Blog

April 9th, 2015

Court finds Hulu did not “knowingly” disclose PII in violation of VPPA, grants summary judgment[i]

 By: Mariana Cunha e Melo

1. The case

One of the seminal cases on the interpretation of the Video Privacy Protection Act (VPPA) has just come to an end: the In Re Hulu Privacy Litigation. The Northern District Court of California dismissed the case with prejudice on March 31, 2015 on the grounds that Hulu did not “knowingly” disclose plaintiff’s information to third parties.

The case was brought by Hulu’s viewers under the VPPA provision that prohibits any person in the business of providing prerecorded audio visual materials from “knowingly” disclosing “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider”. Plaintiffs alleged unlawful disclosures of data to two companies: the metrics company comScore and the social media company Facebook.

 

2. Background

On April 28, 2014, the Court dismissed most of the claims based on the finding that the information disclosed to comScore were not “personally identifiable information” in the meaning of the statute. In re Hulu Privacy Litig., 2014 WL 1724344, *12 (N.D. Cal., 2014). The opinion reasoned that sharing unique anonymous identifiers do not violate the VPPA when the context surrounding such disclosure does not reverse this anonymity. 2014 WL 1724344, *11 (N.D. Cal., 2014). And concluded that no evidence suggested the link between users’ identities and their video habits was found in the disclosures to comScore.

As to the alleged unlawful data sharing with Facebook, the Court concluded that the context in which Lulu disclosed users’ data could make more obvious the link between the users’ identity and video views. Hulu’s conduct regarding Facebook consisted in inserting a “Like” button on its watch pages. The Court found that it could cause cookies to be sent to Facebook if a Hulu user happened to have recently logged into Facebook under specific settings. These cookies would reveal the Facebook ID of the visitor of a particular watch page, along with other information that Facebook could link to a specific individual. The opinion then narrowed the remaining issue as to whether Hulu made a “knowingly” disclosure to Facebook, that is, whether the company knew it was transmitting video watching information along with personal identifying information.

The Court then held there was not enough evidence to sustain a summary judgment for the defendant and denied its motion. On August 29, 2014, Hulu filed a new summary judgment motion.

 

3. Latest developments of the case

On March 31, the Court granted the defendant’s motion on the grounds that Hulu did not have “actual knowledge” that the cookies it sent to Facebook contained the users’ Facebook ID or that Facebook would aggregate the information it received separately. The Court found that the occurrence of automatic data sharing and the fact that Facebook tied users’ identity and video views did not implicate Hulu had actual knowledge of what would was happening. Finally, the Court held that the evidence showed Hulu in fact did not have knowledge of the operation of the cookie associated with the Facebook “Like” button. And that Hulu employee’s general knowledge that data sets may me aggregated to identify users did not change the case, since all employee’s communications referred to other functionalities rather than the “Like” button.

 

4. Thoughts on the aftermath

The report on the case indicates that the Court adopted “actual knowledge” as a standard of liability demanding a very high level of fault in identifying individual users to particular video habits. After all, the Court found no liability in the fact that Hulu inserted on its website a functionality that it did not know what consequences could bring to its users’ privacy.

The Court’s ruling in In re Hulu reflects a clear position in favor of innovative data sharing among different services. Considering the importance the April 28, 2014 ruling has gained in the caselaw (see, e.g, the Cartoon Network case), this final decision is also expected to be very influential to future cases interpreting the application of VPPA to new technologies.

[i] By Dominique R. Shelton, Derin B. Dickerson, Elizabeth Broadway Brown and Michael J. Barry, Apr. 03, 2015. Available at: http://www.lexology.com/library/detail.aspx?g=ae277a8c-3a4d-4e79-941d-e60171a6d576.

April 9th, 2015

LinkedIn not linked to First Amendment

By: Diwaagar Radhakrishnan Sitaraman

 https://cases.justia.com/federal/district-courts/california/candce/5:2013cv04303/270092/47/0.pdf?ts=1402647762

This blog is a discussion on the decision of the US District Court for the Northern District of California in the case of Perkins v. LinkedIn Corp. [2014 U.S. Dist. LEXIS 160381].

