Clickable Consent at Risk in Internet Privacy Lawsuits

The world’s biggest Web companies are lining up at the courtroom of a California federal judge whose rulings could further inflame the widening debate over online privacy and how the Internet giants use personal data.

Google Inc., LinkedIn Corp. and Yahoo! Inc. are all being sued by customers who say the companies unfairly appropriated their personal information for profit. The lawsuits have landed before U.S. District Judge Lucy H. Koh in San Jose, who in September rattled Google -- and became a hero to some privacy advocates -- when she said the company wasn’t disclosing clearly enough its plans for the user information it harvests.

At issue in the suits is consent: Are users who check off on online companies’ click-to-agree screens, or have access to their privacy policies and opt-out buttons, given an explicit enough picture of providers’ plans?

The answer is no, according to plaintiffs in several complaints before Koh that threaten to upend how the companies monetize user data for the online advertising market that generated more than $40 billion in the U.S. last year. These people allege that even if they clicked an online agreement button, they didn’t sign off on letting the Web companies read their e-mails, use their photos or access their personal address books.

Fullest Interpretation

Koh, in overseeing cases against Google as well as Facebook Inc., has broken from how other courts have handled allegations of online privacy violations. Judges have dismissed many such complaints, saying customers hadn’t proved they had been harmed and had agreed to online contracts. Koh, by contrast, is giving the fullest courtroom interpretations yet of when these companies may be acting without consent.

Koh declined to comment. Google, Facebook and Yahoo declined to comment on the legal proceedings.

The suits are accumulating in Koh’s court as consumers become aware of how online companies profit from personal information in ways many users may not understand. Concerns over data security have sharpened after Edward Snowden leaked information that Internet companies are being compelled under court orders to give the U.S. National Security Agency information about American and other users.

European Pressure

The U.S. giants are also facing pressure from the European Union, which is attempting to rewrite old privacy rules to empower regulators to fine tech companies as much as 100 million euros ($136 million) for violating EU citizens’ privacy. With European lawmakers haggling over those efforts, Google’s global privacy lawyer, Peter Fleischer, said today in a personal blog post that politicians should go back to the drawing board on rules he said could set global privacy standards.

Across the U.S., legal actions against Internet companies and social networks are surging. In just one category -- companies’ tracking of online activities -- there were more than 200 suits filed nationwide over the past 18 months, up from 10 in 2010, according to law firm Alston & Bird LLP.

Koh is one of five San Jose district judges ruling on cases that touch Silicon Valley. Her rulings, if they survive expected appeals, could have big implications for Web companies that offer users free services while turning the raw material of personal data into advertising money.

Advertising Prize

Google was expected to capture almost 40 percent of $42.6 billion in U.S. online ad money in 2013, research firm eMarketer Inc. reported in December. After runner-up Facebook, with 7.4 percent, Yahoo’s share was expected to be 5.8 percent, it said.

In the complaint against LinkedIn, nine people accuse the professional networking site of scanning their online contact lists and using their names and photos without permission to lure new members. The plaintiffs allege LinkedIn e-mailed repeat invitations to people they hadn’t wanted the messages to reach - - including fellow board members, rival lawyers and old girlfriends.

Hani Durzy, a spokesman for Mountain View, California-based LinkedIn, said the company doesn’t access users’ address books or send e-mailed invitations without permission. Asking Koh in December to dismiss the “meritless” suit, LinkedIn said members consented to terms allowing the company to invite their contacts to the site.

Privacy Imprint

Koh, a 45-year-old former intellectual property litigation lawyer who became a federal judge in 2010, gained international attention for handling one of the highest-profile recent technology trials, the patent-infringement battle between Apple Inc. and Samsung Electronics Co.

She began placing her imprint on online privacy soon after she was appointed. In 2011, she refused to dismiss a suit by Facebook members who alleged the operator of the world’s largest social network used subscribers’ names and photos without their permission, incorporating them in ads or product pitches to members’ “friends” on the network. Koh said Facebook users argued plausibly that their names and images had value that was taken from them without asking.

Facebook, based on Menlo Park, California, agreed to settle the case for $20 million and rewrite policies to give members more control over being used in ads. The deal is now on appeal.

Consent Blueprint

In September, Koh rejected Mountain View-based Google’s argument that she should dismiss the suit against it because users of its Gmail service and their correspondents had consented to have their e-mails scanned for commercial purposes. In an extended section of her order, she laid out a blueprint for gaining online consent -- essentially, that companies have to be explicit about what they’re doing with the data and ask permission beforehand.

Until Koh’s Google ruling, “no court has definitively addressed the issue of what consent means,” said David Straite of Kaplan Fox & Kilsheimer LLP, an attorney representing people who e-mailed with Yahoo users in a privacy suit who successfully joined an earlier case in Koh’s court. “The current regime is, ‘You’ve consented even if you didn’t read it or it’s difficult to comprehend.’”

Koh’s refusal to toss out the Google case could press the company to try to settle out of court, or else risk submitting to preliminary evidence-gathering and depositions that could turn up internal Google e-mails. That, in turn, could provide a road map for cases that continue to be filed.

Facebook Complaint

Facebook members on Dec. 30 sued the company, accusing it of mining personal data from messages that members had sent using settings that they said the social networking site touted as private. Facebook said the complaint is without merit and that it will defend itself vigorously.

The Facebook case was assigned to a judge in Oakland. Several such cases have been assigned to Koh’s courtroom: After the September Google ruling, lawyers successfully argued that Koh should handle six cases in which plaintiffs alleged that Sunnyvale, California-based Yahoo intercepted all communications to and from its users without seeking permission, in order to profit from targeted ads, profiling and data collection. Two of the Yahoo cases were dropped today.

