14

Service providers like Google and Facebook are pretty much part of people's lives.

Like how the law has provisions for 'well known brands' (e.g. generic trademarks and common carriers), does the law have provisions for 'well known service providers' when it comes to privacy terms?

What is the point of privacy laws if a dominant service provider like Google/Facebook can simply deny service if one does not want to accept its data collection policy? They can also change their policy from time to time.

This question is general, I do not want to restrict this to any jurisdiction. But if a jurisdiction is asked, can the answer be confined to the EU? Data protection laws are most stringent there.

sjy
user1034912
  • 10
    I don't see why Google cannot deny you the use of their service for any reason they see fit. You have no right to use the IP of any company. – Neil Meyer Sep 27 '21 at 17:49
  • 4
    @NeilMeyer - in Europe this would be strictly illegal. – Davor Sep 27 '21 at 19:08
  • 12
    "Service providers like Google and Facebook are pretty much part of people's lives." there's the flaw in your logic right there. You are reasoning that once a service crosses a threshold of popularity, this results in a "loss of rights" - or what we call a "taking" a-la eminent domain. There is no such threshold, and such a "taking" would be problematic. – Harper - Reinstate Monica Sep 27 '21 at 21:12
  • What about trademarks? Different laws apply to popular brands... they are able to distinguish that. – user1034912 Sep 27 '21 at 22:16
  • 4
    @JörgWMittag no they don't. A "generic trademark" is one that has "lost its power" by falling into general use, diminishing or completely destroying the owner's ability to sue for infringement. – hobbs Sep 27 '21 at 23:06
  • 12
    Do you actually want to live in a world where Facebook is considered as essential to life as heat and water? – hobbs Sep 28 '21 at 02:02
  • @hobbs please elaborate on what the downsides would be. Do you foresee water being cut off so that Facebook service may continue? – user253751 Sep 28 '21 at 10:22
  • 3
    @Harper-ReinstateMonica : that's not that simple. It's a hot debate whether such service providers should be considered "common carriers", and social media is too new and is therefore in a sort of grey zone legally, they enjoy the benefits of both acting like and not acting like a common carrier. For your understanding, would you like if your water and electricity was cut due to your political views? They are not allowed to do that, because it would be illegal. It has nothing to do with trademarks, it's all to do with being or not being a "common carrier". – vsz Sep 28 '21 at 18:15
  • @hobbs So-called "famous marks" get additional protection under US trademark law. In particular, their rights extend more broadly than their registered category. – David Siegel Sep 28 '21 at 19:21
  • @vsz The "social media is too new to regulate" viewpoint is what takes that logic off the rails. You know that sea of XFinity and UVerse postcards all Americans get in gross excess? We used to be equally carpet-bombed with AOL diskettes and CDs. And we had the same monopoly conversation then, and it went nowhere then because nothing really made AOL a monopoly except popularity. The Music City Star train is a common carrier, and most Nashville residents don't even know that's a thing. – Harper - Reinstate Monica Sep 28 '21 at 20:28
  • 2
    @user253751 the downside is that such a gross display of stupidity would drive me to suicide. – hobbs Sep 28 '21 at 23:09
  • 1
    @user253751 ... and the fact that many humans apparently are already that stupid doesn't make it a sensible lifestyle choice! (Full disclosure, I don't have a FB account, and have no intention of ever creating one). – alephzero Sep 29 '21 at 01:04
  • A technique I've often seen used is to put multiple checkboxes saying "I agree ..." in a block during sign-up, some of which must be ticked, and others being optional. The service providers seem to rely on a combination of laziness and user confusion (some tick "I agree" to everything without reading anything, others don't realise that the privacy consent is truly optional, and that the button to proceed to next step becomes enabled after ticking only the required agreements). Some even nag you to enable data sharing to avoid generic ads but let you proceed if you still say no thanks. – Steve Sep 29 '21 at 06:57
  • 2
    @NeilMeyer "I don't see why Google cannot deny you the use of their service for any reason they see fit." - presumably you can see why they can't deny the use of the service for the reason that you are of a particular race? Once you accept that premise, then you can generalise and accept that a provider can't refuse service where the law says they can't. In that context it is valid to ask whether in scenario X there exists such a law (which essentially is what the OP is asking). – JBentley Sep 29 '21 at 11:51
  • 2
    @Harper-ReinstateMonica Google and Facebook collect your data even if you don't use their services. You just have to use the internet and sooner or later some website will save a tracking cookie from Google or Facebook on your computer. So indeed, they are ubiquitous, inescapable. – henning Sep 29 '21 at 12:45
  • @henning I would consider THAT a totally different issue, and one very worthy of legal attention. I give them hell with lots of cookie resets, but man, they make it hard... – Harper - Reinstate Monica Sep 29 '21 at 19:03

