There is a series of cases (http://www.bloomberg.com/news/2014-01-08/clickable-consent-at-risk-in-internet-privacy-lawsuits.html) developing in the Ninth Circuit over what constitutes consent, particularly in regard to how various sites (such as LinkedIn and Facebook) use information collected from their users. The article describes a surge of such cases (over 200) over the past 18 months. What makes these cases unique is that the judge in these cases, Judge Lucy Koh, allowed them to survive a motion to dismiss. These cases (which may get lumped into a broader class action down the line) intend to explore exactly what agreeing to Terms of Service on a website entails.
Bloomberg doesn’t provide an extensive amount of detail about the cases in question, but does provide some common threads. The first major connecting point between many of these cases is that the websites used information provided by the user in a way mentioned by the Terms of Service. One of the cases mentioned involves information provided by the user (such as their name and picture) being included in advertisements for the website. One example provided is a 2011 case against Facebook that dealt with Facebook’s practice of using a user’s friends in “sponsored posts” (basically ads). Facebook alleged that the Terms of Service allowed them to use a person’s profile on the website in such a manner. The plaintiffs argued that their names and images had value that Facebook’s practices deprived them of. Judge Koh agreed with the plaintiffs in this regard.
The second, and potentially more troubling, common nexus between these cases involves information not knowingly provided by the user. The example Bloomberg gave for this situation involved LinkedIn taking the email address of a user’s 11-year-old son from that user’s email address book and using it to pitch LinkedIn’s services to the user. The user didn’t remember allowing LinkedIn to look at the contents of his online address book, and the email address was unused otherwise. The question in the case involves how LinkedIn acquired the address initially and whether this user agreed to share that information in the first place.
These cases point to the need for a more thorough definition of consent in an internet-based context. Customers have to know what they’re agreeing to before they can knowingly agree to anything. In other parts of contract law, the contract usually has to describe what the offeree agrees to if they sign. A contract, after all, only includes what is in the four corners of the document. There is no good reason, either policy-wise or legal, why this should not be the case for service contracts involving websites. So far, the only hard and fast rule for consent appears to be “be clear about how you use the data and ask permission before you use it” (from the Gmail case back in September: http://www.mediapost.com/publications/article/210095/judge-rules-gmail-ads-might-violate-privacy.html).
That rule of thumb only serves as a starting point. Optimally, the increase in cases will allow the legal system to further clarify when an individual validly consents to having their information used by a website. As with any aspect of contracting, it helps both parties to have clear rules in order to know their rights and obligations under the law.