States Other Than CA and VA Consider Privacy Bills

The North Dakota legislature spikes two tech bills, one that would have regulated app stores and the other would have barred sales of personal data without consent.

With the recent enactment by ballot of the “California Privacy Rights Act” (aka Proposition 24) and the pending enactment of the “Consumer Data Privacy Act” in Virginia, other states are considering legislation to regulate privacy and other aspects of the technology industry’s businesses.

In North Dakota, an effort to take on Apple and Google’s 30% fees related to their application stores was defeated in the state Senate. Apparently, a lobbyist for the Epic Games and the Coalition for App Fairness drafted the initial bill and convinced a state Senator to introduce legislation and champion the issue. The Coalition for App Fairness, of which Epic Games is a member, “advocate[s] for enforcement and reforms, including legal and regulatory changes, to preserve consumer choice and a level playing field for app and game developers that rely on app stores and the most popular gatekeeper platforms” according to the press release announcing its establishment. And, of course, Epic Games is suing both Apple and Google in United States (U.S.) federal court over the 30% fee both companies take off the top of all in-app purchases, and so, this legislative push in a state is likely one of the strategies app developers will be pursuing. It is almost certain that similar legislation will crop up in other legislatures and maybe even in Congress.

SB 2333 would bar companies like Apple and Google from requiring application developers to use their application stores exclusively. Hence residents in North Dakota should be able to locate and download applications directly from developers or other non-Apple and non-Google sources. Apple, Google, and similarly situated companies could not mandate, as they presently do, that all in-application purchases must be conducted through their payment platforms. This provision would deny the companies their stranglehold on payments, which allows them to extract a 30% fee from such purchases. It was this very point that started the Epic Games litigation, for the company started offering Apple and Google platform users of its popular game Fortnite the option of buying directly from Epic Games at a price 30% lower than the one offered through the application stores. Apple and Google responded by kicking Epic Games out of their stores, sparking the current litigation. In this vein, an application store could not retaliate against companies that opt to use a separate payment system or block an application developer for the same. Developers could bring suit for violations asking to enjoin Apple and Google and asking for restitution, reasonable attorney’s fees, and other costs. SB 2333 would bar any contract or agreement contrary to this bill.

And yet, “special-purpose digital application distribution platforms” would be exempted from this bill. The definition provides examples of what these may be, including “a gaming console, music player, and other special-purpose devices connected to the internet.” These sound very much like Microsoft’s Xbox, Sony’s Play Station, Apple’s iPods, and Virtual Reality headsets like the Facebook-owned company, Oculus. Moreover, “digital application distribution platform for which cumulative gross receipts from sales on the digital application distribution platform to residents of this state” are less than $10 million a year are exempted. So, the bill seems to target Apple and Google.

Not surprisingly, Apple and Google fought against this bill. Apple’s Chief Privacy Engineer Erik Neuenschwander testified before a Senate committee that “Senate Bill 2333 threatens to destroy iPhone as you know it.” Not surprisingly, a representative of the Coalition for App Fairness argued “SB 2223 will benefit consumers and app developers in North Dakota by limiting the ability of dominant platforms to impose onerous and anticompetitive restrictions on app developers.” Nonetheless, the state Senate rejected a weakened version of SB 2333 by an 11-36 vote, killing the legislation.

Last fall, a federal court denied Epic Games’ request for a preliminary injunction requiring Apple to put Fortnite back into the App Store. The judge assigned the case had signaled this request would likely fail as its request for a temporary restraining order was also rejected. A May 2021 trial date has been set. The United States District Court for the Northern District of California summarized Epic’s motion:

In this motion for preliminary injunction, Epic Games asks the Court to force Apple to reinstate Fortnite to the Apple App Store, despite its acknowledged breach of its licensing agreements and operating guidelines, and to stop Apple from terminating its affiliates’ access to developer tools for other applications, including Unreal Engine, while Epic Games litigates its claims.

The court stated:

Epic Games bears the burden in asking for such extraordinary relief. Given the novelty and the magnitude of the issues, as well as the debate in both the academic community and society at large, the Court is unwilling to tilt the playing field in favor of one party or the other with an early ruling of likelihood of success on the merits. Epic Games has strong arguments regarding Apple’s exclusive distribution through the iOS App Store, and the in-app purchase (“IAP”) system through which Apple takes 30% of certain IAP payments. However, given the limited record, Epic Games has not sufficiently addressed Apple’s counter arguments. The equities, addressed in the temporary restraining order, remain the same.

