These days, trial lawyers seem to be exploring the territory of the Internet, where privacy-related class action cases are on the rise. Companies that choose to operate online and in social media take advantage of incredible opportunities to connect with users. Websites and social media networks create new ways to obtain and monetize data about users, often in innovative and potentially harmful ways. These activities often give search engines, website operators and advertisers access to user data that they have never had before.
According to Todd Ruback, head of privacy and technology at law firm DiFrancesco Bateman, “There is a mushrooming number of cases. A decade ago privacy was a distant worry among CEOs and boards of directors, but now it’s a full-blown hurricane.”
In the climate of increasing concern about online privacy, US regulators are working to develop new frameworks and tools for consumer protection. In 2011, the Securities and Exchange Commission (SEC) began requiring public companies to report “cyber incidents” to investors. In an effort to reduce identity theft, since 2002, 49 US states and territories have passed laws that require companies that lose personal data to alert consumers and local authorities.
All this has resulted in a number of high-profile and costly lawsuits. Increasingly, companies are agreeing to settle out of court rather than risk an unfavorable jury decision. In June 2012, Facebook agreed to a $20 million settlement to end a lawsuit over its use of members’ faces in online ads. Earlier in June, LinkedIn was hit with a $5 million negligence suit after hackers made off with 6.5 million users’ passwords. In another example, Netflix cancelled its planned 2010 sequel to a $1 million public prize for movie recommendation software after it was sued for accidentally releasing rental records that could be traced to individual consumers.
Of course, online privacy risks are spawning new and highly profitable industries. These days, companies can choose to purchase cyber insurance, which helps protect against the economic fallout from electronic mishaps such as viruses and data loss. In fact, according to insurance broker Marsh, this is the fastest-growing type of insurance coverage in the US.
Industry observers have taken note of some common categories of privacy class action suits, which are listed and described below:
B) Flash cookies
Cookies are commonly used to collect and track information about website and online app users. Cookies can perform a range of functions: allowing the website operator to view internet browsing history, storing log-in/authentication information, or personalizing sites by remembering user preferences from past visits.
Since cookies are able to collect so much user data, they are often at the center of privacy claims. Recently, there have been a number of class action lawsuits relating to Flash cookies. These cookies use a capability of Adobe’s Flash plug-in to track website users and store their information. They are especially common, as Flash software is installed on around 98% of PCs and is used in many popular online video players, such as YouTube and Hulu.
C) Social media information
This is a big category. Facebook and other popular social media networks amass a wealth of personal data about their users, including location, entertainment preferences and organizational interests. While this can certainly help with targeted advertisements, it’s also prime material for class action suits. Companies operating social media sites or apps, or those that place ads on such sites, are coming under increasing criticism.
D) Online behavioral advertising
Online behavioral advertising refers to the practice of using a consumer’s internet browsing history or profile data to target more relevant ads to that consumer. This allows advertisers to get more bang for their buck. However, the FTC and consumer rights groups are on the case, demanding that the industry self-regulate this practice. This is where the “Do Not Track” debate comes in.
Mitigating the Risks
Experts have come up with a number of strategies to enable companies to continue using the powerful new opportunities the internet offers, while still respecting the privacy rights of their users and avoiding legal fiascos. These strategies are listed and described below:
- Due diligence before using third-party technologies
- Obtain a good indemnity provision
- Audit websites for hidden tags, cookies, or other such apps
Responding to Class Actions
Companies that find themselves in online privacy-related class action suits may use any or all of the following defense strategies:
- Argue that the statutes and causes of action invoked do not apply to online privacy issues
- Point to the lack of damage
This article discusses the increase in class action lawsuits involving online privacy. Companies that operate in the online world, specifically in social media environments, have attractive opportunities for connecting with consumers. However, as recent events have shown, they must also proceed with caution on the privacy front. The article briefly introduces a number of high-profile class action suits, the common categories of the claims, how websites operating in these spaces can mitigate the risks, and finally, how companies might respond to privacy-related class action suits.
CIPP Exam Preparation
In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT) exam, a privacy professional should be comfortable with topics related to this post, including:
- Privacy expectations – the consumer perspective (II.A.a.)
- Privacy expectations – organizational practices (II.A.b.)
- Personalization – end user benefits and concerns (II.C.a., II.C.b.)
- Privacy by policy (III.B.)