Airbnb’s Clickwrap Agreement Prevails in Florida’s Top Court, Sending Hidden Camera Dispute to an Arbitrator

By Russ Bleemer

A highly anticipated Florida Supreme Court case on the effect of incorporating arbitration rules into a consumer contract was decided this morning in favor of the app provider, Airbnb, sending a decision about whether a case is arbitrated to an arbitrator, instead of a court.

Today’s opinion in Airbnb v. Doe, No. SC 20-1167, means that the inclusion of the American Arbitration Association rules, which are referenced in Airbnb’s “clickwrap” agreement—linked and behind the box that is checked before purchasing access to one of the company’s rental accommodations listings—are considered a part of the customer’s obligations under their contract with Airbnb.

The decision is posted on the Court’s website here.

The Florida case is important because the U.S. Supreme Court last year balked at addressing the incorporation question.  Today’s 6-1 opinion by Florida Supreme Court Justice Ricky Polston notes that in endorsing the incorporation concept, it is following every U.S Circuit Court opinion on the subject.

The opinion reverses a detailed decision on the effects of clickwrap agreements and ambiguities in incorporating arbitration rules. The 2-1 Second Florida District Court of Appeals found the reference vague and not in line with Supreme Court caselaw that requires the reference to an arbitration rule to be clear and unmistakable. John Doe & Jane Doe v. Natt & Airbnb Inc., 299 So. 3d 599 (Fla. 2d DCA 2020) (available at https://bit.ly/3BPYPcu).

* * *

In June 2020, the nation’s top Court agreed to hear a case on the effect of a carve-out from arbitration in a sales contract between two medical devices companies.  At the same time, the Court denied a separate cross-petition in the same case on challenging the determination of arbitrability of the case on a question of incorporation by reference of AAA rules.

When the December 2020 argument in Henry Schein Inc. v. Archer and White Sales Inc., No. 19-963, was held, the Court got stuck, repeatedly, on the incorporation by reference point.  It appeared that the effect of the delegation of the arbitrability question—whether the incorporation of the rules was effective to put the decision of arbitrability, as well as the decision about the carve-out, in the arbitrator’s hands–depended on an analysis of whether that delegation was “clear and unmistakable,” the issue the Court had rejected.

A month later, the U.S. Supreme Court dismissed the case as improvidently granted. See Russ Bleemer, “Scotus’s Henry Schein No-Decision,” CPR Speaks (Jan. 25) (available here).

So this morning’s Florida Supreme Court decision will be seen as a reaffirmation of what many drafters consider standard drafting practice in incorporating a set of rules into their arbitration contracts–though after the Florida Second District fairness opinion associated with the app and the delegation, drafters likely will proceed with heightened awareness that the arbitrability provisions will be a potential target for parties who don’t want to arbitrate. Today’s case provides guidance for the U.S. Supreme Court’s “clear and unmistakable” arbitration delegation requirement.

* * *

Justice Polston signaled his strong support of the effectiveness of Airbnb’s contractual incorporation by reference of the AAA rules at the Nov. 2 oral arguments in the case.  See Arjan Bir Singh Sodhi, “Florida’s Top Court Takes on ‘Who Decides?’ in Airbnb Arbitration Case,” CPR Speaks (Nov. 5) (available here).

Today, he followed up with a majority opinion that eviscerated the state appeals court decision, relying instead on the reasoning in the dissent by Florida Second District Court of Appeal Judge Craig C. Villanti. (See appeals court opinion link above.)  “Here,” Polston wrote, “Airbnb and the Does clearly and unmistakably agreed that an arbitrator decides questions of arbitrability.”  He continued:

Airbnb’s Terms of Service explicitly incorporate by reference the AAA Rules: “The arbitration will be administered by the American Arbitration Association (‘AAA’) in accordance with the Commercial Arbitration Rules and the Supplementary Procedures for Consumer Related Disputes (the ‘AAA Rules’) then in effect.” The Terms of Service also provide a hyperlink to the AAA Rules and a phone number for the AAA. Further, the incorporated AAA Rules specifically provide that “[t]he arbitrator shall have the power to rule on his or her own jurisdiction, including any objections with respect to the existence, scope, or validity of the arbitration agreement or to the arbitrability of any claim or counterclaim.” (Emphasis added.) The Terms of Service incorporate the AAA Rules, and the express language in the AAA Rules empowers the arbitrator to decide arbitrability. Accordingly, consistent with the persuasive and unanimous federal circuit court precedent, we conclude that incorporation by reference of the AAA Rules that expressly delegate arbitrability determinations to an arbitrator clearly and unmistakably evidences the parties’ intent to empower an arbitrator to resolve questions of arbitrability.