The court held:

Apple and all persons in active concert or participation with Apple, are preliminarily enjoined from taking adverse action against the Epic Affiliates with respect to restricting, suspending or terminating the Epic Affiliates from the Apple’s Developer Program, on the basis that Epic Games enabled IAP direct processing in Fortnite through means other than the Apple IAP system, or on the basis of the steps Epic Games took to do so. This preliminary injunction shall remain in effect during the pendency of this litigation unless the Epic Affiliates breach: (1) any of their governing agreements with Apple, or (2) the operative App Store guidelines. This preliminary injunction supersedes the prior temporary restraining order.

In its complaint, Epic Games is arguing that Apple’s practices violate federal and California antitrust and anti-competition laws. Epic Games argued:

  • This case concerns Apple’s use of a series of anti-competitive restraints and monopolistic practices in markets for (i) the distribution of software applications (“apps”) to users of mobile computing devices like smartphones and tablets, and (ii) the processing of consumers’ payments for digital content used within iOS mobile apps(“in-app content”).
  • Apple imposes unreasonable and unlawful restraints to completely monopolize both markets and prevent software developers from reaching the over one billion users of its mobile devices (e.g., iPhone and iPad) unless they go through a single store controlled by Apple, the App Store, where Apple exacts an oppressive 30% tax on the sale of every app. Apple also requires software developers who wish to sell digital in-app content to those consumers to use a single payment processing option offered by Apple, In-App Purchase, which likewise carries a 30% tax.
  • In contrast, software developers can make their products available to users of an Apple personal computer (e.g., Mac or MacBook) in an open market, through a variety of stores or even through direct downloads from a developer’s website, with a variety of payment options and competitive processing fees that average 3%, a full ten times lower than the exorbitant 30% fees Apple applies to its mobile device in-app purchases.

In its late August denial of Epic Games’ request for a temporary restraining order, the court decided the plaintiff does not necessarily have an antitrust case strong enough to succeed on the merits, has not demonstrated irreparable harm because the “current predicament appears to be of its own making,” would unjustifiably be enriched if Fortnite is reinstated to the App Store without having to pay 30% of in app purchases to Apple, and is not operating in a public interest strong enough to overcome he expectation private parties will honor their contracts or resolve disputes through normal means.

Another North Dakota technology bill appears to have died in committee. The North Dakota House Industry, Business and Labor Committee voted not to pass HB 1330, a bill that would ban the sale of one’s personal data without opt-in consent. The penalties for doing so in violation of this proposed law are stiff and would depend entirely on private lawsuits with class actions being explicitly allowed. A company that violates this proscription would be liable for at least $10,000 and reasonable attorney’s fees while companies that knowingly violate the law would be facing at least $100,000 in damages, reasonable attorney’s fees, and punitive damages. As mentioned, the bill explicitly states class actions may be filed, which would likely result in massive cases arguing for millions of dollars in damages if a multinational were to knowingly violate this bill.

HB 1330 provides simple parameters to how entities may sell personal data:

A covered entity may not sell a user’s protected data to another person unless the user opts-in to allow the sale. To opt-in, the covered entity shall provide the user with the opportunity to affirmatively click or select approval of the sale. The user must be given the opportunity to opt-in to the sale of each type of protected data by individual selection. Protected data collected and sold by the covered entity must be described clearly in plain language to the user.

Given the bill does not include a definition of sell or sale, it is unclear if trading personal data or some other exchange short of money changing hands would qualify. If not, this considerable loophole would probably not stop companies like Facebook and Google from amassing massive troves of data, processing them, and then selling targeted advertising or other services based on the value of its data and profiles.

The definition of what is “personal data” is fairly expansive:

a user’s location; screen name; website address; interests; hometown; professional history; friends or followers; shopping habits; test scores; health conditions, insurance, or interests; internet browsing history; purchases or purchase history; the number of friends or followers of the user; socioeconomic status; religious affiliation; alcohol, tobacco, or drug usage; gambling habits; banking relationships; residence details; children’s information or household information; credit; banking and insurance policies; media usage; and relationship status.

And yet, some notable omissions include sexual orientation and political beliefs. Arguably, those types of information could be considered part of one’s “interests,” “internet browsing history” or “household information.” If a covered entity decided to make the case such information is outside the definition of “personal data,” then the collecting and selling of these data could continue without consent.

It bears note this bill does not give residents of North Dakota any control over whether data may be collected, processed, shared, or used. It merely bars the sale of certain data without opt-in consent.

It bears note that for whatever flaws this bill has, it uses an opt-in model whereas one currently enacted state privacy law and a pending privacy law do not. The California Privacy Rights Act (CPRA) would continue the right of California residents currently enjoy under the “California Consumer Privacy Act” (CCPA) (AB 375) to opt out of the sale of their personal data (see here for more analysis.). Likewise, Virginia’s the “Consumer Data Protection Act” (SB 1392/HB 2307) allows for the opting out of the sale of personal data (see here for more analysis.)

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2021. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

Image by dksecord from Pixabay

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s