Vladeck Presents Vision for Future Privacy Protection at IAPP Academy

David Vladeck, Director of the Bureau of Consumer Protection at the Federal Trade Commission, spoke today at the IAPP Privacy Academy in Baltimore and offered the FTC's vision for future privacy protection. Here are some highlights:

  • The FTC will continue to bring cases to ensure that companies maintain reasonable safeguards for consumer privacy.
  • The FTC will bring more cases involving pure privacy protections, in addition to data security cases, building on the Sears case. "You can expect more cases like that in the future." (This suggests a greater focus on how notice and choice are given and on the degree to which privacy options are actually implemented, as in the recent US Search enforcement action.) "Consumer choice must control."
  • We will be focusing our efforts on new technologies, such as in our enforcement in the Twitter case. The FTC has hired new technologists and has created a mobile lab to address smartphones and mobile apps.
  • There will be increased international cooperation on privacy, as evidenced by the Global Privacy Enforcement Network (GPEN) announced last week. Recent cooperation brought down a major spam operation, resulting in a 25% drop in spam worldwide.

Vladeck also spoke on the formulation of new privacy policy following the FTC Roundtables.

  • Past approaches to consumer privacy have not kept pace with technology. (1) Notice and choice is a failed paradigm as implemented. The problem is exacerbated by mobile devices, where one has to scroll through hundreds of screens to read a privacy policy. (2) Focusing on harms is not the best way to address privacy violations.
  • The Roundtables demonstrated that (1) data persists longer than people expect; (2) the difference between PII and non-PII is blurring; (3) consumers understand very little about how their information is used and shared; (4) often, consumers do not interact with or have direct contact with the companies that handle their information; (5) technology can provide important privacy solutions.
  • When is the Report coming out? "This Fall."
  • What will the Report say? "This is impossible to answer, as the Commissioners are still to review it and will provide input." But here are the big-picture issues in the Report: (1) The importance of Privacy by Design -- thinking about good data hygiene from the very beginning. (2) Increased transparency is needed about data practices -- we need better privacy notices, in more consistent, shorter formats. (3) We need to simplify consumer choice, especially regarding uses of data that consumers would not expect. Privacy choices should be presented at the point when the consumer is providing the data, and more consistent policies that allow comparison may enable competition on privacy practices. We need more protection for sensitive information, and consumer choice, once exercised, must be respected. "The FTC will not tolerate a technology arms race to circumvent privacy-protecting technology." (4) On the thorny problem of access: companies collecting and aggregating data for purposes beyond consumer expectation is a problem, but there is no easy solution to the access question, and the FTC will consider the cost of access to the data broker industry. (5) There should be better consumer education about how tracking on the Internet works and what choices consumers have on privacy.
  • The Report will be issued in DRAFT with opportunity for public comment. Even when finalized, the Report will not be the end of the debate but "the beginning of the next phase of the debate on privacy." One key component must be flexibility and adaptability.
  • "Do Not Track" is not off the table and will be considered, despite its complexity.
  • On the issue of regulation vs. self-regulation: the Commission has always supported self-regulation, but it has also supported privacy laws like the telemarketing law. With respect to privacy and online advertising, "I am disappointed in the progress of self-regulation. Ad disclosures and icons are all good ideas, but implementation is very much a work in process." The Commission and the public may lose patience with self-regulation if there is not better progress.
  • On the Boucher and Rush legislative proposals: I am concerned that the bills place too much reliance on already overburdened privacy policies. Also, it is premature to conclude that existing private initiatives are sufficiently robust to provide safe harbors.
  • On data security: legislation that requires reasonable security, and notice of breaches that create a reasonable risk of harm, would provide sorely needed broad-based protections at the federal level. For the first time, the FTC would have the general right to obtain civil penalties, which is important. We see too many companies ignoring well-known vulnerabilities that are easily plugged; penalties would help convince those companies to comply.
  • My vision for consumer privacy in 2011 and beyond: in my privacy utopia, companies build in privacy from the start, consumers have access to information about privacy, and the FTC continues its enforcement regime with the help of consumer watchdog organizations. The time for companies using trial and error to protect privacy should come to an end.

Sale of Personal Data for Direct Marketing -- How Many Tentacles Can an Octopus Have?

This post was provided by Gabriela Kennedy and Heidi Gleeson of Hogan Lovells' Hong Kong office.

The recent large scale sale of personal data by Hong Kong's Octopus Holdings Ltd. for the purposes of direct marketing is currently being investigated by the Hong Kong Privacy Commissioner and has prompted calls for reforms to the data protection regime.

The Octopus case

Octopus Holdings Ltd. operates the Octopus card, which is an electronic stored-value payment card used by Hong Kong residents for public transport, fast-food restaurants, parking, convenience stores and supermarkets. The cards may also be used as a student card or as an access card for residential apartments or office buildings.

In addition to the electronic payment facilities, Octopus Rewards Limited, a company which is wholly owned by Octopus Holdings Ltd. (referred collectively as "Octopus") operates a rewards program linked to the Octopus card, whereby card holders earn reward cash every time they make purchases with their Octopus cards at selected business partners ("Rewards Program"). While the electronic payment facilities of the Octopus card may be used without registering and providing any personal data, card holders wishing to take advantage of the Rewards Program must first register with Octopus. Card holders are requested to supply a broad range of personal information on the registration form (some of which is required for the application to proceed), including name, identity card or passport number, gender, month and year of birth, contact details, marital status, education level, occupation, income and interests.

Octopus provided the personal information of almost 2 million card holders to six insurance companies for direct-marketing over a four and a half year period, earning the company HK$44 million in revenue.

The application form for the Rewards Program was drafted in such a way as to give Octopus very broad rights to deal with the personal information of card holders. In signing the application form for the Rewards Program, card holders automatically consented to their personal data being disclosed to any third party (at Octopus's discretion) and used for direct marketing purposes. The only way that card holders were able to opt-out from their personal information being sent to third parties was to first sign the form (thereby consenting to the distribution and sale of their data to any third party), and later call Octopus to opt-out, a process which Octopus conceded would take approximately three days. The application form cross-referred to a separate set of terms and conditions relating to data protection/privacy, making it unlikely that the card holder would fully understand the scope of their consent prior to signing the form. Even if card holders understood that by signing the registration form they consented to their personal information being sold to third parties, it is likely that given the inconvenient and time consuming opt-out procedure, they would be reluctant to take the necessary steps to protect their personal information.

Investigation by the Privacy Commissioner

On 21 July 2010, the Privacy Commissioner ordered a formal enquiry into Octopus's practices to ascertain whether the collection and disclosure of card holders' personal data for direct marketing purposes was in contravention of the Personal Data (Privacy) Ordinance (the "Ordinance"). The Commissioner exercised his powers under the Ordinance to hold a hearing to summon witnesses to assist with the investigation.

The Privacy Commissioner is yet to issue the final report on the investigation. However, in response to the mounting public concern regarding the handling of personal data under the Rewards Program, on 30 July 2010 the Privacy Commissioner took the unusual step of issuing an interim report, containing his preliminary findings as well as interim recommendations to Octopus regarding its handling of personal data.

The Privacy Commissioner made 12 recommendations regarding Octopus's handling of personal data, including the following:

  • Card holders should be able to submit their applications for the Rewards Program using only their names and Octopus card numbers.
  • Consent to use personal data for direct marketing purposes should be expressly given and should not be deemed.
  • The parties to whom personal data may be transferred should be clearly identified.
  • Octopus should not disclose personal information other than name and contact information for direct marketing purposes, as any additional information is unnecessary and excessive.

The Privacy Commissioner is yet to issue a final determination on the matter. If Octopus is found to have breached the Ordinance it is likely to be because the scope of the information collected was arguably excessive for the purposes for which it was collected.

Calls for reform

As Octopus sold the personal information of almost 2 million people (almost a third of the population of Hong Kong) to third parties, the case received a fair amount of publicity and has generated debates in the media and has led to calls for reform of the data protection regime in Hong Kong.

Hong Kong's Personal Data (Privacy) Ordinance is currently under review by the Government. A number of amendments have been proposed, partly in response to increasing public concern about the protection of personal data. The Government published a consultation document on 28 August 2009 inviting public comment on the proposed amendments to the Ordinance; the consultation period ended on 30 November 2009. The Government is yet to make any further announcements in relation to the reforms, but given the profound impact that the proposed changes may have on various sectors of the community and the recent furore over the Octopus case, it is expected that further changes may be introduced when the bill is made public.

Gabriela Kennedy (Partner) (gabriela.kennedy@hoganlovells.com) and Heidi Gleeson (Foreign Legal Assistant), Hogan Lovells, Hong Kong.

FTC Settlement Targets Deceptive Promises of Enhanced Privacy

The FTC has entered into a proposed settlement with a company that promised consumers the ability to choose what information would appear when others searched for them in the company's online service, but failed to provide the promised control. The proposed settlement announced by the FTC followed an investigation of US Search, a data broker that promised consumers that if they paid $10 for its "PrivacyLock" service, it would "lock their records" by excluding their information from search results. Instead, according to the FTC's complaint, PrivacyLock did not block consumers' names from showing up as an associate of someone else in a search for the other person's name; did not block consumers' information from appearing in a "reverse search" of their phone number or address, or in a search of their address in real estate records; did not work if the consumer changed addresses; and did not work if the consumer had multiple records (e.g., "John Smith" and "John T. Smith"). The consent decree, which is part of the proposed settlement and is subject to a public comment period, prohibits US Search from continuing to market any products claiming to ensure consumer privacy in such a manner and requires it to refund customers who paid for PrivacyLock.
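The failures listed in the complaint share one engineering root cause: a suppression flag that is checked on a single query path and attached to a single database row. The Python below is an added example with constructed records (it is not US Search's code, and the `subject` key that links a person's name variants is assumed to exist); it contrasts that design with suppression applied at one chokepoint that every search path passes through, and reports the paths through which a "locked" person still surfaces.

```python
"""Record suppression ('privacy lock') done two ways, to show the failure
modes listed in the FTC complaint. Added example with constructed records;
not US Search's code. Assumption: records are already linked to a stable
subject key, so the name variants of one person share a subject."""

# Constructed people-search records. 'subject' links one person's variants.
RECORDS = [
    {"id": "r1", "subject": "s1", "name": "John Smith",
     "phone": "202-555-0100", "address": "12 Elm St", "associates": ["r3"]},
    {"id": "r2", "subject": "s1", "name": "John T. Smith",
     "phone": "202-555-0100", "address": "98 Oak Ave", "associates": []},
    {"id": "r3", "subject": "s2", "name": "Mary Jones",
     "phone": "202-555-0199", "address": "12 Elm St", "associates": ["r1"]},
]


class NaiveIndex:
    """A lock hides one record id, and only on the name-search path."""

    def __init__(self, records):
        self.records = {r["id"]: dict(r) for r in records}
        self.locked_ids = set()

    def add_record(self, record):
        self.records[record["id"]] = dict(record)

    def lock(self, record_id):
        self.locked_ids.add(record_id)

    def search_name(self, name):
        return [r for r in self.records.values()
                if r["name"] == name and r["id"] not in self.locked_ids]

    def search_phone(self, phone):           # no suppression on this path
        return [r for r in self.records.values() if r["phone"] == phone]

    def search_address(self, address):       # nor on this one
        return [r for r in self.records.values() if r["address"] == address]

    def associates_of(self, record_id):      # nor here
        return [self.records[a] for a in self.records[record_id]["associates"]]


class LockedIndex(NaiveIndex):
    """A lock suppresses the whole subject at one chokepoint every query uses."""

    def __init__(self, records):
        super().__init__(records)
        self.locked_subjects = set()

    def lock(self, record_id):
        # Lock the person, not the row: every current and future record with
        # this subject key (name variants, new addresses) is suppressed.
        self.locked_subjects.add(self.records[record_id]["subject"])

    def _visible(self, record):
        return record["subject"] not in self.locked_subjects

    def _scan(self, predicate):
        return [r for r in self.records.values()
                if self._visible(r) and predicate(r)]

    def search_name(self, name):
        return self._scan(lambda r: r["name"] == name)

    def search_phone(self, phone):
        return self._scan(lambda r: r["phone"] == phone)

    def search_address(self, address):
        return self._scan(lambda r: r["address"] == address)

    def associates_of(self, record_id):
        owner = self.records[record_id]
        if not self._visible(owner):
            return []
        return [self.records[a] for a in owner["associates"]
                if self._visible(self.records[a])]


def exposure(index_cls):
    """Lock John Smith (r1), then return the set of query paths that still
    reveal subject s1. An empty set means the lock holds everywhere."""
    index = index_cls(RECORDS)
    index.lock("r1")
    # He moves house after locking; the new record carries the same subject.
    index.add_record({"id": "r4", "subject": "s1", "name": "John Smith",
                      "phone": "202-555-0100", "address": "5 Pine Rd",
                      "associates": []})

    def reveals_s1(rows):
        return any(r["subject"] == "s1" for r in rows)

    checks = {
        "name": reveals_s1(index.search_name("John Smith")),
        "name-variant": reveals_s1(index.search_name("John T. Smith")),
        "reverse-phone": reveals_s1(index.search_phone("202-555-0100")),
        "reverse-address": reveals_s1(index.search_address("12 Elm St")),
        "associate-of-other": reveals_s1(index.associates_of("r3")),
        "after-move": reveals_s1(index.search_address("5 Pine Rd")),
    }
    return {path for path, leaked in checks.items() if leaked}


if __name__ == "__main__":
    print("naive leaks:", sorted(exposure(NaiveIndex)))
    print("locked leaks:", sorted(exposure(LockedIndex)))
```

The naive index leaks on every path, including plain name search once the person's post-move record arrives; the locked index leaks on none, while Mary Jones remains searchable. The real difficulty, which the example assumes away with the `subject` key, is linking "John Smith" and "John T. Smith" to one person in the first place; a product that cannot do that cannot honestly promise a lock.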

This enforcement action comes on the heels of the FTC's February settlement with ControlScan, another company that promoted a privacy-enhancing service but failed to live up to its promises. In that case, ControlScan purported to certify the privacy and data security practices of its clients' websites but failed to adequately verify those websites' actual privacy and security protections, and displayed a certification date that did not reflect the actual date of its most recent security review. And last October, the FTC brought enforcement actions against six companies over misrepresentations that they were current with their certifications under the U.S.-EU Safe Harbor program, a privacy compliance program that provides assurance to European organizations that U.S. businesses to which they transfer personal data will treat that data in accordance with European privacy standards.

The FTC's activity in this area demonstrates the importance it places on promises of privacy and security by companies that directly sell and market privacy and security protections. Privacy-enhancing services are obviously a good thing. But profiting from consumers' willingness to pay for protections by selling them knowingly or negligently false guarantees will trigger enforcement actions. Companies developing privacy certifications and technologies should therefore take care to evaluate their marketing materials and to continually test their services to ensure that they do not fall short of their promises to consumers.

Privacy by Design for Italian Smart Grid

On September 21, 2010 Hogan Lovells privacy partners Marco Berliri and Winston Maxwell briefed the Italian smart metering consortium E-Cube on the practical aspects of privacy by design. The seminar commenced with a presentation of the E-Cube project by Telecom Italia Director of Public Policy, Lorenzo Pupillo. The E-Cube project involves leading Italian industrial companies and universities, and is funded by the Italian government. A full presentation of the E-Cube project can be found in Dr Pupillo’s paper here.

Seven pillars of privacy by design.

After Dr Pupillo’s introduction, Marco Berliri and Winston Maxwell presented the seven principles of privacy by design, contrasting its preventive, “positive sum game” approach with the confrontational, “zero sum game” approach that is currently the norm when dealing with data protection authorities in some European countries. Marco Berliri gave an overview of the current legislative framework for privacy in Europe, while Winston focused on the June 2010 report of the smart grid task force at the European Commission. The report, submitted by the so-called Expert Group 2 (EG2), fully endorses the privacy by design approach, recommending that European standards organizations working on smart grid standards take privacy requirements into account. The EG2 report urges smart grid stakeholders to draw on the security and privacy practices of other industries, particularly telecommunications and banking. The EG2 report also highlights a methodology developed by a consortium of electricity providers in the Netherlands to conduct privacy impact assessments of smart grid systems.

NIST report compared.

Marco and Winston then compared the European approach as outlined in the EG2 report with the August 2010 recommendations of NIST in the U.S. NIST’s report on smart grid privacy contains a useful discussion of different concepts of personal data, ranging from the U.S. concept of “personally identifiable information” (PII) to data about behavior inside the home that can be derived using Non-intrusive Appliance Load Monitoring (NALM), which provides a very detailed fingerprint of a given household’s behavior. NIST suggests that the traditional notion of PII in the U.S. may not be adequate to address the risks posed by granular usage data. Marco compared PII with the European concept of personal data. In response to a question from an E-Cube consortium member, Winston and Marco described the process of developing privacy use cases, using the two examples presented in the NIST report as well as a use case involving the Canadian electricity company Hydro-One. Each use case requires breaking a service into small individual parts. For each part of the service one must ask whether key privacy requirements are being addressed. For example, if a consumer brings home a smart thermostat from the store and plugs it in for the first time, that thermostat will first seek to communicate with the home area network, which will in turn communicate the details of the thermostat to a central server so that the thermostat can be authenticated and registered in the service. In a privacy use case, this seemingly simple process may be broken down into five or more individual parts, and for each part one must ask: Is the communication link encrypted? Is the device transmitting the minimum amount of data necessary? Are organizational measures in place to ensure that the data are accessible only by the right people in the organization? Does the process contemplate a date when the data would be deleted?
It is by building these individual use cases that Privacy by Design can be built up, piece by piece. As aptly put by the EG2 report: “Security is a path, not a destination!”

Sharing consumption information.

Finally, Marco and Winston compared Italian legislation, which obligates electric utilities to share consumer usage data, with the similar requirement adopted in December 2009 by the California Public Utilities Commission. Winston mentioned that the U.S. FCC is placing particular emphasis on innovation at the edges of the smart grid ecosystem, but this policy creates a dilemma for regulators who may not have jurisdiction over the service providers to whom the data are supplied. Winston pointed out that the California PUC is expected to issue more detailed privacy requirements before the end of 2010, and that these requirements are expected to address transfers of data to third-party service providers.

Cloud computing.

Marco reminded participants of the rules regarding transfer of personal data outside the European Union, pointing out that some data may in fact be transferred outside the European Union if an electricity service provider outsources some of its data processing, or makes use of cloud computing.

A copy of Marco and Winston’s presentation can be found here.

FTC Previews Forthcoming Privacy Report

Maneesha Mithal from the FTC Division of Privacy and Identity Protection spoke today at the Online Trust Alliance Forum in Washington, DC and provided some insights into the forthcoming FTC Report on Privacy, following the three recent Roundtables conducted by the Commission.  She cautioned that the Commissioners had not yet reviewed and approved the Report, and that it may change, but said the following:

There are five fundamental findings about privacy today that will be included in the Report:

  1. There is increased collection, storage and use of data.
  2. Consumers are largely unaware of the use of data, especially the practices of the data broker industry and behavioral advertising.  Notice and choice has been a disaster.
  3. Consumers really do care about privacy. 
  4. Innovation in the Internet economy is important, and free content that is provided through the collection of information also is important.
  5. There is a blurring of the distinction between personally identifiable information and non-personally identifiable information.
The Report will build on these findings and propose a new privacy framework, and the Report will say "This is what privacy should look like".
 
There will be three major aspects of the Report:
  1. Privacy by Design, that includes privacy reviews, must be a part of all technology development that involves personal information
  2. There is a need to improve consumer choice, with just in time notices of collection practices
  3. There is a need for Improved transparency, even with just in time disclosures.  Privacy notices will remain, but must improve (see e.g.  the new GLB privacy notices sanctioned by the FTC)

Ms. Mithal summarized by saying "Our whole Report is about consumer control."

In some circles, it was expected that the FTC Report might be released before the 32nd Annual Conference of Privacy and Data Protection Commissioners in Jerusalem at the end of October, but that now does not seem likely given the review process at the Commission.

So we now have a glimpse of what to expect, but stay tuned.

U.S. Senate Hearing on Data Protection

On September 22, the U.S. Senate Commerce Committee's Consumer Protection, Product Safety, and Insurance Subcommittee held a hearing on S.3742, The Data Security and Breach Notification Act of 2010.  This Act would give the Federal Trade Commission the authority to require a wide range of commercial and nonprofit entities to establish security practices to protect personal information, including social security numbers and certain financial information.  Entities also would be required to notify individuals in the event of a breach of such information.  Hogan Lovells US LLP partner Melissa Bianchi testified before the Subcommittee about the effect this legislation would have on HIPAA covered entities, on behalf of the American Hospital Association.  A link to the hearing and video is available at http://commerce.senate.gov/public/index.cfm?p=Hearings.

FDIC Requires Banks to Adopt Policies on Disposal of Information Stored on Office Equipment

On September 15th, the Federal Deposit Insurance Corporation (FDIC) issued guidance (Financial Institution Letter FIL-56-2010, "FDIC Guidance on Mitigating Risk Posed by Information Stored on Photocopiers, Fax Machines and Printers") urging banks under its supervision to ensure that they have written policies for the erasure or destruction of sensitive or confidential customer information stored in photocopiers, fax machines, or printers.  Such storage may occur when the device's hard drive or flash memory stores digital images of documents that were photocopied, faxed, or printed using the device.

This is a particular concern for banks that lease office equipment - which may be used to process a significant amount of confidential information relating to financial transactions - and then return the equipment or sell it to another party.  If the memory of such devices is left intact, it is possible that such a third party could access data constituting "nonpublic personal information" under the Gramm-Leach-Bliley Act, such as information in consumers' loan applications or account statements, or other confidential information.

FDIC-supervised banks must, therefore, implement written policies and procedures to ensure that a hard drive or flash memory in office equipment containing sensitive data is erased, encrypted or destroyed prior to the device being returned to a leasing company, sold, or otherwise disposed of.  If the bank chooses to erase or encrypt the hard drive rather than destroy it, the bank should ensure that the method used will render the information on the disk unrecoverable.

While FIL-56-2010 applies only to banks supervised by the FDIC, all financial institutions are required to ensure the proper safeguarding and disposal of customer information.  Therefore, even non-FDIC-supervised financial institutions would be well advised to consider and implement the guidance contained in FIL-56-2010.

Forbes Interview Explores Current Hot Topics in Privacy

In this interview with Forbes, I share some perspectives on

(1) the prospects for an online privacy bill passing this year;

(2) some of the issues raised by the Rush privacy bill currently pending in Congress;

(3) the efficacy of FTC enforcement;

(4) the problems with the concept of a "Do Not Track" list, which has been proposed; and

(5) the need for reform of the Electronic Communications Privacy Act.

The Future of Privacy Forum Announces "Privacy Papers for Policy Makers"

On Wednesday, September 15th the Future of Privacy Forum (FPF) announced the papers that were selected as “privacy papers for policy makers” at an event held at George Washington Law School. FPF is the privacy think tank founded and co-chaired by Hogan Lovells’ Chris Wolf. These works were deemed by the FPF to be the recent scholarship dealing with privacy issues that will prove most useful to policy makers. The papers that were selected are:

  • Privacy on the Books and on the Ground – Kenneth A. Bamberger and Deirdre K. Mulligan
  • What is Privacy Worth? – Alessandro Acquisti, Leslie John, and George Loewenstein
  • Misplaced Confidences: Privacy and the Control Paradox – Laura Brandimarte, Alessandro Acquisti, and George Loewenstein
  • Standardizing Privacy Notices: An Online Study of the Nutrition Label Approach – Patrick Gage Kelley, Lucian Cesca, Joanna Bresee, and Lorrie Faith Cranor
  • How Different are Young Adults from Older Adults When it Comes to Information Privacy Attitudes and Policies – Chris Hoofnagle, Jennifer King, Su Li, and Joseph Turow
  • Privacy and Regulatory Innovation: Moving Beyond Voluntary Codes – Ira Rubinstein

You can view these papers, along with the papers that received notable mentions, on FPF’s website at http://www.futureofprivacy.org/the-privacy-papers/.

The papers were discussed by a panel, including:

  • David Vladeck, Director of the Bureau of Consumer Protection for the Federal Trade Commission (FTC)
  • Jules Polonetsky, Co-Chair of the FPF
  • Christopher Wolf, Co-Chair of the FPF and Partner at Hogan Lovells
  • Dan Solove, Professor, The George Washington University Law School
  • Carol DiBattiste, Senior Vice President, Privacy, Security, Compliance & Government Affairs, LexisNexis
  • Brendon Lynch, Chief Privacy Officer, Microsoft

The conversation focused on how these papers could be used by policy makers to bridge the gap between scholarship and how organizations implement privacy practices on the ground. In his remarks, David Vladeck described how the FTC looks to academic writing to help inform its regulatory priorities. He referenced FTC’s series of roundtable discussions held in late 2009 and early 2010 that were influenced by recent scholarship, including the winning papers. These discussions, and the resulting recommendations, are being used to create an FTC Report that was promised as a follow-up to the roundtables. Mr. Vladeck predicted that the report would be released by the end of October, subject to the Commission’s approval process, and he broadly hinted that some proposed changes to the privacy framework may be forthcoming.

Live Webcast of "Privacy Papers" Program Features FTC's David Vladeck

On Wednesday, September 15th at 8:45 AM EDT, there will be a live webcast of a program featuring privacy scholarship voted most useful to US policy makers, "Privacy Papers for Policy Makers," presented by the Future of Privacy Forum (FPF), which I founded and co-chair. 

Our featured speaker will be David Vladeck, head of Consumer Protection at the FTC. 

Discussion will be led by my FPF co-chair, Jules Polonetsky, as well as Mr. Vladeck and

Professor Dan Solove, The George Washington University Law School
Carol DiBattiste, Senior Vice President, Privacy, Security, Compliance & Government Affairs, LexisNexis
Brendon Lynch, Chief Privacy Officer, Microsoft 

The program may be viewed live at 8:45 AM EDT at http://www.law.gwu.edu/News/Videos/Pages/Privacy.aspx.

It is also available for audio only at  800-884-7907, access code: 379342

Carnegie Mellon Study Claims Thousands of Web Sites Misrepresent Privacy Settings

The Platform for Privacy Preferences Project, or P3P, is browser technology that allows a user to set privacy conditions and state what personal information may be seen by websites. Websites using P3P are supposed to respect the user's settings. Heralded as a privacy-enhancing technology when the World Wide Web Consortium recommended it in 2002, the automated tool has never caught on, and the vast majority of consumers don't use it.

Nevertheless, a just-released study by Pedro Giovanni Leon, Lorrie Faith Cranor, Aleecia M. McDonald and Robert McGuire of Carnegie Mellon CyLab has concluded that large numbers of websites are misrepresenting their P3P privacy practices, "thus misleading users and rendering privacy protection tools ineffective." From the Abstract:

"Platform for Privacy Preferences (P3P) compact policies (CPs) are a collection of three-character and four-character tokens that summarize a website's privacy policy pertaining to cookies. User agents, including Microsoft's Internet Explorer (IE) web browser, use CPs to evaluate websites' data collection practices and allow, reject, or modify cookies based on sites' privacy practices. CPs can provide a technical means to enforce users' privacy preferences if CPs accurately reflect websites' practices. Through automated analysis we can identify CPs that are erroneous due to syntax errors or semantic conflicts. We collected CPs from 33,139 websites and detected errors in 11,176 of them, including 134 TRUSTe-certified websites and 21 of the top 100 most-visited sites. Our work identifies potentially misleading practices by web administrators, as well as common accidental mistakes. We found thousands of sites using identical invalid CPs that had been recommended as workarounds for IE cookie blocking. Other sites had CPs with typos in their tokens, or other errors. 98% of invalid CPs resulted in cookies remaining unblocked by IE under its default cookie settings. It appears that large numbers of websites that use CPs are misrepresenting their privacy practices, thus misleading users and rendering privacy protection tools ineffective. Unless regulators use their authority to take action against companies that provide erroneous machine-readable policies, users will be unable to rely on these policies."

Just as a recent University of California-Berkeley study about flash cookies and privacy prompted a series of lawsuits recently against Quantcast and Clearspring and users of their technology, there is speculation that the Carnegie Mellon study may inspire new lawsuits and investigations.  The websites using P3P compact policies are not without their defenses however, so it remains to be seen whether the study serves as a sturdy "platform for plaintiffs' preferences."
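As an added illustration of the kind of automated check the study describes (this is not the CMU researchers' code), the following Python validator pulls the CP token string out of a P3P response header, flags tokens outside the P3P 1.0 compact-policy vocabulary, and reports one kind of semantic conflict. The sample headers are constructed. Which tokens take an a/i/o consent suffix, which token groups a CP must contain, and what counts as a conflict are this example's own assumptions rather than rules taken from the specification or the study.

```python
"""Validator for P3P compact policies (CPs), in the spirit of the automated
analysis the CMU study describes. Added example, not the study's code.
Token vocabulary: P3P 1.0 compact-policy grammar. Suffix rules, required
token groups and conflict rules are this example's own assumptions."""
import re

ACCESS = {"NOI", "ALL", "CAO", "IDC", "OTI", "NON"}
DISPUTES = {"DSP"}
REMEDIES = {"COR", "MON", "LAW"}
NON_IDENTIFIABLE = {"NID"}
PURPOSE = {"CUR", "ADM", "DEV", "TAI", "PSA", "PSD",
           "IVA", "IVD", "CON", "HIS", "TEL", "OTP"}
RECIPIENT = {"OUR", "DEL", "SAM", "UNR", "PUB", "OTR"}
RETENTION = {"NOR", "STP", "LEG", "BUS", "IND"}
CATEGORY = {"PHY", "ONL", "UNI", "PUR", "FIN", "COM", "NAV", "INT", "DEM",
            "CNT", "STA", "POL", "HEA", "PRE", "LOC", "GOV", "OTC"}
TEST = {"TST"}
KNOWN = (ACCESS | DISPUTES | REMEDIES | NON_IDENTIFIABLE | PURPOSE
         | RECIPIENT | RETENTION | CATEGORY | TEST)

# Assumption: only purposes other than CUR and recipients other than OUR take
# the one-letter consent suffix (a = always, i = opt-in, o = opt-out).
SUFFIXABLE = (PURPOSE - {"CUR"}) | (RECIPIENT - {"OUR"})

# Access tokens that assert the site holds identified data about the user.
IDENTIFIED_ACCESS = {"ALL", "CAO", "IDC", "OTI"}

CP_RE = re.compile(r'CP\s*=\s*"([^"]*)"')


def extract_cp(header_value):
    """Return the quoted CP from a P3P header value, or None if absent.
    Example value: 'policyref="/w3c/p3p.xml", CP="NOI DSP COR"'."""
    match = CP_RE.search(header_value)
    return match.group(1) if match else None


def split_token(token):
    """Split 'PSAa' into ('PSA', 'a'); tokens without a suffix get ''."""
    if len(token) == 4 and token[3] in "aio":
        return token[:3], token[3]
    return token, ""


def validate_cp(cp):
    """Return the list of problems found in a CP string; [] means it passed."""
    problems = []
    bases = set()
    tokens = cp.split()
    if not tokens:
        return ["empty compact policy"]
    for token in tokens:
        base, suffix = split_token(token)
        if base not in KNOWN:
            problems.append(f"unknown token {token!r}")
            continue
        if suffix and base not in SUFFIXABLE:
            problems.append(f"consent suffix not allowed on {token!r}")
        bases.add(base)
    # Semantic conflict: claiming no identified data (NOI) or a
    # non-identifiable statement (NID) while also describing access to
    # identified data.
    clash = bases & IDENTIFIED_ACCESS
    if bases & {"NOI", "NID"} and clash:
        problems.append("NOI/NID contradicts identified-data access token(s) "
                        + " ".join(sorted(clash)))
    # Assumption: unless the statement is non-identifiable (NID), a CP needs
    # at least one purpose, recipient, retention and category token.
    if "NID" not in bases:
        for label, group in (("purpose", PURPOSE), ("recipient", RECIPIENT),
                             ("retention", RETENTION), ("category", CATEGORY)):
            if not bases & group:
                problems.append(f"no {label} token")
    return problems


def audit(headers_by_site):
    """Map each site to the problems in its CP ('missing CP' if it has none)."""
    report = {}
    for site, header in headers_by_site.items():
        cp = extract_cp(header)
        report[site] = ["missing CP"] if cp is None else validate_cp(cp)
    return report


# Constructed sample headers (not captured from real sites).
SAMPLE_HEADERS = {
    "good.example": 'CP="NOI DSP COR CUR ADMa DEVa PSAa OUR IND NAV"',
    "typo.example": 'policyref="/w3c/p3p.xml", CP="CAO PSAa OUR IND NAVV"',
    "clash.example": 'CP="NOI CAO DSP COR CUR PSAa OUR IND NAV"',
    "fake.example": 'CP="This is not a P3P policy!"',
    "none.example": 'policyref="/w3c/p3p.xml"',
}

if __name__ == "__main__":
    for site, problems in audit(SAMPLE_HEADERS).items():
        print(site, "OK" if not problems else "; ".join(problems))
```

Run it and the "fake" and "typo" policies are reported as invalid, yet neither contains a token that describes an objectionable practice, which fits the study's observation that invalid CPs mostly left cookies unblocked: a CP a browser cannot parse is not the same as a CP that admits to bad practices, so an out-of-band validator like this, rather than the browser, is what surfaces the discrepancy.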

"Privacy Papers for Policy Makers"

On Wednesday, September 15th at 8:30 AM in the Moot Courtroom of the George Washington University School of Law, there will be a program featuring privacy scholarship selected by the Future of Privacy Forum Advisory Board as the best “Privacy Papers for Policy Makers,” representing cutting-edge research and analytical work on a variety of privacy topics.  I founded and co-chair the Future of Privacy Forum, which is a think tank focused on advancing consumer privacy in ways that are business practical.

We solicited papers that clearly analyzed current and emerging privacy issues, and either proposed achievable short-term solutions or offered fresh analysis that could lead to new approaches and solutions. Academics, privacy advocates and Chief Privacy Officers on FPF’s Advisory Board reviewed all submitted papers, emphasizing clarity, practicality and overall utility as the most important criteria for inclusion.

The hope is that this relevant and timely scholarship helps inform policy makers in Congress, at the FTC, and in other federal and state agencies as they address privacy issues. This compilation is also being provided to policy makers abroad.

Leading the discussion on the 15th will be David Vladeck, Director of the Bureau of Consumer Protection at the Federal Trade Commission, who will be joined by Carol DiBattiste, Chief Privacy Officer of Lexis Nexis; Brendon Lynch, Chief Privacy Officer at Microsoft; GW Law Professor Dan Solove; and my FPF co-chair and director, Jules Polonetsky.

To attend, please e-mail lauren@futureofprivacy.org


If the Online Notice is Too Complex, Does That Open the Door to Tort Claims?

In an opinion piece appearing in today's Wall Street Journal, available here, Eric Felten describes an ongoing case in which a tort claim seeks to escape the limitation of liability language contained in an End User License Agreement (EULA):

A federal judge in Hawaii ruled last month that a man claiming to be addicted to a videogame can sue the game's maker for gross negligence in not warning him he could become a joystick junkie. Craig Smallwood alleges in his lawsuit that, as a result of playing the online game "Lineage II," he has "suffered extreme and serious emotional distress and depression, and has been unable to function independently in usual daily activities such as getting up, getting dressed, bathing, or communicating with family and friends."

Felten continues:

Silly as the suit may be, it isn't without legal ramifications. Steven Roosa, a lawyer doing research at Princeton's Center for Information Technology Policy, sounded almost giddy this week at the prospect that a court might chip away at the enforceability of End User License Agreements, or EULAs. These software license agreements often radically limit how, and for how much, customers can sue if they feel harmed by an electronic product.

Mr. Roosa cheered on his blog that the judge in Hawaii has opened an avenue for escaping the tyranny of these one-click, liability-limiting contracts. He called the judge's refusal to throw the case out in its entirety a "stunning defeat" not only for the maker of Lineage II, but for the whole business of locking customers into contracts that consist of miles of electronic fine print that hardly anyone ever reads.

Felten observes in his Journal article that "[n]o doubt we do live in a time of kudzu legalese, with weedy contractual tendrils crawling into every electronic transaction. It's alarming to think about everything we sign off on these days, with endless demands to click "I agree" as the non-negotiable price of entry into our electronic worlds. Alarming, because few of us ever peruse the legal documents to which we so regularly and glibly affix our electronic signatures."

Last April, the British retailer Gamestation set out to prove the point by including in its boilerplate some Mephistophelean contractual language: "By placing an order via this Web site," read the clause, "you agree to grant us a non-transferable option to claim, for now and for ever more, your immortal soul." In just one day, some 7,500 customers "agreed" to hand over their souls for a mess of virtual pottage. (emphasis supplied)

In the context of privacy policies, two weeks ago I was a panelist at the Privacy, Identity and Innovation 2010 conference in Seattle in the session "Competing on Privacy: Trade-offs, Transparency and Trust." At the session, I observed that privacy policies often are dense because companies need to protect themselves, but that alongside the legalese of the privacy policies can be layered notices with simple declarative sentences and even videos of people explaining in plain English how personal information is collected and used.

A blogger in the Seattle audience yelled out at me for admitting that I draft lengthy privacy policies, and I tried to get this concept across, explained in today's Journal article:

The proliferation of annoying and obnoxious license agreements has been driven, primarily, not by companies' desire to abuse their customers, but by a need to keep their rather more litigious customers from abusing them (and the legal system). As Jonathan Zittrain, who teaches both law and computer science at Harvard, puts it, "EULAs are, for most companies, a shield not a sword."

(I did not admit nor do I mean to suggest that the policies I draft are "annoying and obnoxious," just lengthy.)

So it is a given that legal notices almost inevitably will be complex, but supplemental, simplified notices, even video notices, alongside the legalese will better inform consumers. They should also thwart tort claims where a plaintiff claims "I had no idea this could be the result of my interaction with the web site."