Privacy Compliance Provisions

New Mexico’s injunction related to the Tiny Lab case includes changes to Google Play which will take effect after 120 days. Some of the specific measures include:

• revising Google Play Families policies and including additional help pages to assist app developers in compliance;
• requiring all developers to complete a form to indicate the targeted age group of apps;
• using a rubric to evaluate app submissions to help determine whether it appeals to kids and check for consistency with the age group form;
• requiring Families apps to certify they will comply with COPPA;
• requiring all apps to only use SDKs that certify compliance with Google’s policies including COPPA;
• requiring developers of Families apps to disclose collection of any children’s data including through third parties;
• requiring a link to the app’s privacy policy on the Google Play store page; and
• communicating whether an app is Child Directed to AdMob and AdMob will then follow COPPA pertaining to that data.

In addition to these injunctive provisions, Google agreed to a set of voluntary enhancements to the Google Education platform intended to promote safety for students. New Mexico’s enforcement of these provisions is limited to its ability to confirm that Google has made the changes, or inquire as to the status of changes not made.

These injunctions demonstrate continued state Attorney General scrutiny regarding children’s information. And they come at a time that the Federal Trade Commission, which is responsible for issuing the COPPA Rule, is redoubling its COPPA efforts. The FTC’s ongoing COPPA Rule Review includes a number of questions regarding the intersection of COPPA and education technology. The FTC’s Statement of Regulatory Priorities, which we wrote about here, identifies COPPA as a top priority. And just this week, the FTC released its first COPPA settlement in almost 18 months.

Additional Settlement Terms Part from Historical State Settlements

Not to be ignored, several other provisions of the settlement have unique aspects that are extremely noteworthy. Google has agreed to pay New Mexico $5.5 million – with $1.65 million of that going to outside counsel for the state. The remaining payment will be used to fund the “Google New Mexico Kids Initiative” – a program jointly run by Google and New Mexico to award grants to schools, educational institutions, charitable organizations, or governmental entities. This unique allocation of the payment to the State could result in scrutiny that other State Attorney General settlements have met in the past where they attempted to designate funds to specific third party recipients. Some state legislatures may see it as an effort to appropriate funds without their involvement.

While New Mexico reserves its rights under the agreement regarding public statements, it has agreed to provide Google 24-hour notice before making any written public statement. Moreover, New Mexico agrees to consider in good faith any suggestions or input Google has, and any statement will reference the parties’ shared commitment to innovation and education. States routinely resist any efforts to negotiate press in this manner, and it is unclear how enforceable a provision like this could really be anyway. That said, this certainly reflects the cooperative nature of the agreement, in which case it’s fair to assume the State would issue press reflecting such cooperation anyway.

Google and New Mexico have also agreed to an ADR provision, requiring the state to pursue any disputes relating to the agreement in mediation prior to pursuing relief. This again is fairly unique for a State AG settlement, as is the overall form of the document (a “Settlement Agreement and Release”) – normally states will only settle matters through a consent judgment or a statutorily authorized Assurance of Compliance or Discontinuance. But just like some of the other unique provisions, agreeing to ADR may be more of a reflection of the cooperative nature of the agreement, and certainly presents opportunity for a more streamlined enforcement mechanism in the future.

It remains to be seen if these provisions will serve as a template for future state agreements with other companies, but given that state Attorneys General continue to pursue Google on a variety of fronts[1], New Mexico’s settlement will certainly be relevant in any future settlement efforts.

[1] Google Search Manipulation, Google Ad Tech, Google DOJ Search Monopoly, State of Arizona v. Google LLC geolocation privacy

No “Sales” if Sharing with a Service Provider

To explain Google’s move, it’s helpful to understand that the CCPA incentivizes a business-service provider relationship. A business can provide a service provider personal information without calling the disclosure a “sale” or offering an opt-out option. When a business provides personal information to a service provider, the business receives liability protections so long as the business does not have actual knowledge or reason to believe that the service provider is violating the CCPA.

