It is a recurring issue in data privacy litigation—a plaintiff commences litigation challenging applications of new technology and raising various claims concerning decades-old data privacy laws that predated the technology at issue.  Such is the case of recent data scraping litigation, addressed in greater detail below.

What is data scraping?  Good question.  To generalize, it is a mechanism of extracting data from websites (including websites not available to the public and accessible only to individuals with user accounts).  The practices of Clearview, which has been the subject of recent litigation, are a prime example.  By compiling information scraped from the social media accounts of billions of individuals, Clearview was able to create a massive facial recognition database it subsequently provided to third-party customers.  However, notwithstanding the clear privacy issues implicated by data scraping, there is no law specifically regulating this practice nationwide (although some state laws, as CPW has already covered, regulate the collection of biometric data).  As such, in litigation regarding data scraping, parties are stuck arguing over the application of various statutes that were enacted long before data scraping was prevalent.

As just one example: To address the growing problem of computer hacking, in 1984 Congress passed the Computer Fraud and Abuse Act (the “CFAA”), creating criminal and civil liability for a party who accesses a computer without authorization or in a manner exceeding their authorization.  To prevail on a civil CFAA claim, a plaintiff typically must demonstrate that a defendant intentionally accessed a computer without authorization or exceeded the authorized access, and thereby obtained information from a protected computer.  The CFAA has been extensively litigated, although courts have not interpreted its provisions consistently.  This includes its application to data scraping.  While courts usually apply the CFAA in a manner that protects a website’s publicly available data against third-party unauthorized access, courts have also formulated various standards to determine whether a third party’s access to a website was without authorization or exceeded authorized access in violation of the CFAA.

This is because, among other things, the CFAA prohibits intentionally accessing a protected computer “without authorization” or in a manner that exceeds the authorized access, and obtaining information from such a computer.  The CFAA defines “protected computer” broadly, and includes every computer connected to the Internet.  The CFAA also prohibits knowingly and with intent to defraud, accessing a protected computer without authorization, or exceeding authorized access, and by means of such conduct furthering the intended fraud and obtaining anything of value.  18 U.S.C. Section 1030.  Importantly, however, the CFAA does not define the term “without authorization”.  This ambiguity in the statute has led to a split among the federal appeals courts regarding how the condition of “without authorization,” as used in the CFAA, should be applied in the context of data scraping.  While some circuit courts have broadly looked to whether collecting data from a website violates a website’s terms of use or service, other courts have more narrowly interpreted the condition to require the technical circumvention of some kind of code-based access restriction.

For instance, last year the Ninth Circuit in hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985 (9th Cir. 2019), addressed under what circumstances a company may legally “scrape” data from another company’s website.  There, the court determined on a motion for a preliminary injunction that “scraping” publicly available information from LinkedIn likely is not a violation of the CFAA because the LinkedIn computers are publicly accessible.  As such, hiQ did not access the computers “without authorization” as required by the CFAA.  The Second and Fourth Circuits follow this interpretation of the CFAA as well.

This approach is far from uniform, however.  Sw. Airlines v. Farechase, 318 F. Supp. 2d 435, 439-40 (N.D. Tex. 2004) (finding that a plaintiff plausibly alleged a CFAA claim when Southwest “directly informed” the defendant that its scraping activity violated the Use Agreement on Southwest’s website, which was “accessible from all pages on the website,” as well as via “direct repeated warnings and requests to stop scraping.”).  The First, Fifth, Seventh and Eleventh Circuits broadly interpret the CFAA to cover violations of corporate computer use restrictions and policies governing authorized uses of databases.

Three years in, the LinkedIn-hiQ battle over data scraping continues in both the Northern District of California, and the Supreme Court of the United States, where LinkedIn’s petition for certiorari is pending.  For those who are not familiar, hiQ filed its initial complaint against LinkedIn in 2017, alleging LinkedIn’s cease-and-desist letters to hiQ, followed by LinkedIn restricting hiQ’s access to its website, was anticompetitive and violated state and federal laws. The crux of hiQ’s complaint was that LinkedIn did not have monopoly rights to personal data made publicly available by its users, and that by scraping its website, hiQ did not violate users’ privacy rights (what LinkedIn alleges).  As mentioned, the Northern District of California granted hiQ’s request for a preliminary injunction against LinkedIn restricting hiQ’s access to publicly available LinkedIn member profiles.  LinkedIn appealed, but the appeal was denied.  LinkedIn then filed a petition for certiorari to the SCOTUS, which is currently pending.

