By Katherine Gasztonyi
Last week, Judge Robinson of the District of Delaware dismissed a multi-district lawsuit claiming that Google, Vibrant Media, Media Innovation Group, and WPP violated federal privacy and computer security laws by allegedly circumventing browser privacy settings in order to track users online.
This lawsuit stems from a February 17, 2012, Wall Street Journal article describing these companies’ use of a loophole in Safari’s privacy settings to set third-party tracking cookies even where the browser had been configured to block such cookies. Lawsuits alleging violations of the federal Wiretap Act, Stored Communications Act, and Computer Fraud and Abuse Act (as well as various state laws) were filed in courts across the country, and ultimately were consolidated before Judge Robinson in Delaware.
Judge Robinson granted the defendants’ motions to dismiss all of the plaintiffs’ claims on the grounds that the plaintiffs had not adequately alleged standing to sue in federal court and, in any event, had failed to state a claim for relief under any of the statutes invoked in their complaint.
Lack of Article III Standing
To establish Article III standing—a prerequisite to bringing a private lawsuit in federal court—plaintiffs must allege “injury-in-fact.” The plaintiffs here alleged that their personal information had monetary value, and that the defendants had used cookies to collect that information without consent, thereby depriving the plaintiffs of value and causing them injury. In support of their position, Plaintiffs cited articles describing the cash value of personal information, including an article noting that a UK information broker had valued a “user’s data at $12 per year.”
The court was not persuaded, and held that the plaintiffs lacked Article III standing because they had not alleged facts showing that they had been injured. The court stressed that although the plaintiffs successfully alleged that their information had value, they had failed to sufficiently allege that their “ability to monetize” the information had been diminished by the defendants’ collection of it.
The court’s holding on standing is consistent with that of other district courts that have been reluctant to find injury where plaintiffs allege only the unauthorized collection, use, or disclosure of personal information.
Failure to State a Claim
Judge Robinson also considered whether the plaintiffs adequately alleged the elements of each of their individual claims, explaining that, in some circumstances, a sufficiently alleged statutory violation has the ability to confer standing even “in the absence of any actual injury.”
The Wiretap Act. The plaintiffs claimed that the defendants’ alleged circumvention of Safari’s privacy settings allowed them to “intercept” communications between the plaintiffs and the websites they visited in violation of the Wiretap Act. The information allegedly intercepted included URLs and information entered into online forms.
In response, the defendants argued that the information allegedly intercepted did not fall within the Wiretap Act’s prohibition because it did not include “content,” a statutory term meaning “information concerning the substance, purport, or meaning of [a] communication.” Google (but apparently not the other defendants) also argued that because users’ browsers communicated directly with Google’s servers, any alleged interception was permitted because Google was a party to the communication.
The court agreed that Google was “a plausible party to the communications” because plaintiffs’ browsers voluntarily transmitted the information to the company’s servicers. But because Google was alleged to have bypassed browser settings, allowing it later “to associate the plaintiffs’ data” and because “plaintiffs’ browsers sent different information in response to targeted advertising than would have been sent without the setting of third-party cookies,” the court declined to characterize Google as a party to the communications.
Nevertheless, the court dismissed the plaintiffs’ wiretap claims, holding that “personally identifiable information that is automatically generated by the communication” and URLs are not “contents” for the purposes of the Act.
The Stored Communications Act. Section 2701 of the Stored Communications Act (“SCA”) prohibits intentionally accessing a facility through which an electronic communication service is provided without authorization, and thereby obtaining authorized access to an electronic communication while it is in an electronic storage system.
The plaintiffs alleged that by circumventing browser settings and writing cookies to their computers without consent, the defendants had accessed without authorization a “facility” — i.e., the plaintiffs’ personal computers and devices.
Like a number of other courts that recently assessed similar claims, the court rejected the plaintiffs’ contention that a personal computer or device is a “facility” within the meaning of the SCA and dismissed the plaintiffs’ SCA claim.
Computer Fraud and Abuse Act. The Computer Fraud and Abuse Act (“CFAA”) provides a civil remedy to plaintiffs whose computers are accessed without (or in excess of authorization) and who suffer $5,000 dollars’ worth of “damage” or “loss” as a result. The court held that the plaintiffs had not alleged an impairment in the performance or functioning of their computers and therefore had not satisfied the CFAA’s requirement that a plaintiff allege damage or loss. This holding is in line with those of other courts in similar cases.
The complaint also included claims under California law, which were dismissed grounds similar to those discussed above.