On March 20, 2019, the Supreme Court deferred ruling on the settlement of a class action brought against Google. The underlying action was based on Google’s transmission of users’ search terms, i.e., “referrer headers”, to its actual clients. Class counsel argued that the transmission and storage of these referrer headers was in violation of both federal and state law given those conducting the searches never gave proper consent.
In remanding the case to address a potential lack of standing, the Court ruled “[b]ecause there remain substantial questions about whether any of the named plaintiffs has standing to sue in light of our decision in Spokeo, Inc. v. Robins, 578 U. S. ___ (2016), we vacate the judgment of the Ninth Circuit and remand for further proceedings.” This was obviously the correct ruling given a court cannot even hear a matter unless there is proper standing to sue. Given that the Supreme Court only decides matters properly on appeal and the question of standing was not put before it, the matter required a remand.
As pointed out by one of the attorneys who appealed this Google case to the Supreme Court, today’s ruling likely “simply delays the day of reckoning for this unfair practice.” Justice Thomas recognized today that there was something particularly odious about a settlement that only benefited lawyers and those third-party organizations acceptable to the Defendant. Hopefully, in the near future the full Court will reach the same conclusion and put an end to this unsavory practice of rewarding a defendant’s “non-profit partners” rather than the actual litigants.
On February 22, 2019, an amendment to the CCPA – S.B. 561, was proposed that would do away with a cure provision, expand the statutory damages provision to any violation of the law, and limit the role of the Attorney General in policing violations by directly passing along greater rights to consumers. If passed, these changes will significantly alter the reach of the law by making the plaintiff’s bar’s arsenal even wider and the law’s penalties that much stronger. Previously, the California Consumer Privacy Act – which will come online in 2020, was the first major privacy initiative to provide for statutory damages in the event of a data breach.
California’s Governor also recently said that he was “now convening a team to look into the creation of a new law requiring technology giants to kick back some of their billions in earnings in the form of a Data Dividend for Californians.” California is not waiting around for federal privacy action – it is outright looking to lead the world when it comes to the creation of statutory privacy rights.
UPDATE: April 4, 2019
On April 4, 2019, Senate Bill 753 was proposed to amend CCPA and provide for a major new exception to the law’s reach. If passed, “a business does not sell personal information” under CCPA if the following applies:
(E) (i) Pursuant to a written contract, the business shares, discloses, or otherwise communicates to another business or third party an online identifier, an Internet Protocol address, a cookie identifier, a device identifier, or any unique identifier only to the extent necessary to deliver, show, measure, or otherwise serve or audit a specific advertisement to the consumer. (ii) The contract specified in clause (i) shall prohibit the other business or third party from sharing, selling, or otherwise communicating the information except as necessary to deliver, show, measure, or otherwise serve or audit an advertisement from the business.
In effect, there would be a Google and Facebook exception to CCPA.
It remains to be seen whether this amendment proposed by State Senator Henry Stern will ever be enacted but the mere fact it was proposed is a stark reminder that those companies with the most to lose have not stopped fighting this battle – whether by way of this proposed amendment to CCPA or by way of a broad preemption quest in Congress.
UPDATE: April 24, 2019
In opposition to S.B. 753, a coalition of privacy advocates wrote: “In sum, this new exception would remove the ability of consumers to prevent the dissemination of their personal information from the website they are visiting to any third party, allowing their personal information to flow unchecked into the ad-exchange system, after which a consumer can never regain future control.”
As reported by DLA’s Jim Halpert, during the Senate Judiciary Committee Meeting of April 23, 2019, State Sen. Stern apparently bowed to the pressure and withdrew S.B. 753 from further consideration.
In addition to S.B. 561, the other amendment most likely to see success is State Assemblywoman Jacqui Irwin’s A.B. 873 – which places parameters on de-identified information and limits the present potentially unbounded scope of “personal information”. Thankfully, given the attention being placed on these issues, it is very likely that the ambiguities rushed into the statute’s initial draft will be sorted out and corrected before CCPA comes online in 2020.
UPDATE: September 16, 2019
On September 13, 2019, the California Legislature adjourned with significant amendments to the California Consumer Privacy Act firmly ready for the signature of Gov. Gavin Newsom. There were two noteworthy amendment bills that ultimately passed, AB 25 – which provides a one-year moratorium on CCPA’s application to employee, beneficiary and emergency contact information, and AB 1355. One proposed amendment was withdrawn from consideration until next session. Other changes to CCPA, including AB 1146, AB 874, and AB 1564 either do not alter in any material way the spirit or intent of the law or are redundant to changes found in AB 1355.
