Designer Skin LLC v. S & L Vitamins, Inc., et al.
In re Doubleclick Inc. Privacy Litigation
154 F. Supp.2d 497, 00 Civ. 0641 (S.D.N.Y., March 28, 2001)
Court dismisses claims advanced by the plaintiff class under the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, and the Wiretap Act arising out of Doubleclick's use and placement of "cookies" on plaintiffs' computers. Doubleclick uses such "cookies" to gather information about the users' use of Doubleclick client web sites. Because Doubleclick's clients consented to such information gathering, the court held that Doubleclick's activities did not run afoul of either the Electronic Communications Privacy Act or the Wiretap Act. The court also dismissed the claims plaintiffs advanced under the Computer Fraud and Abuse Act because any damages caused by Doubleclick's activities did not meet the threshold required by the Computer Fraud and Abuse Act. Finally, the court, having dismissed all of plaintiffs' federal claims, declined to retain jurisdiction over plaintiffs' state law claims, and dismissed the action.
Doubleclick uses "cookies" it places on users' computers to gather information about the user, and to provide that user with online advertising it believes will interest that user. According to the court's decision, Doubleclick only gathers information concerning a user's activities on a Doubleclick affiliated web site. It does not access information on a user's own computer.
The information Doubleclick gathers falls into three categories, described by the court as Get, Post and GIF. Typically a user accesses a Doubleclick client web site in response to a query to a search engine. Doubleclick will gather information contained in this query string, known as Get information (get me information about ....). Doubleclick will also gather information about a user that he posts to a Doubleclick web site in response to a query by the site, such as a request for that user's name and e-mail address. Lastly, Doubleclick will use a GIF tag to track the users' movements thru the client web site, such as the pages in the site the user visited. Doubleclick will gather this information as well.
Doubleclick will use this information to select the advertising the user will see when he visits a Doubleclick client web site. The user will send a command seeking access to a web site. The command will go to the servers housing that web site, which will deliver the site's contents, minus advertising, to the user. The user will also receive a link that instructs the user's computer to send a communication automatically to Doubleclick's servers. This will cause the user's computer to send a communication to Doubleclick's servers, which communication provides the number of the cookie Doubleclick has placed on the user's computer. Doubleclick uses this information to identify the user and determine the appropriate advertising to present to him. Doubleclick then causes that advertising to appear on the web site the user sought by sending it to his computer. In addition, Doubleclick will update the users' profile with information of the type noted above that is gathered during this particular web site query.
Users can prevent Doubleclick from obtaining this information by visiting Doubleclick's web site and requesting an opt-out cookie, or by configuring their browsers so as to prevent any cookies from being placed on their computers.
Claiming that this conduct violated the Electronic Communications Privacy Act, 18 U.S.C. Section 2701 et seq. ("ECPA"), the Wiretap Act, 18 U.S.C. Section 2510, et seq., and the Computer Fraud and Abuse Act, 18 U.S.C. Section 1030, et seq. ("CFAA"), plaintiffs commenced this class action suit. Plaintiffs also asserted a number of state law claims, including invasion of privacy and trespass.
Finding that plaintiffs' federal claims lacked merit, the court dismissed them with prejudice. The court also declined to retain jurisdiction over plaintiffs' state law claims, and dismissed the balance of the action.
It is a violation of the ECPA to "access without authorization a facility through which an electronic information service is provided ... and thereby obtain ... access to a wire or electronic communication while it is in electronic storage in such system ...". The statute contains an express exception, however, exempting from its coverage "conduct authorized ... (2) by a user of that service with respect to a communication of or intended for that user." 18 U.S.C. 2701(c)(2).
Doubleclick argued that its conduct was exempt from the ECPA because it was authorized by its clients, to whom plaintiffs' communications were directed. The court agreed, and dismissed plaintiffs' ECPA claims. The court found that the facility through which the electronic information services at issue (communications between plaintiffs and the Doubleclick client web sites) was provided was the service by which plaintiffs were provided access to the Internet from their home or other pcs. The court further found that Doubleclick's client web sites were authorized users of those services. Lastly, the court found that each of the communications as to which Doubleclick gather information were communications addressed to its clients web sites (either seeking access to that web site (a Get), or a portion thereof (a Gif) or responding to a query on that web site (a post). As Doubleclick's clients authorized Doubleclick to access that information, the gathering in question was exempt from the ECPA. It should be noted that Doubleclick does not gather information from the users' computer, or any information other than that derived from the users' use of a Doubleclick client web site.
