August 18, 2011
Another Lawsuit over Flash Cookies Fails -- Bose v. Interclick
[Post by Venkat Balasubramani, with comments from Eric]
Bose v. Interclick, Inc., et al., 10-cv-09183-DAB (S.D.N.Y. Aug. 17, 2011)
Bose sued Interclick, an advertising network, and various advertisers (including McDonald's, Mazda and Microsoft) over "flash cookies" and "history sniffing." As described the court:
[w]hen a user deletes a browser cookie, the flash cookie "respawns" the browser cookie without notice to or consent of the user....
"history sniffing" code, which [contains] a list of web page hyperlinks . . . [uses] the computer's browser to determine whether the computer had previously visited those hyperlinks, and [transmits] the results to [the advertising network's] servers. Interclick used data on the computer's browsing history to select particular advertisements to display on that computer.
Plaintiff asserted putative class claims under the Computer Fraud and Abuse Act, New York's unfair competition statute, and common law trespass.
CFAA claims: Bose asserted three types of damages to support her CFAA claims: (1) impairment of her computer; (2) "loss" based on the collection of personal information; and (3) loss due to "interruption of internet service."
Damage to the computer system: The court canvassed the broad array of losses that can support a CFAA claim, but focused on the issue of whether the loss alleged by Bose satisfied the $5,000 jurisdictional threshold. Boss "[failed] to quantify any damage Interclick caused to her computer . . . ." and what it would cost to remedy this supposed damage.
Collection of personal information: The court rejects Bose's attempt to satisfy the loss threshold by pointing to the alleged misappropriation of her personal information. The court notes that the CFAA provides recovery for "economic damages," and misappropriation of personal information does not qualify. In re DoubleClick arrived at the same result in 2001, and the court rejects her attempt to distinguish DoubleClick on the basis that in this case the network "circumvented" privacy controls that the plaintiff put in place.
Interruption of service: The court also rejects Bose's attempt to argue that the flash cookies caused a slowdown sufficient to invoke the CFAA:
Bose . . . fails to allege specific damage or loss incurred due to alleged interruption of service, or costs incurred to remedy the alleged interruption of service. Even if a flash cookie may reach up to 100 kilobytes in size and may occupy space on Bose's hard drive, Bose fails to demonstrate that the flash cookie caused damage, a slowdown, or a shutdown to her computer.
Aggregation: Finally, the court addressed the issue of whether the damages could be aggregated under the CFAA to meet the $5,000 jurisdictional threshold. The court notes some divergent authority on the issue of whether losses can be aggregated among multiple plaintiffs (as opposed to multiple computers or events) and concludes that each plaintiff has to satisfy the damages threshold individually.
Deceptive business practices: The deceptive business practice requires a consumer-oriented practice that was misleading and that caused injury. The court rejects the defendants' argument that there was no misleading practice. With respect to injury, the court notes that New York law does not require pecuniary injury to maintain a claim; a bare claim for invasion of privacy is sufficient. The deceptive business practices claim against Interclick moves forward. With respect to the advertisers, the court finds that there is no allegation that the advertisers were involved in any way with the misleading practices.
Trespass: Bose claimed that she was "dispossessed of the economic value of her personal information," but the court says this type of a trespass claim is of "dubious merit." Bose also asserted a more conventional trespass claim (a la Intel v. Hamidi). Although the court notes that "there is no allegation that the devices materially affected the condition, quality or value of the computer," the court nevertheless says that her allegations are sufficient to state a trespass claim.
Contract claims: Bose also asserted contract claims, but the court doesn't spend much time before dismissing those claims.
Dismissal with prejudice: The court dismisses the claims against the advertisers with prejudice, finding that any amendments against these defendants would be futile. The court also dismisses the CFAA and contract claims with prejudice.
