Thank you for sharing!

Your article was successfully shared with the contacts you provided.
While many companies maintaining Web sites may be aware of the existence of proposed online privacy legislation that would govern the collection and use of certain types of information on Web site users, most are probably unaware of ongoing attempts to craft private Internet privacy causes of action out of existing federal criminal statutes directed to wiretapping and computer hacking as well as from common law claims such as trespass and invasion of privacy. The most recent decision in this area, In re Pharmatrak, Inc. Privacy Litigation, 220 F.Supp.2d 4 (D. Mass. 2002) (Tauro, J.), demonstrates that even Web site operators that do not sell products over the Internet face litigation risk from Internet privacy claims. Although they have not yet met with success, these types of Internet privacy claims are of concern because they are based in large part on the operation of the Internet itself, and therefore could have widespread and unanticipated application. Specifically, when an Internet user “visits” a Web site, he in fact sends a request to the host’s computer to download a Web page to the user’s own computer. That request may contain a variety of information, depending on the user’s own browser software and configuration, including information that could be “identifying” in some sense with respect to a person making the request. As a result, Web site operators may obtain a variety of data that may be argued to be “personal.” Internet privacy litigation concerning this process was first directed to those companies — primarily Internet advertisers — that used the data obtained on Web site usage to match “banner advertisements” to the presumed preferences of users. See In re Doubleclick Inc. Privacy Litigation, 154 F.Supp.2d 497 (S.D.N.Y. 2001) (Buchwald, J.), Chance v. Avenue A, Inc., 165 F.Supp.2d 1153 (W.D. Wash. 2001 (Coughenour, C.J.) In the Pharmatrak litigation, the same theories pursued against online advertisers were advanced against ordinary Web site operators. Pharmatrak provided reports to pharmaceutical companies showing the level of activity on their respective Web sites using aggregate data. Pharmatrak’s customers then found themselves defending against putative class action litigation seeking civil penalties based on asserted violations of three federal criminal statutes — the Federal Wiretap Act, 18 U.S.C. � 2510 et seq., the Stored Communications Act (Title II of the Electronic Communications Privacy Act) (SCA), 18 U.S.C. � 2701 et seq., and the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. � 1030 — on the ground that the operation of Pharmatrak’s software, including the use of “cookies” to distinguish among repeat and first time visitors, violated users’ privacy. The claims under these statutes, in the Pharmatrak case and the Internet advertiser cases, all relied upon unanticipated applications of the language of the statutes to typical interactions between computers on the Internet. First, under the Wiretap Act, which prohibits the interception (and disclosure) of the contents of oral, wire, or electronic communications without the consent of at least one of the parties to the communication ( see 18 U.S.C. � 2511), plaintiffs claimed that their “communications” — i.e., requests to access pages on Web sites — were unlawfully “intercepted” when “hits” were recorded. Under the statute, however, a proper defendant must be someone other than the intended recipient of the communication, (id), and courts uniformly have dismissed such claims on the basis of the consent of Web site operators. See Doubleclick, 154 F.Supp.2d at 519 (Doubleclick’s customers were parties to the communication and their consent to the alleged interceptions precluded claim); Avenue A, 165 F.Supp.2d at 1162 (Web site operators consented to Avenue A’s interception of the communication); Pharmatrak, 220 F.Supp.2d at 12 (pharmaceutical defendants consented to services of Web monitoring company). See also Crowley v. Cybersource Corp., 166 F.Supp.2d 1263, 1269 (N.D. Cal. 2001) (dismissing Wiretap Act claim where defendant “acted as no more than second party” to communication). Similarly, the SCA, another criminal statute aimed at computer hackers, provides a civil cause of action against one who gains unauthorized access to communications facilities and thereby obtains, alters, or prevents authorized access to stored electronic communications. See 18 U.S.C. � 2701. Internet privacy plaintiffs contend that by sending and reading “cookies,” Web site operators “gain unauthorized access” to plaintiffs’ computers, which they allege are “communications facilities.” The SCA provides an exception for conduct authorized by a person providing an electronic communications service or “a user of that service with respect to a communication of or intended for that user,” however. Id. at � 2701(c). As such, these claims typically have been dismissed on the basis of “authorized access” by the Web site operators. See Doubleclick, 154 F.Supp.2d at 508-09; Avenue A, 165 F.Supp.2d at 1162; Pharmatrak, 220 F.Supp.2d at 13. Finally, the CFAA creates a claim against persons who intentionally access a computer without authorization and obtain information from that computer. See 18 U.S.C. � 1030(a). As with the SCA, Internet privacy plaintiffs assert that the operation of Web tracking software