chevron-down Created with Sketch Beta.
April 01, 2014

Does “I Accept” Really Mean “Abandon All Hope of Privacy, Ye Who Enter Here”?

Recently, courts have been allowing suits about online privacy to proceed to class certification. We present a fictional case that lays out arguments about the very real issues.

Simon Goodfellow

Download a printable PDF of this article (membership required).

You are about to read closing arguments in a jury trial of an online privacy class action case: In re Amalgam, Inc. Online Privacy Litigation. Amalgam, Inc.—a fictional conflation of Google, Facebook, Twitter, LinkedIn, Yahoo, and others, and an online provider of search engine, email, social networking, business links, and other services—has been accused of improperly aggregating its users’ personal information and selling it to advertisers and vendors. Case law and relevant facts are interspersed to aid your understanding of the issues. Are you thinking that reading this would be a useless exercise because such cases are routinely tossed at the pleadings stage for lack of standing? Not so fast. That may have seemed true in the past, but courts have recently denied several motions to dismiss, allowing cases to proceed to class certification. Litigators need to start thinking beyond the motion to dismiss.

Before we begin, ask yourself: Can I (or my client) have any expectation of privacy in the personal information we share with friends, family, and colleagues using an online service provider whose terms of use we have accepted, if those terms expressly state the provider will use that information to give us advertising specifically relevant to us?

The Plaintiffs’ Closing Argument

So, ladies and gentlemen, are you ready to surrender to a world where Big Brother—I’m sorry—Amalgam, Inc., owns your most private thoughts and fears, and is free to sell them to the highest bidder? Who among you, when this trial started, understood that when you use Amalgam’s email service (FUMail), Internet search engine (Boohoo), 140 character messaging service (Bleeter), social networking site (PlayBook), or professional networking site (LockedOut), you are, according to Amalgam’s reading of its own terms of use, giving Amalgam free license to read your emails, Bleets, and posts, collect and analyze all your Boohoo searches, vacuum up all your “I’m interested” comments on PlayBook, blend all that information with all the other information it could buy about you from data miners, and then sell this very detailed picture of you to advertisers and vendors? I suggest that not even the most careful reader of the pages of Amalgam’s privacy policy at the “Click here if you agree” window could have understood that.

 

Amalgam, however, goes even further. Not only does it insist that its conduct here is legal because the users agreed to it; it blandly (and unbelievably) asserts that non-users too are bound by its privacy policy when they send anything via their nonFUMail email provider to an FUMail user because its policies were so widely publicized that the whole world “knew or should have known” that Amalgam was reading everyone’s emails.

 

(Both Google and Yahoo have recently been sued for allegedly aggregating information gleaned not from their own users’ emails—i.e., users who agreed to their terms of use and privacy policies—but from users of other email services who sent emails to Gmail or Yahoo mail users, and whose emails thus became information stored on Google’s and Yahoo’s servers. (In re Google Inc. Gmail Litig., No. 5:13-md-02430-LHK (N.D. Cal. filed May 23, 2013); Kevranian v. Yahoo! Inc., 5:13-cv-04547-LHK (N.D. Cal. filed Oct. 2, 2013))


 

I mentioned Big Brother when I started. Now, that term is usually used about a government that seeks to peer into every corner of its citizens’ lives. But I suggest even the National Security Agency (NSA)—and its “customer support line,” the White House—which has been exposed as conducting a massive surveillance of the American public, would blush to advance so sweeping a claim. The NSA at least asserts the fig leaf of an “investigation” into a terrorist threat as its justification for requiring telephone and Internet service providers (Amalgam among them) to turn over all our data. Amalgam, on the other hand, asserts it is entitled to use your data merely because you choose to use the Internet. Every email you send or receive, every Internet search you do on your home computer, everything you post, every Bleet you send—all are grist for Amalgam’s advertising service.

Let’s take a moment to think about what that means they claim to be able to collect about you and then sell. We’ll start with email. First, when was the last time any of you sent a “snail mail” letter? Maybe Christmas or get-well cards, right? For the rest, we all use email. Amalgam claims it has the right to read, cross-correlate, and sell the content of your emails. And what’s in those messages? Intimate notes to loved ones, responses to political debates on Bleeter, letters to the editor, private emails to your doctor. All are vacuumed up.