This is the second lawsuit over flash cookies to meet a chilly reception in court. Eric blogged about the Specific Media case (repeatedly cited by this court) earlier this year: "Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media." Cookie plaintiffs just don't seem to have compelling facts in the eyes of the courts. Part of it, no doubt, is the courts' skepticism that anyone who got cookied would care enough about the damage to actually spend money fixing damage to their computers. Plaintiffs rarely allege that they do.
Interestingly, there is mixed authority on whether you can aggregate damages for loss purposes and whether you can assert claims premised on non-economic damages. To my knowledge, some courts had answered these questions in the affirmative, in part based on changes to the CFAA since the DoubleClick decision. But the court here was clearly unwilling to explore the outer reaches of the statute for the sake of these plaintiffs. The tenor of the court's opinion is one of deep skepticism that the plaintiffs is complaining about something that is truly injurious and which warrants judicial intervention:
personal data and demographic information concerning consumers are constantly collected by marketers, mail-order catalogs and retailers. The collection of demographic information does not 'constitute damage' to consumers or unjust enrichment to collectors. Advertising on the internet is no different from advertising on television or in newspapers. Even if Bose took steps to prevent the data collection, her injury is still insufficient to meet the statutory threshold.
It's interesting that the court comes right out and says that even if Bose took steps to prevent the collection, her injury isn't enough to get the court's attention. Not a very privacy-friendly judge here.
In some cases, plaintiffs have sued the advertisers as additional defendants, but the judge here clearly did not see them as appropriate defendants. It's helpful from an advertiser standpoint to get a clear ruling that their mere purchase of advertising on an ad network will not get them sucked into a privacy lawsuit. I wouldn't characterize this scenario as risk-free, but it's still nice that the court made clear that advertisers should not be a part of this lawsuit.
On the other hand, regardless of the legal rules and court decisions, there's little excuse for advertisers to not conduct some due diligence on the networks they deal with. The companies are off the hook in this particular decision, but the advertisers named are established companies, and I would be curious to know the background on how they ended up becoming entangled in a privacy-unfriendly practice that has recently been the focus of a huge negative spotlight.
The court's conclusion on the trespass claim was a little awkward. The court says that a slowdown is required, but despite noting the lack of this allegation, allows the claim to move forward.
It was also somewhat awkward that the court doesn't discuss plaintiff's "history sniffing" allegation at all. The omission is somewhat strange, but it looks like the court just treated Interclick's information collection practices generically. Here's a post from Kash Hill that explains the practice.
It may be too early to tell, but the early indication is that this wave of tracking lawsuits will have a long slog in the courts. This one suffered a pretty big hit at the judge's hands. Both this and the Specific Media case will likely be cited by privacy advocates as to why the current regulatory scheme is broken. I agree that consumers being tracked despite their stated preferences is problematic, but I'm not sure that creating a private right of action is the best solution. A final question. Where is the FTC in all of this? They seem pretty behind the curve in comparison to class action lawyers in the push to regulate privacy.
Hey, ad networks: it's not nice to ignore people's expressed preferences about cookies. (I'm not saying the defendants did so in this case; I'm just speaking generally). There may not be legally recognizable harm from placing unwanted cookies, but your consumers are trying to tell you something, and you really ought to listen. Contravening their wishes ticks people off, and it invites legislative bodies to pursue crackdowns like "Do-Not-Track" legislation (whatever that means). If Congress enacts some type of anti-cookie/anti-tracking measure, the ad network industry will have no one to blame but itself (and the Wall Street Journal "What They Know" series).
Hey, plaintiffs: lawsuits over cookies are stupid. The vast majority of us learned that from In re Doubleclick--a decade ago. Cookie lawsuits haven't gotten any more meritorious in the intervening years. So please, just get over it. Meritless privacy lawsuits over advertiser/ad network practices that don't actually harm consumers give legislators some reasons to make privacy lawsuits harder to bring.
A Look at the Commercial Privacy Bill of Rights Act of 2011
Flash Cookies Lawsuit Tossed for Lack of Harm--La Court v. Specific Media
Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff -- Claridge v. RockYou