In December, the U.S. Court of Appeals for the Ninth Circuit reversed and remanded a district court’s decision to dismiss a suit alleging that a multinational technology company used persistent identifiers to collect children’s data and track their online behavior surreptitiously and without their consent in violation of the Children’s Online Privacy Protection Act (COPPA). According to the opinion, the company used targeted advertising “aided by sophisticated technology that delivers curated, customized advertising based on information about specific users.” The opinion further explained that “the company’s technology ‘depends partly on what [FTC] regulations call ‘persistent identifiers,’ which is information ‘that can be used to recognize a user over time and across different Web sites or online services.’” The opinion also noted that in 2013, the FTC adopted regulations under COPPA that barred the collection of children’s “persistent identifiers” without parental consent. The plaintiff class claimed that the company used persistent identifiers to collect data and track their online behavior surreptitiously and without their consent, and alleged state law claims arising under the constitutional, statutory, and common law of California, Colorado, Indiana, Massachusetts, New Jersey, and Tennessee, in addition to COPPA violations. The district court ruled that the “core allegations” in the third amended complaint were squarely covered, and preempted, by COPPA.
On appeal, the 9th Circuit considered whether COPPA preempts state law claims based on underlying conduct that also violates COPPA’s regulations. To determine this, the appellate court examined the language of COPPA’s preemption clause, which states that state and local governments cannot impose liability for interstate commercial activities that is “inconsistent with the treatment of those activities or actions” under COPPA. The opinion noted that the 9th Circuit has long held “that a state law damages remedy for conduct already proscribed by federal regulations is not preempted,” and that the statutory term “inconsistent” in the preemption context refers to contradictory state law requirements, or to requirements that stand as obstacles to federal objectives. The appellate court stated that it was not “persuaded that the insertion of ‘treatment’ in the preemption clause here evinces clear congressional intent to create an exclusive remedial scheme for enforcement of COPPA requirements.” The opinion noted that because “the bar on ‘inconsistent’ state laws implicitly preserves ‘consistent’ state substantive laws, it would be nonsensical to assume Congress intended to simultaneously preclude all state remedies for violations of those laws.” As such, the appellate court held that “COPPA’s preemption clause does not bar state-law causes of action that are parallel to, or proscribe the same conduct forbidden by, COPPA. Express preemption therefore does not apply to the children’s claims.”
In December, the U.S. Court of Appeals for the Ninth Circuit affirmed a district court’s ruling holding an individual liable for violations of the FCRA, the TSR, and the CFPA after the defendant, who allegedly “played a central role” in the scheme — and other defendants — were sued by the CFPB for allegedly obtaining individuals’ credit reports illegally and charging advance fees for debt relief services. As previously covered by InfoBytes, the CFPB filed a complaint in 2020 claiming the defendants violated the FCRA by, among other things, illegally obtaining consumer reports from a credit reporting agency for millions of consumers with student loans by representing that the reports would be used to “make firm offers of credit for mortgage loans” and to market mortgage products. However, the Bureau alleged that the defendants instead resold or provided the reports to numerous companies, including companies engaged in marketing student loan debt relief services. The defendants also allegedly violated the TSR by charging and collecting advance fees for their debt relief services and violated both the TSR and CFPA by placing telemarketing sales calls and sending direct mail to encourage consumers to consolidate their loans, while falsely representing that consolidation could lower student loan interest rates, improve borrowers’ credit scores, and allow borrowers to change their servicer to the Department of Education. Settlements have already been reached with certain defendants (covered by InfoBytes here, here, and here). In August 2021, the U.S. District Court for the Central District of California granted the Bureau’s motion for summary judgment against the individual defendant after determining that undisputed evidence showed that the individual defendant, among other things, “obtained and later used prescreened lists from [a consumer reporting agency] without a permissible purpose” in order to send direct mail solicitations from the businesses that he controlled to consumers on the lists as opposed to firm offers of credit or insurance. (Covered by InfoBytes here.)
In September 2021, the district court entered judgment in favor of the Bureau against the individual defendant. While the individual defendant objected to the judgment, the district court ultimately determined that the Bureau is entitled to a judgment for monetary relief of over $19 million as redress for fees paid by affected consumers. This restitution is owed jointly and severally with the student loan debt relief company defendants in the amounts imposed in default judgments entered against each of them (covered by InfoBytes here).
