News & Insights


May 22, 2017

Data, Privacy & Security Practice Report – May 22, 2017

Reach Out And Invite Someone – Federal District Court Sets Limits On Liability Under The TCPA – On May 15, 2017, a federal district judge granted summary judgment in favor of Poshmark, Inc., dismissing a putative nationwide class action alleging violations of the Telephone Consumer Protection Act, 47 U.S.C. § 227(b)(1)(A)(iii) (“TCPA”). A copy of the order is available here

Defendant Poshmark, Inc. (“Poshmark”) is an online clothing marketplace where users can buy and sell used clothing and other fashion accessories from other users’ “closets.” Users can also “follow” others’ closets if they choose, in an effort to gain more exposure on the marketplace.

Poshmark developed a mobile application (“app”) relating to its marketplace, providing users with an additional platform available on their mobile devices to list items for sale, upload pictures of items, browse, shop, and purchase goods from other users. Like many other apps, Poshmark’s app allows registered users to send invitations to their friends and contacts, inviting the contacts to join. Invitations can be sent in a number of ways, including sending text messages to contacts whose telephone numbers are saved in the user’s mobile device, or to users’ contacts on social media, such as Facebook and Twitter.

In September of 2016, Christopher J. Reichman (“Reichman” or “plaintiff”) filed suit against Poshmark in the U.S. District Court for the Southern District of California, after receiving two text messages on his cell phone, both containing invitations to join Poshmark. Reichman alleged that Poshmark violated the TCPA, and he sought to represent a nationwide class of all persons and entities “to whose mobile phones POSHMARK and/or its agents transmitted a text message without prior express written consent anytime from September 15, 2012, to the present.”

Poshmark moved for summary judgment, arguing that Reichman’s TCPA claim failed because Poshmark did not send or “make” the invitational text messages within the meaning of the TCPA. Poshmark argued that one of Reichman’s former clients took affirmative steps to send the text invites to Reichman, who was saved as a contact in the client’s phone. Thus, Poshmark argued, it had not “made” the text messages and therefore, based on the plaintiff’s own assertions, had not violated the TCPA. The court agreed with Poshmark.

The TCPA makes it unlawful to “make any call,” which includes sending of a text message, without the prior express consent of the called party, “using any automatic telephone dialing system . . . to any telephone number assigned to a cellular phone service.” The TCPA does not define the phrase “to make any call.” In concluding that Poshmark did not “make any call,” the district court relied on past guidance provided by the Federal Communications Commission finding that the TCPA is not necessarily violated by a company when an app user takes multiple affirmative steps to “make” an invitational text message, rather than the company sending it itself.

Plaintiff did not dispute that affirmative steps, independent of Poshmark, must be undertaken by a user of the app before an invitation message or text message would be sent. Instead, plaintiff argued that Poshmark had not adequately informed users of the method by which invitations would be sent, but Poshmark provided evidence that its app informed users whether their invitations would be sent via text or email. Further, plaintiff argued that whether Poshmark had “knowledge” that its users were violating the TCPA was a genuine issue of material fact precluding summary judgment. But the court was not persuaded, ultimately concluding that plaintiff’s conclusory allegations, made in the face of the undisputed record, were insufficient to establish a genuine issue of material fact.

The Poshmark decision suggests that companies may be able to avoid TCPA liability for certain text messages if they are sent by an app that sufficiently informs the user of what method will be used to send the invites, and that requires registered users to take multiple affirmative steps before sending text message invitations to join the service.  

Reporter, Brittany N. Clark, Washington, D.C., +1 202 626 5528,

Illinois “Right to Know” Bill Passed Out Of Illinois State Senate – On May 4, 2017, the Illinois State Senate passed a bill requiring websites and apps to notify their Illinois customers of the personally identifiable information they collect and disclose and with whom they share it. If enacted, this would expand existing Illinois law, which only requires notification of security breaches. 

The bill, titled the “Right to Know Act,” was designed to recognize “the importance of providing consumers with transparency about how their personal information, especially information relating to their children, is shared by businesses,” and to help them “protect themselves and their families from cyber-crimes and identity thieves.” Toward this end, the bill requires that operators of commercial websites or online services (“Operators”) provide certain information when customers sign up for services, and upon request. Specifically, if ultimately enacted, the Right to Know Act will first require Operators that collect Illinois customers’ “personal information” through the internet to disclose and describe the following to customers in their customer agreements, “Terms of Use,” or incorporated addenda:

  • The categories of personal information that the Operator collects about its customers;
  • All the types or categories of third parties to which an Operator may disclose a customer’s personal information; and
  • A customer’s rights under the Right to Know Act.

Second, the Right to Know Act will require that Operators make certain specified information available to customers who request it, including the names of parties who received the information. Operators must also provide an e-mail address or toll-free telephone number whereby customers may request or obtain the information.

The bill also gives Illinois residents a private right of action. Specifically, customers may recover: (i) liquidated damages of $10 or actual damages, whichever is greater; (ii) injunctive relief, if appropriate; and (iii) reasonable attorneys' fees, costs, and expenses. To appease the business community, this provision replaced a March 2017 version proposed by the State Senate Judiciary Committee that created a right of action for customers to pursue relief under the Illinois Consumer Fraud and Deceptive Business Practices Act.

The bill narrowly passed the Illinois State Senate, with 31 out of a total of 59 senators voting “aye.” The bill now moves to the Illinois House for consideration, against the backdrop of the United States Congress voting to repeal the Federal Communications Commission's broadband privacy rules, which were adopted last fall under the Obama administration and were supposed to go into effect this year. 

The Right to Know Act can be found here

Reporter, Stephen Abreu, San Francisco, +1 415 318 1219,


President Trump’s Executive Order On Cybersecurity – On May 22, 2017, King & Spalding published a Client Alert discussing President Trump’s long-awaited Executive Order on the cybersecurity of federal networks and critical infrastructure. The full Client Alert can be found here.