Tuesday, 21 February 2012

Getting down to the basics of a solid privacy policy. (Bresnan Communications L.L.C. v. Mortensen)

All too often we think that privacy policies are just boilerplate forms that can be plunked down on a website and then scratched off from our to-do list. Unfortunately, that's just not the case. According to a recent U.S. federal district court case, Mortensen v. Bresnan Communications, LLC, companies need to pay attention to what their privacy policies say and how they are presented to users.

Background: Online Behavioral Advertising

Consider the factual background information on this specific case. Defendant Bresnan Communications, an internet service provider (ISP), allowed NebuAd, Inc., a California startup, to install a device on its network that engaged in "deep packet inspection." Stripped of opaque technical-sounding terminology, this means that NebuAd analyzed emails of Bresnan's users and tracked their web surfing in order to create a user profile. NebuAd then used this profile to target online behavioral advertising. For example, if a user waxed poetic in his emails about the romantic bed and breakfasts in Asbury Park, N.J., and then visited I-Love-NewJersey.com (this is all quite hypothetical, of course), the user may begin receiving online ads containing discounted passes for the Garden State Parkway and to Atlantic City casinos.

Plaintiffs, who sought to represent a group of aggrieved subscribers, claimed that their ISP (Bresnan) profited from NebuAd's activities and that Bresnan had not properly obtained the users' consent to collect their personal information. Plaintiffs specifically alleged the following: 1) This was in violation of the Electronic Communications Privacy Act (ECPA), 2) this was an invasion of privacy, 3) this was a violation of the Computer Fraud and Abuse Act (CFAA), and 4) it was considered a "trespass to chattels," a medieval, obscure doctrine of violating someone's personal property. Bresnan moved to dismiss the complaint, but the ISP was only partially successful. Although the court's opinion began in a predictable fashion in favor of the defendant, there was a surprising turn: The court permitted the class action to proceed.

On ECPA Claims, the Defendant Wins

The ECPA, also known as the Wiretap Act, prohibits intercepting (or assisting in intercepting) electronic communications unless the person has given prior consent to such interception. The question the court addressed was whether users had implicitly given their consent to the surveillance.

Bresnan argued that users had actually given their consent since its Online Privacy Notice and Online Subscriber Agreement stated that the ISP "and its agents" could monitor electronic postings and transmissions as well as use equipment to collect information on users' internet usage. Specifically, these policies indicated that Bresnan could collect information on three fronts: 1) the "web sites you review," 2) "your electronic browsing," and 3) "the text of e-mail or other electronic communications you send or receive." The policies also indicated that this information could be disclosed to third parties.


Besides these general notices, Bresnan also specifically notified users that the NebuAd trial was set to begin and provided a link for customers to opt out.

The court dismissed the plaintiffs' Wiretap Act claim, concluding that Bresnan had given notice (on three separate occasions) to users that their email and browsing history would be monitored and that it could be passed on to third parties. The court concluded accordingly that users had consented, or at least acquiesced to, the interception of their messages.

On Invasion of Privacy Claims, the Defendant Wins

The plaintiffs' next claim was that Bresnan committed a tort by violating the users' privacy. To prevail on such a claim, a plaintiff must show that he or she expected privacy and that this expectation was objectively reasonable.

For the same reasons that the court rejected the plaintiffs' Wiretap Act claims (the users were given adequate notice that their communications would be intercepted), the court dismissed the privacy claims. While the users may have expected their communications to be private, this was not an objective and reasonable expectation because Bresnan had informed them three times that their messages were not private.

On the CFAA Claims, the Plaintiffs Win

A person violates the CFAA if he or she accesses someone else's computer without authorization, or exceeds authorized access, to "obtain or alter information" in the computer. Plaintiffs must, in the aggregate, have suffered economic loss or damages of $5,000 in order to bring a claim under the CFAA.

Since the users gave their consent to their emails being provided to third parties, the court held that Bresnan did not access the computers without authorization. However, the court did hold that Bresnan "exceeded authorization" since the Privacy Notice, the Online Subscriber Agreement, and the NebuAd appliance trial hyperlink didn't provide notice that NebuAd would place cookies on the users' computers that would alter the user's privacy protocol and security settings. Accordingly, the court concluded these changes to the privacy settings exceeded authorization, and therefore, the plaintiffs' CFAA claims would not be dismissed.

