Internet Privacy Class Actions: How to Manage Risks from Increasing Attacks against Online and Social Media

DWT Media Law September 16, 2011 Comments Off on Internet Privacy Class Actions: How to Manage Risks from Increasing Attacks against Online and Social Media

By Jimmy Nguyen

In today’s cyberworld, operating in online and social media can put companies in a special class. Unfortunately, that class could mean a class action lawsuit. Web sites and social media provide search engines, web site operators, and advertisers powerful ways to obtain and monetize data about users.  This power has triggered public and governmental concern about consumers’ online privacy, even leading to a Wall Street Journal investigative report in August 2010.  Not surprisingly, all that attention sparked a wave of class action lawsuits.

Given the fast-changing nature of the Internet, it is not hard for plaintiff’s class action lawyers to uncover some privacy violations (no matter how small), and even easier to name a large putative class (given the many users of most Internet platforms). Privacy lawsuits also make news because people are sensitive about their personally identifiable information (PII). As a result, purported class actions alleging online privacy violations have hit leading Internet and technology companies such as Google, Apple, Facebook, Zynga, Interclick, and Clearspring Technologies. Also targeted for their web site operations are traditional media companies, including The Walt Disney Company, Fox, and NBC.  The risks can be high: Facebook paid $9.5 million to settle the case aimed at its now-defunct Beacon advertising program.

For the most part, these class action lawsuits invoke laws written long ago. At the federal level, they include the Electronic Communications Privacy Act (18 U.S.C. § 2810), passed in 1986 to make wire-tap restrictions on telephone calls applicable to electronic data transmission; its related Stored Communications Act (18 U.S.C. § 2702) which prohibits the operator of a “remote computing service” from knowingly divulging information about its user or subscriber; and the Computer Fraud and Abuse Act (18 U.S.C. §1030), an anti-hacking law aimed at unauthorized access to computer systems.  These statutes were enacted long before the interactive Internet era exploded with Google, YouTube, Facebook, and their progeny. Much like in the copyright and trademark fields, courts must interpret how those pre-Internet laws should apply to the digital environment – at least until modernized online privacy legislation might be enacted by Congress or increasingly at state levels.

As this legal area evolves, it is important for companies to manage the risks that come with the rewards of new media. This article reviews some categories of class actions filed against online and social media properties, and then strategies for managing the exposure.

CATEGORIES OF PRIVACY CLASS ACTIONS

Category #1:  Claims for violation of web site Terms of User or Privacy Policy

Virtually all companies have Terms of Use and Privacy Policies posted on their web sites.  If they use or reveal consumer data inconsistently with such provisions, they can be subject to a straightforward claim for breach of the contract created through those online provisions.
One recent example is the Alan Claridge v. RockYou, Inc. class action filed against in the U.S. District Court for the Northern District of California. RockYou is a publisher and developer of applications used on social media sites like Facebook. In December 2009, unauthorized individuals breached its database, leading to disclosure of unecrypted user names and passwords of some 32 million RockYou users. One user sued on behalf of all affected individuals.

In total, the complaint asserted nine causes of action. One of the theories was for breach of contract: a claim that RockYou failed to secure users’ personally identifiable information in violation of the company’s posted Terms of Service and Privacy Policy. On April 11, 2011, the District Court judge dismissed five of the claims at the pleading stage.  The main surviving theories were for breach of contract (RockYou’s online Terms of Use) and negligence. The case thus continues on those claims.

RockYou may still emerge victorious in defeating the contract and negligence claims. In particular, it appears to have a good argument that the purported class cannot establish any adequate damage from the data breach and disclosure of their PII. But the case against it is a good reminder for companies to make sure they vigilantly comply with their stated Privacy Policies.

Category #2:  Flash cookies

Web sites and online applications often use cookies to track information about users. There are various types of cookies, each with different uses. Cookies can allow the web site operator to see your Internet browsing history; store your log-in or authentication information; and help personalize sites by “remembering” your preferences from prior visits. Many Internet users have learned how to disable cookies through controls on Internet browsers.

Because cookies collect data about Internet users, they trigger privacy claims and in particular, a recent spate of class action litigation related to flash cookies. Flash cookies (otherwise known as Local Shared Objects) use a capability of Adobe’s Flash plug-in to track web site users and store user information.  These cookies are prevalent because Adobe’s Flash software is installed on an estimated 98% of personal computers, and powers many online video players (including for YouTube and Hulu). For entertainment content owners and distributors, Adobe Flash and its cookies help the digital distribution ecosystem to function. But flash cookies are less known to the public, because they are typically not identified in cookie privacy controls available on browsers.

