Internet Library of Law
and Court Decisions

In Re Pharmatrak, Inc. Privacy Litigation

Court grants defendants' motion for summary judgment, and dismisses plaintiffs' claims under the Electronic Communications Privacy Act ("ECPA") and the Computer Fraud and Abuse Act ("CFAA") arising out defendant Pharmatrak's monitoring of plaintiffs' activities on the web sites of various pharmaceutical companies.  With the authorization of these pharmaceutical companies, who were also named as defendants in this litigation, defendant Pharmatrak placed software on their web sites which enabled Pharmatrak to gather information submitted by the plaintiffs to, and to track their activities at, these sites.  Pharmatrak's software also enabled Pharmatrak to gather information both about the web site plaintiffs visited immediately prior to their visit to defendants' sites, as well as the search plaintiffs conducted to get to defendants' sites.  According to plaintiffs, the information Pharmatrak gathered included personally identifiable information, although there was no evidence that Pharmatrak disseminated anything other than aggregated non-personally identifiable information to third parties.

The Court held that defendants did not violate Title I of the ECPA, the Wire Tap Act, because they qualified for the protection of Section 2511(2)(d) of the ECPA, which permits interception of a communication when it is authorized by one of the participants in the communication, provided the interception is not undertaken for a tortuous or criminal purpose.  Defendants were permitted to intercept the communications at issue because (a) the pharmaceutical defendants which participated in them had authorized such interception, and (b) there was no evidence that such interception was done for an improper purpose.

The Court dismissed plaintiffs' claims under Title II of the ECPA, the Stored Communications Act, both because the devices defendants accessed, plaintiffs' PCs, were not protected "facilities" under the Stored Communications Act, and because the pharmaceutical defendants consented to accessing the communications at issue.

Lastly, the Court dismissed the claims plaintiffs raised under the Computer Fraud and Abuse Act, because plaintiffs did not sustain damages sufficient to meet the damage threshold requirements of that statute.

Various pharmaceutical companies engaged defendant Pharmatrak to monitor user activities on their web sites.  Pharmatrak accomplished this task by placing software on defendants' web sites with defendants' consent.  When an individual requested information from defendants' web sites, this software, through the use of web bugs, cookies and other programming devices, caused the user's computer to communicate both with the servers housing the pharmaceutical company web sites they sought to visit, as well as with servers operated by Pharmatrak. With these tools in place, Pharmatrak was able to track plaintiffs' activities on defendants' web sites, including the length of time spent at the sites, and the pages they visited.  This software also enabled Pharmatrak to ascertain the URL of the web sites plaintiffs visited just prior to their visit to defendants' sites, as well as the "query string" of any search plaintiffs conducted to get to defendants' site. Pharmatrak was also able to obtain information plaintiffs submitted to defendants' sites.  Plaintiffs asserted that the information Pharmatrak collected included personally identifiable information, such as names, addresses, and telephone numbers, despite their agreement with the Pharmaceutical defendants not to collect such information.  There was no evidence, however, that Pharmatrak either disseminated such personally identifiable information, or assembled a data base containing it.  Instead, it appeared that Pharmatrak only supplied its clients with aggregated, non-personally identifiable information.

Contending that defendants' activities violated both the Electronic Communications Privacy Act and the Computer Fraud and Abuse Act, plaintiffs brought suit.  Finding their claims without merit, the Court granted defendants' motion for summary judgment, and dismissed plaintiffs' complaint.

Title I of the ECPA, the Wire Tap Act, prohibits the interception of electronic communications.  However, under Section 2511(2)(d) of the statute: "It shall not be unlawful ... to intercept a[n] ... electronic communication ... where one of the parties of the communication has given prior consent to such interception unless such communication is intercepted for the purpose of committing any criminal or tortuous act ...".  The court held that by authorizing Pharmatrak to put its Netcompare software on their sites, the Pharmaceutical defendants consented to the interception accomplished by that software of plaintiffs' communications with defendants' sites.  This was true, despite the fact that these defendants did not authorize the gathering of personally identifiable information accomplished by this software.  Said the Court: 

Plaintiffs concede that the Pharmaceutical Defendants consented to the placement of code for Pharmatrak's Netcompare service on their web sites.  As was the case in DoubleClick and Avenue A, the web site Defendants (here, the Pharmaceutical defendants) consented to the service of a web-monitoring company (Pharmatrak), and such consent precludes a claim under the Wiretap Act. ... Despite Plaintiffs' valiant attempts to shift the inquiry, it is irrelevant for the purposes of the Wiretap Act whether the Pharmaceutical Defendants knew the precise mechanisms of Pharmatrak's service or not.  It is sufficient that the Pharmaceutical Defendants were parties to communications with Plaintiffs and consented to the monitoring service provided by Defendant Pharmatrak.

Because the Pharmaceutical defendants had consented to the interception of the communications in question, and because there was no evidence that such interception was done for an improper purpose, the Court dismissed plaintiffs' claims under the Wire Tap Act.

The court also dismissed plaintiffs' claim under Title II of the ECPA, the Stored Communication Act.  That Act is triggered by improper accessing of a "facility through which an electronic communication service is provided."  The Court held that personal PCs are not facilities within the meaning of the statute, and accordingly dismissed plaintiffs' Stored Communication Act claims.  Said the Court:

Defendants are correct that an individual Plaintiff's personal computer is not a "facility through which an electronic communication service is provided" for the purposes of §2701. ... The relevant service is Internet access, and the service is provided through ISPs or other servers, not through Plaintiffs' PCs.

Plaintiffs' Stored Communications Act claims also failed because defendants authorized access to the intercepted communications in questions.

The Court further held that the ECPA does not prohibit Pharmatrak from placing cookies in plaintiffs' computers in the circumstances of this case.  Said the Court:

This court agrees with the DoubleClick court that "Title II only protects electronic communications stored 'for a limited time' in the 'middle' of a transmission, i.e. when an electronic communication service temporarily stores a communication while waiting to store it".  Even if such cookies were covered by the ECPA, Pharmatrak created and sent the cookies, and thus any accessing of the cookies by Pharmatrak at a later date would certainly be "authorized".  Because Pharmatrak's cookies fall outside the scope of §2701, Plaintiff's claim under that section must fail. 

Lastly, the Court dismissed plaintiffs' Computer Fraud and Abuse Act claims.  The CFAA provides for recovery from those who intentionally access a computer without authorization and thereby obtain information "if the conduct involved an interstate or foreign communication."  However, the CFAA limits recovery to those persons who suffer "damage or loss by reason of a violation of the Act."  The Court noted that "loss" was undefined in the CFAA and there was a question as to whether a loss arising out of an invasion of privacy was a "loss" covered by the statute.  Without resolving this issue, the court dismissed plaintiffs' CFAA claims, finding that plaintiffs did not meet the threshold requirements of the CFAA, whatever type of damage or loss was covered thereby.  Said the Court:

Plaintiffs have not shown any evidence whatsoever that Defendants have caused them at least $5,000 of damage or loss.  Even accepting Mr. Curtin's bald assertion that "[d]ata about people are valuable, marketable assets," plaintiffs are unable to meet the statutory threshold.