California and 14 other states plus the District of Columbia have laws that restrict the collection of personal information at the point of sale when payment is by credit card. Unfortunately for retailers, the scope of prohibited conduct under these laws is not always clear. Complicating matters further, these laws were generally enacted in the early 1990s, but are now being applied to retail practices that could not have been contemplated at the time the statutes were enacted. For instance, plaintiffs have sued under these laws to address modern retail practices, such as rewards or customer loyalty programs, e-receipts, unmanned kiosks, and the collection of ZIP codes for CRM purposes. Plaintiffs have also argued – unsuccessfully so far in California under the Song-Beverly Credit Card Act – that these laws apply online. Litigation under these laws is increasing, following consumer-friendly decisions from the California and Massachusetts high courts. This article provides an overview of the current state of point of sale data collection laws, including recent and pending litigation, and makes predictions regarding where the law is heading.
In a recent decision, United States District Judge Stephen V. Wilson granted summary judgment to defendant Sabre Inc. (“Sabre”) on the basis that the plaintiff provided her “prior express consent” to receive text messages simply by providing her mobile number on a contact form. Baird v. Sabre Inc., Case No. CV 13-999 (C.D. Cal. Jan. 28, 2014).
The plaintiff had booked a flight for her and her family on Hawaiian Airlines’ website, the contact section of which required that the user enter at least one of his/her home, work or mobile numbers. The plaintiff provided her mobile phone number where requested in this section. About a month before her scheduled departure, and three weeks after booking, Sabre, who provides travel notification services for Hawaiian Airlines, sent a text message to the plaintiff’s mobile phone that invited her to reply “yes” to receive flight notification services. She did not respond and Sabre sent her no further messages. The plaintiff then brought this action alleging that Sabre violated the Telephone Consumer Protection Act, 47 U.S.C. § 227, et seq., (“TCPA”) by sending her the unsolicited text message described above.
In its motion for summary judgment, Sabre argued as an affirmative defense that the plaintiff’s voluntary act of providing her mobile number to Hawaiian Airlines constituted the prior express consent required by the TCPA, and the court granted Sabre summary judgment on this basis.
The court’s reasoning is in line with TCPA cases that allow creditors to reach out to debtors who have provided their mobile numbers via auto-dialed “robocalls.” Both this case and the creditor-debtor line of cases rely on a 1992 Federal Communications Commission (“FCC”) rulemaking action which explained that “persons who knowingly release their phone numbers have in effect given their invitation or permission to be called at the number which they have given, absent instructions to the contrary.” In re Rules & Reg’s Implementing the Tel. Consumer Prot. Act of 1991, 7 F.C.C.R. 8752, 8769 ¶ 31 (1992) (“1992 FCC Order”) (citing H.R. Rep. No. 102-317, at 13 (1991) (“[T]he called party has in essence requested the contact by providing the caller with their telephone number for use in normal business communications.”)) (emphasis added). Despite the fact that the court admits that the FCC’s interpretation of “prior express consent” in the 1992 FCC Order “drains the term ‘express’ in the TCPA of its meaning,” the court holds that an individual who “‘knowingly releases’ [his/her] cellphone number . . . [gives] permission to be called at that number by an automated dialing machine.” Thus, in this decision, the court extended this reasoning beyond the creditor-debtor realm to all transactional calls.
- Although this decision further supports the position that “prior express consent” is obtained for purposes of transactional text messages when the consumer merely provides his/her mobile number, this does not change the requirements for obtaining “prior written express consent” for marketing text messages. Especially in light of new FCC requirements for advertising and telemarketing text messages (and all other advertising and telemarketing calls), you must ensure that you obtain the consumer’s clear, written permission prior to sending such consumer any marketing text messages. Further guidance on the new FCC amendments to its TCPA rule is available in our prior blog post on the topic.
