Case Summary and Outcome

The present case is a consolidated class action against several Internet advertisement services and Google. The lawsuit initially arose out of a report published in 2012 by the Wall Street Journal: “Google’s iPhone Tracking: Web Giant, Others Bypassed Apple Browser Settings for Guarding Privacy,” which alleged that Google and several Internet advertisement companies had circumvented the users’ web browsers, Apple’s Safari and Microsoft’s Internet Explorer, by placing tracking cookies capable of monitoring web activities for individualized or targeted advertising purposes.

The plaintiffs asserted three federal law claims under the Wiretap Act, the Stored Communications Act, and the Computer Fraud and Abuse Act. The lawsuit also involved six California state law claims against Google only, including the violation of privacy rights and the state’s Comprehensive Computer Data Access.  In October 2013, the U.S. District Court for the District of Delaware granted the defendants’ motion to dismiss for failure to state a claim. In November 2015, the U.S. Third Circuit Court of Appeals affirmed in part, vacated in part, and remanded to the district court for additional proceedings. It affirmed the dismissal of the plaintiffs’ claim under the federal Wiretap Act on the ground that the defendants were parties to all electronic transmissions communicated directly with the plaintiffs’ web browsers. It also sided with the district court’s finding that the plaintiffs had failed to allege cognizable losses as required by the Computer Fraud and Abuse Act. The Court, however, vacated the dismissal of the plaintiffs’ California privacy claims against Google on the ground that a reasonable jury could find the company’s act of bypassing the tracking cookie blockers as a serious invasion of privacy contemplated by California law.

Facts

The act of placing individualized advertisements on Internet users’ visited webpages are now a common practice. The so called tracking cookies installed on web browsers enable the advertising companies to track or monitor Internet activities in order to populate certain goods or services likely to purchased by users. To prevent this practice, major web browsers, Apple’s Safari and Microsoft’s Internet Explorer, have designed built-in features that block tracking cookies. For instance, Safari offers an “opt-out” cookie blocker, which is activated by default. Internet Explorer, instead, provides an “opt-in” cookie blocker, giving its customers the option to activate this feature. Google also offers a method similar to Apple’s Safari that when downloaded, it would prevent the installation of tracking cookies.

But in 2012, the Wall Street Journal published an article, disclosing Google’s use of certain codes to bypass the customers’ cookie blockers. It alleged that “Google and other advertising companies [had] been bypassing the privacy settings of millions of people using Apple Inc.‘s Web browser on their iPhones and computers—tracking the web browsing habits of people who intended for that kind of monitoring to be blocked.” Subsequently, the U.S. Department of Justice filed a lawsuit under the Federal Trade Commission’s authorizing statute, which was resolved by a $22.5 million civil penalty. Google later reached a $17 million settlement with 38 states.

The present complaint involves a consolidated class action brought by individual Internet users against Google and several advertisement services. In October 2013, the U.S. District Court for the District of Delaware dismissed the complaint for failure to state a claim upon which a relief could be granted. The plaintiffs then appealed the dismissal to the U.S. Third Circuit Court of Appeals.

Decision Overview

Circuit Judge Fuentes delivered the opinion of the Court.

As to the procedural aspect of the case, the Court found the plaintiffs with the standing to bring their consolidated actions before the federal court. It ruled that allegations asserted in the complaint were “concrete, particularized, and actual.”

Substantively, the Court first addressed whether the plaintiffs successfully asserted a violation of the federal Wiretap Act, the prima facie of which must show that the defendant: (1) intentionally (2) intercepted, endeavored to intercept or procured another person to intercept or endeavor to intercept (3) the contents of (4) an electronic communication, (5) using a device.” As evidenced by its required elements, the statute only prohibits the interception of a communication’s contents rather than non-content information. While acknowledging that the line to distinguish between these two types of information can be inherently relative, the Court sided with the U.S. Surveillance Court that detailed URLs collected by Internet companies can reveal content information, such as search engine inquiries. Because the plaintiffs alleged that Google and advertising services used a broad scheme to acquire and track their Internet usage, the Court ruled that the defendants had collected electronic communications within the meaning of the Act.

As an exception to the statute, however, the defendants argued that even if they had collected the plaintiffs’ Internet activities, they were not in violation on the basis of Section 2511(2)(d) of Act, which provides that “[i]t shall not be unlawful . . . for a person not acting under color of law to intercept a wire, oral, or electronic communication where such person is a party to the communication . . . unless such communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.” The defendants explained that they were intended recipients of and thus parties to any electronic communications that they monitored or tracked, and that they did not commit any criminal or tortious acts. The Court ruled that because the plaintiffs’ web browsers directly sent “GET” request to third party companies charged with serving the advertisements for webpages being visited, the defendants were the intended recipients. It accordingly affirmed the district court’s dismissal of the plaintiffs’ Wiretap Act claim.

Next, the Court assessed whether the defendants had violated the Stored Communications Act of 1986. To state a claim under the Act, a plaintiff must show that the defendant “(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system.” The Court agreed with the district court’s finding that the Act is only intended to protect providers of a communication service, such as telephone companies or Internet service providers. Therefore, it affirmed the dismissal on the ground that the plaintiffs’ personal competing devices could not be interpreted as a “facility” under the Act.

The Court then examined the plaintiffs’ third federal claim of Computer Fraud and Abuse Act, which provides a cause of action against a third party who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.” The Court agreed with the particularity of the loss or damage intended to compensate under the Act, which includes “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” Here, the Court sided with the district court that the plaintiffs had failed to allege that they, for example, “ever participated or intended to participate in the market they identify, or that the defendants prevented them from capturing the full value of their internet usage information for themselves.”

Lastly, the Court analyzed the plaintiffs’ California state claims against Google. First, the Court turned to the privacy claims under both tort common law and California Constitution. It followed the California Supreme Court’s dual inquiry of examining “(1) the nature of the alleged intrusion, and (2) the offensiveness or seriousness of the intrusion, including any justification and other relevant interests.” The Court held that because the plaintiffs’ tracking cookies blockers clearly expressed the denial of consent for installation of cookies, Google’s act of bypassing blockers amounted to an intrusion upon reasonable expectation of privacy. As to the seriousness of such intrusion, the Court took into account how Google bypassed the plaintiffs’ cookie blockers, but at the same time, its privacy policy informed users that they could reset their web browsers to refuse all cookies. It concluded that “a reasonable jury could conclude that Google’s alleged practices constitute the serious invasion of privacy contemplated by California law.”

As to the plaintiffs’ claim against Google for violation of California Invasion of Privacy Act, which mirrors the federal Wiretap Act, the Court affirmed the dismissal for the same reasons stated for the claim under the Wiretap Act. The Court then affirmed the district court’s dismissal of the remaining state law claims against Google, including their claims under California Unfair Competition Law, and the Consumers Legal Remedies Act.