The good folks at EPIC.org write:
In a surprisingly brief opinion, the Ninth Circuit has upheld a decision to dismiss a privacy suit against Facebook concerning the collection of sensitive medical data. In Smith v. Facebook, users alleged that the company tracked their visits to healthcare websites, in violation of the websites’ explicit privacy policies. In a little less than five pages, the Ninth Circuit decided that Facebook was not bound by the promises made not to disclose users’ data to Facebook because Facebook has a provision, buried deep in its own policy, that allows Facebook to secretly collect such data. The court actually wrote that searches for medical information are not sensitive because the “data show only that Plaintiffs searched and viewed publicly available health information…” EPIC filed an amicus brief in the case, arguing that “consent is not an acid rinse that dissolves common sense.” In 2011 Facebook settled charges with the FTC that it routinely changed the privacy settings of users to obtain sensitive personal data. The consent order resulted from detailed complaints brought by EPIC and several other consumer organizations
I hate to say it, but I do understand the court’s reasoning, at least in part. Just visiting a site about a health issue is not the same thing as going to a doctor’s office for a consultation on a disorder or diagnosis. But we also know that sometimes, these situations create significant problems when advertising relating to a sensitive issue then shows up on a shared browser. For example, if a teen browses for information on transgender issues, and then their parents later have ads pop up while they’re using the browser, the collection and use of data from public sites can cause privacy issues and concerns.
So yes, the court’s siding with Facebook is very troubling because it’s ignoring what we have learned — that buried provisions in Facebook’s terms of service are generally not read by consumers who click through “I consent.” For the court to say that hey, it’s in there and consumers consented to have their data collected by Facebook, even though they are on a web site that promises NOT to share their data with Facebook, well…. the Ninth Circuit has set consumer privacy back. As EPIC noted in their amicus brief (p. 6):
Users could point to explicit statements on the medical websites they visited which said their personal data would not be disclosed to others. Yet, Facebook pointed to language, buried deep in its privacy policy, which said that it nonetheless could collect the data, and the lower court sided with Facebook. In such a world, how can users possibly make sense of privacy statements
Although the plaintiffs didn’t prevail, do read EPIC’s amicus brief in this case as it provides a helpful discussion of the concerns.