California Privacy Rights Act

California Privacy Rights Act (CPRA)

/in /by

California Privacy Rights ActConsumer protection has been of paramount importance to both lawmakers and residents in California for a long time, resulting in extremely strong laws that limit what companies can do with customer data and personal information. One of these laws addressing digital privacy concerns is the California Privacy Rights Act (CPRA), a new consumer privacy law that recently went into effect. The data protection law was passed by California residents through a referendum on the ballot in the 2020 general election. The CPRA was intended to be the most comprehensive consumer privacy legislation in the United States. Along with the California Consumer Privacy Act (CCPA), the CPRA set the standard for government protection of data privacy rights.

To learn more about the California Privacy Rights Act and how it affects both consumers and businesses, keep reading.

Who Does the CPRA Apply to?

Any for-profit company that does business in the state of California and that has significant gross annual revenues is subject to the regulations of the California Privacy Rights Act (CPRA). Additionally, if a company solicits customers in California and collects their personal information at any point, the company may be required to comply with the statute.

The CPRA can also apply to third parties that have been given access to a consumer’s personal data. If a company shared your information with a third party and you subsequently requested that the information be corrected or deleted, the company must pass on the request to the third party. The same is true for service providers and contractors: a company that shares customers’ personal information with these individuals and/or entities must instruct them about the CPRA requirements, and any violations by these other parties could expose the company to liability.

Additionally, the CPRA doesn’t apply only to consumers. CPRA protections also apply to employees who work for companies that monitor and use their data.

What Is the California Privacy Rights Act?

The California Consumer Privacy Act (CCPA) was the first state privacy law. The California Privacy Rights Act (CPRA) amended the CCPA and made California’s privacy laws even more consumer friendly. At the same time, the CPRA also strengthened existing protections for consumers by requiring businesses to comply with much stricter consumer privacy regulations.

New Obligations for Businesses Under the CPRA

The California Privacy Rights Act (CPRA) imposed further obligations on companies that do business in California and collect personal information from customers. For example, the CPRA created new compliance rules for businesses. This includes the elimination of a previous rule that gave companies 30 days to “cure” any violations of the CCPA. Now, any company that violates the CPRA is subject to monetary penalties under the statute.

Additionally, under the CPRA, companies must take affirmative steps to protect customers’ personal information against data breaches. This means that companies must implement reasonable security measures to ensure that personal data is not illegally accessed by others.

Businesses are also required to perform annual cybersecurity audits to confirm that no breaches have occurred. Businesses must submit the results of these audits to the California Privacy Protection Agency, in addition to conducting regular risk assessments that weigh the benefits of collecting consumer information against the security risks.

CPRA Created New Consumer Privacy Rights

The CPRA formally created a number of new privacy rights for California consumers, including the following:

  • Consumers can opt out of sharing their personal information with businesses.
  • Consumers can opt out of allowing businesses to use their “sensitive personal information.” This includes the customer’s Social Security number, driver’s license, state ID card, passport, credit card or debit card, bank account, geolocation data, and emails or text messages. It can also include information about the customer’s racial or ethnic origin, religion, genetic data, health data, and sexual orientation.
  • Consumers have the right to correct any personal data that is inaccurate. This means that businesses must provide customers with a means to review and then correct wrong information.
  • Consumers can legally access information about how the company is storing and using their data, as well as the data retention period.

What Types of Data Are Protected by the CPRA?

Basically, the California Privacy Rights Act (CPRA) protects any information that could be used to identify an individual. This includes things like the person’s name, email address, Social Security number, driver’s license number, state ID card, passport number, bank account or other financial account numbers, credit card or debit card numbers, and physical address.

When a company collects this type of information from a consumer, the consumer has a legal right to be notified. Moreover, once notified, the consumer has the legal right to demand that the information be corrected or deleted.

Sensitive Personal Information Protected by the CPRA

Data security is paramount in an age when information can be misused so easily. That’s why the CPRA places even stricter requirements on companies that collect consumer data deemed to be “sensitive personal information.”

What Is “Sensitive Personal Information”?

The California Privacy Rights Act (CPRA) defines a consumer’s “sensitive personal information” as including any of the following:

  • Social Security number, driver’s licenses, state ID card, or passport.
  • Website or app log-in information.
  • Bank accounts, credit cards, debit cards.
  • Geolocation data that identifies the consumer’s location.
  • Race, ethnicity, or religion.
  • Sexual orientation.
  • Email or text messages.
  • Genetic data.

The CPRA can also be updated by lawmakers in the future to add more categories that would qualify for protection as sensitive personal information. This definitional flexibility is codified in the statute to “address changes in technology, data collection practices, obstacles to implementation, and privacy concerns.”

How Sensitive Personal Information May Be Used

The CPRA places limitations on how businesses may use customers’ sensitive personal information. A business can only use this type of information to the extent necessary to perform services or provide goods reasonably expected by the consumer. Any use beyond this scope violates the statute.

Disclosures About Sensitive Personal Information

The statute stipulates that businesses must provide clear disclosures about the fact that they are collecting this type of information, as well as disclosures about how the information will be used. For example, a business should create a link on its company website that informs consumers of the collection practices and that gives them the ability to opt out of the collection and/or sharing of their data.

The California Privacy Protection Agency Is Tasked with Enforcing the CPRA

Section 24 of the CPRA created the California Privacy Protection Agency (CPPA), a state agency that implements and enforces the consumer privacy law. The CPPA receives reports of privacy law violations and then conducts investigations to determine whether companies should be penalized under the statute.

The CPPA is not the only state agency that oversees and enforces the CPRA. The California Department of Justice is also heavily involved in enforcing the law and ensuring that consumer privacy rights are protected.

What Are the Penalties for Violations of the CPRA?

The CPRA imposed substantial monetary penalties for noncompliance by companies. These penalties include a fine of $2,000 for each violation.

The penalties may be increased in certain circumstances:

  • $2,500 for each negligent violation of the statute.
  • $7,500 for each willful violation of the statute.

Civil Suits Filed Under the CPRA

The original consumer privacy law, the California Consumer Privacy Act (CCPA), gave consumers whose personal data was compromised a private right of action to bring a civil suit against the company that failed to prevent the data breach and protect consumers against invasions of privacy. But there were limitations on what exactly qualified as a “data breach” under the old statute. Under the new customer privacy regulations of the California Privacy Rights Act (CPRA), the types of data breaches that may expose a company to civil liability are greatly expanded: if a business fails to protect customer information such as an email address, username, password, or security question, the business could be sued by the victim.

Contact the Los Angeles Consumer Protection Lawyers at Tauler Smith LLP

Are you a California resident? Did you visit a website that collected your personal information without authorization? Was your personal information exposed in a data breach? You may be eligible to recover statutory damages under the California Privacy Rights Act (CPRA). The experienced Los Angeles consumer protection attorneys at Tauler Smith LLP can help you file a complaint with the CPRA and possibly file a civil lawsuit for financial compensation.

Call us today at 310-590-3927 or send an email to schedule a free consultation.

FTC Rule on Automatic Renewals

FTC Rule Proposal on Automatic Renewals

/in /by

FTC Rule on Automatic Renewals

The Federal Trade Commission (FTC) may soon pass new rules that strengthen federal protections for consumers who purchase products or services that are automatically renewed. The FTC rule proposal on automatic renewals would impose strict requirements on companies that offer automatic renewal subscriptions, or negative options, to consumers. Federal statutes and rules typically refer to automatic renewals as “negative options” because the absence of any affirmative action by the customer is enough to justify the auto-renewal. In other words, silence or inaction by the consumer is construed as acceptance of the auto-renewal contract. The amended FTC rule would make it easier for consumers to cancel their auto-renewal subscriptions, and it would impose civil penalties on companies that violate federal law.

For more information about the proposed amendments to the FTC Rule on Automatic Renewals, keep reading this blog.

What Is the Federal Law on Automatic Renewals?

California consumer protection lawyers are familiar with California’s Automatic Renewal Law (ARL), which regulates businesses that offer auto-renewing subscriptions to consumers in the state. The federal analogue to the ARL is the Negative Option Rule, which has been in effect in every state for 50 years. The Negative Option Rule is enforced through Section 5 of the FTC Act. In this context, automatic renewals are called “negative options” because sellers are allowed to interpret a customer’s silence as implied acceptance of an auto-renewal offer.

There are some major limitations on the Negative Option Rule. For example, the federal law only regulates prenotification plans. This means that the law only applies to companies that attach auto renewals to customer agreements before the sale of products or services.

FTC Proposes Amendment to the Federal Rule on Automatic Renewals

The FTC has proposed amendments to the federal Automatic Renewal Law. The suggested changes to federal law would have a significant effect on many state laws, especially in states that do not already regulate auto-renewal subscriptions. Some of the specific regulations that would be modified or added to federal law under the rule change include:

  • Mandatory upfront disclosures of auto-renewal plans.
  • Penalties for company misrepresentations about auto-renewal plans.
  • Obtaining consumer consent for enrolling in auto-renewal plans.
  • Annual reminders about automatic renewals.
  • Easier cancellation of auto-renewal plans.