Facts:

LinkedIn is a famous social networking website. This is dedicated for professional networking and has over 200 million users. The members maintain a profile similar to their resume and connect with other users by creating “connections”. LinkedIn earns revenue through three types of services viz. “Talent Solutions”, “Marketing Solutions” and “Premium Subscriptions”. The revenue of LinkedIn is directly proportional to the number of its users.

The plaintiffs are nine professional and claim to be representing class of LinkedIn users. They allege that LinkedIn collects email-ids of its users’ contacts from their email address during the sign-up process and through “Add connection” feature. It sends an initial invite message to all these contacts to join LinkedIn and also sends reminders at later point in time. These reminder emails are sent without plaintiff’s knowledge or consent. The plaintiff filed complaint before the court alleging: 1. Violation of California’s common law right of publicity; 2. Violation of California’s statutory right of privacy; 3. Violation of California’s UCL. The only basis for federal court’s jurisdiction in this case is the Class Action Fairness Act § 1332 (d). The defendants moved for dismissal of the complaint and this decision was on the same.

Decision:

There were several points raised by the defendants in support of their motion to dismiss. This blog will discuss and analyze only the First Amendment defense of the defendants.

The defendants raised several arguments that stem from First Amendment. Firstly, it argued that the emails were to “facilitate associations among people and therefore concerns matter of public interest” and they are non-commercial speech falling under the First Amendment protection. The reminder emails were not solely for the purpose of advertising so they cannot be commercial speech for the First Amendment purpose. The court rejected this argument relying on the Bolger’s test (Bolger v. Youngs Drug Products., 463 U.S. 60, 66, 103), wherein it was held that pamphlets containing discussions important of public issues were commercial speeches. The LinkedIn court held that the defendant’s reminder emails were sent for advertisements, promoting their service and had economic motivations. It concluded that the Bolger’s three prong test is satisfied. Hence, the reminder emails are commercial speeches.

The plaintiffs also alleged in their complaint that the emails were misleading and does not deserve the First Amendment protection. The emails sent by LinkedIn appeared to have been endorsed by the plaintiffs. This caused reputational damage to them as they have to apologize to several users for spamming them with several emails. The court relied again on Bolger and held that these emails were misleading and First Amendment does not come to rescue of the defendants.

The next argument of the defendants was that the reminder emails were protected by First Amendment as they are “incidental” or “adjunct” to the connection invitation which are protected by First Amendment. They also claimed that reminder emails promote rights of free speech and association. They relied on Page v. Something Weird Video (960 F. Supp. 1438, 1443-44 (C.D. Cal. 1996)) among others. The Court distinguished this case by stating that the defendant in Page used a video of an actress who acted in the video and the same videos were protected by the First Amendment. But, in the current case there is no underlying work that is protected by First Amendment to which the reminder emails would be “incidental” or “adjunct” to. Hence, this argument fails.

The court partially allowed the motion to dismiss with the right to amend the complaint.

Analysis:

The defendant in this case relied on First Amendment protection among others. The court relied on Bolger’s test to hold the defendant’s reminder emails were commercial speeches. Main advantage for the plaintiff was that these two cases have a similar facts. In Bolger’s case the medical informational pamphlets were held to be commercial speech as they were 1. Advertisements; 2. Promoting their product; 3. Had economic motivations. The reminder emails could be compared to that of advertising pamphlets in Bolger. The revenue model of LinkedIn depends on its number of users. Its reason to promote the website is directly linked to the revenue interests. Thus, the court was right in concluding that these reminder emails were commercial speeches because they were advertisements with economic motive. The court was also right in holding that the statements were misleading. All of us get several spams emails or unwanted emails. We reject or delete these emails as they come from an unknown sender. But, those which refer to any of our contacts shall have a different consideration. We may consider them seriously and may also subscribe to them. LinkedIn used this to its advantage and sent emails making its reminder emails appear to have been endorsed by their users who were friends with the targets of these emails. This is definitely added to the reputational damage of the LinkedIn users. It also misled the targets. Hence, the court was right is holding that these were misleading. Applying Central Hudson test where the US Supreme Court, First Amendment does not cover the misleading commercial speech. The defendants lost the First Amendment protection. I am in total agreement with the court’s decision.

 

 

 

 

 

April 9th, 2015

Court blocks VPPA class action: Problems with VPPA definitions of “consumer” and “provider”

By: Amanda Gayer

With widespread concerns emerging about privacy on the internet, many people have become increasingly cautious about which online services they sign up for, what information they provide to theses services, and what the service’s privacy policy says. Subscribers of online video providers, fortunately, receive some protection from the Video Privacy Protection Act (VPPA), which prohibits video services from disclosing most personal information (other than a customer’s name and address) without the customer’s consent.

But, online video viewers shouldn’t breathe a sigh of relief just yet. On Tuesday April 7^th, a New York federal district judge rejected a class action lawsuit under the VPPA because the plaintiff class was not covered by the statute. The named plaintiff, Ethel Austin-Spearman, alleges that when she watched “The Walking Dead” on AMC television network’s online streaming service, AMC collected her personal information and provided it to Facebook without her consent.

Because of the language of the VPPA, only “consumers” are protected. Under the statute, a consumer is defined as “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” 18 USCS §2710(a)(1). Ms. Austin-Spearman argued that “consumer” should be interpreted to include anyone who does more than simply visit a website – including viewing a streamed online video.

However, Judge Buchwald rejected this argument and blocked the class action suit. According to her, the plaintiff’s interpretation of “consumer” is too broad. The word implies a relationship greater than unregistered use of the site’s streaming services. This means that anyone who has not signed up for or paid for a video service is not protected by the VPPA. This outcome seems to be consistent with a recent California case against Hulu, another online video provider. In that case, the plaintiff’s success turned in part on the subscription relationship between the plaintiff and Hulu.

Although the judge dismissed the complaint, she gave the plaintiff leave to amend the complaint to include a fact that she had failed to include – that she had provided AMC with personal information when she registered for the company’s Walking Dead newsletter. Judge Buchwald expressed skepticism that this would alter the outcome. Should it?

Under the VPPA, a consumer is “any renter, purchaser, or subscriber of goods or services from a video tape service provider.” If the plaintiff provided personal information by registering for a service (the newsletter) from the provider (AMC), then based on a literal reading of the statute, the plaintiff should be covered.

However, the Judge’s reluctance to acknowledge the validity of such a claim may stem from the fact that the newsletter and the video streaming are two separate services. Although they are services from the same provider, the Judge seems to be reading the statute to mean that the information must be given in relation to the specific service in question – not just any service provided by the provider.

Should the VPPA be read literally, or should it be read to consider AMC’s video streaming and AMC’s newsletter as two distinct providers?

It seems that online consumers, when providing information to a company, assume that that information will be used by the company as a whole, not used by a distinct subdivision (like the newsletter). If consumers understand that they are providing the company as a whole with information, perhaps that information should be protected regardless of which service it was provided for. This reading is supported by a literal reading of the test, and would provide protection that consumers reasonably expect based on the structure of a website like AMC’s.

Despite the judge’s skepticism and the plaintiff’s procedural blunders, this point remains to be argued and decided. Stay tuned.

Full article available at (may need to register to view article):

http://www.law360.com/newyork/articles/640338/amc-viewer-not-covered-by-video-privacy-law-judge-rules

 

April 3rd, 2015

Verizon’s Mobile ‘Supercookies’ Seen as Threat to Privacy[1]

By: Christian Díaz Ordóñez

The issue of advertisement campaigns targeted at specific sectors of the consumer base will remain a controversial issue. Despite growing regulation and stronger position from governmental and judicial entities around the world, technology seems to be winning the battle in the struggle to obtain more information in a cheaper, faster, and more complete manner.

In the article above quoted, the authors discuss the need of stronger regulation for internet services. Perhaps this regulatory approach needs to be complemented by having better enforcement mechanisms targeted at each of the participants in the internet (i.e. not exclusively to companies as Google, but also to service providers), especially aimed at protecting privacy rights of all its users.

The article highlights a most troubling reality, as users are witnessing how their privacy rights are diminishing, and their alternatives to protect themselves only keep reducing. Users may no longer be “safe” by eliminating cookies from their browsers, but now they have to face the fact that there are super-cookies that simply cannot be eliminated. Big Brother 2.0.

