I don't often blanket repost other blogs that I see, however, in this instance, I think it is appropriate. Venkat, writing for Professor Goldman's blog, writes an excellent analysis of the recent ruling in the
In re: Easysaver Rewards Litigation (S.D. Cal. August 13, 2010). This is a very interesting case in that it covers several different, more traditional causes of action and analysis. I'm interested to see what ramification this case is going to have on SaaS law and privacy litigation. Here you go:
"Internet Rewards Program Class Action Survives Initial Motion to Dismiss -- In re Easysaver Rewards
[Post by Venkat]
In re: Easysaver Rewards Litigation (S.D. Cal.) (Aug. 13, 2010)
Plaintiffs brought a class action lawsuit against Provide-Commerce (which operated Pro.Flowers.com). The lawsuit alleged that effecting transactions on the Proflowers website resulted in plaintiffs being unwittingly enrolled in a rewards program and being charged credit card fees. The court denied the motion to dismiss brought by defendants.
Background: Provide operated ProFlowers.com. At the time of completion of transactions on ProFlowers, consumers were offered a chance to enroll in a "rewards program" which was operated for Provide by Encore Marketing. Plaintiffs alleged that they were "unwittingly" enrolled in the program:
Plaintiffs allege that Provide leads customers to believe they will receive a complimentary $15.00 gift code to use on their next flower order as a thank you gift. After Plaintiffs completed the purchase of flowers on Provide's website by providing their personal and payment information, 'a window popped up that thanked Plaintiffs and Class Members for their order and offered a gift code for $15.00 off their next purchase at ProFlowers. The window also contained a link for Plaintiffs and Class Members to click on to claim the gift code.' Plaintiffs contend the pop-up window is part of an intentionally misleading and deceptive scheme, jointly orchestrated by Provide and EMI.
The named plaintiffs all testified to slightly different experiences. Some closed the pop-up window and did not provide any personal information, others responded to the pop-up by clicking on "I accept" and entering their personal information. Ultimately, plaintiffs were unable to have the charges relating to the EasySaver program reversed, and brought a variety of claims against both Provide and Encore.
Discussion:
Breach of Contract Claims:
Provide first argued that the privacy policy is not "an actionable contract" but was instead a "general statement . . . of policy." The court doesn't treat this as a colorable argument, citing to the alleged user experience and plaintiffs' reliance on the privacy policy and terms of use, which popped up every step of the way. (But see In re JetBlue, discussed in Professor Goldman's post here: "When Does a Privacy Policy Breach Support a Breach of Contract Claim? In re JetBlue.")
Provide also argued that the applicable privacy policy allowed it to transfer information to third parties, but the court holds that there is a disputed factual issue as to whether Provide agreed to only transfer the information with consumers' "informed consent or authorization," and would not share the information "beyond that which was necessary to complete the flower order."
Finally, Provide argued that the "EasySaver Rewards Policy" was not supported by an exchange of consideration, since it only came up after the flower transaction was complete. The court rejects this argument as well, finding that the rewards program was "part and parcel of the underlying flower purchase."
Provide also tried to disclaim liability for Encore's actions by arguing that it was not responsible for anything Encore did. The court cites to language in the description of the rewards program that indicates the program was jointly operated (the program was described as "our" program and Encore was described as Provide's "partner").
A separate sub-class of plaintiffs brought contract claims against Encore. These plaintiffs argued that they did not "knowingly" consent to the rewards program, and even if they did, Encore breached the terms of the program by not providing the stated benefits. Encore argued that these plaintiffs could not have it both ways - either they enrolled in the program (in which case plaintiffs accepted the terms were clearly stated) or they didn't. The court finds that plaintiffs could plead in the alternative that they did not enter into an agreement, and even if they did, Encore breached the terms of the agreement.
Fraud Claims: Provide raised a variety of arguments against plaintiffs' fraud claims (failure to plead fraud with particularity, failure to allege causation). The court rejects these arguments, holding that whether plaintiffs read the privacy policy or had adequate notice is not something that was amenable to resolution at the motion to dismiss stage.
