Last week the Supreme Court’s decision in Van Buren v. United States resolved a decade-long circuit split concerning the “exceeds authorized access” clause of the Computer Fraud and Abuse Act (“CFAA”).  Taking up the issue of whether an individual who has legitimate access to a computer network but accesses it for an improper or unauthorized purpose violates the CFAA, the Court ultimately found that such a use was not a violation of the statute.  Significantly, the decision in Van Buren endorses the narrower reading of CFAA adopted by the Second, Fourth, and Ninth Circuits,[1] while rejecting the more expansive reading of CFAA that had been the law of the land in the First, Fifth, Seventh, and Eleventh Circuits.[2]

One of the circuit splits that Van Buren appears to resolve, or provide guidance for resolving, is the question of whether violating a website’s terms of service constitutes a CFAA violation.  Prior to Van Buren, several courts within the Third, Fourth, Fifth, Eighth, and Ninth Circuits had found that terms of service violations could implicate the CFAA,[3] while other courts within the Fourth, Seventh, Tenth, and D.C. Circuits had found that individuals were not subject to criminal liability under CFAA by violating terms of service.[4]  The majority opinion in Van Buren, authored by Justice Amy Coney Barrett, adopts the latter reading.  Opining on the Government’s broad interpretation of the statute, the Court noted: “Many websites, services, and databases—which provide “information” from “protected computer[s],” §1030(a)(2)(C)—authorize a user’s access only upon his agreement to follow specified terms of service. If the “exceeds authorized access” clause encompasses violations of circumstance-based access restrictions on employers’ computers, it is difficult to see why it would not also encompass violations of such restrictions on website providers’ computers.” Op. at 18 (emphasis supplied).  This language appears in the Court’s broader analysis expressing concern over the scope of the Government’s interpretation of the statute, which the Court found “would attach criminal penalties to a breathtaking amount of commonplace computer activity.”  Op. at 17.

This language, as well as the policy concerns articulated by the Court supporting the narrower interpretation of CFAA, is anticipated to make it challenging to assert claims under CFAA for terms of service violations, including for misuse of data or information contained on a company’s website that would likely have constituted “exceed[ing] authorized access” under prior precedent.  However, companies seeking vindication for terms of service violations may still pursue other, previously available legal remedies.  Which remedies are available will depend on the violation involved, and may include causes of action for copyright infringement, misappropriation, unjust enrichment, conversion, breach of contract, or breach of privacy.

The Court’s narrow interpretation of the CFAA is also likely to impact individuals and companies engaging in data scraping, or the process of using a program to extract data from a codebase or another program.  Many public-facing websites include provisions in their terms of service that limit both their own customers’ and third parties’ use of the data contained on those websites.  Prior to Van Buren, some courts had found that data scraping constituted a violation of CFAA, particularly when the data being scraped was protected by some form of access permissions, such as a username or password requirement.[5]  This interpretation afforded entities a remedy under the CFAA to protect their data against being scraped, as those entities could arguably assert claims under CFAA, relying on that favorable precedent, that data scraping “exceeds authorized access” of the website because the data was intended to be protected using access authorizations.  Some privacy advocates had also favored this broader interpretation of the CFAA as better protective of individual privacy.[6]

While Van Buren does not affirmatively allow for data scraping, the Supreme Court’s narrower reading of CFAA in the decision will likely limit the legal remedies that may be available for data scraping.  As a result, companies engaged in data collection may wish to develop more stringent contractual policies for potential consumers, or take additional action to revoke authorization to their websites for parties violating the terms of service.  To afford the same protections previously available under CFAA, these companies may want to consider, to the extent they do not already have them, liquidated damages and injunctive relief provisions in their contracts with other businesses.  This, of course, will not remedy violations committed by third parties that access their information by other means.  For that, a legislative fix may be necessary.

*Thomas J. Lloyd also contributed to this article as a co-author.

[1] See United States v. Valle, 807 F.3d 508, 523-28 (2d Cir. 2015); WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 204 (4th Cir. 2012); LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009); United States v. Nosal, 676 F.3d 854, 856-63 (9th Cir. 2012) (en banc).

[2] See EF Cultural Travel B.V. v. Explorica, Inc., 274 F.3d 577, 583 (1st Cir. 2001); United States v. John, 597 F.3d 263, 271 (5th Cir. 2010); Int’l Airport Centers, L.L.C. v. Citrin, 440 F.3d 418, 420 (7th Cir. 2006); United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010).