Internet providers are getting an economic benefit by selling its users’ searching history, tendencies and information about their activities. Even if the question of privacy was left aside, from a strictly legal perspective, these companies are getting income with no consideration from their counterparties. The situation is challenging, to say the least, from every single legal perspective.

Even more troubling is the fact that Internet providers are also subject to hackers and other attack sources, thus leaving users’ information at high risk of being accessed by unscrupulous third parties. In addition, history has proven that these services providers are very prone to providing information to governmental entities without major questioning.

As a matter of principle, one must assume that governmental requests are made in pursuit of the greater good of security, and that government officials will refrain from incurring in the excessive use of power. Even if this was not the case, then the judicial “system” must be so thoroughly aligned so as to prevent, punish and deter the occurrence of such breaches.

Certainly, individual citizens may be afraid of an ever-intruding service providing entities, which may just store information of individuals for no apparently legal (or even ethical?) reasons. That fear has motivated revolutions and different constitutional and judicial changes that strive to protect one’s privacy. Individuals may fear that they may be discriminated against for race, sex, religion, political convictions, or otherwise, once the government has enough information to do so.

Nevertheless, this fear should, ideally, be non-existent in a well-functioning democracy. This fear should be non-existent in a democracy where institutions prevail over temporary shocks or crisis situations. This fear should be non-existent in a democracy where powers are properly balanced. The inherent worry still remains open and ever present.

 

[1] By NATASHA SINGER and BRIAN X. CHENJAN. 25, 2015. Available online at: http://www.nytimes.com/2015/01/26/technology/verizons-mobile-supercookies-seen-as-threat-to-privacy.html?_r=0

April 3rd, 2015

‘Eavesdropping’ WiFi Barbie is Seriously Creepy

By: Andrea Carlon

This fall, Mattel is expected to launch ‘Hello Barbie’, a doll that incorporates a voice-recognition technology, which captures the child’s speech. The recorded data is transferred via WiFi to TalkToy´s (company that has developed the technology) cloud servers. As a result of the processing and analysis of the data, over time, the ‘talking Barbie’ will be capable of learning information about the child and will be able to reproduce such information.

Internet-connected toys hold out the tantalizing promise of personalized services and also, the risk of privacy perils. First and foremost, the data which is being collected, pertains to minors. Even though, according to TalkToy, parental consent shall be required to activate the voice recognition feature, it remains controversial to what extent are parents protecting the minor’s privacy when allowing a company to record them and hand in all the information

Second, concerns as to what sort of information is exactly being collected are unclear. For instance, will the companies be able to track the location of children? Furthermore, neither Mattel nor TalkToy have disclosed what the privacy policy provisions will include. Also, in terms of the purpose of the data, will Mattel be allowed to share this data with third party advertisers? Given the company’s deteriorated economic situation, is there a heightened risk of them selling the data?

Third, advocates for privacy have expressed their unrest to the launching of this product. For instance, the CCFC (Campaign for a Commercial-Free Childhood) has questioned the use and purposes of the data collected. Furthermore, Professor Campbell from Georgetown University, Center on Privacy and Technology, has raised the issue as to the value for marketers of the information of what a child can say to their toys, and the potential unfairness towards children.

Fourth, the privacy issues this article contemplates should be contextualized within the recent and rising phenomenon of the Internet Of Things (IOT), making every day objects into technological devices connected to internet and transmitting data continuously can be concerning in many ways.

While it seems that many questions remain unresolved today, the Hello Barbie is expected to be available to consumers by the end of this year. We will have to wait to see how courts deal with privacy concerns derived from IOT, which surely and probably in a short period of time will arise.

