Magazine article Information Today

Getting Down to the Basics of a Solid Privacy Policy

Magazine article Information Today

Getting Down to the Basics of a Solid Privacy Policy

Article excerpt

All too often we think that privacy policies are just boilerplate forms that can be plunked down on a website and then scratched off from our to-do list. Unfortunately, that's just not the case. According to a recent U.S. federal district court case, Mortensen v. Bresnan Communications, LLC, companies need to pay attention to what their privacy policies say and how they are presented to users.

Background: Online Behavioral Advertising

Consider the factual background information on this specific case. Defendant Bresnan Communications, an internet service provider (ISP), allowed NebuAd, Inc., a California startup, to install a device on its network that engaged in "deep packet inspection." Stripped of opaque technical-sounding terminology, this means that NebuAd analyzed emails of Bresnan's users and tracked their web surfing in order to create a user profile. NebuAd then used this profile to target online behavioral advertising. For example, if a user waxed poetic in his emails about the romantic bed and breakfasts in Asbury Park, N.J., and then visited I-Love-NewJersey.com (this is all quite hypothetical, of course), the user may begin receiving online ads containing discounted passes for the Garden State Parkway and to Atlantic City casinos.

Plaintiffs, who sought to represent a group of aggrieved subscribers, claimed that their ISP (Bresnan) profited from NebuAd's activities and that Bresnan had not properly obtained the users' consent to collect their personal information. Plaintiffs specifically alleged the following: 1) This was in violation of the Electronic Communications Privacy Act (ECPA), 2) this was an invasion of privacy, 3) this was a violation of the Computer Fraud and Abuse Act (CFAA), and 4) it was considered a "trespass to chattels," a medieval, obscure doctrine of violating someone's personal property. Bresnan moved to dismiss the complaint, but the ISP was only partially successful. Although the court's opinion began in a predictable fashion in favor of the defendant, there was a surprising turn: The court permitted the class action to proceed.

On ECPA Claims, the Defendant Wins

The ECPA, also known as the Wiretap Act, prohibits intercepting (or assisting in intercepting) electronic communications unless the person has given prior consent to such interception. The question the court addressed was whether users had implicitly given their consent to the surveillance.

Bresnan argued that users had actually given their consent since its Online Privacy Notice and Online Subscriber Agreement stated that the ISP "and its agents" could monitor electronic postings and transmissions as well as use equipment to collect information on users' internet usage. Specifically, these policies indicated that Bresnan could collect information on three fronts: 1) the "web sites you review," 2) "your electronic browsing," and 3) "the text of e-mail or other electronic communications you send or receive." The policies also indicated that this information could be disclosed to third parties.

[ILLUSTRATION OMITTED]

Besides these general notices, Bresnan also specifically notified users that the NebuAd trial was set to begin and provided a link for customers to opt out.

The court dismissed the plaintiffs' Wiretap Act claim, concluding that Bresnan had given notice (on three separate occasions) to users that their email and browsing history would be monitored and that it could be passed on to third parties. The court concluded accordingly that users had consented, or at least acquiesced to, the interception of their messages.

On Invasion of Privacy Claims, the Defendant Wins

The plaintiffs' next claim was that Bresnan committed a tort by violating the users' privacy. To prevail on such a claim, the plaintiff must show that the plaintiffs expected privacy and that this expectation was objectively reasonable.

For the same reasons that the court rejected the plaintiffs' Wiretap Act claims (the users were given adequate notice that their communications would be intercepted), the court dismissed the privacy claims. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed

Oops!

An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.