Supreme Court Casts Doubt On Whether Privacy Laws Control Retailers

Attorney Mark D. Rasch is the former head of the U.S. Justice Department's computer crime unit and today serves as Director of Cybersecurity and Privacy Consulting at CSC in Virginia.

Remember all those privacy laws you thought you had to comply with? You know, laws ranging from the Fair Credit Reporting Act to health privacy laws to California's Song-Beverly law that prohibits the collection of personal information during a credit card transaction? Well, a U.S. Supreme Court decision last Thursday (June 23) could be read to mean that all of these laws are unconstitutional and that the government may be without the ability to pass any of them.

This might return us to the "Wild West" days of selling personal information to anyone for any reason. Then again, it may not. But for now, at least, the case will provide something of a backstop legal defense to retailers that use personal information for marketing purposes when someone has not explicitly given their permission.

The case at hand involved a Vermont law that limited the use of information related to prescriptions. To get a prescription drug, you have to have, well, a prescription—a note from a real doctor telling the pharmacist that the doctor has permitted you to get the particular drug. In fact, federal law requires doctors to write prescriptions for certain drugs and pharmacies to maintain records of such prescriptions.

Pharmacies eventually learned that there's gold in them thar prescription pads. Although information about patients might be protected by either privilege or statute, the information about the doctor is not. Data brokers quickly bought information from the pharmacies about which doctors were prescribing which drugs, how often and in what geographic area.

Data miners then licensed this data, crunched the numbers and leased the resulting information to pharmaceutical reps who could target doctors, hospitals or other practitioners based upon their prescribing habits. An entire business grew up around this secondary use of prescription information—not to fulfill the order ("fill the 'scrip") but to market to doctors.

Based upon complaints from privacy groups and doctors, Vermont passed a law prohibiting the use (misuse?) of this information for marketing purposes without the consent of the prescribing physician.

But last week, the U.S. Supreme Court decided that the Vermont statute infringed on the pharmaceutical companies' (and their marketing components') constitutionally protected free-speech rights to use the information collected at the pharmacy. The court ruled that this was impermissible "content-based" regulation of free speech and that the prohibition must be held to the highest standard of review, what the law calls "strict scrutiny."

Unless the government can show both a compelling governmental interest in regulating this speech and that there is no less-intrusive means of achieving that interest, the "rights" of the marketers trumped the government's interest in regulating—just as the Court ruled a few days later that the rights of videogame manufacturers to sell ultra-violent videogames to minors trumped the rights of the government to attempt to regulate such sales.

In the pharmaceutical case, the Court held that the Vermont legislature's findings of fact—that such targeted marketing based upon physician prescribing practices would ultimately cause the cost of prescription medicines to rise as marketers pushed newer, more expensive and non-generic drugs on doctors—were insufficient to warrant such a "content-based" regulation. The pharmaceutical prescribing behavior could be used by the government for "evidence-based medicine," to improve public health and delivery, or for education or medical research, but not for marketing.

As a result, the U.S. Supreme Court noted, "The statute thus disfavors marketing, that is, speech with a particular content. More than that, the statute disfavors specific speakers, namely pharmaceutical manufacturers." Essentially, the Court found that the statute was a "ban" on a protected form of expression—marketing—aimed only at marketers. The Court likened this to other "bans" on protected expression, like censorship of books, which are prohibited by the Constitution.

The Court also found that the information provided by the doctors to the pharmacists (and then sold to the data brokers) in a sense "belonged" to the pharmacy, which could do whatever it wanted to with "information that the speaker already possesses." The Court then went on to say "the creation and dissemination of information are speech within the meaning of the First Amendment," so that the collection and use of the doctor's information without the consent of either the doctor or the patient was a form of protected expression (as opposed to a commercial activity subject to reasonable regulation).

OK, so the physician information belongs to the pharmacies and they have a free speech right to use it, right? What about the doctor's privacy rights? Nope, that's not a legitimate interest here because, according to the Court, the statute was not really designed to protect doctors' privacy. The Court noted that the law allowed pharmacies to sell the information for reasons other than marketing, such as healthcare research, and that it "permits insurers, researchers, journalists, the State itself and others to use the information." Only marketers were left out.