Ultimately, the FTC will decide whether to approve or decline the proposed rule changes. The federal agency might also decide to make revisions and then open up the new amendment for public comments.

Auto-Renewal Disclosures

One of the biggest changes being proposed for federal law is to require businesses to disclose any auto-renewal terms in a way that ensures that customers will see the terms. The current federal law stipulates that businesses must place auto-renewal terms in “visual proximity” to a request for consent. By contrast, the new rules would require these disclosures to be “immediately adjacent,” or right next to, any text about customer consent so that the disclosures are easily noticeable or difficult to miss. In other words, companies won’t be able to hide the auto-renewal consent text.

Additionally, the proposed FTC rule calls for companies to disclose particular information before customers can legally consent to an automatic renewal plan:

  • Will payments be recurring?
  • What is the cost of the subscription, including the auto-renewals?
  • When will the subscription first automatically renew, and on what dates or at what intervals thereafter?
  • What is the deadline to cancel the subscription before it automatically renews?
  • What is the process for canceling the subscription?

The amended FTC rules would require companies to provide this information for all types of transactions involving recurring contracts, not just those occurring online. That’s because the rules would apply to offers made on the internet, in print publications and advertisements, during telephone solicitations, and in person at brick-and-mortar retail stores.

Misrepresentations About Auto-Renewal Plans

California consumer fraud lawyers will tell you that the state’s false advertising laws impose severe restrictions on the sales practices of companies that do business in the state. Companies that violate these laws may be subject to both civil liability and criminal penalties for egregious conduct. The proposed FTC rules would go a long way toward catching up with California’s regulations of companies that offer auto-renewal plans by applying federal regulations to misrepresentations about the entire sale agreement. For instance, the federal law would explicitly bar companies from misrepresenting a material fact related to any part of a transaction involving an automatically renewing subscription, even if the misrepresentation has nothing to do with the auto-renewal.

Consumer Consent for Auto-Renewals

The proposed changes to FTC rules would include a requirement that companies obtain affirmative consent from consumers before an auto-renewal contract becomes legally binding. Importantly, the customer’s consent for auto-renewal terms would have to be separate and apart from their consent for the transaction or purchase itself. For example, the business would not be able to hide the auto-renewal agreement or otherwise confuse the customer into thinking that they are only agreeing to the original purchase. As set forth by the recommended FTC rules, the request for affirmative consent from the consumer for the auto-renewal subscription would likely have to be a “check box, signature, or other substantially similar method.”

Additionally, companies will need to maintain a record of the customer-provided consent for a period of at least three (3) years from the date on which the subscription was first approved, or for one (1) year after the subscription has been cancelled.

Annual Reminders About Auto-Renewals

The FTC rule amendment under consideration would require companies to send annual reminders to customers about any auto-renewing subscriptions that involve products or services other than physical goods. The reminder must be sent annually even if it is not a yearly subscription plan. Additionally, these annual reminders would need to be in plain language that clearly identifies the product subscription or service being renewed, the dollar amount of the subscription, the frequency of the renewals, and the process for cancelling the subscription. The reminder would also have to be sent to the consumer in the same manner that they initially provided consent for the auto-renewal plan.

Cancellation of Auto-Renewals

The FTC rule changes would also require businesses to make it easy for customers to immediately cancel their auto-renewal subscriptions. For example, the cancellation option must use simple and easy-to-understand terms. The customer must also be given the ability to cancel through the same method they used to make the initial purchase, meaning that an online purchase could be cancelled on the company’s website.

Another requirement under consideration by the FTC is that companies would not be able to make any additional offers when a customer is attempting to cancel their auto-renewal subscription. These types of offers are known as “save attempts” because they tend to involve the business trying to save the auto-renewal subscription from cancellation. The idea here is that businesses should not be allowed to confuse customers with unclear terms or modifications that might dissuade them from cancelling their subscription.

FTC Rule on Auto-Renewals Regulates Business-to-Business Contracts

The California Automatic Renewal Law (ARL) is considered by many to be the strongest such law in the country, imposing requirements on businesses that go far beyond anything in current federal laws. In at least one way, however, the proposed FTC rule would actually go further than California’s ARL. That’s because the federal law would apply to both consumer transactions and business-to-business transactions.

FTC Enforcement of Federal Auto-Renewal Laws

Amendments to the federal law on automatic renewals would greatly strengthen the ability of the Federal Trade Commission (FTC) to enforce the law and crack down on violators. The FTC proposal would allow the government to seek restitution on behalf of consumers, as well as imposing civil penalties against companies that violate the law.

The federal law does not provide a civil remedy for individual consumers, but they can still seek financial compensation by filing a lawsuit based on state laws like the California Automatic Renewal Law (ARL). The federal law on auto renewals may also make it easier for consumers to file class action lawsuits under state law.

California’s Law on Automatic Renewal Offers

Companies that do business in California must follow stringent requirements when it comes to subscription renewals, including pre-transaction disclosures, affirmative consent, renewal notices, and cancellation policies. The purpose of the California Automatic Renewal Law (ARL) is to end the practice of ongoing charging of consumer credit cards without consumers’ explicit consent.

Some of the specific requirements that the California ARL imposes on companies include the following:

  • Cancellations: Customers must be permitted to cancel their subscriptions online if they initially signed up online. Additionally, the cancellation process must be easy, with no steps that might obstruct or delay the process.
  • Long-term subscriptions: If the subscription is for a period of at least one year before the initial renewal, businesses must send renewal notices to customers to ensure that they are informed. This notice needs to be sent at least 15 days before the subscription is scheduled to be renewed.
  • Free gifts or promotions: If there was a free gift, trial subscription, or promotional discount involved, the company must send a notice of renewal to the customer before the trial period is over.

Call the California Consumer Fraud Attorneys at Tauler Smith LLP

The California consumer fraud attorneys at Tauler Smith LLP represent plaintiffs in civil suits filed in both state and federal courtrooms throughout the country. If you were charged for an automatically renewing subscription that you did not authorize, we can help you pursue restitution and monetary damages. Call 310-590-3927 or email us to discuss your case.

Federal Law on Automatic Renewals

Federal Law on Automatic Renewals

/in /by

Federal Law on Automatic Renewals

Federal law on automatic renewals has gotten stronger and more far-reaching in recent years. This has come in response to states like California that have started to take the lead when it comes to protecting consumers against deceptive advertising and business fraud. There are several prominent laws at both the California state level and the federal level that govern retail subscription programs and automatic renewal programs, including the FTC Rule on Automatic Renewals. Additionally, both state and federal agencies have begun increasing their enforcement of these laws in recent years. For example, the California Automatic Renewal Task Force (CART) makes sure that businesses comply with California’s Automatic Renewal Law (ARL), while the Consumer Financial Protection Bureau (CFPB) is actively enforcing federal laws regulating negative options and recurring contracts. Before contacting federal or state agencies, consumers who have been billed without consent for an auto-renewal subscription should speak with a qualified consumer protection attorney.

To learn more about the federal law on automatic renewal subscriptions, keep reading this blog.

What Is the Federal Trade Commission Rule on Auto-Renewals?

Companies that do business in California while offering automatic renewal and subscription programs must comply with applicable state and federal laws, including the California Automatic Renewal Law (ARL). In fact, California has served as a model for automatic renewal legislation passed by other states, as well as federal statutes and rules that govern auto-renewals.

Federal law uses slightly different terminology for automatic renewal subscriptions: they are instead referred to as “negative option plans.” Basically, a negative option plan is one that is automatically renewed if the consumer fails to take any kind of affirmative action to cancel or not renew it.

The California false advertising lawyers at Tauler Smith LLP represent plaintiffs in civil litigation both individually and as members of class action lawsuits. We also regularly appear in both state and federal courts, so we are very familiar with the relevant consumer protection laws.

How Is the Federal Automatic Renewal Law Enforced?

The Federal Trade Commission (FTC) enforces federal law on automatic renewals and the Negative Option Rule. Federal guidelines for automatic renewals tend to focus on up-front disclosures from businesses, informed consent from customers, and uncomplicated cancellation procedures.

In addition to the FTC, the Consumer Financial Protection Bureau (CFPB) is also involved in enforcement of federal laws concerning automatic renewal and subscription practices.

Proposed Amendment to FTC Rule on Automatic Renewals

The FTC proposed an amendment to the agency rule on automatic renewals that could have a serious impact on how companies do business in California and other states. When the FTC asked for public input on auto-renewal policies, the response was overwhelming: the federal agency received thousands of comments from consumers who complained that businesses were deceptively renewing subscriptions without consent.

Some pro-business organizations like the U.S. Chamber of Commerce have objected to the FTC’s proposed rules for auto renewal subscription services, which the group says would “impose substantial and burdensome regulations on the business community.” But similar consumer fraud regulations already exist in California: statutes like the Automatic Renewal Law (ARL), the Consumers Legal Remedies Act (CLRA), and the Unfair Competition Law (UCL) all provide strong protections for consumers against companies that do business in the state.