Conversion: Plaintiffs argued that defendants converted plaintiffs' "private payment information." With respect to plaintiffs' conversation claim, the court notes the historical trend away from limiting conversation claims to tangible property (citing to Kremen v. Cohen, among other cases). The court analogizes conversion of plaintiff's "Private Payment Information" to conversion of bank account information, and finds that plaintiffs adequately state a claim based on conversion of private payment information.
EFTA: The Electronic Funds Transfer Act prohibits, among other things, unauthorized billing. Provide argued that it was Encore and not Provide who engaged in the unauthorized billing. The court agrees and grants Provide's motion to dismiss as to the EFTA claim, finding that there is no liability under the statute for aiding and abetting an EFTA violation. With respect to Encore, the court denies the motion to dismiss. Among other things, the court rejects Encore's argument that the plaintiffs agreed to the membership charges by "entering [their] email address[es] and zip code[s] and clicking the green acceptance button."
___
Defendants will have another opportunity to show that plaintiffs' claims are without merit, but I think the court's resolution at the pleading stage is interesting. A more robust disclaimer and a non-leaky acknowledgment would have no doubt been useful here. (See professor Goldman's post on Scherillo v. Dun and Bradstreet for some good pointers.)
The case also illustrates the importance of the transaction flow and process (the user experience). Often lawyers provide advice, but implementation is left to the business or marketing folks. This case illustrates that in addition to the language of the terms, courts will look to the transaction process to poke holes in the contract formation argument.
Data breach claims alleging a breach of the applicable privacy policy have met with little success. (See, e.g., Ruiz v. Gap, discussed in this post: "9th Circuit Affirms Rejection of Data Breach Claims Against Gap.") Where there is out of pocket loss that is a result of a violation of the privacy policy, plaintiffs have a much easier time bringing claims for violation of the privacy policy. In this case, defendants didn't even raise the argument that plaintiffs had not suffered out of pocket loss or lacked standing - it was a nonstarter.
It was also interesting that defendants tried to rely (and have judicial notice taken of) the online terms, but the court refused to do so, in light of the changing content of the webpages. When defendants pushed this argument, the court predictably trotted out the "[i]nformation from the internet does not necessarily bear an indicia of reliability" argument."
Another post that doesn't quite fit neatly into Indiana Internet litigation or privacy law, but that intrigues me. BusinessWeek, passing along a Tim Greene article from NetworkWorld (found here: www.networkworld.com/nwlookup.jsp), is reporting that the U.S. military has issued an essay in which it urges its expertise in defense be put to use in protecting civilian networked infrastructure, such as power grids, financial institutions, etc. The essay from Foreign Affairs sets out the concept that our military networks are probed and scanned by outside sources millions of time a day by enemies looking for weakness and access. The Pentagon fears that the civilian cyberstructure could also be at risk from cyber-terrorism and that the U.S. military can help by using its tools to protect those necessary networks. 
Today is an exciting day for Indianapolis with the establishment of a brand new local eatery called "Pure" located in Fountain Square at 1043 Virginia Avenue. 
Your friendly neighborhood technology counsel here: As you likely know, my goal is to become THE Indiana technology lawyer; however, technology is not my only area of interest. Like many of the folks at Alerding Castor Hewitt, technology law is a passion, but we all strive to be a full service law firm for all businesses. Thus, in addition to tech stuff, I also litigate matters for several banking and business clients. And, as any good lawyer does, when I see changes in the law that may impact my clients, I want to shout it from the rooftops. One such change that, to date, has gone largely unheralded is an amendment passed to the Indiana "Get Hope. Get Help" statute (Ind. Code 32-30-10.5-8). 
Given the firm's technology legal counsel and software litigation practice, it only makes sense that the firm would support the prestigious 2010 Techpoint MIRA Awards Gala taking place on Saturday, May 15th, 2010. It makes for a positive synergy between the two groups.
Powered by Compendium Blogware