CNN: Attorney General Eric H. Holder Jr. on February 24 joined the group of administration officials calling on Congress to create a federal law requiring companies to report data breaches that affect consumer information. Such a law would help the Justice Department pursue cybercrime investigations, Holder said in a video address. He used the recent data breach at Target, which may have compromised the records of up to 70 million customers, as an example of why such a law is necessary. “As we’ve seen — especially in recent years — these crimes are becoming all too common,” Holder said. “And they have the potential to impact millions of Americans every year.”
One of the most interesting and important developments in retail privacy cases is a recent unpublished decision, Capp v. Nordstrom. The Court in Capp interprets the California Song-Beverly Act’s application to email addresses. Nordstrom requested an email address from its customer in order to send an electronic version of the customer’s receipt. The Court, in a matter of first impression, found the email address constituted “PII” [Personal Identification Information] as defined in the Credit Card Act at Cal. Civ. Code section 1747.08(b). The broader potential implication of Capp is that the Court did not find that the exception for “special purpose” applied. This exception allows the collection of PII “for a special purpose incidental but related to the individual credit card transaction, including, but not limited to, information related to shipping, delivery, servicing, or installation of the purchased merchandise, or for special orders.” The rationale in the Nordstrom case was that even where retailers obtain and use PII for a special purpose, that does not then allow the retailer to use the information for all purposes. This issue is going to be hotly contested in California and other jurisdictions with similar exceptions and may implicate the use of loyalty programs. How courts determine this issue will likely turn on what the program agreements provide in terms of how the information will be used, an issue not previously dealt with in any of the current case authority.
There is some practical, if limited, guidance provided in the opinion on the importance of when retailers ask for PII at the point of sale. While the Court rejects Nordstrom’s argument that the federal CAN-SPAM Act pre-empts the Song-Beverly Act from governing email, the court suggests that if the information [here the customer's E-mail] is requested after the transaction is complete, it would comply with the Song-Beverly Act and could also comply with the federal CAN-SPAM objectives. This provides support for the position that the temporal aspect of the request is key. Thus, if the transaction is over and a retailer obtains a customer’s PII and an agreement from the customer about future uses, the retailer can comply with the Act.
This case adds to the issues for retailers regarding point of sale requests for information and the use of email even for special purposes such as giving receipts. The case signifies a trend where courts are likely to expand the definition of PII to include any type of information that can link to a customer’s identity for use in marketing or other data mining.
On remand from the Illinois Supreme Court’s holding that TCPA damages were not punitive and thus were insurable as a matter of public policy, Standard Mut. Ins. Co. v. Lay, 989 N.E.2d 591 (Ill. 2013), the intermediate Illinois appellate court determined that several policies, including a general commercial liability policy, covered the $1.7 million TCPA settlement. 2014 IL App (4th) 110557-B. In so ruling, the appellate court determined that TCPA damages qualified as “injury to tangible property,” and did not fall within the intentional acts exclusion because the insured was at most negligent in violating the TCPA because it believed it had authorization to send the faxes at issue. The Court also determined that TCPA claims fell within the advertising injury provision of the policy. Finally, the court held that where a Peppers conflict situation arose that prevented an insurer from controlling the defense, the insurer also lost the right to require permission for a settlement of the defense, and because the insurer could not show it was prejudiced by the settlement, it could not avoid its indemnification obligation on that basis.
While this decision should not impact policies that have express TCPA exclusions, it does signal that Illinois courts are likely to find coverage for TCPA claims absent such an express exclusion.
On January 16, 2014, the English High Court of Justice issued reasons in Vidal-Hall v. Google Inc. relating to an appeal of a Master’s decision to allow Google to be served outside of the jurisdiction in relation to claims brought in connection with tracking and collating information relating to the claimants’ internet usage through the claimants’ Apple Safari internet browser.
Importantly for the UK, the High Court explicitly recognized the tort of misuse of private information (at para. 70).
Perhaps more far-reaching, at least from the perspective of the ongoing debate in Canada and elsewhere concerning the boundaries of what is “personal information”, the High Court addressed the argument that the information generated by the claimants’ searches and used in interest-based advertising was not really personal information.
Spoiler alert. The court followed logic similar to that of the Office of the Privacy Commissioner of Canada in its online behavioural advertising guidance. The High Court held:
Was the information private?
 Mr White submits that the Browser-Generated Information was not private. It is anonymous. The aggregation of such information sent to separate websites and advertising services cannot make it private information. One hundred times zero is zero, so one hundred pieces of non-private information cannot become private information when collected together.
 I find this a surprising submission to be made on behalf of Google Inc. It would not collect and collate the information unless doing so enabled it to produce something of value. The value it produces is the facility for targeted advertising of which the Claimants complain, and which yields the spectacular revenues for which Google Inc is famous.
