Enter to open, tab to navigate, enter to select
Standing for Consumers in Google Cookie Litigation: Third Circuit
Practical Law Legal Update w-000-7537 (Approx. 5 pages)
Standing for Consumers in Google Cookie Litigation: Third Circuit
by Practical Law Intellectual Property & Technology
| Published on 16 Nov 2015 • USA (National/Federal) |
In In re Google Inc. Cookie Placement Consumer Privacy Litigation, the US Court of Appeals for the Third Circuit held that the plaintiffs had standing to bring claims under certain California laws against Google, Inc. for its alleged circumvention of web browser controls designed to block third-party tracking cookies. The court upheld the district court's dismissal of the plaintiffs' federal claims brought under the Wiretap Act, Stored Communications Act, and Computer Fraud & Abuse Act.
On Nov. 10, 2015, in In re Google Inc. Cookie Placement Consumer Privacy Litigation, the US Court of Appeals for the Third Circuit overruled in part the US District Court for the District of Delaware's dismissal of the plaintiffs' consolidated class action complaint, which alleged federal and state claims stemming from the defendants’ alleged intentional circumvention of cookie blocking technology ( (3d Cir. Nov. 10, 2015)). The court of appeals held that the plaintiffs had standing to support their federal and state claims. However, the court dismissed all but two California-based privacy claims against Google, Inc. for failure to state a claim.
Background
This case arises from Google and other online advertising companies' alleged practice in 2011 and 2012 of intentionally bypassing internet browser settings designed to block the installation and access of third-party cookies. Google settled a Federal Trade Commission (FTC) complaint relating to this conduct on August 9, 2012, paying a record $22.5 million civil penalty. For more information on the FTC settlement, see Legal Update, FTC Settles Privacy Complaints Against Google and Facebook.
The class action plaintiffs, made up of consumers who actively used web browser cookie blockers, alleged that Google used third-party cookies, placed whenever a user visited a website which contained an embedded Google advertisement, to track that user’s activity across different internet websites and create an advertising profile for that user. Google's privacy policy explicitly provided that using a web browser’s settings to block third-party cookies would effectively opt users out of Google's tracking cookies. Google also specifically assured Safari web browser users that, if the default settings were unchanged, they would effectively be opted out of its tracking cookies. Nonetheless, plaintiffs alleged, Google’s advertisements routinely tricked Safari and other web browsers into allowing tracking cookies by embedding fake, hidden forms to trigger an exception.
A number of plaintiffs filed putative class actions that were eventually consolidated into a single complaint, asserting:
- Federal law claims against all defendants under the:
- Wiretap Act (18 U.S.C. § 2510);
- Stored Communications Act (18 U.S.C. § 2701); and
- Computer Fraud & Abuse Act (18 U.S.C. § 1030).
- California state law claims against Google only, including claims under the:
- California Constitution's right to privacy; and
- tort of intrusion upon seclusion.
Google and the other defendants moved to dismiss the complaint for lack of Article III standing and for failure to state any claim. Holding that the allegations did not give rise to any of the stated claims, the district court dismissed the complaint, but in doing so, its opinion did not fully resolve the Article III standing concerns.
Outcome
On appeal, the Third Circuit considered the plaintiffs’ claims that the district court erred in dismissing their suit, ultimately affirming in part, vacating in part, and remanding the matter to the district court for further proceedings.
Article III Standing
Before considering the merits, the court addressed the argument that the plaintiffs did not have standing to bring any of the claims because they had not adequately alleged the tracking cookie placement caused them to suffer economic harm. The court held that economic loss is not the only way to establish standing. Injury-in-fact will also exist through an invasion of a legally protected interest that is both:
- Concrete and particularized.
- Actual or imminent, not conjectural or hypothetical.