If the FTC rule change is approved and goes into effect, it will certainly affect businesses that offer automatic renewal plans in California and other states. That’s because federal law would allow for the imposition of civil penalties of up to $50,000 for each violation of the law.

Other Federal Laws Regulating Automatic Renewals: ROSCA and TSR

The Federal Trade Commission rule on negative options is the main federal law that governs automatic renewal offers by companies. In addition to the FTC rule, there are a couple of other federal statutes that also apply to automatic renewals:

  • The Restore Online Shoppers’ Confidence Act (ROSCA)
  • The Telemarketing Sales Rule (TSR)

Restore Online Shoppers’ Confidence Act (ROSCA)

Under federal law, there are disclosure requirements for auto-renewal terms when a customer signs up for a subscription online. The Restore Online Shoppers’ Confidence Act (ROSCA) requires companies to clearly and conspicuously disclose “all material terms of the transaction” prior to obtaining the customer’s billing information. ROSCA also imposes on businesses a requirement to obtain express informed consent for an auto-renewal plan before getting customers’ billing information.

Unfortunately for consumers, ROSCA has limited application to auto-renewal plans because it only applies to online purchases.

Telemarketing Sales Rule (TSR)

Another important federal law governing automatic renewals is the Telemarketing Sales Rule (TSR). The TSR requires certain disclosures when a telemarketer offers a product or service that includes an automatic renewal subscription, such as the material terms and conditions of the purchase.

State Laws: What Is the California Law on Automatic Renewals of Subscriptions?

California’s Automatic Renewal Law (ARL) goes even further than federal law by explicitly prohibiting companies from auto-renewing subscriptions without first obtaining affirmative consent from the subscriber. That type of consent can only be given when the customer is aware of what exactly they are agreeing to, so this means companies must “clearly and conspicuously” disclose the subscription terms, including the price of the service, length of the subscription, and any recurring charges. Clear and conspicuous disclosure can be achieved by using all-caps, highlighted text, colored text, boldface font, and anything else that might contrast or differentiate an auto-subscription from other terms or conditions.

Canceling Subscriptions Under California’s ARL

The California Auto Renewal Task Force (CART) is a group of district attorneys in Los Angeles County, San Diego County, Santa Barbara County, Santa Clara County, and Santa Cruz County who enforce the ARL against companies that mislead and deceive California consumers with confusing subscription policies that automatically renew without authorization and that can be difficult to cancel afterwards.

Doug Allen, an assistant district attorney with the Santa Cruz County District Attorney’s Office and also a member of CART, says that the ARL is specifically designed “to make it as easy to get out of [an auto-renewal subscription] as it was to get into it.” The ARL stipulates that businesses must provide full disclosure to customers about the terms and conditions of all subscription renewal plans, including automatic renewals. Additionally, the ARL requires businesses to make it easy for customers to cancel a subscription on the backend.

Most Common Violations of the California ARL

Some of the most egregious violations of the California Automatic Renewal Law (ARL) involve companies that intentionally make it tough for a customer to cancel by bouncing the customer around when they call or email. For example, a retailer might inform the customer that they will need to speak to a “supervisor” who is conveniently never available. This is done with the full intention of ensuring that the customer remains enrolled in the subscription program. When a customer tries to cancel on the company’s website, the site needs to be easy to navigate and the cancellation process needs to be simple. The ARL also prohibits businesses from attempting to drag out the cancellation with an online survey; any surveys must be provided after the cancellation is complete.

Contact the California Consumer Protection Lawyers at Tauler Smith LLP

Tauler Smith LLP is a law firm that handles consumer fraud litigation in both state and federal courts across the United States. Our consumer protection lawyers have extensive experience representing plaintiffs in these matters, so we understand the nuances of automatic renewal laws that may apply in your particular case. If you were billed for a monthly subscription contract that was automatically renewed without your consent, we can assist you. Call or email us now to schedule a free initial consultation.

Nationwide Mutual Insurance CIPA Lawsuit

CIPA Lawsuit Against Nationwide Mutual Insurance

/in /by

Nationwide Mutual Insurance CIPA Lawsuit

A CIPA lawsuit was recently filed against Nationwide Mutual Insurance for illegal wiretapping and invasion of privacy, and now a federal judge in California has ruled that the case can proceed to trial. The U.S. District Court judge issued the ruling in response to a motion to dismiss the wiretapping claims under Section 631 of CIPA, or the California Invasion of Privacy Act. The civil suit alleges that Nationwide Mutual unlawfully allows a third party to eavesdrop on customer conversations on the insurance company’s website. Chat communications are allegedly monitored in real time, and the sensitive personal data from those conversations is allegedly stored and used for financial gain. These actions would constitute clear violations of California consumer privacy laws.

These days, it is common for many different types of businesses to violate the CIPA and other invasion of privacy laws. If you live in California and used the chat feature on a company’s website, you may be eligible to join a class action lawsuit for invasion of privacy. The Los Angeles consumer protection lawyers at Tauler Smith LLP can help you get financial compensation.

Nationwide Mutual Insurance Sued for Invasion of Privacy

The defendant in the recent invasion of privacy case is Nationwide Mutual Insurance Co., which is a corporation that offers insurance, retirement, investing, and other financial services and products to consumers in the United States, including residents of California. Nationwide operates a website: www.nationwide.com. The website has a chat feature, which customers can use to have online conversations with Nationwide. Sometimes, the customers who use the chat feature may share sensitive personal data with the company.

Third-Party Wiretapping of Customer Conversations

Nationwide Mutual Insurance has been accused of using a third-party company, Akamai or Kustomer, to embed code into the Nationwide website, which allows the third-party company to monitor and store transcripts of the conversations that occur through the chat feature. Akamai specializes in harvesting data from consumer conversations, which is believed to be the reason that Nationwide contracted with them in the first place.

Significantly, Nationwide does not inform customers who use the chat feature on the website that monitoring of conversations, storing of transcripts, or data harvesting occurs. Beyond that, Nationwide does not obtain customers’ consent for any of these activities.

Federal Judge Denies Motion to Dismiss Wiretapping Lawsuit Against Nationwide Mutual Insurance

The plaintiff in the consumer data privacy case is a California resident who used a smartphone to visit the Nationwide Mutual Insurance website and to communicate with Nationwide via the company’s website chat program. She filed her original legal complaint in Los Angeles County Superior Court, and the case was later removed to the U.S. District Court for the Central District of California.

Once the case arrived in federal court, Nationwide filed a motion to dismiss the complaint. The U.S. District Court recently held a hearing on the motion to dismiss. Although the Section 632.7 CIPA complaint was dismissed, the court ruled that the Section 631 CIPA complaint could move forward to trial. The court found that the plaintiff had stated a valid claim under § 631 of the CIPA because she plausibly alleged that Nationwide aided third-party Akamai in violating the consumer privacy statute.

What Are California’s Data Privacy Laws?

On top of having extremely strong consumer protection laws, California also has some of the strongest digital privacy laws in the country. The three most prominent statutes are the California Invasion of Privacy Act (CIPA), the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA). All of these data protection laws impose civil liability on companies that invade the privacy of customers. The CIPA imposes a requirement on businesses to obtain permission from customers before recording telephone and internet communications, including online chat conversations. The CCPA specifically prohibits businesses from sharing the personal information of customers with third parties, while the CPRA amended the law to increase the penalties for violating consumer privacy.

What Conduct Is Prohibited by the California Invasion of Privacy Act?

Although Section 631 of the California Invasion of Privacy Act (CIPA) is technically a criminal statute with criminal penalties, the Penal Code authorizes civil liability for violations of the law. This means that consumers whose confidentiality was invaded by a company doing business in California can potentially bring a civil lawsuit for monetary damages.

California courts ruling on CIPA claims have interpreted Section 631 to prohibit three types of conduct:

  1. Intentional wiretapping.
  2. Attempting to learn the contents of a communication in transit over a wire.
  3. Attempting to use information obtained as a result of wiretapping or monitoring of communications.

Additional requirements or elements of a CIPA violation include that the intentional wiretapping was done while the communication was in transit and that the communication was being sent from or received at a location within California. The prohibited conduct includes reading the contents of any message, report, or communication without the consent of all parties to that message, report, or communication. If one of the parties did not know that the chat or other type of communication was being monitored and/or wiretapped, then it would not be possible for them to provide consent or authorization. The bottom line is that eavesdropping on a conversation is a clear violation of Section 631 of the CIPA.

“Aiding” a Violation of the CIPA

Section 631 of the California Invasion of Privacy Act (CIPA) also imposes liability on any company that “aids” or assists another in violating the statute. The plaintiff in this case alleges that Nationwide Mutual Insurance “aided, abetted, and even paid third parties to eavesdrop” on her conversations. Moreover, she alleges that these privacy breaches happened not only with her communications, but also with other consumers’ communications on the Nationwide website.

Party Exception to § 631

There is a “party exception” to Section 631 of the CIPA. Courts have found that a party to a conversation cannot be liable for “eavesdropping” on that conversation. But this gets complicated when the conversation involves a third party. For example, if computer code on a website automatically directs a communication to a third party, the party exception won’t shield the third party from civil liability under the CIPA.

