Eric Goldman is a professor at Santa Clara University School of Law, where he is also director of the school’s High Tech Law Institute. His research and teaching focus on Internet law, intellectual property and marketing law.
Q: What first drew you into this area of law?
A: I’ve been doing Internet law since the mid-1990s, and I’ve been teaching Internet law since about that time. Privacy has always been one of the topics in the Internet law course and the Internet law practice, and I come at privacy from being an Internet law generalist.
Q: The intersection of Internet law and consumerism and technology — it’s really wide in scope — what does that practice encompass now, what is involved in this arena of consumers and technology?
A: There are a couple different ways lawyers practice Internet privacy. One is in a compliance function, where companies who want to do things need to understand the legal regime that applies to those activities. The other main area is in litigation. We see an enormous amount of Internet privacy litigation. It’s a great opportunity for both plaintiffs lawyers and defense lawyers.
Q: What are the most prevalent claims you see by consumers against companies?
A: It’s a little hard to describe it that way because often consumers are represented by class action lawyers, who are often the principal movers in the litigation. It’s a little hard to talk about what consumers focus on because their class action lawyers act as proxies, and the class action lawyers may or may not be on the same wavelength as the consumers.
A typical Internet privacy class action will raise a dozen or more different legal doctrines. It’s a little bit of a "throw everything against the kitchen wall and see what sticks" type of approach. We see a lot of Electronic Communications Privacy Act claims, and we see a garden variety of state law claims; we often see breach of contract or promise claims, and then we also see the general catchall consumer protection laws (such as here in California Business & Professional Code §17200, false advertising law and competition claims).
Q: How have these consumer lawsuits fared?
A: Not well. From the plaintiffs side, most of the lawsuits have been tossed at the early stages of litigation, either on standing grounds or on other substantive grounds. A few have reached a settlement and in those cases the lawyers have probably gotten some pretty good bucks. Very few of them have had success on the merits in court. That’s kind of true generally of class action litigation, but certainly it’s been true in the Internet privacy arena. We see very few final judgments and fewer successes.
Q: Do you have an idea as to why?
A: There are a couple of reasons why Internet privacy class actions generally fail. First is that there’s really not a problem for consumers; instead, the lawyers are just looking for a little extra cash. The second is that the laws are continually evolving and technology in some cases doesn’t neatly fit within the existing legal forms, so in many cases the lawyers are trying to stretch the law that was written for some different problem to try to address what they think is a new problem.
Q: With regard to consumers’ view of technology laws, do you feel they view those laws as more protective than they really are?
A: I think most consumers don’t have a good sense of what privacy laws cover, so it’s difficult to then measure whether the laws are actually accomplishing their goals or not. To the extent consumers understand privacy — and I think that’s rare — their understandings are being constantly put under pressure by evolving technology. Every day, Facebook does something different. Consumers can’t keep up with that. So they don’t know what to expect because the technology is changing along with the laws. I think consumers generally think they have more privacy rights than they do. Their usual reaction to some problem is, "there must have been a law designed to protect me." But usually that’s a knee-jerk reaction.
Q: Is that reflected in the way companies understand the views of consumers? Do they tend to follow the letter of the law or be more proactive and comply with consumers’ expectations of what they should be doing?
A: There’s the good actors and the bad actors. Characterizing them may not be easy. There are scammers who are just looking to make some quick bucks, and they don’t care about their brand, they just want to run a scam. Let’s put those people aside, they’re not the kind of people you’re talking about. The FTC and consumer protection agencies routinely crack down on the scammers, and we need them drummed out of the marketplace. They are people taking advantage of consumers.
But let’s talk about the companies that do care about their brand. They are trying to build a relationship with consumers. And those companies are trying to do the right thing. Understanding what the right thing is may not be so easy, but for the companies that care about their brand, their efforts to gather, collate and process consumer data are all in an attempt to serve the consumer by trying to deliver better goods or services to consumers than they were able to do in the past. My starting point is that branded companies do care about consumers. Consumers may not be happy with the choices they make, but these companies’ hearts are in the right places.
Q: What changes would you like to see in the current state of Internet technology, privacy law as far as it affects consumers and the way they do business in the Internet marketplace?
A: There are a couple of changes I would like to see from a legal standpoint. First, I would like to put a moratorium on any new privacy laws. I’d just like to take a little legislative siesta. The worst legislative developments come from panic-driven, emotional responses — usually in the privacy arena under the broad heading of "creepiness." Someone says, "I’m creeped out about something I’ve experienced online, so let’s go ban it." These are almost never useful legislative efforts. So my starting point is I’d like to take a break, take a little breather. Let’s not think of legislation as the only solution to the problem.
