14 August, 2015
On 6 May 2015, the Intermediate People’s Court of Nanjing City, Jiangsu Province, issued a civil judgment ruling that the search engine giant Baidu’s use of cookies to personalize advertisements directed at consumers on partner third party websites does not infringe consumer rights of privacy. The court based its decision on findings that the information collected by the Baidu cookies did not amount to “personal information” under Chinese law, the complainant did not suffer cognizable injury by receiving targeted ads on other sites, and Baidu afforded consumers mechanisms to opt out.
Although not binding on other courts, this judgment has significant implications. It provides insight into how other courts in China are likely to handle similar challenges to the use of cookies in the future, and its detailed analysis of Baidu’s cookie policy sheds light on what policies and practices companies in China would be prudent to adopt in order to best balance industry and consumer interests in compliance with the law.
Regulation of cookies under Chinese law
Chinese law does not specifically regulate cookies. Instead, cookies are generally subject to Chinese regulations on the Internet, consumer privacy and data protection. Among these laws are:
- the 2010 Tort Liability Law;
- the related 2014 Supreme People’s Court’s Provisions on Certain Issues Concerning the Application of Law in the Hearing of Cases of Civil Disputes over the Use of Information Networks to Infringe upon Personal Rights and Interests (the SPC Provisions);
- the 2013 Ministry of Industry and Information Technology Provisions on Protection of Personal Information of Telecommunications and Internet Users (the MIIT Provisions); and
- the 2015 State Administration for Industry and Commerce Measures for Punishments against Infringements on Consumer Rights and Interests.
There is also a non-binding standard which gives helpful guidance for the industry, the 2013 China Standardization Administration’s Guidelines for Personal Information Protection within Information Systems for Public and Commercial Services on Information Security Technology (the Guidelines).
The consumer’s claim
In this recent case, Internet user Ms. Zhu Ye claimed that Baidu violated her privacy rights under the 2010 Tort Liability Law leading to damages in the form of emotional distress. Ms. Zhu had used Baidu’s search engine to type in distinctive search terms such as “weight loss”, “abortion” and “breast implants”. Then, when visiting third party websites, such as www.4816.com, www.paolove.com and www.500kan.com, she found (and used a notary to document evidence) that the advertisements displayed on these websites related to the search term she had input into Baidu’s search engine prior to visiting the site. Marking on the online advertisements traced them back to the cooperative advertising arm of Baidu. This caused Ms. Zhu to feel significant fear and distress that Baidu engaged in commercial activity using her personal habits and preferences, in violation of her rights to privacy.
The court’s finding
The appellate court disagreed with Ms. Zhu’s privacy claim based on three key considerations.
- The information collected by the Baidu cookies did not amount to “personal information” as defined under the MIIT Provisions.
The court agreed that a record of a user’s internet activity and internet preferences are matters of privacy, but the court also found that such items did not amount to personal information in the context of cookies because the information is separate from, and unable to lead to discovery of, the identity of the user. Baidu’s cookies were not linked to the identity of a person, but only to the specific Internet browser. Baidu did not know the identity of the user using the browser, nor did it know whether there were one or several people using the browser or what Ms. Zhu’s preferences would be if she used a different browser.
- Baidu’s online targeted advertising service did not result in cognizable damages to the user or involve public disclosure.
The SPC Provisions, which set down the parameters for courts to take on Internet public disclosure cases, provide that courts shall uphold a finding for liability in tort for cases in which: (1) a network user or network service provider, (2) causes harm to an individual (3) by using the Internet to make public the individual’s genetic information, medical records, health examination data, criminal records, home address, personal activities or other private and personal information. The court found that Ms. Zhu’s claims failed on the second element (damages) and the third element (public disclosure).
Concerning damages, the court found that Ms. Zhu’s claims of emotional distress were subjective and unsupportable, and that the objective result of Baidu’s personalized advertisements service, far from being harmful, actually provided a benefit to Ms. Zhu as the advertisements she saw on third party websites were targeted towards her preferences, rather than being random and irrelevant.
Concerning public disclosure, the court found that no public disclosure had occurred. The only place where Ms. Zhu’s Internet preferences were disclosed was to Ms. Zhu’s own Internet browser, and not to the public.
- Baidu had not denied Ms. Zhu’s right to know and right to choose.
The court found that Baidu had fulfilled its duty to Ms. Zhu as a consumer and user of its website by virtue of its published and well-developed privacy policy. Baidu’s privacy policy, which was accessible through a link at the bottom of its homepage entitled “Must read before using Baidu”, explained what cookies are, informed users that Baidu uses cookies to personalize advertisements on partner websites, and provided two ways to opt out of cookies. Although Baidu did not collect explicit consent for its use of cookies, the court found that this policy functioned as a notice and that the opt-out mechanism is consistent with the rules of the non-binding Guidelines, which state that when collecting “general personal information”, consent may be obtained in an implied way, as long as collection and use stops if a user objects.
In Baidu’s case, there are not one, but two opt-out mechanisms available to users. The first is Baidu’s explanation of how to turn off cookies through adjusting the user’s browser settings. The second is a button provided by Baidu on its own website that allows users to turn off the cookie function.
Conclusion
China has no specific rules on cookies, which can leave companies uncertain about whether the cookie policies they have formulated under general PRC privacy rules and practice comply and are sufficient to withstand claims in court. Indeed, Baidu itself could not be certain of the outcome of this particular case, and actually lost the case in the court of first instance.
The appellate judgment, on the other hand, overruled the court of first instance and, in a detailed opinion, shed much needed light on the issue. Even though not binding on other courts as a precedent, given that the PRC is not a common law jurisdiction, the court’s opinion is the final judgment for this case, and its analysis reveals important take-aways to consider in addition to the main findings discussed above:
- Using cookies, at least in a targeted advertising context, can be compliant with PRC privacy law. The legality of other uses of cookies, however, still remains unclear, and the court judgment did not address other uses outside the specific facts of Baidu’s case. Baidu’s case, it should be noted, involved limited delivery of information as between Baidu’s servers and the user’s browser. Importantly, in that use, no personal information was displayed, provided or sold to external parties. If the opposite were true, then the use of cookies might be analyzed differently under PRC law.
- Privacy policies are critical. They should be thorough in their explanation of cookie use and where applicable, explain how to opt out, or even better, directly provide a mechanism to users for opting out.
- A webpage privacy policy should be prominent and easy to find. In the appellate case, the court said it was acceptable that the privacy policy was presented in a link at the bottom of the page. An argument was made challenging this presentation because the link was in a smaller font, was displayed in an inconspicuous color, and was sandwiched between other information. Although the court acknowledged these points, it still found the link to be conspicuous enough given the simplicity of Baidu’s webpage overall. This suggests a holistic approach to the notice analysis. A more conspicuous link may be advisable for more complicated webpages.
- The court cited the Guidelines. The Guidelines are non-binding, so their usefulness is often, and at least in some measure rightly, discounted. Nevertheless, they are the most detailed statement of standards for privacy matters in the PRC, and we often advise clients of the potential upside of referring to them to develop best practices. In this court judgment, the upside was explicit. The court found the Guidelines to be an important reference point for devising principles for what is acceptable, acknowledged the Guidelines’ separate classification and consent requirements for sensitive personal information as opposed to general personal information, and recognized the Guidelines’ purpose of striking a balance between preserving personal dignity and promoting technical innovation.
The judgment cannot be relied on as a precedent, but it bodes well for Baidu and provides strong arguments for why similar uses of cookies will be compliant with the spirit and letter of Chinese law, which is a welcome development for technology companies across China.
Sherry Y. Gong, Hogan Lovells