Separate from the preliminary injunction, on September 9, 2020, Judge Chen of the Northern District of California granted in part LinkedIn’s motion to dismiss hiQ’s amended complaint. The Court dismissed all claims under the Sherman Act, the federal antitrust legislation.  Nine separate causes of action remain, including hiQ’s allegation that LinkedIn violated California’s Business and Professions Code (the California antitrust legislation).  LinkedIn filed its Answer and Counterclaims on November 20—including counterclaims under, you guessed it, the CFAA.

The specific question pending before the SCOTUS (in hiQ’s words) is: “Whether a professional networking website may rely on the Computer Fraud and Abuse Act’s prohibition on “intentionally access[ing] a computer without authorization” to prevent a competitor from accessing information that the website’s users have shared on their public profiles and that is available for viewing by anyone with a web browser.”  Theoretically, if SCOTUS rules in favor of hiQ, LinkedIn members (and users/members of other similar platforms) may lose their ability to control where and with whom their personal information is shared once they have made it public through the platform.  The ruling would also answer the question of who owns rights to users’ “publicly accessible” data.  It is a critical question, and bound to have a major impact in the data scraping arena.

So there you have it.  Another day, another interesting development in data privacy litigation.  How this all shakes out in regards to data scraping (and what it means for the millions of individuals whose personal data is the target of such scraping) remains to be seen.  Stay tuned.

 

As readers of CPW know, data scraping is a hot button data privacy issue.  We previously covered the hiQ/LinkedIn data-scraping saga HERE, and HERE.  In the most recent ruling out of the Northern District of California, Judge Chen denied hiQ’s motion to dismiss LinkedIn’s counterclaims for breach of contract, misappropriation, and trespass to chattels.  Additionally, the Court deferred ruling on the motion to dismiss counterclaims for violation of the Computer Fraud and Abuse Act (“CFAA”) and California Penal Code § 502, pending the Supreme Court’s ruling on LinkedIn’s petition for a writ of certiorari.

What question is pending before the SCOTUS in LinkedIn’s petition for writ?  As LinkedIn phrases it, the issue is “[w]hether a company that deploys anonymous computer ‘bots’ to circumvent technical barriers and harvest millions of individuals’ personal data from computer servers that host public-facing websites—even after the computer servers’ owner has expressly denied permission to access the data—‘intentionally accesses a computer without authorization’ in violation of the Computer Fraud and Abuse Act.”  [Note: In hiQ’s framing, the question is instead whether a professional networking website (such as LinkedIn) may rely on the CFAA’s prohibition on “intentionally access[ing] a computer without authorization” to prevent a competitor from accessing information that the website’s users have shared on their public profiles and that is available for viewing by anyone with a web browser.]

In addition to LinkedIn’s petition, the question of “when does a person exceed authorized access under the CFAA?” is also pending before SCOTUS in the case of United States v. Van Buren, 940 F.3d 1192 (11th Cir. 2019), although it involves different facts than the present litigation.  140 S. Ct. 2667 (2020).  According to Judge Chen, both decisions may “have an impact on the instant case.”  And “[t]he Court will be in a better position to address the counterclaim[s] once the Supreme Court has issued its decision in Van Buren and/or the instant case.”

Since the specific question pending before the SCOTUS relates to the meaning of “unauthorized access” under CFAA, it was not surprising that Judge Chen deferred the ruling on the CFAA claims until after the SCOTUS has issued its decision.  What was somewhat more surprising, or interesting, was the Court also deferring ruling under the California Penal Code § 502, pending the SCOTUS ruling.  The Court agreed that although § 502 is not on all fours with the CFAA, the question of whether “as a matter of policy, the use of public information should be deemed criminal conduct” was deemed related to the question of “unauthorized access” under CFAA.

For you novices out there, California Penal Code § 502 makes it unlawful to “knowingly” and “without permission” access, alter, damage, delete, destroy, or otherwise use any data, computer or computer system or network.  In contrast to the CFAA, § 502 does not require “unauthorized access” but rather “knowingly access,” “without permission.”  In other words, what makes the access unlawful is that the person “without permission” takes, copies, or makes use of the data.  Some may say § 502 is more restrictive than the CFAA, but regardless, there is no question that both of the currently unanswered questions are bound to have a significant impact in the data-scraping arena.

Regarding hiQ’s motion to dismiss LinkedIn’s counterclaims for breach of contract, misappropriation, and trespass to chattels, the Court considered those adequately pled, raising only factual disputes and questions, which are not meant to be addressed at the pleading stage.  At bottom, hiQ was not successful in its motion to dismiss, but to be fair, the true victory in this case is squarely dependent on the question pending before the SCOTUS.  Stay tuned for that.  CPW will be there.

CPW has previously covered the state of play for data scraping litigation in the context of hiQ’s and LinkedIn’s ongoing dispute.  For an update on this litigation, read on below.

As a reminder, data scraping is a mechanism of extracting data from websites (including websites not available to the public and accessible only to individuals with user accounts).  The practices of Clearview, which has been the subject of recent litigation, are a prime example.  Notwithstanding the clear privacy issues implicated by data scraping, there is no law specifically regulating this practice nationwide (although some state laws, as CPW has already covered, regulate the collection of biometric data).  As such, in litigation regarding data scraping, parties are stuck arguing over the application of various statutes that were enacted long before data scraping was prevalent.

Which brings us to the hiQ v. LinkedIn litigation.  In their recently filed Joint Case Management Statement, both parties have made it clear that they are not backing away from proving that their definition of “unauthorized access” under the Computer Fraud and Abuse Act (the “CFAA”) is what the legislators intended, back in 1984, and what needs to prevail in the court of law. LinkedIn’s petition for certiorari on this question is still pending before the Supreme Court of the United States.  See our previous blog for more background on that, the CFAA, and this lawsuit.

As you will recall, hiQ filed its initial complaint against LinkedIn in 2017, alleging LinkedIn’s cease-and-desist letters to hiQ, followed by LinkedIn restricting hiQ’s access to its website, was anticompetitive and violated state and federal laws.  The crux of hiQ’s complaint was that LinkedIn did not have monopoly rights to personal data made publicly available by its users, and that by scraping its website, hiQ did not violate users’ privacy rights (what LinkedIn alleges).

The Northern District of California granted hiQ’s request for a preliminary injunction against LinkedIn restricting hiQ’s access to publicly available LinkedIn member profiles.  LinkedIn appealed, but the appeal was denied. The Ninth Circuit determined that “scraping” publicly available information from LinkedIn likely is not a violation of the CFAA because the LinkedIn computers are publicly accessible.  As such, hiQ did not access the computers “without authorization” as required by the CFAA.  LinkedIn then filed its petition for certiorari to the SCOTUS, which is currently pending.

Separate from the preliminary injunction, following Judge Chen’s ruling on its motion to dismiss, LinkedIn filed its Answer and Counterclaims on November 20, 2020, including counterclaims under the CFAA.  On January 18, 2021, hiQ filed a motion to dismiss LinkedIn’s counterclaims under the CFAA.  LinkedIn’s opposition is currently due on March 4, 2021.  It is unlikely that the SCOTUS will respond on the pending certiorari before then.

In addition to the meaning of unauthorized access, the parties are also disputing:

  • Whether the California Penal Code § 502 is simply coextensive with the CFAA or has a broader scope, whether it applies to public profile pages on the LinkedIn website and, if it does apply, whether hiQ’s access to such profiles violates the statute;
  • Whether any of hiQ’s claims are preempted by the CFAA or California Penal Code § 502; and
  • Whether hiQ breached the LinkedIn User Agreement, which specifically prohibits automated access and scraping.

Factual disputes also exist, including the method that hiQ purportedly used to gain access to LinkedIn’s computers and scrape data of LinkedIn’s members (i.e., the use of automated software/“bots”), and whether hiQ “knowingly” bypassed LinkedIn’s technical measures.  LinkedIn is also disputing whether hiQ’s loss of employees, and its difficulty in signing customers or raising money and investments (including all of the reasons why hiQ’s business has failed, if indeed it has), is in fact related to LinkedIn’s cease and desist letter or other actions.  LinkedIn has pointed to the vulnerability of “startups” in general as a likely cause of hiQ’s alleged business failure.

As we mentioned earlier, the questions posed in this lawsuit are bound to have major impact in the data scraping arena.  Stay tuned.

 

Last week the Supreme Court’s decision in Van Buren v. United States resolved a decade-long circuit split concerning the “exceeds authorized access” clause of the Computer Fraud and Abuse Act (“CFAA”).  Taking up the issue of whether an individual who has legitimate access to a computer network but accesses it for an improper or unauthorized purpose violates the CFAA, the Court ultimately found that such a use was not a violation of the statute.  Significantly, the decision in Van Buren endorses the narrower reading of CFAA adopted by the Second, Fourth, and Ninth Circuits,[1] while rejecting the more expansive reading of CFAA that had been the law of the land in the First, Fifth, Seventh, and Eleventh Circuits.[2]

