Insights
Publications

Arbitration Agreements in Privacy Disputes: The Wyze Decision and the CCPA

December 1, 2020 Blog

Earlier this year, a number of individuals brought a lawsuit in the United States District Court for the Western District of Washington against Washington-based company Wyze Labs, Inc (Wyze), which manufactures “smart” home cameras and security equipment. See In re: Wyze Data Incident Litigation, Case No. C20-0282-JCC (W.D. Wa. 2020). The lawsuit – which centered around a 2019 data breach incident – alleged that Wyze failed to comply with Federal Trade Commission requirements for safeguarding users’ personal information.

Wyze moved to compel arbitration and dismiss the suit based on a provision of its user terms and conditions which stated “[Defendant] and you agree to exclusively arbitrate all disputes and claims… THIS ARBITRATION IS MANDATORY AND NOT PERMISSIVE.” The terms contained a provision allowing users to opt out of the arbitration and class action waiver provisions by notifying Wyze within 30 days of the date they accepted the agreement. The terms and conditions were implemented through a “clickwrap” arrangement whereby in order to create a new account, users had to click a box indicating that they agreed to Wyze’s terms and conditions, which were available through a hyperlink.

Plaintiffs argued that the arbitration provision was invalid, because the agreement only presented when they went to download the Wyze app – after the equipment (for which the app was necessary) had already been purchased. They also argued that the hyperlink to the terms was not conspicuous enough to be binding, and that Wyze could not show evidence of agreement by each individual Plaintiff. The court rejected each of those arguments.

The court first found that the time period between the product’s purchase and notice of the arbitration agreement was not legally significant. After noting that clickwrap agreements are generally valid, the court also found that the hyperlink was comparable – in both style and substance – to agreements previously upheld by other courts, and was therefore sufficiently conspicuous to support a valid agreement. Finally, the court found that, even without proof of each individual user’s assent, Wyze had provided sufficient evidence to show that any person with a user account (including the Plaintiffs) could not have accessed that account without, at some point, clicking a box to indicate his agreement with the terms and conditions. Based on those findings, the court found the arbitration agreement to be enforceable, and dismissed the suit.

It is not yet clear whether a similar suit in California would yield the same result, but new developments in that area may be on the horizon. Instagram, for example (a California-based subsidiary of Facebook, Inc.), recently updated its terms of service to implement a provision similar to the one in the Wyze case. Specifically, Instagram’s provision states:

Arbitration notice: You agree that disputes between you and us will be resolved by binding, individual arbitration and you waive your right to participate in a class action lawsuit or class-wide arbitration . . . You can opt out of this provision within 30 days of the date that you agreed to these Terms.

Instagram has significant freedom to guide users to acquiesce to new terms, as we have seen in previous cases. See Trudeau v. Google LLC, 816 F. App’x 68, 70 (9th Cir. 2020) (upholding unilateral addition of arbitration clause to Google’s terms of service). However, unlike in Trudeau, Instagram may not have quite as strong a footing as Google did, if the changes are challenged, because it did not require affirmative (if pro forma) consent to the new terms of service, nor did it send the new terms directly to users. Instead, the change was added to Instagram’s Help Center, where they are unlikely to be noticed by existing users – who primarily use the phone application. Of those that do visit the Help Center, and notice the change, even fewer are likely to take the time to gather and send their personal and account information, as well as a clear statement that they want to opt out of the arbitration agreement, to Facebook – as the terms require in order for them to opt out.

Considering these differences, and the fact that Instagram (like many similarly-situated companies) would likely be sued in California, it is unclear whether this kind of more passive modification will be upheld, should a suit arise. However, it is likely to be only a matter of time before a California court is required to consider a similar challenge to an arbitration clause in a privacy class action.

