Feature

Opening the Door to Trust: Privacy and Intellectual Property Policies during Exit Events

Timothy L. Yim

©2015. Published in Landslide, Vol. 7, No. 5, May/June 2015, by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association or the copyright holder.

Trust is the ultimate endgame. In the relationships between consumers and business, trust creates additional value and can drive revenue. Therefore, trust—not merely legal compliance—is the ultimate goal to which organizations should aspire when developing corporate policies, especially those policies concerning privacy and intellectual property. Privacy, which has received considerable public attention in recent years,1 is admittedly a crucial piece of this game, but it is not the only piece. Factors as varied as IP policies on trademark and trade dress enforcement, conformity with disclosure rules of the U.S. Securities and Exchange Commission (SEC), and even form of corporate entity can play into and sway consumer trust.

For startups, an exit event—typically an acquisition or an initial public offering (IPO)—often showcases the privacy policies of a business evolving rapidly from privacy as a low priority to one of high import under rigorous scrutiny. Oftentimes this exit event presents an opportunity—a door to consumer trust made possible in part through responsible privacy and IP practices. Not coincidentally, this same rationale applies to trust and specifically to the trust policies of international corporations seeking U.S. IPOs.

This article will examine the journey of trust for one such foreign company, Alibaba,2 as it prepared for and subsequently raised a 2014 IPO of $25 billion, the world’s largest to date.3 Along the way, an analysis of Alibaba’s privacy practices—including data collection, expected use, and data security—will highlight takeaways for general counsel ramping up privacy programs using fair information principles. Finally, the article will touch on Alibaba’s trademark and trade dress enforcement, conformity with SEC disclosure rules, and form of corporate entity—unfortunately revealing a company for which consumer trust is and continues to be of little import.

An Opportunity for Trust

Alibaba Group Holding Limited is the umbrella corporation for a number of Chinese companies acting as online platforms for consumer-to-consumer, business-to-consumer, and business-to-business sales.4 Alibaba Group Holding Limited announced its intent to file for an IPO in the United States in March 2014.5

Alibaba began 2014 as a Chinese company arguably only marginally subject to the laws and regulations of the United States. However, post-IPO, it has become further subject to U.S. laws and jurisdiction via the SEC. Similarly, privacy enforcers such as the Federal Trade Commission (FTC), the Federal Communications Commission (FCC), and state attorneys general have gained new sway over Alibaba’s privacy practices through the SEC’s regulatory authority. Thus, observing the progression of Alibaba’s external-facing privacy notices during the IPO process should ideally reveal an integration of privacy awareness into Alibaba’s business practices.

Trust in Startups and Early-Stage Companies

In 1980, the Organisation for Economic Co-operation and Development (OECD) published “Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data.”6 These guidelines created a privacy framework consisting of collection limitation, data quality, purpose specification, use limitation, security safeguards, openness, individual participation, and accountability.7 Since then, the OECD framework of fair information principles has been drawn upon in the creation of subsequent frameworks, including the European Union Data Protection Directive and the Asia-Pacific Economic Cooperation Privacy Framework. The OECD guidelines are especially relevant where a multinational company operates in different territories and is thus subject to varying sets of privacy laws. Here, the OECD guidelines are used as a base with which to analyze Alibaba’s privacy policies.

Admittedly, startups and other early-stage companies often are not overly concerned with trust structuring, privacy compliance, or the possibility of intellectual property infringement. Yet the all-too-common practice of relegating privacy and privacy compliance to the back seat can have serious drawbacks. Vague privacy notices or data breaches in a startup can bring unwanted scrutiny from both regulators8 and the public9 that can affect user and investor confidence. Moreover, exit options for startups typically entail considerable scrutiny on data ownership, consent obligations, and processing restrictions by either an acquiring company or by the SEC.10 Finally, treating privacy as merely a tacked-on compliance step during an exit option often leads to a long-term, internal corporate culture11 that can misjudge consumer privacy risks. Accordingly, it is in the best interest of startups to think long and hard about user data and privacy, and then to bake that philosophy into the early development process.12

Surprisingly, startups are exceptionally well positioned to embrace privacy. Precisely because startups and their products, services, and platforms are still developing, it is substantially easier to bake in privacy by design into their fledgling company values.

