Third Circuit Revives a Sliver of Plaintiff’s Cookie-Blocking Circumvention Claims Against Google

This is a lawsuit alleging that Google and others circumvented cookie-blocking settings of popular browsers. Our blog post on the district court ruling here: “Google Wins Cookie Privacy Lawsuit”. Plaintiffs asserted federal and state claims. The court affirms dismissal of the claims, but reverses dismissal of the California invasion of privacy claims.

Wiretap Act Claims: The court rejects the wiretap claims on the basis that defendants were intended recipients of the communications in question. Plaintiffs argued that, even if this were the case, participation in the communication was procured by improper means, but the court rejects this argument.

Although the court affirms dismissal of these claims, it does so on alternate grounds from those relied on by the district court. And in the process, it does a deep dive into the content/metadata distinction, ultimately conducting that a URL that points to content (the stuff to the right of the top level domain) may in certain circumstances be considered content as well. Professor Kerr, who is cited by the court, explains in depth and offers thoughts on the consequences of this.

Stored Communications Act Claims: The court affirms the trial court’s reasoning in dismissing the SCA claims. An end user’s browser is not a “facility” through which electronic communications services are provided, and defendants did not access any such facility.

Computer Fraud and Abuse Act Claims: The CFAA claims fails due to plaintiff’s failure to credibly allege the requisite $5,000 in loss. Plaintiffs relied on the “our personal information is the equivalent of currency” argument, but (as is typically the case) this gets no traction with the court.

State Law Claims: Somewhat surprisingly, the court reverses dismissal of the invasion of privacy claim. Defendants had the benefit of a long line of cases saying online tracking is not an “egregious breach of social norms,” but the court focused on how Google accomplished its tracking:

by overriding the plaintiffs’ cookie blockers, while concurrently announcing in its Privacy Policy that internet users could ‘reset your browser to refuse all cookies’. Google further assured Safari users specifically that their cookie blockers meant that using Google’s in-house prophylactic would be extraneous. Characterized by deceit and disregard, this alleged conduct raises different issues than tracking or disclosure alone.

The court says a reasonable jury could conclude that Google’s practices constitute a serious invasion of privacy that is actionable under California law.

The state wiretap claims fall for the same reasons as the federal wiretap claims. Finally, the remaining claims are dismissed for standing, or the absence of a sale, which would trigger applicability of the Consumer Legal Remedies Act.

__

As I was reading the decision’s treatment of the various claims, I wondered how the claims would fare under a state spyware statute.

The most interesting and attention-worthy aspect of the ruling is obviously the court’s deep dive into the content/non-content distinction and the effect it will have on government surveillance efforts. (Compare the court’s ruling here with the Ninth Circuit’s ruling in the Facebook/Zynga referer header cases.) Other possible effects include: (1) anonymity for online postings, and (2) other privacy statutes. As to the latter, the Third Circuit, which is hearing a VPPA case involving Nick.com, requested the lawyers to briefly address the effects of this case on the Nick.com case. My instinct is that the VPPA has its own unique definition of PII, so this ruling should not change the result there.

The court’s conclusion on the invasion of privacy claim under California tort and constitutional law is somewhat surprising. Scores of rulings have held, looking at the type of information captured or disclosed, the law only protects truly private and sensitive information. The court instead looked to the manner of collection and found this to be truly offensive. From a procedural standpoint, you wonder whether the case will be sent back and eventually be required to proceed in state court. This claim also seems less amenable to class resolution, so it may be a pyrrhic victory.

Finally it’s worth noting a possible double standard at play here. When service providers suffer the slightest affront, courts seem more willing to entertain hacking and CFAA claims. Consumers have a much tougher time asserting those claims.

Case citation: In re: Google Inc. Cookie Placement Consumer Privacy Litigation, No. 13-4300 (3d Cir. Nov. 10, 2015)

Related posts:

Disclosing Unique User IDs In URLs Doesn’t Violate ECPA–In re Zynga/Facebook

Judge Koh Puts the Kibosh on LinkedIn Referral ID Class Action — Low v. LinkedIn

The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon

A Look at the Commercial Privacy Bill of Rights Act of 2011

Flash Cookies Lawsuit Tossed for Lack of Harm–La Court v. Specific Media

Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff — Claridge v. RockYou

Another Lawsuit over Flash Cookies Fails — Bose v. Interclick

LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds–Low v. LinkedIn

The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon

Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]