Now let’s talk about your Internet searches. I imagine, like me, you’ve used Amalgam’s search engine to perform hundreds, if not thousands, of searches. Those searches, too, become information Amalgam claims it has the right to gather and sell. You were sitting at your PC (your personal computer), believing you were in the privacy of your own home. Maybe you were searching online for facts about a very private health concern. Perhaps you were merely looking up what various politicians were saying about a current affairs issue—Obamacare, the government shutdown, national debt, gun control. Did you understand Amalgam claims it has the right not merely to capture that information but also to use and sell it?

In fact, Amalgam argues the plaintiffs are fools for not understanding this. Amalgam derides its users for thinking they can really get Amalgam’s services for “free.” “Of course, we’re selling you to the highest bidder. How else can we pay the electric bills and buy ever faster computers to give you the bandwidth you demand?” That is, in effect, their argument. My opponent won’t say it so baldly—rather, he will cloak it in citations to the various Amalgam user agreements that he contends you “sign” by logging in.

Originally, Amalgam was a portal through which users could access the Internet. It attracted users by claiming that its search engine would take them to the sites that produced the most responsive and accurate results for their search terms. Around the edges of that portal, Amalgam displayed advertisements, much as you see a billboard as you zip by on the subway. Over time, however, Amalgam has been pressured by its stock price to become ever more efficient at monetizing its users. (If “monetizing a user” sounds suspiciously like “tenderizing a steak” to you, you’re not far wrong.) To earn ever more revenue from you, the individual user, Amalgam has had to promise the advertisers more. The advertiser no longer has to hope one of the subway passengers is interested in the product flying past the windows. Instead, Amalgam will pick the rider’s pockets, burgle the rider’s house, read all the contents, and then allow the advertiser, through the miracle of modern computer wizardry, to post just the right ad at just the right window at just the right station. This is the invasion of privacy we are asking you to prohibit and punish. Amalgam’s attempt to justify its conduct by claiming it has, month by month, changed the fine print on the subway ticket to permit the pickpocketing and burglary should be dismissed as the smokescreen it is.

Amalgam is not content with selling your every search or email. It also adds huge amounts of data about you that it buys on the open market, and then it creates an incredibly detailed and personal picture of you—and all of its users and even nonusers who simply sent an email to an Amalgam user—perhaps including your name, address, phone number, Social Security number, marital status, job, sexual orientation, likes, dislikes, medical issues, and so on.


 

(This process is called “data enhancement.” There are “data mining” vendors—such as Acxiom and Consumer Orbit—that collect all the data available about Internet users, and sort and catalogue the data into huge files and analyses. Both sellers and buyers of advertising can buy this information about individual users/advertising targets on the open market. These data miners also offer predictions by deriving patterns of conduct, based on comparisons of huge volumes of data, that on their face do not necessarily suggest themselves. For example, they may determine that “someone who lives in the following zip code, who has also bought sandals, and who has gone abroad in the last six months, will likely buy a cookbook if offered one within four months of returning to the U.S.” This collection process is now being scrutinized and, possibly, regulated. One firm, Acxiom, is trying to get ahead of the regulators. It has started to post some, though not all, of the data it has about Internet users openly, and users can sign on to see it at www.aboutthedata.com. A user can even change his or her information to make it more accurate. Of course, if the user does so, he or she agrees Acxiom can use it to sell advertising to the user. 

There are also firms like Rocket Fuel, Inc., that specialize in real-time analysis of all these data and how users are responding to an advertising campaign. For example, is a user an “early adopter” or a “conservative buyer”?)


 

What does Amalgam do with that profile? It uses it to sell to advertisers and vendors the right to bombard you with targeted advertising. This is exactly what happened to my clients in this case. Amalgam’s revenue last year from this advertising? Almost $50 billion!


(In 2012, Google’s revenue from advertising was more than $43 billion (investor.google.com/financial/tables.html). Facebook’s was more than $4.2 billion (www.insidefacebook.com/2013/01/30/facebook-reports-1-585b-in-revenue-for-q4-2012-net-income-of-64m/). Yahoo’s was over $3.1 billion (marketingland.com/emarketer-yahoo-ad-revenue-is-growing-but-google-still-owns-the-marketshare-38129). And LinkedIn’s was more than $258 million (investors.linkedin.com/releasedetail.cfm?ReleaseID=738977).)


 

First, Amalgam’s practice is an outrageous violation of my clients’ constitutional right to privacy. Second, since Amalgam expressly promised my clients in its terms of use and privacy policies it would not sell their personal information, Amalgam has breached its contracts with my clients as well.