Alibaba: Privacy Practices

Alibaba itself consists of many different companies, most operating primarily in China and in the Chinese language; however, this article concentrates primarily on Alibaba.com, the English-language portal that handles sales between importers and exporters from the United States and more than 190 other countries.13

While reviewing Alibaba’s privacy policies as it prepared for an IPO exit, this article will focus primarily on three areas: data collection, expected use, and data security.14 The author hoped to uncover pro-consumer privacy policy changes made in consideration of the comparatively more developed privacy standards in the U.S. However, although the privacy notice was largely rewritten in terms of form and structure,15 Alibaba’s efforts prove to be largely form over substance.

Methodology

To locate Alibaba.com’s historical privacy notices, the Internet Archive16 was leveraged to access 38 snapshots of Alibaba’s privacy notices17 from July 7, 2011, to October 23, 2014. Iterative versions were then analyzed—leaving four versions with substantial changes between each: May 2014;18 January 22, 2014; June 11, 2012; and March 5, 2011 (see figure 1). These privacy notices were then contextualized by the timeline of Alibaba’s IPO. Alibaba announced its intent to IPO in the U.S. in March 2013. Thus, conservatively estimating that Alibaba began preparations to IPO on the New York Stock Exchange (NYSE) at least several months prior leads to the inference that Alibaba began its internal preparations—including a review of its privacy policies and notices—in late 2012.

Accordingly, for the purposes of this article, the provisions of the March 2011 and June 2012 Alibaba privacy notices are treated as indicative of Alibaba’s pre-IPO privacy policies. The provisions of the January 2014 and May 2014 notices are treated as indicative of Alibaba’s post-IPO privacy practices.

* The date for internal privacy policy scrutiny is estimated based on reasonable timeline estimates above.

Data Collection

Based primarily on the OECD Collection Limitation Principle, the analysis of data collection here considers data minimization; notice, choice, and consent; opt-out options; and retention periods.

Pre-IPO, Alibaba did not adopt data minimization principles, which hold that data controllers should only collect data for definite, disclosed, and commercially necessary uses.19 Alibaba collected both personal and pseudonymous information,20 including Internet protocol addresses, browser software and extensions, operating system details, browsing patterns, and behavioral data.21 Alibaba’s specified expected uses contained several unexpected uses, especially given Alibaba’s limited services as a digital marketplace. Post-IPO, Alibaba has added express language embracing data minimization.22 Unfortunately, Alibaba’s observance of data minimization essentially ends there. Alibaba collects the same categories of data as pre-IPO. Moreover, Alibaba has added additional language that is particularly unfriendly to consumers, alleging that its “business use does not generally involve the collection of personal information of individuals.”23 Such a statement is nonsensical given that names, email addresses, and Internet protocol addresses have long been held to be personally identifiable information.24

Pre-IPO, Alibaba did not expressly adopt a traditional notice, choice, and consent framework. Conversely, Alibaba asserted that newly updated privacy notices with completely new uses would apply retroactively to earlier data previously collected under a stricter privacy notice.25 In the United States, the FTC has long held such clauses to be an unfair trade practice under its Section 5 powers and just cause for sanction.26 Alibaba did provide a somewhat archaic opt-out mechanism in the form of a written letter to be mailed to a physical address in Hong Kong.27 Upon receipt, Alibaba.com would allegedly destroy the requested information from its possession. Post-IPO, Alibaba adds consent language to its privacy notice, but again does not require actual notice and consent—instead pegging its practices to a shifting floor based on jurisdiction.28 The clause regarding retroactive application of newly updated privacy notices to data previously collected remains, but, in a change for the worse, Alibaba no longer provides even that physical mail opt-out.29

Finally, for all categories of data, no retention period was disclosed. Generally, defined retention periods benefit consumers and companies by limiting liability for potential data misuse and breaches.30 Additionally, retention periods act as a final backstop to ambiguous-use scenarios that would otherwise allow for perpetual use of consumer data. Post-IPO, Alibaba’s silence on data retention periods continues.31

Expected Use

Based primarily on the OECD Use Limitation Principle, the analysis of expected use here considers whether any use would be unexpected; third-party tracking; aggregate sharing; and mandated disclosures.