On appeal, the 9th Circuit cited “undisputed” evidence demonstrating how the individual defendant “violated” the FCRA, TSR, and CFPA. According to the appellate court, the defendant “is individually liable for corporate violations of the CFPA.” The appellate court further noted that the individual defendant “‘participated directly’ in these deceptive practices and ‘had the authority to control them,’” had a “central role” in these practices, was “‘recklessly indifferent to the truth or falsity of the misrepresentations,’ and did not attempt to verify the truthfulness of statements” regarding the companies he controlled.
On December 13, the U.S. Court of Appeals for the Ninth Circuit affirmed summary judgment in favor of the CFPB against a California-based student financial aid operation and its owner (collectively, “defendants”), which were sued for allegedly mailing deceptive solicitations to individuals that advertised help in applying for scholarships. As previously covered by InfoBytes, the defendants allegedly engaged in deceptive practices when they, among other things, represented that by paying a fee and sending in an application, consumers were applying for financial aid or the defendants would apply for aid on behalf of the students. But, according to the Bureau, the consumers did not receive the promised services in exchange for their payment. The case was stayed in 2016 while the owner defendant faced a pending criminal investigation, until the court lifted the stay in 2019 after finding the possibility of the civil proceedings affecting the owner defendant’s ability to defend himself in the criminal proceeding “speculative and unripe.” In 2021, the U.S. District Court for the Southern District of California issued an order granting in part and denying in part the CFPB’s motion for partial summary judgment and granting the agency’s motion for default judgment (covered by InfoBytes here). The order required the defendants to pay a $10 million civil money penalty and more than $4.7 million in restitution. Additionally, default judgment was entered against the defendants on the merits of the Bureau’s claims, which included allegations that the defendants failed to provide privacy notices to consumers as required by Regulation P. The defendants appealed.
On appeal, the defendant-appellant argued that he was not subject to the Bureau’s authority because he provided nonfinancial advice on “free” scholarships and that the solicitations were not deceptive. The appellate court noted that the CFPA lists ten different categories of covered persons, one of which is “providing financial advisory services … to consumers on individual financial matters or relating to proprietary financial products or services ….” Because the solicitations dealt with the topic of financial aid and scholarships for college tuition, the 9th Circuit concluded that “[a]dvising students to exhaust scholarship opportunities before taking on debt is no less ‘financial’ than advising students to leverage their unique access to federally subsidized loans.” The appellate court noted that the defendant’s “advice covered the entire gamut of financial aid and was undoubtedly financial in nature.” The appellate court further noted that the defendant “is incorrect that scholarships are not financial in nature merely because they do not have to be repaid,” and that “the ordinary meaning of financial is broad and encompasses both cash financing and debt financing. Indeed, the definition of ‘finance’ specifically contemplates raising funds, regardless of their origin, for college tuition.”
On December 8, the U.S. District Court for the Northern District of California issued a consent judgment and permanent injunction against a now-defunct plaintiff data analytics company in an action concerning whether the plaintiff breached a user agreement with a defendant professional networking site by using an automated process to extract user data (a process known as “scraping”) for the purposes of selling its analytics services to businesses. The case was sent back to the district court earlier this year by the U.S. Court of Appeals for the Ninth Circuit (on remand from the U.S. Supreme Court) after the appellate court affirmed the district court’s order preliminarily enjoining the defendant from denying the plaintiff access to publicly available member profiles. (Covered by InfoBytes here.)
As previously covered by InfoBytes, last month the district court ruled that the plaintiff breached its user agreement by creating fake accounts and copying URL data as part of its scraping process. Nonetheless, at the time, the district court noted that there remained a legitimate dispute over whether the defendant waived its right to enforce the user agreement after the plaintiff openly discussed its business model, including its reliance on scraping, at conferences it organized that were attended by defendant’s executives. The district court further questioned when the defendant became aware of the plaintiff’s scraping, whether it should have taken “steps to legally enforce against known scraping” sooner, and whether the defendant can raise certain defenses to its breach of contract claim tied to the plaintiff’s data scraping and unauthorized use of data.
