Justia Internet Law Opinion Summaries

California enacted a law aimed at addressing concerns about minors’ addiction to social media by regulating how internet platforms provide personalized content to users under 18. The law restricts minors’ access to algorithmic feeds without parental consent, imposes default settings such as hiding like counts and requiring private accounts, and mandates future age-verification procedures. NetChoice, a trade association representing major internet companies, challenged the law on First Amendment grounds, arguing it unconstitutionally restricts both platforms’ and users’ speech, and that some provisions are unconstitutionally vague.The United States District Court for the Northern District of California granted a preliminary injunction against two provisions not at issue in this appeal, but otherwise denied NetChoice’s request for broader injunctive relief. The district court found that NetChoice lacked associational standing to challenge the personalized-feed restrictions as applied to its members, that the age-verification requirements were not ripe for review, and that the default settings provisions (including the like-count and private-mode requirements) were constitutional. The court also rejected NetChoice’s vagueness arguments and found that any unconstitutional provisions could be severed from the Act.On appeal, the United States Court of Appeals for the Ninth Circuit affirmed most of the district court’s rulings. The Ninth Circuit agreed that NetChoice lacked associational standing for as-applied challenges to the personalized-feed provisions and that the age-verification requirements were unripe. The court held that the private-mode default setting survived intermediate scrutiny, but found that the like-count default setting was a content-based restriction on speech and failed strict scrutiny. The court determined that the like-count provision was severable and ordered the district court to enjoin its enforcement, while affirming the denial of injunctive relief as to the other challenged provisions. View "NETCHOICE, LLC V. BONTA" on Justia Law

Capstone Studios Corp., a copyright holder, sought to identify 29 subscribers of CoxCom LLC, an Internet service provider, whose IP addresses were allegedly used to share pirated copies of Capstone’s movie via the BitTorrent peer-to-peer protocol. Capstone petitioned the clerk of the United States District Court for the District of Hawaii to issue a subpoena under § 512(h) of the Digital Millennium Copyright Act (DMCA) to compel Cox to disclose the subscribers’ identities. Cox notified its subscribers, and one, identified as “John Doe,” objected, claiming he had not downloaded the movie and that his Wi-Fi had been unsecured.A magistrate judge treated John Doe’s letter as a motion to quash the subpoena. The magistrate judge found that Cox’s involvement was limited to providing Internet access, qualifying it for the safe harbor under 17 U.S.C. § 512(a), which covers service providers acting solely as conduits for data transmission. The magistrate judge concluded that, as a matter of law, a § 512(h) subpoena cannot issue to a § 512(a) service provider. The district court adopted these findings and quashed the subpoena. Capstone’s motion for reconsideration was denied, and Capstone appealed.The United States Court of Appeals for the Ninth Circuit reviewed the case. It held that the DMCA does not permit a § 512(h) subpoena to issue to a service provider whose role is limited to that described in § 512(a), because such providers cannot remove or disable access to infringing content and thus cannot receive a valid notification under § 512(c)(3)(A), which is a prerequisite for a § 512(h) subpoena. The court also found no clear error in the district court’s factual finding that Cox acted only as a § 512(a) service provider. The Ninth Circuit affirmed the district court’s order quashing the subpoena. View "In re Subpoena Internet Subscribers of Cox Communications, LLC" on Justia Law

A data breach occurred at Wawa convenience stores, affecting customers' payment information. Wawa discovered the breach in December 2019 and contained it within days. The breach led to a class action lawsuit filed in the U.S. District Court for the Eastern District of Pennsylvania, consolidating 15 actions into three tracks: financial institution, employee, and consumer. The consumer track, which is the focus of this case, alleged negligence, breach of implied contract, and violations of state consumer protection laws, seeking both damages and injunctive relief.The District Court preliminarily approved a settlement that included compensation through Wawa gift cards and cash for out-of-pocket losses, as well as injunctive relief to improve Wawa's data security. Class member Theodore Frank objected, arguing that the settlement's attorney's fees were excessive and that the settlement included a clear sailing agreement and a fee reversion clause. The District Court approved the settlement and the attorney's fees, but Frank appealed.The United States Court of Appeals for the Third Circuit vacated the fee award and remanded the case, instructing the District Court to scrutinize the reasonableness of the attorney's fees and the presence of any side agreements. On remand, the District Court found no clear sailing agreement or collusion and determined that the fee reversion was unintentional. The court reaffirmed the attorney's fee award based on the funds made available to the class, considering the benefits provided, including the injunctive relief.The Third Circuit reviewed the District Court's findings and affirmed the judgment, holding that the attorney's fee award was reasonable and that the settlement process was free of collusion or improper side agreements. The court emphasized the meaningful benefits provided to the class members and the appropriateness of the fee award based on the amount made available rather than the amount claimed. View "In re: Wawa, Inc. Data Security Litigation" on Justia Law

