consent – Media Tech Law

Confusion in “Cookie”-Land: Consent Requirements for Placing Cookies under GDPR and ePrivacy Directive

Posted July 26, 2019 by Andrew Mirsky 0

Must a website get consent from a user before placing cookies in the user’s browser? The EU’s ePrivacy Directive says that yes, consent from the user is required prior to placement of most cookies (regardless of whether the cookies track personal data). But under the General Data Protection Regulation (GDPR), consent is only one of several “lawful bases” available to justify collection of personal data. If cookies are viewed as “personal data” under the GDPR – specifically, the placement of cookies in a user’s browser – must a website still get consent in order to place cookies, or instead can the site rely on one of those other “lawful bases” for dropping cookies?

First, are cookies “personal data” governed by the GDPR? Or to be more precise, do cookies that may identify individuals fall under the GDPR? This blog says yes: “when cookies can identify an individual, it is considered personal data. … While not all cookies are used in a way that could identify users, the majority (and the most useful ones to the website owners) are, and will therefore be subject to the GDPR.” This blog says no: “cookie usage and its related consent acquisition are not governed by the GDPR, they are instead governed by the ePrivacy Directive.” (emphasis added) Similarly with this blog.

We’ve Updated our Terms of Use!

Posted July 26, 2017 by Andrew Mirsky 0

Why are they sending me this information, and what am I supposed to do with it? You’ve just received an email like the one below from Uber, or from one of your various subscription services, credit card companies, banks, ISPs or any of a zillion different web applications:

SUBJECT: We’ve Updated our Terms of Use

Hi Andrew, we’ve been able to bring Uber to more than 400 cities in 72 countries. And that’s in just a little over 6 years. In light of that growth and some changes to our services, we’ve made some updates to our US Terms of Use

They have your attention. You sit up alert in your chair, you rub your eyes and read on. The company then sometimes offers a summary of the changes, often in as cheery and euphemistic a way as possible, with statements like “We revised our arbitration agreement which explains how legal disputes are handled”, or “We have updated our Terms of Use regarding the ways in which we may contact you.” All, no doubt, good things.

Turns out, noone actually reads these updates. That last sentence is not meant as sarcasm. The non-partisan Stanley Roper Polling Organization actually published a study that concluded “Noone actually reads these updates.” Editor’s Note: There is no such organization and there was no such study. Evidently. Although Andrea Peterson reports in The Washington Post about a 2008 study (about privacy policies) that concluded “it would take a staggering 244 hours a year for the average American to read the privacy policies of every site they visit over the course of a year.”

Private Metadata is Doublethink

Posted October 21, 2016 by Andrew Mirsky 0

It is commonly said that if you do not want digital information found, then you should not create any. A challenge however is that there is a class of digital information, called metadata, that often is not created by you but is nonetheless associated with you. While content is any information that can be published or posted online, such as tweets, photos, videos, ebooks, Facebook posts and games, to name a few, metadata is something entirely different.

At first metadata was used to help describe content. It was automatically assigned by the software or app developer to help make the content easier to sort, index and later find. Location tags for example, are a common form of metadata. When content is posted online, the location of the sender may be attached to the content. A person posting a picture of a beach to his Facebook account will reveal to his network that he is in Cabo San Lucas, Mexico and that the picture was taken two days ago at 3:30 PM.

Metadata is expressive now, meaning it reveals information about the individual’s behavior and ultimately identity, regardless of whether the individual wants to be known or the behavior identified, based on the content the individual creates, and what the individual searches or buys online. Thus a user who posts a picture of a positive pregnancy test, shops for prenatal vitamins and performs an online search for baby furniture can be inferred to be female and pregnant.

What’s Behind the Decline in Internet Privacy Litigation?

Posted September 8, 2015 by Roman Vayner 0

The number of privacy lawsuits filed against big tech companies has significantly dropped in recent years, according to a review of court filings conducted by The Recorder, a California business journal.

According to The Recorder, the period 2010-2012 saw a dramatic spike in cases filed against Google, Apple, or Facebook (as measured by filings in the Northern District of California naming one of the three as defendants). The peak year was 2012, with 30 cases filed against the three tech giants, followed by a dramatic drop-off in 2014 and 2015, with only five privacy cases filed between the two years naming one of the three as defendants. So what explains the sudden drop off in privacy lawsuits?

One theory, according to privacy litigators interviewed for The Recorder article, is that the decline reflects the difficulty in applying federal privacy statutes to prosecute modern methods of monetizing, collecting, or disclosing online data. Many privacy class action claims are based on statutes passed in the 1980s like the Electronic Communications Privacy Act (ECPA), the Stored Communications Act (SCA), both passed in 1986, and the Video Privacy Protection Act (VPPA), passed in 1988. These statutes were originally written to address specific privacy intrusions like government wire taps or disclosures of video rental history.

License Plate Numbers: a valuable data-point in big-data retention

Posted August 6, 2015 by Rob Ellis 0

What can you get from a license plate number?

At first glance, a person’s license plate number may not be considered that valuable a piece of information. When tied to a formal Motor Vehicle Administration (MVA) request it can yield the owner’s name, address, type of vehicle, vehicle identification number, and any lienholders associated with the vehicle. While this does reveal some sensitive information, such as a likely home address, there are generally easier ways to go about gathering that information. Furthermore, states have made efforts to protect such data, revealing owner information only to law enforcement officials or certified private investigators. The increasing use of Automated License Plate Readers (ALPRs), however, is proving to reveal a treasure trove of historical location information that is being used by law enforcement and private companies alike. Also, unlike historical MVA data, policies and regulations surrounding ALPRs are in their infancy and provide much lesser safeguards for protecting personal information.