Pre-IPO, Alibaba’s ambiguous and thus overbroad language provides for use of collected data in potentially unexpected ways. For example, all collected information could be used “without limitation” to facilitate “proper operation” of the site, the “business activities of its Users,” and “marketing initiatives.”32 Presumably then, Alibaba’s privacy notice would allow third-party ad networks and analytics firms to track users on Alibaba and across other sites. If so, such a policy regarding third-party tracking could be more clearly and forthrightly stated. Post-IPO, Alibaba continues its expansive language on collected data use.33 The only suggested form of “opt-out” is by technically disabling cookies via browser settings34—which is disquieting as this method of “opting out” has long since evolved into notice and choice options embedded in the services and platforms themselves. Moreover, cookies no longer are the only common tracking tools used.

Pre-IPO, Alibaba shared “aggregate information” with partners, customers, members, advertisers, and potential users.35 While in theory such aggregate information is untraceable to each individual, several well-known examples36 point to a growing potential for re-identification.37 Post-IPO, the effective language has been broadened from “aggregate” to “statistical” data,38 which does not provide the level of privacy assurances as the previously used “aggregate” language.39

Finally, pre-IPO, Alibaba allowed for “mandated” disclosure whenever there was “reason to believe” disclosure is required by law or to bring legal action if someone is “threatening to infringe.”40 Such language goes far beyond complying with legal subpoena or order and theoretically allows Alibaba almost unfettered discretion to release user data. Post-IPO, Alibaba’s disclosure rules include a non-exhaustive list of disclosure recipients: third-party service providers;41 affiliate companies within the Alibaba group;42 professional advisors, law enforcement agencies, insurers, government regulatory agencies;43 as well as the vastly overbroad category of “other organizations.”44

Data Security

Pre-IPO, Alibaba used “commercially reasonable security methods” but also disclaimed all liability for “damages rising from unauthorized use, publication, disclosure, or any other misuse” of information.45 Alibaba’s adherence to a commercially reasonable standard is commendable, but its disclaimer for all liability arising from such a failure largely turns that goodwill on its head. Complete disclaimers contracting away all civil liability have often been found unconscionable in U.S. courts.46 Furthermore, Alibaba could still be investigated, fined, and otherwise sanctioned by federal and state regulators, such as the FTC and state attorneys general. Post-IPO, Alibaba’s language regarding “commercially reasonable security methods”47 remains largely unchanged, but some of the language that previously disclaimed all resulting liability has been removed.48 Nevertheless, a liability disclaimer still exists in a different section of the privacy notice where Alibaba maintains that users transmit data to Alibaba “at [their] own risk.”49

At this point, the author was able to lightly examine Alibaba’s current state of data security and gain insight into its interpretation of “commercially reasonable security methods.” A superficial assessment of Alibaba’s actual data security practices was not promising. Secure Sockets Layer support—which provides for secure browsing over HTTPS—appears to be almost nonexistent. Not only is HTTPS off by default, but it also is apparently unavailable at key stages in the transaction process. The author was able to create a user account, change that account’s password, and process preliminary order information—including name, address, telephone, and order information—all over the unsecured HTTP protocol.

Takeaways

Alibaba did indeed make a number of improvements to its privacy notice in preparation for and post-IPO (see figure 2, page 32). However, many of these improvements are facial in nature—speaking to overall support of pro-consumer privacy principles but not extending to Alibaba’s substantive privacy processes. Moreover, many of these improvements are counterbalanced by overly defensive (and sometimes unenforceable) legal language.

