Zappos.com, Inc. Customer Data Security Breach Litigation, 893 F.Supp. 2d 1058 (Dist. Ct. Nevada 2012):

–Users sued in multiple forums for damages due to a security breach.

  • Zappos filed a motion to compel arbitration in Las Vegas pursuant to its terms of use agreement, which was a typical browsewrap agreement which also gave Zappos the right to amend any of the terms as it saw fit.

–Zappos had a hyperlink on each page of its website to the terms but it was hard to see, being the same size and color as other insignificant links, and located ¾ of the way down the page.  The website never prompted or directed a user to the terms even when purchasing a product or opening an account.

–Court concluded that the plaintiffs may have never seen the terms, so in no way could be deemed to have actually or constructively agreed to them. No assent, no contract.

  • Sidenote: The Court also held the arbitration provision was an illusory contract (and therefore not enforceable) because Zappos was able to amend the Terms as it saw fit at any time. See Grosvenor v. Qwest Corp., 854 F. Supp. 2d 1021 (D. Colo. 2012) for this same holding.