Court Rejects Plaintiff’s Argument that Overbroad Privacy Policy Led to Waiver of 1st Amendment Rights
By Mehmet Munur
A federal district court in Missouri ruled on December 9 that the broad website privacy policy of a newspaper did not lead to an anonymous commenter’s contractual waiver of his First Amendment rights. While the case does not break new ground in First Amendment jurisprudence, it emphasizes some of the shortcomings of the self-regulatory system of privacy regulation of the web in the US. Such overbroad privacy policies and underlying practices may be one reason why the FTC is shying away from the Notice-Choice paradigm.
The plaintiff brought a motion to compel in order to reveal the identity of an anonymous commenter, who was not a party to the litigation, for comments posted on a News-Leader article. First, the Plaintiff argued that the anonymous commenter’s speech was not given absolute protection. While the court agreed, it stated that political speech was given high level of protection especially in circumstances where the commenter was not a party to the litigation and dismissed the argument.
Second, the plaintiff argued that the anonymous commenter agreed to the News-Leader’s Privacy Policy during the sign-up process and, therefore, waived his First Amendment rights to anonymous speech. The Privacy Policy stated:
The District Court rejected this argument as well because “a contractual waiver of constitutional rights ‘must, at the very least, be clear.’” Therefore, the District Court declined to reveal the identity of the anonymous poster.
Leaving aside the free speech issues, the case also highlights some of the issues with the current state of privacy regulation on the web in the US. First, FTC’s aspirational Fair Information Practice Principles seek to stop such overreaching privacy policies. The Notice principle, which is “the most fundamental” of the principles, states that the entity collecting the data should “properly inform” consumers “of the uses to which the data will be put” and the “identification any potential recipients of the data.” Therefore, stating that the data transferred to any third party for any purpose does not properly inform a consumer. Nevertheless, this inconsistency does not create any liability because the FIPPs are only guidelines and they are not enforceable. FTC expects the industry participants to regulate themselves and only appears to bring enforcement actions against the most egregious of violators.
In contrast, websites in jurisdictions with omnibus data protections laws, such as the EU, would be hard pressed to implement such privacy policies. The EU Data Protection Directive states in Article 6 that personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.” Since the purposes in the privacy policy are neither specified nor explicit, any further use by the collecting entity or a third party would violate the Directive and its national counterparts.
However, this difference in approaches to privacy regulation may be changing. Commentators and regulators in the EU and the US recognize the shortcomings of the Notice-Choice paradigm and are moving away from it. Recently, in the Madrid International Conference of Data Protection and Privacy Commissioners highlighted some of the issues with Notice-Choice and the need to move towards an Accountability standard. In fact, the regulators signed a document to that effect during the conference. Two weeks later, the Department of Commerce Conference on Cross Border Data Flows, Data Protection and Privacy reiterated the same message—primarily because the attendees were the same people. Finally, just last Monday, several attendees to the FTC Privacy Roundtable highlighted the issues with self-regulation in the US and the need to move to an Accountability standard. In fact, the FTC hinted at the need to refine the current Notice-Choice paradigm with the Sears enforcement action. Given the regulatory momentum, we will likely see the FTC providing more guidance for websites on privacy issues soon after the Privacy Roundtables, at the very least in the behavioral advertising realm.
The case is Sedersten v. Taylor, No. 09-3031-CV-S-GAF, 2009 U.S. Dist LEXIS 114525 (W.D. Mo. Dec. 9, 2009).
See also Venkat Balasubramani’s comments via Eric Goldman’s Blog.
A federal district court in Missouri ruled on December 9 that the broad website privacy policy of a newspaper did not lead to an anonymous commenter’s contractual waiver of his First Amendment rights. While the case does not break new ground in First Amendment jurisprudence, it emphasizes some of the shortcomings of the self-regulatory system of privacy regulation of the web in the US. Such overbroad privacy policies and underlying practices may be one reason why the FTC is shying away from the Notice-Choice paradigm.
The plaintiff brought a motion to compel in order to reveal the identity of an anonymous commenter, who was not a party to the litigation, for comments posted on a News-Leader article. First, the Plaintiff argued that the anonymous commenter’s speech was not given absolute protection. While the court agreed, it stated that political speech was given high level of protection especially in circumstances where the commenter was not a party to the litigation and dismissed the argument.
Second, the plaintiff argued that the anonymous commenter agreed to the News-Leader’s Privacy Policy during the sign-up process and, therefore, waived his First Amendment rights to anonymous speech. The Privacy Policy stated:
We also reserve the right to use, and to disclose to third parties, all of the information collected from and about you while you are using the Site in any way and for any purpose, such as to enable us or a third party to provide you with information about products and services that may be of interest to you. In some cases we will use and/or share only non-personally identifiable information, but in other cases we may use and share personally identifiable information.
The District Court rejected this argument as well because “a contractual waiver of constitutional rights ‘must, at the very least, be clear.’” Therefore, the District Court declined to reveal the identity of the anonymous poster.
Leaving aside the free speech issues, the case also highlights some of the issues with the current state of privacy regulation on the web in the US. First, FTC’s aspirational Fair Information Practice Principles seek to stop such overreaching privacy policies. The Notice principle, which is “the most fundamental” of the principles, states that the entity collecting the data should “properly inform” consumers “of the uses to which the data will be put” and the “identification any potential recipients of the data.” Therefore, stating that the data transferred to any third party for any purpose does not properly inform a consumer. Nevertheless, this inconsistency does not create any liability because the FIPPs are only guidelines and they are not enforceable. FTC expects the industry participants to regulate themselves and only appears to bring enforcement actions against the most egregious of violators.
In contrast, websites in jurisdictions with omnibus data protections laws, such as the EU, would be hard pressed to implement such privacy policies. The EU Data Protection Directive states in Article 6 that personal data must be “collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes.” Since the purposes in the privacy policy are neither specified nor explicit, any further use by the collecting entity or a third party would violate the Directive and its national counterparts.
However, this difference in approaches to privacy regulation may be changing. Commentators and regulators in the EU and the US recognize the shortcomings of the Notice-Choice paradigm and are moving away from it. Recently, in the Madrid International Conference of Data Protection and Privacy Commissioners highlighted some of the issues with Notice-Choice and the need to move towards an Accountability standard. In fact, the regulators signed a document to that effect during the conference. Two weeks later, the Department of Commerce Conference on Cross Border Data Flows, Data Protection and Privacy reiterated the same message—primarily because the attendees were the same people. Finally, just last Monday, several attendees to the FTC Privacy Roundtable highlighted the issues with self-regulation in the US and the need to move to an Accountability standard. In fact, the FTC hinted at the need to refine the current Notice-Choice paradigm with the Sears enforcement action. Given the regulatory momentum, we will likely see the FTC providing more guidance for websites on privacy issues soon after the Privacy Roundtables, at the very least in the behavioral advertising realm.
The case is Sedersten v. Taylor, No. 09-3031-CV-S-GAF, 2009 U.S. Dist LEXIS 114525 (W.D. Mo. Dec. 9, 2009).
See also Venkat Balasubramani’s comments via Eric Goldman’s Blog.
0 Comments:
Post a Comment
Subscribe to Post Comments [Atom]
<< Home