Plaintiffs Squeak Past Motion to Dismiss in Amazon P3P Case – Del Vecchio v. Amazon

[Post by Venkat Balasubramani with comments from Eric]

Del Vecchio v., 2012 WL 1997697 (W.D. Wash.; June 1, 2012)

I previously posted on Del Vecchio v. Amazon, a case that challenged Amazon’s alleged failure to respect the P3P protocol. P3P allows websites to summarize their privacy policies in machine readable code so that web browsers could be configured to automatically “determine a website’s privacy settings and adjust its [own] security settings, including its level of cookie-filtering protection.” (In theory, it allows users to control collection and use of their information through configuring their browser settings.) The plaintiffs allege that Amazon miscoded its P3P settings and used a token Amazon knew to be invalid, thus miscommunicating its policies to web browsers. Plaintiff sued on her own behalf and on behalf of a putative class, alleging claims under the Computer Fraud and Abuse Act and Washington consumer protection statutes. In the first round, the court granted Amazon’s motion to dismiss. (My prior blog post on the case: “The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon”; see also our post on Bose v. Interclick, a separate lawsuit challenging the use of flash cookies: “Another Lawsuit over Flash Cookies Fails — Bose v. Interclick.”)

CFAA Claims: The court dismisses plaintiffs’ CFAA claims with prejudice due to plaintiffs’ failure to credibly allege that they satisfied the $5,000 damage threshold. Plaintiffs argued that they satisfied the damage threshold in two ways: (1) the value of their personal information was in excess of $5,000 and Amazon’s exploitation resulted in a “loss” to them, and (2) they purchased anti-virus software.

The court rejects the anti-virus software purchases, noting that the anti-virus program had nothing to do with the alleged exploitation of the P3P protocol by Amazon. Plaintiffs also alleged that they purchased the software prior to accessing Amazon’s site, so by their own allegations, Amazon’s conduct did not necessitate the purchase of the software.

The argument that gets a little more attention is the loss attributable to the exploitation of personal information by Amazon. One recent case (Claridge v. RockYou) recognized that personal information can be property for standing purposes. Most courts have been lukewarm to this theory, and this court rejects it as well, saying that the alleged exploitation of personal information by Amazon can’t satisfy the jurisdictional threshold in this context:

Plaintiffs do not allege that they attempted to sell their “private information” to one of the purchasers they identify . . . and were rebuffed because [Amazon] had already sold or publicized that information. . . . It is not enough to allege only that the information has value to [Amazon]; the term “loss” requires that plaintiffs suffer a detriment—a detriment amount to more than $5,000.

Consumer Protection Act Claims: Two key points with respect to the claims under the Washington CPA. First, the court says Washington law “does not require damages to show ‘injury’” (although the damage has to be to plaintiff’s “business or property”). Second, the court says that the issue of whether Amazon’s access of plaintiffs’ computers was “authorized” can’t be resolved on the pleadings. The court directs the parties to come up with a briefing schedule and (if necessary) conduct discovery on the issue of “authorization”.

Trespass to Chattels and Unjust Enrichment The court dismisses the first claim, finding no credible allegation that there was any diminution in performance of plaintiffs’ computers. The court says it’s skeptical of the unjust enrichment claim for the same reasons that it dismisses the CFAA claim. However, because plaintiffs’ unjust enrichment claim–that Amazon took property that was valuable (personal information) without authorization–depends on the resolution of the authorization issue, the court defers ruling on this until completion of discovery and further briefing.


Plaintiffs keep pressing the “personal information as property” argument, but courts remain unconvinced (a few exceptions notwithstanding).

On the issue of “authorization,” Amazon’s terms are less than clear about the use of Flash Cookies. They reference flash cookies, but the terms contain the typical language that without cookies users may not be able to take advantage of certain features of the site. Interestingly, the terms do reference browser settings and this may cut against Amazon’s overall argument here (e.g., “you can disable or delete . . . data used by browser add-ons, such as Flash cookies, by changing the add-on’s settings or visiting the Web site of its manufacturer . . . .”). The core of plaintiffs’ argument is that Amazon failed to respect the browser settings and P3P protocol. Language in the policy saying that the user can control the level of cookie placement or activity through the use of browser settings would, if anything, seem to reinforce plaintiffs’ argument. Plaintiffs would still face damages issues, that as Eric notes below will be tough to overcome, but I’m surprised to see the court say that plaintiffs’ possible agreement to the terms would definitively resolve the issue of authorization.

This ruling could conceivably prompt a settlement. For their separate reasons, the parties may not want to litigate the issues of whether plaintiffs were truly harmed and what Amazon’s business practices were. It’s still curious that the alleged P3P shenanigans received so little attention from the court. Maybe plaintiffs will try to re-inject into the mix through discovery. We’ll see.

Related posts:

* The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon

* A Look at the Commercial Privacy Bill of Rights Act of 2011

* Flash Cookies Lawsuit Tossed for Lack of Harm–La Court v. Specific Media

* Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff — Claridge v. RockYou

* Another Lawsuit over Flash Cookies Fails — Bose v. Interclick

* LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds–Low v. LinkedIn


Eric’s comments

As Venkat indicates, the judge shuts the door on the CFAA and trespass to chattels claims. The WA consumer protection act and unjust enrichment claims survive, but only out of an abundance of judicial caution (as the judge notes himself). The court says it’s “very likely” that Amazon’s privacy disclosures negate those claims. If I were in Amazon’s shoes, I’d reject any settlements and litigate the crap out of this. The judge has made it clear that this lawsuit will fail.

As usual, the litigation circles around the harm suffered by the plaintiffs. Funny, because that’s an easy issue to resolve. The plaintiffs have NONE. Not a scintilla of harm. NOTHING. Without any underlying harm, lawsuits like this aren’t laudable in the least. For more on why I think privacy advocates should oppose lawsuits like this one rather than applaud them, see my article The Irony of Privacy Class Action Lawsuits.

The court wisely gets to the right point. For example, the judge properly rejects the argument that non-monetary harm can be counted towards the CFAA’s $5k threshold. The court also gets the plaintiffs to admit that individuals’ PII has no economic value to the individuals, even if it’s commercializable by websites. Thus, showing that Amazon could make money from the data in its database does nothing to get the plaintiffs closer to the CFAA’s $5k threshold. The judge, wielding Iqbal, lays into the plaintiffs for rehashing their assertions about harm without any factual evidence at all. If the judge really wants to tells plaintiffs to stop wasting everyone’s time and resources, a whiff of sanctions would help a lot.