December 15, 2018

What are the Constitutional Limits on Online Tracking Regulations?

As the conceptual contours of Do Not Track are being worked out, an interesting question to consider is whether such a regulation—if promulgated—would survive a First Amendment challenge. Could Do Not Track be an unconstitutional restriction on the commercial speech of online tracking entities? The answer would of course depend on what restrictions a potential regulation would specify. However, it may also depend heavily on the outcome of a case currently in front of the Supreme Court—Sorrell v. IMS Health Inc.—that challenges the constitutionality of a Vermont medical privacy law.

The privacy law at issue would restrict pharmacies from selling prescription drug records to data mining companies for marketing purposes without the prescribing doctor’s consent. These drug records each contain extensive details about the doctor-patient relationship, including “the prescriber’s name and address, the name, dosage and quantity of the drug, the date and place the prescription is filled and the patient’s age and gender.” A doctor’s prescription record can be tracked very accurately over time, and while patient names are redacted, each patient is assigned a unique identifier so their prescription histories may also be tracked. Pharmacies have been selling these records to commercial data miners, who in turn aggregate the data and sell compilations to pharmaceutical companies, who then engage in direct marketing back to individual doctors using a practice known as “detailing.” Sound familiar yet? It’s essentially brick-and-mortar behavioral advertising, and a Do Not Track choice mechanism, for prescription drugs.

The Second Circuit recently struck down the Vermont law on First Amendment grounds, ruling first that the law is a regulation of commercial speech and second that the law’s restrictions fall on the wrong side of the Central Hudson test—the four-step analysis used to determine the constitutionality of commercial speech restrictions. This ruling clashes explicitly with two previous decisions in the First Circuit, in Ayotte and Mills, which deemed that similar medical privacy laws in Maine and New Hampshire were constitutional. As such, the Supreme Court decided in January to take the case and resolve the disagreement, and the oral argument is set for April 26th.

I’m not a lawyer, but it seems like the outcome of Sorrell could have a wide-ranging impact on current and future information privacy laws, including possible Do Not Track regulations. Indeed, the petitioners recognize the potentially broad implications of their case. From the petition:

“Information technology has created new and unprecedented opportunities for data mining companies to obtain, monitor, transfer, and use personal information. Indeed, one of the defining traits of the so-called “Information Age” is this ability to amass information about individuals. Computers have made the flow of data concerning everything from personal purchasing habits to real estate records easier to collect than ever before.”

One central question in the case is whether a restriction on access to these data for marketing purposes is a restriction on legitimate commercial speech. The Second Circuit believes it is, reasoning that even “dry information” sold for profit—and already in the hands of a private actor—is entitled to First Amendment protection. In contrast, the First Circuit in Ayotte posited that the information being exchanged has “itself become a commodity,” not unlike beef jerky, so such restrictions are only a limitation on commercial conduct—not speech—and therefore do not implicate any First Amendment concerns.

A major factual difference here, as compared to online privacy and tracking, is that pharmacies are required by many state and federal laws to collect and maintain prescription drug records, so there may be more compelling reasons for the state to restrict access to this information.

In the case of online privacy, it could be argued that Internet users are voluntarily supplying information to the tracking servers, even though many users probably don’t intend to do this, nor do they expect that this is occurring. Judge Livingston, in her circuit dissent in Sorrell, notes that different considerations apply where the government is “prohibiting a speaker from conveying information that the speaker already possesses,” distinguishing that from situations where the government restricts access to the information itself. In applying this to online communications, at what point does the server “possess” the user’s data—when the packets are received and are sitting in a buffer or when the packets are re-assembled and the data permanently stored? Is there a constitutional difference between restrictions on collection versus restrictions on use? The Supreme Court in 1965 in Zemel v. Rusk stated that “the right to speak and publish does not carry with it the unrestrained right to gather information.” To what extent does this apply to government restrictions of online tracking?

The constitutionality of state and federal information privacy laws has historically and consistently been called into question, and things would be no different if—and it’s a big if—Congress grants the FTC authority over online tracking. When considering technical standards and what “tracking” means, it’s worth keeping in mind the possible constitutional challenges insofar as state action may be involved, as some desirable options to curb online tracking may only be possible within a voluntary or self-regulatory framework. Where that line is drawn will depend on how the Supreme Court comes down in Sorrell and how broadly they decide the case.

Comments

  1. Harry Johnston says:

    If I understand what you are saying, prohibiting the collection of data is distinct from prohibiting the dissemination of data that has been collected.

    Suppose, then, that the law were rewritten to prohibit pharmacies from collecting the data for a given patient unless they either (a) obtain written consent from the patient to disseminate the data; or (b) have an agreement with the patient that they will not disseminate the data.

    Since they have to collect the data, they would have to either obtain consent or agree not to disseminate it (the only other option being to refuse service) so the effect should be the same.

  2. PrometheeFeu says:

    This is interesting because the pharmacy case is effectively one of determining the default.

    Without the law in place, I (let’s pretend I’m a doctor) can go to the pharmacy and have them sign a contract agreeing not to use this information in that way. If I don’t explicitly make that choice, they are allowed to sell the data.

    With the law in place, the pharmacy can come to me and have me agree to let them use the data. If they don’t explicitly make that choice they are not allowed to sell the data.

    Theoretically, the two situations are equivalent. In both cases, doctors can take the stance that they will or will not allow that data to be used and the pharmacy can agree or disagree to do business with your patients under the condition. But, which case is the default matters immensely.

    Having some security expertise, I would say that this is a good place to apply the concept of sensible defaults. The sensible default is to prevent information from leaking and to then allow its release selectively. This is why I would personally favor that law.

    • Anonymous says:

      Wait — the patient may be refused service at some pharmacies depending on who the doctor is? That doesn’t seem right. The patient should not be caught in the middle like that — unless of course the patient is made the one who can veto the data release, not the doctor.

      The original article says patient names are replaced with “opaque” IDs, but we’ve seen repeatedly that that kind of data can often be de-anonymized.

  3. David Robarts says:

    If the law requires compliance with a Do Not Track header – then the site operator can respond appropriately for their policies. They could either choose to serve the visitor, or inform the visitor that their terms of service do not allow the visitor to use their site if tracking privilege is denied. Although an argument can be made for “free speech” of data already collected, we can at least prevent further erosion of privacy.

    • Anonymous says:

      We cannot allow websites to discriminate against users who set “do not track” on. Otherwise, they will all refuse service to users that turn on “do not track”, all users will turn off “do not track” so as not to be hitting roadblocks everywhere, and “do not track” will be completely worthless.

      I suggest instead a mechanism like this:

      1. There is a “do not track oracle”.

      2. Websites that want to do tracking are required to submit collected data to this oracle, along with all the user’s headers, and not retain any of it.

      3. If the user is “do not track” the oracle will discard this data. Otherwise it sends it back after a lengthy delay — on the order of hours.

      4. Sites are allowed to retain, use, and exchange the data thus returned.

      5. Sites are checked for compliance in some manner. (This is required for the original proposal, too.)

      This prevents most sites from discriminating effectively. They can’t tell whether a particular user was “do not track” until, in most cases, the user has conducted their business and moved on. They could punish the same user returning at a later date, but that would only apply to sites with user accounts.
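
The oracle steps proposed in the comment above, modelled in Python as an added example (not part of the original comment or of any Do Not Track specification). The class and function names, the four-hour delay and the sample records are assumptions; only the `DNT: 1` request header is an existing mechanism.

```python
from collections import defaultdict

# "On the order of hours" in the proposal; four hours is an assumed value.
RELEASE_DELAY = 4 * 3600  # seconds


def wants_no_tracking(headers):
    """True if the forwarded request headers carry DNT: 1 (names are case-insensitive)."""
    return any(k.lower() == "dnt" and v.strip() == "1" for k, v in headers.items())


class DoNotTrackOracle:
    """Hypothetical oracle: holds submitted records and releases them only after a delay."""

    def __init__(self, delay=RELEASE_DELAY):
        self.delay = delay
        self._pending = defaultdict(list)  # site -> [(release_time, record)]

    def submit(self, site, headers, record, now):
        # Steps 2-3: the site forwards the record with the user's headers.
        # Opted-out records are dropped here and never stored.
        if not wants_no_tracking(headers):
            self._pending[site].append((now + self.delay, record))
        # The acknowledgement is identical in both cases, so the reply
        # itself says nothing about the user's preference.
        return "accepted"

    def collect(self, site, now):
        # Step 4: hand back only records whose delay has elapsed.
        queue = self._pending[site]
        due = [rec for t, rec in queue if t <= now]
        self._pending[site] = [(t, rec) for t, rec in queue if t > now]
        return due


def demo():
    oracle = DoNotTrackOracle()
    # Constructed sample submissions, all made at t=0.
    oracle.submit("shop.example", {"DNT": "1"}, {"visitor": "a", "page": "/cart"}, now=0)
    oracle.submit("shop.example", {"dnt": "0"}, {"visitor": "b", "page": "/home"}, now=0)
    oracle.submit("shop.example", {"User-Agent": "x"}, {"visitor": "c", "page": "/faq"}, now=0)
    early = oracle.collect("shop.example", now=3600)          # one hour in
    late = oracle.collect("shop.example", now=RELEASE_DELAY)  # delay elapsed
    return early, late
```

The sketch covers only the oracle's side; whether a site discards its own copy of the data is the compliance question of step 5 and cannot be enforced by this code.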

  4. David Robarts says:

    Instead of prohibiting pharmacies from sharing the information without permission, the law could provide an opt-out system for sharing the information. Simply adding a little fine print to the prescription pad should be adequate to bind the pharmacy without enabling a “free speech” argument.