As the FTC is evaluating its Dot Com Disclosures guidelines and Congress considers Do Not Track legislation, the debate over regulation of online advertising has intensified.  On one side, opponents of new legislation explain how online advertising subsidizes many of the free services Internet users enjoy and point to studies showing that Internet advertising contributes billions of dollars to the economy.  The online advertising industry continues to advocate for the use of self-regulatory efforts instead of inflexible regulations that could stifle innovation.  On the other side, privacy advocates are seeking clearer disclosures of privacy practices and demanding that businesses not use technology to circumvent actions taken by consumers to protect their privacy.  Privacy advocates point to research raising concerns about tracking technology, including Flash cookies, cookie “respawning,” and ETags.  As this debate continues, consumers continue to file potential class actions seeking damages allegedly caused by the use of tracking technology using claims of invasion of privacy, trespass to chattels, and violations of the Electronic Communications Privacy Act (“ECPA”) and Computer Fraud and Abuse Act (“CFAA”). 

Below is a summary of recent tracking litigation.  Although the plaintiffs bringing these claims have generally been unsuccessful, advertisers have undoubtedly considered the cost of defending these lawsuits when evaluating their current practices and deciding on whether to adopt new ones.  In a related post next week, we will address issues raised in the public comments submitted to the FTC regarding its plans to update its Dot Com Disclosures guidelines.   

  • On August 1, two California residents filed a potential class action against KISSmetrics and websites operators, including Hulu, Spotify, and Spokeo, related to their use of ETag technology provided by  KISSmetrics.  The plaintiffs claim KISSmetrics Etag technology continues to track consumers even after they delete cookies from their computers.  To support their ECPA, trespass, and California state law claims, the plaintiffs contend that their personal information is a personal asset to which online third parties have no presumptive right of access, and that the loss of such information lessened the economic value of their information, reduced the performance of their computers, and violated their privacy rights.  (Kim v. Space Pencil, Inc. et al., N.D. Cal., No. 3:11-cv-03796). 
  • Insurers of internet marketer NebuAd Inc. agreed to pay $2.4 million to settle a potential consumer class action over NebuAd’s alleged use of deep packet inspection in conjunction data provided by ISPs to deliver online behavioral advertising.  (Valentine v. NebuAd Inc., N.D. Cal., No. 3:08-cv-5113, Aug. 16 proposed settlement agreement filed). 
  • The ISPs who worked with NebuAd were pursued in separate suits.  The ISPs were successful in challenging the claims on the basis of standing, lack of harm, and consent.  For example, in one action that followed a similar path as the others, after the consumer’s Computer Fraud & Abuse Act (“CFAA”), invasion of privacy, and trespass to chattels claims were dismissed, the ECPA claim against the ISP was dismissed because the court found that the ISP did not have access to the consumer’s communications.  The court also found that, even if improper interception of communications had occurred, the consumer consented to the interception because the ISP disclosed that it would use “the websites you visit or online searches that you conduct to deliver or facilitate the delivery of targeted advertisements” in its privacy policy followed by an opt-out link.  (Kirch v. Embarq, 10-2047-JAR (D. Kan. Aug. 19, 2011).
  • Interclick, an advertising network company that purchases ad display space on websites for its customers, and four of its customers (McDonald’s, CBS, Mazda, and Microsoft) were sued by a consumer for allegedly violating the CFAA, invading her privacy, and misappropriating personal information through the use of “flash cookies” that “respawned” browser cookies she deleted and “history sniffing” to see other websites she visited.  On August 17, 2011, the court dismissed the CFAA claims because the unquantified alleged harm (repairs to her computer, collection of personal information without her permission, and slowing her network) failed to meet the CFAA’s $5,000 minimum statutory threshold.  All claims against Interclick’s customers were dismissed, with the court noting that there were no allegations directed to them.  The court did permit the plaintiff to continue with a state law deceptive trade practices claim and a trespass to chattels claim.           
  • A potential class action was filed against online data tracking service comScore, Inc. in Illinois federal court based on allegations of siphoning confidential information, including passwords, credit card numbers and Social Security numbers, from unsuspecting users through comScore software that scans all files on users’ personal computers and modifies security settings. (Dunstan, et al. v. comScore Inc, case no. 11-cv-5807 (N.D. Ill. Aug.23, 2011)).