One of the circuit splits that Van Buren appears to resolve, or provide guidance for resolving, is the question of whether violating a website’s terms of service constitutes a CFAA violation.  Prior to Van Buren, several courts within the Third, Fourth, Fifth, Eighth, and Ninth Circuits had found that terms of service violations could implicate the CFAA,[3] while other courts within the Fourth, Seventh, Tenth, and D.C. Circuits had found that individuals were not subject to criminal liability under CFAA by violating terms of service.[4]  The majority opinion in Van Buren, authored by Justice Amy Coney Barrett, adopts the latter reading.  Opining on the Government’s broad interpretation of the statute, the Court noted: “Many websites, services, and databases—which provide “information” from “protected computer[s],” §1030(a)(2)(C)—authorize a user’s access only upon his agreement to follow specified terms of service. If the “exceeds authorized access” clause encompasses violations of circumstance-based access restrictions on employers’ computers, it is difficult to see why it would not also encompass violations of such restrictions on website providers’ computers.” Op. at 18 (emphasis supplied).  This language appears in the Court’s broader analysis expressing concern over the scope of the Government’s interpretation of the statute, which the Court found “would attach criminal penalties to a breathtaking amount of commonplace computer activity.”  Op. at 17.

This language, as well as the policy concerns articulated by the Court supporting the narrower interpretation of CFAA, are anticipated to make it challenging to assert claims under CFAA for terms of service violations, including for misuse of data or information contained on a company’s website that would likely have constituted “exceed[ing] authorized access” under prior precedent.  However, companies seeking vindication for terms of service violations may still pursue other, previously available legal remedies.  This will be circumstance-dependent on the violation involved, including potential causes of action for copyright infringement, misappropriation, unjust enrichment, conversion, breach of contract, or breach of privacy.

The Court’s narrow interpretation of the CFAA is also likely to impact individuals and companies engaging in data scraping, or the process of using a program to extract data from a codebase or another program. Many public-facing websites include provisions in their terms of service that limit both their own customers’ and third parties’ use of the data contained on those websites.  Prior to Van Buren, some courts had found that data scraping constituted a violation of CFAA, particularly when the data being scraped was protected by some form of access permissions, such as a username or password requirement.[5]  This interpretation afforded entities with a remedy under the CFAA to protect the data against being scraped, as those entities could arguably assert claims under CFAA relying on that favorable precedent that data scraping “exceeds authorized access” of the website because the data was intended to be protected using access authorizations.  Some privacy advocates had also favored this broader interpretation of the CFAA as better protective of individual privacy.[6]

While Van Buren does not affirmatively allow for data scraping, the Supreme Court’s narrower reading of CFAA in the decision will likely limit the legal remedies that may be available for data scraping.  As a result, companies engaged in data collection may wish to develop more stringent contractual policies for potential consumers, or take additional action to revoke authorization to their websites for parties violating the terms of service.  To afford the same protections previously available under CFAA, these companies may want to consider, to the extent they do not already have them, liquidated damages and injunctive relief provisions in their contracts with other businesses.  This, of course, will not remedy violations committed by third parties that access their information by other means.  For that, a legislative fix may be necessary.

*Thomas J. Lloyd also contributed to this article as a co-author.

[1] See United States v. Valle, 807 F.3d 508, 523-28 (2d Cir. 2015); WEC Carolina Energy Solutions LLC v. Miller, 687 F.3d 199, 204 (4th Cir. 2012); LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1133 (9th Cir. 2009); United States v. Nosal, 676 F.3d 854, 856-63 (9th Cir. 2012) (en banc).

[2] See EF Cultural Travel B.V. v. Explorica, Inc., 274 F.3d 577, 583 (1st Cir. 2001); United States v. John, 597 F.3d 263, 271 (5th Cir. 2010); Int’l Airport Centers, L.L.C. v. Citrin, 440 F.3d 418, 420 (7th Cir. 2006); United States v. Rodriguez, 628 F.3d 1258, 1263 (11th Cir. 2010).

[3] See, e.g., America Online v. LCGM, Inc., 46 F. Supp. 2d 444, 451 (E.D. Va. 1998); United States v. Nosal, 844 F.3d 1024, 1033-38 (9th Cir. 2016); Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1066-69 (9th Cir. 2016); Southwest Airlines Co. v. Farechase, Inc., 318 F. Supp. 2d 435, 439-40 (N.D. Tex. 2004); Am. Online, Inc. v. Nat’l Health Care Disc., Inc., 174 F. Supp. 2d 890, 899 (N.D. Iowa 2001); United States v. Lowson, No. 10-114 (KSH), 2010 U.S. Dist. LEXIS 145647, at *11-18 (D.N.J. 2010).