On December 6, the parties separately reached an agreement to resolve all outstanding claims in the case. The final consent judgment enters a $500,000 judgment against the plaintiff and waives all other monetary relief. Additionally, the plaintiff is permanently enjoined from scraping or accessing the defendant’s platform without express written permission, whether directly or indirectly through a third party or whether logged in to an account or not. The plaintiff is also prohibited from developing, using, selling, or distributing any software or code for data collection from the defendant’s platform. The plaintiff must also delete all software code in its possession that is designed to access the defendant’s platform, must delete all member profile data in its possession (including data stored with a third party), and is barred from “using, distributing, selling, analyzing, or otherwise accessing any data” collected without the defendant’s express permission, whether directly or indirectly through a third party, among other requirements.
On December 1, the U.S. Court of Appeals for the Ninth Circuit affirmed in part and reversed in part a district court’s dismissal of a putative class action brought against a French cryptocurrency wallet provider and its e-commerce vendor for lack of personal jurisdiction. As previously covered by InfoBytes, plaintiffs—customers who purchased hardware wallets through the vendor’s platform between July 2017 and June 2020—alleged violations of state-level consumer protection laws after a 2020 data breach exposed the personal contact information of thousands of customers. Plaintiffs contended, among other things, that when the breach was announced in 2020, the wallet provider failed to inform them that their data was involved in the breach, downplayed the seriousness of the attack, and did not disclose that the attack on its website and the vendor’s data theft were connected. The district court held that it did not have jurisdiction over the French wallet provider, and ruled, among other things, that the plaintiffs did not establish that the wallet provider “expressly aimed” its activities towards California in a way that would establish specific jurisdiction, and “did not cause harm in California that it knew was likely to be suffered there.” The district court further held that the fact that the vendor was headquartered in California at the time the breach occurred was not sufficient to establish general jurisdiction because the vendor moved to Canada before the class action was filed. “Courts have uniformly held that general jurisdiction is to be determined no earlier than the time of filing of the complaint,” the district court wrote, dismissing the case with prejudice.
The 9th Circuit also determined that the district court abused its discretion in disallowing any jurisdictional discovery concerning the defendant e-commerce vendor. Explaining that the e-commerce vendor employs more than 200 people who work remotely from California, including a data-protection officer (DPO) who may have played a role related to the data breach, the appellate court wrote that “[b]ecause more facts are needed to determine whether those activities support the exercise of jurisdiction, we reverse the district court’s denial of jurisdictional discovery with respect to the DPO’s role and responsibilities and his relationship to [the e-commerce vendor], which processed and stored the data.”
On November 16, the U.S. Court of Appeals for the Ninth Circuit upheld a district court’s dismissal of a proposed TCPA class action, holding that in order for technology to meet the definition of an “automatic telephone dialing system” (autodialer), the system must be able to “generate and dial random or sequential telephone numbers under the TCPA’s plain text.” Plaintiff claimed he began receiving marketing texts from the defendant after he provided his phone number to an insurance company on a website. Plaintiff sued alleging violations of the TCPA and asserting that the defendant used a “sequential number generator” to select the order in which to call customers who had provided their phone numbers. This type of number generator qualifies as an autodialer under the TCPA, the plaintiff contended, referring to a footnote in the U.S. Supreme Court’s ruling in Facebook v. Duguid (covered by a Buckley Special Alert), which narrowed the definition of an autodialer under the TCPA and said “an autodialer might use a random number generator to determine the order in which to pick phone numbers from a preproduced list.” Defendant countered, however, that its system is not an autodialer, and “that the TCPA defines an autodialer as one that must generate telephone numbers to dial, not just any number to decide which pre-selected phone numbers to call.”
The 9th Circuit was unpersuaded by the plaintiff’s argument, calling it an “acontextual reading of a snippet divorced from the context of the footnote and the entire opinion.” The appellate court pointed out that nothing in Facebook suggests that the Supreme Court “intended to define an autodialer to include the generation of any random or sequential number.” The 9th Circuit further explained that “[u]sing a random or sequential number generator to select from a pool of customer-provided phone numbers would not cause the harms contemplated by Congress.”
On November 3, the U.S. District Court for the Northern District of California issued an order ruling on cross-motions for summary judgment in an action concerning whether a now-defunct plaintiff data analytics company breached a user agreement with a defendant professional networking site by using an automated process to extract user data (a process known as “scraping”) for the purposes of selling its analytics services to businesses. The defendant claimed that the user agreement prohibits scraping, and sent the plaintiff a cease-and-desist letter demanding it stop and alleging violations of the Computer Fraud and Abuse Act (CFAA) as well as various state laws. In response, the plaintiff sued the defendant, arguing that it had a right to access the public pages, and later sought a preliminary injunction, which the district court granted.
