Light, (Camera), Class Action! After Seven Years of Dormancy Since Inception, Businesses See Class Action Lawsuits for Alleged Violations of California's "Shine the Light" Act

The past month has seen a new pattern of class action lawsuits filed in California courts against businesses for allegedly violating California’s Shine the Light privacy law (the “Act”). For seven years since the Act became effective, well-intentioned businesses have understandably had the sense that their compliance approach has been sound, and we have seen no challenges to that notion. Recent class actions have alleged non-compliance on technical grounds as frivolous as the title of the privacy policy being “Privacy Policy” instead of “Your Privacy Rights.” Why should that cost a business $500 - $3,000 per California customer? We would have to ask the plaintiffs’ lawyer that question.

Under the Act, Cal. Civ. Code §1798.83, California residents have the right to request from a business with twenty or more employees, with whom they have an established business relationship, certain information about the business’s disclosure of personal information to third parties for direct marketing purposes. Specifically, such California residents may ask for details about what personal information the business shares with third parties for those third parties’ direct marketing purposes during the immediately preceding calendar year. 

There are several compliance options available to businesses under the Act. One option is for the business to adopt and disclose to the public in its privacy policy a procedure that allows its California customers to opt-out of the business’s sharing of their personal information for third parties’ direct marketing purposes. Alternatively, a business can inform its California customers of the business’s designated contact point to which a request under the Act should be directed in any of the three following ways: (A) by instructing its agents or employees to inform the customers of such information; (B) by including such information in the business’s web site privacy policy with the required emphasis and conspicuousness; or (C) by making such information available to customers at the business’s physical locations. 

Although the Act has been effective since 2005, there are to date no published decisions under it. But that may change with this month’s wave of class action lawsuits. The complaints in the recently filed class action lawsuits share the same allegation (in addition to sharing the same plaintiff’s lawyer): that each respective business failed to comply with its obligations by not providing its California customers with the information necessary for them to make requests under the Act.

According to Cal. Civ. Code §1798.84(c), violating the Act can result in a civil penalty of up to $500 per violation, unless the violation is willful, intentional or reckless, in which case the business can be on the hook for as much as $3,000 per violation. However, businesses are given a ninety-day cure period before they can be held in violation of the law, as long as their violation was not willful, intentional or reckless. Many companies that have been challenged may be able to avail themselves of this safe harbor to avoid costly settlements and class notification expenses.

Although these cases are still in their early stages and it is not clear how things will be resolved, it is important to note that while complying with the Shine the Light privacy law may be burdensome, noncompliance may result in a business’s lights being dimmed, or, given the possibility of statutory damages, turned off for good.

Superiority Beats Enormity: 9th Circuit Rejects Denial of FACTA Class Certification Based on Disproportionality of Damages

In a decision filed September 27, 2010, the U.S. Court of Appeals for the Ninth Circuit reversed a California district court’s refusal to certify a class action alleging violations of the Fair and Accurate Credit Transactions Act (“FACTA”) because, among other things, the defendant’s potential liability for statutory damages was out of proportion to any harm suffered by the plaintiff. In a complete rejection of the lower court’s decision, the Ninth Circuit ruled that none of the three grounds advanced below – the disproportionality between the potential liability and the actual harm suffered, the enormity of the potential damages, or the defendant’s good faith compliance with FACTA after being sued – justified denying class certification on superiority grounds. The Ninth Circuit’s decision narrows, if not eliminates, the potential for disagreement among district courts on an issue that has for some time been a fly in the ointment for class action plaintiffs (and their attorneys) hoping for big paydays on account of harmless technical violations of FACTA.

In Bateman v. Am. Multi-Cinema, Inc., the plaintiff filed a class action complaint alleging that from December 2006 to January 2007 AMC issued approximately 290,000 credit and debit card receipts from its automated box office machines that included both the first four and last four digits of customers’ payment card account numbers. The U.S. District Court for the Central District of California denied Bateman’s motion for class certification because Bateman failed to show that a class action would be the superior method of adjudicating his claim, as required by Federal Rule of Civil Procedure 23(b)(3). In the court’s view, class treatment might result in an enormous statutory damages award “completely out of proportion to any harm suffered by the plaintiff.” Moreover, the court cited AMC’s good-faith efforts to comply with FACTA shortly after the plaintiff filed his complaint to support its conclusion that class treatment would not further the purpose and policy of FACTA.

