In Re DoubleClick, Inc. Privacy Litigation, 154 F. Supp. 2d 497

In Re DoubleClick, Inc. Privacy Litigation, 154 F. Supp. 2d 497 (S.D.N.Y. 2001) in the United States

This is a Third Party Cookie Collection case. See Cookies legal issues.

Background of In Re DoubleClick, Inc. Privacy Litigation

This case was a multidistrict consolidated class action. DoubleClick, a Delaware corporation, was the largest provider of Internet advertising products and services in the world. DoubleClick specialized in collecting, compiling and analyzing information about Internet users through proprietary technologies and techniques, and using it to target online advertising. The DoubleClick cookies captured certain parts of the communications that users send to DoubleClick-affiliated Web sites. They collected this information in three ways: (1) “GET” submissions, (2) “POST” submissions, and (3) “GIF” submissions.

It was held that “Internet Access” is the relevant electronic communications service. And Web Sites are “users” under the ECPA. Because the ECPA defines a “user” as “any person or entity who (A) uses an electronic communication service; and (B) is duly authorized by the provider of such service to engage in such use.

While existing case law provides very limited guidance on the limits of privacy rights with internet cookies, this body of available case law does show where cookies fit within the federal statutory framework. The first and perhaps most significant case to address cookies began in 2001 with a group of frustrated internet users who brought a class action lawsuit against DoubleClick, Inc. in the federal court in the Southern District of New York.

The plaintiff class claimed that DoubleClick violated several federal and state statutes when they placed cookies on hard drives of internet users, which were designed to collect and return information about the users. The federal claims included violations of the Electronic Communications Privacy Act (“ECPA”)[i], the Federal Wiretap Act (“Wiretap Act”)[ii], and the Computer Fraud and Abuse Act (“CFAA”)[iii].

The claim under the ECPA was dismissed for a few essentially minor reasons. First, the court held that data collected through cookies fell under an exception found in the legislative history of the statute, regardless of the statute’s stated purpose of “prevent[ing] hackers from obtaining, altering or destroying certain stored electronic communications.”[iv] Additionally, the court felt that the communications between the users and the website that were affiliated with DoubleClick were “intended for” the websites, and that info sent directly to DoubleClick did not violate the ECPA because of the language of the statute specifically targeted “electronic storage.” The court felt that cookies did not fit within the definition of “electronic storage.”[v] Thus, it appears that this court believes that the ECPA does not apply to internet cookies.[vi]

Similarly, the court held that the Wiretap Act was also a dead end for the class of internet users. The court found that the information was not “intercepted” by DoubleClick, but rather was lawfully obtained by the company from their partner sites. Essentially, the court found that DoubleClick had received consent to obtain the information. The Wiretap Act, however, does have important implications in future lawsuits because a company that breaches the statute could be held criminally or civilly liable if the information obtained “is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or any State.” Thus, any minor criminal or tortious act that a company was found liable could easily be compounded into additional liability under the Wiretap Act.

While the CFAA attaches liability to anyone who “intentionally accesses a computer without authorization, or exceeds authorized access, and thereby obtains . . . information from any protected computer if the conduct involved an interstate or foreign communication,” the court also dismissed this claim because a claim under the CFAA must allege at least $5000 in damages over the period of one year.

Since all the federal claims were dismissed, the court declined to address the state common law claims of trespass, unjust enrichment and invasion of privacy.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *