Partner Justine Gottshall Interviewed by Cybersecurity Law Report

Partner Justine Young Gottshall was interviewed regarding key issues for mobile apps in the Cybersecurity Law Report on August 3, 2016 (note that a subscription or registration for a free trial is required to access the full article).

Is Pokémon Go Pushing the Bounds of Mobile App Privacy and Security?

The popularity of the new app Pokémon Go, an augmented reality game in which players use their mobile devices to catch Pokémon characters in real-life locations, continues to grow despite security and privacy concerns. Intelligence firm Sensor Tower estimates the game has been downloaded 75 million times. The game’s success brings to light a number of privacy issues generally tied to the collection, storage and sharing of user information by mobile apps, as well as users’ control of those actions and the app’s disclosure practices. Justine Gottshall, a partner at InfoLawGroup, and Shook, Hardy & Bacon attorney Eric Boos recently spoke with The Cybersecurity Law Report about these issues as well as the recently filed lawsuit alleging that the Pokémon Go terms of service and privacy policy are deceptive and unfair.



The NAD’s First Native Ad Case Since Issuance of FTC Native Ad Guides

Just five months after the Federal Trade Commission (“FTC”) released its Native Ads Policy Statement, the National Advertising Division of the Better Business Bureau (“NAD”) has followed suit and issued a decision in its investigation of Joyous Inc.’s (“Joyous”) native advertising practices (NAD Case #5956, 05/19/16).

In its routine monitoring, the NAD explored the formatting and placement of Joyous ads in the Style Watch section of the online version of People Magazine, as well as claims about the efficacy of its products. While Joyous discontinued the efficacy claims at issue, the NAD conducted a complete analysis of the native advertising content on


InfoLawGroup LLP Formalizes Privacy in M&A Practice

InfoLawGroup announces that it has formalized its Privacy in M&A practice group, which brings together its experienced attorneys to work closely with clients on the privacy and security issues that can arise when purchasing, investing in, or merging with another entity.  While we have been addressing these issues for some time and across related practice areas, we believe a more formalized practice group will allow us to better serve our clients.  This is an area growing in importance, as data is increasingly a significant asset for the selling and acquiring companies.  For more information, please contact Justine Young Gottshall or Mark Paulding.




Brexit: What It Means for Global Information Managers

The British electorate has voted to leave the European Union, rejecting the pleas of all major political parties and most business, media, and legal experts across the political spectrum.  Prime Minister Cameron announced that he will resign in October and that his successor will then work out the details of withdrawal from the EU.

What does this mean for US-based multinationals and other global companies that do business in Europe, often from a base in the UK?  Specifically, what is the impact on handling information across the English Channel and across the Atlantic?


FTC Settles Complaint against Mobile Ad Network InMobi over Location-Data Collection & COPPA Violations

The FTC announced today that it reached a settlement with mobile ad network InMobi. InMobi offers a software-development kit (SDK) that its third-party app-developer customers can integrate into their mobile applications. The SDK allows InMobi to target advertisements to app users based on data collected and allows the app developer to thereby better monetize its advertising inventory.

The FTC alleged that – after representing to its developer customers that it would collect location information only after an app user opted into such collection – InMobi broadly collected location data from all app users, even those who denied an app’s request to collect such data.  Notably, the FTC did not allege that InMobi simply ignored a user’s decision and accessed device location data anyway.  Instead, the FTC alleged that InMobi built a mechanism whereby it could effectively sidestep the consumer’s choice and determine his or her location through means other than direct access to device location data.


Now What? Plaintiffs Attack Popular Disclaimers in Online Terms of Use

In Short:

An old New Jersey law – the Truth-in-Consumer Contract, Warranty and Notice Act or TCCWNA – is now being used to challenge website Terms of Use in a flurry of recently filed cases. These cases have not yet produced any guidance from the courts and the nebulous nature of the law complicates compliance. However, while we wait for more guidance from the courts, any business that operates a website and offers consumers goods or services should take the opportunity to review its Terms of Use and other consumer-facing contracts and attempt to address any potential vulnerabilities implicated by this wave of lawsuits.

