Colorado on May 12, 2013 and Washington on May 21, 2013 joined the likes of California, Maryland, Utah and New Mexico by prohibiting employers from requesting that prospective and current employees disclose their username and password to their personal social media accounts.  Our Labor & Employment group discussed the Colorado law here and the Washington law here.

On May 15 a Ninth Circuit panel reversed the district court’s approval of a class action settlement, holding that attorney’s fees awarded in connection with a coupon for the class members must be tied to actual redemption of the coupons rather than the time the attorneys spent working toward the coupon settlement. (In re HP Inkjet Printer Litigation, No. 11-16097 (9th Cir. May 15, 2013) opinion available here.)

The decision (1) forecloses the use of a reasonable-hours-times-reasonable-rate method of calculating fees for the coupon part of a settlement and (2) prevents the award of fees as a portion of the coupon value until the value of actually-redeemed coupons is known. While this opinion only serves as governing precedent in Ninth Circuit federal courts, it may inform state court decisions on the subject of coupon settlements in class action cases.

The objectors are members of a class of people who bought printers from the Defendant between 2001 and 2010. In 2010 the parties agreed to a global settlement, with the Defendant (1) providing class members with $5 million in “e-credits” for the Defendant’s products, (2) making additional disclosures to customers, (3) paying class notice and settlement administration costs, and (4) paying up to $2.9 million in attorneys’ fees and expenses. The e-credits (which the Court deemed “a euphemism for coupons”) would be awarded in $2-$6 amounts, and would expire, would not be transferable, would only be accepted at the Defendant’s online store, and could not be used with other discounts or coupons. These are all variables that complicate the estimation of the actual value of the settlement to the class.

The district court approved the settlement, but estimated that the actual value of the whole settlement (coupons plus injunctive relief) to the class was approximately $1.5 million, so reduced the lodestar amount for the attorney’s fees to $1.5 million, with costs of nearly $600,000. The lodestar method of calculating damages requires multiplying the number of hours reasonably worked by a reasonable hourly rate.

With respect to the Class Action Fairness Act (“CAFA”), the Ninth Circuit majority and dissent “agree[d] that CAFA is poorly drafted,” and both opinions delved at a granular level into the meaning of CAFA’s text.

Section 1712(a)-(c) of CAFA governs the calculation of attorneys’ fees in class action settlements that involve a coupon component (the text of CAFA is available here). Under section 1712(a), when a settlement provides for coupons, “any attorney’s fee . . . that is attributable to the award of coupons shall be based on the value to class members of the coupons that are redeemed.” The majority noted that, with CAFA, Congress specifically “intended to put an end to the ‘inequities’ that arise when class counsel receive attorneys’ fees that are grossly disproportionate to the actual value of the coupon relief obtained for the class.”

The Ninth Circuit majority explained that the district court must calculate (1) the part of the fees based on the coupon using actual redemption value and (2) the part of the fees for injunctive relief using the lodestar method of estimating payment based on the time plaintiff attorneys reasonably spent working on the case. The majority then reversed the district court, finding that it had failed to calculate the redemption value of the coupons, instead only using the lodestar method for coupon and injunctive relief.

The majority also noted that allowing for redemption of coupons before final approval of the settlement (and the attorneys’ fees) would have alleviated part of the problem, because the redemption value of coupons actually used would be known. The Court did not address whether business modeling estimations of the actual coupon use would be sufficient to establish the actual dollar value of the coupons to the class.

Judge Berzon dissented, arguing that CAFA allows use of the lodestar method for the entire settlement, rather than only for the part resulting in non-coupon relief.  Judge Berzon explained that, under her reading of CAFA, section “1712(a) regulates how a percentage-of-recovery fee should be calculated, if that method is used to award attorney’s fees for a coupon settlement; it does not dictate whether a percentage-of-recovery method must be used.” Judge Berzon wrote that section 1712(b), in turn, states that the lodestar method is to be used if attorneys’ fees are not determined as “a portion of the recovery of the coupons.” Finally, the dissent said that 1712(c) allowed for a blend of the percentage and lodestar approaches. Judge Berzon further reasoned that plaintiffs’ counsel could not be expected to separate billing for their work on the coupon part of the settlement from their work on the injunctive relief. Additionally, district judges safeguard against the possibility of excessive fees based on hours for settlements with low value to the plaintiff class by reviewing the overall reasonableness of the fees and choosing which fee calculation method to apply, as appropriate.