[4] See, e.g., Sandvig v. Barr, 451 F. Supp. 3d 73, 76 (D.D.C. 2020);  Cvent, Inc. v. Eventbrite, Inc., 739 F. Supp. 2d 927, 932-34 (E.D. Va. 2010); Koch Indus., Inc. v. Doe, No. 2:10CV1275DAK, 2011 U.S. Dist. LEXIS 49529, at *19-25 (D. Utah. May 9, 2011); Bittman v. Fox, 107 F. Supp. 3d 896, 900-01 (N.D. Ill. 2015).

[5] See, e.g., HiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985, 999-1004 (9th Cir. 2019); Explorica, 274 F.3d at 582-84.

[6] See, e.g., HiQ Labs, Inc., 938 F.3d at 1003 (noting that CFAA is violated when an individual scrapes data by “circumvent[ing] a computer’s generally applicable rules regarding access permissions, such as username and password requirements, to gain access to a computer” as that data has been marked as “private”); see also id. at 1001-03 (discussing legislative history of CFAA and intent to increase privacy protections for online information).

Today, the Supreme Court handed down a decision significantly narrowing the scope of the Computer Fraud and Abuse Act (“CFAA”), a federal statute that can impose both criminal and civil liability on anyone who “intentionally accesses a computer without authorization or exceeds authorized access”, in its first-ever decision addressing this law.

In a 6-3 opinion in Van Buren v. United States, No. 19-783, authored by Justice Barrett, the Court reversed the Eleventh Circuit’s decision to uphold the conviction of a former police officer who was charged under the CFAA for searching a license plate in a law enforcement database for unofficial purposes.  His conviction concerned a provision of the statute that made it illegal “to access a computer with authorization and to use such access to obtain . . . . information in the computer that the accesser is not entitled so to obtain”.  The officer appealed, claiming that the CFAA did not cover unauthorized use of a database that he was otherwise authorized to access as part of his job.

Recall that the CFAA, which was passed in 1986, is considered to be the primary anti-hacking law and prosecutorial tool against outside actors who are accused of breaking into computer networks (although the statute has also been litigated recently in the commercial context, including in relation to data scraping).  It forbids individuals from intentionally accessing a computer without authorization or “exceed[ing] authorized access.”  The Supreme Court granted certiorari to resolve a split in authority among the Courts of Appeal regarding the scope of liability under the CFAA’s “exceeds authorized access” clause.

The majority opinion closely parsed the language of the CFAA and examined the types of activities that constituted “exceed[ing] authorized access.”  Ultimately, the Court concluded that the provision that Plaintiff had been convicted under “covers those who obtain information from particular areas in the computer—such as files, folders, or databases—to which their computer access does not extend.  It does not cover those who, like [Petitioner], have improper motives for obtaining information that is otherwise available to them.”  Op. at 1 (emphasis supplied).  Justice Barrett’s opinion also focused on the statute’s scope, noting that the government’s broad interpretation would criminalize a “breathtaking amount of commonplace computer activity,” including mundane activities such as using a work computer for personal purposes.

This case is a game changer for pending and future cases brought under the CFAA.  As CPW readers will remember, the hiQ/LinkedIn data-scraping saga ongoing in California federal court had been paused pending a ruling from SCOTUS in Van Buren.  All eyes will be back on that case now, in light of the circumscribed interpretation of the statute adopted by SCOTUS today.  For information as to how that litigation progresses, and how other courts (and litigants) respond to this important decision, stay tuned.  CPW will be there to keep you in the loop.

In case you missed it, below is a summary of recent posts from CPW.  Please feel free to reach out if you are interested in additional information on any of the developments covered.

BREAKING: Supreme Court Unanimously Curbs FTC’s Ability to Obtain Monetary Relief in Court | Consumer Privacy World

Wait, What?! Ninth Circuit Affirms Dismissal of Data Breach Litigation for Deficient Damages Allegations | Consumer Privacy World

In re Clearview Update: Plaintiffs Ask Court To Enjoin Significant Portions Of Defendant’s Business Activities Based On Recent Patent Application | Consumer Privacy World

hiQ LinkedIn Data Scraping CFAA Ruling Delayed Pending SCOTUS Decision | Consumer Privacy World

What Businesses Need to Know About Virginia’s Consumer Data Protection Act | Consumer Privacy World

Data Litigation Is Growing Fast, And So Is Liability Risk | Consumer Privacy World

Empire State of Mind: Over 50 Privacy Bills Under Consideration in New York, Poised to Reshape Data Privacy Litigation | Consumer Privacy World

Battle Royale, Data Scraping Edition: The hiQ v. LinkedIn Saga Continues | Consumer Privacy World

