Chadbourne & Parke's Gerry Silver
Over the last several years, attorneys for Internet users have been vigorously attempting to fashion a viable claim against Internet service providers, companies operating websites, "app" developers and Internet advertisers (collectively, "Internet companies") for collecting, transmitting or even selling personal, private data about the users. Such private information may include websites visited, advertising banners clicked on, search terms used and even key strokes made, which the users claim was collected without their informed consent. To date, based on the current laws on the books, very few, if any, of such claims have withstood court scrutiny.
Hence, there has been a tremendous movement of late to protect user privacy over the Internet. In late February, the White House unveiled a "Consumer Privacy Bill of Rights" as part of a blueprint for protecting individual privacy rights and to give users more control and transparency on how their Internet data is handled. Similarly, also in late February, major Internet providers, including Google and Yahoo, announced a willingness to install a "Do Not Track" button on their browsers, so users may elect to avoid, or at least limit, Web tracking.
This article analyzes the current legal viability of various online privacy claims, which analysis for the most part compels the conclusion that additional legislation and/or remedial measures would be additive. This article also looks at how the potential legislation and/or remediation may affect such claims, and how e-commerce companies will need to better protect themselves in the future.
CURRENT CLAIMS FOR VIOLATIONS OF INTERNET PRIVACY
There are a number of Internet privacy-related claims that are commonly asserted in courts throughout the country, thus far with limited success.
The Computer Fraud and Abuse Act
The CFAA, 18 U.S.C. §1030 et seq., provides a civil remedy against "[w]hoever intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains information from any protected computer." At first glance, the CFAA appears to cover unauthorized collection of private information. However, users have run into at least one major sticking point -- damages. Under the CFAA, the Internet user must allege "damage or loss" that meets or exceeds a $5,000 minimum statutory threshold.
Internet users have attempted to show damages by claiming either an overall loss of privacy, or that the unlawful taking of their private data has deprived them of the use and value of their data. However, courts have repeatedly found that the users have failed to allege any real economic value ascribed to such private information, let alone damages sufficient to meet the $5,000 statutory threshold. See, e.g., Bose v. Interclick, Inc., 2011 WL 4343517, *4-6 (S.D.N.Y. Aug. 17, 2011); LaCourt v. Specific Media, Inc., 2011 WL 1661532, *5 (C.D. Cal. April 28, 2011); see also In re Facebook Privacy Litigation, 2011 WL 6176208, *5-*6 (N.D. Cal. Nov. 22, 2011). Internet users have further attempted to establish damages by arguing that they may suffer severe harm if their private information is used for more than advertising purposes, such as if it is sold to, for example, credit card or lending companies, employment background check services, or to business competitors, but courts have found any such potential harm to be too speculative to sustain a claim. Del Vecchio v. Amazon.com Inc., 2011 WL 6325910, *3-*4 (W.D. Wash. Dec. 1, 2011); Facebook, 2011 WL 6176208 at *6.
Internet users have also claimed that the Internet companies' collection techniques, such as through the use of "cookies" or Web-tracking software, has harmed their computers. However, courts have repeatedly found that the users have failed to adequately allege how or in what manner any such harm occurred. See, e.g., Amazon, 2011 WL 6325910 at *3-*4.
Further, users have had little success under the CFAA because the click-through "Terms of Use" they agree to often disclose the very practices of which the users complain. Hence, the Internet companies have not acted "without authorization," as required under the statute. See Amazon, 2011 WL 6325910 at *4.
The Wiretap Act
The Wiretap Act, 18 U.S.C. §2511(3)(a), states that an entity "providing an electronic communication service to the public shall not intentionally divulge the contents of any communication (other than one to such entity, or an agent thereof) while in transmission on that service to any person or entity other than an addressee or intended recipient of such communication [or its agent]." In one litigation, the user alleged that the Internet company violated the Wiretap Act because when the user of the Internet company's website clicked on an advertisement banner, this information was transmitted to the advertiser. The court dismissed the claim, finding that the click of the banner is either a communication to the Internet company itself or the intended recipient (the advertiser), and therefore no violation occurs as a result of this practice. In re Facebook Privacy Litigation, 791 F. Supp. 2d 705, 713 (N.D. Cal. 2011). Internet companies should be careful if disclosing such communications to third party advertisers, however, as such third parties may not be viewed as an "intended recipient."