- Additionally, despite the FCC’s rulemaking authority, its interpretation of “prior express consent” has been questioned as recently as May 2013. In Mais v. Gulf Coast Collection Bureau, a debt collection case, U.S. District Judge Robert N. Scola rejected the defendant’s argument that the plaintiff’s provision of a mobile number constituted “express” consent on the basis that the FCC’s interpretation was inconsistent with the plain meaning of “express.” Case No. 11-61936-Civ (S.D. Fla. May 8, 2013) (granting summary judgment for the plaintiff; currently pending appeal in the Eleventh Circuit). Likewise, there was a similar result in the Northern District of Illinois in late 2012, where summary judgment was granted in favor of the plaintiff because: (i) even though the plaintiff had consented to receiving calls on her mobile phone number, she did not provide her prior express consent to receive autodialed calls; and (ii) the case did not specifically fall under the creditor-debtor exception set forth in the FCC’s 2008 Order. Thrasher-Lyon v. CCS Commercial, LLC, No. 11-cv-4473, 2012 WL 3835089 (N.D. Ill. Sept. 4, 2012) (currently pending appeal in the Seventh Circuit).
In other words, Federal District Courts have recently taken inconsistent positions in interpreting “prior express consent” even in connection with transactional calls. Given the number of TCPA cases brought against often well-intentioned defendants, the conservative approach would be to obtain the user’s specific consent to receive text messages even in the transactional context (e.g., by employing language similar to “I agree to receive text messages regarding [this transaction] to the mobile number provided” on contact forms).
The FCC further clarified the use of robocalls in connection with debt collection in a 2008 order: “autodialed and prerecorded message calls to wireless numbers that are provided by the called party to a creditor in connection with an existing debt are permissible as calls made with the ‘prior express consent’ of the called party.” In re Rules & Reg’s Implementing the Tel. Consumer Prot. Act of 1991, 23 F.C.C.R. 559 ¶ 1 (2007) (“2008 FCC Order”) (quoting 47 U.S.C. § 227(b)(1)(A)).
It is well-settled that a text message is a “call” under the TCPA.
The BIG 2014 security stories concerning the Target, Neiman Marcus and Michaels payment card breaches have highlighted the significant criminal hacking and fraudulent payment card activity that goes on in the retail space. Of course, it was not so long ago that the Heartland Payment Systems breach (2008; 100 million cards exposed) and the TJX breach (2007; 45 million cards exposed) dominated the news cycle. The reactions in the media and among the public then were very similar to those today. The latest round of mega breaches occurred, however, despite the existence of the Payment Card Industry Data Security Standard for a decade. In fact, according to the Verizon 2014 PCI Compliance Report, only 11.1% of the organizations it audited between 2011 and 2013 satisfied all 12 PCI requirements. In other words, just under 90% of the businesses Verizon audited as a PCI Qualified Security Assessor failed. This raises the question, despite aggregate expenditures by merchants likely in the hundreds of millions of dollars (if not over a billion) over the last decade: has anything really changed?
Yes, in fact some things have changed — global card fraud losses have increased from about $3 billion annually in 2000 to about $11 billion annually in 2012 (source: the Nilson Report, August 2013). Organized crime has increased its activity in the payment card fraud space, and sophisticated economic ecosystems have sprung up to make the fraudulent use of payment cards more efficient. Payment card breaches are low risk (of getting caught) and high reward crimes, and activity in this space will continue to increase as a result (per the FBI):
The growing popularity of this type of malware, the accessibility of the malware on underground forums, the affordability of the software and the huge potential profits to be made from retail POS systems in the United States make this type of financially-motivated cyber crime attractive to a wide range of actors . . . we believe POS malware crime will continue to grow over the near term despite law enforcement and security firms’ actions to mitigate it.
Moreover, fraudsters have automated and scaled their attacks so they can go after payment cards held by small and medium businesses on a mass basis. These small and medium sized companies lack the sophistication, technical knowledge and resources to achieve full PCI-DSS compliance (or to take even basic steps like changing the default passwords on the remote access of a point of sale system). Breaches of small and medium businesses can result in severe financial difficulties and, in many cases, bankruptcy, not to mention the adverse impact and inconvenience suffered by cardholders and their issuing banks.
Payment card breaches are not 100% preventable, and for most merchants over time, are inevitable (indeed the practice of information security itself has recognized this generally by shifting its attention in recent years to not only prevention, but also detection, response, containment and mitigation of breaches). As such, rather than focus solely on cumbersome security standards such as PCI-DSS, payment card breaches should be viewed more from an overall risk management perspective.