Overall, Alibaba’s privacy policies can be unfavorable to consumers. Alibaba’s privacy notice allows unexpected uses of data; third-party tracking, with the only opt-out “option” being a technical browser modification that potentially breaks the service; and indefinite data retention periods. It also applies new privacy notices retroactively to data previously collected. What’s more, Alibaba glosses completely over location data and do-not-track browser compliance, which some jurisdictions such as California require companies to address. Additionally, Alibaba’s disclosure rules are overly permissive, allowing almost complete discretion to Alibaba. Finally, Alibaba’s implementation of “commercially reasonable data security” stands to be improved.

Alibaba seems to be overly focused on technical legal compliance with the privacy laws and regulations of the myriad countries in which it operates. This is by no means an easy task, but legal compliance is merely a milestone toward the ultimate goal for which Alibaba should be striving—consumer trust.

Focusing on consumer trust means moving beyond legal compliance and liability defense to viewing consumer privacy and data security as a competitive feature and an essential component of the business relationship with users. For example, even without changing its practices, Alibaba could be more transparent about third-party tracking, location data, and do-not-track compliance. Moreover, narrowing its disclosure discretion by requiring an actual complaint or court order would help instill user trust in Alibaba’s privacy and business practices. From a trust standpoint, Alibaba’s privacy policies may be indicative of a general approach to business.50

Alibaba: IP Practices

Alibaba’s recent and questionable practices regarding intellectual property rights (IPRs) enforcement would seem to substantiate that consumer and investor trust is a low priority for the company. Alibaba and its associated sites have long had a significant counterfeiting problem.51 In 2013, Alibaba removed more than 100 million listings suspected of intellectual-property infringement. And on January 27, 2015, the Chinese government’s own State Administration for Industry and Commerce (SAIC) released a white paper blasting Alibaba for fake goods, bribery, and other illegal activity on its sites.52 Meanwhile, BSA, a software alliance whose members include Apple, Dell, and Microsoft, has said that Alibaba’s process of removing suspect goods “continues to be inefficient and inconsistently applied, lacking any meaningful deterrence value.”53 Yet in the face of public inquiry, Alibaba has contended merely that “[s]ales of allegedly IPR-infringing goods . . . are minimal.”54

In particular, the SAIC claims highlight two major issues. First, Alibaba may not be wholly committed to establishing and maintaining consumer trust vis-à-vis discouraging IPR-infringing counterfeits listed on its platforms. Second, Alibaba’s willingness to skirt SEC disclosure rules belies a similar disregard for investor trust. The SAIC claims date back to conversations between the agency and Alibaba officials in July 2014—two months before Alibaba’s U.S. IPO. Under U.S. securities rules, companies are expected to disclose in IPO prospectuses legal matters that could be costly or damaging to the company. In the SAIC white paper, the Chinese agency itself said it held off on disclosing details of the talk so as not to affect the IPO.55 Not surprisingly, the market has responded; Alibaba stock dropped more than 13 percent in the weeks following the SAIC report.

Alibaba: A Suspect Corporate Structure

Even the form of corporate structure chosen can be particularly revealing from the perspective of both consumer and investor trust. Investors buying into the U.S. IPO of Alibaba will not be purchasing shares in Alibaba’s actual operating company in China. Instead they will be purchasing shares in a Cayman Islands entity, Alibaba Group Holding Limited, with contractual rights to the profits of Alibaba China.56 However, the majority of Alibaba’s Chinese assets are actually owned personally by Jack Ma and co-founder Simon Xie. Known as variable interest entity (VIE) structures, these VIEs have been used by Alibaba and other Chinese companies to sidestep Chinese prohibitions on foreign ownership.