Stored Communication Act
Under the Stored Communication Act, 18 U.S.C. §2702(a)(1), an entity providing an electronic communications service to the public "shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service." However, the provider may divulge the communication to an addressee or intended recipient, or with the lawful consent of the addressee or intended recipient. At least one court has held that because clicking on an advertising banner is either a message to the Internet service provider itself or the advertiser as an intended recipient, the users failed to state a claim under the Stored Communication Act. Facebook, 791 F. Supp. 2d at 714.
Deceptive Act or Practice/Unfair Competition Statutes
Various states have laws prohibiting deceptive business acts or practices directed at consumers. See, e.g., Cal. Bus. & Prof. Code §17200, et. seq; N.Y. General Business Law §349. However, in most states, claims for loss of private data fail because a showing of lost money or property is required, and the majority of courts have held that the fact that an Internet company unlawfully accessed or shared personal data with another is not a loss of money or property. See, e.g., Facebook, 791 F. Supp. 2d at 714-15. Obviously, Internet companies must not disclose social security numbers or credit card numbers, as such disclosures could give rise to money damages, but disclosure of mere private information is generally insufficient.
However, in certain states, it may be easier for users to state a deceptive practices act claim. For example, in New York, one court found that no showing of economic or pecuniary injury is required, but rather only "actual" injury. The New York court found that the transfer of personal data, without advance notice or consent, results in an "actual" injury (albeit not economic injury), and found such a claim sufficient to withstand a motion to dismiss. Bose, 2011 WL 4343517 at *9. Nevertheless, a properly drafted "Terms of Use" that fully and adequately discloses the conduct of the Internet provider may prevent a showing that the conduct was deceptive or unfair.
Trespass to Chattels
A trespass to chattels occurs when a party intentionally, without justification or consent, physically interferes with the use and enjoyment of personal property in another's possession, and/or thereby harms that personal property. Internet users have attempted to allege trespass to chattels by claiming that Internet companies have deprived users of the economic value of their personal information by accessing and transferring it, and/or have harmed their computers by installing cookies and browser history-sniffing code thereon. These claims have been difficult to maintain because users have been unable to demonstrate harm to personal property, as courts have held that, again, the private information appears to have no economic value. Further, plaintiffs have struggled to adequately allege harm or obstruction to the normal use of their computers as a result of cookies or Web-sniffing code. Amazon, 2011 WL 6325910 at *5-6; see, e.g., Facebook, 2011 WL 6176208 at *4 (claim under California Comprehensive Computer Data Access and Fraud Act, Cal. Penal Code § 502(c)(8), which creates liability for any person who knowingly introduces a contaminant on another's computer, fails because provider had permission and/or normal computer operations not usurped). However, a trespass to chattels claim based on accessing private information has survived a motion to dismiss in New York, at least. Bose, 2011 WL 4343517 at *9-*10.
Contract-Based Claims
Internet users have also attempted to assert claims for breach of contract, quasi-contract or tortious interference with contract, all arising out of the theory that the Internet companies agreed or represented that they would not access, sell or transfer private information. However, these claims have generally failed because the users have been unable to allege damages (a requisite of a breach of contract claim), or because the "Terms of Use" agreed to by the user sufficiently describe how such private information can and will be used. In re Facebook, 791 F. Supp. 2d at 717.
Internet users have attempted to argue that such "Terms of Use" are unconscionable or unenforceable contracts of adhesion. However, courts have been skeptical of such claims because among other reasons, Users have viable alternatives to agreeing to the "Terms of Use", and/or because the activity the user is engaging in is a "nonessential recreational activity." See, e.g., In Re Iphone Application Litigation, 2011 WL 4403963, *8 (N.D. Cal, Sept. 20, 2011) (playing "Angry Birds" is a nonessential recreational activity).