A full risk management approach includes efforts not only to prevent and contain the breach itself, but also to mitigate the financial impact businesses and individuals may suffer in the wake of a breach. Spreading the risk of payment card breaches across the payment card ecosystem (e.g. merchants, banks, processors and card brands) is the best way to mitigate the systemic risk that exists. As such, it is time to consider whether cyber insurance should be mandated either by law or the card brands to achieve this goal.
Our Senior Counsel Mark Paulding assisted in the preparation of this post.
There is little argument that the issue of information security has bipartisan support in Congress. It has been some time since we have seen both parties come together for information governance legislation, but they did just that in December 2010, passing the Red Flags Clarification Act that narrowed the scope of the infamous Identity Theft Prevention Red Flags Rule, allowing the FTC to implement the rule after two years of delays. But battles over other issues have prevented Congress from focusing on cybersecurity since then. This is despite the recognition of increasing threats to the security of U.S. networks from foreign governments, “hacktivists,” and terrorists. Frustrated by the inaction, the Administration issued an Executive Order that called for enhanced cybersecurity measures. Now, NIST has published the first release of the Framework for Improving Critical Infrastructure Cybersecurity (“Framework”) designed to fulfill one of the mandates set by the Executive Order.
The order and the Framework target owners, operators and other entities that work with assets vital to the U.S. The White House has named a broad swath of critical industries, including:
- Chemical plants;
- Communications providers;
- Water supply facilities;
- Defense industrial base;
- Emergency services;
- Energy and utilities (including nuclear);
- Financial services;
- Food and agriculture;
- Government facilities;
- Healthcare industry;
- Information technology;
- Waste management and transportation systems; and
- Water and waste-water systems.
The Framework will apply – by extension – to the critical infrastructure owners’ and operators’ service providers.
Over the past few weeks, new revelations have provided greater insight into the breach of Target Corp. over the holiday shopping season. Notable among the recent news is the assertion that the cybercriminals behind the Target breach initiated their infiltration through HVAC vendor Fazio Mechanical (http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/). It is believed that the cybercriminals staged a phishing attack against Fazio Mechanical in order to steal credentials to access Target’s network remotely (http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/). Allegedly, these access credentials were used to infiltrate systems used to perform electronic billing, contract submission, and project management for Target vendors. From these systems, the attackers may have been able to gain access to the information systems used for processing payment card information, resulting in the reported theft of cardholder data. While many details about the Target breach remain to be uncovered, important lessons may be learned at this point.
A recent case underscores the importance of paying attention to the conditions set forth in a technology services agreement, and how those may affect the notion of a “work made for hire” under the Copyright Act.
Plaintiff web developer delivered a signed proposed contract to defendant customer on July 10, 2010. The proposed agreement contained the following provision:
To be valid, this agreement must be signed within 30 days of the date signed by [plaintiff], and be accompanied by an initial deposit.
The proposed agreement also provided that plaintiff was “producing this project as ‘works for hire’”.
Defendant did not sign the contract until seven months later, as negotiations on the scope of work continued. Plaintiff provided certain deliverables to defendant, but the relationship between the parties eventually broke down over payment disputes and whether plaintiff had met the development specifications.
Plaintiff sued defendant for copyright infringement because defendant continued to use the deliverables. Defendant countersued, claiming it actually owned the copyright in the deliverables pursuant to the agreement dated July 10. Plaintiff moved for summary judgment, arguing the July 10 agreement was never formed because defendant did not sign it within the required 30 day window.
The court agreed and granted plaintiff’s motion for summary judgment.
It found that plaintiff’s argument presented a threshold question of common law contract formation rather than copyright law. Viewed from the perspective of contract formation, the court observed, the July 10 agreement became a “dead letter” 30 days after plaintiff signed it, and defendant had not.
The fact the parties may have intended the deliverables to be works made for hire did not carry the day. The court held that “it does not matter what the parties intended, for Congress has rendered their intent non-determinative unless they expressed it in writing and signed it.” Under the Copyright Act, a “work made for hire” is one “specially ordered or commissioned … if the parties expressly agree in a written instrument signed by them that the work shall be considered a work made for hire.”
In this case, under copyright law, ownership of the deliverables never vested in defendant because defendant did not meet the condition precedent in the July 10 agreement by signing it within 30 days.
