Legal shorts for May 5, 2015: Google's misuse of children's private info, Supreme Court to decide whether data brokers fall under FCRA
Google violates prohibition against profiling children
I was all set to write about Google's new extension for the Chrome browser that defends against phishing attacks by warning you when you enter your Google password at a non-Google site. Password Alert detects your password being entered on a potentially bogus site and pops up a warning that your password may have been compromised, so click the provided link to change it. The plug-in is described in an April 29, 2015, post on the Google Blog.
Before I could utter, "Bully for Google!" I came across an April 26, 2015, article on Medium.com by Tracy Mitrano that reports on Google's practice of creating profiles of children who use the company's services at school. The Family Educational Rights and Privacy Act (FERPA) requires that vendors act as "school officials" in protecting students' education records. This prohibits vendors from using and/or reselling education records for commercial purposes.
The U.S. Department of Education's Family Compliance Privacy Office has ruled that schools remain responsible for the protection of education records even after they have outsourced management of the records to a third party. The office has also ruled that any data mining of education records for commercial purposes is a per se violation of FERPA.
Similarly, the Children’s Online Privacy Protection Act (COPPA) requires "verifiable parental consent" for use of information related to children under the age of 13. That prohibition includes any form of online profiling. As Mitrano points out, Google prefers to beg forgiveness after than to ask for permission before. Google Apps for Education (GAFE) is used by more than 40 million students and teachers around the world, according to Mitrano, and Google Chromebooks will soon account for 50 percent of the computers in schools.
In a court filing from 2010 Google admitted that it mines data from GAFE emails, including those of students under the age of 13. At the same time, the company made it difficult for schools to determine what it was doing with student and teacher data, purposely obfuscating its practices in contract negotiations with the schools. For example, Google refused to include lawyers in the negotiations and continually redirected any question about data mining to the refer to "ads."
In April 2014, Google reported that it had ceased scanning student email accounts for the purpose of serving content-related ads. However, the company didn't state explicitly that it had stopped profiling students. Whether or not Google has violated the law by profiling students without their parents' "verifiable" consent, the company's educational operations are clearly deceptive. This isn't a big surprise, especially considering Google's statement in a motion filed in June 2013 related to a data-mining suit that “a person has no legitimate expectation of privacy in information… turned over to third parties.” Nothing deceptive about that statement. Immoral, unethical, potentially "evil"? Yes. Deceptive? No.
Supreme Court to determine whether data collectors are subject to FCRA
Suppose an online people directory lists inaccurate information about you. You sue the company for violating the Fair Credit Reporting Act, but the court rules that you lack Article III standing because you can't show an actual injury as a result of the inaccuracy. You claim the mistakes cost you a chance at a job when you were unemployed because the directory stated incorrectly that you were already employed.
Do you have standing to sue? Some federal courts have ruled yes, others have said no. Now the U.S. Supreme Court has agreed to hear the case of Spokeo Inc. v. Robins, Case Number 13-1339. The U.S. Court of Appeals for the Ninth Circuit reversed the dismissal by the U.S. District Court for the Central District of California for plaintiff's lack of Article III standing. The question is whether the defendant's "willful" violation of the FCRA is sufficient to confer Article III standing. In its petition to the Supreme Court, Spokeo pointed out that several other federal statutes include both private rights of action and statutory damages, including the Telephone Consumer Protection Act, Truth in Lending Act, Fair Debt Collection Practices Act, and Electronic Funds Transfer Act.
As Ashley B. Guffey of King & Spalding writes in an April 27, 2015, article on JD Supra Business Advisor, the case has widespread implications for actions related to data breaches and other privacy matters, for which it is often difficult to prove actual damages. In a class-action suit, each violation of the FCRA could be punishable by a fine of $1,000. For a service the size of Spokeo, loss of such a case could put the company out of business.