A fresh story about the privacy of electronic data appears in the news each week. People are justifiably concerned that online and mobile device companies not surreptitiously collect or use, without their knowledge and consent, personal information they voluntarily disclose to social media sites. See “Customers Stay Despite High-Profile Data Breaches,” https://abcnews.go.com/Technology/wireStory?id=13503565
Not surprisingly, these concerns and stories are spawning lawsuits. The challenge faced by attorneys filing or defending electronic privacy cases is to determine what legal principles will apply, and indeed whether the behavior complained of is actionable under existing law. Congress and state legislatures have only begun to consider legislation governing management of electronic personal data in the modern world of social media and mobile devices. As a result, lawyers and judges are currently struggling to determine the application of decades-old legislation and common law principles to new millennium problems.
In some cases hoary principles of negligence and contract law may provide the framework for decision. Recently filed cases involving hackers who obtained contact information for bank customers and credit card information from Sony Playstation devices will likely turn on whether the companies storing the stolen information acted with sufficient care to avoid unwanted release of data. In other cases courts are considering whether the defendant company’s management of electronic information violated the company’s contract with its customers. See, “Data Breach Suits Grow, But Damages Hard to Prove,”https://www.businessinsurance.com/article/20110512/NEWS01/110519979.
Two recent class action cases against Facebook have tested application of a number of federal and state statutes concerning wiretapping of electronic communications in transit, release of stored electronic information to third parties, computer hacking and consumer protection — all enacted decades before the advent of Facebook, Twitter and iPhones, to modern electronic privacy issues.
Lane v. Facebook concerned Facebook’s aborted “Beacon” program, which when active allegedly communicated information about people’s commercial activities to Facebook and its members without disclosure or consent. In that case the parties, rather than put the legal theories to the test, entered into a settlement in excess of $9 million, which is presently on appeal. Log on here for more information about the case: https://dockets.justia.com/docket/california/candce/5:2008cv03845/206085/.
In re Facebook Privacy Litigation involves complaints that when consumers clicked on banner advertisements on Facebook, the “referrer header” in the browser bar included the consumer’s personal Facebook member ID number, thus permitting advertisers to gather personal information about that consumer from the Facebook site. On May 12, 2011 the judge in that case dismissed large portions of the complaint, ruling that laws concerning wiretapping and computer hacking did not apply. The judge also rejected application of consumer laws protecting citizens against loss of money and property and injury in connection with purchase or lease of goods to release of personal data by an online service that does not charge its members. As a result, the case is likely to go forward on the limited question of whether the information disclosure violated Facebook’s terms of service. Click here for a copy of the ruling: https://regmedia.co.uk/2011/05/13/facebook_privacy_ruling.pdf.
The law concerning privacy of online information will continue to evolve through litigation unless and until Congress enacts comprehensive legislation in this field.