(Plaintiffs in recent cases involving online privacy have pled these and other claimed violations, including the Wiretap Act as amended by the Electronic Communications Privacy Act (ECPA) (18 U.S.C. § 2510 et seq.), the Stored Communications Act (18 U.S.C. § 2701 et seq.), California’s Unfair Competition Law (UCL) (Cal. Bus. & Prof. Code § 17200 et seq.), California’s Computer Crime Law (Cal. Penal Code § 502), California’s Consumers Legal Remedies Act (CLRA) (Cal. Civ. Code § 1750 et seq.), California’s Invasion of Privacy Act (CIPA) (Cal. Penal Code § 630 et seq.), and other state and federal common-law and statutory claims. (See, e.g., In re Facebook Privacy Litig., 791 F. Supp. 2d 705 (N.D. Cal. 2011); In re Google Inc. Gmail Litig., No. 5:13-md-02430-LHK, LEXIS 172784 (N.D. Cal. Sept. 26, 2013).))


 

Let’s start with the California Constitution. It provides: “All people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.” As the jury instructions the judge read to you show, this right to privacy includes “precluding the dissemination or misuse of sensitive and confidential information.” This is called “informational privacy.” So my clients—and all Internet users in California—have the right to preclude Amalgam from disseminating or misusing their sensitive and confidential information. Yet, when an Amalgam user is diagnosed with cancer and uses Boohoo to search for information about potential treatments—in the privacy of her own home—Amalgam takes that information, aggregates it with other information it’s learned about that user from her emails, for example, and then goes to its pharmaceutical company clients and says: “Pay me a premium because I’ve identified this opportunity, and I’ll put your ad on her screen.” It’s callous. It’s pure greed. Amalgam is taking advantage of Internet users and laughing all the way to the bank. Did I mention Amalgam made almost $50 billion in revenue from this practice last year? It’s a blatant violation of my clients’ constitutional rights.

Not only is Amalgam’s conduct a violation of my clients’ right to informational privacy, but since Amalgam promised not to sell its users’ personal information, doing so was a breach of contract. Amalgam’s terms of use and policies expressly state Amalgam will not share—let alone sell—its users’ personal information unless the user gives his or her permission, or Amalgam is required to do so by law: in responding to a subpoena from the government, for example. You’ve heard the evidence. My clients did not authorize Amalgam to sell their information. And Amalgam is not claiming it was required by law to snoop through my clients’ personal, intimate secrets. So Amalgam breached its own terms of use and therefore breached its contracts with my clients.


(On January 24, 2012, on its official blog, Google stated: “We don’t sell your personal information, nor do we share it externally without your permission except in very limited circumstances like a valid court order.” (googleblog.blogspot.com/2012/01/updating-our-privacy-policies-and-terms.html)

Facebook’s Data Use Policy states: “[W]e don’t share information we receive about you with others unless we have: received your permission; given you notice, such as by telling you about it in this policy; or removed your name and any other personally identifying information from it.” (www.facebook.com/about/privacy/your-info)

LinkedIn’s Privacy Policy states: “We will not disclose personal information that is not published to your profile or generated through engagement with other LinkedIn services, such as Groups and Company Pages, without your consent or to carry out your instructions (for example, to process payment information) unless LinkedIn has a good faith belief that disclosure is permitted by law. . . .” (www.linkedin.com/legal/privacy-policy))

 

Now, Amalgam’s counsel is going to argue there was no selling of information, no disclosure, no breach of privacy, because all this is happening out in the ether, and no one’s really looking at the information. It’s all happening on computers. This is nothing but an attempted sleight of hand. Just because it’s Amalgam’s computer selling your information to Macy’s computer doesn’t make the sale any less a violation. And do you really think Amalgam’s employees or the vendors’ or advertisers’ employees aren’t looking at your information? Here’s what the evidence has shown is really going on.

What you know is that you run a search, see the results, and click on one of the links. What you don’t know is that between your click and the next screen showing up, Amalgam is conducting an auction of the right to have a company’s ad displayed on the next screen you see. Amalgam uses its knowledge of all your information to describe you to the advertisers, and the advertisers decide how much to bid to show you their ads. “We’ll pay $50 per thousand views for someone who has just come back from Europe, but only $40 per thousand views for someone who didn’t vote in the last election.” So money is paid by advertisers and vendors to Amalgam. And the more money they pay, the more likely their ad or link will appear on the user’s screen.