itself demonstrated a violation of this statute. The CFAA limits any private right of action to persons who have suffered actual damage or loss satisfying a $5,000 threshold, however ( seeid. at � 1030(e), (g)), and no such harm has been demonstrated in Internet privacy cases. See Doubleclick, 154 F.Supp.2d at 525-26 (stating plaintiffs failed to state facts to support finding of economic loss in value of plaintiffs’ demographic information); Avenue A, 165 F.Supp.2d at 1160 (noting that, unlike illegal destruction of computer files or transmission of a computer virus, “the transmission of an Internet cookie is virtually without economic harm”); Pharmatrak, 220 F.Supp.2d at 15 (finding no evidence that plaintiffs incurred damage or loss over $5,000 for any single act of defendants). DESPITE WINS, RISKS STILL THERE Although the attempts in Pharmatrak and the Internet advertiser cases to pursue claims under these statutes were rejected by the courts ( see Doubleclick, 154 F.Supp.2d. at 526, Avenue A, 165 F.Supp.2d at 1163; Pharmatrak, 220 F.Supp.2d at 15), facing such litigation is both costly and potentially damaging to Web site operators’ reputations. Moreover, courts are reluctant to dismiss claims alleging that personal information has been improperly taken from Internet users without some discovery. In the Pharmatrak case, that reluctance translated into expensive discovery probing the dark recesses of Pharmatrak’s computer files to search for bits of “personal” data. While the defendants ultimately obtained summary judgment, it was not an inexpensive process. Web site operators can be expected to face continuing efforts to craft online privacy protection through litigation. While proposed legislation has been introduced in Congress concerning Internet privacy ( See, e.g., Online Personal Privacy Act, S. 2201, 107th Cong. (2002); Consumer Privacy Protection Act of 2002, H.R. 347, 107th Cong. (2001); Consumer Internet Privacy Enhancement Act, H.R. 237, 107th Cong. (2001)), only some of the legislation contemplates any private right of action, and only to a limited degree. See, e.g., Consumer Privacy Protection Act (expressly stating that it creates no private right of action); Online Personal Privacy Act (limited right of action concerning “sensitive” personally identifying information). As it becomes increasingly clear that courts will not accept Internet privacy causes of action based on existing federal legislation either, plaintiffs may focus on other avenues that most ikely will include renewed attention to common law claims such as trespass to chattels and invasion of privacy. These types of claims have been untested to date. With these risks in mind, Web site operators should act to protect themselves by making sure that they fully understand what information is intentionally or unintentionally collected in their Web logs or by any third party vendor used to service or monitor the Web site and by placing clear, detailed privacy disclosures on their Web sites describing that process. The federal claims pursued in Pharmatrak and the advertiser cases, based as they were on the technical operation of the Internet, did not depend on the presence or absence of a privacy policy addressing the challenged conduct, but common law claims such as invasion of privacy, which vary by state but often require a showing of an “unreasonable” invasion of the plaintiff’s privacy, would be much more difficult to assert in the face of clear disclosures. Diana Weiss is a litigation partner in the New York and Washington, D.C. offices of Orrick, Herrington & Sutcliffe (www.orrick.com), and Holly M. Dellenbaugh is a litigation associate in the firm’s New York office. Weiss and Dellenbaugh represented one of the defendants in the Pharmatrak litigation discussed in this article. If you are interested in submitting an article to law.com, please click here for our submission guidelines.

This content has been archived. It is available exclusively through our partner LexisNexis®.

To view this content, please continue to Lexis Advance®.

Not a Lexis Advance® Subscriber? Subscribe Now

Why am I seeing this?

LexisNexis® is now the exclusive third party online distributor of the broad collection of current and archived versions of ALM's legal news publications. LexisNexis® customers will be able to access and use ALM's content by subscribing to the LexisNexis® services via Lexis Advance®. This includes content from the National Law Journal®, The American Lawyer®, Law Technology News®, The New York Law Journal® and Corporate Counsel®, as well as ALM's other newspapers, directories, legal treatises, published and unpublished court opinions, and other sources of legal information.

ALM's content plays a significant role in your work and research, and now through this alliance LexisNexis® will bring you access to an even more comprehensive collection of legal content.

For questions call 1-877-256-2472 or contact us at [email protected]


ALM Legal Publication Newsletters

Sign Up Today and Never Miss Another Story.

As part of your digital membership, you can sign up for an unlimited number of a wide range of complimentary newsletters. Visit your My Account page to make your selections. Get the timely legal news and critical analysis you cannot afford to miss. Tailored just for you. In your inbox. Every day.

Copyright © 2020 ALM Media Properties, LLC. All Rights Reserved.