U.S. District Court: Nationwide Mutual Insurance May Have Violated California Invasion of Privacy Law

The plaintiff in the Nationwide Mutual Insurance data privacy case alleged that Nationwide violated the California Invasion of Privacy Act (CIPA) pursuant to California Penal Code § 631. Now, the U.S. District Court for the Central District of California has found that the plaintiff plausibly alleged that Akamai read the contents of her messages, which would constitute a violation of Section 631 by Nationwide for “aiding” in the wiretapping offense. Moreover, the court agreed that it is conceivable that Nationwide hired Akamai specifically to intercept messages and use them for Nationwide’s financial benefit. This would constitute “aiding” the illegal wiretapping by Akamai, which would lead to Nationwide itself being liable for violating the CIPA.

One theory put forward in the case is that Nationwide paid Akamai to “embed code” into the website that “enables Akamai to secretly intercept in real time, eavesdrop upon, and store transcripts” of messages sent via the website chat feature. In fact, it has been alleged that Akamai’s business model is to harvest data from transcripts of communications. Significantly, the federal court said that one inference from the plaintiff’s legal claim is that the personal information being harvested goes beyond mere “record information” like the consumer’s name, address, and subscriber number.

Akamai has been accused of intercepting customers’ messages as they are sent and received on the Nationwide website. The court found that these allegations are “plausible” based on Akamai’s public statements about their conduct. Additionally, the court said that the plaintiff clearly alleged that neither Akamai nor Nationwide Mutual Insurance had her consent to harvest personal data from communications on the Nationwide website.

Contact the California Consumer Protection Lawyers at Tauler Smith LLP

Anyone who used the chat feature on a company’s website may have been the victim of illegal wiretapping and privacy violations. If you are a California resident who visited a website, the Tauler Smith LLP legal team can help you. Contact our Los Angeles consumer fraud and false advertising attorneys today. You can call 310-590-3927 or email us.

Textbook Company Chegg ARL Claim

Tauler Smith Files ARL Claim Against Textbook Company Chegg

/in /by

Textbook Company Chegg ARL Claim

Tauler Smith LLP filed an ARL claim against textbook company Chegg for allegedly renewing customer subscriptions without notice or authorization. KNTV, which serves as the NBC outlet for the San Francisco Bay Area, reported that the civil lawsuit was filed in federal court on behalf of a student who rented a book for her law school class. It is not uncommon for consumers who make what they thought was a one-time purchase online to later realize that they have been charged again – and again! – for an auto-renewing subscription. The California Automatic Renewal Law (ARL) makes it illegal for companies like Chegg to engage in this kind of deception. The statute also gives consumers the ability to pursue damages of up to $2,500 for each ARL violation. California false advertising attorney Robert Tauler is leading the fight for consumers against companies that violate the rights of customers with deceptive auto-renewal policies.

Click here to view the NBC Bay Area News report on the latest lawsuit filed under California’s ARL. To learn more about the Automatic Renewal Law claims against Chegg, keep reading this blog.

NBC Bay Area News Investigates Automatic Renewal Law Claim Against Chegg

A recent report by KNTV, the Bay Area affiliate of NBC, details the battle being fought by consumers who learn that they were automatically enrolled in a Chegg subscription service without their permission. The KNTV investigative team learned that many of these consumers have also found it nearly impossible to cancel the subscription and to get a refund for the unauthorized charges.

The plaintiff in the case is Sheri Moyer, a law student who needed a textbook for one of her law school classes. That book would have cost her upwards of $120, so instead she rented a digital textbook for $19.99 from Santa Clara-based Chegg. What is Chegg? Chegg markets itself as an education technology company that offers online tutoring, textbook sales, and both digital and physical textbook rentals to students in a variety of fields.

Moyer only needed the law school course book to complete a short class assignment, so it made sense for her to rent it instead of buying it. She paid for a 30-day subscription on Chegg and finished her assignment. But she was shocked when she checked her credit card statement the following month to see that Chegg charged her for another 30-day subscription. It turned out that the textbook rental company had auto billed her without authorization. To make matters worse, Chegg refused to refund Moyer’s money because “they had a zero-refund policy.”

Tauler Smith LLP Files Consumer Protection Lawsuit Against Chegg

Sheri Moyer has enlisted the Los Angeles law firm Tauler Smith LLP to help her file a civil suit against Chegg in the U.S. District Court for the Northern District of California. Chegg contested the lawsuit by getting the case moved to arbitration. Moyer wanted the case to go to trial so that she would have an opportunity to tell her story to a jury, but a federal judge ruled that the parties must first present their arguments to an arbitrator. The judge also ruled that the parties will need to provide the court with regular updates on the arbitration process.

Tauler Smith LLP frequently represents plaintiffs in consumer fraud actions and automatic renewal lawsuits filed in California courts. For example, our legal team recently filed an ARL claim against a casting company accused of deceptively renewing customer subscriptions to their service.

Consumer Class Action Lawsuit: Chegg Accused of Automatically Renewing Subscriptions Without Permission

In the Chegg textbook rental case, Sheri Moyer is suing for reimbursement of fraudulent charges, as well as statutory damages. That’s because the ARL allows consumers to recover $2,500 for each violation of the auto-renewal statute.

More than anything, Moyer wants to make sure that the online textbook rental company is held accountable for their deceptive actions, which allegedly included failing to disclose their auto-renewal policy. Moyer’s attorney, consumer advocate Robert Tauler, filed the suit in the federal court in San Jose because he wants to establish legal precedent throughout the state and send a strong message to other companies that trick customers into auto-renewing subscriptions. Tauler believes this is an important business fraud case that warrants class action status, which is why he is asking other consumers who have been charged for automatically renewing subscriptions to come forward. By exercising their legal rights, they can help put a stop to the fraud being committed by many online retailers that do business in California. Consumers who join the class action lawsuit can also recover statutory damages of $2,500 for every ARL violation committed by the company.

Contact the California Consumer Protection Attorneys at Tauler Smith LLP

The California consumer protection lawyers at Tauler Smith LLP regularly appear in both state and federal courts on behalf of consumers who were fraudulently charged for automatically renewing subscriptions. Our legal team is currently looking for plaintiffs in a class action lawsuit against the educational support services company Chegg. If you signed up for a textbook subscription with Chegg or any other type of subscription with an online retailer, we can help you file a civil suit for financial compensation.

Call 310-590-3927 or send an email today.

NBC News on Automatic Renewal Law

NBC News: Robert Tauler on California’s Automatic Renewal Law

/in /by

NBC News on Automatic Renewal Law

In a recent on-air report, NBC News spoke to attorney Robert Tauler about California’s Automatic Renewal Law (ARL). The impetus for the story was a lawsuit filed by Los Angeles law firm Tauler Smith LLP on behalf of a consumer who accused a casting company of automatically renewing his subscription to their service without notice or authorization. Many consumers find that it is incredibly difficult to cancel their subscriptions after they sign up for a service or make what they intended to be a one-time purchase online. Worse yet, a lot of companies will even go so far as to change the terms of the subscription and then renew it without informing the customer. The California Automatic Renewal Law, or ARL, makes it illegal for companies to use deceptive subscription methods. Under the ARL, a company that violates automatic subscription laws can be sued for $2,500 for each violation.

Click here to see the NBC Los Angeles report on subscription claims filed under California’s Automatic Renewal Law. To learn more about the ARL claims filed by Tauler Smith LLP, keep reading this blog.

NBC Los Angeles News Airs Report on ARL Claim Against Casting Company

NBC Los Angeles News recently aired a report on a lawsuit filed by Chris O’Brien, a Pasadena resident who is alleging that a casting website charged his credit card for a subscription renewal without permission. O’Brien is being represented by Tauler Smith LLP, a law firm which regularly represents consumers in automatic renewal claims filed in California courts and ARL claims filed in federal courts.

Casting Frontier is a talent agency that helps actors find auditions and casting calls through online searches on the company’s website. In a report on KNBC Channel 4, NBC Los Angeles detailed how Casting Frontier has been accused of charging customers’ credit cards and renewing annual memberships without authorization. In Chris O’Brien’s case, he didn’t realize that the talent agency had raised the cost of his membership until after they automatically renewed his online subscription. He told NBC News that he never received an email or any kind of notice from the casting website before the charges appeared on his credit card. The fee spike was noticeable because the membership cost went from $75 all the way up to $200, or more than double the original fee.

The NBCLA I-Team investigated the troubling allegations being made against Casting Frontier. The KNBC broadcast team later aired the results of the investigation and provided key details about the California Automatic Renewal Law (ARL), including information about how consumers can use the law to get substantial monetary compensation. If O’Brien wins his case against the casting company, he could be awarded $2,500 under the ARL.

How Consumers Can Get Compensated Under the California Automatic Renewal Law

The unfortunate reality is that Casting Frontier is far from the only company that has been accused of violating California’s automatic renewal laws. These days, it is common for people to use their cell phones and computers to quickly subscribe to different products and e-commerce services such as movie streaming platforms, music apps, food deliveries, and even pet supplies. A lot of these subscriptions renew automatically, which opens the door for unethical companies to use deceptive tactics on customers.