Florida Supreme Court Justice Jorge LaBarga dissented. He wrote,

Because the arbitrability provisions relied upon by the majority to reach its decision in this case were buried within voluminous pages of rules and policies incorporated only by reference in a clickwrap agreement, the parties’ agreement to defer the consequential decision of arbitrability to the arbitrator was anything but clear and unmistakable.

Agreeing with and quoting heavily from the now-quashed appeals court decision, LaBarga wrote, “Unsuspecting consumers should not be expected to find the proverbial needle in the haystack in order to make a clear and unmistakable decision about arbitrability—that choice should be conspicuously located in the clickwrap agreement for the consumer to consider.

The case began when an anonymous Texas couple filed a complaint against Airbnb and the condominium owner who had listed the Florida property on the Airbnb platform. The complaint included intrusion against the condominium owner, and constructive intrusion against Airbnb, as well as loss of consortium against both the condominium owner and Airbnb. The plaintiffs had rented the condominium for three days in May 2016 from the Airbnb website, and later learned that the owner had installed hidden cameras and recorded the couple without their knowledge.

The plaintiffs filed their complaint in the Manatee County, Fla., circuit court. Airbnb moved to compel to settle the dispute through an arbitration proceeding. Airbnb claimed that the Does are bound to an arbitration proceeding under the signed terms and conditions when they accepted the app’s clickwrap agreement—that is, the legal contract in the Airbnb online software in which the customer indicates acceptance by typing in yes, or selecting a particular icon or link before they may use the service.

Today, the Florida Supreme sent the decision on how their case will proceed to an AAA arbitrator.

* * *

The author edits Alternatives to the High Cost of Litigation for CPR at altnewsletter.com.

[END]

Increased Mobile Health Triggers Increased FTC Enforcement, and Points to a Need for Dispute Prevention Efforts

By Janice L. Sperow

The pandemic changed how we work, how we shop, how we communicate, and how we “meet.” It changed our world’s “normal.”

Most significantly, it changed the healthcare industry, but not only with new vaccines and protocols. It revolutionized the way we maintain our health and wellness, as healthcare app development now shapes the future of medicine.

That, in turn, provides an opportunity for a new application for alternative dispute resolution—specifically, a recent Federal Trade Commission statement puts health-care industry managers on notice that they should institute dispute prevention steps and protocols to avoid potentially costly civil penalties as their products face closer federal scrutiny.

Spurred by rapid significant advances in mobile technology, artificial intelligence, and the internet of things, medical apps have accelerated at an unprecedented rate. Even before the pandemic’s uptick in the use of healthcare mobility tools, the Physicians Practice medical publication conducted a mobile health survey in 2018 and found that more than 75% of respondents used some form of mobile health solutions on a weekly basis.

Since the pandemic, the use of mobile applications in healthcare, MedTech (see www.medtech.org), and eHealth has skyrocketed. A $21.3 billion market in 2017, the global mobile health market is anticipated to reach $151 billion by 2025. See, e.g., Grand View Research, mHealth Apps Market Size, Share & Trends Analysis Report By Type (Fitness, Medical), By Region (North America, APAC, Europe, MEA, Latin America), And Segment Forecasts, 2021–2028 (February 2021) (available at https://bit.ly/2Zqo5bR).

The U.S Food and Drug Administration defines a health app as mobile software that diagnoses, tracks, or treats disease. A wellness app uses mobile software to enhance or track overall user health. They can and do address every facet of life impacting wellness from mental, physical, social, environmental, nutritional, behavioral, to even spiritual factors.

In response to the market’s growth, the Federal Trade Commission issued its “Statement of the Commission on Breaches by Health Apps and Other Connected Devices” (Sept. 15) (available at https://bit.ly/3bgLv63).  The statement stresses the FTC’s commitment to protecting private medical and health information inputted into these apps and devices, and explains the FTC’s Health Breach Notification Rule in more detail. (The Rule is available at https://bit.ly/3nFzkpk.) The Statement unequivocally declares the Rule’s scope and the FTC’s intention to enforce the rule.

The FTC’s Health Breach Notification Rule has been in effect since 2009, when the American Recovery and Reinvestment Act of 2009 (text at https://bit.ly/3pGHtMy) became effective. The Rule addresses the security of personal health records, or PHR, defined to include an electronic record of identifiable health information on an individual that can be drawn from multiple sources and that is managed, shared, and controlled by or primarily for the individual. See 16 C.F.R. § 318.2(d).