The court held that the plaintiffs’ allegations that defendants placed tracking cookies directly on their personal computers when serving advertisements to their personal web browsers established standing for all of the plaintiffs' claims because the events described were concrete, particularized, and actual as to the plaintiffs. Determining whether the alleged conduct was sufficient to establish a statutory right violation or invasion of a legally protected interest was a separate issue that did not impact the court’s jurisdictional ability to hear the case.
Federal Statutory Claims
The court upheld the dismissals of all three federal claims on the grounds that the complaint's allegations did not meet the statutory requirements.
Federal Wiretap Act claims require a showing that the defendant intentionally intercepted (or tried or induced someone to intercept) the contents of an electronic communication using a device (18 U.S.C. § 2510). The Wiretap Act contains an exception, however, for a person who is a party to the communication (18 U.S.C. § 2511(2)(d)).
The district court dismissed the claim, holding that the information Google allegedly collected through its activities did not rise to the level of "content" under the Wiretap Act, because it was just metadata or routing information. The Third Circuit disagreed and rejected the argument that Universal Resource Locators (URLs) collected and tracked by the defendants were not considered content. It held:
- Metadata, such as dialing, routing, addressing, and signaling information can be considered content when the amount and type of information disclosed reveals substantive information.
- Website URLs often reflect the underlying content of the web page accessed or a user’s search terms and interests, so they reflect substantive information.
- Creating interest profiles about a plaintiff by acquiring and tracking the URLs they visited involved collecting some content within the meaning of the Wiretap Act.
The court upheld the dismissal, however, on the alternate ground that Google and the other defendants were parties to the internet communications that sent the content because they received the plaintiffs' URL content directly from the plaintiffs' browser as part of the normal internet communication protocols. They were thus a statutorily exempt party to the communication under Section 2511(2)(d) of the Wiretap Act.
Consistent with holdings from the US Courts of Appeals for the Ninth and Eleventh Circuits, the Third Circuit held that the Stored Communications Act, 18 U.S.C. Section 2701, does not apply to home computers of an end user.
The Computer Fraud & Abuse Act, 18 U.S.C. Section 1030, claim failed because the complaint did not adequately allege the statutorily required damage or loss. While the complaint did allege a clear and valuable market for the internet browsing history Google collected, it did not allege any facts suggesting that the plaintiffs would or could have participated in that information marketplace, or that Google’s actions prevented them from monetizing their information, or lowered its value. Without such a showing, the court held, there was no loss or damage, as those terms are defined by the statute.
California State Claims
Although the court dismissed most of the state law claims, it reinstated the plaintiff's freestanding California privacy claims, holding that Google’s alleged conduct could be the type of serious invasion of privacy contemplated by California law.
To state a claim under California’s common law tort of intrusion, a plaintiff must allege an intentional intrusion into a place, conversation, or matter, where:
- The plaintiff has a reasonable expectation of privacy.
- The intrusion occurs in a manner highly offensive to a reasonable person.
Similarly, claims based on California’s Constitutional right to privacy require a plaintiff to prove:
- A legally protected privacy interest.
- A reasonable expectation of privacy by the plaintiff.
- An intrusion so serious in nature, scope, and actual or potential impact that it constitutes an egregious breach of the social norms.
The court’s concern was not with cookies, tracking, or profiling in general, but with how Google allegedly accomplished the tracking in this case, noting, the alleged conduct raised different issues than tracking or disclosure, because it was characterized by deceit.
The court equated an activated cookie blocker to an express and clear denial of consent to use cookies and found it reasonable that a user, particularly in light of Google’s public statements, would not expect tracking of their personal activity. The allegedly surreptitious way that Google fooled the cookie blockers, combined with their public statements about how to block their tracking, was enough for the court to conclude Google’s conduct could be found highly offensive or an egregious breach of social norms.
Practical Implications
This decision is noteworthy because it is a reminder that States, such as California, often take a leading role in addressing privacy issues and may be a preferable forum for consumer actions against companies who mislead the public about their privacy practices. It is also a good reminder that companies should actively manage and regularly update their privacy policies to ensure those public statements accurately reflect the company's practices.