Three of the changes found in AB 1355 are noteworthy given in some very real ways they cut away from the meat of the law. First, by modifying the definition of “personal information” to mean “reasonably capable of being associated with” a particular consumer or household, instead of just “capable of being [so] associated”, CCPA now has a reasonableness component that gives companies a strong new argument that can be used when defending a breach claim brought in a private action. Moreover, the AB 1355 amendments clarify that deidentified and aggregate information are exempt from CCPA – in effect, giving most social media platforms their sought-after CCPA safety hatch.
And finally, the AB 1355 Amendment states that the reasonableness of charging a different price or rate or providing a different level or quality of goods or services for the use of data should be measured in relation to the value of the personal information to the business, not to the consumer as it was previously written. Given most social media platforms and data brokers actually place very low values on consumer data, this change is of obvious great significance. Overall, these and other minor changes only benefited data merchants to the detriment of consumers.
UPDATE: November 4, 2020
On November 3, 2020 – despite a significant late push by data oligarchs such as Google, the CPRA ballot initiative won by 56% of the vote. As stated by Alastair Mactaggart, Chair of Californians for Consumer Privacy and the Prop 24 sponsor: “With tonight’s historic passage of Prop 24, the California Privacy Rights Act, we are at the beginning of a journey that will profoundly shape the fabric of our society by redefining who is in control of our most personal information and putting consumers back in charge of their own data.”
Former Presidential candidate, Andrew Yang – who was the Chair of the Board of Advisors for Californians for Consumer Privacy, added: “I look forward to ushering in a new era of consumer privacy rights with passage of Prop 24, the California Privacy Rights Act. . . . It will sweep the country and I’m grateful to Californians for setting a new higher standard for how our data is treated.”
There is no denying this was a momentous vote. On the other hand, a lot can happen by the CPRA enforcement date of January 1, 2023 – including passage of a law via standard lobbying channels or a new ballot initiative launched by the data oligarchs, with either one trimming the gains made this last election cycle.
On Valentine’s Day 2019, J.P. Morgan gave a kiss to the blockchain/DLT community by announcing its JPM Coin – a branded stablecoin pegged to the dollar that will be used by its large institutional clients to settle payment transactions. Upon settlement, each coin would be burned and traded for a dollar. The ultimate benefits in the JPM Coin ecosystem will be found in the transaction speed and very low cost of execution. This is a noteworthy move given that there are obvious short term negatives to J.P. Morgan in that the launch of such an ecosystem might initially cut into some custodial profits.
Perhaps driven by the fact no bank could ever really control Bitcoin, J.P. Morgan’s CEO previously said that Bitcoin was a fraud. It is likely no coincidence that this launch only took place after Bitcoin cratered by nearly 80% of its value. Moreover, this announced future use of a “digital coin” is very much something J.P. Morgan could exert some control over – hence its name, and would not even initially be made available to J.P. Morgan’s retail clients. It is assumed that would change over time after deployment and this coin’s usage matures – retail clients may eventually be able to use JPM Coins for mobile payment transactions or in lieu of a time-consuming wire transfer.
On February 7, 2019 – in a devastating blow to global surveillance advertising, Germany’s antitrust arm, the Federal Cartel Office, ruled that Facebook’s tying of its data collection practices to usage of its services was unlawful. In the public announcement of this ruling, the FCO president Andreas Mundt said: “Facebook will no longer be allowed to force its users to agree to the practically unrestricted collection and assigning of non-Facebook data to their Facebook user accounts.”
Interestingly, the FCO ruling considers the harm derived from Facebook’s data collection practices as the user’s “loss of control” rather than any specific pecuniary harm. If affirmed, this novel antitrust ruling could be a watershed in surveillance advertising sufficient to crack the existing digital ad ecosystem and allow for new business models to finally take hold.
In its Annual Report filed on February 5, 2019, Google’s parent, Alphabet, Inc., emphasized in a more pronounced way the privacy regulatory and business headwinds it now faces. Specifically, on pages 9 and 10 of the report, Alphabet writes “as the focus on data privacy and security increases globally, we are and will continue to be subject to various and evolving laws. The costs of compliance with these laws and regulations are high and are likely to increase in the future.” It goes without saying, proper compliance will never be optional for the company given that Google’s surveillance advertising accounted for over 85% of its total revenues in 2018.
According to its 10-K, those laws and regulations that may subject Alphabet “to significant liabilities and other penalties” include:
The California Consumer Privacy Act of 2018 that comes into effect in January of 2020, and gives new data privacy rights to California residents and regulates the security of data in connection with internet connected devices.
Privacy laws, which could be interpreted broadly thereby limiting product offerings and/or increasing costs.
