In Re Pharmatrak, Inc. Privacy Litigation

Rule of Law:

The Electronic Communications Privacy Act (ECPA) prohibits the intentional interception of electronic communications without actual consent, which cannot be casually inferred and requires clear knowledge and agreement to the specific scope of interception. Interception includes the contemporaneous acquisition of communication content, even if by an automatic routing program that duplicates data to a third party.

Facts:

• From approximately June 1998 to November 2000, Pharmatrak, Inc. provided its "NETcompare" service to pharmaceutical companies, including American Home Products, Pharmacia, SmithKline Beecham, Pfizer, and Novartis.
• Pharmatrak marketed NETcompare as a tool for intra-industry comparison of website traffic and usage, repeatedly assuring clients that it would not collect personally identifiable information from website users.
• Some pharmaceutical clients explicitly conditioned their contracts for NETcompare on Pharmatrak's guarantee that no personally identifiable information would be collected.
• Pharmatrak's service operated by clients embedding HTML code on their webpages, which caused users' computers to contact Pharmatrak's web server, retrieve a "clear GIF" (web bug), and place or access a "persistent cookie" containing a unique alphanumeric identifier.
• NETcompare was designed to record URLs visited and track users across client sites; however, it also collected full URLs, including query strings (using the "get" method), which sometimes contained sensitive personal information such as names, addresses, dates of birth, medical conditions, and email addresses.
• The collection of personal information was primarily due to one pharmaceutical client, Pharmacia, using the "get" method for a rebate form on its Detrol website, and also due to software errors.
• Pharmatrak's monthly reports to its clients did not contain any personally identifiable information, and clients were unaware that such data was being collected until litigation began, at which point they terminated the service.
• Plaintiffs' expert was able to develop individual profiles for 232 users from the approximately 18.7 million persistent cookies distributed by Pharmatrak, finding various types of personal information on Pharmatrak's servers.

Procedural Posture:

• Eight separate lawsuits were originally filed in the District of Massachusetts and the Southern District of New York.
• On April 18, 2001, the Judicial Panel on Multi-District Litigation ordered the transfer of the six New York cases to the District of Massachusetts.
• On June 28, 2001, plaintiffs filed an amended consolidated class action complaint in the District of Massachusetts against Pharmatrak, its parent company Glocal Communications, Ltd., and five pharmaceutical companies, alleging violations of Title I and II of the ECPA, the Computer Fraud and Abuse Act, state privacy laws, and common law claims.
• Pharmatrak, Glocal, and some pharmaceutical defendants moved for summary judgment in August 2001, while plaintiffs moved for summary judgment against Pharmatrak and Glocal on the Title I ECPA claim.
• The district court (Hon. Joseph L. Tauro, U.S. District Judge) denied plaintiffs' motion for summary judgment and granted in part defendants' summary judgment motions, holding that the claim against Pharmatrak under Title I of the ECPA was precluded by the statutory consent exception because the pharmaceutical defendants had consented to the placement of Pharmatrak's code on their websites.
• The district court granted summary judgment to all defendants on all federal law causes of action and declined to retain jurisdiction over the state law causes of action, dismissing them without prejudice.
• Plaintiffs (Appellants) appealed the district court's decision concerning the Title I ECPA claim against Pharmatrak (Appellees) to the United States Court of Appeals for the First Circuit.