This article was first published on dlapiper.com

By: Andrew Serwin | Matt Dhaiti

On December 29, 2022, Indiana Attorney General Todd Rokita announced a settlement agreement with Google to resolve allegations that Google misrepresented how it collected and processed user location information. The settlement requires Google to update its location information practices to provide users more information and better allow users to make informed decisions about how they interact with Google’s location technologies, including by limiting or ending collection and retention.

The following day, then-DC Attorney General Karl Racine announced a similar settlement agreement. In the two settlements, Google agreed to pay Indiana and the District of Columbia $29.5 million, collectively ($20 million and $9.5 million, respectively). These settlements follow similar settlements last year with 40 US state attorneys general and with Australian regulators.

The settlements highlight government expectations that companies obtain proper consents, including robust disclosures of data practices, for sensitive personal information such as location information.

Regulatory and litigation history

Google provides several apps and platforms that collect user location information, particularly from mobile devices, such as through Google Search and Google Maps. Google has used this information to support its business operations in several ways, including by disclosing user location information to other businesses, e.g., to learn how digital advertising can encourage people to visit brick-and-mortar stores. Following news reports in 2018, state attorneys general, including Attorneys General Rokita and Racine, alleged that Google collected location information from users without their consent, including by misleading users to falsely believe that certain settings limited location data collection.

These allegations included:

  • Deceiving consumers regarding their ability to protect their privacy through Google Account Settings
  • Misrepresenting and omitting material facts regarding the Location History and Web & App Activity Settings
  • Misrepresenting and/or omitting material facts regarding consumers’ ability to control their privacy through Google Account Settings
  • Misrepresenting and omitting material facts regarding the Google Ad Personalization Setting
  • Deceiving consumers regarding their ability to protect their privacy through device settings and
  • Deploying deceptive practices that undermine consumers’ ability to make informed choices about their data, including dark patterns.

Key takeaways

Pursuant to the settlements, in addition to the payments, the company must make prominent disclosures about its data practices prior to obtaining consent to collect location information, provide users with additional account controls, and introduce limits to its data use and retention practices. Certain aspects of the settlements deserve particular attention:

  • The settlement requires Google to issue notices to users who allow certain location tracking settings through Google services or devices, including via pop-up notifications and email, that disclose whether their location information is being collected and provide instructions on how to limit collection and delete collected location information. Google is also required to notify users via email of any material changes in its privacy policy about the collection, use, and retention of user location information.
  • Google must establish and maintain a “location technologies” webpage that discloses Google’s location data policies and practices as well as how users can limit collection of, and delete collected, location information. Google must also provide a hyperlink to this webpage in its privacy policy, in the account creation flow, and whenever users enable or are prompted to enable a location-related account setting while using a Google product.
  • The settlement requires Google to implement more specific language in a few places:
    • Settings webpage, about location information: “Location info is saved and used based on your settings. Learn more.”
    • Location technologies webpage, about ads: That users cannot prevent the use of location information in personalized ads across services and devices, based on user activity on Google services, including Google Search, YouTube, and websites and apps that partner with Google to show ads.
  • Google may only share a user’s precise location information with a third-party advertiser with that user’s express affirmative consent for use and sharing by that third party.
  • Google must conduct internal privacy impact assessments before implementing any material changes to how certain settings pages impact precise location information or how Google shares users’ precise location information related to such settings.

While there are many notable aspects to these settlements, it is also notable that they come as many states are beginning to implement new privacy laws and regulations, which include increased business obligations for the collection, use, and disclosure of sensitive personal information, such as location information.

See the Indiana AG and District of Columbia AG press releases here (IN) and here (DC).  Find out more about the implications of these developments by contacting either of the authors.

This article was first published on dlapiper.com

By:  Scott R. Wilson  |  Eric Forni  | Evan North

Earlier this week, authorities in eight states, among them the New York Attorney General, brought coordinated legal actions against crypto lending platform Nexo for allegedly failing to register with state regulators and defrauding investors.

Nexo’s web-based and mobile app platform allows users to buy and sell virtual currencies, as well as to earn interest on virtual currency deposits through its Earn Interest Product (EIP). Nexo uses clients’ EIP deposits to engage in revenue-producing activity such as lending.

Notably, the New York Attorney General (NYAG) alleged in a civil suit that Nexo offered and sold securities and commodities within the State of New York while failing to register as a securities or commodities broker-dealer as required by state law. The NYAG also alleged that Nexo gave investors the misleading impression that their investments are low-risk and that Nexo is fully licensed and in compliance with applicable law.

NYAG noted that Nexo’s website included assurances that “Nexo is compliant everywhere it provides services and retains top-tier legal counsels in the jurisdictions of its operation.” The suit also alleged that a Nexo co-founder described Nexo as “safer, especially for the larger clients, than your average bank” on a Yahoo Finance Live broadcast.