The use of VIEs has been touted by some as “the single biggest time bomb in the U.S. capital markets.”57 The VIE structure presents two major risks with respect to the Alibaba NYSE offering. First, the structure may be illegal under Chinese law because under Chinese contract law, a contract is void “when a lawful form is used to conceal an unlawful purpose.”58 Chinese law is especially relevant here because shareholders seeking to enforce their rights will do so based on contracts between the Cayman Islands entity and Alibaba China, and enforced through the Chinese legal system.59

Second, because the VIE structure does not own title to the Chinese operating company itself, a number of previous Chinese companies listed in the United States have lost complete control of their Chinese operating companies.60 In the case of ChinaCast, the ChinaCast operating company in China transferred $41 million out of the $43.8 million raised from global investors to a purported subsidiary that the CEO personally controlled.61 This previous ChinaCast executive team was able to carry out the “systematic looting of ChinaCast” by repeatedly lying to investors in SEC filings.62 In fact, this same issue has already occurred with Alibaba. In 2011, without Alibaba.com board notice or approval, Ma transferred Alipay, Alibaba’s online payment subsidiary, to a company he himself owned.63 At the time, Yahoo owned 43 percent and Softbank 30 percent of the company, and together they controlled half the seats on the board of directors.64

Conclusion

Though many corporate policies and practices factor into the consumer trust framework, privacy and IPR enforcement have proven to be two considerable factors. Without a doubt, at the time of an IPO and the accompanying scrutiny that it brings, aligning corporate privacy policies and privacy notices to be compliant with relevant jurisdictions is critical.65 When launching a public offering in a foreign country such as the United States, and especially when targeting citizens and residents of that country, companies should pay special attention to the body of privacy laws, regulations, and best practices.

At a time when more than 90 percent of adults agree that consumers have lost control over how personal information is collected and used by companies,66 successful companies need to focus on consumer trust and best practices, not simply on compliance with privacy laws and regulations. The name of the game today is trust—on privacy beyond compliance.

Endnotes

1. See, e.g., Big Data: Seizing Opportunities, Preserving Values (Interim Progress Report), whitehouse.gov (Feb. 2015), http://www.whitehouse.gov/sites/default/files/docs/20150204_Big_Data_Seizing_Opportunities_Preserving_Values_Memo.pdf; Why Privacy Is Our 2013 Word of the Year, Dictionary.com (Dec. 17, 2013), blog.dictionary.com/privacy; Glenn Greenwald, No Place to Hide (2014).

2. The entity commonly referred to as Alibaba is more accurately Alibaba Group Holding Limited and will hereinafter be referred to as “Alibaba.”

3. Laura Lorenzetti, The 7 Biggest U.S. IPOs Ever, Fortune.com (Oct. 22, 2014, 4:46 PM), http://fortune.com/2014/10/22/these-are-the-7-biggest-u-s-ipos-ever.

4. Our Businesses, AlibabaGroup.com, http://www.alibabagroup.com/en/about/businesses (last visited Dec. 1, 2014); but see infra Alibaba the Company: A Large Caveat (regarding the variable interest equity structure of Alibaba Group Holding Limited and its status as a Cayman Islands shell corporation).

5. Elzio Barreto and Denny Thomas, Alibaba Picks U.S. for IPO; In Talks with Six Banks for Lead Roles, Reuters.com (Mar. 16, 2014, 6:42 AM), http://www.reuters.com/article/2014/03/16/us-alibaba-ipo-idUSBREA2F05O20140316.

6. OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, OECD.org, www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm#part2 (last visited Dec. 1, 2014); see also OECD, Annex to the Recommendation of the Council of 23rd September 1980: Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, Part Two, ¶¶ 7–14.

7. OECD, supra note 6.

8. See, e.g., John D. Rockefeller IV, Public Letter from Senator Rockefeller to Whisper CEO Michael Heyward, US Senate Committee on Commerce, Science, and Transportation (Oct. 22, 2014), http://images.politico.com/global/2014/10/22/102214_chairman_rockefeller_letter_to_whisper_final_sent__redacted.html; Al Franken, Public Letter from Senator Franken to Uber CEO Travis Kalanick, Senate Subcommittee on Privacy, Technology, and the Law (Nov. 19, 2014), http://www.franken.senate.gov/files/letter/141119UberLetter.pdf.

