Google Wins Cookie Privacy Lawsuit

In re Google Inc. Cookie Placement Consumer Privacy Litigation, MDL Civ No. 12-2358 (D. Del. Oct. 9, 2013) [pdf]

The factual background in the court’s order is fairly brief. In a nutshell, plaintiffs sued Google, along with advertisers and networks, alleging that defendants “circumvent[ed] Apple’s Safari browser’s default blocker and deceive[d] the [Internet Explorer] browser into accepting third-party cookies.” Although Google stopped after being flagged for this, plaintiffs alleged that the cookies set by defendants allowed them to assign a unique ID and associate “future information received to the unique ID.”

Defendants moved to dismiss, and the court grants the motion in full. [Note: this ruling has been appealed: "Safari Users Seek to Revive Case Against Google, WPP, Vibrant Media".]

Standing: Noting that courts have been “reluctant to equate loss of PII, without more, to injury in fact,” the court says plaintiffs have not satisfied injury-in-fact for standing purposes. While PII in the abstract may have value, plaintiffs have not alleged that Google’s collection of their PII in any way hindered plaintiffs’ own ability to monetize it.

ECPA: The court says Google cannot take advantage of the “party” exception because Google bypassed browser settings to place cookies and the information sent would have been different had the third party cookies not been placed. However, plaintiffs have problems alleging that any “contents” of their communications were intercepted or disclosed. Personally identifiable information that’s automatically generated (such as metadata) is not considered “content” for ECPA purposes. A URL itself is also not considered content. While the court acknowledges that in many instances, a URL may give clues as to the document’s contents, it’s a location identifier. (This conclusion is noteworthy.) Thus, plaintiffs failed to allege a violation of the Wiretap Act.

Computer Fraud and Abuse Act: The CFAA claims fail because plaintiffs don’t satisfy the $5,000 damage threshold. Unauthorized use of personal information does not qualify as economic damages, and plaintiffs failed to show “individual economic loss”.

California’s Computer Crime Statute: With respect to this claim, the court says that plaintiffs failed to allege damage or loss. The court also says that (1) any unauthorized access was not “without permission” as this term is used under section 502, and (2) Google did not introduce a “contaminant” that usurped the normal operation of plaintiffs’ browsers.

Invasion of Privacy: A claim for invasion of privacy under the California constitution has the typical elements for invasion of privacy, but the invasion must constitute “an egregious breach of the social norms underlying the privacy right.” This does not fit the bill.

Unfair Competition Claim: The court dismisses this for lack of standing. Plaintiffs have to show the loss of money or other property, and loss of PII and related economic loss is insufficient.

California Consumer Legal Remedies Act: This claim fails because this statute only applies to goods and services and has been held to not cover software.

__

The year 2000 called and it wants its cookie lawsuits back!

Seriously, privacy plaintiffs have had little luck with the second wave of cookie lawsuits. (See also Del Vecchio v. Amazon; La Court v. Specific Media.) This presents an arguably clearer example of the defendant saying one thing and doing another, and circumventing the consumer’s preferences, but standing turns out to be a formidable bar.  If a loss in a lawsuit like this does not cause plaintiffs to give up on tracking lawsuits, I’m not sure what will.

[Eric's comment: cookie lawsuits are stupid. That is all.]

(Although Google dodges a bullet here, it did not escaped wholly unscathed as a result of this episode. In August 2012 Google settled with the FTC over its alleged misrepresentations to Safari users that Google would not place third party cookies if users did not change their default privacy settings for Safari: “Google Will Pay $22.5 Million to Settle FTC Charges it Misrepresented Privacy Assurances to Users of Apple’s Safari Internet Browser“.)

A few questions that were mulling around:

  • How does the result change under California’s newly enacted Do-Not-Track disclosure rules? (see Eric’s post for more on that statute: “How California’s New Do-Not-Track Law Will Hurt Consumers“).
  • Would Section 230 bar state law claims based on use of third-party cookies, or is there a misrepresentation that allows a workaround by plaintiffs?
  • Is there a double standard when it comes to unauthorized access statutes? The argument raised by the consumers here are very similar to those raised by networks when litigating unauthorized access claims; if an IP address block is a technical restriction that’s sufficient to invoke Section 502 (California’s anti-hacking statute) it’s surprising that your browser privacy settings are not.

Google certainly has its hands full on the privacy litigation front (gmail scanning; Wi-Fi sniffing). Although this ruling has been appealed, it probably appreciates being in the position of defending a favorable judgment.

A recent article in the Wall Street Journal is of interest, and speculates about the post-cookie world: “Google, Microsoft Threaten End to Cookie Tracking“. [Eric's comment: I think we're going to look back in 10 years and reminisce fondly about the era when one-size-fits-all cookies predominated. I think consumers get an even worse deal from the anti-competitive effects of proprietary tracking technologies and associated proprietary databases. The rich will get richer, and future new entrants will find the proprietary tracking of the incumbents an even greater barrier to entry.]