NYAG’s suit includes claims under the Martin Act, New York’s so-called blue sky anti-fraud law, Article 23-A of the General Business Law, as well as Section 63(12) of the Executive Law, which prohibits repeated and persistent fraud or illegality in the conduct of a business.  NYAG alleges that Nexo violated these laws by acting as an unregistered securities and/or commodities broker-dealer.  As we have previously noted, New York courts have held that virtual currencies fall within the scope of the Martin Act’s definition of a “commodity.”

The NYAG’s allegations suggest Nexo may have struggled to exclude New York customers from its platform, even after receiving a cease-and-desist letter from the state in October 2021 and committing to wind down its New York-based customer accounts.  In response to the letter, Nexo tweeted publicly, “it makes little sense to be receiving a C&D for something we are not offering in NY anyway.” The tweet noted, “We use IP-based geoblocking.” NYAG’s complaint alleges that data Nexo provided to state securities regulators in August 2022 revealed that Nexo still had thousands of active New York-based EIP accounts well into 2022.

Securities regulators for the states of California, Kentucky, Maryland, Oklahoma, South Carolina, Washington, and Vermont filed separate administrative actions against Nexo on the same day.  The states were part of a working group of state regulators that conducted a joint investigation into Nexo.

In a blog post, Nexo noted that it had already “ceased the onboarding of new US clients for our Earn Interest Product” following the SEC’s February 2022 settlement with BlockFi, another crypto lending platform.

These coordinated actions against Nexo serve as a reminder that cryptocurrency remains an enforcement priority for state AGs. The NYAG’s suit comes on the heels of investor alerts issued in June and August 2022 warning consumers about the risks of crypto investing and urging whistleblowers and investors who believe they have been victims of fraud to contact NYAG.

Further, state AGs can share information and coordinate with federal authorities, including the SEC and the CFTC, which similarly are prioritizing cryptocurrency enforcement.  As a result, persons operating in this sector should carefully consider federal securities and commodities registration laws, as well, particularly if they are already on a state AG’s radar.

Learn more about the implications of these legal actions by contacting any of the authors.

By Jim Sullivan

Karl A. Racine, Attorney General of the District of Columbia, on Monday sued Meta CEO Mark Zuckerberg, accusing him of being personally responsible for decisions that enabled the Cambridge Analytica scandal, in which the personal data of over 87 million Facebook users was harvested without their consent.

The lawsuit argues that Zuckerberg was “personally aware” but “actively disregarded” the potential harms that could result from sharing consumers’ data with third-party apps.

The suit is the latest effort by Racine and other state Attorneys General to take a tougher line against tech companies over misleading privacy practices. It also makes clear that corporate leaders may face increasing personal liability for privacy violations. “This lawsuit is not only warranted, but necessary, and sends a message that corporate leaders, including CEOs, will be held accountable for their actions,” Racine said in a statement.

While it remains to be seen how this new lawsuit will play out, the claims against Zuckerberg serve as an important reminder that, especially when privacy and data protection pose business-critical risks, corporate executives must undertake good-faith efforts to ensure that reasonable data governance systems and controls and procedures are in place.

For more information on the suit, please visit this page.

This was originally posted on dlapiper.com.

This article first appeared on dlapiper.com.

By:  Kate Lucente   |  Lori Marsh  |  Lea Lurquin

In its most recent efforts to enforce the California Consumer Privacy Act (CCPA), the Office of California Attorney General Rob Bonta has announced an investigative sweep of businesses offering financial incentives to California residents (“Consumers”) in exchange for the collection, use, or sale of their personal information.

The AG’s Office, in a press release issued on January 28, 2022 (Data Privacy Day), stated that it had sent violation notices to major businesses in the retail, home improvement, travel and food services industries, which will have 30 days from receipt of a notice to cure any alleged CCPA violations, such as the failure to provide Consumers with adequate disclosures regarding financial incentives.

Under the CCPA, financial incentives may include commonly offered incentive programs, such as loyalty, rewards, benefit or membership programs related to the collection or sale of personal information.

DLA Piper Partner and former Delaware Attorney General Matt Denn interviews Iowa Attorney General Tom Miller, the new president of the National Association of Attorneys General. Matt and General Miller talk about General Miller’s priorities as the new head of the nation’s State AGs, and about General Miller’s perspective on current events as the longest serving Attorney General in US history.

This podcast can also be downloaded from iTunes and Spotify.

DLA Piper partner and former Delaware Attorney General Matt Denn interviews Pennsylvania Attorney General Josh Shapiro about challenges in his first term, his insight on running for office in a politically divided state and country, and how his work in public office will change under the new administration.

This podcast can also be downloaded from iTunes and Spotify.

By: Scott R. Wilson | Jeffrey L. Hare | Jesse Medlong | Dante Alessandri

In a recent letter, the New York State Department of Financial Services (NYDFS) called on state-regulated financial institutions to integrate climate-related financial risks into their governance frameworks, risk management processes, and business strategies.

Investors increasingly view climate as an area of business risk, and the letter confirms that regulators are beginning to view it as a supervisory risk as well. Incorporating climate change risk analysis can help financial institutions to better understand risks to their portfolios and clients, and to meet regulatory expectations. Now, with NYDFS announcing its “expectation” that institutions within its purview account for climate change in their risk assessments, New York has signaled a new approach in its efforts to combat climate change.

