by: Claire Sullivan
Concern for the privacy and protection of personal information has long found a place within the United States legal system. In recent decades, however, the discussion surrounding the issue of privacy has taken on new connotations as technology has rapidly broadened the definition and understanding of precisely what kind of information should be regarded as private. As issues regarding Internet usage and privacy have become more common, so have discussions surrounding what kind of legal protections personal information should be afforded, as well as exactly what qualifies as personal information in a digital age. A key factor in such discussions is the existence of online sites and major corporations that draw an extensive degree of profit from Internet users. As culture and markets have adapted rapidly to keep pace with new technological changes, the nation’s legal system has faced struggles in its attempts to catch up.
In 2015, a New Jersey case regarding the companies Viacom and Google’s use of data collected from children who at the time were under the age of thirteen highlighted one of the key issues facing privacy as it relates to technology. Reportedly, the children “had standing to assert claims that a website with video streaming and an Internet advertising company unlawfully collected personal information about the children … relating to the children’s online behavior”[1]. The case presented complications because it involved not only the Nickelodeon website, owned by the company Viacom, but also the company Google, whose advertisements were present on the website and thus allowed Google to access basic data of users who visited the website.
The 1988 Video Privacy Protection Act, a piece of legislation which allows “plaintiffs to sue persons who disclose information about their video-watching habits”[2], was determined to be insufficient for resolving claims made in this case, as the act only addresses parties who disclose information regarding viewers’ habits, and not parties who receive such information. Thus, under this act, Google was not found to be at fault in this instance as it was the recipient and not the discloser of the information. In addition, it was concluded that “the expansion of privacy laws since the Video Privacy Protection Act’s passage demonstrates that, whatever else “personally identifiable information” meant in 1988, it did not encompass the kind of information that Viacom allegedly disclosed to Google”[3]. The kind of data Viacom shared with Google was not determined to be personally identifiable, as it was basic information such as “URL information” and “IP addresses, browser fingerprints, and unique device identifiers”[4] which revealed little about the website users. Despite the conclusion that this act was insufficient to support the plaintiff’s claims, Viacom did face a certain degree of scrutiny regarding not the kind of information shared with Google, but rather the way in which Viacom’s information collection and sharing was represented on the website.
Though the majority of websites employ some type of data-collecting function as a means of increasing revenue by tailoring ads to user preferences, the Nickelodeon case raises the point that “targeting advertisements to children is more profitable than targeting advertising to adults “because children are generally unable to distinguish between content and advertisements”[5]. The Children’s Online Privacy Protection Act, which was passed by Congress a decade after the Video Privacy Protection Act, stipulates that personal digital information, which encompasses a wide array of information regarding an individual as well as the individual’s device, may only be gathered from children under the age of thirteen with the consent of parents[6]. This litigation was concluded in part with the determination that Viacom and Google’s gathering of information was not the inherent problem, because the information gathered was not considered to be “personally identifiable” as it “was not the kind of information that would readily permit an ordinary person to identify a specific child’s video-watching behavior”[7]. Rather, the issue was that “an expectation of privacy” was created for users jointly by the two companies through a message that assured parents that no personal information would be gathered or shared, thus meaning that the information was gathered and shared “under false pretenses”[8].
The plaintiffs in this case specifically claimed “that the Nickelodeon website included a message that read “‘HEY GROWN-UPS: We don’t collect ANY personal information about your kids. Which means we couldn’t share it even if we wanted to!’” and “appeared on the webpage that children used to register for website accounts, apparently to calm parental fears over the tracking of their children’s online activities”[9]. The fact that information was collected and distributed in spite of this reassurance reveals misrepresentation on the part of Viacom. The Children’s Online Privacy Protection Act “says nothing about whether such information can be collected using deceitful tactics” and therefore “leaves the states free to police this kind of deceptive conduct”[10]; thus, there is room for addressing the legality of Viacom’s actions on this front. Regardless of the fact that the information collected was not ruled to be concretely personally identifiable, it becomes clear that there is a need for more coherent legislation to ensure that Internet users are accurately informed about precisely what data is collected when they access a website, as well as how that data could potentially be shared or used in the future.
Attorney Alexandra Rengel stated in an article discussing recommendations for improved privacy standards that:
In this newly commoditized information market, buyers everywhere can collate and manipulate data for marketing, profiling, and, in some instances, for nefarious purposes. Individuals have little ability to control this collection or manipulation of their data. Not only does much of this happen far from the reach of regulators, but most people are not even aware of what information has been collected about them or for what purpose it is being used.[11]
These and other related issues stem from the fact that understandings of privacy and the language used to discuss it are far from uniform. For instance, debate surrounding the precise legal definition of the term “personally identifiable information” has persisted throughout a number of cases regarding digital privacy. This case in particular reached the conclusion that “norms about what ought to be treated as private information on the Internet are both constantly in flux and often depend on the novelty of the technology at issue”[12]. Viacom’s defense of the legality of its information collection was found to be reasonable under the stipulations of existing laws; however, the issue of what language or descriptions count as truly informant of a company’s intentions with user data is still up for debate and improvement.
The Nickelodeon case brings attention to issues that stand to be discussed further, as technological advancements continue and begin to fall beyond the reach of existing laws. The plaintiffs in the case asserted that due to Google’s aggregation-based business model, the company “knows more details about American consumers than any company in history,” and furthermore, that “it has, in effect, turned the Internet into its own private data collection machine”[13]. Though the validity of these statements is not confirmed within the litigation, it is stated that “we do not think that a law from 1988 [the Video Privacy Protection Act] can be fairly read to incorporate such a contemporary understanding of Internet privacy” and that some of the laws cited in the litigation are too narrow to apply to this broader issue[14]. This in itself is a significant point, as laws created decades before the rapid technological advancements of recent years can hardly be expected to sufficiently and uniformly address the intricacies of issues that modern Internet technologies create. As large tech companies gain more and more influence in the everyday lives of Internet users, discussion regarding the need for new or at least updated privacy legislation becomes vital.
The most important takeaway from this case and the legislation used to address it is that there is a measurable gap between legislation regarding Internet user privacy and the actions of big tech corporations regarding privacy protection. While there is room to debate what kinds of data should be regarded as private and how far data protections should extend, it is undeniable that Internet users have the right to be provided with clear and accurate information regarding how even their most basic information is collected and distributed. Perhaps the first step to take is not against the gathering of information by tech companies, but rather is to hold these companies accountable for the promises they make regarding user data. What might prove most beneficial as data privacy legislation develops is the institution of clear standards for companies’ representation of their information collection practices. This will in turn ensure that big tech companies are held to a standard of truthfulness in their interactions with users and their personal information.
[1] In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262 (3rd Cir. 2016).
[2] Id.
[3] Id.
[4] Id.
[5] Id.
[6] Id.
[7] Id.
[8] Id.
[9] Id.
[10] Id.
[11] Rengel, Alexandra. Privacy-Invading Technologies and Recommendations for Designing a Better Future for Privacy Rights, 8 Intercultural Human Rts. L. Rev. 177, (2013).
[12] In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262 (3rd Cir. 2016).
[13] Id.
[14] Id.