Moreover, some flash cookies are like “zombies.”  Even a user deletes a website’s tracking cookie, that cookie’s unique ID can be assigned to a new cookie using the Flash data as backup. Like a zombie, the cookie comes back to life even after you think you’ve killed it.

Flash cookies have been in use since at least 2005.  But they caught public attention in 2009, after a UC Berkeley study was published about how Web companies can recreate cookies after they have been deleted by consumers. Plaintiffs’ lawyers then jumped on the flash cookie bandwagon.

In July 2010, privacy activist lawyer Joseph Malley filed a class action in the U.S. District Court for the Central District of California (Valdez v. Quantcast Corporation).  Quantcast Corporation provides technology for media companies to measure their online audience, and created “zombie cookies” which were used in its application to measure web traffic. Its technology is used by thousands of web sites, creating a widespread issue. Quantcast defended that the “zombie” reactivation was unintended, and promptly corrected the situation after the situation came to light.

Meanwhile, the class action complaint alleged that Quantcast and its media clients engaged in a pattern of “covert online surveillance” to harvest consumers’ personal information to use for online marketing. It named as defendants major entertainment companies which operate some of the most popular video web sites, including ABC, NBC, MTV, ESPN, MySpace, and Hulu.

Again, the complaint had to rely upon outdated laws – including the federal Computer Fraud and Abuse Act (the computer hacking statute), the federal Electronic Communications Privacy Act (an eavesdropping law), California’s computer crime law (California Penal Code § 502, which also authorizes a civil claim), and California’s privacy crime law (California Penal Code § 630).

The lawsuits did not stop there.  A similar complaint was filed against Quantcast’s competitor, widget maker Clearspring Technologies, and its clients such as The Walt Disney Company, Warner Bros. Records, and Demand Media. Clearspring and Fox Entertainment Group (in particular for the americanidol.com web site) were also hit with yet another lawsuit. And a separate case was brought against Specific Media, one of the Internet’s largest ad-serving and tracking companies.

In December 2010, Quantcast and Clearspring settled some of those lawsuits by paying $2.4 million (with over $1 million going to fund privacy groups to be selected by the plaintiffs). Other cases remain pending.

Category #3: Social media information

Facebook and other social media networks hold a wealth of personal data about their users – from where you live, tastes in entertainment, and organizational interests. That is great for targeting advertisements based upon your preferences. But it is also ripe territory for plaintiffs’ lawyers to seek litigation gold.

Facebook and Zynga, the maker of wildly popular casual games (like Farmville), found that out in 2010.  Facebook assigns a unique user ID number to each of its members.  If you know someone’s user ID, you can look up the person’s profile and see information on that member’s public Facebook profile. Not everyone is savvy (or inclined to) enough to carefully manage their

Facebook privacy settings, so some Facebook citizens reveal quite a bit on their public profiles. In October 2010, a Wall Street Journal investigative report revealed that many Facebook applications (including some of Zynga’s popular games) were transmitting Facebook user IDS to advertisers and Internet tracking firms.

The class action lawsuits then came pouring out. They claim breach of 218 million users’ privacy expectations, as well as violation of Facebook and Zynga’s privacy policies, which pledge not to share personally identifiable information with third parties.

However, some observers wonder whether this is all ado about nothing. A Facebook user ID is not private information, and simply an identification tag (like finding someone’s name in a phone book). All it does is point someone to what is already public on a Facebook user’s profile.

While these class action lawsuits may not go far substantively, they reveal another area of risk:  the great wealth of information available from social media profiles.  Companies operating social media sites or applications, as well as advertisers using social media to promote their products and services, are likely to come under increasing scrutiny.

Category #4:  Online behavioral advertising

The latest batch of litigation is directed against online behavioral advertising – the practice of using a consumer’s Internet browsing history or profile data to target more relevant ads to the consumer.  Advertisers love this because it gives them more impact for their media buy dollar. The FTC and consumer rights groups are concerned, and have called for the industry to self- regulate the practice – for example, by asking Internet browsers to install a “Do Not Track” button so users can turn off any tracking mechanisms used to target ads.

A wave of 30+ federal class action lawsuits across the country began in 2010 and continues in 2011. Defendants have spanned a broad range of industry sectors, including internet and telecommunications service providers (Cable One, Google, Skype, Amazon.com), retailers (Nordstrom), consumer electronics makers (Phillips Electronics), and consumer products companies (Skechers, Reebok).

In general, the cases allege that web sites and third-party ad servers install onto users’ computers, without consent, cookies, spyware devices, and other applications to facilitate targeted ads. With no statute specifically governing behavioral advertising, the legal theories invoked include the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, and even arcane theories like trespass to chattels (i.e., by interfering with a user’s personal computer).