In Full:

If you operate a website, mobile app, or other online service that operates under a Terms of Use or similar user agreement, you should be aware of a recently filed group of purported class-action suits. The suits all make claims under New Jersey’s (perplexingly hyphenated) “Truth-in-Consumer Contract, Warranty and Notice Act,” N.J. Stat. § 56:12-14 et seq. (“TCCWNA”). The TCCWNA is a long-standing law (originally enacted in 1981), but was not heavily litigated until fairly recently. After gaining steam over the past few years, however, it has been the basis for a torrent of complaints filed in recent months that give the TCCWNA a new application: using it to challenge the various defendants’ website Terms of Use.


GDPR: Getting Ready for the New EU General Data Protection Regulation

Four years in the making, the European Union’s General Data Protection Regulation (GDPR) obtained its final legislative approval on April 14, and the final text was published in the Official Journal yesterday.  It will be enforced after a two-year transition, beginning on May 25, 2018, replacing the national laws and regulations based on the venerable 1995 EU Data Protection Directive and reaching companies that target EU consumers from outside the EU.

While the GDPR largely retains the principles and terminology of the 1995 Directive, it also adds some new principles with uncertain consequences, such as a stricter concept of consent, a requirement for data portability, and a “right to be forgotten.” At the same time, it offers hope for a greater level of uniformity across Europe, which multinational enterprises may welcome, as well as relief from registration burdens that have persisted in many countries (although this is offset by a new obligation to notify security breaches).


First Circuit Ruling May Extend Reach of VPPA

On April 29, 2016, the First Circuit Court of Appeals addressed the question of what data constitutes “personally identifiable information” and who is a “subscriber” under the Video Privacy Protection Act (VPPA) in Yershov v. Gannett Satellite Information Network, Inc. The plaintiff claimed that Gannett shared information identifying him and the video clips that he watched through the app with Adobe, which provided analytics services for the mobile app. As described in greater detail below, the court decided that

  • downloading and using the USA Today mobile app (without monetary payment) could make a person a subscriber and
  • sharing device identifier and precise geolocation data (along with a description of the video clips viewed) may be a disclosure of personally identifiable information.

Businesses that publish mobile apps (or websites) that show video materials and the third party service providers that may receive information about the content and those who view the content (particularly precise geolocation data) should carefully follow the case when it returns to the trial court.


Math Question As Age-Gate and Invite-A-Friend Under Fire

The Children’s Advertising Review Unit of the Council of Better Business Bureaus (“CARU”) routinely monitors web sites and mobile apps for compliance with its Guidelines and the Children’s Online Privacy Protection Act (“COPPA”).  Through that routine monitoring, CARU recently discovered the information practices of the 1st through 7th grade mobile applications called Friendzy (e.g., 1st Grade Friendzy). Kids can play the games available in the apps without registering, but the games offer a registration feature to track the time spent on the app and see points earned.  In-app purchases are also available.  Registration required full name, username, password, email address, country, city, zip code and grade of the student.  Here is what happened during registration:

  • If you clicked to register, a pop-up box presented the following statements: “Ask your parents.  Parental permission is required to continue.”
  • The registration page included tabs at the top labeled STUDENT, PARENT AND TEACHER.  PARENT was set as the default tab.
  • Then, a pretty basic math question with six possible answers was presented.
  • Incorrect answers resulted in a new question and you could keep going through questions until you got it right on the first try.
  • After registration, you could invite friends via email (the native email app on the device) or via text (the native text app on the device).


FTC Enters Proposed Consent Order Against Lord & Taylor for Native Advertising Campaign

The Federal Trade Commission (“FTC”) has wasted no time in bringing an action against an advertiser for allegedly deceptive native advertising. The FTC released its Enforcement Policy on Deceptively Formatted Advertisements (“Native Advertising Guidelines”) in late December 2015 (which we blogged about here) and last week the FTC concluded an enforcement action against Lord & Taylor, LLC (“Lord & Taylor”) for its native advertising campaign.