Plaintiffs in the LinkedIn and Yahoo cases in front of Koh also seek to represent broader groups of users.

For BNP Paribas SA senior manager Peter Faulkner, a LinkedIn membership generated some too-close-for-comfort moments. Faulkner said that when he received a September invitation from the professional networking site to connect with a “person you may know,” he was suspicious: The person LinkedIn invited him to connect with was his own 11-year-old son.

Unused Address

Faulkner said he created an Internet domain name in 2003, adding an e-mail address for the then-infant. He never used that address, he said, but had it in an address book he kept elsewhere online. He calculated the company must have failed to tell him it would store any data he temporarily accessed while using the site.

Faulkner, an information-technology officer who heads the bank’s IT client services in Japan, said he didn’t knowingly give the company permission to look at his external address book, and doesn’t remember LinkedIn ever asking if it could save or use the details.

He said the incident confirmed his approach to Internet companies that echoes a motto from the science-fiction TV series “The X-Files,” where a little understood “smoking man” lurks in the background: “Trust no one.”

Punitive Damages

Plaintiffs in the suit against LinkedIn in Koh’s court want the judge to make the company disgorge money made from its allegedly improper conduct and pay punitive damages. In the worst-case scenario, the Mountain View, California-based company could be liable for damages of $100-a-day per user if the plaintiffs can prove the company broke the wiretap law, lawyer Straite said.

Koh hasn’t always ruled in customers’ favor in privacy cases. When users sued Apple over applications it had approved for iPhones, Koh told them they hadn’t shown exactly how they were harmed by use of their personal information. She dismissed the case in November.

The Google wiretap complaint in front of Koh was filed by Gmail users as well as people who use other e-mail services who traded messages with Google customers. The plaintiffs recalled that in 2010, Google chairman and then-chief executive officer Eric Schmidt had said “Google policy is to get right up to the creepy line and not cross it.” The plaintiffs alleged that Google had crossed that line by unlawfully intercepting their e-mails and profiling users for undisclosed purposes.

Google has an analytics unit that sells its expertise to advertisers and other clients.

Dismissal Request

Google, asking Koh to dismiss the suit, said in a June 13 filing that customers had consented to scanning for various purposes and its privacy policies for years had told users in “clear terms” that it might use their information “to improve our services including advertising services and develop new services.”

Koh said companies can’t merely say that private information “might” be used for advertising or other commercial purposes -- customers must explicitly understand its use.

Koh also set limits on the reading of e-emails. Google had created the impression that it might pre-screen e-mails for objectionable and sexual content, not to use the information for ads and profiles, Koh said. Customers’ acceptance that their messages might be intercepted for virus and spam control didn’t bind them to being scanned for profiling and targeted ads, unless those actions were specifically disclosed, she said.

‘Objectionable Content’

“The Terms of Service suggests that content may be intercepted under a different set of circumstances for a different purpose -- to exclude objectionable content, such as sexual material,” she said. “This does not suggest to the user that Google would intercept emails for the purposes of creating user profiles or providing targeted advertising.”

Even plaintiffs who didn’t have Gmail accounts implicitly consented to have their e-mails scanned because they continued to message people at Gmail addresses, Google told Koh. To argue that point, it cited a 2008 ruling on a wiretap suit in which appeals judges held that a prisoner implies he agrees to eavesdropping if he chooses to talk on a jail telephone he knows may be monitored.

Rejecting Google’s reasoning, Koh effectively reinterpreted old U.S. privacy laws for the Internet age, said Jonathan Mayer, a Stanford University doctoral student with a law degree who tracks online privacy issues.

‘Deeply Ambiguous’

“Federal privacy law mostly makes sense for phone calls and messages, but it’s deeply ambiguous on newer technology,” said Mayer, whose February 2012 blog post drew early attention to Google’s attempt to bypass privacy settings on Apple browsers, which ended with the search giant’s $17 million payment to 37 states in November.

Google has asked Koh to let it appeal her “novel” ruling. She has set a trial for October 2014 and hasn’t yet responded.

Google had another privacy suit dismissed in October, when a Delaware district judge told plaintiffs they hadn’t shown the company made unlawful use of their messages.

Any change in online privacy might come more quickly from technology entrepreneurs than from courts and legislators, said Mayer at Stanford. If consumers demand ways to protect themselves, innovators will devise them, he said, which will in turn give companies an incentive to change.

“Technology must regulate technology,” he said.

Online Disclosures

Pressure from courts and lawmakers could force companies to clarify their online disclosures. They would have to find new ways of making money based on consent if users defect, said Robert Ellis Smith, publisher of Privacy Journal and author of books on online privacy invasion. “There will be winners and losers,” he said.

If companies were to lose some of the lucrative advertising deals that foot the bill for free services, some could choose to charge customers for the extra privacy. Companies could keep tracking web activities, though without storing personal data or identifying individuals for specific ads, said Lorrie Cranor, director of Carnegie Mellon University’s CyLab Usable Privacy and Security Laboratory.

“Once you have these lawsuits, there’s an incentive to try harder,” Cranor said. “I don’t see the suits going away any time soon.”

The Google case is In re Google Inc. Gmail Litigation, 13-md-02430; the LinkedIn case is Perkins v. LinkedIn Corp., 13-cv-04303; the Yahoo case is Pincus v. Yahoo! Inc., 13-cv-05326, U.S. District Court, Northern District of California (San Jose).