 The fact, if it be a fact, that Google Inc personnel do not themselves identify any of those from whom they collect the Browser-Generated Information is irrelevant. The point is whether any Claimant is identifiable. Moreover, that is to focus attention on the transfer of information from the user to Google Inc, whereas the complaint of the Claimants does not stop at that point: indeed the essence of the Claimants’ complaint is the damage suffered by the sending back to their screens of information in the form of targeted advertisements generated from the Browser-Generated Information. At the point at which the advertisement is visible on a user’s screen, the user is likely to be identifiable to a third party viewer.
 Not all the information that can be deduced or inferred by a person viewing a screen which shows targeted advertisements will be private information. Far from it. For example, if lawyers’ screens might show advertisements from which it could be inferred that they were lawyers, then that would, in most circumstances, not disclose information that was private (although it might be personal). But what is specific about the complaints in this case is that the information that was, or may have been, apparent from the screens was, on particular occasions, private information. The particular types of information specified in each of the Confidential Schedules is information for which each Claimant has a sufficiently strong case that that information was private.
 These are not generic complaints. They are complaints about particular information about particular individuals, displayed on particular occasions (even though the precise dates and times of the occasions are not identified).
 In my judgment the Claimants have a sufficiently good case on this point that it would be wrong to set aside the Master’s order in relation to the claims for misuse of private information.
As was widely reported, on January 15, 2013, the Office of the Privacy Commissioner of Canada (OPC) issued a Report of Findings regarding interest-based advertising or online behavioural advertising through Google’s AdSense service.
Reports of the case frequently suggested that the Canadian law does not permit the use of “health information” for interest-based advertisements. This is debatable but, in any event, that wasn’t really what the case was about. The issue appears to have been whether Google exercised sufficient due diligence in monitoring its customers.
What the complaint was about
According to the Report of Findings, the complainant searched for a particular type of medical device for sleep apnea. Importantly, the complainant was signed into his Google account when he made those searches. Subsequently, the complainant began to see targeted advertising on other sites relating to his searches.
Google participates in the AdChoices program, and advertisements often include the AdChoices icon indicating that the page involves interest-based advertising or OBA. By clicking on the icon, users can opt out of interest-based advertising.
Although the complainant browsed while signed into his Google account (and appears not to have opted out), the complainant argued, according to the Report of Findings, that “he did not provide Google with consent to display his personal medical information in browsers.”
Contextual advertisements versus OBA
Previously, the OPC has distinguished between contextual advertising, which is advertising based on the content of a page, and interest-based or online behavioural advertising (OBA), which is based on “tracking” user interests across websites.
Initially, Google disputed that the advertising was OBA and maintained instead that it was based on recent or related page content that, according to the Report of Findings, “appeared out of context to the user”. However, subsequently Google appears to have conceded that the advertisements were placed as a result of a Google customer’s AdWords remarketing program.
The AdWords remarketing program allows Google customers to install code on their websites provided by Google. This code installs a cookie ID in the user’s web browser unless the user has opted out of interest-based advertising or OBA. The Google customer can then design an advertising campaign that the user will see on other webpages that use Google’s advertising products. This is interest-based advertising or OBA.
“[w]e use information collected from cookies and other technologies, like pixel tags, to improve your user experience and the overall quality of our services […] When showing you tailored ads, we will not associate a cookie or anonymous identifier with sensitive categories, such as those based on race, religion, sexual orientation or health”
Although Google requires advertisers to agree to specific policies that prohibit OBA based on “health or medical information”, the customers could use the products in violation of these policies since the customer is in control.
But is health information really off-limits?
The OPC (perhaps incorrectly) equated implied consent with “opt-out” consent. Leaving aside that debate, it appears that the OPC is reinforcing previous guidance that express consent should be used when conducting interest-based advertising using sensitive information.
Principle 4.3.6 of the Personal Information Protection and Electronic Documents Act (PIPEDA) states:
The way in which an organization seeks consent may vary, depending on the circumstances and the type of information collected. An organization should generally seek express consent when the information is likely to be considered sensitive. Implied consent would generally be appropriate when the information is less sensitive. Consent can also be given by an authorized representative (such as a legal guardian or a person having power of attorney).
Importantly, however, subsection 5(2) of PIPEDA states that “[t]he word “should” […] indicates a recommendation and does not impose an obligation.” Whether a court would agree that express consent is always required even if the AdChoices program is prominently used (and the website Privacy Notice is clear) is open for debate.
What does the future hold in this case
To remedy this situation, Google undertook initiatives to:
- reject remarketing campaigns involving the sleep apnea treatment devices;
- clarify its policies to advertisers;
- develop new training for internal teams;
- increase monitoring of advertisers’ remarketing campaigns;
- upgrade automated screening systems;
The bottom line is that the practice of Google’s customers did not comply with Google’s policies and the OPC was not satisfied with Google’s due diligence in enforcing its policies. Whether health information is always off limits to interest-based advertising is not at all clear. The OPC suggests it is absent express consent; however, whether this view will ultimately prevail on the current wording of PIPEDA is uncertain, particularly if an organization prominently draws its practices to the attention of the consumer and provides an immediate opt-out mechanism. On the other hand, this may be one of those uses of personal information that simply fails the test of reasonableness under subsection 5(3) of PIPEDA.