But the information transfer doesn’t stop there. Amalgam claims none of your data are actually sent to the advertiser or vendor. Wrong! If you click on any of the search results or ads, something called a “referrer header” is sent to the advertiser or vendor who owns the link or ad. That referrer header includes your IP address, the website you were on when you clicked the link or ad, any cookies stored on your computer, and the search term you were searching for, which, if you were searching your own name—which we all do—would include your name.


(This was the plaintiffs’ claim in In re Google Referrer Header Privacy Litigation, No. 5:10-cv-04809-EJD (N.D. Cal.). On August 23, 2013, the parties asked the court to approve a settlement of the case, in which Google would pay $8.5 million and post a disclosure on the Frequently Asked Questions section of its website informing users whether their search queries would be transmitted to third parties. Because Google has not agreed to change its practices, but only to update its disclosures, several objectors have written to the court requesting it reject the settlement. (Id., ECF No. 58.))


Thus, Amalgam’s vendors and advertisers are receiving users’ information in return for money paid to Amalgam. In other words, Amalgam is selling its users’ information to advertisers and vendors, and Amalgam has clearly breached its contractual promise to my clients—and all its users—not to sell their personal information.

Based on the evidence, you must find in favor of my clients and against Amalgam. Thank you.


 

Amalgam’s Closing Argument

Ladies and gentlemen of the jury, what you just witnessed is what the French call effets de manche, or “sleeve effects.” The attorney who lacks facts or law to support his case waves his hands in grand gestures as he speaks, the sleeves of his black robe flap and billow out, and the jury is distracted from the lack of evidence or law in the argument. Here too, the plaintiffs’ counsel is hoping you won’t notice that neither the facts nor the law support the plaintiffs’ claims.

Your job today—just like the job of any jury on any day in this courtroom or any other courtroom across this country—is to uphold the law. The judge read the jury instructions to you earlier today. Those instructions state the law that applies in this case. You will have copies of those instructions with you in the jury room. And when you apply that law to the evidence you’ve seen and heard during this trial, you will conclude there’s nothing illegal—or even scary—going on here.

That’s what the plaintiffs’ counsel is really trying to do. He’s trying to scare you. He wants you to imagine that, when you send an email, or run a search, or post or Bleet about something, an Amalgam employee in a dark room somewhere is gathering and reading all that information. He wants you to imagine that the Amalgam employee then transmits that information to vendors’ and advertisers’ employees in other dark rooms, and that those employees read your information. And now all these people know your personal information.

The evidence you’ve seen and heard during this trial makes it clear that this simply is not happening. Amalgam has not breached its contracts with the plaintiffs because it has not sold the plaintiffs’ personal information to anyone. The evidence has shown that neither Amalgam nor its advertisers and vendors ever allow human eyes to see anyone’s information. Even more crushing to the plaintiffs’ case, the demands of technology mean that it is impossible for Amalgam to show your personal information to anyone as part of the advertising process. In order for the process to work, every step has to take place in one-third the time it takes the human eye to blink.

Let me explain factually what is happening. No sleeve effects, no scare tactics, just facts. The ads we’re talking about are the ones that show up on the edge of your screen as you click your way through the Internet. Amalgam’s contracts with its advertisers state that Amalgam will show an advertiser’s ads to the viewer who best matches the advertiser’s desired target viewer profile. As a result, advertisers are willing to pay Amalgam more for each thousand views.

Once you understand how this works, you will see the plaintiffs’ case is ridiculous. What we are talking about happens between the time that you click on a link and when your browser shows you the next page. Even if you are, like me, prone to complaining about how slow your browser is, we’re talking about nanoseconds.

So let’s say you’re a woman who plays golf, you’re browsing the Internet, and you run a search for “shoes.” The results page has many different results, all having something to do with shoes. You click on “Golf Shoes—The Golf Warehouse.” Before that store’s webpage comes up, here’s what happens.

Let’s say one of Amalgam’s advertising clients is Nike, and it has a new sales program selling golf shoes styled for female players between 25 and 35 years of age. It is willing to pay $45 per thousand views for that target audience. It has signed up as a user of Amalgam’s patented “Ad Exchange” program. So its computers—not any of its personnel, just its computers—are linked up to Ad Exchange.

