Published by LawTechie - June 17, 2013 - LawTechie

intellectual property attorneyGone are the days where privacy breaches would go unnoticed. At least, that is what is likely to happen as a result of Harris v. ComScore, a privacy case which allowed for a class action suit to be maintained.

Harris v. ComScore is a significant decision because class actions come with the threat of massive liability and tend to encourage companies in the industry (here internet and advertising businesses) to renew and extend their compliance efforts.

Privacy Law in the Internet age remains, to a large extent, a Wild West with unsettled boundaries. Generally speaking, when an Internet company breaches its privacy policy, no substantial consequence follows. Sure, the biggest players can, and frequently do, get in trouble with the Federal Trade Commission (FTC), but it is not like such regulations have any teeth for the small to middle-size players, as only the biggest Internet players have been investigated and fined so far.

Without class actions, individually suing a company was uneconomical because the money damages for such suits were insignificant, in terms of dollars and cents. And even when such suits were brought, they were too few and far between to encourage companies to set forth robust privacy compliance program.

But now that the ComScore class action has been green-lighted, expect an explosion of privacy suits. Whereas in the past, privacy breach could go unnoticed, they are now much more likely to be the basis of lawsuits. This is especially so since major privacy scandals (a.k.a. Spygate) have erupted, thereby putting privacy issues in the spotlight.

Digital Castle Intrusion & Passwords Collections are big No-Nos.

When ComScore users downloaded a free third-party software (such as a screen-saver) they were also downloading a ComScore software package. That package would ask the user to accept the privacy policy and would then proceed to,

“collect[…] a variety of information about a consumer’s computer, including the names of every file on the computer, information entered into a web browser, including passwords and other confidential information, and the contents of PDF files.”

After that, ComScore would sell the data to advertisers.

The ComScore case should be a slam-dunk for the plaintiffs because:

  1. Comscore collected data no holds barred. That is, it grabbed virtually all data it could get its hands on, including passwords; usernames; and credit cards information.
  2. ComScore exceeded the bounds of their customers’ consent (see below).

Regarding (1), ComScore reached into the users’ digital castle – inside their computers’ hard-drive – which has a trespass flavor to it, in contrast to collecting voluntarily disclosed information online, on social networking sites, for example.

Even in a digital world where the legal boundaries are uncertain, there is a world of difference between consumer interactions on the online public spheres and the passwords, credit card information, and family pictures retrieved on your home computers.

Privacy Policy: Best Practices: Don’t Exceed The Bounds of the Consent Received.

Making a misrepresentation is never a good idea. But that is what you would be doing if you were to collect data not stated in your Privacy Policy. There should be no meaningful difference between what you engage in in practice and your policy.

Having a Privacy policy in place enables you to use customer data by telling your customers exactly how their data is used. By detailing your process accurately and prominently displaying that policy, you can use such data legally and to your advantage (but other consent features may be required – opt-in/out; express/implied acceptance; conspicuous language.)

ComScore’s policy used vague language. It represented that it would collect “basic demographic information, certain hardware, software, computer configuration and application usage” but in fact went far beyond that. This is how you get in trouble.

To reiterate, draft your Privacy Policy with precision and make sure that it fairly depicts your data collection practices.

ComScore should be an easy privacy breach case, but will remain an interesting case to watch mainly because of the class action ramifications (i.e. explosions of privacy lawsuits) and because it remains to be seen how the broadly and awkwardly-worded federal statutes are to apply to modern privacy issues, in practice.

Guest author Steven Buchwald is a law clerk on Tim’s internet law team at Handal & Morofsky. Steven is currently a law student at the Benjamin N. Cardozo School of Law and will graduate in June 2014 with concentrations in intellectual property law and litigation.

LawTechie is a blog focusing on trends in tech and digital media. Areas covered include intellectual property, cyberlaw, venture capital, transactions and litigation as they relate to the emerging sectors. The blog is edited by the firm's partner Tim Bukher with contributions from the firm's experts in their respective areas of law.

Contact

Enter your email to get started.