How do companies track people online, how have legal challenges played out, and what's coming next?
I gave this talk at University of California, Berkeley, School of Law (Boalt Hall) on April 12, 2016. Thanks to the Berkeley Center for Law and Technology, the Berkeley Technology Law Journal, and Winston & Strawn LLP for hosting.
19. DoubleClick
What about DoubleClick storing
cookies on users’ computers?
Under the SCA, “electronic storage” means:
“any temporary, intermediate storage of
a wire or electronic communication incidental
to the electronic transmission thereof . . . .”
20.
21. DoubleClick
DoubleClick’s cookies are permanent (ish)
→ Storage of cookies is not “temporary” or
“intermediate”
→ Cookies are not in “electronic storage” within
the meaning of the SCA
24. DoubleClick
Computer Fraud and Abuse Act:
Penalties for “access[ing] a computer without
authorization”
Losses must be > $5,000 in one year
Here: small losses; “act” means
access to a single user’s computer
28. Pharmatrak holding
l
Held: no consent
l
. . . but: must be intentional interception
l
On remand, held that Pharmatrak’s
l
interception was inadvertent
31. LinkedIn
l
Stored Communications Act:
l
Websites can’t disclose the contents
l
of your communications
l
(cf. DoubleClick: unauthorized access
l
by a third party; but here: unauthorized
disclosure by a second party)
32. LinkedIn
l
Stored Communications Act:
l
Only applies to “remote computing
l
services” (Dropbox) and “electronic
communication services” (Gmail)
l
LinkedIn: not an RCS or ECS
l
→ SCA doesn’t apply
33. LinkedIn
l
State law claims:
l
Privacy torts: no serious invasion here
l
False advertising: no evidence of reliance
l
Breach of contract: no ED damages in CA
l
Other tort claims: fail for similar reasons
l
. . . minimal harm; PII isn’t property; and users
don’t expect compensation for their data
37. Google v1: Google Buzz
l
FTC brought administrative proceedings
l
Consent order: Google must implement
l
a privacy program, allow audits for 20 years,
l
and avoid misrepresenting how it handles
private information
40. Google v2: Safari cookies
l
U.S. government: Google violated the 2011
consent order (i.e., the post-Buzz order) by
misrepresenting how Safari handles cookies
l
Settlement: Google has to delete Safari cookies
and pay a $22.5 million fine (the largest fine for
violating an FTC order)
42. Facebook facts and claims
l
Facebook tracks users with a persistent cookie
that activates whenever a user visits a page that
has a Facebook “like” button
l
Tort: Facebook collected and misused valuable
personal information
l
SCA, Wiretap Statute, Cal. Invasion of Privacy
Act: Facebook intercepted the contents of
private communications
43. Facebook holding
l
Tort claims: even if Facebook misused the
plaintiffs' information, its value to them hasn't
changed; there's no harm, so no standing
l
SCA and Wiretap Statute:
l Facebook hasn't “intercepted” the contents of
communications
l Cookies are not in “electronic storage,” which refers to
temporary storage of electronic communications