The parties in a Video Privacy Protection Act (VPPA) lawsuit against MLB Advanced Media (MLBAV) over ad tracking technology are seeking an extension to further extend the deadline for MLBAM’s response to plaintiff Bryan Henry’s complaint, said their proposed joint stipulation and order Wednesday (docket 1:24-cv-01446) in U.S. District Court for Southern New York in Manhattan. Henry’s Feb. 26 class action suit alleges MLB.tv collects and shares website and app users’ personal information with its third-party business partners via cookies, software development kits and tracking pixels without obtaining their consent. The parties filed a joint motion April 29 to stay all deadlines and extend MLBAV’s deadline to answer Henry’s complaint for 60 days pending mediation; the court granted the motion to stay and extended the deadline for a response to Tuesday. The parties scheduled a mediation conference for July 23, said the stipulation, and they agreed to further extend the deadline for a response to Aug. 22 to facilitate the mediation, prevent unnecessary expenses and serve the interest of judicial economy in the event they reach a settlement, said the filing.
The FTC finalized an order banning anti-virus software provider Avast from selling, disclosing or licensing any web browsing data for advertising purposes to settle charges that the U.K.-based Avast Ltd.’s Czech subsidiary sold consumers’ data after promising that its products would protect consumers from online tracking, it said in a Thursday news release. As part of the settlement, Avast must pay $16.5 million, which is expected to be used to provide redress to consumers. The FTC’s February complaint alleged Avast unfairly collected users’ browsing information, stored it indefinitely and sold it “without adequate notice and without consumer consent." Under the order, Avast and its subsidiaries must delete the web browsing information transferred to Jumpshot and any products or algorithms derived from that data; obtain affirmative express consent from consumers before selling or licensing browsing data from non-Avast products to third parties for advertising purposes; notify consumers whose browsing information was sold to third parties without their consent about the FTC’s actions against the company; and implement a comprehensive privacy program that addresses the misconduct alleged, it said. After receiving two comments, the commission voted 3-0-2 to give final approval to the settlement; commissioners Melissa Holyoak and Andrew Ferguson didn't participate.
U.S. District Judge Jennifer Rearden for Southern New York in Manhattan granted defendant Augusta National’s stay of proceedings request (see 2406070050) in a Video Privacy Protection Act (VPPA) lawsuit, said her Tuesday order (docket 1:24-cv-03058). In the June 6 letter motion, Augusta National’s counsel, David Venderbush of Alston & Bird, requested the stay of the suit by Adam Labernik and Shane Doyle, pending the 2nd U.S. Circuit Appeals Court's decision in Salazar v. National Basketball Association. Labernik and Doyle don’t oppose the stay. The plaintiffs allege that Augusta National, owner of the Masters golf tournament, doesn’t disclose on its website or in its online newsletter that the Meta Pixel tracking tool that the defendant installed will capture subscribers’ personally identifying information and then share that PII with Meta. In the Salazar appeal, the plaintiff-appellants argue that the district court erred in dismissing their claims against the NBA on grounds that the goods and services as defined in the VPPA don’t apply to online newsletters. The Southern District of New York has previously stayed a similar VPPA case pending the outcome of Salazar, said Venderbush’s letter motion: “It would be in the interest of the parties, the Court, and the public to do the same here.” Both parties will benefit from a decision in Salazar, “clarifying the scope of the VPPA and any new legal standards before beginning to brief a dispositive motion in this matter based on uncertain law,” said the letter motion. Oral argument in Salazar was held April 2.
Defendant Reuters doesn’t dispute that it collected users’ IP addresses and shared that data with third parties, said Zhizhi Xu’s memorandum Friday (docket 1:24-cv-02466) in U.S. District Court for Southern New York in opposition to Reuters’ May 24 motion to dismiss the plaintiff’s California Invasion of Privacy Act (CIPA) (see 2405280015). The company instead asserts that Xu lacks standing because the disclosure of IP addresses doesn’t “implicate traditional privacy interests, and the data is merely basic contact information,” it said. But the U.S. Supreme Court and multiple circuits have held that the right to privacy encompasses the individual’s control of information concerning his or his person, said Xu’s opposition. When statutes that codify such substantive privacy rights are violated, such a violation gives rise to a concrete injury sufficient to confer standing, it said. In arguing that Xu doesn’t sufficiently allege a CIPA violation, Reuters relies on an “incorrectly reasoned string of cases,” it said. Reuters then “misconstrues the plain text” of the CIPA, or attempts to “graft language onto the statute” that isn’t present, it said. It ignores that the California legislature intended for the CIPA to establish broad privacy protections, which supports an expansive reading to the statute, it said.
Dominic Fiacco voluntarily dismissed without prejudice his negligence class action against the University of Rochester (docket 1:24-cv-10777), said Fiacco's notice Tuesday (docket 3083) in U.S. District Court for Massachusetts. The action, part of In Re: MOVEIt Customer Data Security Breach Litigation, involved a May 2023 data breach at file transfer software company Progress Software. A University of Rochester student, the plaintiff alleged the college failed to safeguard and protect his and class members' confidential information under its control, including Social Security numbers and personal information "that can be used to perpetrate identity theft." In the event of future recovery in the action, “nothing in the foregoing shall prevent Dismissing Plaintiff from submitting a claim as an absent class member and/or from participating in any settlement or judgement as an absent class member,” said the notice.