After you click on “Golf Shoes—The Golf Warehouse” and before The Golf Warehouse’s webpage is displayed on your computer screen, Ad Exchange lists you as a user who is “female, buys Golf Digest, age 32, looking for golf shoes,” and its computer asks for bids for the ads on the page Amalgam is about to show you. Amalgam’s advertising clients’ computers then post bids based on their desired target demographic. One client’s computer bids $38 per thousand such viewers. Nike’s computer bids $40 per thousand. Ad Exchange declares Nike the “winner,” and when The Golf Warehouse’s webpage shows up on your computer screen, on one side of that screen is an ad for Nike’s golf shoes.

The entire process, from your clicking the link to seeing The Golf Warehouse’s webpage, is, by Amalgam’s contract terms, required to take less than 120 nanoseconds. That’s one-third of an eye blink. And remember, all I’ve described is one interaction. Amalgam’s officers have testified that this sequence happens 30 million times an hour. As a result, it is mathematically impossible that any human eyes ever see your information. All Nike gets is a bill showing that Amalgam has, per contract, shown the golf shoes ad to X thousand viewers who meet the requested demographic. Neither Nike’s employees nor Amalgam’s ever know who each “you” is. The plaintiffs’ counsel is trying to create a dark, sinister plot where there simply isn’t one.

You also heard evidence about data mining companies. Indeed, plaintiffs’ counsel admits there are data miners out there gathering personal information about Internet users. If plaintiffs’ information is available from multiple sources, some of whom sell that information on the open market, how can plaintiffs claim the information that Amalgam has about them is unique and private?

In addition to the facts about how Amalgam’s advertising service works, we’ve shown you Amalgam’s terms of use and privacy policies. And you’ll have copies of those in the jury room. They expressly informed the plaintiffs that by using Amalgam’s services, they were sharing their information with Amalgam and that Amalgam would aggregate any information they shared and would use that information to provide them with more useful advertising. And we’ve shown you that each of the plaintiffs—and all Amalgam’s users—agreed to those terms of use and privacy policies when they became Amalgam users. Having agreed, the plaintiffs then voluntarily provided their information to Amalgam by using its services. The plaintiffs cannot claim Amalgam violated their privacy rights by doing exactly what it told them—from the beginning—it would do. Once you apply the law to the evidence, you must find in favor of Amalgam.

Now let’s turn from the facts to the law. And let’s focus on the right-to-privacy-claim first. The law is clearly set forth in the jury instructions. You should read them again. To prove a violation of the right to informational privacy, the plaintiffs must show three things: (1) a legally protected privacy interest; (2) a reasonable expectation of privacy under the circumstances; and (3) a serious invasion of the privacy interest. The plaintiffs have to prove all three. If any of the three is lacking, you must rule for Amalgam. Here, the plaintiffs’ evidence fails to prove both the second and third of those elements.

First, plaintiffs must prove a reasonable expectation of privacy under the circumstances. Yet, the evidence we’ve presented to you has shown every Amalgam user, when he or she signs up to use Amalgam’s services, must click “I agree” to the terms of service, and thus to the privacy policies. If they didn’t click “I agree,” they wouldn’t be able to use Amalgam’s services. Plaintiffs admit they clicked “I agree,” and they admit they entered into these contracts. If they didn’t, they wouldn’t be able to claim Amalgam breached those contracts. In a few minutes, I’ll explain why their breach-of-contract claim fails, but for now we’re focused on the right to privacy.

Amalgam’s terms of use and privacy policies are crystal clear. They expressly state that an Amalgam user agrees that Amalgam may aggregate his or her information to create targeted advertising. So ask yourself, how can the plaintiffs claim Amalgam violates their “reasonable expectation of privacy” by aggregating their information to create targeted advertising, when they’ve expressly authorized Amalgam to do just that?


(Google’s, Facebook’s, LinkedIn’s, and Yahoo’s terms of service and/or privacy policies all state they will use the information provided by their users to provide targeted advertising. For example, Google’s terms of service (as modified on March 1, 2012) provide: “Google’s privacy policies explain how we treat your personal data and protect your privacy when you use our Services. By using our Services, you agree that Google can use such data in accordance with our privacy policies.” (www.google.com/intl/en/policies/terms/). Google’s Privacy Policy (as modified on June 24, 2013) provides: “We use the information we collect from all of our services to . . . offer you tailored content—like giving you more relevant search results and ads. We may combine personal information from one service with information, including personal information, from other Google services. . . .” (www.google.com/policies/privacy/).