In turn, the service provider is restricted from keeping, using, or disclosing personal information for purposes other than “business purposes” spelled out in the service provider contract.

How to Determine if an AdTech Partner is a Service Provider?

But many in the Ad Tech industry have not yet publicly addressed their practices within the context of the CCPA, which has left companies to scrutinize existing contracts, the partner’s publicly-posted terms, statements, privacy policies, and to evaluate the partner’s actual tracking activity, to help determine if there is support for a service provider classification. Other Ad Tech players have asserted that CCPA does not change their practices, but that no “sales” are occurring, leaving many publishers and advertisers to determine if their business can withstand taking on the risk that this assertion will be rejected once the Attorney General evaluates the practice.

At bottom, there is not yet consensus in the AdTech industry on how to assess CCPA within the context of digital advertising. Enter Google. Google offers an array of advertising and analytics services. But is Google an eligible service provider?

In favor of this classification is the definition of a “business purpose,” which includes “performing services on behalf of the business…, including … providing advertising or marketing services, [or] providing analytic services…” Under this interpretation, Google obtains personal information to provide services to the business, but is using the personal information only as allowed under the CCPA.

But in the absence of clear contract or terms of service, there is ambiguity on whether this explanation would be enough to support a CCPA service provider classification. For example, it’s possible, absent clear restrictions, that Google or another Ad Tech service provider might use third party cookies for ad tracking or bid requests sent to third party programmatic buyers involving pooled personal information of customers. That practice would involve broader sharing and usage of personal information than what clearly fits within a service provide construct. Further, it’s also possible that some Ad Tech partners might use that personal information for their own purposes, such as their own marketing efforts or other commercial purposes.

Google’s response to these compliance concerns is to offer businesses covered by the CCPA both clarity as to which of its solutions, by default, only use personal information for purposes on behalf of the customer, such as Google Analytics, Google Ad Words Customer Match, among others. And, for other solutions, customers have to enable “restricted data processing” for Ad Manager, Ad Manager 360, AdMob, AdSense, and Google Ads services. When companies enable restricted data processing, they essentially “turn off” any interest-based advertising and other broader usage of the data that is not on behalf of a customer. Google explains, “When a publisher [using Ad Manager] enables restricted data processing, Google will limit how it uses data and begin serving non-personalized ads only. Non-personalized ads are not based on a user’s past behavior. They are targeted using contextual information, including coarse (such as city-level, but not ZIP/postal code) geo-targeting based on current location, and content on the current site or app or current query terms.” To further support a “service provider” classification and remove any ambiguity, Google’s service provider contract expressly affirms that, “with respect to customer personal information processed while restricted data processing is enabled … Google will act as Customer’s service provider…”

For solutions that are not enabled to restrict data processing, Google will let individual consumers opt out in accordance with the rights offered in the CCPA.

This development will have ripple effects on the industry given that Google, as a major player, provides core turnkey Ad Tech solutions where it is the only provider linking the publisher, advertiser, and end consumer. This gives Google latitude to implement contract language and new tools to restrict data processing, and to then apply those restrictions across Google’s services. By comparison, a solution being discussed by the Interactive Advertising Bureau would require disparate Ad Tech players to all enter into a common contract that governs sharing of personal information and restricts “commercial purpose” uses of personal information.

But both concepts recognize that online programmatic interest-based advertising often involves a broader sharing and use of personal information, as defined by the CCPA, that includes a “sale,” and there’s a need to distinguish which relationships and practices involve a “service provider” (where there is not a “sale”), and which entities in that exchange facilitate a sale of personal information.

Google will not require customers complying with its online terms to opt in to the new contract. The contract takes effect as of January 1, 2020 to the extent that the CCPA applies.

Next Steps

CCPA’s compressed timeline for compliance has resulted in late-breaking developments by major players in the industry on how they are interpreting and responding to CCPA requirements, whether in the role of a business, service provider, or third party. This necessitates a responsive compliance framework that tracks these developments and makes appropriate modifications, as needed. This is particularly the case with digital advertising. If you have further questions about how these developments apply to your business, please feel free to contact any of our Privacy team members at Kelley Drye.