On the Trespass to Chattels, the Plaintiffs Win

Trespass to chattels is a medieval, obscure doctrine of violating someone's personal property (as opposed to the more well-known trespassing on land), which was largely moribund until some creative attorneys in the late 1990s resuscitated it in the internet context in the case of Thrifty-Tel v. Bezenek (Cal. 1996). Plaintiffs in Mortensen claim that the ISP, by permitting NebuAd to alter the privacy and security settings, interfered with the users' possessory interest in their computers and thereby caused damage to the computers. Just as with the CFAA claim, altering the privacy and security settings was held sufficient to state a claim of trespass to chattels.

Analysis and Recommendations

NebuAd's appliance has been criticized for its invasion of privacy not just by the plaintiffs in this case but also during congressional hearings held in 2008. In particular, members of Congress railed against NebuAd for not obtaining explicit, proactive consent from users to monitor their email. Congressman Gene Green, D-Texas, called NebuAd's opt-out procedures "contemptible." Congressman Mike Doyle, D-Pa., said the practice "goes against everything the country's been founded on." Rep. Bart Stupak from Michigan asked, "Why do I have to opt out? Why should the burden be on the American consumer?"

In the wake of this criticism, major customers of NebuAd terminated their agreements, and NebuAd has since gone out of business.

However, the lessons from this case have outlived the company. Even though I believe the court's conclusions on both the CFAA and trespass claims are not at all convincing (including on the issue of whether plaintiffs truly can make a claim for economic damages under CFAA or can prove actual damage to their computers on the trespass claim, as required by the leading case in this area, the California Supreme Court opinion in Intel v. Hamidi), the lessons of the Mortensen v. Bresnan holding are that companies should review their privacy practices in the following ways:

* Privacy policy must be specific. In dismissing the plaintiffs' claims under both the Wiretap Act and for invasion of privacy, the court stated the users had consented since the privacy policies clearly stated that Bresnan or third parties might monitor their emails and web browsing. On a similar theory, the court refused to dismiss the CFAA and trespass to chattels claims since the privacy policies had not specifically stated that the NebuAd appliance would alter the privacy and security settings. Lesson 1: Companies should review their privacy policies to make sure that all of the following are clearly described: first, any proposed uses of users' information; second, the use of any cookies; and third, any alterations of a user's computer settings.

This advice is also consistent with various recent Federal Trade Commission (FTC) enforcement actions in the privacy area. In June 2009, the FTC settled a case against Sears and Kmart that charged that they failed to disclose adequately the scope of personal information they collected from users who downloaded a particular software application. Last November, the FTC settled charges against EchoMetrix that it failed to adequately inform parents using its web-monitoring software that information collected about their children would be disclosed to third-party marketers.

* Multiple privacy notices. In finding that the users had consented to the ISP's monitoring device, the court noted positively that users had received three notices from the ISP: the privacy policy, the online subscriber agreement, and a specific notice that the NebuAd trial was about to begin and that users could opt out of the trial. Lesson 2: Multiple notices should be given for potentially invasive or unexpected uses of a user's personal information. Specific, timely notices of particular uses are much more powerful and convincing to a court than general older notices.

* Minimize use of personal information. In this case, the court gave significant weight to user consent, even as part of a nonnegotiable standard-form privacy policy and terms of use. The court also looked favorably upon the opt-out procedure rather than requiring explicit consent to opt in to the NebuAd trial. Companies may not be so fortunate in the future. (This is especially true in Israel, where courts are not sympathetic to standard-form agreements in the consumer context.)


Under the deep-packet inspection technology, it is not clear that a user who opted out of the trial did not have his or her personal emails or web activity collected. Rather, it may be that the information was simply not passed along to target advertisements. Lesson 3: Companies should evaluate whether their privacy practices as implemented minimize the amount of personal data collected and limit the collection to the purposes identified in their privacy policies. Both courts and regulators are increasingly conscious of protecting the privacy of users, and unreasonable practices may not be upheld, even if there is some generic allusion to such collection and use of personal information in a website policy.

David Mirchin chairs the Information Technology, New Media, and Licensing Group of Meitar, Israel's leading international law firm. His email is dmirchin@meitar.com; send your comments about this article to itletters@infotoday.com.
