By: Scott R. Wilson | Jeff Tsai | Vanessa Offutt | Noah Schottenstein

Missouri Attorney General Shuts Down Robocallers

Missouri Attorney General Bailey joined a coalition of seven states in shutting down a massive robocaller operation, involving John Caldwell Spiller II and his business partner Jakob Mears, the owners of Texas-based Rising Eagle Capital Group LLC and JSquared Telecom LLC, as well as Rising Eagle Capital Group-Cayman. The Attorneys General sued the defendants in June 2020 alleging violations of the federal Telephone Consumer Protection Act and the federal Telemarketing Sales Rule, as well as various state consumer protection laws. Mears and Spiller are now permanently banned from initiating or facilitating any robocalls, working in or with companies that make robocalls, and engaging in any telemarketing.

Learn more here: Attorney General Bailey Shuts Down Texas Robocallers (mo.gov)

 

By: Scott R. Wilson | Jeff Tsai | Noah Schottenstein | Vanessa Offutt

New York Attorney General Letitia James filed a lawsuit against cryptocurrency platform KuCoin for offering exchange services in New York without registering under New York or federal law.  The Attorney General alleges that many popular cryptocurrencies, including ETH, LUNA, and TerraUSD (UST) are both securities and commodities, and these cryptocurrencies are speculative assets because they rely on the efforts of third-party developers to provide profit to the holders.  Through the lawsuit, the Attorney General is seeking a court order to stop KuCoin from operating in New York, to require the implementation of geo-fencing technology to prevent access to KuCoin services from within New York, and to bar KuCoin from representing that it is an exchange.

Learn more here: Attorney General James Continues Crackdown on Unregistered Cryptocurrency Platforms

By: Scott R. Wilson | Noah Schottenstein | Vanessa Offutt

The New York Attorney General (NYAG) has brought a lawsuit against cryptocurrency platform CoinEx for allegedly failing to register as a securities and commodities broker-dealer and for falsely representing itself as a crypto exchange.  CoinEx is a Hong Kong-based virtual currency exchange platform that allows users to buy and sell virtual currencies, crypto options, and other crypto services and products, including staking services.

The NYAG’s lawsuit includes claims under the Martin Act, New York’s so-called blue sky anti-fraud law, Article 23-A of the General Business Law, as well as Section 63(12) of the Executive Law, which prohibits repeated and persistent fraud or illegality in the conduct of a business.  As we have previously noted, New York courts have held that virtual currencies fall within the scope of the Martin Act’s definition of a “commodity.”

The NYAG alleged that CoinEx violated these laws by acting as an unregistered securities and/or commodities broker-dealer, and also unlawfully misrepresented itself as a cryptocurrency exchange, despite not being registered as an exchange with the SEC, CFTC, or otherwise authorized to operate an exchange under New York law.  The NYAG stated that its investigation included (i) the creation of a CoinEx account and buying and selling cryptocurrencies with a New York based IP address, for which CoinEx charged fees, and (ii) ongoing tracking of whether CoinEx continued to offer services to New York based IP addresses.

The NYAG further noted that CoinEx failed to respond to a subpoena seeking testimony about its digital asset trading activities.  Under Section 353 of the General Business Law, the failure to respond to a Martin Act subpoena is “prima facie proof” that the respondent is engaged in fraudulent practices and may serve as the basis for the entry of a permanent injunction.  Accordingly, the NYAG is seeking permanent injunctive relief to prohibit CoinEx from offering its services to New Yorkers, as well as an accounting, disgorgement, and restitution with respect to all of the revenues obtained from allegedly illegal conduct in New York.

This action serves as a reminder that cryptocurrency remains an enforcement priority for the NYAG.  Persons operating in this sector should carefully consider federal securities and commodities registration laws, as well.

This article was first published on dlapiper.com

by: Andrew Serwin|Matt Dhaiti

On December 29, 2022, Indiana Attorney General Todd Rokita announced a settlement agreement with Google to resolve allegations that Google misrepresented how it collected and processed user location information. The settlement requires Google to update its location information practices to provide users more information and better allow users to make informed decisions about how they interact with Google’s location technologies, including by limiting or ending collection and retention.

The following day, then-DC Attorney General Karl Racine announced a similar settl ement agreement. In the two settlements, Google agreed to pay Indiana and the District of Columbia $29.5 million, collectively ($20 million and $9.5 million, respectively). These settlements follow similar settlements last year with 40 US state attorneys general and with Australian regulators.

The settlements highlight government expectations that companies obtain proper consents, including robust disclosures of data practices, for sensitive personal information such as location information.

