By Ian Ross and Jorge Perez Santiago
(Originally featured by Law360 at: https://www.law360.com/articles/1358537 )
Over the last two years, plaintiffs have increasingly looked to state courts when filing their consumer protection and privacy putative class actions.
Claims under the Telephone Consumer Protection Act, for example, were once filed almost exclusively in federal court. Now hundreds are brought in state court where plaintiffs can try to avoid the U.S. Court of Appeals for the Eleventh Circuit precedent that has narrowed the viability of those cases.[1]
More recently, plaintiffs have tested their luck filing class claims based on alleged deceptive emails or data breaches under Florida’s Electronic Mail Communications Act and Florida’s Unfair and Deceptive Trade Practices Act.[2]
And now, plaintiffs attorneys have turned to Florida’s Security of Communications Act, or FSCA, filing putative class actions by the dozens throughout Florida.[3]
These cases seek to take advantage of the same theory of liability plaintiffs have pursued under privacy statutes in other states in recent years.
For example, in the last two years there has been an increasing number of claims brought in California courts under the California’s Invasion of Privacy Act.[4] In these lawsuits, plaintiffs have argued that website operators and mobile application providers violate California’s wiretapping statutes by purportedly intercepting and eavesdropping on their consumer’s use and interactions with websites and mobile applications without their consent.[5]
California, like Florida, requires consent from all parties when a communication is intercepted, recorded or monitored.[6] It is little surprise, then, that following the recent rush of filings in California, plaintiffs attorneys are now turning to Florida and other states to file these lawsuits.
The new Florida-based putative class actions under the FSCA each allege a similar fact pattern. Plaintiffs are claiming that the national retailers and corporations named in these lawsuits use tracking and session replay software to intercept their consumer’s interactions with their websites.
Each lawsuit alleges that the software or proprietary technology used by these companies to allegedly track mouse clicks and page scrolling is not disclosed to the consumer and that, as a result, consumer communications are being recorded or monitored without their knowledge or consent.
The statutory damages available under the FSCA are significant: Any person “whose wire, oral, or electronic communication is intercepted, disclosed, or used” in violation of the statue has a civil remedy and can seek damages “computed at the rate of $1000 a day for each day of violation or$1,000, whichever is higher.”[7] He or she may also seek reasonable attorney fees and an injunction.[8]
Given the potential availability of liquidated damages and attorney fees under the FSCA, it is in some ways a surprise that these lawsuits are only appearing now. But these cases may now take centerstage as courts seek to resolve questions of consent, the adequacy of website disclosures and the enforceability of limitations of liability and arbitration agreements in website terms of use.
And, regardless of whether these claims are ultimately viable under Florida law,[9] this wave of filings already offers some useful lessons to companies.
First, companies should make sure that the privacy policies and terms of use on their websites and mobile applications disclose the technology they are using and the information they are collecting. California courts in similar contexts have already held that a defendant can establish consent where existing website disclosures contain adequate disclosures and detail information-collecting efforts.[10]
Second, companies should consider whether the placement and display of their disclosures is clear and conspicuous given the developing law in this area. Some courts in recent years have been hostile to website disclosures that are not reasonably communicated to consumers because they appear in small print or are available only through a hyperlink to another location or webpage.[11]
While it may have been enough in prior years simply to include a hyperlink to robust terms of use at the bottom of a webpage, some courts are now refusing to enforce these browsewrap disclosures where they contain arbitration agreements or class waivers.[12]
In some jurisdictions, courts now prefer clickwrap-based assent, through which consumers are required to click “I agree” after they are presented with specific terms and conditions.[13] Plaintiffs who bring claims under the FSCA will likely argue that disclosures about the information being collected from them are browsewrap disclosures that do not demonstrate consent.
Third, given the proliferation of new consumer protection and privacy statutes — and the class actions that quickly follow when a new statute is enacted — companies should routinely be updating their privacy policies and terms to follow best practices in the states in which they do business.
