Web tracking and privacy law overview
•
0 likes•595 views
How do companies track people online, how have legal challenges played out, and what's coming next? I gave this talk at University of California, Berkeley, School of Law (Boalt Hall) on April 12, 2016. Thanks to the Berkeley Center for Law and Technology, the Berkeley Technology Law Journal, and Winston & Strawn LLP for hosting.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Web tracking and privacy law overview
Similar to Web tracking and privacy law overview (20)
Recently uploaded
Recently uploaded (20)
Web tracking and privacy law overview
- 1. Web tracking and privacy law April 12, 2016 Joe Mornin joe@mornin.org
- 3. I. How tracking works II. Cases III. What's next
- 12. I. How tracking works II. Cases III. What's next
- 13. In re DoubleClick, S.D.N.Y 2001
- 16. DoubleClick l Stored Communications Act: l No unauthorized access l to stored communications l E.g., third parties can’t access l your Gmail messages
- 17. DoubleClick l Stored Communications Act: l But: l Exception for “conduct authorized . . . by l a user . . . with respect to a communication of or intended for that user”
- 18. DoubleClick Allowing third party cookies == “disclosure”?
- 19. DoubleClick What about DoubleClick storing cookies on users’ computers? Under the SCA, “electronic storage” means: “any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof . . . .”
- 21. DoubleClick DoubleClick’s cookies are permanent (ish) → Storage of cookies is not “temporary” or “intermediate” → Cookies are not in “electronic storage” within the meaning of the SCA
- 22. DoubleClick Wiretap Statute: No eavesdropping → Unless a party to the communication consents → Unless the interception is for a criminal or tortious purpose
- 23. DoubleClick Wiretap Statute holding: Sites consented; and even if DoubleClick committed a tort, its “primary motivation” was not to “injure plaintiffs tortiously.”
- 24. DoubleClick Computer Fraud and Abuse Act: Penalties for “access[ing] a computer without authorization” Losses must be > $5,000 in one year Here: small losses; “act” means access to a single user’s computer
- 25. In re Pharmatrak, 1st Cir. 2003
- 26. Pharmatrak l Pharmaceutical companies embedded Pharmatrak code in their sites l Pharmatrak then collected user data— l including personal information— l in violation of the sites' privacy policies
- 27. Pharmatrak l Wiretap Statute again: l No eavesdropping— l unless a party consents
- 28. Pharmatrak holding l Held: no consent l . . . but: must be intentional interception l On remand, held that Pharmatrak’s l interception was inadvertent
- 29. Low v. LinkedIn, N.D. Cal. 2012
- 31. LinkedIn l Stored Communications Act: l Websites can’t disclose the contents l of your communications l (cf. DoubleClick: unauthorized access l by a third party; but here: unauthorized disclosure by a second party)
- 32. LinkedIn l Stored Communications Act: l Only applies to “remote computing l services” (Dropbox) and “electronic communication services” (Gmail) l LinkedIn: not an RCS or ECS l → SCA doesn’t apply
- 33. LinkedIn l State law claims: l Privacy torts: no serious invasion here l False advertising: no evidence of reliance l Breach of contract: no ED damages in CA l Other tort claims: fail for similar reasons l . . . minimal harm; PII isn’t property; and users don’t expect compensation for their data
- 34. United States v. Google, FTC 2012
- 35. Google v1: Google Buzz
- 37. Google v1: Google Buzz l FTC brought administrative proceedings l Consent order: Google must implement l a privacy program, allow audits for 20 years, l and avoid misrepresenting how it handles private information
- 38. Google v2: Safari cookies
- 40. Google v2: Safari cookies l U.S. government: Google violated the 2011 consent order (i.e., the post-Buzz order) by misrepresenting how Safari handles cookies l Settlement: Google has to delete Safari cookies and pay a $22.5 million fine (the largest fine for violating an FTC order)
- 41. In re Facebook, N.D. Cal. 2015
- 42. Facebook facts and claims l Facebook tracks users with a persistent cookie that activates whenever a user visits a page that has a Facebook “like” button l Tort: Facebook collected and misused valuable personal information l SCA, Wiretap Statute, Cal. Invasion of Privacy Act: Facebook intercepted the contents of private communications
- 43. Facebook holding l Tort claims: even if Facebook misused the plaintiffs' information, its value to them hasn't changed; there's no harm, so no standing l SCA and Wiretap Statute: l Facebook hasn't “intercepted” the contents of communications l Cookies are not in “electronic storage,” which refers to temporary storage of electronic communications
- 44. I. How tracking works II. Cases III. What's next