How Does Google Violate GDPR, According to CNIL?

• Lack of Transparency: GDPR Articles 12-13 require a data controller to provide data subjects with transparent, intelligible, and easily accessible information relating to the scope and purpose of the personal data processing, and the lawful basis for such processing. CNIL asserts that Google fails to meet the required level of transparency based on the following:

• • Information is not intelligible: Google’s description of its personal data processing and associated personal data categories is “too generic and vague.”
  • Information is not easily accessible: Data subjects must access multiple Google documents or pages and take a number of distinct actions (“5 or 6”) to obtain complete information on the personal data that Google collects for personalization purposes and geo-tracking.
  • Lawful basis for processing is unclear: Data subjects may mistakenly view the legal basis for processing by Google as legitimate interests (that does not require consent) rather than individual consent.
  • Data retention period is not specified: Google fails to provide information on the period that it retains certain personal data.

• Invalid Consent: Per GDPR Articles 5-7, a data controller relying on consent as the lawful basis for processing of personal data must be able to demonstrate that consent by a data subject is informed, specified, and unambiguous. CNIL claims that Google fails to capture valid consent from data subjects as follows:

• • Consent is not “informed”: Google’s data processing description for its advertising personalization services is diluted across several documents and does not clearly describe the scope of processing across multiple Google services, the amount of data processed, and the manner in which the data is combined.
  • Consent is not unambiguous: Consent for advertising personalization appears as pre-checked boxes.
  • Consent is not specific: Consent across all Google services is captured via consent to the Google Terms of Services and Privacy Policy rather than a user providing distinct consent for each Google personal data use case.

While Google’s size, market power, and diversity of offerings (and associated scope of data collection) places it in a somewhat unique position within the online ecosystem, CNIL’s action nevertheless offers several practical takeaways for all companies that may be re-assessing their GDPR compliance status in light of this action:

• Don’t Hide the Ball: Make a concerted effort to ensure that privacy disclosures are clear, easily discernible to consumers, and contain a plain-language description of the categories of personal data that you collect, and the purposes for which you collect it.
• Minimize Clicks: To avoid EU regulator scrutiny, reduce the number of clicks required for a consumer to determine the scope of personal data collection relating to your service.
• Be Upfront on the Legal Basis for Processing: Explicitly state within your privacy notice your lawful basis for the intended data processing. If you are relying on consent, and your business intends to use the collected data for different purposes, ensure that the consumer has a reasonable opportunity to provide consent for each specific purpose (and avoid pre-checked boxes!).
• Sweat the Details: the CNIL action shows that regulators are taking a comprehensive look at how companies are complying with GDPR requirements, including ensuring that consumers understand how long a controller may retain their personal data. Take a checklist approach to GDPR compliance to ensure your privacy disclosures satisfy all requirements.

The plaintiffs in Google Cookie allege that Google circumvented the cookie-blocker settings in Microsoft’s Internet Explorer and Apple’s Safari browsers and placed advertising tracking cookies without user consent. The putative class—theoretically, every user of those hugely popular browsers—obviously is massive. The “damages” suffered by class members, however, if any, is vanishingly small.

In 2016, Google and the plaintiffs’ counsel reached a proposed $5.5 million class action settlement. The plaintiffs’ counsel requested a $2.5 million fee, with the balance (after administrative costs) to be distributed to privacy rights non-profits such as the Berkman Center for Internet and Society at Harvard University and the Privacy Rights Clearinghouse. Individual class members would receive nothing.

The Competitive Enterprise Institute’s Center for Class Action Fairness filed an objection to the settlement, arguing that if money cannot be distributed to class members, then the settlement class should not be certified at all. The Delaware federal judge hearing the case disagreed and approved the settlement. The objector took its arguments to the Third Circuit, and now 11 state Attorneys General have joined it.

The AG coalition brief, written by the office of the Arizona Attorney General, took no issue with the amount of the settlement and acknowledged that the settlement class is huge. They contend, however, that “[d]irecting settlement funds to members of the class wherever feasible is important,” and that “there is a feasible path to distribution here.” That “feasible path” is where the brief took an unprecedented turn for an AG objection.