Alphabet also warns: “Changes to our data privacy practices, as well as changes to third-party advertising policies or practices may affect the type of ads and/or manner of advertising that we are able to provide which could have an adverse effect on our business.” As pointed out by Bloomberg, this wording is not merely reused boilerplate but represents new language.
Even though the duopoly of Google and Facebook is not going away anytime soon, Alphabet’s latest filing is an acknowledgement that upcoming regulatory and market changes may limit how these companies do business. In other words, the free rein they have had for so many years may finally be coming to an end.
In the coming months, a divided Congress will likely begin a bipartisan effort to address one of the few bipartisan topics out there – data privacy rights. This effort may succeed if for no other reason than that next year launches California’s new data privacy regime and companies are feverishly lobbying behind the scenes to preempt this Consent Armageddon from materializing. In other words, there may soon be a “Data Property Day” coming into focus – the date when privacy rights that were born out of early constitutional and statutory underpinnings first became a basic property right.
That’s why we believe the Federal Trade Commission should establish a data-broker clearinghouse, requiring all data brokers to register, enabling consumers to track the transactions that have bundled and sold their data from place to place, and giving users the power to delete their data on demand, freely, easily and online, once and for all.
It is not difficult to cynically consider Apple’s new lobbying campaign simply an attempt at undercutting Samsung and Google – especially given Apple itself will always remain a very integral part of the digital ad ecosystem. In the near term, Apple faces little economic risk with its privacy-friendly posturing – only a potential increasing of its already lofty brand equity. Given that Apple is not technically a “data broker” the significant added costs to data brokers created by its advocacy will certainly not be absorbed by Apple.
No matter what its motivation, Apple’s new perspective may one day give consumers a bird’s eye view of exactly how valuable their personal data is to companies lacking any direct relationship with them. And, after that recognition, it may finally be time for consumers to get paid for their valuable data.
According to Guidance provided earlier this month by the Attorney General’s Office, the type of consumer information subject to this new law includes: “People with incomes over $100,000,” “People who like to play billiards,” or “People preparing for a wedding.”
In addition to an annual registration, data brokers must also maintain certain protective measures involving those administrative, technical and physical safeguards appropriate for the scope and size of the business or face a potential unfair or deceptive practice claim under the state’s consumer protection law.
The statutory civil penalties of this new law are actually quite limited given that a data broker required to register who fails to do so will be subject to a penalty of $50 for each day it fails to register, beginning February 1, 2019, up to a maximum of $10,000 per year. The real bite is found in the potential civil action that may be brought under Vermont’s Consumer Protection Law, namely potential treble damages and reasonable attorneys’ fees. By linking privacy violations with an established consumer protection law, the Vermont statute nicely meshes existing law – and related interpretative rulings, into an effective privacy battle axe.
While Vermont may never become a real challenger to California when it comes to privacy laws or regulations, this new law could have a ripple effect with other states eventually providing similar protections. And, given the call for a federal privacy law to harmonize patchwork state laws, the statute can also very easily be a model for certain provisions in a new federal omnibus privacy law. Combined with other laws that will be vigorously enforced regarding consumer consent, the coming year is shaping up as a strong one for consumer privacy rights.
In a December 18, 2018 bombshell expose, the New York Times admits it as well as more than 150 companies — “most of them tech businesses, including online retailers and entertainment sites, but also automakers and media organizations”, received special access to Facebook user and friend information. For example, Microsoft was granted access to user names, Yahoo was able to view posts, Amazon could obtain contact information, and Netflix could even read, write and delete Facebook private messages as well as see all users on a particular thread. Today, these companies either deny the claims outright, claim they were not kept in the loop as to their access capabilities, or simply suggest that such practices terminated.
Facebook today posted a blog post to “clear up” what is set forth in the article. According to Facebook, most of the features that gave rise to such usage “are now gone”:
We shut down instant personalization, which powered Bing’s features, in 2014 and we wound down our partnerships with device and platform companies months ago, following an announcement in April. Still, we recognize that we’ve needed tighter management over how partners and developers can access information using our APIs. We’re already in the process of reviewing all our APIs and the partners who can access them.
Netflix told the Times it was “unaware of the broad powers Facebook had granted.” It further said: “At no time did we access people’s private messages on Facebook, or ask for the ability to do so.” A Microsoft spokesperson told CNBC in a statement: “Throughout our engagement with Facebook, we respected all user preferences.” In another statement to CNBC, Amazon said: “We only use information in accordance with our privacy policy.” Indeed, in the New York Times article, there is this self-reference: “The Times — one of nine media companies named in the documents — had access to users’ friend lists for an article-sharing application it also had discontinued in 2011. A spokeswoman for the news organization said it was not obtaining any data.”
