US Law (local/state/federal)


This is the only decentralized venue for chatter about law in the US. Federal law and law of various states and territories is on topic here.

1
 
 

This is crazy. Disney is claiming that a wrongful death lawsuit cannot go forward (paraphrasing):

“sorry, your husband signed up to a Disney+ trial a couple of years ago, hence they accepted T&Cs that clearly stated that any dispute about our products should go through arbitration rather than through courts”.

Even if a consumer carefully reads the terms and conditions, how could they reasonably expect the ToS for a video game would affect the terms they are under at a Disney restaurant? That’s fucking nuts.

Future parents: “sorry kids, you cannot play that video game because there is an arbitration clause and one day you might want to visit Disney’s amusement parks.”

I’ve boycotted Disney for over a decade because of how conservative the corp is and how right-wing extremist they are with politics. IIRC Disney financed the campaign of a politician looking to eliminate background checks on firearms. Indeed, the company who entertains kids is happy to fight against basic gun control. So when Disney pulls a dick move like this arbitration clause it just reinforces the idea that boycotting Disney is the right move.

(edit) wow the ups and downs of the votes are interesting. ATM 9 up & 9 down. Can’t help but wonder who are these anti-human people who are happy to lick the corporate boots of Disney.. capitalist fanatics disappointed that people would object to arbitration clauses perversely applied so broadly? I have to wonder if loyal Disney employees are following this thread.

2
 
 

Is there any kind of legal standard of liability when a victim of a data breach suffers from someone exploiting their data? If you are only breached once, obviously it’s easy to point the finger to whoever leaked your data.

But I’ve been hit 3 times now. So all those shitty corps who sloppily handled my data can point the finger to each other. Would a court say the most recent sloppy custodian is responsible if my data is used against me? Or would it be the most reckless custodian? Or would it be equal blame? Or does everyone get off the hook when a victim cannot prove which leak leads to an exploit?

It’s a hypothetical question. Not saying my data was exploited after the breaches, but I wonder about the overall trend. What I’m getting at is there may be little incentive to actually invest in good data security because when a breach happens amid so many other breaches there is perhaps a diffusion of responsibility.

3
 
 

A company I have no business relationship with sent me a breach notice stating that criminals got my data. This company is a supplier to many banks, brokerages, insurance companies, etc.

Obviously I want to know which of my banks or insurance companies I am doing business with trusted them with my data. I called and asked. They refused to tell me. But they have made it deliberately complicated. The phone number they gave to breach victims is for a 3rd party call center who knows nothing. So the call center says “we don’t have that info”.

Question: do financial/analytics orgs (or whatever the fuck they are) have a legal obligation to provide data breach victims with the SOURCE of the info? Do they have to tell me which of my banks (or whatever) hired them to be a custodian of my data?

What rights do data breach victims have?

(more background: https://links.hackliberty.org/post/2667522)

(update)
Thanks for all the useful feedback folks! I guess the question that remains is whether there are any federal laws that require the disclosure I am after. I looked up the law for my state here and found no law entitling breach victims to be informed of the source of their personal data. It would help to know the law because the AG, CFPB, and FTC will be limited to the law themselves.

4
 
 

The FCRA requires credit bureaus to disclose to consumers the identity of the sources of information in your credit file. Yet if you look at your credit report from any of the 3 major giants (TRU, EFX, EXPN), they list out all addresses, phone numbers, and email addresses with no indication of who fed them that info. If you request that info, they ignore or refuse.

The penalty for FCRA violations in that section is $1k. So you might think: “how cool is that? I can simply sue all three credit bureaus for $1k each”. It should work like that, but doesn’t. IIRC, it was a lawyer for a credit bureau who told me in so many words: case law shows that you must incur damages in this particular case. So if you can prove damages, then you can claim $1k (even if the actual damages are $1). But how do you even prove $1 in damages?

I have some ideas but generally this is such an uphill battle that credit bureaus can simply bluntly ignore the law. Which is what they do. It’s a good demonstration of how US corporations will plainly break laws that are unenforceable.

5
 
 

According to 15 U.S.C. 7704 §5(a)(5):

INCLUSION OF IDENTIFIER, OPT-OUT, AND PHYSICAL ADDRESS IN COMMERCIAL ELECTRONIC MAIL.—

(A) It is unlawful for any person to initiate the transmission of any commercial electronic mail message to a protected computer unless the message provides—

(i) clear and conspicuous identification that the message is an advertisement or solicitation;
(ii) clear and conspicuous notice of the opportunity under paragraph (3) to decline to receive further commercial electronic mail messages from the sender; and
(iii) a valid physical postal address of the sender.

