The National Association of Attorneys General requested “immediate action” from Facebook and Instagram for the “dramatic increase in user account takeovers and lockouts” on the social media platforms, said their Tuesday letter to Meta Platforms Chief Legal Officer Jennifer Newstead. The letter came on the same day both platforms experienced disruptions when users weren’t able to log in to their accounts for over two hours. Meta issued a cursory tweet on X Tuesday acknowledging the outage but not giving a reason for it: “We know some people were having trouble accessing our apps earlier. Apologies for any inconvenience this may have caused, and thank you for your patience while our teams worked quickly to resolve!” The Tuesday letter, signed by 41 AGs, cited a “dramatic and persistent spike in complaints in recent years concerning account takeovers that is not only alarming for our constituents but also a substantial drain on our office resources.” In account takeovers, threat actors compromise Facebook and Instagram user accounts and change passwords so the rightful owner can’t access the account, the AGs said. The hackers can then “usurp personal information, read private messages, scam contacts, post publicly, and take other nefarious actions,” the letter said. There’s risk of financial harm to those users who use Facebook Marketplace for their business and those who have credit cards tied to their accounts, it said, referencing complaints of hackers “fraudulently charging thousands of dollars to stored credit cards.” In 2019, the New York Attorney General’s office received 73 account takeover complaints on Meta platforms; the number rose to 783 last year, and in January alone, the office received 128 complaints, it said. “While we may not be completely certain of any connection, we note that the increase in complaints occurred around the same time Meta announced a massive layoff of around 11,000 employees in November 2022, which reportedly focused on the 'security and privacy and integrity sector,'” the letter said. The AGs urged Meta to “substantially increase its investment in account takeover mitigation tactics, as well as responding to users whose accounts were taken over.” The AGs “refuse to operate as the customer service representatives of your company,” it said, saying “proper investment in response and mitigation is mandatory." In addition, they requested materials on the number of account takeovers over the past five years; suspected causes of the increase in account takeovers; safeguards in place to prevent account takeovers; current policies and procedures related to Meta’s response to account takeovers; and staffing related to safeguarding the platforms against account takeovers and responding to complaints. A Meta spokesperson emailed Wednesday: "Scammers use every platform available to them and constantly adapt to evade enforcement. We invest heavily in our trained enforcement and review teams and have specialized detection tools to identify compromised accounts and other fraudulent activity." Meta regularly shares tips and tools people can use "to protect themselves, provide a means to report potential violations, work with law enforcement and take legal action," she said. AGs from Alabama, Alaska, Arizona, California, Colorado, Connecticut, Delaware, District of Columbia, Florida, Georgia, Hawaii, Illinois, Iowa, Kentucky, Louisiana, Maryland, Massachusetts, Michigan, Minnesota, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, New York, North Carolina, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, Vermont, Virginia, Washington, West Virginia, Wisconsin, and Wyoming signed the letter.

Dagyana Ortiz-Nieves and Alternative for Kids seek the dismissal without prejudice of their verified complaint against Liberty Mobile of Puerto Rico, said their notice Tuesday (docket 3:23-cv-01613) in U.S. District Court for Puerto Rico in San Juan. The Dec. 18 SIM swap complaint alleged that four Liberty employees accessed Ortiz-Nieves’ account without her authorization about 30 times between December 2020 and June 2022 and repeatedly failed to safeguard her personally identifiable information and customer proprietary network information (see 2312190061). Ortiz-Nieves is president of Alternative for Kids, a daycare center in Bayamon, Puerto Rico.

The 9th U.S. Circuit Court of Appeals is considering for an upcoming oral argument calendar in San Francisco in July or August the appeal of six Chrome users against Google, said a text-only docket entry Monday (docket 22-16993). The six plaintiff-appellants seek to reverse a December 2022 district court order granting summary judgment for Google in a class action that alleged Google improperly collects the personal information of users who opt not to sync their browsers to their Google accounts (see 2212290037).

Publishers Clearing House (PCH) seeks the dismissal of James Camoras’ Dec. 15 class action under Utah’s Notice of Intent to Sell Nonpublic Personal Information Act (NISNPIA) because the statute “explicitly forbids” class actions, said PCH’s motion Friday (docket 4:23-cv-00118) in U.S. District Court for Utah in St. George. Camoras bought a tripod and a book from PCH in December 2022 and February 2023, and he alleges that PCH didn’t notify him that it discloses customers' private purchase information to third parties (see 2312180014). Without Camoras’ class claims, the court doesn’t have jurisdiction over the plaintiff's individual claim, as it’s not sufficient to meet the amount in controversy required by statute, said PCH’s motion. He also has failed to allege the “essential elements” of a claim under NISNPIA, it said. Even if the court did have jurisdiction over this matter, the complaint fails to allege that PCH itself “maintains an office in Utah, which is a required element under NISNPIA,” it said. The complaint also fails to adequately allege that PCH disclosed Camoras’ nonpublic personal information to any third party, it said.

Jessica Carey, who sued Comcast and Citrix in January involving the cloud platform provider’s October data breach (see 2401030066), filed a notice of voluntary dismissal without prejudice Friday (docket 0:24-cv-60008) in U.S. District Court for Southern Florida in Fort Lauderdale. Carey’s negligence class action was one of a dozen named in a January motion before the Judicial Panel on Multidistrict Litigation for transfer to the Eastern District of Pennsylvania in Philadelphia for coordinated or consolidated pretrial proceedings (see 2401120011). Carey's negligence suit alleges she was required to give Comcast her personal information as a condition of receiving internet service, and she has since suffered emotional distress and lost time associated with mitigating the breach's impact.

