When was the last time you actually read the privacy policy or terms of use of your go-to social media website or your favorite app? If you’re a diligent internet user (like me), it might take you an average of 10 minutes to skim a privacy policy before clicking “ok” or “I agree.” But after you click “ok,” have you properly consented to all the ways in which your information may be used?
As consumers become more aware of how companies profit from the use of their personal information, the way a company discloses its data collection methods and obtains consent from its users becomes more important, both to the company and to users. Some critics even advocate voluntarily paying social media sites like Facebook in exchange for more control over how their personal information is used. In other examples, courts have scrutinized whether websites can protect themselves against claims that they misused users’ information, simply because they presented a privacy policy or terms of service to a consumer, and the user clicked “ok.”
The concept of “clickable consent” has gained more attention because of the cross-promotional nature of many leading websites and mobile apps. For example, Facebook now has access to all the personal information users have uploaded to Instagram, and Google can use your YouTube searches to provide targeted ads to your Gmail account.
But with the prevalence of these cross-linked services, companies have been accused of using users’ information for unintended or undisclosed purposes. In a recent example, LinkedIn users accused the networking site of using their email addresses and profile pictures to send invitations to their email contacts without permission. LinkedIn denied the accusations, claiming that users consented to allowing the company to access their contact lists, or that the users were responsible for checking their default settings, which allowed LinkedIn to use email addresses from a user’s contact list.
The California federal district court hearing this case sided with LinkedIn, finding that its users consented to LinkedIn’s accessing their email contacts. Key to this finding were three factors in LinkedIn’s sign-up process: clarity, proximity and opt-out. First, users creating a profile were clearly advised that “LinkedIn.com is asking for some information from your Google account [email address]” and then asked to choose either “Allow” or “No thanks.” Second, LinkedIn presented that disclosure immediately before the alleged unlawful activity (i.e. the gathering of users’ emails from their Gmail contacts). The court specifically distinguished this disclosure from a similar clause buried in a standard Terms of Service agreement, which presumably no one would notice. Finally, the court noted the express opt-out feature of the “No thanks” button.
In another case, Gmail users accused Google of violating federal and state anti-wiretapping laws by scanning keywords from emails to use in targeted ads. The users claimed that Google’s Privacy Policy explicitly set out a list of information that it may collect, but did not include the contents of emails. Google argued that users who send emails from a Gmail address impliedly consent to its scanning and use of their information across its products (for example, using Google searches to show ads in a Gmail account).
U.S. District Court Judge Lucy Koh wasn’t buying it. Judge Koh rejected Google’s “implied consent” argument, stating that “[a]ccepting Google’s theory of implied consent — that by merely sending emails to or receiving emails from a Gmail user, a non-Gmail user has consented to Google’s interception of such emails for any purposes — would eviscerate the rule against interception.” While Judge Koh did not rule on the merits of users’ claims, she denied Google’s motion to dismiss. According to Judge Koh, Google’s policies “did not explicitly notify Plaintiffs that Google would intercept users’ emails for the purposes of creating user profiles or providing targeted advertising.”
The litigation of this case continues, although Google won a small victory in March 2014 after class action certification for plaintiffs was denied. Nonetheless, Google must have taken Judge Koh’s warning to heart because its revised Terms of Service now state:
Our automated systems analyze your content (including emails) to provide you personally relevant product features, such as customized search results, tailored advertising, and spam and malware detection. This analysis occurs as the content is sent, received, and when it is stored.
Judge Koh’s findings are also important because they help establish the boundaries of a user’s permissible consent to a privacy policy or terms of service:
1.) Disclosure is specific to the context of each type of use. Google’s terms suggested that users’ content may be intercepted to exclude objectionable content (e.g. sexual material), but said nothing about intercepting emails to enhance Google’s targeted advertising. Therefore, a user’s consent to the former does not equal consent to the latter. As Judge Koh said, “Consent is not an all-or-nothing proposition”; instead, it should put users on notice with regard to each way in which their information may be used.
2.) Disclosure must differentiate between capacity to use information and intent to do so. Google’s terms stated that its advertisements may target the content of information obtained by using its services, but not that it intended to do so. Thus, if a website intends to use stored or collected information in a particular way, disclosure of its intent may help protect it from a claim that it did not properly obtain consent for that type of use.
3.) The website’s role in data collection and use must be defined. Google’s privacy policy stated that Google collects users’ communications to Google, but did not mention that it may also intercept emails in transit between Gmail users and users with other email accounts. Misleading or confusing users was a prime factor for Judge Koh’s conclusion that users did not explicitly consent to Google’s privacy policy.
4.) Not all users are created equal. Google claimed that non-Gmail users (those who did not agree to its terms of service or privacy policy) understand that emails are electronically processed, and can be intercepted by a third party like Google. Judge Koh did not extend Google’s theory of “implied consent” to cover non-Gmail users, instead holding that users who did not agree to Google’s terms or privacy policy could not have given their consent to Google’s interception and use of their emails. As such, a website should be mindful of the third parties to whom its users can share or send information (and vice versa) and should ensure that its privacy policy and terms of service disclose how information sent to or received from third parties will be used.
These and other cases illustrate the “opt-out” consent typical of U.S. privacy law: unless a use is explicitly prohibited by applicable law, expressly barred in a website’s privacy policy or (perhaps) explicitly communicated to a website operator by a user, the use is permitted. These cases do not address the related question of whether a specific use – even if explicitly permitted under a privacy policy – could nonetheless be prohibited where a user successfully argues that consent to such use was not properly obtained, for example because of a non-compliant disclosure format or process in violation of a specific law (such as California’s “Online Privacy Protection Act”), or under circumstances where, despite technical “disclosure”, informed user consent is challenged because of the denseness of the legal language, or perhaps the lack of true choice, making consent to a privacy policy essentially a “contract of adherence”. In other words, the proverbial “what choice do I really have if I want to use the internet?” argument. These sorts of arguments have not fared well in U.S. courts. We will write about this separately, however, in the near future.