Uber Hires a Privacy Mechanic: A Lesson in Both Physical Fitness and Privacy by Design

uberUber may be a smooth ride for those looking to get downtown in a hurry, but its privacy policies are in desperate need of a mechanic. In March, I summarized many of the privacy issues facing the transportation company as it defends itself against a potentially massive class action suit (see Reviewing the Rules of the Road Following Uber’s 2015 Data Breach Response). In that post, I explained how Uber faces a bumpy road in the press as increased reports of data breaches, lax cyber security protocols, and even outright abuses of data collecting features garner more and more attention: Uber suffered a data breach affecting approximately 50,000 of its current and former drivers but waited nine months to report; the security key used during the breach was allegedly made publicly available on the internet via app development webpages; Uber executives have casually informed members of the media that the company can acquire personal information about journalists that had written critical articles about Uber; Uber’s New York City general manager breached the firm’s privacy policy by spying on a Buzzfeed technology reporters using the company’s in-house “God View” tool which allows employees to access customers’ personal information. At the surface, a casual observer would be justified in thinking that Uber does not hold customer privacy in high regard. Coincidentally (or perhaps not), Uber is today operating at $470 million in operating losses, with $415 million in revenue.

»»Read More

Posted by Zach Heck
Data Security
July 1, 2015

Supreme Court Indicates Potential Significant Changes to Consumer Law

fair credit reporting actThe Supreme Court’s October 2014 term has been highlighted by decisions such as Bank of America v. Toledo-Cardona and Baker Botts v. ASARCO, which promise to transform the practice of bankruptcy litigation. The Court’s decision to grant certiorari in Spokeo, Inc. v. Robins, 135 S. Ct. 1892, 191 L. Ed. 2d 762 (2015), has the same transformative potential with respect to consumer law practice.

In a putative class action case, Plaintiff Thomas Robins alleged that Defendant Spokeo, Inc.’s (“Spokeo”) website aggregated personal information, including information regarding individuals’ employment history and creditworthiness, and was thus a consumer reporting agency as defined by the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq (“FCRA”). First Am. Compl., ¶ 51. Among the information included with respect to Robins was employment information that made Plaintiff appear to have a better educational and financial history than he actually did. Id., ¶ 32. Plaintiff claimed that these inaccuracies would hinder his job search, id., ¶¶ 34-35, and that he “suffered actual harm in the form of anxiety, stress, concern and/or worry about his diminished employment prospects.” Id., ¶ 37. Plaintiff did not, however, seek actual damages. Rather, he alleged that Spokeo had willfully violated the FCRA and sought a judgment “awarding himself and the Class the maximum statutory damages available under 15 U.S.C. § 1681n.” Id., ¶¶ 65, 71, 75. The FCRA provides that when a person willfully fails to comply with the statute, a plaintiff is entitled to “any actual damages . . . or damages of not less than $100 and not more than $1,000.” 15 U.S.C. § 1681n(a) (emphasis added). Similar “statutory damages” provisions also exist for willful violations of the Fair Debt Collection Practices Act (“FDCPA”), 15 U.S.C. § 1692k(a), and the Telephone Consumer Protection Act (“TCPA”). 47 U.S.C. § 227(b)(3)(B).

»»Read More

Posted by Jim Smerbeck
Class Action
June 24, 2015

Is the Right to Be Forgotten Among Our Unalienable Rights?

We hold these truths to be self-evident, that all men are created equal,
that they are endowed by their Creator with certain unalienable Rights,
that among these are Life, Liberty and the pursuit of Happiness.”
-Declaration of Independence, July 4, 1776

forgottenIn May 2014, the European Court of Justice (ECJ) held that Europeans’ fundamental right to privacy encompasses the “right to be forgotten.” Google Spain SL et al. v. AEPD et al., No. C-131/12 (May 13, 2014). The repercussions of the decision have been, and continue to be, phenomenal. Europeans are overwhelming Google with takedown requests; First Amendment scholars on this side of the pond debate fiercely whether the United States should recognize a similar right; and media lawyers grapple with how best to advise their clients when someone seeks to have outdated or embarrassing content removed from the Internet. Indeed, earlier this month, France’s Commission Nationale de l’Informatique et des Libertés (CNIL) ordered Google to apply the ‘right to be forgotten’ takedown requests to all of Google’s domain names, including Google.com. As the volume of personal information online abounds, and the ease with which we can access the information from a variety of sources intensifies, the issue of whether the U.S. should recognize a right to be forgotten will persist. But, where should the U.S. land on the issue?

»»Read More

Posted by Erin Rhinehart
Advertising and Media
June 19, 2015

Next Page »