[3] See, e.g., America Online v. LCGM, Inc., 46 F. Supp. 2d 444, 451 (E.D. Va. 1998); United States v. Nosal, 844 F.3d 1024, 1033-38 (9th Cir. 2016); Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1066-69 (9th Cir. 2016); Southwest Airlines Co. v. Farechase, Inc., 318 F. Supp. 2d 435, 439-40 (N.D. Tex. 2004); Am. Online, Inc. v. Nat’l Health Care Disc., Inc., 174 F. Supp. 2d 890, 899 (N.D. Iowa 2001); United States v. Lowson, No. 10-114 (KSH), 2010 U.S. Dist. LEXIS 145647, at *11-18 (D.N.J. 2010).

[4] See, e.g., Sandvig v. Barr, 451 F. Supp. 3d 73, 76 (D.D.C. 2020); Cvent, Inc. v. Eventbrite, Inc., 739 F. Supp. 2d 927, 932-34 (E.D. Va. 2010); Koch Indus., Inc. v. Doe, No. 2:10CV1275DAK, 2011 U.S. Dist. LEXIS 49529, at *19-25 (D. Utah May 9, 2011); Bittman v. Fox, 107 F. Supp. 3d 896, 900-01 (N.D. Ill. 2015).

[5] See, e.g., HiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985, 999-1004 (9th Cir. 2019); Explorica, 274 F.3d at 582-84.

[6] See, e.g., HiQ Labs, Inc., 938 F.3d at 1003 (noting that CFAA is violated when an individual scrapes data by “circumvent[ing] a computer’s generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer” as that data has been marked as “private”); see also id. at 1001-03 (discussing legislative history of CFAA and intent to increase privacy protections for online information).

In the continuing absence of comprehensive federal law regulating data privacy and protection, the states have continued to pursue their own agenda.  Pennsylvania is the most recent state to throw its hat into the ring, with its legislature’s introduction of HB-1126, the Consumer Data Privacy Act (“CDPA”).  If passed, the CDPA would make Pennsylvania the third state to enact its own data privacy and protection laws, following California and Virginia.  CPW is here to tell you what you need to know about the CDPA and how it will likely influence litigation.  Hint: if passed, expect swelling dockets.

The CDPA creates a duty for businesses to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information”.  Sounds familiar, right?  To encourage compliance, the CDPA would create private consumer causes of action and leave civil enforcement to the state attorney general.  In this respect, the CDPA draws more inspiration from the California Consumer Privacy Act (“CCPA”), which also created a private right of action, than Virginia’s recently enacted Consumer Data Protection Act, which left enforcement solely to the state attorney general.

Under the CDPA’s private right of action, consumers may obtain statutory damages of not less than $100 but not more than $750 per consumer per incident, actual damages, and injunctive or declaratory relief.  Before filing suit, however, consumers must provide a business with 30 days’ written notice.  The notice must specifically identify which provisions of the CDPA the business allegedly violated.  If the noticed business cures the violation within 30 days and provides the consumer with an “express written statement” detailing that the violations have been cured and affirming that further violations will not occur, then that business is precluded from liability under the CDPA for those violations.  Should the noticed business continue the alleged violations, however, then the consumer may file suit for the underlying violations.  The CDPA also states that should a noticed business issue an “express written statement” but continue violating the statute, then the notifying consumer will also have an additional cause of action for breach of the statement.

A private right of action in a consumer privacy bill is often a prelude to a surge in litigation.  As CPW has previously reported, over 1,000 lawsuits and at least 76 class action lawsuits have been filed under the Illinois Biometric Information Privacy Act and the CCPA, respectively.  With its private right of action, the CDPA promises similar numbers.  Notably, if passed, that surge could begin immediately because the CDPA becomes effective immediately.

HB-1126 has 16 co-sponsors and is currently sitting in the Consumer Affairs Committee.  CPW will continue to monitor this bill for developments.

For those covering developments across the Atlantic, as Stéphanie Faber covers at Security & Privacy Bytes, the new Standard Contractual Clauses (“SCCs”) have been adopted by the European Commission on June 4, 2021 and should be published in the next few weeks.  As they explain, the new SCCs will go into effect twenty (20) days following publication in the Official Journal of the European Union (“EU”) and the old SCCs will be repealed three months after that date (“Date of Repeal”).  For a complete update on this development, check out their must-read analysis here.

Today President Biden issued an Executive Order (“EO”) with respect to the threat posed to the United States’ information and communications technology and services (“ICTS”) supply chain.  The EO “directs the use of a criteria-based decision framework and rigorous, evidence-based analysis to address the risks posed by ICTS transactions involving software applications that are designed, developed, manufactured, or supplied by persons that are owned or controlled by, or subject to the jurisdiction of a foreign adversary . . . that may present an undue or unacceptable risk to the national security of the United States and the American people.”

