‘Click’ . . . You Just Agreed To Sell Your Privacy

We have all gone to a website and, in accessing the website’s services, have agreed to “terms and conditions” that include a litany of policies, including privacy policies governing how the company maintaining the website will use our personal information obtained while accessing the website. And let’s be honest, even as attorneys or soon-to-be-attorneys, many of us usually do not actually take the time to read the laundry list of items we are agreeing to just so we can obtain a 20% coupon.  I know I’m guilty of regularly clicking “I agree” without reading every term and condition.

cartoon image of a desktop computerWhile we may think our assent to a website’s terms and conditions has little effect on our everyday life, our agreement does in fact matter, and not just for us but also for the company maintaining the website.  For example, one such specific website that most, if not all, of us have used is Facebook. While, again, we likely have not paid very close attention to Facebook’s privacy policies such as its data and cookie policies, those policies explain that Facebook uses cookies or browser fingerprinting to identify users and track what third-party websites users browse.  This use of cookies or browser fingerprinting is why you see ads for products or services that are, or at least should be, most relevant to you.  Indeed, these processes are why I now regularly see ads for Nintendo products when on Facebook after having searched for and purchase Nintendo’s handheld 3DS video game system for my ten year old son.

Facebook’s privacy policies governing its use of cookies or browser fingerprinting serve an important function in helping protect Facebook against potential liability for use of a consumer’s information. Indeed, Facebook’s privacy policy recently carried the day in getting a case dismissed against it in which the Plaintiffs alleged a litany of causes of action against Facebook, including violation of the Computer Fraud and Abuse Act, California Invasion of Privacy Act, Health Insurance Portability and Accountability Act, and other common law claims.

In Smith v. Facebook, Inc., Case no. 16-cv-1282, the Northern District of California dismissed the claims against Facebook, with prejudice, based upon Facebook’s user agreement, which one must accept to use Facebook. There, the Plaintiffs argued that Facebook violated numerous federal and state statutes, as well as common law, by tracking and collecting its users’ web browsing activity, including sensitive information from various healthcare websites. In dismissing the case, the Court found that Plaintiffs had consented to Facebook’s tracking and marketing activity when they agreed to Facebook’s “data policy” and “cookie policy” when opening a Facebook account. The Court further found that while the applicable policy provisions were broad, they were not vague and provided adequate notice of the tracking activity in which Facebook engaged. For example, a portion of Facebook’s “cookie policy” explained that “[t]hings like Cookies and similar technologies (such as information about your device or a pixel on a website) are used to understand and deliver ads, make them more relevant to you, and analyze products and services and the use of those products and services . . . we use cookies so we, or our affiliates and partners, can serve you ads that may be interesting to you on Facebook Services or other websites and mobile applications.” Simply put, Facebook’s privacy policy, which Plaintiffs had agreed to when they signed up for Facebook, was adequately clear to permit Facebook to track and collect Plaintiffs’ web browsing activity, including browsing of healthcare related information. In so finding, the Court rejected Plaintiff’s arguments that the policies were buried and overbroad.

Facebook’s victory raises two practical concerns in mind.  First being, what all have I agreed to with respect to my personal information?  For example, I own an iPhone 7 with which I can say, “Hey Siri?” and it will respond.  In other words, the microphone in my iPhone is always listening to what I say.  This makes me wonder, by purchasing and using my iPhone, have I agreed that Apple can record my conversations and use “buzz” words it picks up to market directly to me?  Or worse, are there apps I’ve downloaded to my iPhone in which I agreed that those companies can record and sell my conversations to third-parties?  I’ve likely given up much privacy without even realizing it.

Second is what, if anything, can I do about these privacy policies?  The general answer is, not much other than decide not to use certain websites or products as I doubt Facebook will accept my redlines of its privacy policy.  Instead, if I use the website, I’m stuck agreeing to the company’s terms and conditions.  Again, to engage with these websites and other modern conveniences, think Amazon, I likely need to give up portions of my privacy.

In the end, Facebook’s victory is a good reminder that as consumers we should not take so lightly the privacy policies to which we regularly agree.  Additionally, as students of the law we should critically think about what privacy policies’ similar to Facebook’s mean for our individual privacy in our modern world.  Maybe we already decided, as a society, that convenience and improved technology are worth exchanging for less privacy.  Nonetheless, it is something of which I know I need to be more cognizant and I think it would not hurt if we all think about a little more.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.