September 08, 2011 Articles

Suing over Data Privacy and Behavioral Advertising

Data-privacy suits may be viewed as a cost of doing business in a digital economy. How a company responds may determine how many more suits get brought against it.

By Ian C. Ballon and Wendy Mantell

Some class-action plaintiffs’ lawyers have begun filing a new kind of putative class-action lawsuit focused on behavioral advertising and data privacy that typically draws media attention but involves little or no damage or injury. Since 2010, following the settlement of two high-profile, multimillion-dollar, putative, Internet-based, privacy class-action suits prior to the defendants even being served, more than 150 data-privacy, putative class-action suits have been filed focusing on the disclosure of information through the use of social networks, behavioral advertising, mobile-phone applications, and other Web 2.0 technologies; credit-card transactions involving the collection of zip codes from California residents; and cloud computing applications. Some people believe these lawsuits have settlement value because of the willingness of reporters to publicize allegations about Internet privacy, regardless of whether the allegations are true, and almost anything related to consumer use of technology. The Wall Street Journal’s somewhat sensationalized series on alleged privacy “violations” stemming from the use of social networks and mobile applications, in combination with rumblings by the Federal Trade Commission (FTC) and Congress about the need for even greater regulation, have spurred these class-action lawyers to take action. Perhaps not surprisingly, suits based on statements by politicians about the need for additional legislation do not fit well into claims based on existing statutes. Data-privacy, putative class-action suits are generally premised on the thinnest of legal reeds that will rarely survive motions for summary judgment, if they survive motions to dismiss or class certification.

Unlike medical-device or drug cases where the plaintiff’s counsel often prefers to be in state court, the plaintiffs in data-privacy cases go to great lengths to get into and remain in federal court. In the absence of any actual damage or indeed injury, data-privacy suits are usually brought under statutes that allow for the recovery of statutory damages. To lay claim to federal subject-matter jurisdiction, putative, privacy class-action suits typically assert claims under the Electronic Communications Privacy Act (ECPA)—either Title I, the Wiretap Act, which proscribes interceptions, or Title II, the Stored Communications Act (SCA), which prohibits accessing the contents of stored communications in certain circumstances—and/or the Computer Fraud and Abuse Act (CFAA), in addition to state-law claims for breach of contract based on the alleged breach of posted privacy policies and terms of use and for unfair competition, where plaintiffs rely on supplemental jurisdiction or jurisdiction under the Class Action Fairness Act (CAFA). In the absence of injury or damage, many of these cases may not survive in federal court.

To have standing to bring suit in federal court, a plaintiff must have “injury in fact.” Where there is none alleged, a putative class-action suit will be dismissed. See, e.g., LaCourt v. Specific Media, Inc., No. SACV 10-1256-GW (JCGx), 2011 WL 1661532 (C.D. Cal. Apr. 28, 2011) (dismissing a putative class-action suit brought over the alleged use of flash cookies to store a user’s browsing history).

Even where a plaintiff has standing, claims based on alleged data privacy violations do not necessarily fit well into existing federal statutes.

Claims under ECPA require the interception of the “contents” of a communication. Personal data, however, is not considered part of the “contents” of communications because ECPA defines the term as “information concerning the substance, purport, or meaning of that communication.” 18 U.S.C. § 2510(8). “[I]nformation concerning the identity of the author of the communication,” which is generally what is at issue in data-privacy cases, is not considered “contents.” Jessup-Morgan v. America Online, Inc., 20 F. Supp. 2d 1105, 1008 (E.D. Mich. 1998). As the legislative history makes clear, ECPA “exclude[s] from the definition of the term ‘contents,’ the identity of the parties or the existence of the communication.” S. Rep. No. 99-541, 1986 U.S.C.C.A.N. 3555, 3567; see also Hill v. MCI WorldCom Commc’n, 120 F. Supp. 2d 1194, 1195–96 (S.D. Iowa 2000) (holding that electronically stored phone records, including “names, addresses, and phone numbers of parties [the plaintiff] called,” do not constitute the contents of communications under ECPA).

Claims under Title II of ECPA—the SCA—may also fail for the additional reason that plaintiffs usually cannot claim that the information allegedly accessed was in storage as that term is defined by the act. Section 2701 of the SCA makes it an offense to “intentionally access without authorization” or “intentionally exceed an authorization to access . . . a facility through which an electronic communication is provided” to obtain, alter, or prevent authorized access to a wire or electronic communication that is stored electronically. 18 U.S.C. § 2701(a)(1)–(2). Electronic storage is defined by the SCA as “temporary, immediate storage.” Claims that allege information has been accessed in violation of the SCA by placing cookies on users’ hard drives, or by accessing email located on a laptop hard drive, have been dismissed because “Title II deals only with facilities operated by electronic communications services such as ‘electronic bulletin boards’ and ‘computer mail facilit[ies],’ and the risk that communications temporarily stored in these facilities could be accessed by hackers.” In re DoubleClick, Inc., Privacy Litig., 154 F. Supp. 2d 497, 512–13 (S.D.N.Y. 2001); see also Hilderman v. Enea TekSci, Inc., 551 F. Supp. 2d 1183, 1204–05 (S.D. Cal. 2008); In re Toys R Us, Inc., Privacy Litig., No. 00-CV-2746, 2001 WL 34517252, at *4 (N.D. Cal. Oct. 9, 2001).

User consent—such as agreement to privacy policies or terms of use—may also provide a defense to ECPA claims. 18 U.S.C. §§ 2702(b)(3) and 2511(3)(b)(ii). As noted in the House Report accompanying the bill,

a subscriber who places a communication on a computer “electronic bulletin board,” with a reasonable basis for knowing that such communications are freely made available to the public, should be considered to have given consent to the disclosure or use of the communication. If conditions governing disclosure or use are spelled out in the rules of an electronic communication service, and those rules are available to users or in contracts for the provision of such services, it would be appropriate to imply consent on the part of a user to disclosures or uses consistent with those rules.