Regulatory and litigation history

Google provides several apps and platforms that collect user location information, particularly from mobile devices, such as through Google Search and Google Maps. Google has used this information to support its business operations in several ways, including by disclosing user location information to other businesses, e.g., to learn how digital advertising can encourage people to visit brick-and-mortar stores. Following news reports in 2018, state attorneys general, including Attorneys General Rokita and Racine, alleged that Google collected location information from users without their consent, including by misleading users to falsely believe that certain settings limited location data collection.

These allegations included:

  • Deceiving consumers regarding their ability to protect their privacy through Google Account Settings
  • Misrepresenting and omitting material facts regarding the Location History and Web & App Activity Settings
  • Misrepresenting and/or omitting material facts regarding consumers’ ability to control their privacy through Google Account Settings
  • Misrepresenting and omitting material facts regarding the Google Ad Personalization Setting
  • Deceiving consumers regarding their ability to protect their privacy through device settings and
  • Deploying deceptive practices that undermine consumers’ ability to make informed choices about their data, including dark patterns.

Key takeaways

Pursuant to the settlements, in addition to the payments, the company must make prominent disclosures about its data practices prior to obtaining consent to collect location information, provide users with additional account controls, and introduce limits to its data use and retention practices. Certain aspects of the settlements deserve particular attention:

  • The settlement requires Google to issue notices to users who allow certain location tracking settings through Google services or devices, including via pop up notifications and email, that disclose whether their location information is being collected and provide instructions on how to limit collection and delete collected location information. Google is also required to notify users via email of any material changes in its privacy policy about the collection, use, and retention of user location information.
  • Google must establish and maintain a “location technologies” webpage that discloses Google’s location data policies and practices as well as how users can limit collection of, and delete collected, location information. Google must also provide a hyperlink to this webpage, in its privacy policy, in the account creation flow, and whenever users enable or are prompted to enable a location-related account setting while using a Google product.
  • The settlement requires Google to implement more specific language in a few places:
    • Settings webpage, about location information: “Location info is saved and used based on your settings. Learn more.”
    • Location technologies webpage, about ads: That users cannot prevent the use of location information in personalized ads across services and devices, based on user activity on Google services, including Google Search, YouTube, and websites and apps that partner with Google to show ads.
  • Google may only share a user’s precise location information with a third-party advertiser with that user’s express affirmative consent for use and sharing by that third party.
  • Google must conduct internal privacy impact assessments before implementing any material changes of how certain settings pages impact precise location information or how Google shares users’ precise location information related to such settings.

While there are many notable aspects to these settlements, it is also notable that this occurred as many states are beginning to implement new privacy laws and regulations, which include increased business obligations for the collection, use, and disclosure of sensitive personal information, such as location information.

See the Indiana AG and District of Columbia AG press releases here (IN) and here (DC).  Find out more about the implications of these developments by contacting either of the authors.

This article was first published on dlapiper.com

By:  Scott R. Wilson  |  Eric Forni  | Evan North

Earlier this week, authorities in eight states, among them the New York Attorney General, brought coordinated legal actions against crypto lending platform Nexo for allegedly failing to register with state regulators and defrauding investors.

Nexo’s web-based and mobile app platform allows users to buy and sell virtual currencies, as well as to earn interest on virtual currency deposits through its Earn Interest Product (EIP). Nexo uses clients’ EIP deposits to engage in revenue-producing activity such as lending.

Notably, the New York Attorney General (NYAG) alleged in a civil suit that Nexo offered and sold securities and commodities within the State of New York while failing to register as a securities or commodities broker-dealer as required by state law. The NYAG also alleged that Nexo gave investors the misleading impression that their investments are low-risk and that Nexo is fully licensed and in compliance with applicable law.

NYAG noted that Nexo’s website included assurances that “Nexo is compliant everywhere it provides services and retains top-tier legal counsels in the jurisdictions of its operation.” The suit also alleged that a Nexo co-founder described Nexo as “safer, especially for the larger clients, than your average bank” on a Yahoo Finance Live broadcast.

NYAG’s suit includes claims under the Martin Act, New York’s so-called blue sky anti-fraud law, Article 23-A of the General Business Law, as well as Section 63(12) of the Executive Law, which prohibits repeated and persistent fraud or illegality in the conduct of a business.  NYAG alleges that Nexo violated these laws by acting as an unregistered securities and/or commodities broker-dealer.  As we have previously noted, New York courts have held that virtual currencies fall within the scope of the Martin Act’s definition of a “commodity.”

The NYAG’s allegations suggest Nexo may have struggled to exclude New York customers from its platform, even after receiving a cease-and-desist letter from the state in October 2021 and committing to wind down its New York-based customer accounts.  In response to the letter, Nexo tweeted publicly, “it makes little sense to be receiving a C&D for something we are not offering in NY anyway.” The tweet noted, “We use IP-based geoblocking.” NYAG’s complaint alleges that data Nexo provided to state securities regulators in August 2022 revealed that Nexo still had thousands of active New York-based EIP accounts well into 2022.