Learn more here.

DLA Piper partner and former Delaware Attorney General Matt Denn interviews Montana Attorney General Tim Fox about his work in public office and his role as the President of the National Association of Attorneys General, including his initiative for transformational leadership and civility.


by Scott R. Wilson, Peter Karanjia, Jessica Masella and Michael Fluhr

A recent decision by the state appellate court in Manhattan in the New York AG’s long-running investigation into the virtual currency “tether” reaffirms the strength and breadth of the office’s investigative powers under New York’s Martin Act.

The Martin Act, New York’s so-called “blue sky” anti-fraud law, Article 23-A of the General Business Law (“GBL”), has long been one of the most powerful tools in the New York AG’s arsenal. It prohibits, inter alia, fraud in connection with the offer, sale or purchase of securities and commodities within or from New York. High-profile enforcement actions under the Martin Act earned a former New York AG the sobriquet “the Sheriff of Wall Street” in the early 2000s. In the post financial crisis era, the Martin Act was deployed in connection with the federal-state Residential Mortgage Backed Securities (RMBS) Working Group, co-chaired by the New York AG. However, in 2018, during her campaign for office, Attorney General Letitia James told the New York Times, “It’s really critically important that I not be known as the ‘Sheriff on Wall Street,’” in recognition of the variety of important issues deserving of the office’s attention. She observed at the time, “The attorney general cannot be a one-trick pony. I will be laser-focused on taking on Wall Street abuses—I don’t need a moniker for that.”

The July 9, 2020 decision by the First Department, Appellate Division, in In re Letitia James v. iFinex Inc. reflects the New York AG’s focus not only on policing traditional Wall Street players like banks, but also on finding novel and aggressive ways to wield Martin Act authority in the FinTech sector.

The New York AG is conducting an investigation concerning representations about the cash reserves backing tether, currently the most traded “stablecoin” currency, and the relationship between the companies that issue tether and their corporate affiliate Bitfinex, a virtual currency trading platform. Stablecoins are cryptocurrencies designed to experience less price volatility than other cryptocurrencies, such as bitcoin, by being pegged to the value of some “stable” asset, such as the US dollar or a precious metal. According to the New York AG, Bitfinex transferred over $850 million in co-mingled client and corporate funds to a Panamanian entity that may have lost or absconded with the funds. To handle customer withdrawals, Bitfinex allegedly swapped these missing deposits for the cash reserves backing tether. In April 2019, the New York AG obtained an order pursuant to Section 354 of the GBL requiring the entities that operate the Bitfinex platform and issue tether to produce documents and testimony under oath in connection with the office’s investigation. On appeal, the respondents challenged the New York AG’s authority to conduct its investigation for lack of personal and subject matter jurisdiction.

In rejecting the appeal, the First Department’s decision underscored the New York AG’s broad authority to investigate securities and commodities fraud under the Martin Act, and held that virtual currencies like tether are commodities within the scope of the statute.

First, noting that the Martin Act prohibits fraud in connection with the offer or sale of commodities “within or from” New York (Section 352 of the GBL), the Court found that the New York AG had multiple bases for exercising its investigative jurisdiction, even though the respondents are incorporated abroad. These included that, within the six-year lookback period under the applicable statute of limitations: New York-based customers were permitted to trade tether on the Bitfinex platform; one of respondents’ executives had resided in and conducted business from New York; and the entities had used bank accounts in New York. (Order at 10-12.) The Court also observed that it was not improper for the New York AG to use a Section 354 order to develop evidence that a company under investigation is in fact doing business in New York. (Id. at 13.) Finally, the Court noted the New York AG can establish personal jurisdiction necessary to exercise its investigative authority by “a far lighter showing” than is required to bring a lawsuit. (Id. at 13.)

Second, summarily rejecting the argument that tether does not fall within the scope of the Martin Act, the Court found that the virtual currency is “easily encompassed” by the statute’s definition of “commodity” and therefore is within the New York AG’s subject matter jurisdiction. (Id. at 8 n.2.) The Court pointed to prior determinations by federal courts and the US Commodity Futures Trading Commission (“CFTC”) that virtual currencies are commodities under the federal Commodity Exchange Act, “which defines the term more narrowly than does the Martin Act.” (Id. at 8.)

The takeaway: the decision is a timely reminder to companies and individuals in the FinTech sector that the New York AG has broad power to investigate suspected fraud in the realm of virtual currencies. Dealing with the New York AG’s Investor Protection Bureau may be a disorienting experience for white collar practitioners used to responding to inquiries by federal regulators. The text of the Martin Act places few clear limits on the New York AG’s investigative authority, and the office is not constrained by the large body of guidance memorialized in the US Department of Justice’s manual for prosecutors and other published federal enforcement guidelines that help practitioners attempt to deal with regulators on a level playing field. Ultimately, the New York AG’s investigation may have implications for the popularity of tether, which remains the most traded stablecoin but which faces growing competition from other cryptocurrencies, such as USD Coin and Gemini Dollar.