9. Mike Isaac, Uber’s Privacy Practices Questioned by Senator Franken, N.Y. Times (Nov. 19, 2014, 8:12 PM), bits.blogs.nytimes.com/2014/11/19/senator-questions-uber-on-privacy-practices.

10. Richard M. Martinez, Crafting Better Data Privacy Guidelines for Startups, Acquiring Companies, Wall St. J. (Oct. 9, 2014), blogs.wsj.com/cio/2014/10/09/crafing-better-data-privacy-guidelines-for-startups-acquiring-companies. In an acquisition, data transfers to the acquiring company may often be restricted or carry conditions due to consent obligations, notice requirements, and local laws. The transfer and merging of data without proper due diligence can lead to serious liability and the tainting of otherwise compliant databases. In an IPO, a company subjects itself to elevated disclosure standards and regulatory scrutiny as part of the process of raising money and becoming a public company.

11. See, e.g., Ben Smith, Uber Executive Suggests Digging Up Dirt on Journalists, BuzzFeed (Nov. 17, 2014, 5:57 PM), http://www.buzzfeed.com/bensmith/uber-executive-suggests-digging-up-dirt-on-journalists (Uber executive suggests spending a million dollars to hire opposition researchers and journalists to look into the “personal lives” and “families” of critical journalists.). Previously, an Uber employee had, without consent, used Uber’s “God View”—which lets them see all of the Ubers in a city and the silhouettes of waiting Uber users who have flagged cars—as a party demonstration for guests of a Chicago launch party. Kashmir Hill, ‘God View’: Uber Allegedly Stalked Users for Party-Goers’ Viewing Pleasure (Updated), Forbes.com (Oct. 3, 2014), http://www.forbes.com/sites/kashmirhill/2014/10/03/god-view-uber-allegedly-stalked-users-for-party-goers-viewing-pleasure. The 30 Uber users used for that demonstration were not pleased. Sam Biddle, Uber Used Private Location Data for Party Amusement, ValleyWAG.com (Sep. 30, 2014, 1:20 PM), http://valleywag.gawker.com/uber-used-private-location-data-for-party-amusement-1640820384.

12. See generally, Ann Cavoukian, 7 Foundational Principles, Privacy by Design, https://www.privacybydesign.ca/index.php/about-pbd/7-foundational-principles (last visited Dec. 1, 2014).

13. About Alibaba.com, Alibaba.com, activities.alibaba.com/alibaba/following-about-alibaba.php (last visited Dec. 1, 2014).

14. These attributes are ascertained from the posted privacy notice itself, except in the case of some data security practices associated with the currently operating Alibaba.com website. Though conformity with stated privacy notices is assumed, the author does not attest to Alibaba’s operating within the bounds of the stated privacy notices.

15. See generally Alibaba Privacy Policy — Updated January 22, 2014, available at web.archive.org/web/*/http://www.alibaba.com/help/safety_security/policies_rules/others/001.html.

16. Internet Archive, Wayback Machine, archive.org/web (last visited Dec. 1, 2014).

17. A history of external privacy notices was pulled from this URL on the Internet Archive’s Wayback Machine: http://www.alibaba.com/help/safety_security/policies_rules/others/001.html.

18. The day portion of the date was not provided in this iteration of the privacy notice.

19. Data minimization principles. In order to prevent data security loss and liabilities.

20. Pseudonymity refers to a persistent state of disguised identity, e.g., Ebay’s seller rating system that is tied to a username. See generally Office of the Australian Information Commissioner, The Difference Between Anonymity and Pseudonymity, oaic.gov.au (Feb. 2014), http://www.oaic.gov.au/privacy/applying-privacy-law/app-guidelines/chapter-2-app-2-anonymity-and-pseudonymity#_Toc380598657.

21. Alibaba Privacy Policy — Updated March 5, 2011, ¶6, available at web.archive.org/web/*/http://www.alibaba.com/help/safety_security/policies_rules/others/001.html.