On appeal, despite acknowledging that the trial court must be given “wide discretion” to consider the most appropriate procedure in each case, including Rule 23(b)(3)’s superiority requirement, the Ninth Circuit held that the lower court abused this discretion by denying class certification to Bateman. Specifically, the Ninth Circuit concluded that FACTA did not give judges discretion to depart from the $100 to $1,000 per violation range of statutory damages where they find that such damages are disproportionate to the actual harm suffered. In addition, the Ninth Circuit found it inappropriate to consider the size of any damages award at the class certification stage, particularly since Congress did not see fit to impose a cap on potentially enormous statutory damage awards under FACTA despite several clear chances to do so. Finally, the Ninth Circuit concluded that denying class certification on account of AMC’s good-faith compliance (post-complaint) “undermines the deterrent effect of FACTA itself.” For these reasons, the appeals court reversed the lower court’s decision and remanded the case back to the lower court for further review.

While the Ninth Circuit’s Bateman decision should not substantively change companies’ approaches to compliance with FACTA, the case makes clear that companies cannot rely on discretionary factors to stamp out potentially excessive statutory damages awards that are otherwise available for even harmless miscues.

We'll Give You (and Your Friends) a Hoodie to Go Away: Class Settlement in FACTA Truncation Lawsuit Receives Preliminary Approval

On February 3, 2010, Chief Judge Gary L. Lancaster of the U.S. District Court for the Western District of Pennsylvania preliminarily approved a class action settlement between Aramark Sports, LLC and a class of approximately 5,000 customers who made credit or debit card purchases from stores at PNC Park in Pittsburgh, Pennsylvania between March 24, 2009 and April 23, 2009. If approved at a final class action fairness hearing scheduled for April 5, 2010, the proposed settlement filed in Hanlon v. Aramark Sports, LLC, No. 09-cv-465 (W.D. Pa. Feb. 3, 2010), would resolve allegations made by the plaintiffs that Aramark violated the Fair and Accurate Credit Transactions Act’s (“FACTA”) truncation requirements by electronically printing receipts that contained (a) more than the last 5 digits of the plaintiffs’ credit or debit card numbers and/or (b) the expiration date of such cards. See our posts here and here for information about cases alleging similar violations of FACTA’s truncation requirements.

Under the terms of the proposed settlement, each class member will be offered a settlement relief voucher good for any one of the following: (a) $50 off a purchase of $100 or more, (b) a “classy” tee shirt with a suggested retail value of up to $40 or (c) a hooded sweatshirt (“hoodie”) with a suggested retail value of approximately $55. The voucher will be redeemable at any store in PNC Park, the home of Major League Baseball’s Pittsburgh Pirates. Aramark has agreed that, if the settlement is approved, it will distribute not just those settlement relief vouchers claimed by members of the class, but a total of 4,773 vouchers – one for each electronically printed receipt alleged to have violated FACTA. To effectuate this requirement, beginning fifteen days after in-store notices to class members are removed, Aramark will distribute unclaimed vouchers to every customer who makes a purchase using a credit or debit card at PNC Park. Aramark will also be responsible for the costs of notifying class members regarding the settlement and paying class counsel’s fees of $105,000.

While coupon or voucher settlements are generally frowned upon by courts, Judge Lancaster acknowledged that such relief “appears well suited to the [FACTA] violations alleged, especially in light of the lack of actual damages.” The court’s acknowledgement lends credence to the denial of class certification, in, for example, Soualian v. International Coffee & Tea LLC, No. 07-cv-502 (RGK) (C.D. Cal. June 11, 2007), on account of the damages sought being disproportionate to the actual harm suffered by the class.

Recent Death of Data Breach Class Action Resuscitates Lack of Standing Arguments in Identity Exposure Cases

On November 23, 2009, a federal court in Missouri bucked the recent trend in identity exposure lawsuits and refused to recognize Article III standing in a class action lawsuit that alleged simply an increased risk of identity theft resulting from a data breach. In Amburgy v. Express Scripts, Inc., Magistrate Judge Frederick R. Buckles of the U.S. District Court for the Eastern District of Missouri held that “plaintiff’s asserted claim of ‘increased-risk-of-harm’ fails to meet the constitutional requirement that a plaintiff demonstrate harm that is ‘actual or imminent, not conjectural or hypothetical.’ Plaintiff has therefore failed to carry his burden of demonstrating that he has standing to bring this suit.” Consequently, the Court dismissed the plaintiff’s action – which included claims for negligence, breach of contract, violations of state data breach notification laws and violations of Missouri’s Merchandising Practices Act ("MPA”) – in its entirety for lack of subject matter jurisdiction pursuant to Rule 12(b)(1) of the Federal Rules of Civil Procedure. In doing so, the court breathed new life into the lack of standing argument that had begun to fall out of favor in identity exposure cases.