Zenova Corp. v. Mobile Methodology, LLC, 2014 WL 415952 (E.D.N.Y. February 4, 2014)
On Valentine’s Day last year, in a very unromantic gesture, Tiffany & Co. sued Costco Wholesale Corp. for allegedly selling knock-off engagement rings under the “Tiffany” trademark in a California store. The point of sale signs in the Costco store read:
“639911 – Platinum Tiffany .70CT, VS2, 1 Round Diamond Ring – 3199.99”
and
“605880 – Platinum Tiffany VS2.1 1.00CT Round Brilliant Diamond Solitaire Ring – 6399.99.”
Tiffany brought the lawsuit on its own turf in the Southern District of New York, asserting the following claims: trademark infringement, dilution, counterfeiting, unfair competition, injury to business reputation, false and deceptive business practices and false advertising. Tiffany argued that Costco sells high-end branded jewelry, such as Cartier, at a discount. Therefore, Tiffany argued, consumers are likely to be confused into believing that the “Tiffany” rings sold at Costco are rings made by Tiffany.
In response to the complaint, Costco went on the offensive and filed a counterclaim. In part, Costco argued “Tiffany is a generic term for ring settings comprising of multiple slender prongs extending upward from a base to hold a single gemstone.” In support of its counterclaim, Costco cited various dictionaries where “Tiffany” is defined as a jewelry setting C.L. Tiffany designed in 1886. Costco contended that through time, the words “Tiffany” and “Tiffany setting” have entered American English as generic terms for a type of a pronged ring setting. In short, Costco argued it wasn’t using “Tiffany” as a trademark, but rather as a good faith description of a ring setting.
Costco also pointed to several historical examples where trademarks had become “genericized,” meaning the principal significance of the trademark had become the indication of the nature or class of the good for which it is used, rather than an indication of the good’s origin. Notable examples of trademarks that have become genericized include “aspirin” for acetyl salicylic acid, “cellophane” for transparent cellulose sheets and films, “escalator” for a moving stairway, “Murphy Bed” for a bed that folds into a closet, and “pilates” for a form of exercise. In these cases, despite any effort on the trademark owners’ part to police their marks, the marks had become generic. As a result, the trademark owners could not foreclose others from using the marks in commerce. This can be true even for marks that have become incontestable under trademark law.
Tiffany filed a motion to dismiss Costco’s counterclaim that the “Tiffany” mark had become generic. In its motion, Tiffany argued that the primary significance of the “Tiffany” mark to the public is that of the “iconic [Tiffany] jewelry company.” Tiffany also called Costco’s argument “a claim that is made up out of whole cloth” and said Costco was trying to “turn the tables” on legitimate claims of trademark infringement.
In its recent decision, the court found that while none of the evidence Costco submitted was conclusive, the evidence taken together and read in the light most favorable to Costco in a pre-discovery context “was sufficient to frame a genuine factual dispute as to whether the terms ‘Tiffany’ and/or ‘Tiffany Setting’ have a primarily generic meaning in the minds of members of the general public in the context of ring settings.” Accordingly, the court denied Tiffany’s motion to dismiss the counterclaim.
The court’s denial of Tiffany’s motion to dismiss means that the case will proceed to discovery on both parties’ claims, meaning there is a chance that Tiffany, although the plaintiff, could face a finding that its “Tiffany” marks used in connection with the ring setting are generic and thus available for use by Costco and others. The potential risk of a finding of genericide is likely all the more of a bitter pill for Tiffany to swallow given Costco changed its marketing after Tiffany complained, and Costco reportedly only sold 2,500 of the allegedly infringing rings.
What this all means: Although the transformation of a trademark into a generic term is rare, it should be a concern for any trademark owner. So what can you do to prevent your brand from becoming a generic name? Although there is no surefire rule, the following measures can definitely help prevent genericide:
- Register your trademark to cover the actual goods or services for which the trademark is used in commerce;
- Do not use your trademark as a noun or verb and, instead, always use a generic term next to your trademark (e.g. “Xerox copy” and not “a xerox”; and “to copy” and not “to xerox”);
- Diligently monitor how your trademark is used publicly, internally, and by competitors;
- Use the ® or ℠, or ™ symbols with your trademark as appropriate to notify the public and members of the trade of your trademark ownership rights;
- Create guidelines on how to use your trademark correctly in commerce; and
- Take action against misuses, including generic use, of your trademark.
