Lloyd v. Google

If it were simply a play, Shakespeare might have called it "Privacy, or What You Will."

On Friday, the Wall Street Journal broke just the latest story, its lens aimed on Facebook, concerning the all-too-fluid movement of smartphone users' information from (other) apps to Facebook.

"It is already known that many smartphone apps send information to Facebook about when users open them, and sometimes what they do inside. Previously unreported is how at least 11 popular apps, totaling tens of millions of downloads, have also been sharing sensitive data entered by users. The findings alarmed some privacy experts who reviewed the Journal’s testing."

According to the WSJ's tests, heart-rate monitoring apps were sharing users' hearts rates with Facebook.  And period-and-ovulation tracking apps "told Facebook when a user was having her period..."  (As you might have guessed, much or all of this intra-app sharing reportedly occurred without the user's consent - the apps share the information with Facebook, but do not share the with their users that they will share their information with Facebook.  And so, consumers come to realize that they are the product, not the customer.)

Why would Facebook care to know?  One answer is that if Facebook understands its users better, it can send them more targeted advertising.  If you're known to be pregnant, you're perhaps more likely to click on diaper or baby-crib adverts.  (This is, ostensibly, a benefit to Facebook's users, who enjoy receiving advertisements more likely to be of interest to them.  Ostensibly!)

Lloyd v. Google

The "key" to your online data - unsecured

Over the last few months, we have been researching an interesting lawsuit (and ruling) out of London.  The lens in that case was focused on Google, but many of the issues were similar.

In the Google matter, Google was alleged to have found a way around Apple's safety guards, imposing its own third-party cookies on Apple users' iPhone devices - so that Google could track iPhone user's web activities.

When looking into online privacy-related actions in the UK, at least 3 interesting similar examples came to light, in each case with the U.K. Information Commissioner’s Office (the ICO) leading the charge in fining entities:

1. ICO fined the Leave.EU campaign for “serious breaches of electronic marketing laws” during the 2016 Brexit referendum. The ICO found a significant relationship (e.g., overlapping directors) to exist between Leave.EU and an insurance company Eldon Insurance Services Ltd (“Eldon”). Commissioner Denham noted that it “is deeply concerning that sensitive personal data gathered for political purposes was later used for insurance purposes and vice versa. It should never have happened.” Eldon would, for example, pitch Leave.EU campaign supporters by way of email newsletters offering “10% off” for Leave.EU supporters. Leave.EU did little, if anything, to protect the acquired data when sharing it with Eldon (which trades as GoSkippy Insurance). “It was confirmed that there is no formal contract in place between Leave.EU and GoSkippy to provide direct marketing, and that the inclusion was an informal arrangement.


2. ICO found that Emma’s Diary (a website that provides pregnancy and related advice to mothers and mothers-to-be) illegally collected and sold personal information on over one million people to Experian Marketing Services, a branch of the consumer credit rating agency, “specifically for use by the Labour Party.” 


3. ICO fined Facebook £500,000 for serious violations of data protection law – the maximum fine allowable under the applicable laws at the time the incidents occurred. The ICO determined that “between 2007 and 2014, Facebook processed the personal information of users unfairly by allowing application developers access to their information without sufficiently clear and informed consent ....” According to Commissioner Denham, “Facebook failed to sufficiently protect the privacy of its users before, during and after the unlawful processing of this data.” The personal information of over one million users was harvested and consequently “put at risk of further misuse.” 

Putting the ICO fines and the Lloyd v. Google case itself together, we see at least one common theme and outcome: people’s social information (often personal/private) is clearly being mixed with their financial and political interests, whether they are aware of it or not.

We have also gone back to the late 1800s and early 1900s to quote the revered jurist Louis Brandeis.  In his famous dissent, in Olmstead, he defined the “right to be let alone” as “the most comprehensive of rights, and the right most valued by civilized men.” Olmstead v. United States, 277 U.S. 438 (1928).  

------------

Our analysis of the London High Court's ruling in Lloyd v. Google is now available to be reviewed by anyone interested.  We have sought to add a data market analysis to the commentary, so that readers can easily come to terms with how one might value personal data (and in an effort to make it an engaging read!). 

For our prior coverage of consumer data markets, click the "Consumer Data Markets" label on the right hand panel of this blog.