Links to articles:

• Privacy advocates try to keep ‘creepy,’ ‘eavesdropping’ Hello Barbie from hitting shelves: http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/11/privacy-advocates-try-to-keep-creepy-eavesdropping-hello-barbie-from-hitting-shelves/
• Campaign for a Commercial-Free Childhood: http://commercialfreechildhood.org/action/shut-down-hello-barbie

 

April 3rd, 2015

Facebook (again) struggles with Privacy

By: Fernanda Echavarría

http://www.wsj.com/articles/facebook-confronts-european-probes-1427975994

http://www.technewstoday.com/22579-facebook-probed-in-europe-over-privacy-issues/

http://www.cnet.com/news/facebook-privacy-probes-ramp-up-in-europe/

http://www.chicagotribune.com/news/local/breaking/ct-facebook-facial-recognition-lawsuit-met-story.html

Privacy regulators from Spain, France and Italy have recently joined Dutch, Germany and Belgium authorities in the investigations of Facebook privacy practices. In particular, the group of European regulators would be investigating the use of the worldwide famous “Like” feature to track user’s habits, as well as the collection techniques and aggregation of data for the purposes of targeted advertisement.

Facebook is not the only U.S. located company under examination by European authorities (see Google, Apple and Amazon). The differences between U.S. and E.U. Privacy Law have created an increasing tension that is screaming for legislative harmonization action. Previous attempts in this regard, such as the Safe Harbor Agreement, have proven not enough in the data protection current state of affairs. Notwithstanding how difficult it may seem to achieve, an organized set of rules promoting proper balance between privacy rights and development of new businesses in the U.S. and Europe, should be a primary concern of the authorities at both sides of the Atlantic. Countries outside Europe and the U.S. usually follow one or the other approach, so the lack of a uniformed legislation will have effects all around the world.

As for the current investigation, and notwithstanding Facebook’s allegation of lack of jurisdiction from the group of European privacy regulators, we will have to see if Facebook will wait for an official resolution of such group or, as we have seen in previous occasions, e.g. Belgium investigations and introduction by Facebook of the timeline feature, if it will attempt to avoid possible fines by adapting its practices to comply with the concerns of the European watchdogs.

But European privacy issues are not the only privacy related problems faced by the social network company. This week a man sued Facebook in the U.S. claiming that the facial recognition system used to tag persons in photos would be illegal under Illinois Privacy Law. Considering the allegations, the problem appears to be that there is no option to delete the information collected by Facebook when a person is tagged to a photo. Even if the person is no longer tagged, after the user takes the relevant steps in that sense on its privacy settings, Facebook still has that data and the user cannot erase it.

The multiple uses and features and the constant development of Facebook, and social media in general, will continue to raise privacy issues as the ones mentioned here. It is to be expected that the relevant authorities will face these new challenges on time and properly balancing all interest at play.

 

 

 

April 2nd, 2015

Robert Durst case; is there a privacy concern on his alleged confession?

By: Tomás Kubick

Panel 4

Robert Durst, a real state businessman and millionaire, is being charged with the murder of his friend Susan Berman. Those facts alone do not have special signification for privacy law. The twist on this case is that as the press has stated one key clue that led to Durst’s detention is an audio recording on which he allegedly confesses the murder. There may be a privacy concern of how that record.

HBO was filming the documentary “The Jinx: The life and Deaths of Robert Dusts” which investigated Durst’s life and his relation with three murders, included Susan Berman’s. On one interviewed conducted to prepare the documentary, Durst was faced with evidence that supposedly incriminated him, evidence that he denied. Shortly after, he went to the bathroom and on solitude he stated, “What the hell did I do? Killed them all, of course”.

Durst’s lawyers have announced that he will declare himself innocent and surely will try to exclude HBO’s recording from trial. One strategy to do so could involve raising privacy concerns issues. Defendant could argue a breach of his fourth amendments rights. To do so, they should characterize the recording as a search and somehow link it with a governmental investigation regarding with this case, which is unlikely to happen.

Notwithstanding, defense can argue that the recording breaches The Wiretap Act (18 U.S.C. §§ 2510-2522). In case that the recording was obtained with breach to the act, there is an exclusionary rule. The Wiretap Act does not apply if one of the parties of the communications consented. Under this premise defendant will try to argue that he consented to be recorded on the set but not outside of it, even though he agreed that any record of him could be used as HBO deemed reasonable. This issue will be the key issue because if it is found that his consent was just for “on stage”. If this is believed this way, it may be sustained that every person has a reasonable expectation of privacy if he is alone in a bathroom.

On the other side, it may be hard to argue that a person voluntarily wearing a microphone did not gave consent to be recorded. Even in such situation The Wiretap Act may not apply. For a communication to be deemed oral, the person involved on it must “[exhibit] an expectation that such communication is not subject to interception”. It can be sustained that a person wearing a microphone does not exhibit such expectancy.

