Thank you for sharing!

Your article was successfully shared with the contacts you provided.
The online harvesting of personal information on consumers — the placing of cookies to track their surfing activity for marketing purposes and the furnishing of such information to third parties — raises serious privacy concerns when undertaken without consumers’ consent. Common-law claims for invasion of privacy do not appear to be applicable. In states that have adopted the “intrusion upon seclusion” category of the tort, the intrusion must be “highly offensive to the reasonable person.” Restatement (Second) of Torts � 652B (1981). That standard could be difficult to meet in the Internet privacy context. [FOOTNOTE 1] The “public disclosure of private facts” category — found in � 652D — has a similar requirement, and it also requires that disclosure be to the public in general or at least to a large number of people. [FOOTNOTE 2] Several new federal laws, however, address such practices. For example, the 1998 Children’s Online Privacy Protection Act (COPPA) establishes a framework of notice, disclosure, parental consent and Federal Trade Commission enforcement for collecting personal information on children. [FOOTNOTE 3] Regulations promulgated pursuant to 1999 federal privacy legislation prohibit financial institutions from furnishing customer account numbers to unaffiliated third parties for e-mail marketing. [FOOTNOTE 4] The final regulation governing the privacy of online and offline medical information under the Health Insurance Portability Act of 1996 was issued in December 2000, to become fully effective in 2002. [FOOTNOTE 5] These laws and regulations, however, are not applicable to the full range of Internet privacy invasions as to the general public. Federal computer-crime and wiretapping laws such as the Computer Fraud and Abuse Act (CFAA) [FOOTNOTE 6] and the Electronic Communications Privacy Act (ECPA) [FOOTNOTE 7] were enacted before the widespread public use of the Internet. Private parties are using these laws in civil actions to stop Internet privacy invasions. NO UNAUTHORIZED ACCESS The CFAA prohibits unauthorized intentional access to, and obtaining information from, a computer used in interstate or foreign commerce or communication. Its civil liability provisions provide for injunctive and other equitable relief and compensatory damages. [FOOTNOTE 8] There are a few reported decisions on the use of CFAA in the context of Internet privacy in actions brought by one e-business against another. For example, in America Online Inc. v. LCGM Inc., [FOOTNOTE 9] LCGM, which operated pornographic Web sites and was a member of America Online, used extractor software programs to harvest the e-mail addresses of other AOL members, contrary to AOL’s terms of service. LCGM subsequently sent more than 92 million bulk e-mails advertising its pornographic Web sites to other AOL members. The federal district court held that the extraction constituted unauthorized access to AOL’s computers under CFAA and that AOL was entitled to injunctive relief. Through the application of CFAA, AOL achieved prospective privacy protection for its own members, which is better protection than the members could have obtained on their own. The decision left for trial AOL’s monetary-damages claim for technical costs, lost customer goodwill and revenue. After a bench trial, AOL obtained judgment for the monetary damages claim for more than $215,000. Another court, however, recently denied summary judgment to AOL, on a similar CFAA claim based on address harvesting and “spamming” — the sending of unsolicited e-mail — on the ground that AOL had not shown conclusively that it had suffered the requisite type of damages. [FOOTNOTE 10] Because CFAA’s statutory definitions do not state that the computer accessed must be the plaintiff’s, it appears that individual AOL members could bring their own damages actions. Proving damages, however, would be difficult. Although Internet service providers have used common- law trespass -to – chattels claims to redress spamming directed at their computers, it is not clear whether subscribers can bring such claims to challenge the initial harvesting of their e-mail addresses. [FOOTNOTE 11] One federal district court did grant a temporary restraining order to a Web-based dating service, holding that the plaintiff had stated a claim under the CFAA when it alleged that one of its former employees accessed the service’s site and entered a code that hijacked visitors to a separate, pornographic Web site. [FOOTNOTE 12] The court found a likelihood of irreparable harm to the service’s goodwill. The invasion of privacy appeared to be the unwanted exposure to offensive material, as well as potential unwanted inclusion of identifying information in a generalized online pornography database. In civil actions in other contexts, courts have discerned a congressional intent that the CFAA be construed broadly. [FOOTNOTE 13] THE ECPA STEPS IN Title I of the ECPA imposes liability on any person who intentionally intercepts or endeavors to intercept any electronic communication or intentionally uses, or endeavors to use, the contents of any electronic communication, knowing or having reason to know that the information was obtained through a prohibited interception. [FOOTNOTE 14] Last July, a class action was filed in the Southern District of New York against Netscape and AOL, illustrating that the law may potentially be used to vindicate individual privacy rights. The class action complaint was brought on behalf of “all … United States persons or entities who maintain Web sites on the Internet providing ‘zip’ or ‘exe’ files for download by visitors to the site.” [FOOTNOTE 15] It alleges that Netscape’s SmartDownload software uses a cookie, placed in the user’s computer the first time the user accesses the Internet through Netscape’s browser, to send Netscape data on each downloaded “exe” or “zip” file. This allegedly permits Netscape to create a continuing profile of the class members’ and each visitor’s file transfers over time. The legal theory underlying the suit is that the cookie’s secret transmission to Netscape of information on the “exe” and “zip” files that the user downloads, together with the user’s identifying information, is an interception of an electronic communication. The complaint seeks damages under the ECPA civil liability section [FOOTNOTE 16] that provides for monetary damages or statutory damages in a specific amount per day for each violation. [FOOTNOTE 17] Title II of the ECPA prohibits intentionally accessing (without authorization) a facility through which an electronic communication service is provided. Title II may apply if a third party manages to obtain e-mail messages, without authorization, from an Internet service provider. The statute provides a civil cause of action by the service