Arbitration Agreements in Privacy Disputes: The Wyze Decision and the CCPA
Earlier this year, a number of individuals brought a lawsuit in the United States District Court for the Western District of Washington against Washington-based company Wyze Labs, Inc (Wyze), which manufactures “smart” home cameras and security equipment. See In re: Wyze Data Incident Litigation, Case No. C20-0282-JCC (W.D. Wa. 2020). The lawsuit – which centered around a 2019 data breach incident – alleged that Wyze failed to comply with Federal Trade Commission requirements for safeguarding users’ personal information.
Wyze moved to compel arbitration and dismiss the suit based on a provision of its user terms and conditions which stated “[Defendant] and you agree to exclusively arbitrate all disputes and claims… THIS ARBITRATION IS MANDATORY AND NOT PERMISSIVE.” The terms contained a provision allowing users to opt out of the arbitration and class action waiver provisions by notifying Wyze within 30 days of the date they accepted the agreement. The terms and conditions were implemented through a “clickwrap” arrangement whereby in order to create a new account, users had to click a box indicating that they agreed to Wyze’s terms and conditions, which were available through a hyperlink.
Plaintiffs argued that the arbitration provision was invalid, because the agreement only presented when they went to download the Wyze app – after the equipment (for which the app was necessary) had already been purchased. They also argued that the hyperlink to the terms was not conspicuous enough to be binding, and that Wyze could not show evidence of agreement by each individual Plaintiff. The court rejected each of those arguments.
The court first found that the time period between the product’s purchase and notice of the arbitration agreement was not legally significant. After noting that clickwrap agreements are generally valid, the court also found that the hyperlink was comparable – in both style and substance – to agreements previously upheld by other courts, and was therefore sufficiently conspicuous to support a valid agreement. Finally, the court found that, even without proof of each individual user’s assent, Wyze had provided sufficient evidence to show that any person with a user account (including the Plaintiffs) could not have accessed that account without, at some point, clicking a box to indicate his agreement with the terms and conditions. Based on those findings, the court found the arbitration agreement to be enforceable, and dismissed the suit.
It is not yet clear whether a similar suit in California would yield the same result, but new developments in that area may be on the horizon. Instagram, for example (a California-based subsidiary of Facebook, Inc.), recently updated its terms of service to implement a provision similar to the one in the Wyze case. Specifically, Instagram’s provision states:
Arbitration notice: You agree that disputes between you and us will be resolved by binding, individual arbitration and you waive your right to participate in a class action lawsuit or class-wide arbitration . . . You can opt out of this provision within 30 days of the date that you agreed to these Terms.
Instagram has significant freedom to guide users to acquiesce to new terms, as we have seen in previous cases. See Trudeau v. Google LLC, 816 F. App’x 68, 70 (9th Cir. 2020) (upholding unilateral addition of arbitration clause to Google’s terms of service). However, unlike in Trudeau, Instagram may not have quite as strong a footing as Google did, if the changes are challenged, because it did not require affirmative (if pro forma) consent to the new terms of service, nor did it send the new terms directly to users. Instead, the change was added to Instagram’s Help Center, where they are unlikely to be noticed by existing users – who primarily use the phone application. Of those that do visit the Help Center, and notice the change, even fewer are likely to take the time to gather and send their personal and account information, as well as a clear statement that they want to opt out of the arbitration agreement, to Facebook – as the terms require in order for them to opt out.
Considering these differences, and the fact that Instagram (like many similarly-situated companies) would likely be sued in California, it is unclear whether this kind of more passive modification will be upheld, should a suit arise. However, it is likely to be only a matter of time before a California court is required to consider a similar challenge to an arbitration clause in a privacy class action.
Indeed, Plaintiffs may argue that the newly enacted California Consumer Privacy Act (CCPA), which provides for a private right of action and has recently inspired various class action lawsuits, may make certain class action waivers or arbitration agreements unenforceable. Specifically, Cal. Civ. Code § 1798.192 provides:
Any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer’s rights under this title, including, but not limited to, any right to a remedy or means of enforcement, shall be deemed contrary to public policy and shall be void and unenforceable.
Although the U.S. Supreme Court has struck down multiple California rules limiting the enforceability of class action waivers and arbitration clauses, this issue has not arisen with respect to the CCPA and it could take years before any clear case law is developed in this area. In the meantime, companies and users alike should be mindful of arbitration agreements prior to and during litigation, including CCPA litigation.