As exposed, there are serious privacy law question on Mr. Durst’s case with arguments balancing on each side of the dispute. It will be the task of courts to answer them and to continue shaping the reaches of this topic on criminal procedures.

 

March 27th, 2015

Wyndham and the Unfairness Jurisdiction

By: Ajitha Pichaipillai

Panel 5

I would like to write to few paragraphs regarding the Article, “An Era of Rapid Change: The Abdication of Cash & the FTC’s Unfairness Authority”, 14 PGH. J. Tech. L. & Pol’y 351. This Article discusses about the ‘unfairness’ jurisdiction of FTC in the data-privacy enforcement context. It provides a good summary of the Wyndham case, in which the Wyndham hotel group challenged the FTC’s authority to regulate data-security breaches.

Interestingly, Wyndham’s challenge of the FTC’s unfairness authority is three pronged: (i) the FTC lacks authority to pursue unfair practices related to data security, (ii) the unfairness actions related to data security require rulemaking, and (iii) the injury resulting from these payment card breaches is insufficient to support a claim. The second pronged argument on the requirement of rule making seems highly persuasive. Wyndham argues that any authority of FTC to regulate data security would require establishment through administrative rulemaking. It also suggests that the data security standards mandated by FTC, ex post, through selective enforcement actions and imposition of such standards on Wyndham could raise “serious constitutional questions of fair notice and due process”.

Even though, the motion to dismiss filed by Wyndham against the FTC’s compliant was dismissed by the district court, the questions certified by it for appeal may turn out to be determinative of FTC’s ‘unfairness jurisdiction’ in the data -security and data-privacy enforcement context. The questions, on which the Third Circuit is currently hearing the appeal, are: (i) Whether the Federal Trade Commission can bring an unfairness claim involving data security under Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a); and (2) Whether the Federal Trade Commission must formally promulgate regulations before bringing its unfairness claim under Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45(a).

The oral arguments of the Wyndham’s appeal dated March, 3, 2015 (available at https://epic.org/amicus/ftc/wyndham/#interest), features interesting discussion on the origin and legislative reports of Section 45 (n) of the FTC Act and how far a negligent practice could be regarded as a ‘unfair practice’. Judges asks the FTC’s counsel to substantiate on the ‘adequacy of notice’ with respect to the standards purported to be imposed on Wyndham. The Judges also takes note of the FTC’s sparing use of its powers under Section 45(n) (according to the counsel, FTC’s has exercised its unfairness jurisdiction under Section 45 (n), in relation to data security breaches, only five times).

As EPIC notes, the decision of this appeal could have significant impact on FTC’s authority to regulate data security breaches and consumer’s privacy rights enforcement.

 

March 26, 2015

 TV Ads Delivered via Google Fiber:

Mad Men’s Dreams Come True at the Cost of Viewers’ Privacy?

By: Erin L. Bansal

http://www.wired.com/2015/03/google-fiber-ads/

http://www.adweek.com/news/television/google-fiber-may-have-created-game-changer-real-measurement-tv-ad-views-163604

 http://bits.blogs.nytimes.com/2015/03/23/google-plans-experiment-with-targeted-ads-for-television/

Google recently announced the trial of a new service in the Kansas City metro area through its Google Fiber Internet and television service that will allow it to personalize ads based on a viewer’s locality and viewing habits. This capability is “dynamic ad insertion” in marketing parlance. AdWeek described this capability more dramatically –as “advertising’s Holy Grail.” Likewise, The New York Times described Google’s service as a potential “sea change” in TV advertising. But while Madison Avenue and its Mad Men may embrace Google’s new service, what does it mean for the viewers watching television in the privacy of their own homes?

In simple terms, Google’s service will give it the ability to deliver more tailored ads and then to accurately monitor the viewing of those ads. Google will be able to insert an ad whenever it is timely, and they relay that viewing back to the marketer. As Google reported, the fiber TV ads will be “digitally delivered in real time and can be matched based on geography, the type of program being shown (sports, news, etc.), or viewing history.” Google can tailor the fiber TV ads to both live TV and DVRed programs. In addition, Google can give marketers a more accurate idea of how many people are watching an ad. Unlike Nielsen’s rating system that is based on old school sampling, each TV with Google’s service will report back to marketers.