Securities regulators for the states of California, Kentucky, Maryland, Oklahoma, South Carolina, Washington, and Vermont filed separate administrative actions against Nexo on the same day.  The states were part of a working group of state regulators that conducted a joint investigation into Nexo.

In a blog post, Nexo noted that it had already “ceased the onboarding of new US clients for our Earn Interest Product” following the SEC’s February 2022 settlement with BlockFi, another crypto lending platform.

These coordinated actions against Nexo serve as a reminder that cryptocurrency remains an enforcement priority for state AGs. The NYAG’s suit comes on the heels of investor alerts issued in June and August 2022 warning consumers about the risks of crypto investing and urging investors who believe they have been a victim of fraud and whistleblowers to contact NYAG.

Further, state AGs can share information and coordinate with federal authorities, including the SEC and the CFTC, which similarly are prioritizing cryptocurrency enforcement.  As a result, persons operating in this sector should carefully consider federal securities and commodities registration laws, as well, particularly if they are already on a state AG’s radar.

Learn more about the implications of these legal actions by contacting any of the authors.

By Jim Sullivan

Karl A. Racine, Attorney General of the District of Columbia, on Monday sued Meta CEO Mark Zuckerberg, accusing him of being personally responsible for decisions that enabled the Cambridge Analytica scandal, in which the personal data of over 87 million Facebook users was harvested without their consent.

The lawsuit argues that Zuckerberg was “personally aware” but “actively disregarded” the potential harms that could result from sharing consumers’ data with third-party apps.

The suit is the latest effort by Racine and other state Attorneys General to take a tougher line against tech companies over misleading privacy practices. It also makes clear that corporate leaders may face increasing personal liability for privacy violations. “This lawsuit is not only warranted, but necessary, and sends a message that corporate leaders, including CEOs, will be held accountable for their actions,” Racine said in a statement.

While it remains to be seen how this new lawsuit will play out, the claims against Zuckerberg serve as an important reminder that, especially when privacy and data protection pose business-critical risks, corporate executives must undertake good-faith efforts to ensure that reasonable data governance systems and controls and procedures are in place.

For more information on the suit, please visit this page.

This was originally posted on dlapiper.com.

This article first appeared on dlapiper.com.

By:  Kate Lucente   |  Lori Marsh  |  Lea Lurquin

In its most recent efforts to enforce the California Consumer Privacy Act (CCPA), the Office of California Attorney General Rob Bonta has announced an investigative sweep of businesses offering financial incentives to California residents (“Consumers”) in exchange for the collection, use, or sale of their personal information.

The AG’s Office, in a press release issued on January 28, 2022 (Data Privacy Day), stated that it had sent violation notices to major businesses in the retail, home improvement, travel and food services industries, which will have 30 days from receipt of a notice to cure any alleged CCPA violations, such as the failure to provide Consumers with adequate disclosures regarding financial incentives.

Under the CCPA, financial incentives may include commonly offered incentive programs, such as loyalty, rewards, benefit or membership programs related to the collection or sale of personal information. Continue Reading California Attorney General issues non-compliance notices regarding loyalty program requirements under the CCPA

DLA Piper Partner and former Delaware Attorney General Matt Denn interviews Iowa Attorney General Tom Miller, the new president of the National Association of Attorneys General. Matt and General Miller talk about General Miller’s priorities as the new head of the nation’s State AGs, and about General Miller’s perspective on current events as the longest serving Attorney General in US history.

This podcast can also be downloaded from iTunes and Spotify.

DLA Piper partner and former Delaware Attorney General Matt Denn interviews Pennsylvania Attorney General Josh Shapiro about challenges in his first term, his insight on running for office in a politically divided state and country, and how his work in public office will change under the new administration.

This podcast can also be downloaded from iTunes and Spotify.

By: Scott R. Wilson | Jeffrey L. HareJesse Medlong | Dante Alessandri

In a recent letter, the New York State Department of Financial Services (NYDFS) called on state-regulated financial institutions to integrate climate-related financial risks into their governance frameworks, risk management processes, and business strategies.

Investors increasingly view climate as an area of business risk, and this confirms regulators are beginning to view it as a supervisory risk as well. Incorporating climate change risk analysis can help financial institutions to better understand risks to their portfolios and clients, and to meet regulatory expectations. Now, with NYDFS announcing its “expectation” that institutions within its purview account for climate change in their risk assessments, New York has signaled a new approach in its efforts to combat climate change.

Learn more here.