Another Consumer Privacy Litigation Pushed Out of Courts Into Arbitration | Consumer Privacy World

FCRA Litigation Survives Motion to Dismiss, Serving as Reminder of What Needed for Well-Pled Claim | Consumer Privacy World

BREAKING NEWS Clearview AI Plans to Take its BIPA Challenge Over Standing to the Supreme Court | Consumer Privacy World

Clearview and Blackbaud – Where are we, how did we get here, and where are we going? | Consumer Privacy World

Rare Prosecution Under the Computer Misuse Act 1990 for Data Breaches Caused by Rogue Employee | Consumer Privacy World

Virginia’s Data Privacy Legislation Is One Step Closer To Becoming Law | Consumer Privacy World

The world of digital marketing has grown exponentially in the last two decades.  In fact, it was estimated that in 2020, despite the global pandemic, approximately $332.84 billion would be spent on digital advertising worldwide.[1]  Not surprisingly, sophisticated algorithms (such as real-time bidding and programmatic ad buying) have been built in recent years to master the science of digital marketing and customer segmentation, aka target marketing.  While none of the current U.S. privacy laws explicitly prohibit target marketing based on electronically obtained consumer data, this space is getting overpopulated and overregulated, and the landscape is changing.  And so we ask the obvious question: can target marketing withstand the emerging privacy regulations? Our answer is probably, with certain notable caveats.

Target marketing is an old but powerful marketing strategy.[2]  It used to involve breaking consumers into defined segments where each segment shared some similar characteristic, such as gender, age, buying power, demographics, income, or a combination of a few shared characteristics; then designing marketing campaigns based on the shared characteristic(s).  Approaches have changed with the passing of time.  Nowadays, target marketing has been narrowed to the point of defining every individual consumer or household, and designing marketing campaigns for each individual consumer or household.  Target marketing is often the key marketing tool used to attract new business, increase sales, or strengthen brand loyalty.[3]  Despite its success, with the massive amount of consumer data now being used to target consumers, and the emerging data privacy laws and regulations, marketers have to tread carefully to avoid getting themselves in (legal) hot water.

How do marketers access consumer data?  And why is it potentially problematic?

Let’s first address consumer data.  Marketers can acquire data by themselves (aka “first party data”).  This includes data from behaviors, actions or interests demonstrated across website(s) or app(s), as well as data stored in a business’ customer relationship management system (“CRM”).[4]  By contrast, “second party data” or “third party data” is data acquired from another source.  It could be someone else’s first party data, or it could be data collected by outside sources that are not the original collectors of the data.[5]

The most common method for obtaining consumer data (first, second or third party) over the internet has been through cookies stored on our digital devices.[6]  (For a recent litigation involving the use of cookies in the context of kids’ privacy rights see this prior post).  Cookies are used to track the activities of devices as users visit particular web pages, allowing advertisers to build profiles of a device’s online activities; these profiles can then be used to create targeted advertising tailored to the user of that device.[7]

Marketers are also able to obtain data through social media platforms.  Most of us using social media are aware of the personal information we submit before we create our accounts.  This information may include some personally “identifiable” information, such as our name, address, date of birth etc., but there is other personal information which is not considered “identifiable”, such as our gender, age, postal code, etc.  Marketers can then partner with social media platforms to create marketing campaigns based on consumer segments created through each individual’s personal information.  Ever wonder why your husband is not seeing ads for women’s shoes, or why you are receiving ads for products or services you have not shopped for but may be interested in?  It is target marketing.  (And of course, as CPW has covered, data can also be harvested from social media platforms through scraping).

So what?  Well, until recently (with a few notable exceptions such as the Fair Credit Reporting Act (“FCRA”)) laws regulating companies selling or acquiring consumer data were sparse and preceded the advent of new technologies.  Compare Trans Union LLC v. FTC, 536 U.S. 915, 917 (2002) (stating that “the FCRA permits prescreening—the disclosure of consumer reports for target marketing for credit and insurance. . . .”) with FTC I, 81 F.3d 228 (D.C. Cir. 1996) (holding that selling consumer reports for target marketing violates the FCRA).

In many respects, corporations were thus able to use consumer data to create complex marketing campaigns.  This practice recently came up in the context of the Capital One data breach.  See, e.g., In re Capital One Consumer Data Sec. Breach Litig., 2020 U.S. Dist. LEXIS 175304, at *28 (E.D. Va. Sep. 18, 2020) (discussing plaintiffs’ allegation that “Capital One created a massive concentration of [personally identifiable information], a ‘data lake,’ in which Capital One ‘mines [customers’] data for purposes of product development, targeted solicitation for new products, and target marketing of new partners—all in an effort to boost its profits.’”).