In 2016, an anonymous user uploaded child pornography images to Chatstep, an internet chatroom service. Chatstep identified and reported the uploads to the National Center for Missing & Exploited Children (NCMEC) using Microsoft’s PhotoDNA. The Bernalillo County Sheriff’s Office (BCSO) in New Mexico traced the IP address to Guy Rosenschein and obtained a warrant to search his home, uncovering approximately 21,000 images and videos of child pornography. Rosenschein was indicted on charges of possession and distribution of child pornography.The United States District Court for the District of New Mexico denied Rosenschein’s pre-trial motions to suppress evidence, dismiss the case, or compel discovery of the computer programs used by Microsoft and NCMEC. Rosenschein pleaded guilty to one count of possession and seven counts of distribution of child pornography, reserving his right to appeal the denial of his motions.The United States Court of Appeals for the Tenth Circuit reviewed the case and affirmed the district court’s denial of all three motions. The court held that Chatstep and Microsoft were not acting as governmental agents, so the Fourth Amendment did not apply to their conduct. Even if they were considered governmental agents, Rosenschein had no reasonable expectation of privacy in the images he uploaded to a public chatroom. The court also found no abuse of discretion in the district court’s denial of Rosenschein’s motion to compel discovery of NCMEC’s reporting system, since he had the opportunity to access the information through witness examination. Lastly, the court upheld the district court’s refusal to require expert reports for the government’s witnesses before the suppression hearing, since Rule 16(a)(1)(G) does not apply to suppression hearings. View "U.S. v. Rosenschein" on Justia Law

A recently enacted Mississippi statute, House Bill 1126, aims to protect minors from harmful online material by requiring digital service providers (DSPs) to verify users' ages, obtain parental consent for minors, limit data collection, and implement strategies to mitigate harmful content exposure. NetChoice, L.L.C., a trade association for internet-focused companies, challenged the statute's constitutionality under the First and Fourteenth Amendments and sought a preliminary injunction to prevent its enforcement.The United States District Court for the Southern District of Mississippi granted the preliminary injunction, finding that NetChoice was likely to succeed on its claims that the statute was unconstitutional. The court determined that NetChoice had associational standing to bring the suit on behalf of its members and that the statute imposed significant regulatory burdens that could cause financial harm. The Attorney General of Mississippi appealed, arguing that the district court erred in its findings and failed to perform the necessary facial analysis as mandated by the Supreme Court in Moody v. NetChoice, LLC.The United States Court of Appeals for the Fifth Circuit reviewed the case and found that the district court did not conduct the required two-step analysis outlined in Moody. This analysis involves defining the law's scope and determining which applications violate the First Amendment. The Fifth Circuit noted that the district court did not fully assess the range of activities and actors regulated by the statute or the specific regulatory burdens imposed on different DSPs. Consequently, the court vacated the preliminary injunction and remanded the case to the district court for further factual analysis consistent with the Supreme Court's opinion in Moody and Fifth Circuit precedent. View "NetChoice v. Fitch" on Justia Law

Michael Salazar filed a class action lawsuit against Paramount Global, alleging a violation of the Video Privacy Protection Act (VPPA). Salazar claimed that he subscribed to a 247Sports e-newsletter and watched videos on 247Sports.com while logged into his Facebook account. He alleged that Paramount had installed Facebook’s tracking Pixel on 247Sports.com, which enabled Paramount to track and disclose his video viewing history to Facebook without his consent.The United States District Court for the Middle District of Tennessee dismissed Salazar’s complaint. The court found that Salazar had standing because the alleged disclosure of his video viewing history to Facebook constituted a concrete injury. However, the court dismissed the complaint for failure to state a claim under the VPPA, concluding that Salazar was not a “consumer” under the Act. The court reasoned that Salazar’s subscription to the 247Sports e-newsletter did not qualify him as a “consumer” because the newsletter was not “audio visual materials.”The United States Court of Appeals for the Sixth Circuit reviewed the case and affirmed the district court’s decision. The Sixth Circuit agreed that Salazar had standing but held that he did not plausibly allege that he was a “consumer” under the VPPA. The court interpreted the term “goods or services” in the context of the VPPA to mean audio-visual materials, and since Salazar’s newsletter subscription did not involve audio-visual materials, he was not a “consumer” under the Act. The court also found that the district court did not abuse its discretion in dismissing the complaint with prejudice, as Salazar had not filed a formal motion to amend his complaint. View "Salazar v. Paramount Global" on Justia Law

Paige Thompson committed a significant data breach, hacking into Amazon Web Services (AWS) customers' accounts, stealing data from at least 30 entities, and causing tens of millions of dollars in damage. She also used the stolen credentials to mine cryptocurrency, further increasing the financial impact on the victims. Thompson was arrested after she revealed her activities to a cybersecurity professional, leading to an FBI investigation.The United States District Court for the Western District of Washington calculated Thompson's sentencing range under the Federal Sentencing Guidelines to be 168 to 210 months of imprisonment. However, the court granted a substantial downward variance, sentencing her to time served (approximately 100 days) and five years of probation. The court emphasized Thompson's personal history, including her transgender identity, autism, and past trauma, as significant factors in its decision.The United States Court of Appeals for the Ninth Circuit reviewed the case and found that the district court overemphasized Thompson's personal story and failed to properly weigh several of the 18 U.S.C. § 3553(a) factors. The appellate court held that the district court's findings regarding Thompson's lack of malicious intent, her remorse, and the seriousness of her actions were clearly erroneous and not supported by the record. The Ninth Circuit also noted that the district court did not adequately consider the need for general and specific deterrence or the risk of unwarranted sentencing disparities.The Ninth Circuit vacated Thompson's sentence and remanded the case for resentencing, instructing the district court to properly weigh all relevant factors and provide a more substantial justification for any variance from the Guidelines. View "USA V. THOMPSON" on Justia Law