The Feb. 27 decision in the Northern District of California in Massel v. Successfulmatch.com (docket 23-cv-02389) provides supplemental authority to support Indira Falcon’s opposition to TelevisaUnivision Digital’s motion to compel her claims to arbitration, said Falcon’s notice Friday (docket 8:23-cv-02340) in U.S. District Court for Middle Florida in Tampa. Falcon’s class action alleges TelevisaUnivision knowingly violated the Video Privacy Protection Act by embedding the Meta Pixel tool on its website to track users’ video viewing history and then reporting that history to Facebook (see 2310170001). Falcon’s opposition contends that TelevisaUnivision failed to give her and her class members proper “inquiry notice” of its terms and arbitration provision. The judge in Massel found that because the defendant’s links to its terms didn’t appear in a contrasting color, the court must conclude that they weren’t reasonably conspicuous enough to put Massel on notice of the terms and that the plaintiff therefore can’t be said to have assented to them, said Falcon’s notice. “This conclusion is bolstered by the fact that other links on the signup page appear in all capital letters,” while the links to the service agreement and privacy policy are in “title case,” it said. These distinctions “may seem picayune,” but website operators “have ultimate control over their design decisions,” it said. Nothing requires them to present terms as “subtle hyperlinks” to separate pages instead of requiring users to scroll through the actual terms before signing up, it said.

Plaintiffs in two privacy lawsuits vs. Forward Bank voluntarily dismissed their cases without prejudice, said a notice (docket 3:23-cv-00844) Friday in U.S. District Court for Western Wisconsin in Madison. The negligence actions, bought by Matthew Hamilton and Ethan Rohland (docket 3:23-cv-00852), asserted Forward Bank handled their personally identifiable information in a reckless manner during a September data breach (see 2312110012).

Sellers International, the parent company of Quimbee, a website tailored to law students, seeks the dismissal of Isaac Shapiro’s Jan. 4 Video Privacy Protection Act class action for failure to state a claim on which relief may be granted, said its motion Thursday (docket 4:24-cv-00079) in U.S. District Court for Northern California in Oakland. Shapiro alleges Sellers knowingly disclosed his personally identifiable information (PII), including a record of case brief videos he watched on the Quimbee website, without his consent (see 2401110045). He alleges that Quimbee installed the HubSpot tracking code on its website, which tracks and records visitors’ private video consumption. But the plaintiff’s complaint “lacks crucial allegations” to bring a VPPA claim against Quimbee, said the defendant’s memorandum of points and authorities in support of its motion to dismiss. Shapiro fails to allege Quimbee is a videotape service provider under the VPPA, “or that an ordinary person would be able to glean video viewing history from the information allegedly shared with HubSpot,” it said. Quimbee also didn’t disclose any PII, as HubSpot “is merely the tool that Quimbee uses to collect information about Quimbee’s own customers, exclusively for Quimbee’s own use,” it said. If the VPPA is interpreted in the manner that Shapiro “advocates,” the VPPA violates due process and the First Amendment, it said. Shapiro’s California Invasion of Privacy Act claim also fails because Quimbee didn’t “aid or abet its software vendor,” and Shapiro has failed to allege that HubSpot violated the CIPA, it said.

HopSkipDrive should have known it was responsible for protecting plaintiff Tara McIntosh’s and class members' personal information, alleged McIntosh’s data breach negligence class action Thursday (docket 2:24-cv-01676) in U.S. District Court for Central California in Los Angeles. The ride-hailing service waited over three months after being notified of a May 31-June 10 data breach, discovered “one to two months afterward,” to notify McIntosh of the incident, said the complaint. The Spokane, Washington, resident received a letter from HopSkipDrive Nov. 14, notifying her that her personally identifiable information had been improperly accessed, it said.

Meta is violating the EU data protection law by requiring users to pay for ad-free service or consent to the use of their personal data, eight European consumer groups alleged Thursday. Meta didn't immediately comment. The groups, from the Czech Republic, Denmark, Greece, France, Norway, Slovakia, Slovenia and Spain, are European Consumer Organisation (BEUC) members. In complaints filed with their national data protection authorities (DPAs), they charged the tech giant with failing to comply with GDPR principles of fair processing, data minimization and purpose limitation. Moreover, they said Meta has no valid legal basis to justify the massive data sweep it carries out on Facebook and Instagram users because the choice it gives them can't lead to free and informed consent. "Meta has tried time and time again to justify the massive commercial surveillance it places its users under," said BEUC Deputy Director-General Ursula Pachl. "Its unfair 'pay-or-consent' choice is the company's latest effort to legalise its business model." In recent years several DPAs have tried to force Meta to change the legal basis for collecting and processing people's data, and the company's "last resort" is to obtain users' consent for those activities by offering them the choice to either pay to see a supposedly ad-free service or consent to the company's full commercial surveillance with ads, BEUC said. Asked why BEUC didn't file the complaint with the DPA in Ireland, where Meta is headquartered, a spokesperson said the organization wanted to involve national data protection authorities that can then take ownership of the issue when those authorities transfer the matter to the Irish authority. In addition, he said, BEUC wanted to involve its members because they know the procedural rules of their own DPAs and to maximize coverage of the issue to show that it affects all Europeans.