We welcome you to the latest issue of Socially Aware, our guide to the law and business of social media. We are delighted to announce that, earlier this month, we received the 2011 Burton Award for Best Law Firm Newsletter! We wish to thank our contributors and readers for their continued support. In this issue, we discuss whether consumers have property rights in their personal information; new employment law developments involving social media; copyright concerns raised by online linking; Google's recent announcement to offer behaviorally targeted ads for mobile devices; new cases involving the formation and enforceability of online contracts; an update on Facebook's trademark suit against Teachbook; the FTC's crackdown on promotional websites posing as news sites; and Facebook's concerns regarding the FEC's new regulations for political ads. Plus, we present a snapshot of the top five online display ad publishers for Q1 of 2011, and we roll out a new feature—"Status Updates"—in which we provide bitesize summaries of social media developments.
Do Consumers Have Property Rights in Their Personal Information Collected by Website Operators?
When consumers sue online service providers for data breaches involving such consumers' personally identifiable information ("PII"), courts routinely dismiss such suits based on the failure to allege an "injury in fact" as required to establish constitutional standing — see, for example, the decisions in Bell v. Acxiom Corporation and Amburgy v. Express Scripts, Inc. In a recent ruling by the District Court for the Northern District of California in Claridge v. RockYou, Inc., however, the plaintiff survived a motion to dismiss on standing grounds by advancing a novel theory: PII, such as login information used to access social media websites, constitutes "property" that consumers provide to website operators in exchange for products, services and the promise that such website operators will safeguard such PII.
RockYou provides applications for use with social media sites such as Facebook. According to the plaintiff, RockYou promised in its online privacy policy to use "commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security" of the personal information of its customers. The plaintiff alleged that, despite this promise, RockYou stored its customers' PII in unencrypted form, and without taking any common and reasonable data protection measures, so that such PII was readily available to anyone who could access the database. Furthermore, the defendant allegedly failed to respond immediately to a warning from an online security firm that hackers knew about and were actively exploiting a security flaw in RockYou's database. RockYou acknowledged that its database had not been up to date with regard to standard security protocols and that one or more hackers had gained access to its database, which contained social networking login credentials for millions of users.
The crux of the plaintiff's theory was that RockYou's customers "buy" products and services by providing their PII, which is valuable property and is consideration for RockYou's promise that it would employ reasonable security methods. Under the plaintiff's theory, RockYou's failure to safeguard customers' PII breached RockYou's obligations to its customers, and harmed the value of that PII by compromising it. The court noted that there was no established law that clearly addressed such an argument. Further, the court avoided a probing analysis of the fundamental issues, and even expressed doubt that the plaintiff could prove any damages, but nonetheless found the plaintiff's allegations of harm sufficient "to allege a generalized injury in fact." Thus, the plaintiff had standing to assert claims against RockYou for, among other things, breach of contract, negligence and violation of various statutes.
Although the plaintiff's novel theory may not ultimately succeed as a way of establishing standing in data breach cases, commentators have observed that the RockYou case is noteworthy in its acknowledgment of the economic realities of the Internet, where creative use of PII is an increasingly important revenue source for online service providers. The court's ruling legitimizes, at least for now, complaints based on a website operator's failure to protect the inherent value of PII collected from site users. The ruling may also signal a new willingness for courts to view PII as personal property having monetary value, which could give users greater ability to enforce public-facing privacy and data security policies against website operators. Further, in viewing a website privacy policy as a set of promises made by a website operator in exchange for valuable PII, the RockYou decision has the potential to significantly alter the balance of risks in the gathering, storing and use of PII on the Internet.
To read this document in full please click here.
Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
© Morrison & Foerster LLP. All rights reserved
