While We Were Shopping, the Privacy Legal Risk Environment Shifts Again

2010. What a year for data security and privacy, and the law. Choose whatever story you want: Facebook privacy practices, Google Buzz, Wikileaks data breach,  TSA full-body scanning at the airports, FTC Do Not Track, etc. I am having trouble thinking of a week (perhaps even a day) in 2010 where there was not a big privacy or data security story reported at a major media outlet. In fact, it is difficult to come up with an issue in 2010 (except perhaps “the economy” or the healthcare debate) that became more firmly lodged in the public consciousness than privacy and data security.

However, while all the headline grabbing stories were catching the eyes of the average “American Joe,” an excellent series by the Wall Street Journal (“What They Know”; Pulitzer possibilities?) has ended up rocking the privacy legal liability landscape for 2011. While we can argue cause and effect all day long, it appears that the WSJ series has caught the eye of one important group in the American legal world: the plaintiffs' bar.

While we were all thinking about Halloween and Thanksgiving, and trying to avoid the crush of Hanukah, Christmas and New Years, several privacy lawsuits were filed against online behavioral tracking companies and some of their clients. In my view these lawsuits and the activity that arises out of them (regulatory, settlements, judgments and otherwise) will be one of the big data security and privacy stories of 2011.

These cases have the potential to change the privacy and security game in ways that are difficult to anticipate. Could they be the “tipping point” leading to new state or federal regulations? Might they result in a “break-through” case that leads to a flood of litigation? Will they impact the way companies handle personal information and do business? Will consumers think of their privacy in a different light if these suits are frequent or successful?

What follows is a very brief listing of some the key lawsuits from 2010 that InfoLawGroup is aware of and tracking.  There may be more that are not on the list (such is pace of change in this space) and if you know of others, please send them to me so I can list them here to serve as a resource for the larger privacy community.  Over the course of 2011 (and beyond) InfoLawGroup will be taking a deeper look at these cases and providing updates as they progress through motion practice, trial and settlement.

01.21.11, 02.08.11 & 03.11.11 UPDATE BELOW (Search for dates to find updates)

“Zombie” flash cookie online tracking lawsuits. A series of class action lawsuits have been filed against marketing companies (e.g. Clearspring Technologies, Inc., Quantcast Corporation, and Specific Media, Inc.) for using “flash cookies” to track website visitors as they surf the web. These flash cookies, also known as "zombie cookies," are capable of reinstalling themselves even if purposefully deleted by the user. Several brand name clients of the marketing companies were also named as defendants in the lawsuits. By the end of 2010, some of these lawsuits had settled for millions of dollars. A copy of one of the complaints can be found HERE. It alleges a series of data privacy and security violations, including violations of the CFAA, ECPA, Video Privacy Protection Act and various California laws. 02.08.11 UPDATE:  another lawsuit filed in New York. 03.11.11 UPDATE:class action filed in filed against Amazon.com in Washington. More HERE.

HTML5 mobile online tracking lawsuit. A class action lawsuit was filed against Ringleader Digital alleging privacy violations arising out of its use of HTML5’s client-side database storage capabilities to track users of mobile devices as they surfed the Internet. Similar to the flash cookie lawsuits, plaintiffs allege that the HTML5 tracking capabilities returned even if users were able to delete the HTML5 database engaged in the tracking. A copy of the complaint can be found HERE. It alleges a series of data privacy and security violations, including (among others) violations of CFAA and various California laws.

History sniffing online tracking lawsuit. In two separate lawsuits an online advertising company (Interclick) and a pornography website (YouPorn) were sued for engaging in a practice known as “history sniffing.” History sniffing involves obtaining data about a user’s web surfing by secretly accessing the web history data stored by most commonly used browsers. This browsing history data is then used to create profiles about the user’s online behavior and visits to websites across the Internet. The complaint against Interclick can be found HERE. The compliant alleges (among others) violations of the CFAA, ECPA, violations of various New York laws and trespass to chattels.

Deep packet inspection online tracking lawsuit. In December 2010 a Federal District Court in Montana refused to dismiss the CFAA claim against an ISP that had allowed an advertising company to engage in “deep packet inspection.” EPIC describes deep packet inspection in relevant part as follows:

Deep packet inspection is a computer network packet filtering technique that involves the inspection of the contents of packets as they are transmitted across the network. . . Deep Packet Inspection can be used to determine the contents of all unencrypted data transferred over a network. Since most Internet traffic is unencrypted, DPI enables Internet Service Providers to intercept virtually all of their customers' Internet activity, including web surfing data, email, and peer-to-peer downloads.

A copy of the court’s order denying in part and granting in part, the defendant’s motion to dismiss, can be found HERE.

Data aggregation and social media/application privacy lawsuits. Social media giant Facebook, social media application designers (such as Zynga), and a data broker (Rapleaf) were sued for their handling of personal information obtained from Facebook users. The plaintiffs allege that the defendants impermissibly shared the personal information of Facebook users with advertisers and marketing companies, including unique Facebook ID numbers that could be combined with other information to create user profiles. The complaint can be found HERE. It alleges (among others) violations of ECPA, the Stored Communications Act, and various California laws, and breach of contract. 03.11.11 UPDATE: class action filed against Netflix in California.

Apple iPhone/iPad Privacy Lawsuit. Apple was sued in the waning days of 2010 for allegedly allowing application makers for its popular iPad and iPhone to obtain and transmit personal information about users' activities. The complaint alleges that Apple’s iPad and iPhone are encoded with identifying devices that allow advertising networks to track applications users download, monitor their use and sell personal information of users. Also named are several application providers that allegedly provided their users’ personal information to advertisers. A copy of the compliant can be found HERE. It too alleges (among others) violations of the CFAA, ECPA and various California laws. Some believe that claims set forth in this lawsuit could impact Google in the future. 02.08.11 UPDATE:  Another class action filed against Apple in California.

01.21.11 UPDATE -- Canadian Class Action Against Google

We have identified a rare beast indeed:  a Canadian class action privacy lawsuit against Google (arising out of Google Buzz).  More HERE.  Will try to get the pleadings... stay tuned.

Conclusion

Based on the foregoing it should be apparent that there has been a significant increase in the volume of privacy lawsuits recently filed and being litigated. In addition, with significant settlements on the books (e.g. Google Buzz for $8.5 million; Facebook Beacon for $9.5 million; Quantcast for $2.4 million) it is likely that privacy-related lawsuits will become more attractive to the plaintiffs' bar.

It also should be noted that many/most of the lawsuits cited above involve online behavioral tracking. Moreover, not only are the social media companies and advertising networks being sued, “brand name” organizations are being brought into these suits if they participated in an advertising network or used a behavioral advertising services.  Based on these suits, it appears that privacy-related legal risk and liability potential is at a cross-road, and will likely increase going forward (at least in terms of litigation costs and settlements, and perhaps someday in the form of judgments and adverse case law).

Action Item.  At this stage companies that handle personal information, especially those that provide online behavioral advertising services, and those that purchase such services or participate in behavioral advertising, should consider an audit and risk assessment of their policies, processes and activities in order to reduce privacy-related legal risks. In fact, it is likely that some companies are not even aware that they are participating in online advertising networks that track users, or if they are aware they may not understand how their providers collect and use personal information. Preparation on privacy and security issues ahead of time is key in order to reduce risk and increase the likelihood of a favorable outcome should an organization find itself in a lawsuit.  Moreover, if a lawsuit arises, understanding the substantive privacy issues that it raises is crucial.  Again, we have blinked, and the privacy and security legal landscape looks very different.