Service providers like Google and Facebook are pretty much part of people's lives.

Like how the law has provisions for 'well known brands' (e.g. generic trademarks and common carriers), does the law have provisions for 'well known service providers' when it comes to privacy terms?

What is the point of privacy laws if a dominant service provider like Google/Facebook can simply deny service if one does not want to accept its data collection policy? They can also change their policy from time to time.

This question is general, I do not want to restrict this to any jurisdiction. But if a jurisdiction is asked, can the answer be confined to the EU? Data protection laws are most stringent there.

user1034912

5 Answers

The point of privacy laws is to set basic standards that apply to everyone, whether or not they have a privacy policy. A privacy policy that is inconsistent with privacy laws cannot be enforced. Breaches of privacy law can be punished even if the conduct is permitted by a privacy policy.

Article 7 of the GDPR illustrates this by making special provision for the nature of "consent" to the processing of personal data. Consent must be freely given, and a "written declaration" as to consent, like the acceptance of a privacy policy, "shall not be binding" to the extent that it infringes the GDPR.

The $5 billion penalty obtained by the FTC in United States v. Facebook, Inc (19-cv-2184) demonstrates that privacy laws can have a practical impact when a service provider "subvert[s] users’ privacy choices to serve its own business interests." Facebook was penalised even though its users agreed to Facebook sharing "information about the App User and the App User’s Facebook Friends" with third-party developers.

Whether a service provider has breached privacy law is a complex, fact-specific question, but if the service is "pretty much part of people's lives," that will generally affect both the application of privacy law and the likelihood of an investigation by the regulators.

sjy

GDPR doesn't generally expect “agreement”, so it's not necessary to prevent access by people who don't “agree”. A privacy policy is not a contract, but a unilateral notice about how personal data will be processed. This processing is either legal, or it is not. The GDPR contains various conditions and parameters that determine what is legal. In particular, every processing of personal data needs a clear purpose that is covered by a legal basis. Legal bases can include legal obligations, contracts with the data subject, but also consent (opt-in) or a legitimate interest (balancing test with opt-out).

Large service providers like Google or Facebook have the legal resources to defend themselves, and have a lot to gain from more flexible interpretations of data protection law. So they often end up doing stuff that's not entirely legal.

For example, Facebook is arguing that they're not processing personal data for advertising purposes because they want to – they argued that they have a contract with the user, and they have an obligation under this contract to show ads. So it's really the user's fault, and Facebook is just carrying out the user's wishes. If that is the case, then Facebook would not need consent. It is not yet clear whether this is legal (noyb is currently litigating this “consent bypass” technique).

My assumption is that Facebook's standpoint won't prevail: while parties are generally free to enter whatever contract they like, pre-formulated contracts / contracts of adhesion are generally subject to additional regulation and can't sneak in surprising extra terms. A pre-formulated contract about providing a social media or messaging platform cannot contain non-necessary terms about data use. Instead, consent would be a more appropriate legal basis.

And at least under the GDPR, consent is subject to substantial conditions. Consent must be specific, informed, and freely given. Access to a service cannot generally be made conditional on unrelated consent, since this would make it impossible for a user to freely decide (Art 7 GDPR). (However, it might be OK to give the user a choice between consent and a reasonable payment.) GDPR consent must involve an unambiguous action, and cannot be implied by an unspecific action like “by continuing to use this site, you agree …” or by checking a button “I have read and understood the privacy policy”. If consent was obtained in an invalid manner (such as by pressuring the data subject, or making it impossible to decline), then data processing activity that was covered by the consent legal basis is illegal, risking fines under the GDPR.

amon

By using their service, you have to agree to their conditions. So yes, if you don't agree, you can't use their services. There are alternatives, although of course they may have limitations in functionality or reach (there's a reason many people think Google is the best search engine).

If you think they do more with your data than what you agreed to, you may file a complaint with the GDPR representative, but this must be very well justified. Note that the GDPR does not prevent data from being collected. It only requires companies to inform you what they do with it and why.

PMF

A privacy policy is generally not an agreement or a contract; it is a statement of the provider's actions in connection with the acquisition and retention of personal information (PI) and other privacy issues. Various laws may require a provider to have a current and accurate privacy policy displayed, including the GDPR, the CCPA, HIPAA, and various industry-specific laws in the US.

(see also https://law.stackexchange.com/a/73222/17500)

Thus there is generally no need for a user to agree to or accept a privacy policy, as there often is to a "terms and conditions" or "end-user agreement" document.

While laws can and sometimes do treat large firms differently than small ones, I don't know of any law that makes privacy rules less strict for large firms. In fact, the CCPA only applies some of its rules to services with more than a certain number of users, I think 10 million.

A service can impose privacy policies with no consent provided that they are within what the applicable law permits.

Accepting a privacy policy or a user agreement does not allow a service to impose terms or use practices forbidden by law (unless the law permits such an exception, and most do not in this area).

David Siegel

does the law have provisions for 'well known service providers' when it comes to privacy terms?

No, the law (generally) doesn't make a provider's rights worse when it crosses a certain size threshold. And even where those restrictions exist, they can be gamed around.

Suppose you "break up AT&T" as it were. Four brothers form corporations: Gryffindor, Hufflepuff, Ravenclaw and Slytherin, and they socially incentivize social media users to spread out evenly among all 4, so none are a monopoly and they dodge the law. Then they tightly link each site's experience to the others using OAuth, embedding under the guise of open systems, but really they close it via tough contractual commitments outsiders are unlikely to tolerate. Same difference in the end, just now it's a cartel.

What is the point of privacy laws if a dominant service provider like Google/Facebook can simply deny service if one does not want to accept its data collection policy? They can also change their policy from time to time.

The laws apply to all providers. They can't change their privacy policy to contradict laws. If you want a privacy policy to be guaranteed, you need to talk to your representatives and get it baked into a law.

And citizens can always "vote with their feet". Consider the fate of Google Plus... Myspace... Friendster... Livejournal... AOL... Prodigy... Facebook may seem like the ten ton gorilla today, but I remember when it was AOL and people were talking about anti-monopoly action against them.

All of them lived by the social effect of "all your friends are there"... and died by it too.

An offensive privacy policy is simply likely to cause a mass exodus. StackExchange itself had a setback two years ago after spectacularly botching an internal discussion amongst mods and staff about personal pronouns, for Pete's sake, which goes to reflect how easy it is to take a fall. That could have snowballed into social abandonment of the platform, had an appealing alternative been up and running.

Harper - Reinstate Monica