Twitter is widely expected to start providing targeted advertising once it goes public and is under more pressure to monetize its services.

Google made the argument that users’ agreements to its privacy policies barred their claims in In re Google, Inc. Privacy Policy Litigation, No. 5:12-cv-01382-PSG, 2012 U.S. Dist. LEXIS 183041(N.D. Cal. Dec. 28, 2012). The court dismissed the original complaint, with leave to amend, for lack of Article III standing and did not reach this issue. Google raised the argument again in its successful motion to dismiss the amended complaint.)


 

The result is no different for plaintiffs who are not Amalgam users. They still cannot prove a reasonable expectation of privacy. The evidence has shown all those plaintiffs used other email services that required them to agree to privacy policies almost identical to Amalgam’s. You heard me ask them on the witness stand if they had seen targeted advertising on their screens. They all said yes. Any claim they did not know companies on the Internet are using the information they voluntarily post, send, and share to provide them with targeted advertising is not reasonable. Thus, any claimed expectation of privacy is not a reasonable expectation of privacy. It’s an effort by the plaintiffs to put their heads in the sand, ignore the realities of the modern world, and claim Amalgam somehow duped them.

In any event, neither the Amalgam user plaintiffs nor the nonusers can prove the third element of their claim—a serious invasion of the privacy interest. As I explained a few minutes ago, the plaintiffs have offered no evidence—because they cannot—that any human eyes have ever seen or read their information or that any vendor or advertiser was able to figure out from the Internet addresses, search terms, and so on, that they allegedly received, whose information it was.


(In In re Facebook Privacy Litigation, 791 F. Supp. 2d 705 (N.D. Cal. 2011), the court granted Facebook’s motion to dismiss. Both the Wiretap Act and the Stored Communications Act bar divulging the contents of a communication but not when the alleged divulging is to the user’s intended recipient. The court held that when a user clicks on an ad, the user is the sender and the advertiser is the recipient; thus, any alleged divulging to the advertiser did not state a cause of action. The court granted the motion for the further reason that the plaintiffs’ complaint alleged—which allegation had to be assumed true on a motion to dismiss—that referrer headers had been a part of how the Internet worked since 1996.)


 

The plaintiffs’ counsel has tried to get around this gaping hole in his clients’ evidence by offering scenarios focusing on what happens if a user clicks on one of the ads or links. But by then, Amalgam isn’t even involved anymore. Amalgam has now done what it expressly told the plaintiffs it would do. It has used their information to provide them with ads and links that are relevant to them. Once those ads or links have been placed on a user’s screen by the computer-to-computer process I just described, and the user clicks on the ad or link, the user is communicating with the vendor or advertiser. Amalgam isn’t communicating with anyone. The user is saying to the vendor, “I’m interested in your product. Please give me more information.”

Nor is the “referrer header” argument of any help to the plaintiffs. If any information is transmitted when the user clicks his or her mouse, it’s not a function of Amalgam’s conduct, but a function of how the Internet works. As you heard during expert testimony in this case—and as the plaintiffs’ counsel admits—when a user clicks an ad or link, a referrer header is sent to the advertiser or vendor. The plaintiffs are claiming the personal information Amalgam is selling is in this referrer header. Yet, as an expert witness testified, this is how the Internet has worked since 1996, long before Amalgam ever existed. What Amalgam is selling is neither more nor less than what each user agrees it can sell: the aggregation of the user’s Internet conduct—sent computer to computer—in order to make sure the advertising the user sees is, in fact, of interest to the user.

But there’s another, overarching reason you must rule for Amalgam. The plaintiffs haven’t proven they were damaged. You heard in the jury instructions, and you can read them again in the jury room: The paintiffs must prove they’ve been damaged. If not, how are you supposed to compensate them?

So even if the plaintiffs’ counsel has convinced you some advertiser or vendor has seen or read the plaintiffs’ information because of something Amalgam did—and remember I’ve argued today the evidence has not shown that—the plaintiffs have shown you no evidence that, as a result, the plaintiffs have suffered any damages. You’ve seen no proof of identity theft—in other words, that anyone has applied for credit cards or cell phones in the plaintiffs’ names, or run up charges on plaintiffs’ credit cards, or anything of that nature. So the plaintiffs haven’t proven they’ve lost anything of value. All of Amalgam’s services are free of charge. So the plaintiffs have not lost any money.


