In Re DoubleClick Inc. Privacy Litigation
154 F. Supp. 2d 497 (20)
Premium Feature
Subscribe to Lexplug to listen to the Case Podcast.
Rule of Law:
The collection of user data via cookies for the purpose of targeted online advertising does not violate the Electronic Communications Privacy Act (ECPA), the Wiretap Act, or the Computer Fraud and Abuse Act (CFAA) when a party to the communication (the website) consents, the data collection is not for a criminal or tortious purpose, and the plaintiffs cannot demonstrate the requisite statutory minimum of economic loss.
Facts:
- DoubleClick, an internet advertising company, provided targeted advertising services to a network of over 11,000 affiliated websites.
- When a user visited one of these affiliated websites, DoubleClick placed a 'cookie' on the user's computer hard drive.
- This cookie assigned the user's computer a unique identification number and collected information about the user's activities on DoubleClick-affiliated websites, such as search queries and pages visited.
- DoubleClick used this collected data to create detailed demographic profiles of users, which were then used to deliver targeted banner advertisements to those users across its network.
- The process was invisible to the user, who would request a webpage from an affiliated site and receive it moments later with banner ads filled in by DoubleClick.
- DoubleClick acquired Abacus Direct Corp., a direct-marketing company with a large database of offline consumer information including names and addresses, and announced plans to combine its online profiles with Abacus's offline data.
- Following public concern and an FTC investigation, DoubleClick's CEO announced the company would not merge the online and offline databases until government and industry privacy standards were established.
Procedural Posture:
- Numerous individuals filed federal class action lawsuits against DoubleClick, Inc. in various federal district courts.
- The Judicial Panel on Multidistrict Litigation consolidated these related actions and transferred them to the U.S. District Court for the Southern District of New York for pretrial proceedings.
- The consolidated class of plaintiffs filed an Amended Complaint asserting three federal claims and four state law claims.
- Defendant DoubleClick, Inc. filed a motion to dismiss the three federal claims for failure to state a claim upon which relief can be granted, pursuant to Federal Rule of Civil Procedure 12(b)(6).
Premium Content
Subscribe to Lexplug to view the complete brief
You're viewing a preview with Rule of Law, Facts, and Procedural Posture
Issue:
Does an online advertising company's practice of using cookies to collect internet users' browsing data on affiliated websites for the purpose of serving targeted advertisements violate the Electronic Communications Privacy Act (ECPA), the Federal Wiretap Act, or the Computer Fraud and Abuse Act (CFAA)?
Opinions:
Majority - Buchwald, District Judge.
No, the advertising company's practices do not violate the specified federal statutes. The court found that DoubleClick's actions either fell outside the scope of the statutes or were covered by statutory exceptions. For the Electronic Communications Privacy Act (ECPA), Title II claim, the court held that DoubleClick's conduct was authorized under the § 2701(c)(2) exception. The affiliated websites are 'users' of the internet communication service and they authorized DoubleClick to access the communications (GET, POST, and GIF submissions) that were 'intended for' them. Furthermore, the cookie identification numbers stored on the plaintiffs' hard drives do not qualify as being in 'electronic storage' under the statute's definition, which is limited to temporary, intermediate storage incidental to transmission by a service provider. For the Wiretap Act claim, the court determined that DoubleClick's actions fell under the one-party consent exception in § 2511(2)(d), as the affiliated websites were parties to the communications and consented to the interception. The plaintiffs failed to show that the interception was for a 'criminal or tortious purpose.' The court distinguished between committing a tort and having a tortious purpose, finding DoubleClick's motivation was permissible commercial gain, not an intent to harm plaintiffs. For the Computer Fraud and Abuse Act (CFAA) claim, the plaintiffs failed to meet the statutory threshold of $5,000 in 'damage or loss' required for a civil action under § 1030(e)(8). The court concluded that 'loss' is subject to the same monetary threshold as 'damage' and that damages can only be aggregated for a single act of unauthorized access, not across a defendant's entire course of conduct. Plaintiffs failed to allege any cognizable economic damages, as remedial costs were zero and the value of their attention or demographic data is not a recognized economic loss under the CFAA.
Analysis:
This case was a landmark early decision that significantly shaped the legal landscape for online privacy and e-commerce. By narrowly interpreting federal computer crime and wiretapping statutes, the court provided substantial legal protection for the burgeoning online advertising industry's business model of tracking user behavior to deliver targeted ads. The decision established a high bar for plaintiffs in such cases, requiring them to show specific intent to harm or significant, quantifiable economic damage, which is difficult to prove in the context of data collection. This ruling effectively pushed the debate over online privacy from the courts to the legislature, highlighting that existing statutes were ill-equipped to address the novel privacy issues raised by internet technologies.
Unlock the full brief for In Re DoubleClick Inc. Privacy Litigation