22. See Alibaba Privacy Policy — Updated May 2014, A1, available at web.archive.org/web/*/http://www.alibaba.com/help/safety_security/policies_rules/others/001.html (“Your privacy is important to us and we have taken steps to ensure that we do not collect more information from you that is necessary for us to provide you with our services and to protect your account.”).

23. Id. at ¶1.

24. See, e.g., Erika McCallister et al., Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) ES-1, National Institute of Standards and Technology (April 2010), available at csrc.nist.gov/publications/nistpubs/800-122/sp800-122.pdf.

25. Alibaba Privacy Policy — Updated June 11, 2012, ¶28, available at web.archive.org/web/*/http://www.alibaba.com/help/safety_security/policies_rules/others/001.html (“You agree that all Collected Information (whether or not collected prior to or after the new policy became effective) will be governed by the newest Privacy Policy then in effect.”).

26. In the Matter of Gateway Learning Corp., Decision and Order, Docket No. C-4120 (Sept. 17, 2004), ¶13, available at http://www.ftc.gov/sites/default/files/documents/cases/2004/09/040917comp0423047.pdf; see generally 15 U.S.C. § 45.

27. Alibaba Privacy Policy — Updated June 11, 2012, supra note 25, ¶28.

28. Alibaba Privacy Policy — Updated May 2014, supra note 22, B7 (obtaining “consent in any form as may be required under the applicable law”).

29. Id. at H.

30. Office of the Privacy Commissioner of Canada, Personal Information Retention and Disposal: Principles and Best Practices, Priv.gc.ca (June 17, 2014), https://www.priv.gc.ca/information/pub/gd_rd_201406_e.asp.

31. Alibaba Privacy Policy — Updated May 2014, supra note 22, A4.

32. Alibaba Privacy Policy — Updated June 11, 2012, supra note 25, ¶¶11, 17.

33. Alibaba Privacy Policy — Updated May 2014, supra note 22, B6–B7.

34. Id. at E.

35. Alibaba Privacy Policy — Updated June 11, 2012, supra note 25, ¶12.

36. The Netflix contest challenged the public to create a better movie-recommendation algorithm from an “anonymized” dataset of approximately 100 million ratings that included only movie ratings, date of ratings, unique ID numbers for Netflix subscribers, and movie information. Researchers from University of Texas were able to re-identify 99% of people in the Netflix database. Narayanan and Shmatikov, supra note 37.

37. See, e.g., Arvind Narayanan and Vitaly Shmatikov, Robust De-anonymization of Large Sparse Datasets, UTexas.edu, cs.utexas.edu/~shmat/shmat_oak08netflix.pdf (last visited Dec. 1, 2014); Larry Hardesty, How hard is it to ‘de-anonymize’ cellphone data?, MIT.edu (Mar. 27, 2013), http://newsoffice.mit.edu/2013/how-hard-it-de-anonymize-cellphone-data (de-anonymizing users with just four cell tower datapoints).

38. Alibaba Privacy Policy — Updated May 2014, supra note 22, A–C, C7.

39. Id. at C7.

40. Alibaba Privacy Policy — Updated June 11, 2012, supra note 25, ¶¶18-19.

41. Alibaba Privacy Policy — Updated May 2014, supra note 22, C1.

42. Id. at C2. Restricting “affiliate companies” to those “within the Alibaba Group which comprises a group of companies operating leading online and mobile marketplaces in consumer and business-to-business commerce, as well as cloud computing and other services” is important because affiliate sharing is generally only allowed within the same business unit, e.g., banking to banking; not banking to health. Id.

43. Id. at C3.

44. Id. at C3.

45. Id. at ¶¶14, 25.

46. See generally U.C.C. § 2-302 (“Unconscionable Contract or Clause”).

47. Alibaba Privacy Policy — Updated May 2014, supra note 22, G (“Security Measures”).

48. Compare Alibaba Privacy Policy — Updated March 5, 2011, supra note 21, ¶14, with Alibaba Privacy Policy — Updated May 2014, supra note 22, C6 (moving from disclaiming liability to risk notification).