Right of Publicity Claims
In certain limited fact patterns, Internet users have had some preliminary success asserting that the use of their private information on the Web violates their right of publicity. Right of publicity statutes in most states prohibits the non-consensual use of another's name, voice, signature, photograph, or likeness for advertising, selling or solicitation purposes. California Civil Code §3344.
In at least one case, an Internet user has been able to allege a violation of a right of publicity claim as a result of Facebook's use of "Sponsored Stories," which appear on a member's Facebook page, and which typically consist of another member's name, profile picture, and the assertion that the person "likes" the advertiser, complete with the advertiser's logo. At least one court has found that Facebook's use of a user's "like" information as part of a "Sponsored Story" on another's Facebook page is sufficient to state a claim for violation of the right of publicity statute. See Fraley v. Facebook, Inc., 2011 WL 6303898, *7 (N.D. Cal. Dec. 16, 2011). The damages requirement is not as much of an impediment to stating a claim in a publicity case as it is with other causes of action because damages would be the value of the user's endorsement and/or disgorgement of profits (although given that the user is not a celebrity or public figure, damages may be de minimus).
In any event, the Fraley case involved a unique set of circumstances which can be easily remedied by ceasing the practice or by obtaining explicit consent of the user for such practice. The Right of Publicity statutes do not currently provide relief for the typical Internet user whose private information is accessed, collected or tracked for advertising purposes. However, we may see Internet users attempt to pursue an expansive interpretation of these statutes in the future. For example, New York's Right of Privacy Statute, N.Y. Civil Rights Law §50, prohibits the use of a person's "portrait" for advertising purposes, and case law suggests that the term "portrait" is much broader than merely a photograph. Internet users may argue that the use of an individual's Web history, including websites visited, search terms used, advertising banners clicked upon and key strokes made, constitute a "digital" portrait that may not be used for advertising purposes without the user's consent. However, it is highly questionable whether courts will broadly interpret such statutes in this manner.
Effect on Claims if Proposed Legislation or Remediation Is Adopted
The institution of the Consumer Privacy Bill of Rights and legislation arising therefrom may provide users with more control over what personal data companies collect and how they use it. It also may make it easier for users to understand what information is being collected. Similarly, the "Do Not Track" button being adopted by certain Internet service providers may prevent Internet companies from obtaining the data for advertising, employment, credit, health care or insurance purposes. However, Internet companies will still be able to use the information as part of their own market research and product development. Also, future compliance with the "Do Not Track" button appears to be voluntary at this point, meaning advertisers or other Internet companies may decide to attempt to override it.
While these measures should help protect users' private information, at first glance, they do not appear to provider users with many additional legal remedies in the event private data is taken without authorization. Perhaps, as all of the above presents more restrictions on Internet companies than currently exist, users will be more equipped to demonstrate violations. For example, if Internet companies continue to track Web-surfing despite the "Do Not Track" button, or act inconsistently with the Consumer Privacy Bill of Rights or their own policies, this may give rise to stronger fraud or breach of contract claims. However, the damages issues that are currently prevalent will still exist.
CONCLUSION
Internet users are still best served taking preventative measures to protect their private information, such as being careful about what they put online in the first place and by fully utilizing Web browser and other privacy controls. In many cases, now and in the immediate future, court relief may not exist.
Meanwhile, as increased scrutiny and requirements are imposed upon Internet companies, whether through voluntary self-regulation or through legislation, Internet companies' legal obligations will continue to mount. Thus, Internet companies, including not just service providers but all companies conducting business through their websites, as well as Internet advertisers and advertising agencies, should regularly and proactively review their practices, "Terms of Use," privacy polices and other disclosures to make sure they are consistent with one another, and also within the letter of the law of online privacy, which is evolving every day.
Gerry Silver is a partner at Chadbourne & Parke and head of its Information Technology Litigation practice. He is reachable at 212-408-5260 or gsilver@chadbourne.com.