A key issue in these cases is whether the defendants’ posted privacy policies permit the activity. There is nothing inherently wrong with using consumer data (whether collected from Internet browsing history or discerned from users’ social media profiles) to serve targeted ads; but the practice needs to comply with the privacy policies of the involved companies. Consequently, one common defense in these class actions is to assert that users consented to the activity.

In addition, a “no harm, no foul” (or lack of damage) defense is often asserted, just as it is in other privacy case areas discussed above. For plaintiffs, it can be hard to prove consumers suffered actual harm because they received a targeted ad. (In fact, there is some argument that behavioral advertising benefits consumers by helping them avoid irrelevant ads).

STRATEGIES TO MANAGE RISK

To help control risk and hopefully avoid being sued, companies can take various steps.  These include:

  1. Carefully review web site Terms of Use and Privacy Policies for accuracy and compliance. Companies should not make promises about data privacy in their web site Terms of Use or online Privacy Policy unless they are prepared to live up to those promises. Otherwise, as we’ve seen with the RockYou case, a breach of contract claim is easy for plaintiffs to assert, and can be difficult for defendants to defeat at the pleading stage.  Additionally, if your client obtains consumer data from social media networks or engages in online behavioral advertising, make sure the governing Privacy Policies permit such activity. Companies should periodically review their web site Terms of Use and Privacy Policy to ensure compliance, and include appropriate information technology and digital marketing executives in that review process.
  2. Do due diligence before using third-party technology. Web site operators often obtain applications from third-party providers to help run or optimize their web sites.  They may not always know hidden surprises may come with the technology. For example, if a company installs a third-party application on web sites or social media pages, it should ask whether that application collects or transmits out consumer data, what data is sent, and to whom. Based on the answers to those questions, your client might ask for adjustments to the technology’s data collection, or may discover it needs to amend its Privacy Policy to justify using the application. Due diligence at the outset can help avoid problems down the road.
  3. Get a good indemnity provision.  If your client is getting web site or social media applications from a third-party provider, negotiate a good indemnity provision. You’ll want it to cover not just claims for IP infringement (especially patent claims), but also privacy violations and other claims arising from use of the technology on your client’s web sites.
  4. Periodically audit web sites for hidden tags, cookies and other applications. Companies can only control data collection they know about. It’s possible that a web site may have data collection devices installed on it unbeknownst to the web site owner. This was likely the situation for the media companies sued for having zombie Flash cookies from Quantcast on their web sites.   While the media companies had good indemnity from the technology providers (see lesson #3 above), some headache could have been saved if the hidden devices were self-discovered before the Wall Street Journal wrote about them.

If your company or client is hit with an online privacy class action, here are some defense strategies to consider:

  1. Explain why statutes and causes of action invoked by the plaintiff do not apply to online privacy issues. Plaintiffs’ lawyers have to invoke federal and state computer hacking and eavesdropping statutes enacted well before the Internet era, not to mention common law torts such as negligence and trespass to chattel that have nothing to do with the Internet. While courts are of course open to applying existing laws to the Internet world, some theories being asserted in these class actions appear to be a stretch.  Defense lawyers can take advantage of that, and press arguments for why these theories may not apply to a given fact scenario.
  2. Argue consent by users pursuant to the relevant Privacy Policy. In many instances, the disputed activity might be permitted by the defendants’ posted privacy policies. There is nothing wrong with collecting and using consumer data for marketing, as long as applicable privacy policies are honored. Consequently, one common defense is to assert that users consented to the collection and use of their data. And don’t look to just your own client’s Privacy Policy; in instances where your client has partnered with another party (such as Facebook) to obtain and use consumer data, that company’s Privacy Policy may permit the usage as well.
  3. Attack the lack of damage. Certainly, web site operators should not minimize users’ concerns about personal information (which could be a public relations faux pas). However, in many instances, the use of data which triggers a lawsuit has likely not caused any tangible damage to consumers. Plaintiffs and some Internet users may profess to being offended by unbeknownst access to, or use of, their data. But in reality, they will likely have a difficult time proving actual damage. That does not eliminate the risk of statutory damages and other remedies available under certain statutes, but it can be used to minimize the realistic exposure of any litigation.

Online and social media will forever be a world which requires a delicate balance. Companies need sufficient freedom to leverage the power of the Internet for their business goals, while consumers should expect their legitimate privacy rights to be protected. However, class action lawsuits that seek relief when little, if any, harm to consumers exists may disrupt this balancing act. With the right combination of due diligence, risk management, and strategic defense, companies operating in cyberspace can hopefully stay out of the class action world.

Comments are closed.