Indeed, Plaintiffs may argue that the newly enacted California Consumer Privacy Act (CCPA), which provides for a private right of action and has recently inspired various class action lawsuits, may make certain class action waivers or arbitration agreements unenforceable. Specifically, Cal. Civ. Code § 1798.192 provides:

Any provision of a contract or agreement of any kind that purports to waive or limit in any way a consumer’s rights under this title, including, but not limited to, any right to a remedy or means of enforcement, shall be deemed contrary to public policy and shall be void and unenforceable.

Although the U.S. Supreme Court has struck down multiple California rules limiting the enforceability of class action waivers and arbitration clauses, this issue has not arisen with respect to the CCPA and it could take years before any clear case law is developed in this area. In the meantime, companies and users alike should be mindful of arbitration agreements prior to and during litigation, including CCPA litigation.

Firm Highlights

News

Scraping Battles: Meta Loses Legal Effort to Halt Harvesting of Personal Profiles

Alex Reese spoke to Matt Fleischer-Black of  Cybersecurity Law Report about the Meta v. Bright Data decision and its impact on U.S. scraping case law. Read the article here (paywall or trial).

Read More
Publication

California Appeals Court Empowers Privacy Agency to Immediately Enforce CCPA Regulations

In  California Privacy Protection Agency et al. v. The Superior Court of Sacramento County  (case number C099130), the Third Appellate District of the California Court of Appeal returned authority to the California Privacy Protection...

Read More
Publication

California AI Proposal Rethinks Consumer Scope and Recordkeeping

The California Privacy Protection Agency will revisit its  draft  regulations for automated decision-making technology on March 8, including use of artificial intelligence to process personal information. Comment periods should be coming soon in 2024...

Read More
Publication

Court Reinstates CPPA Enforcement Authority and Confirms No Delay Necessary for Enforcement of Future CCPA Regulations

A recent appellate decision has made clear that the regulations promulgated under California’s groundbreaking consumer privacy law, the California Consumer Privacy Act (CCPA, as amended by the California Privacy Rights Act (CPRA)), are ripe...

Read More
Publication

Major Decision Affects Law of Scraping and Online Data Collection, Meta Platforms v. Bright Data

On January 23, 2024, the court in Meta Platforms Inc. v. Bright Data Ltd. , Case No. 3:23-cv-00077-EMC (N.D. Cal.), issued a summary judgment ruling with potentially wide-ranging ramifications for the law of scraping and...

Read More
Publication

It Wasn’t Me, It Was the AI: Intellectual Property and Data Privacy Concerns With Nonprofits’ Use of Artificial Intelligence Systems

In today's rapidly changing technological landscape, artificial intelligence (AI) is making headlines and being discussed constantly. To be sure, AI provides a powerful tool to nonprofits in creating content and exploiting for countless cost-effective...

Read More
Publication

Thomson Reuters v. Ross Intelligence: AI Copyright Law and Fair Use on Trial

On Sept. 25, 2023, Judge Stephanos Bibas (sitting by designation in the District of Delaware), determined that fact questions surrounding issues of fair use and tortious interference required a jury to decide media conglomerate...

Read More
Publication

California Proposes New AI & Automated Decision-Making Technology Regulations

The California Privacy Protection Agency (CPPA) released its draft  regulatory framework for automated decision-making technology (ADMT) on November 27. These regulations are a preview of what new requirements may look like for companies currently...

Read More
Publication

Nonprofits’ Use of Artificial Intelligence Systems: Intellectual Property and Data Privacy Concerns

In today's rapidly changing technological landscape, artificial intelligence (AI) is making headlines and being discussed constantly. To be sure, AI provides a powerful tool to nonprofits in creating content and exploiting for countless cost-effective...

Read More
Publication

BIPA Liability: Existing CGL Coverage May Provide a Lifeline for Policyholders

Developments in the law have increased the potential liability that companies could face under the Illinois Biometric Information Privacy Act (BIPA), but fortunately for policyholders, Illinois case law has also solidified coverage for BIPA...

Read More