5 Answers

30

The point of privacy laws is to set basic standards that apply to everyone, whether or not they have a privacy policy. A privacy policy that is inconsistent with privacy laws cannot be enforced. Breaches of privacy law can be punished even if the conduct is permitted by a privacy policy.

Article 7 of the GDPR illustrates this by making special provision for the nature of "consent" to the processing of personal data. Consent must be freely given, and a "written declaration" as to consent, like the acceptance of a privacy policy, "shall not be binding" to the extent that it infringes the GDPR.

The $5 billion penalty obtained by the FTC in United States v. Facebook, Inc (19-cv-2184) demonstrates that privacy laws can have a practical impact when a service provider "subvert[s] users’ privacy choices to serve its own business interests." Facebook was penalised even though its users agreed to Facebook sharing "information about the App User and the App User’s Facebook Friends" with third-party developers.

Whether a service provider has breached privacy law is a complex, fact-specific question, but if the service is "pretty much part of people's lives," that will generally affect both the application of privacy law and the likelihood of an investigation by the regulators.

sjy
  • 2
    This makes a lot of sense now. Good you pointed out the Facebook violation. Basically the bigger they are, the harder they will be investigated on. – user1034912 Sep 27 '21 at 12:24
18

GDPR doesn't generally expect “agreement”, so it's not necessary to prevent access by people who don't “agree”. A privacy policy is not a contract, but a unilateral notice about how personal data will be processed. This processing is either legal, or it is not. The GDPR contains various conditions and parameters that determine what is legal. In particular, every processing of personal data needs a clear purpose that is covered by a legal basis. Legal bases can include legal obligations, contracts with the data subject, but also consent (opt-in) or a legitimate interest (balancing test with opt-out).

Large service providers like Google or Facebook have the legal resources to defend themselves, and have a lot to gain from more flexible interpretations of data protection law. So they often end up doing stuff that's not entirely legal.

For example, Facebook is arguing that they're not processing personal data for advertising purposes because they want to – they argued that they have a contract with the user, and they have an obligation under this contract to show ads. So it's really the user's fault, and Facebook is just carrying out the user's wishes. If that is the case, then Facebook would not need consent. It is not yet clear whether this is legal (noyb is currently litigating this “consent bypass” technique).

My assumption is that Facebook's standpoint won't prevail: while parties are generally free to enter whatever contract they like, pre-formulated contracts / contracts of adhesion are generally subject to additional regulation and can't sneak in surprising extra terms. A pre-formulated contract about providing a social media or messaging platform cannot contain non-necessary terms about data use. Instead, consent would be a more appropriate legal basis.

And at least under the GDPR, consent is subject to substantial conditions. Consent must be specific, informed, and freely given. Access to a service cannot generally be made conditional on unrelated consent, since this would make it impossible for a user to freely decide (Art 7 GDPR). (However, it might be OK to give the user a choice between consent and a reasonable payment.) GDPR consent must involve an unambiguous action, and cannot be implied by an unspecific action like “by continuing to use this site, you agree …” or by checking a button “I have read and understood the privacy policy”. If consent was obtained in an invalid manner (such as by pressuring the data subject, or making it impossible to decline), then data processing activity that was covered by the consent legal basis is illegal, risking fines under the GDPR.

phoog
amon
  • 1
    Again, think it's important to note that Facebook/Google et al. have an "opt out of targeted ads" button - this means that they'll stop using your data for advertising. There's been a lot of arguing about how prominent this button has to be, if it can be ticked on by default, etc., etc. The requirement to have it is as part of the "consent must be freely given" - they can't stop you from using their service if you opt out of having your data used for ads, because that would be coercion to keep allowing them to use your data – lupe Sep 27 '21 at 15:26
  • 1
    @lupe: An "opt-out" button is ticked by default. That's literally what opt-out means. An unticked-by-default button is referred to as "opt-in". The GDPR specifically requires opt-in consent. – MSalters Sep 28 '21 at 10:05
2

By using their service, you have to agree to their conditions. So yes, if you don't agree, you can't use their services. There are alternatives, although of course they may have limitations in functionality or reach (there's a reason many people think Google is the best search engine).