California has extremely strong consumer protection laws that explicitly prohibit companies that do business in the state from deceiving customers through fraud or false advertising. One of these consumer protection statutes is the Automatic Renewal Law (ARL), which imposes certain requirements on businesses that automatically renew subscriptions:

  • The company must clearly and conspicuously disclose any auto-renewal offer terms.
  • The company must obtain affirmative consent from consumers before charging their credit cards for an automatic renewal.
  • The company must allow customers to easily cancel their subscriptions.

In fact, the California statute is so strong that it has become the model for all other state automatic renewal laws, as well as federal law on auto-renewing contracts. The California ARL, which is codified in Cal. Bus. & Prof. Code §§ 17600, stipulates that consumers can’t be hit with new charges that they haven’t previously agreed to. This means that companies must inform consumers of exactly how much they will be charged for a subscription, as well as when those charges will be issued. The bottom line is that consumers must be made aware that a subscription will renew and that they are going to get a second charge.

California Auto-Renewal Task Force (CART)

The state of California has a task force dedicated to enforcing California’s Automatic Renewal Law. The California Auto-Renewal Task Force (CART) includes prosecutors from the district attorney’s offices in Los Angeles County, San Diego County, Santa Barbara County, Santa Clara County, and Santa Cruz County. CART has investigated dozens of companies over the years and imposed more than $16 million in fines against violators of both California state laws and federal laws.

Douglas Allen, an active member of CART, observed that many ARL violations are egregious, with companies intentionally making it difficult for customers to cancel subscriptions once they’ve signed up for a service. These companies count on customers allowing a subscription to auto-renew three or four times before they realize what’s happening.

ARL Statutory Damages

If your subscription was automatically renewed without your affirmative consent, you could be eligible to file a lawsuit and receive a minimum of $2,500 in statutory damages.

Consumers need to trust their gut when they think they might be dealing with a deceptive company. According to Los Angeles consumer protection lawyer Robert Tauler, “Anytime a consumer feels wrong about a situation or feels frustrated with a subscription service, that’s reason enough to know that something’s probably off.” Consumers who learn that they were billed for an automatically renewing subscription should speak with a California consumer fraud attorney immediately.

Contact the California Consumer Protection Lawyers at Tauler Smith LLP

The Los Angeles consumer protection lawyers at Tauler Smith LLP represent plaintiffs in cases against companies that violate California’s Automatic Renewal Law (ARL). If you signed up for a monthly or annual subscription that automatically renewed, our experienced attorneys can help you file a civil suit and get restitution of your expenses and financial compensation for any harm or losses you suffered. Call 310-590-3927 or email us.

Website Wiretapping & CIPA

California Invasion of Privacy Act & Website Wiretapping

/in /by

Website Wiretapping & CIPA

It is important for consumers who interact with businesses online to have a solid understanding of the California Invasion of Privacy Act (CIPA) and website wiretapping. When you have a conversation with someone on the phone or via the computer, there is usually a reasonable expectation that the conversation will remain between the two parties. But what happens when what you believed to be a private conversation was actually being wiretapped, surveilled, and/or recorded by the other party? If this happens in the context of a business transaction, sales call, or online chat, your information could be sold to other companies that profit from the data. This has become a very serious problem in the internet era when personal data can be transmitted and circulated at a rapid pace. It’s one reason that California consumer privacy laws like the CIPA have become so important as tools to protect consumers against unethical business practices.

To learn more about the consumer protections against website wiretapping afforded by the California Invasion of Privacy Act, keep reading this blog.

What Is Website Wiretapping?

Wiretapping is a term used to describe the act of connecting a listening or recording device to a telephone. Website wiretapping occurs when the chat communications on a website are unlawfully recorded, transcribed, or surveilled without permission. These days, wiretapping technology is commonly used to secretly record conversations on websites that were supposed to remain private. Some of the reasons that people might illegally wiretap a website chat include gaining information about a business competitor, learning the details of an opponent’s lawsuit, or acquiring valuable data about a customer that can be sold to others.

Illegal wiretaps are not just against the law; they can also cause significant harm to victims. That’s why California allows individuals to file civil lawsuits against anyone who records their online conversation without consent.

California’s Law on Website Wiretapping: Section 631 of the CIPA

California has a number of very strong consumer protection laws that prohibit companies from jeopardizing the digital privacy and security of customers. Any company that does business in California needs to be completely transparent in their data collection practices, which includes obtaining proper consent from customers and website visitors before any personal information is shared online.

For example, California courts have held that it is a violation of California’s Invasion of Privacy Act (CIPA) for companies to wiretap user chats and other communications on websites. It is specifically a violation of § 631(a) of the CIPA when the intercepted communications contain what might be considered more sensitive than “record information” such as the user’s name, address, email, etc.

Additionally, Section 631 of the CIPA gives consumers a legal right to know when their phone conversation is being recorded, or when their online chat conversation is being monitored and transcribed. That is why a lot of companies provide automated warnings at the beginning of calls to alert customers to the possibility that the call may be monitored or recorded, and privacy policies on websites that disclose the monitoring of website chat communications with session recording technology.

Wiretapping on Websites:

Customers have a reasonable expectation of privacy when they visit a company’s website and use the chat feature. Their privacy rights are violated when a company wiretaps the online conversations, and they are further violated when that company allows third-party entities to eavesdrop on the chat conversations.

In recent years, many companies doing business online have been accused of breaching the privacy of individuals who visit their websites. When those websites are accessible to customers in California, the companies may be violating California’s very robust consumer privacy laws. Companies violate the California Invasion of Privacy Act (CIPA) by illegally wiretapping the conversations of website visitors.

Winning a CIPA Claim for Illegal Wiretapping

The simple fact is that a lot of businesses fail to provide clear warnings about the nature of phone conversations, online chats, or other communications with customers. When a business secretly monitors or records a conversation, the customer whose privacy rights were violated by the illegal wiretapping may be able to take legal action by filing a CIPA claim.

One element of a successful CIPA claim that the plaintiff will need to prove is that they had a reasonable expectation of privacy. Generally, the content and circumstances of the conversation can be used to determine whether such an expectation existed. This is where the court will examine a number of case-specific factors, including:

  • The identity of the person who initiated the conversation.
  • The purpose of the communication.
  • The duration of the conversation.
  • Whether there were prior conversations between the parties.
  • The type of information that was communicated.
  • Whether the party recording the conversation provided a warning.

Section 632(c) of the CIPA clarifies that when the parties to a communication reasonably expect to be overheard or recorded, it does not qualify as a “confidential communication” under the law.

Civil Remedies Available to Consumers Under the CIPA

As mentioned above, the CIPA includes both civil and criminal penalties for companies that violate the statute by unlawfully accessing, maintaining, or sharing customer data. For consumers who have been victimized, the civil penalties can be a valuable tool to get some sort of justice. The CIPA allows consumers to file civil lawsuits in California state court to recover damages of up to $5,000 for each invasion of privacy violation. Additionally, in some cases, the court may order the defendant to pay treble damages that total three (3) times the economic harm suffered by the consumer.

Criminal Penalties for Wiretapping in California

Violations of the wiretapping law can also result in criminal penalties. On the criminal side, the CIPA gives courts the ability to impose penalties such as monetary fines and even jail time. A person charged with a crime for monitoring and recording a private communication could be sentenced to up to three (3) years in the county jail.

The decision about whether to bring criminal charges against a business or individual for breaching your privacy rights by recording a conversation will ultimately be made by prosecutors and other law enforcement authorities. If charges are filed against the defendant, the case will be heard in criminal court. A knowledgeable attorney can help victims start this process, as well as helping victims decide whether to file a civil lawsuit to recover money damages either before or after resolution of the criminal case.

Other Data Privacy Laws in California

Data privacy has been a major concern of California lawmakers for a while now, which is why the state has tended to lead the way with this kind of legislation. In fact, the California Invasion of Privacy Act (CIPA) is just one of the state’s extremely strong consumer fraud laws with a focus on data privacy. The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) are two other laws that explicitly protect customers against companies that overreach when it comes to sharing personal data. In fact, both the CCPA and the CPRA require companies doing business in the state to give customers the right to opt out of the sharing of their data.

Recently, plaintiffs have been relying on § 638.51 of the CIPA to file class actions against companies that use pen registers or trap and trace devices to acquire data from website visitors without permission.

Contact the Los Angeles Consumer Protection Lawyers at Tauler Smith LLP to File a Website Wiretapping Claim

Too often, companies doing business online choose to deliberately disregard the privacy concerns of customers who use their websites. Instead, these companies prioritize financial gains over consumer privacy and personal well-being. If you visited one of these websites and shared any information via a chat feature, you may be able to get statutory damages under the wiretapping provision of the CIPA.

The Los Angeles consumer protection lawyers at Tauler Smith LLP can help you file a website wiretapping claim. Call 310-590-3927 or email us to learn more.

