In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (S.D.N.Y. 2001)[1] ("DoubleClick"), had Internet users initiate proceedings against DoubleClick, alleging that DoubleClick's placement of web cookies on computer hard drives of Internet users who accessed DoubleClick-affiliated web sites constituted violations of three federal laws: The Stored Communications Act, the Wiretap Statute and the Computer Fraud and Abuse Act.
In re DoubleClick Inc. Privacy Litigation | |
---|---|
Court | United States District Court for the Southern District of New York |
Decided | Mar. 28, 2001 |
Docket nos. | 1:00-cv-00641 |
Citation | 154 F. Supp. 2d 497 |
Case history | |
Subsequent actions | Complaint dismissed and judgment entered by In re DoubleClick Inc. Privacy Litig., No. 1:00-cv-00641, 2002 U.S. Dist. LEXIS 27099 (S.D.N.Y. May 23, 2002). |
Holding | |
DoubleClick's placement of web browser cookies on computer hard drives of internet users who accessed DoubleClick-affiliated web sites did not violate the Stored Communications Act, the Wiretap Statute or the Computer Fraud and Abuse Act. | |
Court membership | |
Judge sitting | Naomi Reice Buchwald |
Keywords | |
Computer Fraud and Abuse Act, Privacy law, Stored Communications Act, Wiretap Statute |
The court held that DoubleClick was not liable under any of the three federal laws because it fell within the consent exceptions under the Stored Communications Act and the Wiretap Statute. DoubleClick was not excluded from the consent exception of the Wiretap Statute because it did not intercept the communications for criminal or tortious purposes. DoubleClick was also not liable under the Computer Fraud and Abuse Act because the plaintiffs had failed to meet the statutory threshold of $5,000 in losses. The court established that damages under the Computer Fraud and Abuse Act may only be aggregated for the unauthorized access of each cookie.
Facts
editDoubleClick engaged in behavioral targeting and placed a cookie on each user's computer hard drive when the user accessed DoubleClick-affiliated web sites. DoubleClick was then able to track the users' web surfing activities and build user profiles for the purposes of delivering targeted advertisements. DoubleClick's server identifies the user's profile by the cookie identification number and presents the user with advertisements tailored to the user's interest. The plaintiffs claimed that DoubleClick's obtaining of user information stored in the web cookies constituted unauthorized access and interception of their electronic communications with the web sites they were accessing.
Stored Communications Act Claim
editThe Stored Communications Act, 18 U.S.C. § 2701, proscribes the intentional unauthorized access of electronic communication while it is in electronic storage.[2] The consent exception within the Stored Communications Act excludes the interception of communications between users and web sites by DoubleClick.[3]
The court in assessing DoubleClick's relationship with its affiliated web sites held that the web sites had engaged DoubleClick for the precise purpose of delivering targeted advertisements. DoubleClick is only able to provide tailored advertising to specific users by gathering user information and tracking users’ online activities based on the web sites' agreement to actively notify DoubleClick when users accessed the site, namely, through the use of cookies. Thus, the web sites had effectively consented to DoubleClick's interception of users' communications with the web sites. This is despite web sites' failure to understand the technology used by DoubleClick in the provision of targeted advertising.
The court held that the long term residence of DoubleClick's cookies on users hard drives excludes the cookies from the definition of "electronic storage" which connotes temporary and transitory storage.[3] Cookies’ identification numbers, which are sent from users' computers, also do not fall within the confines of "electronic storage" and the Stored Communications Act. DoubleClick could not be held liable for accessing the cookies or cookie identification numbers.
The court in DoubleClick further held that even if cookies' identification numbers were assumed to be "electronic communication[s] . . . in electronic storage," DoubleClick's access is still authorized because the Stored Communications Act exempts conduct which is authorized by a user of the service with respect to a communication of or intended for that user. The cookies' identification numbers are internal to DoubleClick communications and are both "of" and "intended for" DoubleClick.
"DoubleClick creates the cookies, assigns them identification numbers, and places them on plaintiffs' hard drives. The cookies and their identification numbers are vital to DoubleClick and meaningless to anyone else. In contrast, virtually all plaintiffs are unaware that the cookies exist, that these cookies have identification numbers, that DoubleClick accesses these identification numbers and that these numbers are critical to DoubleClick's operations."[1]
Wiretap Statute Claim
editThe Wiretap Statute, 18 U.S.C. § 2511, restrains the intention or endeavour to intercept any electronic communication or the procurement of any other person to do so.[4]
The court applied its analysis under the Stored Communications Act to determine DoubleClick’s liability under the Wiretap Statute, relying on the similar attributes of both statutes. Based on the presumption that DoubleClick falls within the ambit of the Wiretap Statute, the court proceeded to determine whether DoubleClick was excluded from liability by virtue of the consent exception under the Wiretap Statute. The court held that DoubleClick was exempt from liability for intercepting the communications under the Wiretap Statute because the web sites, being one of the parties to the electronic communication with the users, had given DoubleClick prior consent to the interception. The court held that the consent exception remains valid as the communication was not intercepted for the purpose of committing any criminal or tortious act.
Computer Fraud and Abuse Act Claim
editThe Computer Fraud and Abuse Act, 18 U.S.C. § 1030, prohibits the intentional access of a protected computer to obtain information without authorization which causes at least $5,000 damage or loss resulting from a single unauthorized access.[5] 18 U.S.C. § 1030(a)(5)(A) proscribes the intentional and unauthorized causing of damage to a protected computer resulting from knowingly causing the transmission of a program, information, code, or command.
The plaintiffs sought damages for the loss caused accruing from the unauthorized access of their computers and the misappropriation of information by DoubleClick. DoubleClick did not dispute that plaintiffs' computers were protected under the Computer Fraud and Abuse Act or that its access was unauthorized. The court stated that damages and losses under the Computer Fraud and Abuse Act may only be aggregated across victims and over time for a single act. Since each access of a cookie on users' computers constitutes a single and separate act of unauthorized access, damages and losses may only be aggregated for each cookie and cannot be aggregated across multiple computers. The court dismissed the plaintiffs' claim under the Computer Fraud and Abuse Act on the grounds that the damage caused by each cookie did not meet the statutory threshold of $5,000.
Plaintiffs' alleged emotional distress due to DoubleClick’s invasion of their privacy, trespass to their personal property, and misappropriation of confidential data was not actionable under the Computer Fraud and Abuse Act which only authorized the recovery of economic losses. The court denied the plaintiffs' claim that the alleged damage to the value of their individual demographic information, arising from DoubleClick's collection of user information, constitutes compensable economic loss. The court noted that while demographic information was valuable, its collection did not represent economic loss.
DoubleClick Settlement
editDoubleClick eventually entered into a settlement agreement with the plaintiffs. Under the settlement's terms, DoubleClick was required to explain its privacy policy in "easy-to-read" language; conduct a public information campaign consisting of 300 million banner ads inviting consumers to learn more about protecting their privacy; and institute data purging and opt-in procedures among other requirements.[6]
References
edit- ^ a b In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (S.D.N.Y. 2001).
- ^ The Stored Communications Act 18 U.S.C. § 2701
- ^ a b 18 U.S.C. § 2510
- ^ The Wiretap Statute 18 U.S.C. § 2511
- ^ The Computer Fraud and Abuse Act 18 U.S.C. § 1030
- ^ In re DoubleClick Inc. Privacy Litigation, Settlement Agreement (2002).