Sign Up
Stay current with GH&R Newsletters. Click here to sign up.
E-Commerce News
OPT In May Not Equal Consent to Share Customer Information; File Copying By Departing Employee May Not Violate CFAA
December 5, 2006
OPT IN MAY NOT EQUAL CONSENT TO SHARE CUSTOMER INFORMATIONAn Oregon federal court has ruled that an online customer who answers "yes" to an opt-in question asking whether the user would like to receive more information is not necessarily giving "express consent" to disclose that user's information to third parties.
The case involved litigation between two companies -- CollegeNET Inc. and XAP Corp. - which both provide online filing of college applications. Neither charges students a fee for this service. CollegeNET's revenue comes from fees it charges colleges. XAP makes its money by selling personal data about prospective college students to banks and other financial institutions.
CollegeNET sued XAP complaining that XAP's methods for gathering and sharing student data violated the terms of its privacy policy. XAP's policy provides: "Personal data entered by the User will not be released to third parties without the user's express consent and direction." Additionally, account set-up screens state: "The information you enter will be kept private in accordance with your express consent and direction."
XAP asked its users to answer yes or no to the following question: "Are you interested in receiving information about student loans or financial aid?" From its perspective, a "yes" answer to that question constituted express consent to the information sharing. XAP also contended that the privacy statements are not facts regarding the services; they merely deal with "matters that are incidental" to the company's services.
CollegeNET argued, however, that a student's agreement to receive financial-aid information cannot be fairly characterized as giving "express consent and direction" to disclose the student's personal data to third parties.
The judge disagreed that confidentiality promises are incidental. "Promises of confidentiality of information provided over the internet are certainly more than incidental; i.e. , "minor matters," she said. But she concluded it was too early to rule on either party's motion for summary judgment as to the truth or falsity of the privacy policy until the parties could come forward with additional evidence on the question whether privacy promises are "fundamental" to the purchase decision.
CollegeNET also argued that XAP's alleged misrepresentation of its privacy practices gave it an unfair competitive advantage over CollegeNET. According to its argument, schools may be inclined to pick XAP's "free" service instead of CollegeNet, because they are tricked into believing that XAP will protect the students' data. Once again, the court chose not to rule. It asked the parties to provide additional evidence on whether the two services are in fact "competitors," a necessary prerequisite to bringing a false advertising claim under the Lanham Act.
Most privacy litigation to date has involved claims by customers complaining about how the company mishandled their data. The idea that a competitor might be able to sue over another company's data handling is a novel approach.
FILE COPYING BY DEPARTING EMPLOYEE MAY NOT VIOLATE CFAA
In our September 12, 2006 edition, we noted that an Arkansas federal court ruled an employee may have violated the Federal Computer Fraud and Abuse Act ("CFAA") by copying his employer's confidential information onto a CD just before terminating his employment.
But, according to a federal district court in Florida, an employee who copies computer files, prior to leaving his employer to work for another company, has not "exceed[ed] authorized access" as that phrase is used in the CFAA.
Although the CFAA has been primarily aimed at hackers, it also provides civil remedies to companies that have been injured. In this case, the employer, Lockheed, filed a complaint alleging that its former employees' file copying activities violated several sections of the CFAA. Lockheed agreed that its former employees "exceed[ed] authorized access" by abusing the computer access privileges they had at the time to obtain information for later use against Lockheed, and that these actions constituted a breach of an implied duty of loyalty. The defendant employees filed a motion to dismiss the complaint.
The district court concluded that the employees' access to Lockheed's computer system did not "'exceed[]' the employees' authority when he still had access privileges at the time the files were copied, including access to the 'precise information at issue.'" The court rejected Lockheed's argument that the employees' access exceeded their authority, because the CFAA makes it a violation to knowingly, and with intent to defraud, access a protected computer "without authorization" or "exceed[] authorized access" to commit fraud and obtain something of value.
In reaching that conclusion, the court rejected the reasoning of the Seventh Circuit, which had imposed CFAA liability in another case on the premise that the employee's authorization disappeared once he breached a duty of loyalty to the employer.
The court granted the defendants' motion to dismiss the complaint, but gave Lockheed leave to amend.
Similar facts, but different conclusions. No wonder people sometimes get frustrated by the legal system. We will keep you posted as it sorts out.
This Newsletter is a periodic publication of Graydon Head & Ritchey LLP and should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general information purposes only, and you are urged to consult your own advisor concerning your situation and any specific legal question you may have.