Arlo Home Security Invasion of Privacy

Arlo Home Security System Sued for Invasion of Privacy

/in /by

Arlo Home Security Invasion of Privacy

Arlo Home Security System is being sued for invasion of privacy. The consumer protection attorneys at Tauler Smith LLP recently filed the lawsuit on behalf of a California resident who used the company’s website: www.arlo.com/. Specifically, Arlo is accused of engaging in the unauthorized collection, storage, and sharing of the personal information of its customers. Arlo has also been accused of allowing a third-party company to secretly intercept and monitor the online chat conversations of website visitors without their knowledge or consent. Arlo’s actions are alleged as clear violations of the California Invasion of Privacy Act (CIPA), which explicitly prohibits companies from engaging in behavior that violates certain privacy rights of customers.

We believe Arlo could be potentially violating other privacy rights of consumers based on our preliminary investigation. Keep reading this blog for more information.

Arlo Technologies Fails to Protect the Privacy Rights of Customers

Arlo is a home security company that sells doorbells and security cameras with wireless connections. Arlo Technologies, Inc. is the parent company that manufactures the wireless surveillance cameras and smart home security systems being marketed to consumers for both residential and small business use. Customers are able to use the Arlo.com website to purchase products, monitor their home security systems, and communicate with the company.

Arlo primarily manufactures and sells home security cameras, which means that it is absolutely imperative that the company complies with all applicable federal and California state laws and regulations concerning data privacy. Moreover, the nature of Arlo’s business of selling security cameras and recording devices means that the personal information being collected from customers is likely to be extremely sensitive. When Arlo fails to protect the privacy rights of customers, it exposes them to significant risks not just because the information shared typically goes beyond basic record information to include personally identifiable details, but also because users are able to transmit video files over the internet that make them vulnerable to serious abuses of their privacy.

Privacy Lawsuit Filed Against Arlo Home Security System in Los Angeles County Superior Court

The plaintiff in the current lawsuit against Arlo alleges that Arlo unlawfully collected data using a third-party service on its website. The lead attorney for the plaintiff is Betsy Tauler, a consumer protection attorney who focuses on privacy law. Tauler filed the lawsuit in the Los Angeles County Superior Court.

Arlo’s Chatbox:

A major issue has been raised about the digital privacy of consumers who use Arlo’s website and share their private information. When the plaintiff in this case browsed the site, the complaint alleges, she interacted with a chatbox function that used a third party to collect information about her without her consent. Additionally, the home security system company allegedly utilizes the third-party chatbox on the website to unlawfully transmit and store user data. Arlo does this by covertly embedding code into its online chat function that sends the chat to a third party who collects data from the chat without the user’s knowledge. This type of commercial surveillance is illegal in California and violates the California Invasion of Privacy Act (CIPA).

Arlo’s Privacy Policy:

Arlo has been accused of collecting data from many website visitors without providing any disclosures about how their private information is being used. Although the Arlo website has a privacy policy, the policy is easy to miss because it is not prominently displayed on the home page. In fact, the policy is buried deep within the website, making it difficult for users to read and understand its terms before they provide personal information when prompted to do so by the website chat bot. The complaint filed in the Los Angeles County Superior Court alleges that Arlo’s failure to make sure that website visitors are aware of the terms of the privacy policy constitutes a deliberate attempt to mislead them.

Arlo Sued for Violations of the California Invasion of Privacy Act (CIPA)

The California Invasion of Privacy Act (CIPA) prohibits companies from wiretapping and eavesdropping on the electronic communications of customers. The statute also specifically requires website operators to conspicuously warn visitors if their conversations are being recorded or if any third parties are eavesdropping on them.

The CIPA applies to conversations transmitted via a “cellular radio telephone” or a “landline telephone.” These categories have been found to include smartphones that enable web browsing, as well as desktop computers and laptop computers that utilize wi-fi. The plaintiff in this case accessed Arlo’s website using a smartphone.

Arlo Home Security System faces a civil suit for violating two sections of the California Invasion of Privacy Act:

  • Section 631
  • Section 632.7

§631 of the CIPA:

Section 631(a) of California’s Penal Code prohibits companies from using any machine, instrument, or contrivance to wiretap a conversation. The statute also forbids companies from reading the contents of any message or communication without the consent of all parties to the communication.

Section 631 applies not just to telephone conversations, but also to internet communications. This means that Arlo’s wiretapping of website chat communications would constitute a clear violation of the CIPA.

Additionally, Arlo allegedly embedded software on its website for the purpose of recording and eavesdropping on customer communications, which is also prohibited because this type of session recording software qualifies as a “machine, instrument, or contrivance” as defined by the statute.

§632.7 of the CIPA:

Arlo has also been accused of violating Section 632.7 of California’s Penal Code by intercepting and intentionally recording customer communications transmitted via telephone. The plaintiff in this case accessed Arlo’s website and used the chat feature with a smartphone, which qualifies as a sophisticated “cellular radio telephone” as defined by the law. Since the statute prohibits companies from recording telephony communications without the consent of all parties, Arlo’s actions would constitute a violation of Section 632.7.

According to the complaint, Arlo’s actions demonstrate that the company is more interested in profiting from its users’ personal information than it is in protecting users’ privacy rights.

Arlo Allegedly Surveils Customers

Arlo allegedly also allows ADA, a third-party company, to eavesdrop on customer conversations. ADA allegedly collects transcripts of these conversations and uses them for financial gain in unregulated dark data markets without any limitations. Additionally, ADA may be exposing Arlo customer data in international data transfers, which could involve foreign countries with different data protection laws.

Arlo allegedly pays substantial sums of money to ADA to embed code into the website chat feature. This is how ADA is able to allegedly intercept the chat communications in real time. The third-party company then eavesdrops on those conversations and stores transcripts. Website visitors have no way of knowing that this is being done. In fact, the complaint alleges that no one who uses the chatbox feature on the Arlo.com website is informed that they are being subjected to unlawful surveillance.

Do You Use Arlo for Home Security? Call the California Consumer Protection Attorneys at Tauler Smith LLP

Anyone within California who uses Arlo and believes they have been unlawfully collecting data may be eligible to file an invasion of privacy lawsuit to recover injunctive relief and statutory damages under the California Invasion of Privacy Act (CIPA) or other consumer protection laws.

The California consumer fraud lawyers at Tauler Smith LLP are representing plaintiffs in a class action lawsuit against Arlo Home Security System. For more information, call 310-590-3927 or send us an email.

Amazon Alexa and Ring Settlements

FTC Settlement: Amazon’s Alexa, Ring Security Cameras, and Privacy Laws

/in /by

Amazon Alexa and Ring Settlements

Amazon recently reached a settlement with the Federal Trade Commission (FTC) and the Department of Justice (DOJ), agreeing to pay $31 million in civil penalties for consumer privacy violations associated with the company’s Alexa voice assistant devices and Ring doorbell cameras. The DOJ alleged that Amazon engaged in a number of unreasonable privacy practices, ultimately resulting in an FTC settlement involving Amazon’s Alexa, Ring security cameras, and privacy laws.

The use of home security cameras and other internet-connected devices to spy on and illegally record customers has triggered several high-profile lawsuits, including a recent invasion of privacy claim against Arlo Home Security System in California. In the Amazon case, the tech behemoth was accused of violating federal laws by using Alexa voice devices and Ring doorbell cameras to unlawfully collect voice and video data, including data from children. The FTC and the DOJ said that Amazon illegally stored voice information, geolocation information, and video recordings without user permission. Moreover, the tech giant allegedly failed to delete kids’ Alexa recordings when those removals were requested by parents. The FTC and the DOJ filed complaints against Amazon in federal court, and now those cases have been settled: Amazon agreed to pay $25 million for its Alexa privacy violations that compromised children’s data and another $6 million for Ring privacy violations that exposed users to surveillance, threats, and harassment.

To learn more about the DOJ and FTC settlements reached with Amazon over the company’s Alexa voice service and home security cameras, keep reading this blog.

Federal Trade Commission Accuses Amazon of Invading Privacy of Alexa Users

The Amazon settlement resolved two separate claims filed against the tech company by the FTC:

  1. A claim that Amazon’s Alexa service was being used in violation of federal child privacy laws.
  2. A claim that the Ring doorbell cameras were being used to illegally spy on customers.

The FTC’s Alexa complaint was filed in the United States District Court for the Western District of Washington, and it alleged that Amazon violated both the Federal Trade Commission Act (FTC Act) and the Children’s Online Privacy Protection Act (COPPA) by deceiving parents about how data collected by the Alexa devices would be utilized. Specifically, the FTC alleged that Amazon unlawfully recorded children’s voices and maintained their geolocation data while telling parents that they could delete voice recordings and other data collected by the Alexa app.

What Is Amazon’s Alexa Service?

Amazon’s Alexa is a cloud-based voice assistant service that is used by millions of Americans. Alexa allows consumers to interact with technology designed to make their lives easier. For example, Alexa can be used to check the weather, learn the latest news developments, perform online searches for information, listen to music and audiobooks, play games, order products from Amazon.com, and stream content on smart TVs. Global sales of Alexa devices have topped more than half a billion, with use of the Alexa voice service increasing every year since it reached the market. This includes more than 800,000 children under the age of 13 who have their own Alexa profiles.

