By: Benjamin McCarty

Today it is difficult to visit a website and not notice the presence of multiple advertisements, or “ads,” all of which seem to know your shopping habits better than you do. This process of third party advertisers delivering content to webpage visitors’ browsers is highly technical, and it involves a number of communications between the browser, the website’s server, and the advertiser’s server.[1] Advertisers are able to send various ads to different Internet users by paying for unused webpage space and targeting specific users by compiling their Internet histories.[2] These third party advertisers place “cookies” on users’ computers each time they visit a certain website on which the advertiser has placed an ad.[3] Advertisers can use this data to individualize your advertisement experience and display ads you would likely be interested in.[4]

Web browsers such as Microsoft’s Internet Explorer and Apple’s Safari purport to have designed built-in features that prevent the placement of cookies.[5] However, Stanford graduate student, Jonathan Mayer, published an online report in February 2012 observing that browsers were surreptitiously exploiting loopholes in their cookie blockers.[6] Google, in particular, used code to command users’ web browsers to automatically send a hidden form when users visited websites that contained its ads.[7] As a result, several lawsuits were consolidated and filed in the District of Delaware; they were dismissed for lack of standing and failure to state a claim.[8] On appeal, the Third Circuit reviewed the plaintiffs’ federal Wiretap Act (“Act”) claim and noted a number of courts now consider URLs as “content,” observing that “[some] URL[s], unlike an IP address, identif[y] the particular document within a website that a person views and thus reveal[] much more information about the person’s [i]nternet activity.”[9] The Court concluded the alleged scheme by which plaintiff web browsers tracked Internet usage involved the collection of at least some “content” within the meaning of the Act.[10] However, the dismissal of the plaintiffs’ Act claim was still affirmed, as the Act did not make it unlawful for a person to intercept an electronic communication if that person is a party to the communication.[11] In the Court’s view, the plaintiffs’ web browsers sent cookie requests directly to the defendants’ servers, and the defendants were thus naturally a party to the communication.[12]

The Court affirmed the remaining federal claims regarding violation of the Stored Communication Act and the Computer Fraud and Abuse Act.[13] The Court vacated the alleged privacy claims under California’s Constitution and tort law, however, noting Google’s actions could constitute the serious invasion of privacy required by these laws.[14] The Court observed how Google accomplished its tracking by overriding plaintiffs’ cookie blockers and noting that Google carried out this practice on millions of Internet users.[15] The Court remanded this claim, noting that a reasonable jury might conclude the means by which Google accomplished its tracking constituted a serious invasion of privacy.[16]

This case serves as a warning to web browsers and third party companies, as they may need to alter the “cookie” mechanisms by which they acquire Internet user data because the Third Circuit’s ruling may implicate further lawsuits involving violations of state privacy statutes. On the other hand, it is important to note that the dismissal of all of the plaintiffs’ federal claims was affirmed; federal statutes such as the Computer Fraud and Abuse Act and the Stored Communication Act are decades old, and this may implicate a trend among judges not to allow for wide interpretrations of outdated statutory language. This could also mean that future plaintiffs involved in “cookie” litigation will find it difficult to bring successful federal claims because of the antiquated nature of current privacy law. It will also be tough for plaintiffs as companies will inevitably continue to seek innovative ways to circumvent cookie blockers and capitalize on Internet users’ data.

[1] See In re Google Inc. Cookie Placement Consumer Privacy Litig., No. 13-4300, 2015 WL 6875340, at *5 (3d Cir. Nov. 10, 2015).

[2] See id. at *6.

[3] See id.

[4] See id. at *7.

[5] See id. at *8.

[6] See id. at *9.

[7] Id.

[8] Id.

[9] See generally 18 U.S.C. § 2510 (1986). See also id. at *23 (citing United States v. Forrester, 512 F.3d 500, 510 n.6 (9th Cir. 2008)).

[10] See In re Google Inc., 2015 WL 6875340, at *27.

[11] See § 2511(2)(d). See also id. at *28.

[12] See id. at *30, 34.

[13] See generally 18 U.S.C. § 2701 (1986); 18 U.S.C. § 1030 (1986). See also id. at *48, 50.

[14] See id. at *53-56.

[15] See id.

[16] See id. at *60.

Share this post