Prior to the Court’s decision in Amburgy, the trend in lost data cases had been in favor of finding subject matter jurisdiction, even where the plaintiff's allegations failed to state a valid cause of action. (See our post regarding McLoughlin v. People’s United Bank, Inc. here.) Indeed, as Judge Buckles observed in his opinion, subsequent to the Seventh Circuit’s decision in Pisciotta v. Old Nat’l Bancorp, “district courts have consistently determined that claims of increased risk of identity theft resulting from security breaches sufficiently allege an injury-in-fact to confer Article III standing.” After noting the Seventh Circuit’s lack of discussion in Pisciotta about applying the U.S. Supreme Court’s recognized standards for determining standing under Article III, Judge Buckles engaged in a thorough analysis of the plaintiff’s standing to sue. Relying principally on the Supreme Court’s opinion in Whitmore v. Arkansas, the Court concluded that the plaintiff lacked standing because he “cannot show that he has suffered or will immediately suffer a concrete injury-in-fact.”

In addition to dismissing all of plaintiff’s claims for lack of subject matter jurisdiction, the Court explained that the claims for negligence, violations of state data breach notification laws and violations of Missouri’s MPA also should be dismissed under Rule 12(b)(6) of the Federal Rules of Civil Procedure for failing to state a viable cause of action. The Court pointed out that Plaintiff’s breach of contract allegations stated a claim for at least nominal damages under Missouri law, but the Court lacked subject matter jurisdiction to entertain the matter.

Who Cares If A List of Email Addresses Gets Stolen?

A typical corporate data security policy classifies consumer contact information as confidential, but not “highly confidential” or “sensitive.” Should mere contact information be afforded greater protection?

One case on point has dragged on since late 2007, when Ameritrade reported that a database of its customers’ contact information (including names, physical addresses, email addresses and phone numbers) had been compromised. A class action lawsuit quickly followed, and the third settlement attempt was rejected just recently by the court on the grounds that, in the judge’s view, it provided an inadequate remedy for the affected consumers.

The rejected settlement would have required Ameritrade to:

  • Post notices on its Web site warning customers about “stock touting spam”
  • Retain independent experts to conduct biannual penetration tests on its systems
  • Seed its email address databases with monitored email addresses for the purpose of detecting data compromises
  • Offer to pay for one year’s worth of a spam or virus filtering service for each of the 6 million customers whose email addresses were compromised
  • Retain an analytics specialist to perform analyses of whether the compromised data has been used to commit identity theft
  • If identity theft is detected, offer class members identity theft remediation services
  • Donate $55,000 to two anti-spam projects
  • Pay plaintiffs’ counsel $1.9M in attorneys’ fees

Since these settlement terms did not satisfy the judge, the parties will reconvene at a hearing on December 10, 2009.

The Ameritrade case has served as a reminder that companies should not ignore the importance of keeping contact information secure while focusing primarily on more sensitive information such as Social Security Numbers and financial account numbers. However, applicable laws that require companies to protect the security of individuals’ information generally do not apply to mere contact information. For that reason, it is still appropriate to classify contact information as “confidential” as long as your policies provide for reasonable protections for such information. As an example, since customer databases compile all customer contact information into one place and are an attractive target for hackers, such databases should be afforded greater protection than individual documents that contain just one customer’s name and contact information. Similarly, when disposing of paper files containing customer contact information en masse, it would be a best practice, although not required by U.S. law, to shred such documents upon disposal.

No Shopping Spree for Plaintiffs Under California's Song-Beverly Credit Card Act

On May 22, 2008, the California Court of Appeal narrowed the scope of claims available under California’s Song-Beverly Credit Card Act of 1971, California Civil Code § 1747.08, ruling that the statute is subject to the one-year statute of limitations of Code of Civil Procedure section 340 and does not apply to merchandise returns.

California Civil Code § 1747.08 prohibits a retailer that accepts credit cards from, among other things, requesting, or requiring as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the retailer writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise. Subdivision (e) of the statute provides that "[a]ny person who violates this section shall be subject to a civil penalty not to exceed two hundred fifty dollars ($250) for the first violation and one thousand dollars ($1,000) for each subsequent violation, to be assessed and collected in a civil action brought by the person paying with a credit card, by the Attorney General, or by the district attorney or city attorney of the county or city in which the violation occurred."

The TJX Companies, Inc., T.J. Maxx of CA, LLC, Marshalls of CA, LLC, Marshalls of MA, Inc., and Marmaxx (collectively, TJX) sought a writ of mandate compelling the trial court to grant their motion to strike portions of the complaint that defined the class as users of credit cards "within the last three . . . years." The court found that the penalty imposed in subdivision (e) of the statute, using the language "shall be subject to" is mandatory and therefore is "[a]n action upon a statute for a penalty" subject to the one-year statute of limitation of California Code of Civil Procedure section 340.

The court also held that the plain language of section 1747.08 does not apply to returned merchandise and directed the trial court to vacate its order overruling TJX’s demurrer to the complaint. Among other things, the court noted that "there are substantial opportunities for fraud" in connection with merchandise returns and "it behooves the merchant to identify the person who returns merchandise, which subsequent examination may disclose to have been used, damaged, or even stolen."