The court further held that accessing "cookie" identification numbers fell outside the ambit of the statute, because the statute only covered communications in "electronic storage", which relates only to communications "temporarily stored" ... "for a limited time." "The cookies long term residence on plaintiffs' hard drives place them outside of Section 2510(17)'s definition of 'electronic storage' and hence title II's protection."
"Any person who intentionally intercepts ... [an] electronic communication" violates the Wiretap Act. However, the statute contains an express exception for one who intercepts such a communication "where one of the parties to the communication has given prior consent to such interception unless such communication is intercepted for the purpose of committing any criminal or tortuous act ...".
The court held that Doubleclick had intercepted electronic communications between plaintiffs and Doubleclick's clients. However, the court further held that Doubleclick's client web sites had consented to such interception. Thus, Doubleclick's acts were exempt from the Wiretap Act provided the interception was not for the purpose of committing a criminal or tortuous act.
The court held that the mere fact that the interception of the communication allegedly amounted to a tortuous act (for example invasion of privacy) was insufficient to establish that the exemption did not apply. Rather, to establish that Doubleclick is not entitled to the protection of the exemption, plaintiffs must show that Doubleclick intercepted the communications for the purpose of committing a tortuous act. Because the court found that Doubleclick's purpose in accessing these communications was to make a profit via the provision of targeted advertising, and not the invasion of plaintiffs' privacy, it found that Doubleclick's conduct was exempt from prosecution under the Wiretap Act by operation of 18 U.S.C. section 2511(2)(d). Said the court:
In the instant case, plaintiffs clearly allege that Doubleclick has committed a number of torts. However, nowhere have they alleged that Doubleclick's "primary motivation" or a "determining factor" in its actions had been to injure plaintiffs tortuously. ... Doubleclick's purpose has plainly not been to perpetrate torts on millions of Internet users, but to make money by providing a valued service to commercial web sites. If any of its practices ultimately prove tortuous, then Doubleclick may be held liable for the resulting damage. However, a culpable mind does not accompany every tortuous act.
Lastly, the court held that plaintiffs could not establish a claim against Doubleclick for violating the CFAA because they could not establish the requisite damage thereunder.
It is a violation of the Act to "intentionally access a computer without authorization ... and thereby obtain ... information from any protected computer ...". However, the statute sets a damage threshold that must be met before a claim for damages can be pursued. Under the statute, 18 U.S.C. Section 1030(g), "any person who suffers damage or loss by reason of a violation of this section may maintain a civil action ... to obtain compensatory damages and injunctive relief or other equitable relief. Damages for violations involving damage as defined in section (e)(8)(A) are limited to economic damages ...". Under section 18 U.S.C. section 1030(e)(8), damage is defined as "any impairment to the integrity or availability of data, a program, a system or information that - (a) causes loss aggregating at least $5000 in value during any 1-year period to one or more individuals; (b) impairs medical care; (c) causes physical injury; (d) threatens public health or safety."
Plaintiffs argued that this damage threshold did not apply because it was inapplicable to a "loss" caused by Doubleclick's actions. As noted above, the statute creates a cause of action in any individual "who suffers damage or loss by reason of a violation ...". While the court conceded there was "ambiguous" and "inconsistent" language in the statute, it held that the Legislative history and existing case law indicated that whatever type of injury a plaintiff sustained, be it damage or loss, had to meet the statutory minimum.
The court held that in determining whether the CFAA's damage threshold was met, the court would look to the aggregate injury caused by a single act ("we find that damages and losses under section 1030(e)(8)(A) may only be aggregated across victims and over time for a single act"). The court analyzed the economic damages allegedly caused by Doubleclick's acts, and determined that they did not, for a single act, achieve the requisite threshold. In reaching this conclusion, the court relied in part on the ease by which plaintiffs, for free, could prevent Doubleclick placing cookies on their personal computers. The court accordingly dismissed plaintiffs' CFAA claims.