49. Alibaba Privacy Policy — Updated May 2014, supra note 22, G.

50. For example, just prior to its IPO filing in the U.S., Alibaba undertook an aggressive acquisition spree—unlike any of its past acquisitions—acquiring numerous majority and minority stakes in dozens of companies, including almost $200 million for a stake in a professional soccer club. Jesse Solomon, Alibaba is Coming: Should You Buy It?, CNN Money, http://money.cnn.com/2014/09/14/investing/alibaba-ipo-should-you-buy (“worrying about Alibaba’s aggressive acquisition streak in a range of industries”).

51. LuLu Yilun Chen, Alibaba Took Down 90 Million Fake Products in Lead to IPO, Bloomberg (Dec. 22, 2014), http://www.bloomberg.com/news/articles/2014-12-23/alibaba-took-down-90-million-fake-products-in-lead-to-ipo.

52. Carlos Tejada, China Raps Alibaba for Fakes, Wall St. J. (Jan. 28, 2015), http://www.wsj.com/articles/chinas-saic-criticizes-alibaba-over-fake-goods-1422425378.

53. Kathy Chu and Laurie Burkitt, Knockoffs Thrive on Alibaba’s Taobao, Wall St. J. (Apr. 28, 2014, 12:20 AM), http://www.wsj.com/articles/SB10001424052702304049904579517642158573008.

54. Carlos Tejada, supra note 52.

55. Telis Demos, Alibaba Dealings with Chinese Regulator Draw SEC Interest: Request Comes After Company Didn’t Disclose Interactions with Agency, Wall St. J. (Feb. 13, 2015), http://www.wsj.com/articles/sec-seeks-info-from-alibaba-on-china-probe-1423865120.

56. Steven Davidoff Solomon, Alibaba Investors Will Buy a Risky Corporate Structure, N.Y. Times (May 6, 2014, 7:56 PM), http://dealbook.nytimes.com/2014/05/06/i-p-o-revives-debate-over-a-chinese-structure.

57. See generally Gregory J. Millman, Alibaba’s IPO Puts VIE Structure in the Spotlight, Wall St. J. (Sept. 22, 2014, 9:46 AM), blogs.wsj.com/riskandcompliance/2014/09/22/alibabas-ipo-puts-vie-structure-in-the-spotlight (quoting Professor Nicholas C. Howson).

58. Id. (“In a letter to Baidu questioning the effectiveness of such a structure, the Securities and Exchange Commission noted that a ruling in late 2012 by the Supreme People’s Court of China invalidated a V.I.E. structure used by Minsheng Bank.”).

59. Solomon, supra note 56.

60. Millman, supra note 57.

61. SEC Charges China-Based Executives with Fraud and Insider Trading, SEC.gov (Sept. 26, 2013), http://www.sec.gov/News/PressRelease/Detail/PressRelease/1370539844443.

62. Id.

63. Solomon, supra note 56.

64. Joseph Menn and Kathrin Hille, Dispute Saps Yahoo’s Hold Over Alibaba, Financial Times (May 13, 2011, 11:45 PM), http://www.ft.com/cms/s/2/0107b9ca-7d4b-11e0-bc41-00144feabdc0.html.

65. The author would recommend a single international standard for each national branch of a multinational company, rather than Alibaba’s shifting privacy floor for each jurisdiction. A universal standard across a multinational company would also allow for the adoption of Binding Corporate Rules, which would simplify cross-border data transfers.

66. Pew Research Center, Public Perceptions of Privacy and Security in the Post-Snowden Era 3 (Nov. 12, 2014), available at http://www.pewinternet.org/files/2014/11/PI_PublicPerceptionsofPrivacy_111214.pdf.

Timothy L. Yim

Timothy L. Yim, CIPP/US, CIPT, CIPM, is an attorney with the Privacy and Technology Project at the Institute for Innovation Law at the University of California Hastings in San Francisco, where he directs research and policy initiatives in the consumer privacy and emerging technology space. His practice focuses on data privacy, cyberlaw, and intellectual property for technology companies and startups.