“PHR identifiable health information” includes “individually identifiable health information,” as defined in section 1171(6) of the Social Security Act. See 42 U.S.C. 1320d-6. It also includes individual information provided by or on behalf of the individual that actually identifies or reasonably can be used to identify the individual. See 16 C.F.R. § 318.2(e) (“reasonable basis to believe that the information can be used to identify the individual”).

The Rule applies to (1) vendors of personal health records; (2) PHR-related entities that interact with vendors of PHRs or HIPAA-covered entities by offering products or services through their sites; (3) PHR-related entities that access information from or send information to a PHR; (4) PHR-related entities that process unsecured PHR identifiable health information as part of providing their services; and (5) third-party service providers for PHRs vendors.

The Rule does not apply to HIPAA-covered entities or any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity.

Under the Rule, vendors of PHRs and PHR related entities must report a “breach of security” involving PHRs to the FTC, the consumers, and in some cases to the media. Service providers that process information for PHR vendors and PHR related entities also have a duty to notify their business customers of a security breach.

Typically, these service providers handle data storage or billing as a third-party provider. The Rule defines a “breach of security” as the acquisition of unsecured, PHR identifiable health information without the individual’s authorization.

Upon discovering a security breach, the entity must notify the required recipients within 60 days; but it must alert the FTC within 10 business days if the breach involves more than 500 individuals. Noncomplying entities face civil penalties of $43,792 per violation per day.

Rule Clarification

The FTC’s new Statement clarifies the Rule’s scope and application. It explains that the Rule covers PHRs vendors that contain individually identifiable health information created or received by health care providers. The Statement then specifies that health app and connected-device developers qualify as “health care providers” under the Rule because they “furnish health care services or supplies.”

Consequently, the Rule’s protections encompass any personally identifiable information developers create or receive that relates to the past, present, or future physical or mental condition of an individual; the provision of healthcare to an individual; or the past, present, or future payment for healthcare to an individual.

The Statement also emphasized that an electronic health record must draw information from multiple sources and be managed, shared, or controlled by or primarily for the individual before the FTC will consider it to be a PHR under the Rule.

The Statement, however, interprets multiple sources liberally to include other non-health related information. An electronic health record can draw information “from multiple sources” in the context of a health app, for example, through a combination of consumer inputs and application programming interfaces.

Hence, the Rule would apply to an app if it collects information directly from consumers and can technically draw information through an application programming interface that enables syncing with a consumer’s fitness tracker or phone, even if only one source provided the health information. For example, the Rule would cover a blood sugar monitoring app that collects health information only from the user’s blood sugar levels if it then uses non-health information from the user’s phone, such as date, time, or percentage figures.

The Statement also warns entities that the Rule does not limit a “breach of security” to cybersecurity intrusions, illegal behavior, or ill-intentioned activities. Rather, any unauthorized access will trigger the Rule’s notification duties, much like under HIPAA. Thus, a health app developer faces a reportable breach of security if it accidentally discloses private health information to a third party without the individual’s consent.

Rule Enforcement Change

In addition to clarifying the Rule’s scope, the FTC’s new Statement also signaled an enforcement sea change. Even though the Rule was enacted more than a decade ago, the FTC has not enforced it once since 2009.

The FTC admitted that it has not used the Rule. The Statement cautioned, however, that the FTC considers the Rule’s notification duties critical now in light of the surge in health apps and connected devices. The Statement explicitly declares the FTC’s intent to notify entities of their continuing obligation to publicize breaches under the Rule.

The Statement’s message is unequivocal: the FTC will enforce the Rule and its notice requirements from now on.

A Dispute Prevention Opportunity

Instead of being in a “more bad news” category, healthcare managers should file the FTC’s Statement as a new opportunity to prevent future disputes. The FTC Statement serves as a warning, affording the healthcare industry some time to implement strategies to protect itself from class actions, mass claims arbitration, and other costly disputes. By taking the warning seriously, the industry can assess and then minimize its risk.

The bottom line: Healthcare and wellness app developers should assess the Rule’s application to their services and the adequacy of their current security measures in order to prevent triggering the Rule’s notification provisions or even the possibility of a noncompliance finding.

And then they can breathe a sigh of relief if the current measures adequately protect the business, or implement new measures now to upgrade them until they do. Either way, the FTC handed the healthcare industry an opportunity to prevent costly future risk.

* * *

The author is a full-time neutral, arbitrator, mediator, dispute prevention facilitator, and Hearing Officer specializing in mass claims, healthcare, technology, employment, and all commercial matters. She works on domestic and international matters, and is based in La Mesa, Calif.

[END]