If you require assistance with developing a trademark strategy to avoid genericide, you may contact us at firstname.lastname@example.org.
The Canadian Radio-television and Telecommunications Commission (CRTC) has released final regulations to implement Canada’s Anti-Spam Legislation (CASL). CASL imposes notice and consent obligations on organizations that transmit Commercial Electronic Messages (CEMs) to individuals in Canada. The plain language of CASL is broader than that of some other anti-spam laws, such as the CAN-SPAM Act in the United States, applying to electronic communications beyond traditional e-mail, such as SMS text messages.
For example, the law requires that prior to the installation of computer programs on computers, the software publisher must present a description of the function of the computer program and acquire express consent from an authorized user. Also notable is the introduction of a private right of action with a three-year statute of limitations.
In addition, an entity that acquires electronic addresses from a third party that obtained the consent from individuals to collect those addresses must identify the source of the electronic addresses in its CEMs. Thus, if an e-mail address is collected from website visitors by the publisher of the website, sold to a mailing list aggregator, then resold to a retailer, the retailer must identify the website publisher in its CEM.
In the first case of its kind (that I am aware of), the California Attorney General’s office filed a complaint against the Kaiser Foundation Health Plan, Inc. (“Kaiser”) alleging a violation of California’s “unfair competition law” (Business and Professions Code sections 17200-17210) arising out of a personal information security breach and delayed notification. This lawsuit is interesting because the AG’s office alleges that the timing of Kaiser’s notification violated California’s breach notification law (California Civil Code section 1798.82, subdivision (a)). It also comes on the heels of the Target breach where people are questioning Target’s 3-week “delay” in providing its initial notification. As discussed further below the fold, the outcome of this case could impact when and how companies subject to California’s breach notice law provide notice to affected individuals. Moreover, considering California’s influence in the privacy regulatory space it could have nationwide implications.
Telephone recording laws in the United States are generally divided between one-party and two-party consent statutes. California is a two-party state where both parties need to consent before a telephone conversation may be recorded. In Annette Jonczyk v. First National Capital Corporation et al, a plaintiff brought a class action lawsuit against her husband’s employer for allegedly recording employee telephone conversations.
First National Capital (“First National”) is a California corporation accused of recording telephone conversations in California. However, the plaintiff is a resident of Missouri, a one-party consent state. Under Missouri law, telephone conversations may be recorded so long as at least one party to the conversation consents. Here, the telephone calls underlying the plaintiff’s lawsuit took place while she was in Missouri. With the choice of law deciding the outcome of the litigation, First National moved to dismiss the plaintiff’s claims on the grounds that because she is a Missouri resident, Missouri law should apply.
U.S. District Court Judge Josephine Staton considered which state had the greater interest in applying its call recording statute. In California, Judge Staton noted, the legislature expressed its intent to “protect the right of privacy of the people of this state.” Here, the plaintiff was not a resident of California; therefore, applying California law to this case would not further that goal. On the other hand, Missouri specifically limited its privacy protection statute to allow a single party to consent to a recording. As noted in Mazza v. Am. Honda Motor Co., Inc., 666 F.3d 581, 589 (9th Cir. 2012), “[m]aximizing consumer and business welfare, and achieving the correct balance for society, does not inexorably favor greater consumer protection.” While California may have an interest in protecting its citizens, Judge Staton recognized that Missouri also had a vested interest in protecting out-of-state businesses from excessive exposure to liability for actions directed at its residents. These factors weighed in favor of applying Missouri law. As a result, Judge Staton granted First National’s motion to dismiss.
Although Judge Staton’s decision rested on conflict-of-law principles, the reasoning behind her decision has the potential for a much greater impact. California and its two-party-consent brethren are in the minority. The majority of states in this country have enacted single-party call recording statutes, and every one of them could potentially apply the same logic in favoring its own call recording framework. So long as the resident involved in the recording resides in a one-party consent state, there is a potential argument that California’s call recording statute may not apply.