As previously covered by InfoBytes, earlier this year, the U.S. Court of Appeals for the Ninth Circuit, on remand from the U.S. Supreme Court, affirmed the district court’s order preliminarily enjoining the defendant from denying the plaintiff access to publicly available member profiles. The 9th Circuit had previously affirmed the preliminary injunction, but was called to further consider whether the CFAA applies to the plaintiff’s data scraping after the U.S. Supreme Court vacated the appellate court’s judgment in light of its ruling in Van Buren v. United States. The 9th Circuit found that the ruling in Van Buren, in which the Supreme Court suggested the CFAA only applies in cases where someone is accused of hacking into or exceeding their authorized access to a network that is protected, or in situations where the “gates are up,” narrowed the CFAA’s scope and most likely did not apply to cases involving data scraped in bulk by automated bots from public websites. The appellate court concluded, among other things, that the defendant showed that it “currently has no viable way to remain in business other than using [the networking site’s] public profile data” for its analytic services and “demonstrated a likelihood of irreparable harm absent a preliminary injunction.” Moreover, the 9th Circuit rejected the defendant’s claims that the plaintiff violated the CFAA.
In partially granting the defendant’s motion and denying the plaintiff’s, the district court ruled that the plaintiff breached its user agreement by directing the creation of fake accounts and copying of URL data as part of its scraping process. Nonetheless, the district court noted there remains a legitimate dispute over whether the defendant waived its right to enforce the user agreement after the plaintiff openly discussed its business model, including its reliance on scraping, at conferences it organized that were attended by defendant’s executives. Moreover, questions remain for trial as to when the defendant became aware of the plaintiff’s scraping, whether it should have taken “steps to legally enforce against known scraping” sooner, and whether the defendant can raise certain defenses to its breach of contract claim tied to the plaintiff’s data scraping and unauthorized use of data.
On October 20, the U.S. Court of Appeals for the Ninth Circuit ordered a district court to reassess the constitutionality of a statutory damages award in a TCPA class action. Class members alleged the defendant (a multi-level marketing company) made more than 1.8 million unsolicited automated telemarketing calls featuring artificial or prerecorded voices without receiving prior express consent. The district court certified a class of consumers who received such a call made by or on behalf of the defendant, and agreed with the jury’s verdict that the defendant was responsible for the prerecorded calls at the statutorily mandated damages of $500 per call, resulting in total damages of more than $925 million. Two months later, the FCC granted the defendant a retroactive waiver of the heightened written consent and disclosure requirements, and the defendant filed post-trial motions with the district court seeking to “decertify the class, grant judgment as a matter of law, or grant a new trial on the ground that the FCC’s waiver necessarily meant [defendant] had consent for the calls made.” In the alternative, the defendant challenged the damages award as being “unconstitutionally excessive” under the Due Process Clause of the Fifth Amendment.
On appeal, the 9th Circuit affirmed most of the district court’s ruling, including upholding its decision to certify the class. Among other things, the appellate court determined that the district court correctly held that the defendant waived its express consent defense based on the retroactive FCC waiver because “no intervening change in law excused this waiver of an affirmative defense.” The appellate court found that the defendant “made no effort to assert the defense, develop a record on consent, or seek a stay pending the FCC’s decision,” even though it knew the FCC was likely to grant its petition for a waiver. While the 9th Circuit did not take issue with the $500 congressionally-mandated per call damages figure, and did not disagree with the total number of calls, it stressed that the “due process test applies to aggregated statutory damages awards even where the prescribed per-violation award is constitutionally sound.” Recognizing that Congress “set a floor of statutory damages at $500 for each violation of the TCPA but no ceiling for cumulative damages, in a class action or otherwise,” the appellate court explained that such damages “are subject to constitutional limitation in extreme situations,” and “in the mass communications class action context, vast cumulative damages can be easily incurred, because modern technology permits hundreds of thousands of automated calls and triggers minimum statutory damages with the push of a button.” Accordingly, the 9th Circuit ordered the district court to reassess the damages in light of these concerns.