The tide is starting to change.  With the emergence of more recent data privacy laws, such as the California Privacy Rights Act of 2020 (“CPRA”), the California Consumer Privacy Act of 2018 (“CCPA”) and the General Data Protection Regulation (“GDPR”), “covered entities” can no longer use personal information carte blanche for advertising purposes.  However, it bears noting that the statutory definition of personal information remains much narrower than what one might assume.  The CCPA, for example, defines personal information as: “…information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household…”  California Consumer Privacy Act of 2018 § 1798.140(o)(1).

Thus, information about one’s gender and income, without more, would not fall under this definition.  Are consumers comfortable having this information used without their consent?  Do they even have a choice?  It depends.  Although common law tort principles, such as invasion of privacy, embarrassment or emotional distress, may allow some legal remedies, case law is sparse and for obvious reasons, has trended towards permitting corporate use of such data.  See, e.g., Bradley v. T-Mobile US, Inc., 2020 U.S. Dist. LEXIS 44102 (N.D. Cal. Mar. 13, 2020) (rejecting claim that use of consumer data, including age, for target marketing concerning online job postings constituted age discrimination and violated various federal and state laws).

At least insofar as California is concerned, there have been some interesting developments concerning target marketing of late.  This is because under CCPA, some businesses engaged in target marketing interpreted “sales” as excluding the exchange of personal information, such as cookie data, for targeting and serving advertising to users across different platforms.  This approach was on the purported basis that no “sales” (as defined in the statute) were involved because no exchange for “valuable consideration” had occurred.  The CPRA, which was approved by California voters in November, utilizes the concept of “sharing” and seemingly eliminates this potential loophole (although that doesn’t mean there won’t be future litigation regarding this issue).

The concept of “data clean rooms” has also (re)surfaced to bypass the issues related to sharing customer data.  Data clean rooms allow companies, or divisions of a single company, to bring data together for joint analysis under defined guidelines and restrictions that keep the data secure.[8]  Whether a clean room contains PII or anonymized data, data privacy practices are critical.  If the anonymized data can be deanonymized (tied back to actual people through creative analytics), it would make the data subject to most privacy laws (and definitely the GDPR).

What does the future look like for digital advertising?  With the spike in US state regulations relating to consumers’ online privacy, such as the CPRA, the Nevada Senate Bill 220 Online Privacy Law (2019), and the Maine Act to Protect the Privacy of Online Consumer Information (2019),[9] it remains fluid.  There have also been changes in cybersecurity, data security and data breach notification laws (although we will table discussion of the specifics of that for another day).  The bottom line is that marketers now not only have to pay extra attention to each state’s regulation before obtaining and/or processing consumer information, they also have to pay extra attention to the consent obtained.  The free rein to use unlimited consumer data to create complex algorithms for the optimal marketing campaign is slowly coming to a halt.

To mitigate litigation risk, entities in the marketing industry will have to take a jurisdiction-specific approach that accounts for recent developments.  And as the scope of these new laws and regulations is tested via litigation, CPW will be there every step of the way.  Stay tuned.

[1] https://www.emarketer.com/content/global-digital-ad-spending-update-q2-2020

[2] https://www.acrwebsite.org/volumes/8572/volumes/v29/NA-29

[3] https://www.thebalancesmb.com/target-marketing-2948355

[4] https://www.lotame.com/1st-party-2nd-party-3rd-party-data-what-does-it-all-mean/#:~:text=First%20party%20data%20is%20the,you%20have%20in%20your%20CRM

[5] Ibid.

[6] Swire, Peter and Kennedy-Mayo, DeBrae, “U.S. Private-Sector Privacy,” Third Edition,  Pg 130

[7] Ibid.

[8] https://www.snowflake.com/blog/distributed-data-clean-rooms-powered-by-snowflake/

[9] https://www.csoonline.com/article/3429608/11-new-state-privacy-and-security-laws-explained-is-your-business-ready.html

Those of you familiar with the area of data privacy already know that the International Association of Privacy Professionals’ (“IAPP”) CIPP/US certification is the global gold standard for privacy professionals and a key industry benchmark.  The CIPP/US designation demonstrates familiarity with U.S. privacy laws and regulations.  Well, CPW is proud to announce that one of our extremely talented litigators Zarish Baig has joined the group of CIPP/US certified attorneys, which already included CPW’s privacy pros Elliot Golding, Petrina McDaniel and Kristin Bryan.  As you may know, here at CPW we have assembled one of the most experienced and dedicated consumer privacy teams on the planet—powerful class action litigators working together with privacy compliance professionals who have real-world experience operationalizing cutting-edge guidance.  Adding this important certification to our deep bench of litigators further enhances our team’s capabilities.

