Tracking Internet User History Does Not Violate Federal Law – Google’s Disregard Of Its Own Cookie Blocker Policy

A class action suit against Google Inc. asserted that Google’s Internet tracking, carried out while Google told its users that ad network tracking cookies were blocked, violated the federal Wiretap Act 18 USC Section 2510, the Stored Communications Act 18 USC Section 2710 and the Computer Fraud and Abuse Act 18 USC Section 1030. The Third Circuit Court of Appeals disagreed and held that, notwithstanding Google’s representations to its users that third-party Internet history tracking cookies would be blocked (or disabled), Google did not violate the Wiretap Act, the Stored Communications Act (SCA) or the Computer Fraud and Abuse Act (CFAA). In Re Google Inc Cookie Placement Consumer Privacy Litigation, Case No. 13-4300 (3rd Cir. Nov. 11, 2015). Although California state claims survived, the federal claims were dismissed.

The Third Circuit Court of Appeals discussed Google’s announced policy that it would honor cookie blocking programs on its users’ Internet browsers when, in fact, Google effectively disabled those cookie blocking programs on users’ browsers and, as a result, the Google browser permitted the transmission of user Internet history to third-party advertising networks. The Court of Appeals decision discusses how advertising content from third-party ad network servers is delivered to a user’s webpage when a user employs a browser to locate various websites on the Internet. Importantly, these third-party ad networks deploy third-party cookies, which are placed on a user’s computer and enable the ad networks to track and monitor substantially all of an individual user’s web activity over multiple websites over a considerable amount of time. This gathering of Internet tracking history creates a detailed profile of the user. Once a third-party cookie is placed in the browser of a user, the ad network can track the behavior of the user for an unlimited period of time. The purpose of Internet tracking is to serve up ads relevant to the user’s interests in order to spur sales of advertised products.

Many leading web browsers, including the one provided by Google, have built-in features designed to prevent installation of cookies by third-party ad servers. These are called cookie blockers. Microsoft has an opt-in cookie blocker. Apple’s Safari has an opt-out cookie blocker. Google’s privacy policy explains that most browsers are initially set up to accept cookies and that you can reset your browser to refuse all cookies or to indicate when a cookie is being sent. However, Google enabled third-party ad networks to track a user’s Internet activity by generating automatic letters which would disable the user’s cookie blockers. After an online report identified this deliberate disablement of cookie blocker software, this consumer class action suit was filed.

The suit alleged violations of the federal Wiretap Act, the Stored Communications Act and the Computer Fraud and Abuse Act and various state law claims.

The Appeals Court addressed whether any of the plaintiffs lacked standing. “A core requirement of standing is that the plaintiff have suffered an injury in fact. The defendants contend that the plaintiffs failed to demonstrate injury in fact because they make insufficient allegations of pecuniary harm.” However, the Appeals Court said that the standard does not demand that a plaintiff suffer any particular type of harm. The plaintiff need not show actual monetary loss. Standing is conferred and “may exist solely by virtue of statutes creating legal rights… the invasion of which creates standing.” For example, in Doe v. Chao, 540 US 614, 641 (2004), Doe was found to have standing to sue when he was greatly concerned and worried because of the disclosure of his Social Security number.

For various reasons, the Appeals Court dismissed the Wiretap Act, the Stored Communications Act and the Computer Fraud and Abuse Act violations.

Regarding the wiretap claims, a plaintiff must show that the defendant acted intentionally, that he intercepted, endeavored to intercept or procured another person to intercept or endeavored to intercept, the contents of an electronic communication of the plaintiff by using a device. Further, there is a statutory exemption in the Wiretap Act which states that no cause of action will lie against a private person “where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception”.

The District Court dismissed the Wiretap Act claim under the theory that the acquisition of a user’s Internet history is not the acquisition of “content”. The Appeals Court found that, although in some instances parts of a URL from the browser history represent a routing function (not covered by the Wiretap Act because capturing routing data is similar to the use of a pen register, which is legal), other parts of the URL provide further details from the browser history that do show content and give meaning to the communication. The court found that the browser history includes both content and routing information. Further, the post-domain-name portions of the URL communicate specific website content viewed by the user. Therefore, content was obtained under the Wiretap Act.

However, the court then addressed whether the third-party ad networks became a party to the communications. The operative allegations in the complaint, which the court was required to accept as being true, support only the conclusion that the defendants acquired the plaintiffs’ Internet history information by way of a GET request that the plaintiffs directly sent to the ad network defendants. The defendants deployed identifier cookies that were embedded in and received with the GET request, and thus obtained Internet history tracking information. Because the defendants were the intended recipients of the GET request, the defendants did nothing unlawful under the Wiretap Act. In other words, since the defendants were the intended recipients of the communications, such violations were excluded by the Act.

Regarding the Stored Communications Act, to state a claim under the Act, a plaintiff must show that the defendant intentionally accessed without authorization a facility through which an electronic communication service is provided, or that the defendant intentionally exceeded an authorization to access that facility, and, as a result, obtained, altered or prevented authorized access to a wire or electronic communication while it is in electronic storage in such system. The District Court held that there was no facility through which an electronic communication service was provided. The Appeals Court agreed. Further, the Appeals Court relied upon the Fifth Circuit Court of Appeals decision in Garcia v. City of Laredo, 702 F3d at 793.

Also, the Stored Communications Act does not apply with respect to conduct authorized by the person or entity providing a wire or electronic communication service. The plaintiffs argued that the terms “facility” and “electronic communication service” were sufficiently flexible to encompass personal computing devices. However, the Appeals Court disagreed with such a broad reading of the statute.

Regarding the Computer Fraud and Abuse Act, that Act creates a cause of action for persons who suffer damage or loss because a third party intentionally accesses a computer without authorization or exceeds authorized access and thereby obtains information from a protected computer. The District Court dismissed this claim because the plaintiffs did not meet the statutory requirement of damage or loss. Under the CFAA, the term “damage” means any impairment to the integrity or availability of data, a program, a system or information. The term “loss” means any reasonable cost to the victim, including responding to the offense, conducting a damage assessment and restoring the program or information, as well as any revenue loss and consequential damages.

Plaintiffs contended that defendants seized personal identifying information (PII), which is both a currency and a marketable commodity. However, the complaint did not allege facts showing that the plaintiffs ever participated in or intended to participate in a market for PII. Also, the complaint did not indicate that the plaintiffs sought to monetize PII. Therefore, the Appeals Court dismissed the CFAA claims.