When my text-based mail client receives an HTML-only email message, it tries to render the HTML as text. It’s sometimes a jumbled up unreadable heap of garbage because the HTML is malformed and relies on a forgiving/tolerant rendering engine. Even when the HTML is well formed, hyperlinks are not exposed in the text rendered. E.g. a msg will say “to unsubscribe and stop receiving emails, update preferences here.”

Where is “here”? That is just raw text to me. Sure, an advanced user can do a number of things to dig up that link. But I doubt that would pass the legal standard of “clear and conspicuous”.

Anyone have confidence either way whether HTML-only spam is legally actionable on this basis?

(update) I should mention the most annoying offenders-- corporate senders (e.g. banks) that attach a plaintext MIME part, but then the motherfuckers use it to just say (in so many words) “You need to update your software”. This makes it extra difficult to see the content of the message because the text mail client of course shows the text MIME part by default.

6
 
 

Some banks have started demanding proof of address when they realize that the address they have on file is “commercial”, e.g. like a UPS Store PMB type of address. How would this play out in court? The law¹ states:

“(i) Customer information required—(A) In general. The CIP must contain procedures for opening an account that specify the identifying information that will be obtained from each customer. Except as permitted by paragraphs (b)(2)(i)(B) and (C) of this section, the bank must obtain, at a minimum, the following information from the customer prior to opening an account:

  1. Name;
  2. Date of birth, for an individual;
  3. Address, which shall be:
    (i) For an individual, a residential or business street address;
    (ii) For an individual who does not have a residential or business street address, an Army Post Office (APO) or Fleet Post Office (FPO) box number, or the residential or business street address of next of kin or of another contact individual; or …
  4. Identification number, which shall be: …

(emphasis mine)

Banks seem to be over-reacting to law that is more lenient than what banks are interpreting. Not only are business addresses allowed, but a bank customer can even supply someone else’s address. The law also seems to distinguish between old customers and new. Yet out of the blue banks are harassing customers who have had an account for years. They have a gov-issued ID doc and SSN, yet suddenly the banks get anal and persnickety about the address to the extreme of freezing people’s accounts as databases grow (DBs that track the zoning an address is in).

Has this been challenged in court? It’s clear from the linked thread that customers either dance for the banks or get their accounts frozen. It could be hard to challenge in court since banks can demand whatever info they want even if not required by law. But if they suddenly close an account that has been established, that could cause damages to the customer.

One interpretation is that legislators intended the business address to be that of the customer’s workplace. But the law does not seem to specify that.

¹ 31 C.F.R. § 103.121

7
 
 

Some tax forms ask information that seems to have no effect on the bottom line. No matter how you answer the question, your tax bill is the same either way. In Europe, this sort of thing would violate the data minimization principle of the GDPR. So the question is, what happens to people who either leave the intrusive fields blank, or they give bogus info? I’ve heard that tax penalties are generally a constant × the amount of underpayment. If underpayment is zero then so is the penalty, correct?

8
 
 

My credit union has been spamming me for years. As the volume of their bulk junk mail increases, I’m looking for a way out. Their email is HTML-only. So my text mail client only renders the raw text “To unsubscribe and stop receiving emails click here”. And “here” is obviously just text because it’s a text terminal.

Is that legal?

Suppose it is. So I dissect the HTML and fish out the link from a heap of garbage. The link does not go to the credit union’s website (if it did, that would be a non-starter anyway because I canceled my web account when they started blocking Tor). The link goes to a 3rd party site which also blocks Tor. So apparently as a precondition to opting out of spam I must share my personal IP address with a 3rd party agent of spam. Perhaps I can play whack-a-mole with a series of VPNs but I’m not interested. I just want to know if the opt-out procedure can legally be exclusive in this way. Can a legal challenge be mounted that forces them to provide an opt-out mechanism that’s inclusive?

The legal text is this:

(ii) clear and conspicuous notice of the opportunity under paragraph (3) to decline to receive further commercial electronic mail messages from the sender;

I don’t know the legal meaning of “clear and conspicuous”, so I’m not sure if nesting it in HTML satisfies that requirement. But it’s strange that they must merely give notice of the opportunity to opt-out, apparently without actually giving the opportunity to opt-out (just notice thereof IIUC).