As a growing number of states pass legislation which will protect individuals’ social media accounts from employer scrutiny, they have encountered a surprising adversary – FINRA and other securities regulators.

To date, at least six states have enacted social media employee privacy laws (which were blogged about here, here, here, and here) and upwards of thirty-five states have considered legislation since the beginning of 2013. Washington State may soon join the ranks with SB 5211, a bill unanimously passed by both chambers of Washington legislature on April 27, 2013, which now awaits the Governor’s signature. Social media password protection laws, although unique to each state, generally restrict employers from requesting or requiring that employees or applicants provide their social media user names, passwords, and account information. Supporters believe the laws are necessary to protect employee and prospective employee privacy and to prevent against unlawful employer action in response to an employee’s social media use.

FINRA, the Financial Industry Regulatory Authority, fears that the new employee privacy laws may directly conflict with securities rules and threaten investor protection. With an increasing number of financial firms taking to Facebook and Twitter to interact with investors and give financial advice, FINRA has set forth various guidelines governing social media use. Under FINRA rules, securities firms must “adopt policies and procedures reasonably designed to ensure that their associated persons who participate in social media sites for business purposes are appropriately supervised,” and broker-dealers must be able to “retrieve and supervise business communications regardless of whether they are conducted from a device owned by the firm or by the associated person.” FINRA Regulatory Notice 11-39 (August 2011). According to FINRA, if the employee of a broker-dealer is engaging in business communications over a social networking site, the broker-dealer must have access to the account for general monitoring and for its records. Broker-dealers must also be able to freely follow up on red flags, or misuse of an account. FINRA fears that the adoption of social media employee privacy laws may conflict with monitoring and reporting requirements and could force some employers into a lose-lose situation—violate state law or violate a FINRA rule. FINRA worries that employers who choose the former will increase investor risk and the potential for securities fraud.

FINRA has sent letters to lawmakers in approximately ten states seeking carve-outs to social media employee privacy laws for the financial services industry. Many of the laws already include narrow exemptions, which allow for employers to require disclosure if an employee’s alleged misconduct has risen to a certain level. FINRA does not appear satisfied with these exemptions, which may be too limited for broker-dealers to be in full compliance with monitoring, recording and supervision requirements. California has rejected FINRA’s request for an exception for the financial services industry, but it remains to be seen how the states will react in general.

FINRA is not alone in its concerns that social media privacy laws are too broad. On May 6, 2013, Governor Christie of New Jersey conditionally vetoed a social media employee privacy Bill which he criticized for its over-breadth and for putting employers at increased risk.

While it is too soon to predict how this conflict between employee privacy interests and financial industry oversight will be resolved, what is apparent is the increasingly complex issue of handling privacy in the age of social media.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published on its website a series of factsheets designed to educate consumers unfamiliar with their rights under the Health Insurance Portability and Accountability Act’s (HIPAA) Privacy and Security Rules.  These four factsheets are described in detail below and are available in eight languages on OCR’s website at:  www.hhs.gov/ocr/privacy/hippa/understanding/consumers.

I.            OCR Consumer Factsheet: “Your Health Information Privacy Rights”

• OCR tells consumers that HIPAA gives them rights over their health information including the right to get a copy of their information, make sure it is correct and know who has seen it.
• OCR says that in most cases consumers must be given a copy of their medical record and other health information within 30 days.
• Consumers can ask to change any wrong information in their file if they believe that something is missing or incomplete.  OCR states, “Even if the hospital believes the test result is correct, you still have the right to have your disagreement noted in your file.”
• OCR summarizes how a consumer’s health information can be used and shared for specific reasons not directly related to the consumer’s care (i.e., “making sure doctors give good care, making sure nursing homes are clean and safe, reporting when the flu is in your area, or reporting as required by state or federal law”). 
• OCR encourages consumers to learn how their health care providers and health insurers are using and sharing their health information.
• OCR encourages consumers to let their health care providers and health insurers know if there is information that they do not want to be shared.
• OCR also tells consumers that they can make reasonable requests to direct their health care provider to contact them at a different place or in a different manner.  For example, if the doctor’s office usually sends a postcard with an appointment reminder, the consumer may request that the appointment reminder be sent in an envelope instead.

