ALM Properties, Inc.
Page printed from: Corporate Counsel
Select 'Print' in your browser menu to print this document.
'Do Not Track': Online Privacy Litigation Now and in the Future
Special to Law.com
Over the last several years, attorneys for Internet users have been vigorously attempting to fashion a viable claim against Internet service providers, companies operating websites, "app" developers and Internet advertisers (collectively, "Internet companies") for collecting, transmitting or even selling personal, private data about the users. Such private information may include websites visited, advertising banners clicked on, search terms used and even key strokes made, which the users claim was collected without their informed consent. To date, based on the current laws on the books, very few, if any, of such claims have withstood court scrutiny.
CURRENT CLAIMS FOR VIOLATIONS OF INTERNET PRIVACY
There are a number of Internet privacy-related claims that are commonly asserted in courts throughout the country, thus far with limited success.
The Computer Fraud and Abuse Act
The CFAA, 18 U.S.C. §1030 et seq., provides a civil remedy against "[w]hoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer." At first glance, the CFAA appears to cover unauthorized collection of private information. However, users have run into at least one major sticking point—damages. Under the CFAA, the Internet user must allege "damage or loss" that meets or exceeds a $5,000 minimum statutory threshold.
The Wiretap Act
The Wiretap Act, 18 U.S.C. §2511(3)(a), states that an entity "providing an electronic communication service to the public shall not intentionally divulge the contents of any communication (other than one to such entity, or an agent thereof) while in transmission on that service to any person or entity other than an addressee or intended recipient of such communication [or its agent]." In one litigation, the user alleged that the Internet company violated the Wiretap Act because when the user of the Internet company's website clicked on an advertisement banner, this information was transmitted to the advertiser. The court dismissed the claim, finding that the click of the banner is either a communication to the Internet company itself or the intended recipient (the advertiser), and therefore no violation occurs as a result of this practice. In re Facebook Privacy Litigation, 791 F. Supp. 2d 705, 713 (N.D. Cal. 2011). Internet companies should be careful if disclosing such communications to third party advertisers, however, as such third parties may not be viewed as an "intended recipient."
Stored Communication Act
Under the Stored Communication Act, 18 U.S.C. §2702(a)(1), an entity providing an electronic communications service to the public "shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service." However, the provider may divulge the communication to an addressee or intended recipient, or with the lawful consent of the addressee or intended recipient. At least one court has held that because clicking on an advertising banner is either a message to the Internet service provider itself or the advertiser as an intended recipient, the users failed to state a claim under the Stored Communication Act. Facebook, 791 F. Supp. 2d at 714.
Deceptive Act or Practice/Unfair Competition Statutes
Various states have laws prohibiting deceptive business acts or practices directed at consumers. See, e.g., Cal. Bus. & Prof. Code §17200, et. seq; N.Y. General Business Law §349. However, in most states, claims for loss of private data fail because a showing of lost money or property is required, and the majority of courts have held that the fact that an Internet company unlawfully accessed or shared personal data with another is not a loss of money or property. See, e.g., Facebook, 791 F. Supp. 2d at 714-15. Obviously, Internet companies must not disclose social security numbers or credit card numbers, as such disclosures could give rise to money damages, but disclosure of mere private information is generally insufficient.
Trespass to Chattels
A trespass to chattels occurs when a party intentionally, without justification or consent, physically interferes with the use and enjoyment of personal property in another's possession, and/or thereby harms that personal property. Internet users have attempted to allege trespass to chattels by claiming that Internet companies have deprived users of the economic value of their personal information by accessing and transferring it, and/or have harmed their computers by installing cookies and browser history-sniffing code thereon. These claims have been difficult to maintain because users have been unable to demonstrate harm to personal property, as courts have held that, again, the private information appears to have no economic value. Further, plaintiffs have struggled to adequately allege harm or obstruction to the normal use of their computers as a result of cookies or Web-sniffing code. Amazon, 2011 WL 6325910 at *5-6; see, e.g., Facebook, 2011 WL 6176208 at *4 (claim under California Comprehensive Computer Data Access and Fraud Act, Cal. Penal Code § 502(c)(8), which creates liability for any person who knowingly introduces a contaminant on another's computer, fails because provider had permission and/or normal computer operations not usurped). However, a trespass to chattels claim based on accessing private information has survived a motion to dismiss in New York, at least. Bose, 2011 WL 4343517 at *9-*10.
Right of Publicity Claims
In certain limited fact patterns, Internet users have had some preliminary success asserting that the use of their private information on the Web violates their right of publicity. Right of publicity statutes in most states prohibits the non-consensual use of another's name, voice, signature, photograph, or likeness for advertising, selling or solicitation purposes. California Civil Code §3344.
Effect on Claims if Proposed Legislation or Remediation Is Adopted
The institution of the Consumer Privacy Bill of Rights and legislation arising therefrom may provide users with more control over what personal data companies collect and how they use it. It also may make it easier for users to understand what information is being collected. Similarly, the "Do Not Track" button being adopted by certain Internet service providers may prevent Internet companies from obtaining the data for advertising, employment, credit, health care or insurance purposes. However, Internet companies will still be able to use the information as part of their own market research and product development. Also, future compliance with the "Do Not Track" button appears to be voluntary at this point, meaning advertisers or other Internet companies may decide to attempt to override it.
Internet users are still best served taking preventative measures to protect their private information, such as being careful about what they put online in the first place and by fully utilizing Web browser and other privacy controls. In many cases, now and in the immediate future, court relief may not exist.
This article originally appeared on Law.com.