This post was co-authored by Julian D. Perlman and is a joint submission with BakerHostetler’s Class Action Lawsuit Defense blog.
In a decisive victory for Google and several co-defendants, a Delaware federal court dismissed the claims of a putative class of individuals who alleged that they were injured by Google’s practice of circumventing certain internet browsers’ cookie blocking software, thereby enabling Google to display targeted advertising. In re: Google Inc. Cookie Placement Consumer Privacy Litigation, MDL Civ. No. 12-2358-SLR, U.S. Dist. Ct., Dist. Of Del. (Oct. 9, 2013).
The plaintiffs alleged that Google circumvented anti-cookie software contained in Microsoft’s Internet Explorer and Apple’s Safari browsers. “Internet ‘cookies’ are used to track an individual’s activities and communications on a particular website and across the internet. Cookies are used in internet advertising to store website preferences, retain the contents of shopping carts between visits, and keep browsers logged into social networking services and webmail as individuals surf the internet.” As alleged by the plaintiffs, if a user of Internet Explorer or Safari was logged into a Google account, Google was better able to synchronize advertisements to the user’s personally identifiable information (PII), including information the user had provided to Google in signing up for its Google account.
Despite the plaintiffs’ argument that PII has a monetary value and is a commodity that companies trade and sell, the Delaware Court was not persuaded that any actual injury had been suffered. Finding a key element of Article III standing to be missing, the Court observed that “[d]istrict courts have been reluctant to equate loss of PII, without more, to injury in fact.” Allegations that the plaintiffs were deprived of some economic value solely because their PII was purportedly collected by a third party were insufficient, notwithstanding the plaintiffs’ demonstration that there is a market for such data. Importantly, the Court distinguished the situation in this case from one in which PII, coupled with financial information such as credit and debit card information, mailing, and billing addresses, was collected without authorization, potentially delineating a course for successfully pleading similar claims in the future.
In addition to finding that the plaintiffs lacked Article III injury, the Court noted that allegations of violation of statutes may in some cases create standing even absent injury in fact, and accordingly addressed each of the statutory violations asserted by the plaintiffs. As discussed further below, in each instance, statutory standing was similarly found lacking:
- The Electronic Communications Privacy Act. Often referred to as the Wiretap Act, this federal law protects against the unauthorized intercept of the “contents” of electronic communications. The plaintiffs alleged that Google was in violation of the Wiretap Act because it intercepted information such as URLs and information that users filled in on other websites. The Court rejected this argument, holding that such information did not constitute the “contents” of electronic communications protected by the Wiretap Act. “While URLs may provide a description of the contents of a document, e.g., www.helpfordrunks.com, a URL is a location identifier and does not concern the substance, purport, or meaning of an electronic communication.” In addition, “[PII] that is automatically generated by the communication is not ‘contents’ for purposes of the Wiretap Act.”
- The California Invasion of Privacy Act. The plaintiffs’ claim under this California law, similar to the Wiretap Act, failed for the same reasons at the Wiretap Act claim. In addition, the Court noted that Google would have received the inputted information, including the URL, regardless of the setting of the third-party cookies.”
- The Stored Communications Act. This federal law makes it illegal to intentionally access without permission a “facility” through which an electronic communication service is provided (see 18 U.S.C. § 2701(a)). Declining to “fit a square peg (modern technology) into the proverbial round hole (the intent of Congress . . .)”, the Court held that an “individual’s computing device is not ‘a facility through which an electronic communication service is provided,’ as required under the SCA.”
- The Computer Fraud and Abuse Act. Although primarily a criminal statute, this federal law provides a civil remedy to anyone who suffers damage or loss as a result of any impairment to the integrity or availability of data, a program, a system, or information (see 18 U.S.C., § 1030). However, the Court found that the plaintiffs had not alleged any injury to the performance or functionality of their computers, and noted that “[g]enerally, courts have rejected the contention that the unauthorized collection, use, or disclosure of personal information constitutes economic damages for the purpose of the CFAA.”
- The California Computer Crime Law. This California law prohibits tampering, interference, damage, and unauthorized access to computer data and systems “without permission” and provides a civil remedy to one who suffers damage as a result. Acting “without permission” has been interpreted to mean “accessing or using a computer, computer network, or website in a manner that overcomes technical or code-based barriers.” The Court conceded that Google exploited a standard Safari browser function by adding coding to ads. It held, however, that although its actions may be objectionable, “Google did not access plaintiffs’ browsers by overcoming technical or code-based barriers.” Therefore, the plaintiffs did not meet the “without permission” requirement. The Court also found that in the absence of adequate allegations of injury, the plaintiffs also failed to the meet the “damage” requirement to trigger a civil remedy.
- The California Constitution. The Court noted that an invasion of privacy could constitute a violation of the California Constitution, where plaintiffs show a legally protected privacy interest, a reasonable expectation of privacy, and a serious invasion of that privacy. Unsurprisingly, the Court found the actions of Google and its co-defendants to not rise to the requisite level of seriousness.
- The California Unfair Competition Law. The Court found that the plaintiffs failed to carry the day under this statute, again due to their failure to adequately plead economic injury.
- The California Consumers Legal Remedies Act. Relying on California precedent, the Court ruled that this California law, which prohibits unfair competition and deceptive trade practices in connection with the sale or lease of goods and services, does not apply to software.
Although the Court relied exclusively on other district court decisions with regard to its injury in fact ruling, the outcome here is consistent with the United States Supreme Court’s recent decision in Clapper v. Amnesty International, 568 U.S. ___ (2013) and data breach cases citing it, declining to find standing when only speculative injuries have been alleged.