Virtual Blinds: Finding Online Privacy in Offline Precedents

A person in a building shows a desire for privacy by pulling her blinds shut or closing her curtains. Otherwise, she cannot complain when her neighbor sees her undressing from the window, or when a policeman looks up from the street and sees her marijuana plants. In the online context, can we find an analogy to these privacy blinds? Or is the window legally bare because of the nature of the Internet? This Article argues that by analyzing the privacy given to communications in the offline context, and in particular, by analyzing case law recognizing privacy in an otherwise public place when the individual engages in affirmative efforts to ensure her privacy, the law can find a sensible foundation for recognizing privacy online. This Article proposes a framework that incorporates the following factors in the reasonable expectations of privacy context. First is the existence of a user agreement or employer policy governing the use of the specific communication mechanism or providing for monitoring of that use. Second is the extent to which third parties have access to or protect the communications. Third is the notice given to the user of the user agreement, employer policy, or practice of giving access to or protection from third parties. Finally, the fourth factor is the availability and use of privacy-enhancing controls which increase the likelihood of the communication being protected from disclosure to people other than the chosen recipient(s), including but not limited to (a) passwords, (b) encryption technology, (c) network configuration, and (d) privacy settings limiting disclosure to certain people. Courts can adapt this test to a civil tort or Fourth Amendment context, to employment and non-employment cases, and to statutory privacy claims. It is a logical evolution from the practical factors that courts have looked at in offline cases--like closing doors and securing lockers--and it is consistent with the growing weight of authority that finds a reasonable expectation of privacy in online communications where the Internet user avails herself of privacy-ensuring measures

Online Privacy Policies: Contracting Away Control Over Personal Information?

Individuals disclose personal information to websites in the course of everyday transactions. The treatment of that personal information is of great importance, as highlighted by the recent spate of data breaches and the surge in identity theft. When websites share such personal information with third parties, the threat of its use for illegal purposes increases. The current law allows website companies to protect themselves from liability for sharing or selling visitors’ personal information to third parties by focusing on disclosures in privacy policies, not on substantive treatment of personal information. Because of the low likelihood that a visitor will read or understand that policy, websites have an incentive to protect themselves by allowing for a broad use of the visitor’s personal information. In turn, websites word those policies as contractual commitments, purportedly binding visitors to their terms, which often include forum selection provisions as well as privacy terms. In light of these two factors – little substantive protection, and privacy provisions that allow for broad use of personal information – such visitors may well find themselves in the position of challenging the enforceability of the privacy policy. I argue that the policies are challengeable primarily on lack of assent and unconscionability grounds