On October 12, a split U.S. Court of Appeals for the Ninth Circuit reversed a district court’s dismissal of a TCPA complaint, disagreeing with the argument that the statute does not cover unwanted text messages sent to businesses. Plaintiffs (who are home improvement contractors) alleged that the defendants used an autodialer to send text messages to sell client leads to plaintiffs' cell phones, including numbers registered on the national do-not-call (DNC) registry. The plaintiffs contended they never provided their numbers to the defendants, nor did they consent to receiving text messages. The defendants countered that the plaintiffs lacked Article III and statutory standing because the TCPA only protects individuals from unwanted calls. The district court agreed, ruling that the plaintiffs lacked statutory standing and dismissed the complaint with prejudice.
On appeal, the majority disagreed, stating that the plaintiffs did not expressly consent to receiving text messages from the defendants and that their alleged injuries are particularized. In determining that the plaintiffs had statutory standing under sections 227(b) and (c) of the TCPA, the majority rejected the defendants’ argument that the TCPA only protects individuals from unwanted calls. While the defendants claimed that by operating as home improvement contractors the plaintiffs fall outside of the TCPA’s reach, the majority determined that all of the plaintiffs had standing to sue under § 227(b), “[b]ecause the statutory text includes not only ‘person[s]’ but also ‘entit[ies].’” With respect to the § 227(c) claims, which only apply to “residential” telephone subscribers, the appellate court reviewed whether a cell phone that is used for both business and personal reasons can qualify as a “residential” phone. Relying on the FCC’s view that “a subscriber’s use of a residential phone (including a presumptively residential cell phone) in connection with a homebased business does not necessarily take an otherwise residential subscriber outside the protection of § 227(c),” and “in the absence of FCC guidance on this precise point,” the majority concluded that a mixed-use phone is “presumptively ‘residential’ within the meaning of § 227(c).”
Writing in a partial dissent, one judge warned that the majority’s opinion “usurps the role of the FCC and creates its own regulatory framework for determining when a cell phone is actually a ‘residential telephone,’ instead of deferring to the FCC’s narrower and more careful test.” The judge added that rather than “deferring to the 2003 TCPA Order which extended the protections of the national DNC registry to wireless telephones only to the extent they were similar to residential telephones, a reasonable interpretation of the TCPA, the majority has leaped over the FCC’s limitations to provide its own, much laxer, regulatory framework and procedures that broadly allow anybody who owns a cell phone to sue telemarketers under the TCPA.”
On August 24, the U.S. Court of Appeals for the Ninth Circuit affirmed a $20.8 million disgorgement award and agreed with a district court’s decision to hold the defendants jointly and severally liable. The defendants appealed the district court’s 2021 final judgment of disgorgement, which ordered them to disgorge more than $20.8 million in an action concerning money that was collected from investors for a cancer treatment center that was never built. As previously covered by InfoBytes, the district court’s order followed a 2020 U.S. Supreme Court ruling (covered by InfoBytes here), in which the high court examined whether the SEC’s statutory authority to seek “equitable relief” permits it to seek and obtain disgorgement orders in federal court. The Supreme Court ultimately held that the SEC may continue to collect disgorgement in civil proceedings in federal court as long as the award does not exceed a wrongdoer’s net profits, and that such awards for victims of the wrongdoing are equitable relief permissible under § 78u(d)(5). The Supreme Court vacated the original $26.7 million judgment and remanded to the lower court to examine the disgorgement amount in light of its opinion. Of the nearly $27 million raised, the SEC alleged the defendants misappropriated approximately $20 million of the funds through payments to overseas marketing companies and to salaries. To calculate the final disgorgement award, the court subtracted what it determined were “legitimate expenses,” including $2.2 million in administrative expenses and $3.1 million in business development expenses, from the nearly $27 million raised.
On appeal, the 9th Circuit reviewed the proper method of calculating disgorgement as an equitable remedy in an SEC enforcement action and found “no error with the district court’s factual findings as to the illegitimate expenses or with the district court’s disgorgement award.” In so finding, the 9th Circuit explicitly rejected appellants’ argument that disgorgement was improper because the venture resulted in “no revenues and no profit,” finding that such a result “would not produce an equitable remedy.” The appellate court also determined that because the common law “permit[s] liability for partners engaged in concerted wrongdoing,” the district court did not err in holding both defendants jointly and severally liable where there was evidence the appellant in question “played an integral role” in the fraudulent scheme.