provider, subscriber or other aggrieved person to recover actual damages and profits gained by a knowing violator, with a minimum recovery of $1,000. It also provides for recovery of attorney fees and costs, and punitive damages for willful or intentional violations. [FOOTNOTE 18] In addition to lawsuits between businesses, individual consumer and class actions have been brought under the CFAA and the ECPA. For example, DoubleClick has allegedly deployed cookies to track consumers’ surfing habits in order to personalize site ads. DoubleClick has also allegedly acquired a direct marketing company so that it could combine its online personal information with the marketing company’s off-line database on consumer purchasing patterns. [FOOTNOTE 19] Other actions have targeted Toys ‘R’ Us, which allegedly used an outside firm to place cookies and monitor the Internet surfing of visitors to the retailer’s Web site. [FOOTNOTE 20] Similar privacy class actions have reportedly been filed against Amazon.com, RealNetworks and Buy.com. [FOOTNOTE 21] IT AIN’T FAIR Most of the FTC’s administrative and federal court Internet privacy enforcement actions allege deception, [FOOTNOTE 22] but the FTC has also brought an unfairness claim. The FTC’s first such action was against GeoCities in 1998, [FOOTNOTE 23] alleging that it maintained false representations on its Web site. GeoCities’ Web site stated that identifying and other personal information would not be disclosed to third parties without the member’s permission. The complaint, together with a consent order, alleged that such information was actually maintained by third parties hosted on the site and marketed to e-mail advertisers other than those approved by the member. In another action, the FTC filed a federal court complaint and consent agreement enjoining bankrupt e-tailer Toysmart.com from holding an online auction of its customer information as a step in resolving its bankruptcy obligations. [FOOTNOTE 24] The complaint alleged deceptive practices in that the company represented to its customers that information would never be shared with a third party. In yet another FTC action, International Outsourcing Group and other defendants sold prescription medications, including Viagra and Propecia, online. [FOOTNOTE 25] International Outsourcing’s Web site requested personal medical history information from users; represented that it would be encrypted and securely transmitted to its own physicians; and represented that prescriptions would be filled by an on-site pharmacy. The federal court complaint alleged that the information was not encrypted and prescriptions were actually filled by an independent, off-site pharmacy. The defendants simultaneously entered into stipulated final orders for permanent injunctions. The FTC filed a federal court complaint and consent agreement in January 2000, alleging unfairness as well as deception against ReverseAuction.com, an Internet auction service. [FOOTNOTE 26] Although it may signal a substantial expansion of the FTC’s Internet privacy enforcement activity, unfairness claims must still pass the commission’s three-pronged test: (1) the practice causes or is likely to cause substantial injury to consumers; (2) the injury is not outweighed by offsetting benefits to consumers or competition that the practice produces; (3) and consumers could not have reasonably avoided the injury. [FOOTNOTE 27] The complaint alleged that ReverseAuction registered as a user of eBay and obtained the e-mail addresses, user IDs and feedback ratings of other registered eBay customers. It then disseminated unsolicited commercial e-mail to them, allegedly falsely representing that their eBay registrations would expire soon and promoting the new ReverseAuction Web site. The complaint claimed that such a use of member information was an invasion of privacy and violated the eBay User Agreement and Privacy Policy, and that it led many eBay customers to believe eBay had provided their e-mail addresses and user IDs to ReverseAuction. In a concurring statement filed on the FTC’s public record simultaneous with the federal court filings, one FTC commissioner maintained that the real harm suffered was decreased consumer confidence in eBay and, in turn, the entire electronic marketplace. Two of the five FTC commissioners, however, filed a statement on the FTC’s public record, indicating their dissent to the majority’s decision to include the unfairness claim in the complaint. They reasoned that consumers had already agreed to make their information available to other eBay members and that a substantial portion of the information was available without restriction to visiting nonmembers. The two dissenters also concluded that merely obtaining consumers’ e-mail addresses without their explicit consent and sending them e-mail solicitations do not cause substantial injury. In its consent agreement, ReverseAuction agreed to delete and refrain from using user IDs, e-mail addresses and feedback ratings of eBay users, and it also agreed to post on its Web site a notice that it would take those steps and that eBay had lacked knowledge of or participation in ReverseAuction’s actions. The key question in individual damages actions under the states’ “little FTC acts” will be whether Internet privacy invasions cause actual, compensable damages in the absence of demonstrable monetary loss. Although some statutes require loss of money or property, [FOOTNOTE 28] at least one provides for multiple damages for mental anguish caused by knowing, prohibited conduct. [FOOTNOTE 29] David J. Federbush is a solo practitioner in Largo, Md., where he focuses on plaintiffs’ and commercial litigation. He was previously a senior litigator at the Federal Trade Commission. FN1 Compare Doe v. High-Tech Institute, 972 P.2d 1060, 1067 (Colo. App. 1998) with Smith v. Jack Eckerd Corp., 400 S.E.2d 99, 100 (N.C. App. 1991).

FN2 See, e.g., Morrow v. II Morrow Inc., 911 P.2d 964, 968 (Or. App. 1996).

FN3 15 U.S.C. 6501 et seq.

This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.

To view this content, please continue to their sites.

Not a Lexis Advance® Subscriber?
Subscribe Now

Not a Bloomberg Law Subscriber?
Subscribe Now

Why am I seeing this?

LexisNexis® and Bloomberg Law are third party online distributors of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® and Bloomberg Law customers are able to access and use ALM's content, including content from the National Law Journal, The American Lawyer, Legaltech News, The New York Law Journal, and Corporate Counsel, as well as other sources of legal information.

For questions call 1-877-256-2472 or contact us at [email protected]

Reprints & Licensing
Mentioned in a Law.com story?

License our industry-leading legal content to extend your thought leadership and build your brand.


ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.