Insights
Publications

Arbitration Agreements in Privacy Disputes: The Wyze Decision and the CCPA

December 1, 2020 Blog

Earlier this year, a number of individuals brought a lawsuit in the United States District Court for the Western District of Washington against Washington-based company Wyze Labs, Inc (Wyze), which manufactures “smart” home cameras and security equipment. See In re: Wyze Data Incident Litigation, Case No. C20-0282-JCC (W.D. Wa. 2020). The lawsuit – which centered around a 2019 data breach incident – alleged that Wyze failed to comply with Federal Trade Commission requirements for safeguarding users’ personal information.

Wyze moved to compel arbitration and dismiss the suit based on a provision of its user terms and conditions which stated “[Defendant] and you agree to exclusively arbitrate all disputes and claims… THIS ARBITRATION IS MANDATORY AND NOT PERMISSIVE.” The terms contained a provision allowing users to opt out of the arbitration and class action waiver provisions by notifying Wyze within 30 days of the date they accepted the agreement. The terms and conditions were implemented through a “clickwrap” arrangement whereby in order to create a new account, users had to click a box indicating that they agreed to Wyze’s terms and conditions, which were available through a hyperlink.

Plaintiffs argued that the arbitration provision was invalid, because the agreement only presented when they went to download the Wyze app – after the equipment (for which the app was necessary) had already been purchased. They also argued that the hyperlink to the terms was not conspicuous enough to be binding, and that Wyze could not show evidence of agreement by each individual Plaintiff. The court rejected each of those arguments.

The court first found that the time period between the product’s purchase and notice of the arbitration agreement was not legally significant. After noting that clickwrap agreements are generally valid, the court also found that the hyperlink was comparable – in both style and substance – to agreements previously upheld by other courts, and was therefore sufficiently conspicuous to support a valid agreement. Finally, the court found that, even without proof of each individual user’s assent, Wyze had provided sufficient evidence to show that any person with a user account (including the Plaintiffs) could not have accessed that account without, at some point, clicking a box to indicate his agreement with the terms and conditions. Based on those findings, the court found the arbitration agreement to be enforceable, and dismissed the suit.

It is not yet clear whether a similar suit in California would yield the same result, but new developments in that area may be on the horizon. Instagram, for example (a California-based subsidiary of Facebook, Inc.), recently updated its terms of service to implement a provision similar to the one in the Wyze case. Specifically, Instagram’s provision states:

Arbitration notice: You agree that disputes between you and us will be resolved by binding, individual arbitration and you waive your right to participate in a class action lawsuit or class-wide arbitration . . . You can opt out of this provision within 30 days of the date that you agreed to these Terms.

Instagram has significant freedom to guide users to acquiesce to new terms, as we have seen in previous cases. See Trudeau v. Google LLC, 816 F. App’x 68, 70 (9th Cir. 2020) (upholding unilateral addition of arbitration clause to Google’s terms of service). However, unlike in Trudeau, Instagram may not have quite as strong a footing as Google did, if the changes are challenged, because it did not require affirmative (if pro forma) consent to the new terms of service, nor did it send the new terms directly to users. Instead, the change was added to Instagram’s Help Center, where they are unlikely to be noticed by existing users – who primarily use the phone application. Of those that do visit the Help Center, and notice the change, even fewer are likely to take the time to gather and send their personal and account information, as well as a clear statement that they want to opt out of the arbitration agreement, to Facebook – as the terms require in order for them to opt out.

Considering these differences, and the fact that Instagram (like many similarly-situated companies) would likely be sued in California, it is unclear whether this kind of more passive modification will be upheld, should a suit arise. However, it is likely to be only a matter of time before a California court is required to consider a similar challenge to an arbitration clause in a privacy class action.

Indeed, Plaintiffs may argue that the newly enacted California Consumer Privacy Act (CCPA), which provides for a private right of action and has recently inspired various class action lawsuits, may make certain class action waivers or arbitration agreements unenforceable. Specifically, Cal. Civ. Code § 1798.192 provides:

Any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer’s rights under this title, including, but not limited to, any right to a remedy or means of enforcement, shall be deemed contrary to public policy and shall be void and unenforceable.

Although the U.S. Supreme Court has struck down multiple California rules limiting the enforceability of class action waivers and arbitration clauses, this issue has not arisen with respect to the CCPA and it could take years before any clear case law is developed in this area. In the meantime, companies and users alike should be mindful of arbitration agreements prior to and during litigation, including CCPA litigation.

Firm Highlights

Publication

How to Guard Against 3 Cannabis Cyber Attack Risks

Cyber attacks are now commonplace. Ransomware attacks, in particular, have skyrocketed in frequency and size. High-profile data breaches have cost businesses in the United States millions of dollars in losses and incalculable reputational harm...

Read More
Publication

Privacy During Bankruptcy Proceedings: Why It Matters

During these particularly trying times resulting from the COVID-19 pandemic, businesses of all sizes have been concerned about the future. As a result, considering potential liquidation or restructuring through bankruptcy is inevitably starting to...

Read More
Publication

What to Know About Taking a Data Center Company Public Through a SPAC

A recent IPO by InterPrivate IV Infratech Partners, a digital infrastructure-focused special purpose acquisition company, or SPAC, raised $250 million. Its impressive fundraising and management team, led by former CyrusOne CTO Kevin Timmons, may cause privately...

Read More
Publication

Data Center Business Deals Gone Bad, and the Risks of the “Known in the Industry” Defense

Exploring business partnerships often involves or even requires sharing highly confidential trade secret information. The data center industry is no exception, and its participants have in recent years faced litigation focused around the intellectual...

Read More
Publication

Undergoing Bankruptcy Proceedings? Here’s How to Make Sure PII Maintains Its Value

Due to the COVID-19 pandemic, some businesses are considering potential liquidation or restructuring through bankruptcy. Companies in this situation should keep privacy concerns in mind, because the handling of personal data in bankruptcy proceedings...

Read More
Publication

Top 10 Practical Business Implications Arising From the Passage of the CPRA

California’s Proposition 24 passed as expected, and the new California Privacy Rights Act will change the privacy landscape created by the California Consumer Protection Act (CCPA), which went into effect only months ago. While...

Read More
Publication

Cyber Insurance for the Cannabis Industry

Farella's Shanti Eagle (moderator), Nate Garhart and Tyler Gerking, along with guest speakers Javier Gonzalez and Michael Peters from PL Risk Advisors, discuss "Cyber Insurance for the Cannabis Industry." Cannabis businesses have cyber security...

Read More
Publication

No Quarter: What Claims Doesn’t Section 230 of the Communications Decency Act Protect Platform Companies Against?

Depending on what you read or who you talk to, Section 230 of the Communications Decency Act (47 U.S.C. § 230) (CDA) is either a tool of censorship, a shield of Big Tech that...

Read More
Publication

Electric Fence: Protecting Proprietary Rights in Collected Energy Data

Like companies in other industries, a growing number of modern energy-related companies are focusing their efforts on data collection and analysis. For example, Enphase – an energy technology company – regularly tracks data about how...

Read More
Publication

PSDcast – Is Energy Companies' Customer Data a Trade Secret?

We often focus on the privacy issues involved in data collection – and they are critically important – while neglecting the idea of data as a tangible and valuable resource (and how to protect...

Read More