II.          OCR Consumer Factsheet: “Privacy, Security, and Electronic Health Records”

• OCR explains that electronic health records (EHRs) are electronic versions of the consumer’s paper medical record and includes health information such as medical history, notes, diagnoses, medications, lab results, and immunizations. 
• OCR tells consumers that their privacy rights are the same whether the health information is stored as paper or in an electronic form.
• In the factsheet, OCR summaries the benefits of health care providers using EHRs.  Consumers should expect “improved quality of care”, “more efficient care”, and “more convenient care.” 
• OCR summarizes certain protections that can safeguard EHR systems including access controls like passwords and PIN numbers, encrypting, and an audit trail feature.
• OCR describes for the consumers the breach notification requirement for health care providers.

III.        OCR Consumer Factsheet: “Understanding the HIPAA Notice”

• OCR provides a four step process for consumers to follow to make sure that they understand the “Notice of Privacy Practices” and their rights under HIPAA.
• Step 1: OCR encourages consumers to “Get a Copy of the Notice of Privacy Practices”
• Step 2: OCR encourages consumers to “Read the Notice”
  • The Notice explains how the health care provider or insurer is allowed to use or share their information
  • Explains the consumers’ privacy rights
  • Explains the doctor or insurer’s legal duties to protect consumers’ health information
  • Provides the contact information about the doctor or insurance company’s privacy polices.
• Step 3: OCR encourages consumers to “Ask Questions about the Notice or Your Rights”
• Step 4: OCR encourages consumers to “Know What You are Signing”
  • HIPAA requires the consumer’s doctor, hospital, or other health care provider to ask for written proof that he or she received the Notice of Privacy Practices acknowledgement of receipt. 
  • Consumers are not required to sign the acknowledgment of receipt; however providers must keep a record that the consumer decided not to sign the form.  Providers must still care for consumers who do not sign the acknowledgment of receipt. 

IV.         OCR Consumer Factsheet: “Sharing Health Information with Family Members and Friends”

• OCR summarizes and provides examples of when a health care provider or health plan may share relevant information with family members or friends involved in the consumer’s health care or payment for health care.
• OCR states that under HIPAA, a health care provider may share a consumer’s information face-to-face, over the phone, or in writing … if:
  • The consumer gives the provider or plan permission to share the information.
  • The consumer is present and does not object to sharing the information.
  • The consumer is not present, and the provider determines based on professional judgment that it is in the consumer’s best interest.
• OCR provides frequently occurring examples for each of these scenarios. 
  • The consumer’s hospital may discuss the consumer’s bill with his or her daughter who is with the consumer and has a question about the charges, if the consumer does not object.
  • The consumer’s doctor may discuss the drugs the consumer needs to take with the consumer’s health aide who has accompanied the consumer to his or her appointment.
  • The consumer had emergency surgery and is still unconscious.  The consumer’s surgeon may tell the consumer’s spouse about his or her condition, either in person or by phone, while the consumer is unconscious.
  • A doctor may not tell a consumer’s friend about a past medical problem that is unrelated to the consumer’s current condition.

Finally, OCR provides information to consumers on who to contact if their HIPAA rights are being denied or their health information is not being protected.

The Securities and Exchange Commission (the “SEC”) and Commodity Futures Trading Commission (the “CFTC”) recently adopted rules requiring entities subject to their respective enforcement authorities to adopt and implement programs to detect and respond to indicators of possible identity theft, as required by the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (the “Dodd-Frank Act”). The SEC rules apply to entities such as broker-dealers, investment companies and investment advisers, while the CFTC’s rules apply to entities such as futures commission merchants, commodity trading advisors and commodity pool operators.

 The Dodd-Frank Act requirement shifted rulemaking responsibility and enforcement authority for identity theft rules governing such entities to the SEC and CFTC from the six federal agencies that had jointly adopted identity theft rules under the Fair Credit Reporting Act in 2007.