Joseph Sullivan, the former Chief Security Officer for Uber Technologies, was convicted of obstruction of justice and misprision of a felony. The case arose from Sullivan's efforts to cover up a significant data breach at Uber while the company was under investigation by the Federal Trade Commission (FTC) for its data security practices. The breach involved hackers accessing and downloading sensitive information from Uber's servers. Sullivan and his team tracked down the hackers and had them sign a non-disclosure agreement (NDA) in exchange for a payment, recharacterizing the hack as part of Uber's Bug Bounty Program.The United States District Court for the Northern District of California presided over the trial, where a jury found Sullivan guilty. Sullivan appealed, challenging the jury instructions, the sufficiency of the evidence, and an evidentiary ruling. He argued that the district court erred in rejecting his proposed jury instructions regarding the "nexus" requirement for the obstruction charge and the "duty to disclose" instruction. He also contended that the evidence was insufficient to support his misprision conviction and that the court improperly admitted a guilty plea agreement signed by one of the hackers.The United States Court of Appeals for the Ninth Circuit reviewed the case and affirmed the district court's decisions. The court held that Ninth Circuit precedent foreclosed Sullivan's argument regarding the "nexus" instruction and that the district court did not err in rejecting it. The court also found that the omission of the "duty to disclose" instruction was proper, as the theories of liability under Section 1505 and Section 2(b) were conjunctive. The court concluded that the evidence was sufficient to support Sullivan's misprision conviction and that the district court did not abuse its discretion in admitting the hacker's guilty plea agreement. The Ninth Circuit affirmed Sullivan's conviction. View "USA V. SULLIVAN" on Justia Law

A cyberattack on California Pizza Kitchen, Inc. (CPK) in September 2021 compromised the personal information of over 100,000 former and current employees. This led to multiple class action lawsuits against CPK, alleging negligence and other claims. The consolidated plaintiffs reached a settlement with CPK, offering cash payments and credit monitoring services to class members, with CPK required to make payments only to those who submitted valid claims. The settlement's monetary value was estimated at around $950,000, while the attorneys sought $800,000 in fees.The United States District Court for the Central District of California approved the settlement but reserved judgment on the attorneys' fees until after the claims process concluded. The consolidated plaintiffs reported a final claims rate of 1.8%, with the maximum monetary value of the claims being around $950,000. Despite expressing concerns about the scope of attorneys' fees, the district court ultimately awarded the full $800,000 in fees and costs.The United States Court of Appeals for the Ninth Circuit reviewed the case and affirmed the district court's approval of the class settlement, finding that the district court had properly applied the heightened standard to review the settlement for collusion and had not abused its discretion in finding the settlement fair, reasonable, and adequate. However, the Ninth Circuit reversed the fee award, noting that the district court had not adequately assessed the actual value of the settlement and compared it to the fees requested. The case was remanded for the district court to determine the settlement's actual value to class members and award reasonable and proportionate attorneys' fees. View "IN RE: CALIFORNIA PIZZA KITCHEN DATA BREACH LITIGATION" on Justia Law

An underage user of the Grindr application, John Doe, filed a lawsuit against Grindr Inc. and Grindr LLC, alleging that the app facilitated his sexual exploitation by adult men. Doe claimed that Grindr's design and operation allowed him to be matched with adults despite being a minor, leading to his rape by four men, three of whom were later convicted. Doe's lawsuit included state law claims for defective design, defective manufacturing, negligence, failure to warn, and negligent misrepresentation, as well as a federal claim under the Trafficking Victims Protection Reauthorization Act (TVPRA).The United States District Court for the Central District of California dismissed Doe's claims, ruling that Section 230 of the Communications Decency Act (CDA) provided Grindr with immunity from liability for the state law claims. The court also found that Doe failed to state a plausible claim under the TVPRA, as he did not sufficiently allege that Grindr knowingly participated in or benefitted from sex trafficking.The United States Court of Appeals for the Ninth Circuit reviewed the case and affirmed the district court's dismissal. The Ninth Circuit held that Section 230 barred Doe's state law claims because they implicated Grindr's role as a publisher of third-party content. The court also agreed that Doe failed to state a plausible TVPRA claim, as he did not allege that Grindr had actual knowledge of or actively participated in sex trafficking. Consequently, Doe could not invoke the statutory exception to Section 230 immunity under the Allow States and Victims to Fight Online Sex Trafficking Act of 2018. The Ninth Circuit affirmed the district court's dismissal of Doe's claims in their entirety. View "DOE V. GRINDR INC." on Justia Law