- the types of data that is being collected and from whom data is collected;
- the purposes for the collection of data;
- the ways in which collected data is being used; and
- whether data is being shared with or sold to any third parties.
In addition, some state laws and regulations require explicit disclosures about the sale of data and require companies to afford consumers the ability to opt out of the sale of personal information. New York is likely to pass such a law within the next year.
Cases Allege Undisclosed Data Collection and Use by Google Incognito Mode and Google Assistant.
A 2020 class-action lawsuit alleged that Google illegally collects information during private browsing sessions using its “incognito” mode, through which users believe they are keeping their search activity private. Despite displaying a message stating that “incognito” users can browse “privately” without their search history becoming visible to other users of the device, according to the complaint, Google tracks and collects consumer browsing history and other web activity while using incognito mode, thus unlawfully intercepting and collecting confidential communications without user consent.
While Google contends that the plaintiffs consented to have their data collected when they agreed to the terms of service, according to the complaint many users feel that they were given a false or misleading impression by Google about what was being done with their data.
In another recently filed California action, a federal judge ordered Google to face class-action claims regarding privacy concerns with Google Assistant.
Google Assistant is voice-activated software that carries out users’ commands by constantly listening and responding to users’ voices when it picks up on hot words, such as “Okay Google.” Typically, Google Assistant does not respond unless it hears one of the hot words. However, plaintiffs allege that Google Assistant does not overwrite locally stored random-access memory of audio recordings when Google Assistant makes a mistake and perceives an unrelated phrase as a hot word. The complaint states that Google Assistant allegedly uses stored audio recordings for purposes other than carrying out users’ commands, including targeted personal advertising to users and improving the Google Assistant’s voice recognition capabilities. This may mean that even when users do not believe that their Google Assistant has been activated and is recording and collecting users’ data, Google Assistant is collecting user data and using it for unapproved purposes. In re Google Assistant Privacy Litigation, No. 5:19-cv-04286-BLF (N.D. Cal. Jul. 1, 2021).
Other Tech Giants Are Thinking Proactively About Privacy
These decisions come on the heels of Apple’s announcement that its upcoming iOS 15 update will give iPhone users more insight into and control over their own data. Among other things, users will be able to see the entities or users with whom the mobile apps are sharing their personal data, will be able to stop trackers from detecting if and when an email is opened, and will allow users to keep internet activity and some phone app usage private. Consumers are choosing not to share data at a high rate, and this change in data sharing frequency will shake up the internet advertising economy. Apple’s decision further highlights the increasing commoditization of data and represents one of the clearest examples of a major player in big tech attempting to proactively capitalize on the privacy concerns many consumers have. Apple will have to make sure it honors its privacy promises to consumers.
Now Is the Time To Reassess Privacy Policies and Disclosures
As data privacy lawsuits become more commonplace, businesses are reminded that they should take stock of their own data collection, use and disclosure policies. The obvious starting point in assessing privacy-related requirements are the state data privacy laws that have been enacted in the last few years, the most prominent of which is the California Consumer Privacy Act (the “CCPA,” as amended by the California Privacy Rights Act, or the “CPRA”), which applies to California residents. At least eight other states have since passed similar privacy regulations mirroring certain provisions of the CPRA, indicating that the regulation of privacy rights and oversight of data collection and use are concepts that are here to stay. In order to assess organizational privacy readiness, the following are some initial steps and considerations:
- Take stock of what data you collect. Sensitive personal information like social security numbers, credit card or payment information, and biometric data have received increased scrutiny from regulators and may require more stringent protocols with respect to data retention. Data collection processes can change in important ways every time a service is updated or a new version rolled out.
- Analyze your relationship with third-party advertisers. Do you engage with third-party advertisers? Other states are beginning to follow California’s lead by restricting the sharing of personal information for cross-context behavioral advertising (defined as the targeting of advertising to consumers based on the personal information obtained from their activity across businesses, distinctly branded websites, applications or services, other than which the consumer intentionally interacts). For example, Virginia recently passed the Consumer Data Protection Act, which allows consumers to opt out of targeted advertising and reflects legislation that appears to be modeled after California’s CCPA, at least in part. The CPRA, voted into law in November, further restricts businesses from sharing personal information for cross-context behavioral advertising. Under the CPRA, the transfer of personal information to a vendor for cross-context behavioral advertising purposes is no longer considered a “business purpose” (for which user consent was not required) as it was under the CCPA.
- Obtain meaningful consent. Since changes in the law leave businesses with limited options to avoid being considered “sharers” of personal information under the CPRA, many will need to assess methods for obtaining consent from users in order to share personal information with other entities. Consent must be obtained affirmatively before the information is collected. Consumers must be able to easily locate privacy policies, and in some cases, be able to revoke or limit their consent.
* * *
Carter Ledyard & Milburn LLP uses Client Advisories to inform clients and other interested parties of noteworthy issues, decisions and legislation which may affect them or their businesses. A Client Advisory does not constitute legal advice or an opinion. This document was not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein. © 2021 Carter Ledyard & Milburn LLP.