As the jury instructions also state, the law is clear: Personal information is not property in the eyes of the law. This makes perfect sense. If you give the person next to you $10, that person now has the $10, and you no longer have the $10. So you’ve technically given up something that was yours. The same would be true if you give the $10 to Amalgam. But if you turn to the person next to you and say, “I live in San Francisco, and I enjoy cycling and Mexican food,” you haven’t lost anything of value. And, in the absence of any proof the information was used to harm the plaintiffs financially, the same is true if you share information with Amalgam, and Amalgam shares it with advertisers and vendors.


(This conclusion that plaintiffs in such cases have not alleged injury in fact, and thus lack Article III standing, is one of the reasons courts have dismissed many such cases at the motion-to-dismiss stage. For example:

In re Facebook Privacy Litigation, 791 F. Supp. 2d 705, 714 (N.D. Cal. 2011): “Plaintiffs do not allege that they lost money as a result of Defendant’s conduct. Instead, Plaintiffs allege that Defendant unlawfully shared their ‘personally identifiable information’ with third-party advertisers. . . . However, personal information does not constitute property for purposes of a UCL claim. . . . Because Plaintiffs allege that they received Defendant’s services for free, as a matter of law, Plaintiffs cannot state a UCL claim under their own allegations.”

In re iPhone/iPad Application Consumer Privacy Litigation, No. 5:11-md-02250-LHK, LEXIS 106865 (N.D. Cal. Sept. 20, 2011): “Plaintiffs have not identified a concrete harm from the alleged collection and tracking of their personal information sufficient to create injury in fact.”

LaCourt v. Specific Media, Inc., No. SACV 10-1256 GW JCGX, LEXIS 50543 (C.D. Cal. Apr. 28, 2011): “[E]ven assuming an opportunity to engage in a ‘value for value exchange,’ Plaintiffs do not explain how they were ‘deprived’ of the economic value of their personal information simply because their unspecified personal information was purportedly collected by a third party.”

In re Doubleclick, Inc. Privacy Litigation, 154 F. Supp. 2d 497, 525 (S.D.N.Y. 2001): While “demographic information is valued highly . . . the value of its collection has never been considered an economic loss to the subject.”

In re JetBlue Airways Corp. Privacy Litigation, 379 F. Supp. 2d 299, 328 (E.D.N.Y. 2005): There is “no support for the proposition that an individual passenger’s personal information has or had any compensable value in the economy at large.”

On the other hand, several courts have denied motions to dismiss and held that plaintiffs have alleged standing—in cases involving statutory claims—based on a determination that the alleged violation of the statute itself constituted the required injury. See, e.g., In re Google Inc. Gmail Litig., No. 5:13-md-02430-LHK, LEXIS 172784 (N.D. Cal. Sept. 26, 2013) (“Like both RESPA and the Wiretap Act,

. . . [the California Invasion of Privacy Act] creates a statutory right the violation of which confers standing on a plaintiff.”); see also In re Facebook Privacy Litig., 791 F. Supp. 2d 705 (N.D. Cal. 2011); Gaos v. Google, Inc., No. 5:10-cv-04809-EJD, LEXIS 44062 (N.D. Cal. Mar. 29, 2012).)


 

 

So whether you rule in Amalgam’s favor because the plaintiffs expressly agreed to the conduct they’re now claiming violated their rights, or because the plaintiffs have failed to prove anyone’s seen their personal information, or because the plaintiffs have not proven any damages, you must rule—based on the law and the evidence you’ve seen during this trial—in Amalgam’s favor. Thank you.


 

The Plaintiffs’ Rebuttal

Amalgam is saying: “Yes, we’re collecting all your personal information. Yes, we’re trawling through it and aggregating it and creating a detailed profile about you. All your personal emails. All your searches about personal health issues that you did sitting at your personal computer, in the privacy of your own home. But there’s nothing you can do about it because, when you signed up to use Amalgam’s services, you clicked ‘I agree.’”

First, as you heard from one of the expert witnesses, it’s well known nobody reads the policies before they click “I agree.” The whole Internet industry knows it. And Amalgam knows it. How can Amalgam argue you agreed to something it knew you wouldn’t read?

Second, even if you’re one of the few people who read the policies before clicking “I agree,” Amalgam has changed what you agreed to, after you agreed to it. Its policies say that by continuing to use its services, you agree to any changes to its policies it might make. So what they claim you’ve agreed to is a moving target. They say you can’t have had a reasonable expectation of privacy. What’s reasonable about arguing you agreed to something you never read and they knew you wouldn’t read and they kept changing anyway?