Florida has become one of the most popular venues for consumer protection class actions,[14] and the landscape for these cases will continue to change with new legislation on the horizon. Earlier this month, a robust consumer data privacy bill,[15] mirroring California’s Consumer Privacy Act, was filed in the Florida House of Representatives with support from Gov. Ron DeSantis.[16]
The proposed law would provide a private right of action, with the potential for statutory damages, for consumers whose nonencrypted and nonredacted personal information or email addresses are subject to unauthorized access and exfiltration, theft or disclosure. Similar statutes in Illinois and California have already led to hundreds of new case filings in those states.
Time will tell whether the next wave of privacy class actions under the FSCA or, if enacted, Florida’s proposed Consumer Data Privacy law, will drive the swell of litigation that has forced businesses big and small to learn the ins and outs of the TCPA.
But this new wave of lawsuits is a reminder that as businesses look for new and innovative ways to interact with their customers, they need to navigate carefully through the constantly evolving and ever-changing framework of consumer protection and privacy statutes.
[1] See Eric J. Troutman, The Rise and Fall of TCPA Suits in the Sunshine State: How the Eleventh Circuit Court of Appeal Created and Destroyed a Cottage Litigation Industry in Florida, available at https://tcpaworld.com/2020/02/07/ (last visited February 23, 2021); Drazen v. GoDaddy.com, LLC , CV 1:19-00563-KD-B, 2020 WL 8254868, at *3, *8 (S.D. Ala. Dec. 23, 2020) (recognizing recent Eleventh Circuit decisions have “impact[ed] the viability of TCPA cases” and the “evolving landscape of TCPA cases . . . have not been favorable to plaintiffs”).
[2] Plaintiffs have had mixed success arguing that they have a private cause of action under the Florida Electronic Mail Communications Act. Compare George v. Defenders, Inc. , Case No. 2019-CA-012688, 2020 WL 4930310, at *2 (Fla. Cir. Ct. Aug. 18, 2020) (holding that plaintiffs do not have a private cause of action under FEMCA and dismissing claim) and Wriley v. Quick Weight Loss Centers, LLC, Case No. CACE-19-020202 (Fla. Cir. Ct. Mar. 18, 2020) (slip op.) (same) with Hackworth v. Equity Business Solutions, LLC , Case No. 20-CA-003485 (Fla. Cir. Ct. Sept. 1, 2020) (slip op.) (denying motion to dismiss). Please note: The author of this article represented the defendant in George.
[3] See, e.g., Jacome v. Spirit Airlines, Inc., Case No. 21-947-CA-01 (Fla. Cir. Ct. filed January 14, 2021); Goldstein v. Costco Wholesale Corp., Case No. 2021-CA-001558 (Fla. Cir. Ct. filed Feb. 4, 2021); Holden v. Fossil Group, Inc., Case No. 2021-CA-000673 (Fla. Cir. Ct. filed Feb. 4, 2021).
[4] Cal. Penal Code §§ 630 et seq.
[5] See Cal. Penal Code §§ 632(a) (providing for an up to $2,500 fine for use of a recording device to eavesdrop “without the consent of all parties to a confidential communication”). See also 18 U.S.C. § 2511(c), (d) (it is not “unlawful . . . for a person . . . to intercept a[n] . . . electronic communication . . . where one of the parties to the communication has given prior consent to such interception”) (emphasis added).
[6] See Fla. Stat. § 934.03(2)(d).
[7] Fla. Sta. § 934.10(1)(b).
[8] Fla. Sta. § 934.10(1)(a), (d).
