Cookies legal issues in the United States

Federal Statutes and the use of Cookies

The Computer Fraud and Abuse Act, officially named “Fraud and related Activity in Connection with Computers, 18 U.S.C. § 1030 (2000)” prohibits unauthorized access to government data, but section a(2)(c) states that “[w]hoever . . . intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer if the conduct involved an interstate or foreign communication” shall be punished by fine or imprisonment. In the Act, “Protected computer” is defined to “mean a computer exclusively for the use of a financial institution or the United States Government . . . which is used in interstate or foreign commerce.”

The Federal Wiretap Act, which officially was named “Wire and Electronic Communication Interception and Interception of Oral Communications, 18 U.S.C. §2511-22 (2000)”, states that “any person who intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication [or] intentionally discloses, or endeavors to disclose, to any other person the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subsection” shall be punished by fine or imprisonment.

There is an exception to the rule, however, stated in section 2(a)(ii)(D) which states that “[i]t shall not be unlawful under this chapter for a person not acting under color of law to intercept a wire, oral, or electronic communication where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception unless such communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.”

The Courts have held that as long as the intent of the defendant was not tortious or criminal, the Wiretap Act cannot be used to find liability.

The Electronic Communication Privacy Act, or “Stored Wire and Electronic Communications and Transactional Records Access, 18 U.S.C. § 2701-11 (2000)” states that “whoever intentionally accesses without authorization a facility, through which an electronic communication service is provided or intentionally exceeds an authorization to access that facility and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system shall be punished” by fine or imprisonment.

“In [DoubleClick], the court stated that this provision of the ECPA aims to prevent hackers from obtaining, altering or destroying certain stored electronic communications, such as those posted on electronic bulletin boards.( Citing Sherman & Co. v. Salton Maxim Housewares, Inc., 94 F. Supp. 2d 817, which was stated that”the ECPA was primarily designed to provide a cause of action against computer hackers”). Even if using cookies could be characterized in some sense as an unauthorized access, the statute makes no mention of individual computers.”

Section 2907 of the ECPA contained provisions of the Patriot Act that allow the Federal Bureau of Investigations (“FBI”) to issue a demand to produce customer records from internet service providers if the records relate to national security. This becomes relevant because a company’s privacy policy may or may not explain the fact that your “private” information may be surrendered to the government under this provision.

Case Law on Cookies

While the case law on cookies is very limited, the following cases give a look into how the courts have applied the federal statues to deal with internet cookies. These cases explore the applicability of the Electronic Communications Privacy Act (“ECPA”), the Federal Wiretap Act (“Wiretap Act”), and the Computer Fraud and Abuse Act (“CFAA”).

Regarding Third Party Cookie Collection, In Re DoubleClick, Inc. Privacy Litigation, 154 F. Supp. 2d 497 (S.D.N.Y. 2001), the plaintiff class claimed that DoubleClick violated several federal and state statutes when they placed cookies on hard drives of internet users, which were designed to collect and return information about the users. The plaintiffs alleged violations of the ECPA, the Wiretap Act, and the CFAA. All clams dismissed on technicalities.

About Primary Party Cookie Collection, in the case In Re Intuit Privacy Litigation, 138 F. Supp. 2d 1272 (C.D. Cal. 2001), the defendant (Intuit) was being litigated for directly placing cookies and gathering information from users on their website www.quicken.com. The class action lawsuit similarly alleged violations of the ECPA, the Wiretap Act, and the CFAA. The ECPA claim was not dismissed at summary judgment as court felt that the ECPA “generally prohibited the unauthorized access of electronic data and did not apply exclusively to third parties.”

In Chance v. Avenue A, Inc., 165 F. Supp. 2d 1153 (W.D. Wash. 2001), Avenue A, Inc was an internet advertising firm that placed cookies on internet user’s hard drives. In turn, the cookies then gathered information and used the information to create targeted advertisements on banner ads. Additionally, Avenue A also acted as a “subcontractor” for DoubleClick and essentially performed the functions that DoubleClick would normally undertake for DoubleClick’s customers. Again the same three federal statues were brought forth to assert liability, the ECPA, the Wiretap Act, and the CFAA. The court removed the collection of information with cookies from the reach of the Wiretap Act, due to the requirement that the “primary motivation” be tortious or criminal action for liability under the act.

Relating to Detailed Information Gathering, the case In Re Pharmatrak, Inc. Privacy Litigation, 292 F. Supp. 2d 263 (D. Mass. 2002) was about a company (Pharmatrak) that compiled information about pharmaceutical website users and compiled the information to create elaborate databases of information on individuals that included medical conditions, occupations and insurance information. Again, an angry group of internet users brought a class action in federal court in Massachusetts citing the same federal statues, the ECPA, the Wiretap Act and the CFAA. The court refused to narrow the scope of the defendant’s permission and dismissed all three claims.