For TV viewers, this new service raises some old concerns. While some have suggested that this service is no different than Google tracking a user’s browser history in the online world, the thought that Google can now monitor what shows a viewer is watching raises concerns. Wired remarked that this is “yet another way for Google to collect even more data about you.” It further noted that Americans are “not used to the idea that the shows we watch will be logged and turned into advertising fodder.”

At this point, Google is sensitive to privacy concerns. AdWeek reports that “a source familiar with the deal” explained that “Google is trying to be extra cautious with user privacy on this initiative.” Google asserts that viewers can opt out of being shown ads based on their viewing history. However, AdWeek points out that Google has not specified what it means by “viewing history” or how the opt-out process might work. And although users of Google’s web services can similarly opt out of ads based on their browsing history, few users choose to do so.

While Google’s trial of fiber ads is limited to a small number of viewers in a limited geographic area at this time, it is not difficult to image Google growing to become a ubiquitous force in the TV world given its dominance in online search and the functionality its Internet service offers (its Fiber Internet service is reportedly 100 times faster than the standard broadband connection). Perhaps Google will be able to design the privacy settings in Google Fiber and its TV service so that viewers feel that they can control their private information. But with opt-out as the standard default, a viewer is no more likely to take control while flipping channels on TV than she is while surfing the Internet.

March 26th, 2015

Consumer Privacy Bill and the role of FTC

By: Jyotsana Sinha

Panel 5

http://www.washingtonpost.com/blogs/the-switch/wp/2015/03/23/the-ftc-beefs-up-technology-investigations-with-new-office/

http://www.hldataprotection.com/2015/03/articles/consumer-privacy/insights-on-the-consumer-privacy-bill-of-rights-act-of-2015/

While the government is ready to take the next step by enacting a consumer privacy bill, the bill has increasingly drawn criticism from various actors, ranging from privacy advocates, the Federal Trade Commission (FTC) and even some members of the Congress.

FTC currently acts as the watchdog of consumer privacy in US. It regards the use or dissemination of personal information in a manner contrary to a posted privacy policy is a deceptive practice under the FTC Act, 15 U.S.C. § 45. FTC, however, does not possess actual rule making power. It merely enforces the policies established by the companies, however lax they are. Inspite of being the default enforcement authority, FTC lacks the necessary teeth to ensure proper enforcement.

Although the draft of Consumer Privacy Bill aims at empowering the consumer to take charge of their own data, the bill does not establish any mandatory standard to be followed by the companies. Neither does it enhance the authority of the FTC. While it is argued that adopting a business friendly and lenient approach towards the industry will be beneficial in gaining industry support, and self-regulation with minimal supervision by FTC will yield the desired result, the reality is quite the opposite. Giving the industries a free go on one hand and crippling the FTC on the other merely increases the risk to consumer privacy. The FTC has also expressed its disappointment at absence of any expansion or upgrading in the FTC’s role as a regulator.

The draft bill, while criticised by the privacy advocates, has been appreciated by the technology industry related groups. Highlighting the importance of benefit and risk assessment, the draft bill proposes establishment of Privacy Review Boards to counter the overreaching effect of law on beneficial use of data. It is important to note that the courts have continued to look up to the FTC as the crucial regulator of privacy policies and protector of consumer data and have rejected challenges to the scope of FTC’s power. With this support from the judiciary encouraging the FTC to ‘exercise [their] powers more robustly’ and ‘take more of a leadership role,’ it might not be surprising if FTC wishes to emerge as the supreme authority on consumer data privacy concerns. Lack of technical expertise and resource constrains are often cited as the reasons against empowering the FTC. But, the recent initiative by the FTC to establish BCP’s Office of Technology Research and Investigation to evaluate and address the effects of technological advancement in consumer privacy issues appears to be a step forward towards this goal. Amidst the criticism attracted by the draft bill and efforts of FTC to expand their authority, it now remains to be seen if any substantial development takes place effectually providing consumers the option and power to control their data.