Google is No Cookie Monster, says Delaware Federal Court

by BakerHostetler
Contact

In a decisive victory for Google and several co-defendants, a Delaware federal court dismissed the claims of a putative class of individuals who alleged that they were injured by Google’s practice of circumventing certain internet browsers’ cookie blocking software, thereby enabling Google to display targeted advertising. In re: Google Inc. Cookie Placement Consumer Privacy Litigation, MDL Civ. No. 12-2358-SLR, U.S. Dist. Ct., Dist. Of Del. (Oct. 9, 2013).

The plaintiffs alleged that Google circumvented anti-cookie software contained in Microsoft’s Internet Explorer and Apple’s Safari browsers. “Internet ‘cookies’ are used to track an individual’s activities and communications on a particular website and across the internet. Cookies are used in internet advertising to store website preferences, retain the contents of shopping carts between visits, and keep browsers logged into social networking services and webmail as individuals surf the internet.” As alleged by the plaintiffs, if a user of Internet Explorer or Safari was logged into a Google account, Google was better able to synchronize advertisements to the user’s personally identifiable information (PII), including information the user had provided to Google in signing up for its Google account.

Despite the plaintiffs’ argument that PII has a monetary value and is a commodity that companies trade and sell, the Delaware Court was not persuaded that any actual injury had been suffered. Finding a key element of Article III standing to be missing, the Court observed that “[d]istrict courts have been reluctant to equate loss of PII, without more, to injury in fact.” Allegations that the plaintiffs were deprived of some economic value solely because their PII was purportedly collected by a third party were insufficient, notwithstanding the plaintiffs’ demonstration that there is a market for such data. Importantly, the Court distinguished the situation in this case from one in which PII, coupled with financial information such as credit and debit card information, mailing, and billing addresses, was collected without authorization, potentially delineating a course for successfully pleading similar claims in the future.

In addition to finding that the plaintiffs lacked Article III injury, the Court noted that allegations of violation of statutes may in some cases create standing even absent injury in fact, and accordingly addressed each of the statutory violations asserted by the plaintiffs. As discussed further below, in each instance, statutory standing was similarly found lacking:

  • The Electronic Communications Privacy Act. Often referred to as the Wiretap Act, this federal law protects against the unauthorized intercept of the “contents” of electronic communications. The plaintiffs alleged that Google was in violation of the Wiretap Act because it intercepted information such as URLs and information that users filled in on other websites. The Court rejected this argument, holding that such information did not constitute the “contents” of electronic communications protected by the Wiretap Act. “While URLs may provide a description of the contents of a document, e.g., www.helpfordrunks.com, a URL is a location identifier and does not concern the substance, purport, or meaning of an electronic communication.” In addition, “[PII] that is automatically generated by the communication is not ‘contents’ for purposes of the Wiretap Act.”
  • The California Invasion of Privacy Act. The plaintiffs’ claim under this California law, similar to the Wiretap Act, failed for the same reasons at the Wiretap Act claim. In addition, the Court noted that Google would have received the inputted information, including the URL, regardless of the setting of the third-party cookies.”
  • The Stored Communications Act. This federal law makes it illegal to intentionally access without permission a “facility” through which an electronic communication service is provided (see 18 U.S.C. § 2701(a)). Declining to “fit a square peg (modern technology) into the proverbial round hole (the intent of Congress. . .)”, the Court held that an “individual’s computing device is not ‘a facility through which an electronic communication service is provided,’ as required under the SCA.”
  • The Computer Fraud and Abuse Act. Although primarily a criminal statute, this federal law provides a civil remedy to anyone who suffers damage or loss as a result of any impairment to the integrity or availability of data, a program, a system, or information (see 18 U.S.C., § 1030). However, the Court found that the plaintiffs had not alleged any injury to the performance or functionality of their computers, and noted that “[g]enerally, courts have rejected the contention that the unauthorized collection, use, or disclosure of personal information constitutes economic damages for the purpose of the CFAA.”
  • The California Computer Crime Law. This California law prohibits tampering, interference, damage, and unauthorized access to computer data and systems “without permission” and provides a civil remedy to one who suffers damage as a result.  Acting “without permission” has been interpreted to mean “accessing or using a computer, computer network, or website in a manner that overcomes technical or code-based barriers.” The Court conceded that Google exploited a standard Safari browser function by adding coding to ads. It held, however, that  although its actions may be objectionable, “Google did not access plaintiffs’ browsers by overcoming technical or code-based barriers.” Therefore, the plaintiffs did not meet the “without permission” requirement. The Court also found that in the absence of adequate allegations of injury, the plaintiffs also failed to the meet the “damage” requirement to trigger a civil remedy.
  • The California Constitution. The Court noted that an invasion of privacy could constitute a violation of the California Constitution, where plaintiffs show a legally protected privacy interest, a reasonable expectation of privacy, and a serious invasion of that privacy. Unsurprisingly, the Court found the actions of Google and its co-defendants to not rise to the requisite level of seriousness.
  • The California Unfair Competition Law. The Court found that the plaintiffs failed to carry the day under this statute, again due to their failure to adequately plead economic injury.
  • The California Consumers Legal Remedies Act. Relying on California precedent, the Court ruled that this California law, which prohibits unfair competition and deceptive trade practices in connection with the sale or lease of goods and services, does not apply to software.

Although the Court relied exclusively on other district court decisions with regard to its injury in fact ruling, the outcome here is consistent with the United States Supreme Court’s recent decision in Clapper v. Amnesty International, 568 U.S. ___ (2013) and data breach cases citing it, declining to find standing when only speculative injuries have been alleged.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BakerHostetler | Attorney Advertising

Written by:

BakerHostetler
Contact
more
less

BakerHostetler on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Privacy Policy (Updated: October 8, 2015):
hide

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.