Pushing aside the pristine parsing of words now being used, the fact remains Facebook users were never explicitly made aware of this massive exchange of consumer data between Facebook and its partners.
Not far different from this latest Facebook entanglement, Vanderbilt University computer science professor Douglas C. Schmidt, in a study released in August 2018, found that: “A major part of Google’s data collection occurs while a user is not directly engaged with any of its products. And while such information is typically collected without identifying a unique user, Google distinctively possesses the ability to utilize data collected from other sources to de-anonymize such a collection.” Indeed, Android mobile devices send 10 times more data to Google than iPhones.
On August 13, 2018, the AP Newswire released an expose on Google’s geo-data collection practices – but only after retaining Princeton researchers to confirm exactly how Google was able to gather this data. Stemming from this usage of consumer information, there is a newly consolidated Google class action suit. Not surprisingly, Google is defending by claiming its data collection could be stopped by changing certain settings – users would simply need to turn off “web and app activity” settings that would, in effect, disrupt full usage of many of their apps.
With 2019 coming closer into view, it becomes clear that many companies using and maintaining consumer data will likely continue into the New Year with their existing practices given they do not really care about compliance risk – nor do users apparently really care about privacy risk. Until such time as the compliance and privacy risks are superseded by even greater risks – or overtaken by demonstrated economic benefits to both users and owners of data, it seems likely this status quo will remain intact in the coming year.
The first new business that can address this current apathy by creating tangible and easily understood economic benefits for all participants might very well succeed in modifying an entire ecosystem. The motivation for launching such an enterprise is readily apparent. As recognized in the Times article: “Personal data is the oil of the 21st century, a resource worth billions to those who can most effectively extract and refine it.”
On November 19, 2018, the UK’s Register reported how even though the Washington Post was in technical violation of the GDPR, the UK’s privacy enforcement arm, the Information Commissioner’s Office, admitted in private emails that it was not likely going to seek extra-jurisdictionally any potential penalties.
According to the Register, the Washington Post’s online subscription options offer readers a free option (for a limited number of articles); a $6 a month option (for unlimited articles); and a $9 a month option that allows users to switch off tracking and cookies. With the free and $6 a month options, readers, however, must consent to the use of cookies, tracking and ads.
Acting on a complaint apparently ginned up by the Register, a Case Manager from the UK ICO reviewed these policies and purportedly decided they were in violation of applicable privacy law. (“I am of the view that the Washington Post has not complied with their Data Protection obligations. This is because they have not given users a genuine choice and control over how their data is used.”).
Pushing aside the fact the pricing model set forth in the article may be stale – the current pricing is apparently set at a higher rate, and the fact EU residents can apparently opt out of the WaPo’s terms that may be in violation of GDPR, the article still brings home a very important point, namely that consent cannot truly be “freely given” when it is given only in response to a threatened change in pricing.
By way of background, Article 7 (4) of the EU’s GDPR states: “When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.” By charging a different price for the same services based solely on whether consent is given, there is certainly a technical violation of GDPR.
Moreover, under the recently enacted Section 1798.103 (“Right to Equal Service and Price”) of the California Consumer Privacy Act, this alleged violation is made even more stark: “A business shall be prohibited from discriminating against a consumer because the consumer requested information pursuant to sections 1798.100 or 1798.101, or because the consumer directed the business not to sell the consumer’s personal information pursuant to section 1798.102, or because the consumer exercised the consumer’s rights to enforce this Act, including but not limited to, by: (a) denying goods or services to the consumer; (b) charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties. . . .”
Whether by way of GDPR or CCPA – or other laws still not enacted, companies will eventually be tested on the adequacy of “freely given” consents. And, the extra-jurisdictional limitations of GDPR will certainly not curtail US enforcement under an even more direct CCPA. In other words, despite what others may suggest, marketers and others embedded in the digital ad ecosystem should likely get their consent proofs in order – especially as “big brands continue to redirect their ad spend and adapt their advertising practices to the GDPR.”
Between the recent 60 Minutes GDPR feature with Max Schrems – an educational piece that can only further draw consumer ire, and the actual four Complaints filed by Schrems that will likely resolve these issues, a Consent Armageddon is headed our way beginning in 2020 – the year CCPA also comes online and GDPR enforcement efforts will be more fully staffed. More importantly, with the proper mechanisms in place, sometime after 2020, data subjects will finally have the power to fully exert ownership and controlled use of their own data – a property class that should be treated no differently than gold or silver.