[9] Many of the defendants who are being named in this first flood of cases under the FSCA may already have the disclosures they need to defend these cases. California courts have held that consent may be established based on existing disclosures on business websites. The FSCA also exempts from the definition of an “electronic, mechanical, or other device” any equipment that is furnished to a subscriber or user of a web service by a provider “in the ordinary course of its business” and used “in the ordinary course of its business.” Fla. Sta. § 934.02(4)(a)(1). A similar carveout appears in the federal Wiretap Act. See 18 U.S.C. § 2511(5)(a)(ii). And defendants may argue that the FSCA only covers communications that are confidential or reflect a reasonable expectation of privacy. See Fla. Sta. § 934.01(2) (the Florida legislature states that it is enacting the FSCA to “protect effectively the privacy of wire and oral communications”); In re Google, Inc. Gmail Litig. , Case No. 13-MD-02430-LHK, at *22, 2013 WL 5423918 (N.D. Cal. Sept. 26, 2013) (discussing cases finding that individuals engaged in “internet-based communication” “cannot have a reasonable expectation that their online communications will not be recorded”) (citations omitted); see also Campbell v. Facebook Inc ., 77 F. Supp. 3d 836, 849 (N.D. Cal. 2014) (finding that internet-based communications are not confidential because they “can easily be shared by . . . the recipient(s) of the communications”).
[10] See Smith v. Facebook, Inc. , 745 F. App’x 8, 9 (9th Cir. 2018) (finding consent established where “Terms and Policies contain numerous disclosures related to information collection on third-party websites”); see also Garcia v. Enterprise Holdings, Inc. , 78 F. Supp. 3d 1125, 1135-37 (N.D. Cal. 2015) (dismissing claim under California act where defendant’s terms of use and privacy policy were sufficient for consent for the alleged disclosures).
[11] See, e.g., Cullinane v. Uber Techs., Inc. , 893 F.3d 53, 63-64 (1st Cir. 2018) (reversing enforcement of arbitration clause and finding that terms were not conspicuous and that consumers did not “provide their unambiguous assent to those terms”); see also Anand v. Heath , Case No. 19-CV-00016, 2019 WL 2716213, at *4 (N.D. Ill. June 28, 2019) (refusing to enforce arbitration agreement where “[t]here was simply nothing present to [plaintiff] that conditioned her continued navigation on the site to acceptance of the terms and conditions available through the hyperlink”).
[12] See Anand, 2019 WL 2716213, at *4 (declining to enforce “hybridwrap” agreement where the court found that a consumer did not manifest assent to arbitrate claims by clicking “Continue” button); Wilson v. Redbox Automated Retail, LLC , 448 F. Supp. 3d 873, 885 (N.D. Ill. 2020) (hyperlink to terms of use was not sufficiently conspicuous).
[13] Wilson, 448 F. Supp. 3d at 882 (“Clickwrap agreements are usually upheld by courts ‘because they present the consumer with a realistic opportunity to review the terms of the contract and they require a physical manifestation of assent.’ “) (quoting Applebaum v. Lyft, Inc. , 263 F. Supp. 3d 454, 465 (S.D.N.Y. 2017)); Hidalgo v. Amateur Athletic Union of United States, Inc. , 468 F. Supp. 3d 646, 654 (S.D.N.Y. 2020) (“[Courts routinely uphold “‘clickwrap’ (or ‘clickthrough’) agreements, which require users to click an ‘I agree’ box after being presented with a list of terms and conditions of use’ ‘for the principal reason that the user has affirmatively assented to the terms of agreements by clicking ‘I agree.'”) (quoting Meyer v. Uber Techs., Inc. , 868 F.3d 66, 75 (2d Cir. 2017)).
[14] See WebRecon Stats for December 2020 and Year in Review, available at https://webrecon.com/webrecon-stats-for-dec-2020-and-year-in-review/ (last visited February 23, 2021).
[15] HB 969: Consumer Data Privacy.
[16] If enacted, the new law would, among other things, (i) require certain businesses to publish and annually update privacy notices, (ii) provide consumers with the right to opt-out of the sale/sharing of certain private information, and (iii) expand the Florida Information Protection Act (i.e., Data Breach Notification Law) to include biometric data, such as fingerprints, voice recordings, and retina scans. See HB 969: Consumer Data Privacy, available at https://www.flsenate.gov/Session/Bill/2021/969 (last visited February 23, 2021).