As summarized in a press release accompanying the EO, it:

  • Enables the U.S. to take strong steps to protect Americans’ sensitive data;
  • Provides criteria for identifying software applications that may pose unacceptable risk; and
  • Develops further options to protect sensitive personal data and address the potential threat from certain connected software applications.

A copy of the EO is available here: EO Protecting Americans’ Sensitive Data from Foreign Adversaries.

CPW has recently covered the intersection of cybersecurity and the supply chain, including a putative class action that was filed in federal court in Georgia against the owners of the Colonial Pipeline.  This is a rapidly developing area.  For more on this in the near future, stay tuned.

Squire Patton Boggs is pleased to announce that senior associate Kristin Bryan will host a presentation during the Cyber Security & Data Privacy ConfEx.  This case study presentation, titled “What Do the Next Four Years Hold for Cyber Security & Data Privacy in the USA Region?”, will take place June 16, 2:20-3:00pm PDT.  Topics will include how organizations are seizing opportunities presented by their digitization journey, addressing unique cybersecurity and trust challenges in the U.S., maintaining control of your data, and building a competitive advantage, as well as understanding how your data is managed.

#GLC2021

Colorado’s SB 21-190 has passed both chambers and if not vetoed will become the 3rd omnibus state privacy law enforceable 7/1/23.  It has no private right of action, but includes the right to object to processing for purposes of targeted advertising, the sale of personal data, or profiling, including via means of an online global privacy control, as well as the rights to access, correct and/or delete personal data, or obtain a portable copy of it.  It does not apply to employee data.  It specifies how controllers must fulfill duties regarding consumers’ assertion of their rights, transparency, purpose specification, data minimization, avoiding secondary use, avoiding unlawful discrimination and sensitive data, and requires risk assessments for certain “high risk” processing activities.  The law is closer to Virginia’s CDPA than California’s CCPA/CPRA, but there are material differences.  Look for a post next week that compares and contrasts the three states’ laws and the EU’s GDPR, which inspired this growing state trend.

The much-awaited new Standard Contractual Clauses (“SCCs”) have been adopted by the European Commission on June 4, 2021 and should be published in the next few weeks.

The new SCCs will go into effect twenty (20) days following publication in the Official Journal of the European Union (“EU”) and the old SCCs will be repealed three months after that date (“Date of Repeal”).

Full post: New Standard Contractual Clauses for the Transfer of Personal Data Outside the EEA – Adopted On the Eve of Publication

Earlier this year, a federal court granted preliminary approval of a proposed class action settlement in connection with litigation arising under the Driver’s Privacy Protection Act (“DPPA”).  Gaston v. Lexisnexis Risk Solutions, 2021 U.S. Dist. LEXIS 12872 (W.D.N.C. Jan. 25, 2021).  Last week, the court gave the settlement final approval, marking an end to five years of litigation between the parties.

To recap, the DPPA is a federal statute governing the sale and resale of certain personal information (PI) from a motor vehicle record (think driver’s license number and the like).  In Gaston, after the plaintiffs had been involved in a car accident they filed a putative class action complaint alleging that their PI had been electronically transmitted by officers and law enforcement agencies to North Carolina DMV to be used to create a “DMV-349 crash report.”  Plaintiffs alleged that information in those crash reports was accessed and used by PoliceReports.US LLC and LexisNexis Risk Solutions to solicit business in violation of the DPPA.

Following discovery, both parties moved for summary judgment.  The court held that the DMV-349 crash reports are “motor vehicle records” under the DPPA.  Additionally, “based on Defendants’ admission that they disclosed the reports without regard to whether the personal information in the reports would be used for a purpose permitted by the DPPA as well as the undisputed evidence that at least some of those reports were used for an impermissible purpose,” the court awarded Plaintiffs summary judgment on their claim for declaratory and injunctive relief.

This brings us to the settlement, which received final court approval last week.  Recall that the negotiated relief to the class includes Defendants adopting business changes to govern the release of crash reports going forward (including disclosing the information contained in the crash reports only under limited circumstances, such as those protected under the DPPA).

In granting final approval last week, the court confirmed its prior holding that “the settlement represents not only a fair, reasonable, and adequate resolution of the claims brought in this action, but also represents a new standard for the treatment of information on a Crash Report nationwide.” Order at 2-3.  Among other things, the court confirmed that the settlement reached by the parties satisfied a multi-factor test used in the Fourth Circuit for fairness (including “(1) the posture of the case at the time the proposed settlement was reached, (2) the extent of discovery conducted, (3) the circumstances surrounding the settlement negotiations, and (4) counsel’s experience in the type of case at issue.”) (citation omitted).