I think it would be great to create some more safe harbors or immunities that would allow companies to understand that if they comply with certain minimum standards, the class action lawyers will have to stand in abeyance. Right now, if an Internet company makes a mistake, even a bona fide mistake, it is going to get gang-tackled by the class action lawyers. And that process doesn’t add any value to anybody. Everybody knows they made a mistake. The marketplace tells them they made a mistake. Yet, the lawyers are still going to be fighting for years trying to put some cash into their pockets from that mistake. It would be great if we could find a way to suppress that. It’s not helping anybody, other than the class action lawyers.
The third thing is that, if we were to feel that we needed to make more laws to protect consumer privacy, we should focus much more on what the government is doing. I find that all of the concern about the private actors is misdirected. The real enemy is the government, and the fact that we tolerate the extreme abuse of our privacy by the government while we get all up in arms over the innocuous, small mistakes by Internet companies is just baffling to me. We are kind of missing the forest for the trees there. Internet companies make mistakes; they shouldn’t do that; we should be discouraging them. But the government isn’t making mistakes, they are building an entire infrastructure to invade our privacy constantly and we just seem to take it.
Q: As Internet companies receive more and more private information what do you see as some challenges these companies are facing in terms of compliance with the current laws and regulations?
A: Right now, there’s a race among some of the leading branded Internet companies to build the richest consumer databases. Facebook has a very special database of relationships between people that they can use to create their recently announced Graph Search. Google has some pretty neat databases as well of information other companies wish they could have. And then there’s a bunch of intermediaries and brokers who are gathering data and providing data in various ways to companies who are trying to bridge the gap. These other companies may not have the same depth of data that Facebook or Google has and they are trying to catch up. Amazon is another company that has built a very interesting, unusual database its competitors envy.
There’s a race between big branded companies trying to aggregate the killer database of consumer information. And the legal regulation of those databases … there’s not a lot of restrictions on the ability of these big branded companies to build those databases and use them for their benefit. We sometimes talk about first-party versus third-party data collection, and companies who are collecting data for their own usage are in the first-party category and are usually subject to much lighter regulations. The general approach is to tell consumers what you’re doing, and you’re good to go. The regulation doesn’t really restrict their ability to aggregate the databases.
Once first-party data collectors have their databases, there are some concerns about things like data breaches. There are laws that govern data breaches. Companies are well aware of those laws, and they spend a lot of money to try to comply with them. Big branded companies like Google, Facebook and Amazon have security teams who do nothing but think how they can suppress threats to try to get at this treasure trove of data they’ve aggregated.
Q: What is your take on the government’s involvement in pursuing claims against Internet companies?
A: We’ve already discussed the risk that the class action bar poses to the Internet community. The government is another category of plaintiffs. There are different government enforcers: federal, state and even local enforcement. There’s different agencies within each of those categories. At the federal level, the FTC is usually the lead actor, but other agencies could have authority. We’ve seen it on the financial side: The emergence of the new Consumer Financial Protection Bureau is actively involved in the financial privacy enforcement as well.
A long list of other government agencies are all watching the Internet as well. I think the most interesting has been the California attorney general’s office creating a special enforcement agency for privacy. From my perspective, that’s squarely targeted at Silicon Valley. They’ve designed a bunch of government litigators to think about privacy in California; where are they going to go? Whom are they going to pursue? Turns out they are going to deal with the Internet companies here. It remains to be seen how many companies are going to have to tangle with the state AG, or how many companies end up tangling with the FTC. At the end, it’s limited by prosecutorial discretion and resources.
The FTC has been making a concerted effort to lock down Internet companies. The way I joke about it is: "They drive up and down the 101 and say, ‘Have we busted them yet?’" They are locking up companies up and down the 101 to very long-term oversight arrangements with the FTC. They can’t chase everybody; the FTC has to rely on some persuasive power of their enforcement, some deterrent effect; and that’s going to be true with every government agency. The government enforcement efforts sit parallel with the class actions. They complement each other, sometimes. Still, in the end, both government enforcement and private enforcement aren’t complete. There will always be companies that somehow fall through the cracks.
Q: What do you see as the next big thing in Internet privacy law?
A: I think the biggest future development relates to the fact that at some point we’ve crossed an invisible line, where so much data is in the hands of private actors that any model contemplating that consumers could manage their own privacy is gone. Amazon has its super-complete database of consumers; and Google has its super-complete database of consumers; and Facebook has its super-complete database. They are all competing with each other to try to deliver better goods and services to consumers. At that point, the idea of trying to suppress information to keep it out of the hands of big branded companies doesn’t really work. They already have everything they need to do some very powerful things. I’m hoping we’ll come to the realization that in the end it’s a win for us as a society, not a loss. We’ll recognize that these companies are trying to do the right thing; they are trying to make our lives better. And they’ve got now enough data to do some things no one ever contemplated we could do before. That’s why I think Facebook’s Graph Search is so interesting. It’s a whole new way of sorting data we never had before. And we’re going to see new development and launching of new tools and new services for consumers that are based on the aggregation of data we never could have contemplated before. In the end, I think that’s a big win for us. The question is whether we’ll be able to embrace that emerging reality, or if we’ll let regulators run roughshod over it.