Do you know Zarish?  She is a frequent contributor to CPW blogging on key developments in data privacy litigation (in case you missed it, be sure to check out some of her work analyzing the CCPA and other matters here, here and here).  Zarish is a truly international attorney, licensed to practice in Canada and the United States.  She has counselled clients all over the world in multifaceted roles.  Her current practice ranges from advising clients on consumer privacy issues, product design and litigation, and ensuring clients stay compliant with applicable laws and regulations.  In addition to representing clients in both state and federal courts, and internal and government investigations, Zarish is also experienced in providing practical and business-oriented advice.

Well done Zarish!  We’re proud to have you on our team.

As most of you already know, the Illinois Biometric Information Privacy Act (“BIPA”) regulates the storage and sale of biometric data.  Following a New York Times exposé earlier in the year, ten lawsuits were filed against Clearview AI which alleged, among other things, that Clearview’s practices violated BIPA.  Why?  Well, according to complaints filed in these cases, Clearview extracted faceprints from three billion photographs of people’s faces from social media platforms and other websites and created a database.  That database was then provided to Clearview’s clients, which purportedly include national law enforcement agencies and government bodies.  Unsurprisingly, public and media scrutiny of Clearview’s practices followed.

This development has rocked the tech world, which responded in a variety of fashions.  Several of the tech giants sent cease and desist letters to Clearview after they learned Clearview’s database was compiled by scraping images from their platforms.  Other name brand companies, which previously had been engaged in developing facial recognition technologies, announced they were stopping such activities altogether.

What was Clearview’s response?  In contrast with these other approaches, it claimed that the company had a First Amendment right to access public information (including images from online platforms).  This assertion was followed in October with a motion to dismiss a complaint filed against it by the American Civil Liberties Union (“ACLU”), where Clearview asserted that the ACLU’s claims were barred under the First Amendment and the Illinois constitution.  Clearview claimed that its use of publicly available images was permissible because its collection and organization of images was essentially the creation and dissemination of information, which is protected by the First Amendment.

Clearview also argued that the activities of search engines like its own have historically been entitled to First Amendment protections.  Because the information that it used was publicly available online, Clearview argued that the individuals featured in those photos had no reasonable expectation of privacy.  Clearview further claimed that BIPA violated the First Amendment as a content-based restriction on speech that cannot survive strict scrutiny.  Pointing to BIPA’s definition of “biometric identifiers,” Clearview argued that the way that BIPA targets the information included in that definition limits Clearview’s effectiveness and ability to use public information, and therefore burdens its speech.  Clearview also moved to dismiss the ACLU’s complaint for lack of jurisdiction, among other grounds.

Well, as this issue is sorted out by an Illinois court (where the litigation is pending), last week an amicus brief was filed on behalf of the Electronic Frontier Foundation (“EFF”) that addresses Clearview’s First Amendment argument head on.  As summarized in EFF’s brief, the applicable First Amendment test is not strict scrutiny but “intermediate judicial review,” which requires “a close fit between a speech limit and a substantial government interest.”  This is because, according to EFF’s brief, the speech Clearview seeks to protect is commercial speech that does not concern a public issue.  Instead, the speech is solely in the interest of Clearview and its business audience, as its faceprinting is offered as a proprietary and confidential service for paying customers.  Although Clearview sells its service to law enforcement agencies, EFF argued that this does not make collecting personal data a matter of public concern.

EFF’s brief argued that the application of BIPA to Clearview satisfies intermediate scrutiny as “Illinois has substantial interests in protecting privacy, and the free speech and information security that depends on privacy, from the special hazards posed by faceprinting” and “BIPA’s requirement of opt-in consent to collect faceprints is narrowly drawn to these interests.”  EFF’s brief highlighted that BIPA’s opt-in consent measure does not burden more speech than is necessary, even though businesses have argued that opt-in consent is more burdensome than opt-out consent, because opt-out is only marginally less intrusive than opt-in.  EFF’s brief further argued that opt-out could be ineffective for consumers who may not know that a business collected their faceprint.

What does this all mean?  Well for now, it is unclear as the court at least in this specific Clearview suit has yet to rule on the issue.  Given the proliferation of the collection and use of biometric information – including but not limited to employers in the wage and hour industries using biometric information for timekeeping purposes – this case and others are of particular interest.  Stay tuned as CPW will continue to cover these developments as they occur.