The FTC referred to the DOJ a complaint vs. TikTok, the successor to Musical.ly, and its parent company ByteDance, it said Tuesday in a statement. The FTC’s investigation of the companies began in connection with its order compliance review of Musical.ly following a 2019 settlement for violations of the Children’s Online Privacy Protection Act (COPPA), it said. The commission investigated additional potential violations of COPPA and the FTC Act, uncovering “reason to believe named defendants are violating or are about to violate the law and that a proceeding is in the public interest,” it said. TikTok said in a statement Tuesday it’s been working with the FTC for more than a year to “address its concerns” and is “disappointed the agency is pursuing litigation instead of continuing to work with us on a reasonable solution.” TikTok “strongly” disagrees with the allegations, which relate to “past events and practices that are factually inaccurate or have been addressed,” the company said. The FTC doesn’t typically make public when it refers a complaint but determined that doing so in this case was in the public interest, it said.
The FTC seeks an order enforcing a Jan. 25 civil investigative demand (CID) issued to MGM Resorts International for documents and information relevant to the commission’s ongoing investigation into MGM’s data security practices, said the agency’s petition Monday (docket 2:24-cv-01112) in U.S. District Court for Nevada in Las Vegas. MGM “has refused to comply” with the CID, said the petition. Judicial enforcement is necessary so that FTC staff “may thoroughly and expeditiously conduct its investigation,” it said. The FTC “has met all of the requirements for judicial enforcement of the CID,” it said. It therefore asks the court to issue an order requiring MGM to appear and show cause why it shouldn’t comply with the CID, it said. The court thereafter should grant the FTC’s petition and enter an order compelling MGM to produce the documents and information specified in the CID, it said. Since 2019, MGM has experienced at least three publicly reported data breaches implicating consumers’ personal information, the most recent in September (see 2404020004), said the petition. After the latest breach, the FTC launched an investigation into MGM’s acts and practices relating to the privacy and data security of its consumers, it said. MGM’s failure to comply with the CID has “materially impeded” the commission’s ongoing investigation, it said.
Tracy Hyman voluntarily dismissed without prejudice his Video Privacy Protection Act class action claims against Sinclair without prejudice, said his notice of dismissal Wednesday (docket 2:24-cv-02168) in U.S. District Court for Central California in Los Angeles. Hyman alleged in his March 18 complaint that Sinclair, operator of TennisChannel.com, uses a wide array of “extremely sophisticated” tracking technology that collects its subscribers’ personally identifiable information and viewing history, and “knowingly discloses” that to third-party analytics and advertising companies (see 2403190001).
Marriott International secretly deploys spyware on its website that accesses visitors’ devices and installs "pen register" and "trap and trace" tracking software that monitors and reports visitors’ online habits after they leave the website, alleged plaintiff Monica Sanchez’s California Invasion of Privacy Act complaint removed Monday (docket 2:24-cv-04882) to U.S. District Court for Central California in Los Angeles. “The harm caused by this intrusion is grave,” said the complaint, filed May 3 in Los Angeles County Superior Court. Law enforcement historically used pen registers to record the numbers of outgoing calls from a particular telephone line, while trap and trace devices were used to record the numbers of incoming calls to that same phone line, said the complaint. Individuals who use devices to connect to a website “are typically anonymous and expect to remain anonymous,” it said. But some “rogue” website operators secretly attach a “tracking beacon” to visitor devices that are then used to track and surveil users, it said. Using tracking software, a website owner “can correlate a grouping of fragments and the connections between them to create a unique digital profile of each individual website visitor,” in a process known as digital fingerprinting, it said. If a website owner can link a unique digital profile created by digital fingerprinting to a particular individual, the website owner “can assemble a detailed picture of a person’s private life,” including that person’s political and religious affiliations, said the complaint. Sanchez alleges that when she visited Marriott.com, the website’s code caused its tracking beacon to be installed on her browser, it said. Marriott and the beacon’s developer then used the beacon to collect the California resident’s IP address, it said. Marriott and the beacon’s developer also used the information collected to analyze website data and marketing campaigns, conduct targeted advertising, and ultimately boost Marriott’s revenue, it said. Sanchez didn’t give Marriott her prior consent to install or use the tracking beacon on her browser, nor did Marriott obtain a court order before installing or using the beacon, it said. Sanchez therefore has had her privacy invaded by Marriott’s violations of Section 638.51(a) of the California penal code, said the complaint. Marriott denies all of Sanchez’s alleged claims, any wrongdoing and that Sanchez is entitled to any relief, said its notice of removal.
The Judicial Panel on Multidistrict Litigation transferred 18 tagalong actions to U.S. District Court for Northern Texas in Dallas in In Re: AT&T Customer Data Security Breach Litigation, said conditional transfer order 1 (CTO-1) (docket 3114) Wednesday. All the actions have been assigned to U.S. District Judge Ada Brown. The order is stayed for seven days to allow any party to file a notice of opposition with the clerk, it said. The 18 cases include five from three California district courts, and four from Northern Illinois, one from Western Missouri and three from Eastern Texas district courts. Also in the CTO are five class actions from U.S. District Court for Northern Georgia, including Unruh et al v. AT&T Mobility, which had sought to have the MDL transferred to the Atlanta court (see 2405210050).