Additionally, in the absence of settlement, the court noted both parties intended to pursue litigation before the Fourth Circuit (concerning the issues of whether crash reports are a “motor vehicle record” under the DPPA or are otherwise outside the scope of the DPPA and whether Defendants are entitled to qualified immunity and otherwise had an express permissible purpose under the DPPA precluding liability).  This in turn would increase litigation costs and uncertainty, while stalling any class-wide relief.

So there you have it.  While this litigation has come to the end of the road, other DPPA cases remain pending.  And aside from claims brought under the DPPA, there are other cases involving the purported collection and use of driver and driver’s license information.  Not to worry, CPW will be there to keep you in the loop.  Stay tuned.

In case you missed it, below is a summary of recent posts from CPW.  Please feel free to reach out if you are interested in additional information on any of the developments covered.

  • BREAKING: SCOTUS Slashes Scope of Cybercrime Statute
  • Do You Want Fries With That? McDonald’s Customer BIPA Class Action Lands in Federal Court
  • Recent California Supreme Court Decision Expands Liability Arising Under the California Invasion of Privacy Act
  • Lawsuit Filed in Federal Court Over Alleged Data Breach Concerning COVID Contact Tracing Information
  • Recording Available: The Colonial Pipeline Hack – Understanding Cyber-Attacks, Supply Chain Breaks and Data Breach Litigation Issues

BIPA is a frequently litigated data privacy statute, and as readers of CPW know, we’ve been covering BIPA litigation for some time (for some of our prior coverage, check out here, here and here).  Often these claims are brought in the context of a preexisting employee-employer relationship, where employees allege that their employer improperly collected their data in violation of BIPA for timekeeping purposes.  A recent BIPA lawsuit against McDonald’s, filed on behalf of customers alleging that the fast food chain utilized drive-thru voice assistants in Illinois which captured and stored customers’ biometric voiceprint identifiers without their written consent, breaks with this trend.  Carpenter v. McDonald’s Corporation, Case No. 1:21-cv-02906 (N.D. Ill.).  Read on to learn more.

First, a quick recap.  The Illinois Biometric Information Privacy Act (“BIPA”) was enacted in 2008 and sets standards regarding the retention and handling of the biometric data of Illinois residents.  At its core, BIPA protects the “biometric information” of Illinois residents, which is any information based on “biometric identifiers” that identifies a specific person, regardless of how it is captured, converted, stored, or shared.  740 ILCS 14/10.  Biometric identifiers are “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”  Id. (collectively, with “biometric information,” “biometric data”).

The Carpenter complaint, which was initially filed in Illinois state court, alleges that “[i]n an effort to reduce costs and staff, beginning sometime in 2020 McDonald’s implemented an artificial intelligence (AI) voice assistant in the drive through of various McDonald’s restaurants across the nation, including in Illinois.”  Compl. ¶ 6.  The crux of Plaintiff’s claim is that “McDonald’s AI voice assistant’s voice recognition technology collects customers’ voiceprint biometrics in order to be able to correctly interpret customer orders and to identify repeat customers to provide a tailored experience.”  However, “McDonald’s has failed to comply with BIPA’s regulations and does not notify its customers that when they interact with McDonald’s AI voice assistant their voiceprint biometric information is used and collected, nor does McDonald’s obtain their consent to do so.”  Compl. ¶¶ 8-9.

Plaintiff’s proposed class includes “[a]ll individuals whose voiceprint biometric identifiers or biometric information were collected, captured, stored, transmitted, disseminated, or otherwise used by or on behalf of Defendant within the state of Illinois any time within the applicable limitations period and for whom Defendant did not have any written record of consent to do so.”

While disputing Plaintiff’s allegations, McDonald’s had the case removed to federal court last week under the federal Class Action Fairness Act (“CAFA”).  There, the court will address whether Plaintiff’s Complaint should make it past the pleading stage and enter discovery, assuming McDonald’s moves to dismiss.  Ultimate questions of liability will depend largely on McDonald’s business practices, and whether it was simply collecting voiceprints to understand customers’ orders or alternatively if it was “connecting the dots” to ascertain customers’ exact identities.

For instance, the Complaint alleges that, “McDonald’s AI voice assistant goes beyond real-time voiceprint analysis and recognition and also incorporates ‘machine-learning routines’, that utilize voiceprint recognition in combination with license plate scanning technology to identify unique customers regardless of which location they visit and present them certain menu items based on their past visits.”  Of course, whether that allegation is well-founded based upon McDonald’s actual practices remains to be seen.

For more on this litigation, stay tuned.  As more states continue to enact biometric laws with a private right of action, more entities will find themselves named in similar litigation.  CPW will be there to keep you in the loop.  Stay tuned.