Third, and most importantly, I want you to read Amalgam’s policies closely when you’re deliberating. Now, I know what you’re thinking. I didn’t read them when I signed up to use Amalgam because they were long and tedious and full of legal mumbo jumbo. And you want me to read them now? The answer is yes. And here’s why. When you read them, you’ll see they simply don’t explicitly say what Amalgam’s counsel told you they say. They say things like, and I’m quoting: “We will use your information to provide, maintain and improve our services—including advertising.” Or: “Advertisements may be targeted to the content of the information stored on our services.”

These statements do not—even if you read them—tell you all the shocking things the evidence has shown Amalgam does with your information. By lumping advertising in with providing, maintaining, and improving services, and by saying what Amalgam “may” do, instead of what it “will” do, Amalgam intentionally created a policy that would allow its lawyer to stand here today and say my clients agreed to everything they’re complaining about. But when any reasonable person really reads it, it does not say Amalgam will read all your emails, all your posts, all your Bleets, all your Internet searches, and create a profile of you that will allow it to sell to the highest bidder the right to advertise to you.


(Google argued the plaintiffs had consented to its conduct in its motion to dismiss in In re Google Inc. Gmail Litigation, No. 5:13-md-02430-LHK, LEXIS 172784 (N.D. Cal. Sept. 26, 2013), which involved causes of action for violation of federal and state antiwiretapping laws. Google pointed to language in its privacy policies stating it “use[s] the information [it] collect[s] from all [its] services . . . to offer you tailored content—like giving you more relevant search results and ads.” The court held, however, Google’s policies “did not explicitly notify Plaintiffs that Google would intercept users’ emails for the purposes of creating user profiles or providing targeted advertising.”

The court also held the alleged interception of the content of emails for purposes of selling targeted advertising was not in the ordinary course of Google’s business—transmitting emails from sender to recipient—and thus rejected Google’s argument that the “ordinary course of business” exception to the Wiretap Act applied.

On October 9, 2013, Google moved for certification of interlocutory review under 28 U.S.C. § 1292(b).)


 

 

So despite Amalgam’s policies, my clients had a reasonable expectation of privacy as they sat in their own homes and on their own computers, and Amalgam invaded that privacy in violation of the California Constitution.

Amalgam claims it’s not selling the plaintiffs’ information, but that any personal information the vendors and advertisers receive when a user clicks a link or ad is either a communication from the user to the vendor or advertiser, or simply a function of how the Internet works. Amalgam cannot wash its hands of any responsibility for the disclosure of this information when its privacy policy states otherwise. Amalgam’s policy states it takes the confidentiality of users’ personal information very seriously and shares that information only in certain limited circumstances, such as with the user’s consent or in order to respond to a subpoena. In light of those statements, Amalgam’s dismissive response to the evidence is ridiculous.

Moreover, Amalgam’s response that it is not the one communicating personal information to vendors and advertisers is nonsense. It is only based on Amalgam’s collection of users’ information and use of that information to put certain vendors’ and advertisers’ links and ads on those users’ screens, that the users are able to click on the links and ads that cause these disclosures. If not for Amalgam, the disclosures never happen.

Amalgam’s counsel argues my clients have not been injured because their information has no value, so they’ve shown no damages. Yet, the evidence has shown Amalgam’s vendors and advertisers paid Amalgam almost $50 billion for that information in 2012. How can Amalgam argue with a straight face that its users’ personal information has no value?

Lastly, think about this. Amalgam’s counsel has stood here today and told us we should all calm down. Take a breath. Sure, Amalgam gathered Internet users’ personal, secret information and used it to sell advertising. So what? It’s nothing to get all hot and bothered about. But when a recent newspaper article reported that the NSA had tapped the connections between Amalgam’s data centers and intercepted data, Amalgam was outraged.

You should be outraged, too. Amalgam gathered up emails from both its own users and users of other email services, it then combined that information with personal information from its other services, as well as information from other data miners, and created profiles of millions of people. It then used that information to sell advertising space on those people’s screens, making billions of dollars. And it did so in violation of its promises not to do so. My clients neither consented to, nor had a reasonable expectation of, this outrageous conduct. You must find against Amalgam, and in favor of my clients. Thank you.

Simon Goodfellow

The author is an associate in the business litigation group of Bartko Zankel Bunzel & Miller, San Francisco.