The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon

[Post by Venkat Balasubramani]

Del Vecchio v. Amazon, C11-366-RSL (W.D. Wash.; Dec. 1, 2011)

Plaintiffs sued Amazon, alleging that Amazon’s use of “flash” cookies and certain browser “tokens” was misleading. In a putative class action, Del Vecchio asserted claims against Amazon under the Computer Fraud and Abuse Act, and the Washington Consumer Protection Act, along with claims for trespass and unjust enrichment. The court dismisses the lawsuit, and although it grants leave to amend, it sends a pretty clear message to plaintiffs that they face a high (and likely insurmountable) hurdle.

CFAA Claim: The court identifies two problems with the CFAA claim. First, plaintiffs fail to satisfy the $5,000 damage threshold. Plaintiffs argued that Amazon’s use of cookies “devalued” their personal information but the court says that this allegation is entirely speculative. Did the plaintiffs really lose the ability to exchange their personal information with third parties as a result of Amazon’s use of cookies or was this ability somehow lessened? Negative, says the court. The second category of possible loss was diminished performance to the plaintiffs’ computers. The court rejects this allegation as well, noting that “not one of the Plaintiffs alleges that he or she discerned any difference whatsoever in the performance of his or her computer while visiting [Amazon’s] site.”

Although the failure to meet the five thousand dollar threshold is sufficient to dismiss the CFAA claim, the court goes on to address the issue of authorization and says that Amazon’s terms of use and privacy notice disclosed to end users that Amazon uses “Flash cookies” and uses these cookies to track and serve advertisements. (Thus, the access by Amazon was not “without authorization”.) Plaintiffs made the clever argument that their injury occurred at the very moment they accessed Amazon’s site (i.e., before they had the chance to read and agree to the policy) but the court rejects this, saying that any information collection only occurred as a result of plaintiffs’ use of Amazon’s site.

Consumer Protection Act: Plaintiffs’ CPA claim suffered from two similar flaws. The court says plaintiffs failed to allege any “non-speculative” injury. One of the plaintiffs claimed that after she purchased pet supplies through Amazon, she received advertisements and junk mail from companies selling pet products. The court says this allegation is too speculative. In a footnote the court notes that this type of tracking and marketing is disclosed in Amazon’s privacy policy. The court also says that Plaintiffs failed to satisfy the requirement that Amazon’s conduct be unfair or deceptive—plaintiffs did not allege any actions that were inconsistent with Amazon’s privacy policy. [Although not cited in the order, see Cherny v. Emigrant Bank, for the proposition that the receipt of spam is not in itself a compensable harm. I would assume the same is true of junk mail as well.]

Trespass to Chattels: The court dismisses the trespass argument on the basis that trespass to chattels requires an allegation that the defendant’s actions interfered with a plaintiff’s property interest in a way that affects the physical condition or plaintiff’s use of the chattel, and plaintiffs failed to adequately make out this allegation.

Unjust Enrichment: Relying on the plaintiffs’ failure to allege any improprieties in Amazon’s use of cookies or collection of information, the court also dismisses the unjust enrichment claim. The court cites to In re DoubleClick case and says:

Although demographic information is valued highly . . . the value of its collection has never been considered an economic loss to the subject. Demographic information is constantly collected on all consumers by marketers, mail-order catalogues and retailers . . . we are unaware of any court that has held the value of this collected information constitutes damage to consumers or unjust enrichment to collectors.

__

Yet another decision rejecting claims by plaintiffs who sued over the use of cookies. (See the Specific Media and Interclick cases for other recent examples.) Some courts dismiss on the basis of Article III standing, while others (as in this case) find that plaintiffs failed to allege the requisite elements of causes of action. Whichever route the courts end up taking, they have overwhelmingly rejected these lawsuits. The “personal information as property” argument ends up going nowhere–in the context of tracking, courts don’t seem enthusiastic about claims where the damages are premised on loss of value to personal information.

There was an element of plaintiffs’ allegations which did not receive as much attention as I expected. Plaintiffs alleged that Amazon used a piece of code, or a “token” (a P3P “Compact Policy”), which told the user’s browser that no personal information is collected and thus allegedly “tricked” the browser into accepting Amazon’s cookies. (Here is a link to plaintiffs’ complaint, which details these allegations.) The court does not get into the issue of whether even if Amazon did “trick” the user’s browser this translates into misleading the user, or whether there was some sort of implied contractual promise in the P3P Compact Policy in the first place, given that it is a string of code directed at a machine, rather than a human. The court instead relies on the fact that plaintiffs’ have not alleged any harm. In any event, the court cites to the broad disclosures in Amazon’s privacy policy, indicating that the disclosures in the policy will likely trump any claim based on Amazon’s allegedly misleading use of the P3P Compact Policy.

Plaintiffs (and their lawyers) who have brought the latest wave of cookie lawsuits must be feeling pretty discouraged at this point. They’ve tried every conceivable variation of every possible argument and have gotten nowhere in the courts. We will see if they have better luck on appeal.

Related posts:

A Look at the Commercial Privacy Bill of Rights Act of 2011

Flash Cookies Lawsuit Tossed for Lack of Harm–La Court v. Specific Media

Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff — Claridge v. RockYou

Another Lawsuit over Flash Cookies Fails — Bose v. Interclick

LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds–Low v. LinkedIn