Alexa devices are made by both Amazon and third-party manufacturers, meaning that the technology is available on hundreds of millions of devices. Although Amazon’s marketing of its Alexa service and Echo devices claims that they are “designed to protect users’ privacy,” the fact that the Alexa mobile application is connected to the internet means that the data recorded by the device is accessible online and exposes users to scary breaches of their privacy.

Amazon Violations of the FTC Act

Section 5 of the Federal Trade Commission Act (FTC Act) prohibits companies from engaging in “unfair or deceptive acts or practices in or affecting commerce.” Amazon was accused of committing multiple violations of Section 5 of the FTC Act:

  • Falsely representing that users of the Alexa app could delete their geolocation data upon request.
  • Falsely representing that Alexa users could delete voice recordings, including voice recordings of their children.
  • Unfair privacy practices that caused substantial injury to users of the Alexa service.

Amazon Violations of the Children’s Online Privacy Protection Act (COPPA)

The Children’s Online Privacy Protection Act (COPPA) is a federal law that was passed by Congress in 1998, and it was intended to strengthen general privacy laws with specific protections for minors under the age of 13 who use the internet. The impetus for COPPA was a rise in websites that were secretly collecting the personal data of children. The COPPA Rule is codified in Section 1303(b) of COPPA, 15 U.S.C. § 6502(b), and Section 553 of the Administrative Procedure Act, 5 U.S.C. § 553. The COPPA Rule imposes strict requirements on the operators of commercial websites that target children: these websites must notify parents about the information collected. COPPA also requires website operators to give parents the option to delete their kids’ information at any time.

Although Amazon specifically promised Alexa users in a “Children’s Privacy Disclosure” that the company would delete their data upon request, the FTC alleged that Amazon continued to maintain children’s data long after such requests had been made. FTC consumer protection chief Samuel Levine observed that COPPA explicitly forbids companies “from keeping children’s data forever.”

Moreover, even in those instances when Amazon did erase the data, they reportedly retained written transcripts of the children’s recordings in a database that was accessible by employees. Amazon did not disclose to parents that the company was keeping the written transcripts and continuing to access them. FTC Commissioner Alvaro Bedoya said that Amazon deceived parents about its data deletion practices by failing to comply with parental requests to erase children’s voice data collected by Alexa. This was a violation of federal laws meant to protect children against online threats and privacy invasions.

Amazon tried to justify its actions by saying that it kept children’s voice information to improve the company’s voice recognition algorithm, to help the company better respond to voice commands, and to give parents enough time to review the information. According to Amazon, the algorithm is a form of artificial intelligence (AI) that learns and gains capabilities as it acquires more information. Artificial intelligence has become extremely controversial as an increasing number of tech companies have started to introduce AI products and applications into the marketplace. This is one reason that it was so important for the FTC to send a strong message to Amazon and others that using AI and other technologies to invade customer privacy will not be tolerated by the government. The Amazon Alexa settlement will bar the company from using children’s data to train the company’s algorithms.

Amazon Settles FTC Case Alleging Alexa Consumer Privacy Invasions

Samuel Levine, the FTC consumer protection chief, commented on the Amazon Alexa settlement and highlighted “Amazon’s history of misleading parents, keeping children’s recordings indefinitely, and flouting parents’ deletion requests.” All of these actions violated the Child Online Privacy Protection Act (COPPA) and “sacrificed privacy for profits.”

The Alexa settlement with the FTC includes a number of provisions:

  • Amazon must pay a $25 million civil penalty.
  • Amazon can no longer use children’s geolocation data or voice information for the purpose of creating or improving company products.
  • Amazon must delete any inactive Alexa accounts belonging to children.
  • Amazon must notify all users about the FTC action against the company, as well as the settlement.
  • Amazon is prohibited from misrepresenting its privacy policies in the future, especially as they pertain to geolocation data, voice recordings, and children’s voice information.
  • Amazon must create and strictly enforce a privacy program related to geolocation data.

As part of the Amazon Alexa settlement, the company will have to implement privacy safeguards for child users. The company will also have to make significant changes to the way it stores Alexa data: there will be a requirement that Amazon delete certain information right away so that underage children won’t have their information exposed. Amazon has also agreed to delete child accounts that are inactive, as well as voice data and geolocation data from active accounts.

In the wake of the Alexa settlement, FTC Commissioner Alvaro Bedoya warned companies “sprinting to do the same” thing as Amazon that they should think twice, especially if their products will be used by kids. Bedoya, who has two children of his own, said that “nothing is more visceral to a parent than the sound of their child’s voice.”

Department of Justice Files Complaint Against Amazon for Invading Privacy of Ring Home Security Camera Users

The Federal Trade Commission (FTC) doesn’t just protect children’s privacy; the agency is committed to protecting the privacy of all consumers. That’s why the FTC and the Department of Justice (DOJ) brought a second case against Amazon alleging that the tech giant violated federal law by allowing employees and contractors to access Ring doorbell cameras used by customers, with the access leading to illegal surveillance of the customers. Additionally, the FTC said that Ring did not take sufficient actions to stop hackers from accessing customer cameras.

Amazon Subsidiary Company Ring Sells Home Security Cameras

Ring is a subsidiary company of Amazon that primarily sells home security cameras, doorbells, and other accessories that are connected to the internet. Amazon has sold more than one million indoor cameras to customers in the United States and internationally. These cameras are typically used on the exterior entryways of a home, but they can also be used as indoor cameras to monitor private spaces such as bedrooms and bathrooms. It is these indoor cameras that were frequently targeted by Ring employees and hackers looking to spy on customers, with nearly 40% of all Ring devices that were compromised being either Stick Up Cams or Indoor Cams marketed primarily for indoor use.

Amazon bought Ring in 2018 for roughly $1 billion. Although most of the alleged privacy violations happened before Amazon acquired Ring, the parent company is still liable for any violations of federal law. Ring security cameras are marketed by Amazon as affordable cameras that can be attached to houses or, more commonly, to doors so that users can monitor entry into their homes. But while customers believed that they were securing their homes by using Ring cameras, they were actually exposing their homes to nefarious actors – many of whom were employed by Amazon.

DOJ Complaint Against Amazon for Ring Doorbell Cameras

The Justice Department filed its Ring complaint on behalf of the Federal Trade Commission (FTC) in the U.S. District Court for the District of Columbia. The complaint alleged that Amazon violated Section 5 of the FTC Act in connection with the company’s Ring cameras.

Ring Security Cameras Illegally Accessed by Company Employees

According to the DOJ complaint, Ring home security cameras were accessed by company workers who subsequently spied on and harassed customers. In fact, the workers who gained access to the devices were also able to communicate directly with customers and threaten them. There were documented instances of female customers being cursed at in their bedrooms, children being subjected to racist slurs, and a number of Ring customers receiving death threats. These same individuals harassing and terrorizing Ring customers also used the cameras to set off false alarms and to change home security settings.

The Ring home security videos were reportedly available to every employee, and this was true for all customer videos over a period of several years. The complaint filed by the Department of Justice in federal court stated that Ring “gave every employee…full access to every customer video.” Beyond allowing unauthorized access, Ring’s lapses when it came to customer security also meant that company employees were able to download customer videos and then share those videos freely with anyone. The videos could be downloaded, saved, and even transferred by both Ring employees and contractors based out of Ukraine.

Ring Employees Spied on Customers

One Ring employee allegedly accessed and viewed thousands of recordings from Ring security videos being used by female customers. According to the FTC, this employee targeted 81 different women who were using the Ring Stick Up Cams. The employee’s criminal actions included focusing searches on Ring cameras with names suggesting that they had been placed in customer bedrooms or bathrooms. The illegal spying reportedly continued for months before Ring took any action at all to stop it.

Another Ring employee was accused of accessing a camera belonging to a female employee and subsequently spying on her by watching video recordings stored on her account.

These privacy beaches continued for months and, in many cases, years before Ring finally took action to limit what the FTC called “dangerously overbroad access” and impose any kind of technical or procedural restrictions on employees who were trying to access customers’ home security videos. Additionally, the FTC complaint stated that Ring did not obtain consent for human review of video recordings, and that the company “buried information in its Terms of Service and Privacy Policy.” This meant that consumers had no way of knowing that Ring employees had access to their stored videos.

Ring Exposed Consumers to Cyberattacks by Hackers

Ring also had insufficient security measures to protect customer information against hacking, which led to some customer accounts being compromised via credential stuffing and brute force attacks. The FTC alleged that the doorbell company’s failure to fix “bugs in the system” allowed hackers to access customer cameras and, in some cases, to harass and frighten customers. This stemmed from “system vulnerabilities,” which Ring failed to repair despite knowing that the problems existed.

During one cyberattack committed against Ring, more than 55,000 U.S. customers had their Ring accounts compromised. Nearly 1,000 of these customer accounts had their stored videos unlawfully accessed, which included viewing, downloading, and sharing of recordings, livestream videos, and customer profiles.

