New York Court Dismisses Advertisers from "Flash Cookie" Lawsuit; Narrows State Claims Against Ad Technology Provider

Date: Aug 26, 2011

On August 17, 2011, the U.S. District Court for the Southern District of New York dismissed a class action lawsuit against four advertisers- McDonald's, CBS, Mazda, and Microsoft- and narrowed the claims against the advertising network Interclick. In that case, Sonal Bose v. Interclick, Inc., et. al., No. 10-cv-09183-DAB, the Plaintiff sued each Defendant in December 2010 alleging that the placement of "flash cookies" and use of "history sniffing" code on websites to target advertising violated the Computer Fraud and Abuse Act ("CFAA"), New York General Business Law, and New York State common law. The cases were consolidated, and the Defendants moved to dismiss the claims in April 2011.

Computer Fraud and Abuse Act Claims

The CFAA prohibits accessing and obtaining information from a computer without authorization, and permits any person who suffers damage or loss to institute an action for compensatory damages and injunctive or other equitable relief. Notably, any damage or loss must be greater than or equal to $5,000 per person. Bose claimed damages due to the impairment of her computer, loss due to the collection of her personal information, and loss due to interruption of Internet service.

The Court relied on the decision in LaCourt v. Specific Media, Inc., 10-cv-01256-GW-JCG (C.D. Cal. 2011), and found that Bose failed to allege economic injury sufficient to meet the $5,000 threshold. In Specific Media, the court determined that the plaintiffs failed to allege economic injury from the installation of flash cookies sufficient for a CFAA claim because nothing indicated that the plaintiffs ascribed economic value to their personal information and the plaintiffs failed to explain how they were deprived of the economic value of their personal information. The Interclick Court also relied on In re DoubleClick Inc. Privacy Litig., 154 F. Supp. 2d 497 (S.D.N.Y. 2001), to conclude that Bose's claims that Interclick placed cookies on multiple computers could not be aggregated to reach the $5,000 threshold.

State Law Claims

Bose also alleged violations of New York General Business Law Section 349 governing deceptive business acts or practices, and of the common law by trespass to chattels, breach of implied contract, and tortious interference with contract. The Court denied Interclick's Motion to Dismiss the Section 349 and trespass to chattels claims, but granted the other Defendants' Motions to Dismiss the claims. The Section 349 claim alleged that the use of flash cookies and browser history sniffing code circumvented users' privacy and security settings and harmed consumers. According to the Court, it was sufficient that Interclick engaged in a deceptive practice likely to mislead consumers, and the Court found that Bose alleged sufficient injury, despite that she did not suffer pecuniary injury. The basis for the trespass to chattels claim was that the Defendants impaired the value of her computer by installing flash cookies and browser history sniffing code. The court found the claim that Plaintiffs had been dispossessed of the value of their personal information to be dubious.

The Court also granted all Defendants' Motions to Dismiss the breach of implied contract and tortious interference with contract claims. According to the Court, Bose was not denied the benefit for which she bargained, namely, receiving goods and services through the websites to which she supplied personal information, and Bose failed to specify any specific contracts that were breached (she merely alleged that the Defendants' activities violated the privacy policies for the websites on which Interclick operated).

Significance of the Order

The Complaints in the Interclick case were filed on the heels of privacy reports from the Federal Trade Commission ("FTC") and U.S. Department of Commerce ("DOC") and discussions about "Do Not Track" registries. Federal privacy legislation introduced earlier this year incorporates concepts from the FTC and DOC reports, and lawmakers have expressed concerns about the use of cookies, flash cookies, and other technologies to track and/or target consumers online for online behavioral advertising purposes. This landscape may be responsible for the significant increase in the number of privacy-related lawsuits in 2010 and 2011 related to alleged "tracking" using technology.

While the Interclick order illustrates the steep burden faced by plaintiffs under federal law who are unable to demonstrate economic harm associated with the alleged privacy violations but somewhat lesser burdens under state law. Nevertheless, it reflects the growing interest of plaintiffs' lawyers in privacy class-action litigation. The increase in privacy and data security litigation exposure highlights the need to carefully review contractors and their practices as well as frequent review and update website privacy policies and terms of use to limit liability. Companies should also examine how technologies are used to collect information, the nature of the information collected through such technologies, and how such information is used, shared, and retained, recognizing that lawsuits today often focus on the collection of information historically deemed to be "non-personal" in nature, like pages viewed, referring websites, demographic data, etc. It is also important to review contractual arrangements with third party ad partners and service providers who may be collecting information using technology, and to confirm that the activities do not violate representations in a posted privacy policy. Finally, it is always advisable to review company insurance policies to determine the extent and availability of coverage for privacy and data security lawsuits, recognizing that some insurers are seeking to deny coverage in connection with such suits.

For more information on privacy and data security enforcement and litigation, contact Sheila A. Millar at 202-434-4143 or via e-mail at millar@khlaw.com, Douglas J. Behr at 202-434-4213 or via e-mail at behr@khlaw.com, Tracy P. Marshall at 202-434-4234 or via e-mail at marshall@khlaw.com, or Art S. Garrett at 202-434-4248 or via e-mail at garrett@khlaw.com.