 The rules adopted by the SEC and the CFTC specify: (1) which financial institutions and creditors must develop and implement a written identity theft prevention program; (2) the objectives of such program; (3) the elements that the program must contain; and (4) the steps financial institutions and creditors need to take to administer the program. The rules do not contain any requirements that were not already in the rules established in 2007, nor do they expand the scope of those rules to include new categories of entities that the rules did not already cover.  However, the rules and the related adopting release contain examples and minor language changes that are designed to help guide entities with compliance.

 The rules will become effective 30 days after publication in the Federal Register, and the compliance date will be six months after that effective date.

Are social media companies based in the United States subject to European data privacy laws?  Two recent judicial decisions – one in France and the other in Germany – arrived at different answers.  The Civil Court of Paris held that Twitter, based in California, was obligated under the French Code of Civil Procedure to reveal the identity of its users in France who posted racist tweets.  In Germany, on the other hand, an administrative court held that Facebook, also based in California, was not subject to a German law that would have prohibited Facebook from requiring users to register under their real names. 

To be subject to French data protection laws, a data controller must be either established on French territory or use a means of processing data that is located on French territory.  However, Article 145 of the French Code of Civil Procedure does not include such geographical limitations and allows parties, upon application to the court, to seek evidence before a case has been formally instituted whether there is a legitimate reason to preserve or establish the evidence.

In October 2012, the Union of French Jewish Students (“UFJS”) filed a summary action under Article 145 to require Twitter to identify individuals who had posted anti-Semitic tweets (a criminal offense).  On January 24, 2013, the court ruled that while Twitter was not subject to French data protection laws, it was nevertheless obligated to hand over the identities of users in France who post racist tweets.

Twitter has yet to hand over the authors’ identities, however, and the UFJS is taking further legal action against Twitter, claiming $50 million in damages.  Twitter has appealed the decision.

In Germany, the Düsseldorfer Kries (ULD), Germany’s consortium of state data protection regulators, issued an opinion against Facebook’s real-name policy, which requires users to register accounts under their real names and remove fake accounts.  This policy is central to Facebook’s business model, but the ULD argued it violates users’ online privacy.  German data protection laws provide for the right to anonymous use of social media.

Facebook appealed to a German administrative court, arguing that because it processes the relevant data in Ireland (which does not have a right to anonymous use of social media), and not in Germany, it was not subject to the German law.  The court agreed, though the ULD has announced it plans to appeal.

These two decisions illustrate the patchwork of local laws that social media companies may face when conducting business in the EU.  We will continue to monitor this issue, as well as these cases as they go up on appeal.

California Assembly Member, Bonnie Lowenthal, recently introduced the “Right to Know Act of 2013″ (AB 1291), which would require any company that retains a  California resident’s personal information to provide a copy of that information to that person, free of charge, within 30 days of the request. The company would also have to disclose a list of all third parties with whom it has shared the resident’s data during the previous 12 months, the contact information of such third parties, and the types of personal information that was shared. In contrast to the existing Shine the Light Act, this legislation would not be limited to data sharing for direct marketing purposes, and would not provide exceptions for companies that maintain an opt-in or opt-out policy for data sharing.  Moreover, the legislation’s definition of “personal information” is broader, and includes data such as online usage information. Also, the legislation would apply to businesses even if they do not have a direct relationship with the California resident, such as data aggregators and online ad networks.  Additional requirements also exceed what is present in the existing law.  If a company does not comply, California residents would be empowered to file a civil suit to force compliance. The law does not distinguish between brick-and-mortar businesses and online companies.

Although the Right to Know Act contains certain provisions intended to prevent abuse, it provides for an unprecedented level of data access for California residents. Under CA Civil Code § 1798.83 (better known as the Shine the Light Act), California residents may request from a company an accounting of disclosures made to third parties for direct marketing purposes, as well as general facts about the types of data disclosed. The Right to Know Act would allow California residents to know all of the ways that their personal information is being shared – including via online interactions – with the exception only of data sharing with service providers who are only permitted to use the information to provide service to the company.