H.R. Rep. No. 99–647, 99th Cong., 2d Sess., 66 (1986).

Moreover, in some cases, defendants may argue that the information allegedly disclosed was not actually private because the SCA contains an exception for information that is “readily accessible to the general public.” 18 U.S.C. § 2511(2)(g). For example, some social-network data that is voluntarily provided by users and that users make publicly available on the Internet should not be subject to the act.

To state a civil claim for a CFAA violation, a plaintiff must allege $5,000 in damages, which is a threshold that bars many privacy claims, especially those based on behavioral advertising, where there is no economic loss or injury from the practices at the source of the complaints. See, e.g., In re DoubleClick, Inc., Privacy Litigation, 154 F. Supp. 497 (S.D.N.Y. 2001); Bose v. Interclick, Inc., No. 10 Civ. 9183 (S.D.N.Y. Aug. 17, 2011) (dismissing CFAA claims with prejudice in a behavioral advertising suit).

Because alleged cloud-based privacy concerns do not fit well within the confines of federal anti-hacking statutes, plaintiffs’ lawyers seek federal jurisdiction under CAFA, even though, as some defense counsel have argued, CAFA was enacted to protect them from runaway state-court juries, not to enhance the settlement value of state-court claims by allowing them to be brought in federal court. Under CAFA, federal jurisdiction is permissible where more than two thirds of the members of a putative class are allegedly citizens of states other than that of the named plaintiff and the amount of damages alleged exceeds $5 million. Even where the plaintiff’s counsel alleges the existence of a class of millions of people, the $5 million bar may be insurmountable in a case where there has been no economic injury. If the named plaintiffs cannot meet the $5,000 threshold to state a CFAA claim, for example, a potential class of similarly situated parties who also have not been injured may not meet CAFA’s $5 million threshold.

Whether in federal or state court, state-law claims may be equally unappealing. To maintain state-law contract and related unfair-competition claims, plaintiffs generally must be able to plead and prove actual injury and damage. Indeed, Chief Judge Ware of the Northern District of California recently dismissed plaintiffs’ contract and California unfair-competition claims on this very ground. See In re Facebook Privacy Litig., No. C 10–02389 JW, 2011 WL 2039995 (N.D. Cal. May 12, 2011).

Even if some Internet-privacy claims could survive motions to dismiss or summary judgment, they are often ill suited for class certification because the proposed classes are defined in terms of conduct for which no records exist and are therefore unascertainable, or because they involve numerous individualized inquiries into issues of consent, causation, reliance, and injury that may be specific to individual claimants and therefore make them potentially ill suited for class adjudication. For example, in Murray v. Fin. Visions, Inc., No. CV-07-2578-PHX-FJM, 2008 WL 4850328 (D. Ariz. Nov. 7, 2008), the court denied class certification in a case alleging that the defendants, including a web-hosting and email-services company, violated the plaintiff’s privacy by intercepting and forwarding emails to comply with broker-dealer regulations because demonstrating liability would have required numerous individualized inquiries, including whether the plaintiff had a reasonable expectation of privacy in each email, whether the email contained private information, and whether the defendant’s conduct caused any harm.

Of course, some privacy cases involve real claims. A material violation of a privacy policy, for instance, is potentially actionable, but only if a plaintiff can show actual injury or damage. Likewise, where there is a security breach and resulting harm, a plaintiff may be able to state a claim. But claims focused on behavioral advertising or information allegedly exposed through the use of social networks and popular apps, while providing fodder for reporters seeking to sell newspapers or politicians seeking voters’ attention in Washington, generally can’t satisfy the requirements of existing federal computer-crime statutes or the damage or injury elements of many of the state-law claims asserted.

Data-privacy cases based on behavioral advertising, information voluntarily disclosed by users in social-networking profiles or to app providers, and other practices related to cloud computing generally involve, at most, theoretical violations where no injury has occurred.

In a typical behavioral-advertising case, for example, if the plaintiffs’ assertions are correct, at most, users might have been shown an advertisement that was potentially of interest to the user based on the websites accessed by a computer’s browser, as opposed to an advertisement for herbal Viagra substitutes, unaccredited universities, or other ads of no interest to most users. In either case, the user was free to disregard the advertisement, which is typically displayed on sites that offer free content. Similarly, in either case, the advertiser and ad agency would not know who the user was.

Data-privacy cases increasingly challenge ad practices that in many respects are not much different from the way that television viewers are shown advertisements based on what the advertiser assumes to be the interests of the demographic group likely to be watching a particular television show. Whether the advertiser is correct, and a user is interested in lip gloss rather than laxatives, for example, implicates “injuries,” if any, that are at most de minimis. The fact that a user might have been shown an ad that he or she was free to ignore but which might have been of interest is not the sort of “violation” that is typically compensable.

For these alleged “violations,” millions of dollars are sought under statutes that authorize prevailing parties to recover statutory damages and attorney fees but typically afford no other relief on the facts alleged. In cases where injury and harm appear to be lacking, a main objective seems to be to generate publicity and force a quick settlement priced below the cost of defense. Increasingly, however, Internet companies are coming to view data-privacy cases as ones that should be won on the merits rather than settled as though meritorious. Like patent-troll and stock-drop cases, data-privacy suits may be viewed as a cost of doing business in today’s digital economy. Whether and how a company responds to these suits, however, may determine how many more get brought against it down the road.

Keywords: litigation, class actions, derivative suits, behavioral advertising, data privacy

Ian C. Ballon and Wendy Mantell – September 8, 2011

Copyright © 2011, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).