“Claims rates in small-dollar cases are reliably in the very low single digits (if not below one percent),” the brief argued, citing cases with low claims rates. “Even assuming a class in the tens of millions, such a claims rate would result in an economically meaningful” payment of “a few dollars to $15 or $20, if not more) to those lucky “one-percenters.” That, these Attorneys General argued, “is preferable to making no distribution to any class members.”

In the years since the Class Action Fairness Act of 2005 required federal litigants to notify State AGs of proposed class action settlements, State AGs have taken a leading pro-consumer role in trying to limit the forms that settlements can take. A multistate AG objection to a coupon settlement a decade ago, for example, has sharply curtailed the use of coupon settlements. This is the first time, however, that AGs have argued it is better to direct small dollars to a tiny fraction of a large class than to pay millions of dollars to non-profits that ostensibly could advocate on behalf of the interests of the class as a whole.

It will be very interesting to see how the Third Circuit responds to this argument.

Joining Arizona on the brief were the Attorneys General of Alaska, Arkansas, Louisiana, Mississippi, Missouri, Nevada, Oklahoma, Rhode Island, Tennessee, and Wisconsin.

BRIEF OF ELEVEN STATE ATTORNEYS GENERAL AS AMICI CURIAE IN SUPPORT OF OBJECTOR-APPELLANT AND REVERSAL

The Third Circuit found that Google intentionally circumvented “cookie blockers” on Internet browsers by exploiting loopholes found in the cookie blockers and that Google was actually tracking users’ browsing habits without these users’ knowledge. Meanwhile, Google’s privacy policy as well as a number of other public statements indicated that the company was abiding by the browsers’ cookie-blocking settings.

“Cookie blockers” are features built in to web browsers that allow a user to prevent the installation of cookies by third-party servers. Internet users have grown wary of Internet “cookies” because cookies can track visits to webpages and clicks throughout the site. Information collected from cookies is often sold to third-party advertisers or marketers.

The case, In re: Google Cookie Placement Consumer Privacy Litigation, consists of 24 consolidated suits alleging violations of California state law and federal statutes, specifically, the Computer Fraud and Abuse Act (CFAA), the Stored Communications Act (SCA) and the Wiretap Act. While the Third Circuit decision affirmed the dismissal of claims pertaining to the CFAA, SCA and the Wiretap Act, the Court vacated the trial court’s dismissal of claims under California tort law and the state’s constitutional right to privacy, reviving the suit.

The Third Circuit noted that Google’s actions amounted to “deceit and disregard” as the Company “not only contravened the cookie blockers – it held itself out as respecting the cookie blockers.” The Court concluded that a reasonable jury could find that Google’s conduct was “highly offensive” or “an egregious breach of social norms” as the Company’s actions touched millions of unsuspecting internet users over an indeterminable amount of time. Accordingly, the Third Circuit vacated the trial court’s dismissal of the plaintiffs’ claims under the California constitution and California tort law.

While Google’s “cookie blocking” practices sparked both the instant lawsuits and settlements with the FTC and 38 state attorneys general, Google isn’t the only company to come under fire for the use of cookie-blocking technology. Earlier this week, MoPub Inc., a mobile ad server owned by Twitter, was sued in California court for using “super cookies” to track and store the Internet browsing history of anyone accessing the web through their Verizon smartphone. The suit alleges that MoPub then used this information to build a personal profile which it then used to send targeted advertising, without subscribers’ knowledge or consent. Similar to the Google litigation, MoPub is accused of misleading subscribers who believed that their browser’s “opt-out” mechanism would stop MoPub’s tracking.

Companies that use tracking cookies or similar technologies should pay close attention to Google’s current litigation. Companies should also be aware of their own privacy practices, specifically, what data is being collected, how that data is used, and with whom the company may be sharing that data. When it comes to privacy policies, companies should clearly communicate their practices to users and then live up to those commitments.