Car Dealer’s Attempt to Crash Data Privacy Class Action Sputters Out
Posted on February 14, 2018
A Texas court recently affirmed the vitality of potential nationwide class actions brought under the federal Driver’s Privacy Protection Act (“DPPA”), in a case brought by an individual whose personal information had allegedly been obtained illegally from the Texas DMV database. The case was filed by a local individual, Arthur Lopez, who complained of getting direct mail from Don Herring Ltd., a local Texas car dealer. Lopez claims that Herring’s personalized advertisement violated the DPPA. Here, the advertisement contained Lopez’s full name, address and the make model of his car. Lopez, however, alleged he had never heard of Herring and had no idea how Herring obtained his personal information without his consent.
According to the complaint, Herring allegedly obtained Lopez’s personal information from the Texas DMV. Herring denies this, however. The DPPA prohibits the procurement of personal information from a state motor vehicle record for advertising purposes, and empowers plaintiffs to file class actions and seek monetary damages against violators of the Act. The court ultimately held that plaintiff had alleged enough facts to render his DPPA claim plausible, and denied the car dealer’s motion to dismiss, which means the case will likely proceed to the class certification stage.
PUTTING IT INTO PRACTICE: This case is a reminder that companies should look at the origins of data they obtain for marketing and advertising purposes.
2018 – The Year of the FTC and Informational Injuries?
Posted on January 17, 2018
What constitutes actionable consumer injuries post-breach or data misuse is a hotly contested topic. As we reported in our Advertising blog late last year the FTC hosted a workshop on December 12th to look at the issue. A large focus during the workshop was what constitutes harm to consumers. While there is a school of thought that consumers should have standing to bring action only if there is actual harm to consumers, panelists attending the workshop argued that potential future harm should be actionable as well. We anticipate hearing more from the FTC as a result of this workshop during 2018.
PUTTING IT INTO PRACTICE: The focus on injuries is a reminder to companies to look at their data protection practices. While data breaches may be inevitable (not “if” but “when” is the oft-quoted mantra), what happens after the breach is not as predictable. Companies should keep in mind that there is not a guarantee that they will get rid of a case from a standing perspective. With this in mind, ensuring appropriate security measures -and assessing if information really needs to be collected and stored in the first place- can be invaluable.
ESPN Knocks VPPA Suit Out Of The Park
Posted on January 9, 2018
The Ninth Circuit recently joined the Third Circuit in defining PII under the VPPA as “information that would readily permit an ordinary person to identify a specific individual’s video-watching behavior.” In the case, Eichenberger v. ESPN, Inc., the court found that because an ordinary person could not have identified the plaintiff from the information ESPN divulged to a third party (the plaintiff’s Roku serial device number and video history), the plaintiff failed to state a claim. For that reason the Ninth Circuit affirmed dismissal of the VPPA claim.
The Ninth Circuit also rejected the First Circuit’s “reasonably and foreseeably likely to identify an individual” test, stating that the ordinary person test “better informs video service providers of their obligations under the VPPA.” Thus, the First Circuit remains the only circuit-level court to adopt the “reasonably and foreseeably likely” test, while
                    19 Eye on Privacy 2018 Year in Review