Page 6 - Sheppard Mullin Eye on Privacy 2018 Year in Review

California Pioneers IoT Security Legislation
Posted on October 9, 2018
California’s governor recently signed into law a bill requiring connected device manufacturers to include “reasonable” security features for connected devices sold in California. The law doesn’t go into effect until January 1, 2020, and requires that the devices have security “appropriate to the nature and function of the device” and appropriate to the type of information collected. The security measures should also guard against breaches. Reasonable measures include, where appropriate, having a unique, preprogrammed password or making people create a password before using the device the first time.
The law specifically states that it is not imposing obligations on IoT manufacturers with regard to third-party software or applications that a user might choose to add to their connected device. Although the law follows many recent data breaches, it does not include a private right of action.
PUTTING IT INTO PRACTICE: Manufacturers of connected devices should take note of this law, which shows that regulators are concerned that appropriate measures are taken to ensure consumer security.
New York Federal Court Dismisses Nationwide Class Action Arising Out of Alleged Spying by E-Commerce Retailers
Posted on September 10, 2018
In a victory for online retailers, a New York federal court recently dismissed three putative class action lawsuits brought on behalf of website visitors whose mouse clicks, keystrokes, and electronic communications were tracked by a third-party marketing company. The cases were filed against three e-commerce retailers—Casper (a mattress manufacturer and retailer), Tyrwhitt (a men’s clothing company), and Moosejaw (an active outdoor retailer)—and against a marketing company named NaviStone. NaviStone offers computer code that allows e-commerce retailers to determine the identities of consumers who visit their websites and track their online behavior. The plaintiff alleged that the code offered by NaviStone, and embedded in the retailers’ websites, functioned as an illegal wiretap enabling the retailers and NaviStone to “spy” on website visitors in real time as they browse. The lawsuits alleged violations under the federal Electronic Communications Privacy Act (ECPA), the federal Stored Communications Act (SCA), and New York General Business Law (NYGBL).
In dismissing the lawsuits in their entirety, the Southern District of New York notably found plaintiff’s case failed under all three laws: the ECPA, the SCA, and the NYGBL. First, the Court held that the plaintiff’s ECPA claims failed, among other reasons, because the statute requires only one party to consent to the interception of electronic communications, and the online retailers clearly consented to NaviStone’s activities. Second, the Court held that the SCA regulates only electronic communications that are temporarily stored by electronic communications services (such as an ISP) incidental to their transmission; and, therefore, the SCA does not apply to communications stored on an individual’s personal device. Finally, and significantly, the Court dismissed plaintiff’s NYGBL claims because an alleged general invasion of privacy—without more—does not qualify as a cognizable injury under New York law sufficient to confer standing to sue under the NYGBL.
PUTTING IT INTO PRACTICE: Despite having dismissed the lawsuits in their entirety, the Court acknowledged that defendants’ conduct raised “troubling privacy concerns,” potentially leaving the door open for similar claims to be brought under different causes of action. Online retailers should keep courts’ potential unease in mind when using tracking software, and should be mindful of how the use of such tracking software is disclosed and represented to consumers who visit their websites.