A Washington federal district court has dismissed with prejudice class action claims against Amazon alleging that the company’s use of cookies to track consumers’ personal data violated the Consumer Fraud and Abuse Act (CFAA), and has requested further briefing on a claimed violation of the Washington Consumer Protection Act (WCPA). (Del Vecchio v. Amazon). This decision highlights how important it is for website operators to clearly and conspicuously disclose how they use cookies, while raising the question of who should profit from invisible traffic in information that takes place whenever we activate our web browser.
Cookies are small units of code that website operators can send to Internet browsers accessing their sites. While cookies may be set to delete when a browsing session terminates, many cookies remain stored on a user’s browser. Each subsequent time that this browser uploads a webpage on the site, the operator can access data stored in those cookies to customize webpages based on the user’s browsing activities. The most controversial cookies are those that track a user’s activity across the Internet. The European Union has enacted regulations requiring website operators to more fully disclose how websites deploy cookies, and to give users more control over the cookies placed on the browsers. The FTC has issued a white paper calling on industry to adopt similar disclosure practices in the United States.
In Del Vecchio, the plaintiffs complained that Amazon placed cookies on their hard drives against their wishes, even after users had attempted to block cookies with their browser setting. Under the CFAA, a plaintiff can state a civil cause of action where a defendant intentionally accesses a computer without authorization, but only if such conduct causes the plaintiff loss or damages of at least $5,000 over a one-year period. In arguing that they met the damages threshold, the Del Vecchio plaintiffs claimed that Amazon derived substantial financial gain through its use of cookies to gather the plaintiffs’ personal information. Conversely, plaintiffs claimed that they lost the opportunity to realize such gain.
Assuming the factual allegations of the complaint to be true for the purposes of the motion, the court acknowledged that, in theory, a plaintiff’s lost opportunity to sell his computer usage data to marketers could constitute a monetary loss that satisfies the $5,000 damage threshold of the CFAA. But here, the court found that the plaintiffs’ claims were entirely speculative because they did not allege facts showing that they had the capacity or opportunity to independently monetize their raw computer usage information. As a result, the court granted Amazon’s motion to dismiss for the plaintiffs’ failure to state a claim under the CFAA.
The court further found that the plaintiffs still might have a viable claim under Washington’s Consumer Protection Act (the “WCPA”). The WCPA requires a showing of injury, but, unlike the CFAA, does not require a plaintiff to demonstrate monetary damages in order to satisfy the requirement. In this case, the court stated that in order to allege an injury, the plaintiffs would need to demonstrate that Amazon accessed their computers or their information without authorization.
The court noted that Amazon’s “Conditions of Use and Privacy Notice” notifies visitors to Amazon sites that the company uses cookies and that the terms state that the plaintiffs’ use of Amazon was conditioned on their acceptance of those very terms. The court asked the parties to file additional briefings on the issues of: (1) whether plaintiffs had authorized Amazon’s use of cookies and (2) whether Amazon’s conduct was unfair or deceptive in light of Amazon’s terms.
In light of the Del Vecchio decision, the recent EU cookie regulation, and concerns raised by the FTC regarding cookies, website operators should re-evaluate the manner in which they disclose cookies deployed on their website and obtain consent from users for placing these cookies on users’ browsers. While it appears that the CFAA is not available as a vehicle for privacy class action claims, privacy class action attorneys are continuing to look for other legal bases for such claims, such as the WCDA. Increased regulatory scrutiny of cookie practices is likely to further stir such litigation.
But the Del Vecchio decision also issues a challenge for privacy advocates looking to protect consumer web browsing practices. Under the holding in Del Vecchio, if consumers could sell their web usage information to marketers, then they could invoke the CFAA to prevent third parties from deploying cookies to take this web usage information without their consent. Rather than more class actions, consumers may be better served by the development of marketplaces where they can sell their web usage information for marketing purposes, rather than giving it away to the websites they access.