Pointedly, the Court attempted to distinguish the approach taken by Vermont—no use of the information for marketing—from that taken for medical privacy under HIPAA. As the Court noted, "the State might have advanced its asserted privacy interest by allowing the information's sale or disclosure in only a few narrow and well-justified circumstances," as HIPAA does. "A statute of that type would present quite a different case than the one presented here." The Court characterized HIPAA as a law that protects privacy and only allows the use of medical information in a few circumstances.

The problem with this analysis is that it is a complete mischaracterization of what HIPAA actually does. HIPAA allows the use of medical information for any purpose for which it is collected—medical diagnosis, treatment, payment, third-party payment and related purposes. It also allows the information to be collected and used (sometimes anonymously) for training, education, disease control, reporting, licensing, law enforcement and other regulatory purposes. In the end, HIPAA does almost the same thing that the Vermont law does—prohibits the use of medical information for non-medical purposes.

The "horror stories" that led to the passage of HIPAA—the sale of medical records to insurers, real-estate brokers, credit-card companies, financial institutions, etc.—are precisely the types of "misuse" for marketing purposes that the Vermont law tried to curtail.

So what the Court found was this:

1. Collecting personal information about doctors is "speech."

2. That "speech" is protected under the Constitution.

3. The information collected belongs to the collector.

4. Restricting the use of that information for marketing purposes is a "content-based" ban.

5. Such a ban is subject to "strict scrutiny."

6. The government's interest in protecting privacy is not sufficient if it allows other uses of the information apart from marketing.

What does it all mean? The Court seemed most concerned about the fact that the statute was aimed only at marketers and only at their use of this information for targeted marketing. The government, the six Justices in the majority felt, was trying to favor doctors over pharmaceutical manufacturers. The Court noted:

"The capacity of technology to find and publish personal information, including records required by the government, presents serious and unresolved issues with respect to personal privacy and the dignity it seeks to secure. In considering how to protect those interests, however, the State cannot engage in content-based discrimination to advance its own side of a debate.

"If Vermont's statute provided that prescriber-identifying information could not be sold or disclosed except in narrow circumstances then the State might have a stronger position. Here, however, the State gives possessors of the information broad discretion and wide latitude in disclosing the information, while at the same time restricting the information's use by some speakers and for some purposes, even while the State itself can use the information to counter the speech it seeks to suppress. Privacy is a concept too integral to the person and a right too essential to freedom to allow its manipulation to support just those ideas the government prefers."

All privacy laws, the Vermont statute included, attempt to restrict the collection and use of information. As with the Vermont law struck down, the government "favors" one use of personal information (say, for the purpose for which it was collected) and disfavors another (say, marketing or defamation). Privacy law begins with the assumption that the data subject retains some rights or interests in their information. The U.S. Supreme Court appears to reject that assumption—at least for information about professionals.

So how far does this decision go? The three dissenting Justices—Breyer, Ginsburg and Kagan—point out that the decision calls into question the many laws that restrict personal information collected for one purpose from being used for another, such as laws that restrict the use of credit scores for finding new customers or the use of medical records to identify new patients. These laws are potentially unconstitutional.

For example, the Song-Beverly Act, which restricts the use of personal information in California for marketing, may suffer the same infirmities as the Vermont statute. In fact, if marketing to people based upon information you have collected (or purchased) is constitutionally protected speech, then restrictions like "opt in" must be the least burdensome, so "opt out" may become the norm if permitted.

Is that what the Court meant to do? In the end, we don't know.

My advice here would be the same as if you were attacked by a bear: Stand very still and don't make any sudden movements. Keep protecting and respecting privacy and adhering to privacy laws.

But if you are sued, this decision may present you with a substantial legal defense on constitutional grounds.

If you disagree with me, I'll see you in court, buddy. If you agree with me, however, I would love to hear from you.