If you think they do more with your data than what you agreed to, you may file a complaint with the GDPR representative, but this must be very well justified. Note that the GDPR does not prevent data from being collected. It only requires companies to inform you what they do with it and why.

PMF
  • That's what I thought. All this privacy stuff seems like a sugar coat. There are always ways to take your data. – user1034912 Sep 27 '21 at 09:11
  • Wondering does this include email/SMS opt ins? Can they force us to agree (i.e. by not allowing access if I don't want to be in their mailing list)? – user1034912 Sep 27 '21 at 09:13
  • @user1034912 a serious company will always include an "unsubscribe" link in their mails. And they really work. Subscriptions without your consent (e.g. by people who just know your mail address) should not be possible. – PMF Sep 27 '21 at 11:13
  • Why should it not be possible? You mean legal wise? – user1034912 Sep 27 '21 at 12:22
  • It's not serious. Just trying to send your ads to as many people as possible discredits you as a spammer. A serious business doesn't want that. – PMF Sep 27 '21 at 13:09
  • @user1034912 - I'm not sure it's a sugar coat, GDPR is pretty powerful as a privacy tool - there's some useful things it does. To take examples from Facebook, the ability to opt out of targeted adverts is a pretty powerful feature - this amounts to a "stop processing my data for advertising" instruction. It also requires companies to seek consent to distribute your data. – lupe Sep 27 '21 at 15:24
  • @PMF it is possible, it is called spam – Neil Meyer Sep 27 '21 at 17:51
  • 2
    @user1034912 A company can "force" you to do anything to receive the product as long as it's legal, such as "forcing" to pay $5/mo. If the mailing list terms are legal, then that's fair game. An illegal example would be offering the service in exchange for, say, heroin. The website you're on right now didn't allow you to make that post until you were "forced" to make an account. – Clay07g Sep 27 '21 at 18:42
  • 5
    This is factually incorrect. GDPR literally spells out this situation and calls it illegal. You can not predicate access to your service on consent to process PII, and you cannot process PII without consent (or one of the exceptions that are not applicable here). – Davor Sep 27 '21 at 19:11
  • If you don't agree to any of the terms they provide, you can't use their service. They do have a legitimate reason to at least process some PII (such as your IP) in most cases, and some of it is usually technically required. If you don't agree to that, how can you proceed anyway? – PMF Sep 27 '21 at 19:50
  • @NeilMeyer Of course you can send out spam. Since most spammers probably never legally got your E-Mail, they're in breach of the GDPR. But if you agree to some kind of E-Mail newsletter service, that's perfectly legal. I was referring to the (cheap) websites where you can register for a newsletter by just providing a mail address, without any verification that it's actually yours. – PMF Sep 27 '21 at 19:56
  • @Davor I never knew about the legality of predicating access on consent for PII. Is that the reason why I see two check boxes nowadays? One for accepting terms, another for joining mailing list.... – user1034912 Sep 27 '21 at 22:20
  • 1
    @user1034912 - pretty much, yes. They can force you to accept terms like "I won't upload illegal content", but they can't force you to accept "I give my PII in exchange for using the service". That must be optional, and false by default. – Davor Sep 28 '21 at 08:55
  • 3
    @PMF - GDPR Article 7 (https://gdpr-info.eu/art-7-gdpr/) spells out that you can't condition the access to your service on access to PII. And you don't need to store IP addresses to process requests, and most services don't. We usually store partial IPs for logging purposes, and those are not required either. – Davor Sep 28 '21 at 09:03
  • @Davor Those IPs are mostly for analytics purposes, which can not be used to identify a person – user1034912 Sep 28 '21 at 09:19
  • 1
    @user1034912 - yes, exactly my point. Using anonymized data like partial IP or hash of an IP is fine because it doesn't identify a person. We used those to block people, for example. We don't know who the people are, or even what their IP is, we just know that if their IP hashes to XXXXXX, we should reject their requests from API. – Davor Sep 28 '21 at 09:54
  • 1
    @Davor Understood now. TQ Davor for taking your time to reply. May god bless your life. – user1034912 Sep 28 '21 at 10:04
2