Amazon Settles Ring Consumer Privacy Complaint

The Ring settlement with the DOJ and the FTC requires Amazon to pay $5.8 million. That money will be used to issue refunds to Ring customers who were affected by any privacy violations and data breaches. The settlement also requires Amazon to delete Ring data that had been stored since before Amazon acquired the company. Amazon must also implement new privacy and security measures to ensure that consumer data is not exposed or compromised, including multi-factor authentication before access is granted to customer accounts.

Both the Alexa settlement and the Ring settlement will need to be approved by federal judges before they take effect.

California Laws Protecting Consumers Against Invasion of Privacy: CIPA, CCPA, CLRA, and UCL

California’s consumer protection laws are among the strongest in the country, with the California Invasion of Privacy Act (CIPA), the California Consumer Privacy Act (CCPA), the Consumers Legal Remedies Act (CLRA), and the California Unfair Competition Law (UCL) providing robust protections against invasion of privacy, false advertising, and consumer fraud that go even further than federal laws like the FTC Act and COPPA. For example, companies that do business in California are not allowed to expose or share the sensitive personal information that you disclose when you use their products, services, or websites.

California’s digital privacy and consumer protection laws also explicitly prohibit companies from illegal wiretapping on websites, unauthorized recording of online chats, sharing the personal data of customers, false advertising that misleads consumers, and other deceptive business practices.

Contact the California Consumer Protection Attorneys at Tauler Smith LLP

Did you purchase or use a home security camera, doorbell camera, Alexa device, or any other internet-connected device? If so, your privacy may have been invaded in violation of both federal and California state laws. The experienced Los Angeles consumer protection lawyers at Tauler Smith LLP can help you file a civil suit for invasion of privacy and get financial compensation. Call 310-590-3927 or email us today.

Goodyear Tires Wiretapping Lawsuit

Goodyear Tires Wiretapping Lawsuit to Proceed

/in /by

Goodyear Tires Wiretapping Lawsuit

In a highly anticipated ruling, a federal judge in California recently denied Goodyear’s motion to dismiss wiretapping claims based on their use of third-party chat applications hosted on their website. This ruling allows the Goodyear Tires wiretapping lawsuit to proceed. The complaint alleges that when users visit www.goodyear.com/ and use the website chat feature, they share personal data in communications that are unlawfully recorded and transcribed. The plaintiff alleged that Goodyear was allowing a third-party company to intercept, eavesdrop, and store transcripts of the conversations, which is prohibited by the California Invasion of Privacy Act (CIPA).

Do you live in California? Did you use a chat feature on a commercial website? You may be eligible to file a civil suit for invasion of privacy and get financial compensation. Contact us now.

CIPA Claim: Judge Denies Motion to Dismiss Goodyear Wiretapping Lawsuit

The California Central District Court recently issued a ruling in a case involving allegations that Goodyear Tires violated the California Invasion of Privacy Act (CIPA) by wiretapping user chats on the company’s website. The federal court agreed with the plaintiff that the chat feature violated the CIPA, ruling that the plaintiff contends that Goodyear used a third-party service to “intercept in real time” website visitors’ chat conversations. The court added that the allegation that user messages were unlawfully intercepted “is to be taken as true at this stage of the case.”

In her CIPA claim, the plaintiff alleged that visitors to the Goodyear Tires website share “sensitive personal information” when they use the chat conversation. Significantly, the court ruled that the plaintiff pled sufficient facts for a claim under § 631(a) of the CIPA by showing that chat communications were intercepted, and those communications plausibly contained “more than mere record information” such as her name and address.

Wiretapping of Smartphone Communications

The California Central District Court also addressed the fact that the plaintiff accessed the Goodyear Tires website on her smartphone, which is considered a cellular phone with web capabilities. The federal court noted the precedent set by other courts that have applied § 632.7 of the CIPA to internet-based communications, ruling that the plaintiff has sufficiently alleged that users of Goodyear’s chat feature have a reasonable expectation of privacy because they share highly sensitive personal data.

California Has the Strongest Data Privacy Laws in the Country

California’s consumer protection laws include the California Invasion of Privacy Act (CIPA), the California Consumer Privacy Act (CCPA), and the California Privacy Rights Act (CPRA). The CIPA requires companies to get permission before recording any online chats, while the CCPA gives customers the right to prevent companies from sharing their personal data and the CPRA bolsters those digital privacy protections. California’s data privacy laws go even further by placing the onus on companies to make efforts to warn customers if their phone conversations or online chats are being monitored or recorded. In fact, California has some of the strongest such laws in the country. This may be why Goodyear’s terms of use include a forum selection clause requiring claims to be filed in another state: Ohio.

Goodyear Website Terms of Use

The Goodyear Tires website has a “Terms of Use and Privacy Policy” hyperlink at the bottom of the homepage. Site visitors can only see this link by scrolling all the way down on the website. When a user clicks on this link, they are directed to a “Terms, Conditions & Privacy Policy” page that includes another link for Terms of Use. There is no option for the user to click a button acknowledging that they have read the terms of use. Buried deep on this page is a section on “Applicable Laws,” which includes a forum selection clause stating that anyone who uses the Goodyear website automatically consents to litigating any legal disputes in an Ohio courtroom.

Goodyear Forum Selection Clause

In a recent lawsuit filed in California by Los Angeles false advertising attorney Robert Tauler against Goodyear, the tire company attempted to get the case moved to a jurisdiction with less stringent consumer protection laws. Goodyear specifically requested that the venue be changed from the U.S. District Court for the Central District of California to the District Court for the Northern District of Ohio.

Goodyear Tires argued that the plaintiff already agreed to having any legal proceedings handled in Ohio because she used the Goodyear website and automatically consented to the forum selection clause contained in the website’s “Terms of Use.” Robert Tauler responded on behalf of the plaintiff and persuasively argued that it was not possible for the plaintiff to legally consent to the forum selection clause because there was neither actual nor constructive notice of the “Terms of Use.”

The California federal trial court hearing the case ultimately rejected Goodyear’s motion to change venue, which means that the case will be adjudicated in the California Central District Court and decided under California’s very strong invasion of privacy and consumer protection laws. The court gave several reasons for ruling in favor of the consumer-plaintiff and against Goodyear, including contract formation laws which require mutual assent in order for a contract to be binding on both parties.

Are Internet Contracts Legally Enforceable?

The Ninth Circuit Court of Appeals previously identified two categories of internet contracts like the Goodyear terms of use:

  1. Clickwrap Agreements: Site visitors must check a box to confirm that they agree with the website’s terms and conditions of use.
  2. Browsewrap Agreements: Site visitors are able to click on a hyperlink that will take them to a page with the website’s terms and conditions of use.

An important aspect of browsewrap agreements is that it is possible for a site visitor to continue using a website without knowing that the agreement even exists. That’s because browsewrap agreements like the one on the Goodyear Tires website do not require site visitors to take any affirmative action. This creates a legal issue for internet contracts that rely on browsewrap agreements since users might not have an opportunity to assent to the terms of use. Courts have held that such a contract can only be valid if the website user had either actual or constructive notice of the terms and conditions.

Goodyear Browsewrap Agreement

The Goodyear browsewrap agreement does not qualify as a valid, legally binding internet contract because the website terms of use are inconspicuous: the hyperlink can only be seen when the user scrolls to the bottom of the page, and the text does not stand out against the background colors. This does not provide the user with sufficient notice. In Wilson v. Huuuge, Inc., the Ninth Circuit Court of Appeals held that courts should not enforce a similar smartphone app agreement “where the terms are buried at the bottom of the page or tucked away in obscure corners of the website.”

Additionally, there is nothing on the Goodyear Tires website that requires the consumer to click a button, check a box, or take any other action that would unambiguously convey their assent to the terms of use. This also means that site visitors are not provided with constructive notice of the website terms of use which they are supposedly agreeing to abide by.

Class Action Lawsuit Against Goodyear Tires for Violating California’s Wiretapping Law

When you visit a website, you have an expectation that your personal data will be protected and that any conversations you have on the website will remain confidential. The Los Angeles consumer protection attorneys at Tauler Smith LLP help clients file CIPA claims both individually and in class action lawsuits against companies that violate California’s data privacy laws. For example, our attorneys have represented individuals whose data was compromised due to illegal wiretapping and eavesdropping, including chat conversations on company websites.

The CIPA is a criminal statute that subjects companies to criminal penalties, including jail time and substantial fines. Victims can also bring civil lawsuits to recover statutory damages of $5,000 for each illegally recorded conversation. In some cases, it may be possible to recover treble damages, meaning that plaintiffs are eligible for up to three (3) times the total economic damages caused by the invasion of privacy.

Contact the California Consumer Protection Attorneys at Tauler Smith LLP Today

Did you use the chat feature on the Goodyear Tires website? Did you use a chat feature on any other commercial website? If so, your personal data may have been unlawfully recorded without your consent and in violation of both state and federal wiretapping laws. The California consumer protection lawyers at Tauler Smith LLP can help you. Call 310-590-3927 or send an email to learn more and find out if you are eligible to file a CIPA claim.