The Right to Know Act provides that in lieu of responding to individual California resident requests, a company can provide a California resident with a notice about what data will be disclosed and to whom— prior to or immediately following a disclosure. In addition, a company would only have to provide each California resident with the required information once every 12 months.

The bill is expected to be debated by California legislators within the next few months.

On April 5, 2013, New Mexico joined six other states (including, among others, Utah, Maryland and California) in passing a new law prohibiting employers from requesting or requiring that a prospective employee provide access to his or her social networking accounts.  Proskauer’s Labor & Employment group has discussed the new law here. 

The French, Italian, British, German, Spanish and Dutch Data Protection Authorities announced on April 2, 2013 that each will launch investigations and enforcement actions against Google on the grounds that its privacy policy is not compliant with the European Directive on Data Protection, available at http://eur-lex.europa.eu/en/index.htm, (the “Directive”).

The first year of existence of Google’s new privacy policy has been eventful

Google’s new privacy policy has been under the scrutiny of the European Data Protection Authorities since its launch was announced by Google at the end of January 2012.

The Article 29 Working Party, whose members are the Data Protection Authorities of the 27 Member States, immediately expressed concerns about the compliance of Google’s privacy policy with the European Directive on Data Protection, and requested in February 2012 that Google delay the implementation of the new policy, which Google refused (which we blogged about here: http://privacylaw.proskauer.com/2012/03/articles/online-privacy/googles-new-privacy-policy-being-scrutinized-by-the-french-data-protection-authority

The French Data Protection Authority (CNIL) took the task of reviewing and assessing Google’s privacy policy on behalf of all European Data Protection Authorities. After several months of exchanges between the CNIL and Google, the Article 29 Working Party rendered in October 2012 its findings and requested that Google make changes to its privacy policy:http://ec.europa.eu/justice/data-protection/article-29/documentation/other-document/files/2012/20121016_google_privacy_policy_recommendations_cnil_en.pdf

The findings of the European Data Protection Authority on Google’s Privacy Policy

Google’s new privacy policy unified more than 60 different privacy policies across Google’s services and apps under one single privacy policy that covers almost every Google product and service. In addition, it allowed Google to combine data collected in every service into a single detailed user profile. To give an example, if a user searches for cooking recipes through the Google search engine, Google can use this information to suggest cooking videos on YouTube!.

The Article 29 Working Party determined that Google’s privacy policy does not comply with the Directive’s obligation to precisely inform the user of the type of data collected, its purposes and its recipients because the policy is too general. As a result, a user is unable to determine which categories of data are processed in the service that is used and for which purpose they are processed. In addition, the Article 29 Working Party stated that the combination of data requires the unambiguous consent of the user and that this large combination of data is disproportionate and creates high risks to the privacy of the user. Finally, Google has not specified the retention periods for the data it processes, in breach of the Directive.

National Enforcement Actions in Six EU Countries

Google decided not to implement the Article 29 Working Party’s recommendations.

Following a meeting with Google on March 19^,, 2013 the national Data Protection Authorities of 6 of the 27 EU Member States announced that each will launch investigations and enforcement procedures against Google. Unlike the initial assessment phase that was coordinated by the CNIL on behalf of the other EU authorities, these investigations and enforcement procedures are not being jointly pursued. Indeed, each national Data Protection Authority has its own procedures, powers and sanctions.

Although the authorities have announced that they will cooperate together, Google will nevertheless face six distinct national procedures, and should they result in divergent decisions, there is no system to reconcile them. One goal of EU data protection reform is to establish a new system of supervision when data processing has an EU-wide impact. Under the proposition for a new EU data protection regulation made by  the European Commission in January 2012 [http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf] and currently under review before the European Parliament, only the  Data Protection Authority of the EU country where the company has its main establishment  would be in charge of taking legally binding decisions against a non-compliant company (one-stop shop). In addition, mandatory cooperation between national authorities, as well as a consistency mechanism at the EU level, would be implemented to ensure consistency across investigations and enforcement procedures.

Following a growing trend among states, on March 26, 2013, the Utah legislature passed the Internet Employment Privacy Act, which prohibits employers from requesting that job applicants or employees disclose passwords protecting their personal internet accounts.  Proskauer’s Labor & Employment group has discussed the new law here.