A privacy policy is generally not an agreement or a contract; it is a statement of the provider's actions in connection with the acquisition and retention of personal information (PI) and other privacy issues. Various laws may require a provider to have a current and accurate privacy policy displayed, including the GDPR, the CCPA, HIPAA, and various industry-specific laws in the US.

(see also https://law.stackexchange.com/a/73222/17500)

Thus there is generally no need for a user to agree to or accept a privacy policy, as there often is to a "terms and conditions" or "end-user agreement" document.

While laws can and sometimes do treat large firms differently than small ones, I don't know of any law that makes privacy rules less strict for large firms. In fact the CCPA only applies some of its rules to services with more than a certain number of users, I think 10 million.

A service can impose privacy policies with no consent provided that they are within what the applicable law permits.

Accepting a privacy policy or a user agreement does not allow a service to impose terms or use practices forbidden by law (unless the law permits such an exception, and most do not in this area).

David Siegel
1

does the law have provisions for 'well known service providers' when it comes to privacy terms?

No, the law (generally) doesn't make a provider's rights worse when it crosses a certain size threshold. And even where those restrictions exist, they can be gamed around.

Suppose you "break up AT&T" as it were. Four brothers form corporations: Gryffindor, Hufflepuff, Ravenclaw and Slytherin, and they socially incentivize social media users to spread out evenly among all 4, so none are a monopoly and they dodge the law. Then they tightly link each site's experience to the others using OAuth, embedding under the guise of open systems, but really they close it via tough contractual commitments outsiders are unlikely to tolerate. Same difference in the end, just now it's a cartel.

What is the point of privacy laws if a dominant service provider like Google/Facebook can simply deny service if one does not want to accept its data collection policy? They can also change their policy from time to time.

The laws apply to all providers. They can't change their privacy policy to contradict laws. If you want a privacy policy to be guaranteed, you need to talk to your representatives and get it baked into a law.

And citizens can always "vote with their feet". Consider the fate of Google Plus... Myspace... Friendster... Livejournal... AOL... Prodigy... Facebook may seem like the ten ton gorilla today, but I remember when it was AOL and people were talking about anti-monopoly action against them.

All of them lived by the social effect of "all your friends are there"... and died by it too.

An offensive privacy policy is simply likely to cause a mass exodus. StackExchange itself had a setback two years ago after spectacularly botching an internal discussion amongst mods and staff about personal pronouns, for Pete's sake, which goes to reflect how easy it is to take a fall. That could have snowballed into social abandonment of the platform, had an appealing alternative been up and running.

Harper - Reinstate Monica
  • 4
    This seems more like an opinion piece than an answer. Even as opinion, I can't make sense of it. There's precedent in the U.S. for putting special restrictions on corporations that are de facto monopolies due to the high cost of entry for competition – and you even mention an example – yet your answer is written as though you think OP is foolish to suggest such a thing. – benrg Sep 27 '21 at 22:53
  • @benrg where does it infer I think OP is foolish for suggesting such a thing? And what case of high cost of entry for competition did I mention? I'm happy to fix such a blunder, but I am responsible for what I write, and it seems like you are making a lot of inferences that don't look like my work. – Harper - Reinstate Monica Sep 27 '21 at 23:07
  • 4
    The EU does have a specific threshold for large companies. It's called a "dominant market position", and Facebook has it. The EU puts up extra restrictions for companies with a dominant market position. It is entirely possible to imagine additional privacy requirements for such companies, even if they don't exist today. Thus, "the law applies to everyone" is not meaningful in the EU. – MSalters Sep 28 '21 at 10:13
  • @benrg well 2 people seem to agree with you. shrug I tried to remove what I'm guessing you're after, but you tell me. Please, tell me. – Harper - Reinstate Monica Sep 28 '21 at 19:00