ALPR – what is it?

Consisting of either a stationary or mobile-mounted camera, ALPRs use pattern recognition software to scan up to 1,800 license plates per minute, recording the time, date and location a particular car was encountered.

Website Policies and Terms: What You Lose if You Don’t Read Them

Posted July 15, 2015 by Roman Vayner 0

When was the last time you actually read the privacy policy or terms of use of your go-to social media website or you favorite app? If you’re a diligent internet user (like me), it might take you an average of 10 minutes to skim a privacy policy before clicking “ok” or “I agree.” But after you click “ok,” have you properly consented to all the ways in which your information may be used?

As consumers become more aware of how companies profit from the use of their personal information, the way a company discloses its data collection methods and obtains consent from its users becomes more important, both to the company and to users. Some critics even advocate voluntarily paying social media sites like Facebook in exchange for more control over how their personal information is used. In other examples, courts have scrutinized whether websites can protect themselves against claims that they misused users’ information, simply because they presented a privacy policy or terms of service to a consumer, and the user clicked “ok.”

The concept of “clickable consent” has gained more attention because of the cross-promotional nature of many leading websites and mobile apps.

Cookies For Sale? How Websites Obtain Permission to Track and Sell Online User Data

Posted February 19, 2013 by Andrew Mirsky 0

Have you ever wondered how websites get your permission to “install” a cookie on your computer, and then sell the data associated with it? The simple answer… when you accept their terms and conditions, you give them the keys to your data.

There is a marketplace in this country for technology companies, advertisers, media firms and other enterprises to purchase consumers’ cookie “identifiers” and their associated information, allowing those organizations to know where you are, and what you are doing, online. Almost always, this information is used solely for tracking website analytics, sign-in permissions and for other advertising purposes. A cookie is “placed” onto a website user’s computer through the user’s browser, typically by publishers or their third party partners. The cookie then collects information – pages that you visit, sign-in information, profile information, what you click, what purchases you make, what you read, etc. When this data is sold (if it is sold), most of this information is not personally identifiable, but some of it can be.

In this blog, the first of a few on the topic of cookies, I will briefly explain the process of how and when websites get your permission to install cookies on user’s computers, and how they use the resulting data collected.

First of all, what is a cookie? Google has a two nice working definition that we can use:

(https://support.google.com/chrome/bin/answer.py?hl=en&answer=95647&topic=14666&ctx=topic)

Please Don’t Take My Privacy (Why Would Anybody Really Want It?)

Posted October 22, 2012 by Andrew Mirsky 0

Legal issues with privacy in social media stem from the nature of social media – an inherently communicative and open medium. A cliché is that in social media there is no expectation of privacy because the very idea of privacy is inconsistent with a “social” medium. Scott McNealy from Sun Microsystems reportedly made this point with his famous aphorism of “You have zero privacy anyway. Get over it.”

But in evidence law, there’s a rule barring assumption of facts not in evidence. In social media, by analogy: Where was it proven that we cannot find privacy in a new communications medium, even one as public as the internet and social media?

Let’s go back to basic principles. Everyone talks about how privacy has to “adapt” to a new technological paradigm. I agree that technology and custom require adaptation by a legal system steeped in common law principles with foundations from the 13th century. But I do not agree that the legal system isn’t up to the task.

All you really need to do is take a wider look at the law.

Privacy writers talk about the law of appropriation in privacy. The law of appropriation varies from state to state, though it is a fairly established aspect of privacy law.

Privacy: Consent to Collecting Personal Information

Posted April 4, 2012 by Andrew Mirsky 0

Gonzalo Mon writes in Mashable that “Although various bills pending in Congress would require companies to get consent before collecting certain types of information, outside of COPPA, getting consent is not a uniformly applicable legal requirement yet. Nevertheless, there are some types of information (such as location-based data) for which getting consent may be a good idea. Moreover, it may be advisable to get consent at the point of collection when sensitive personal data is in play.”

First, what current requirements – laws, agency regulations and quasi-laws – require obtaining consent, even if not “uniformly applicable”?

1. Government Enforcement. The Federal Trade Commission’s November 2011 consent decree with Facebook user express consent to sharing of nonpublic user information that “materially exceeds” user’s privacy settings. The FTC was acting under its authority under Section 5 of the FTC Act against an “unfair and deceptive trade practice”, an authority the FTC has liberally used in enforcement actions involving not just claimed breaches of privacy policies but also data security cases involving managing of personal data without providing adequate security.

2. User Expectations Established by Actual Practice. The mobile space offers some of the most progressive (and aggressive) examples of privacy rights seemingly established by practice rather than stated policy. For example, on the PrivacyChoice blog, the CEO of PlaceIQ explained that “Apple and Android have already established user expectations about [obtaining] consent. Location-based services in the operating system provide very precise location information, but only through a user-consent framework built-in to the OS. This creates a baseline user expectation about consent for precise location targeting.” (emphasis added)

MediaTech Law

By MIRSKY & COMPANY, PLLC