Considering Consumer Privacy

Internet Privacy Litigation And The Current Normative Rules of Internet Privacy Protection

Seth Richard Lesser, Partner
Gene Locks, LLC

The last three years have seen the rise and fall of a concerted effort by private litigants to use existing laws protecting privacy to obtain a higher level of Internet privacy protection than the free market otherwise has provided. Depending on one's perspective, the results of this litigation have different implications. On the one hand, the private lawsuits – most of which have now settled – led to improvements in some companies' privacy protection policies. While the improved policies have been fairly described as state of the art or industry leading, they still fall short of the goals of dedicated advocates for privacy protection.

On the other, more positive, hand, there can be no question that the private lawsuits – part of a wider expression of public concern about privacy in 1999-2000 – raised the consciousness of Internet companies about the importance of privacy to their relationship with consumers. As a result, privacy policies are now ubiquitous and of a markedly higher quality than previously. Now, virtually every significant Internet company has appointed an officer responsible for privacy matters. Most significantly, blatant disregard of Internet user privacy no longer appears a viable option for Internet businesses.

In this article, I provide my personal view of the litigation, based on my role as lead or co-lead counsel for the plaintiffs in some of the most prominent Internet privacy cases, including, among others, Supnick v. Amazon.com, Inc., No. C00-0221P (W.D. Wash.); In re DoubleClick, Inc. Privacy Litigation, No. 00-CIV-0641 (NRB) (S.D.N.Y.); and Chance v. Avenue A, Inc., No. C00-1964 C (W.D. Wash.), three cases I specifically discuss herein.[1]

Background

Four years ago, Internet privacy received scant attention outside of a fairly small group of legal academics and some individuals in the Internet community. By late 1999, privacy became a matter of significant public concern, as advocacy groups such as the Electronic Privacy Information Center (EPIC), the Electronic Frontier Foundation (EFF), and Privacy Rights Clearinghouse focused attention on the issue. At the same time, the explosive growth of the Internet conjoined with publicized disclosures of supposed Internet privacy violations by such leading Internet companies as RealNetworks and DoubleClick sparked widespread attention. State attorneys general announced prosecutions and formed task forces; members of Congress spoke out and held hearings; and privacy became cover story material for publications like Newsweek and The New York Times Magazine. Additionally, individuals approached firms like mine to bring cases that led, in late 1999 and early 2000, to the filing of a number of class action lawsuits against Internet companies for alleged violations of privacy.

Not surprisingly, the filing of class actions and their attendant publicity only heightened media attention on the topic of privacy. To many – including me – it appeared a critical moment of decision. Would our Internet future include significant privacy protection or would it be limited to the constraints obtainable by whatever demand the marketplace would create for privacy?

The class action lawsuits essentially fell into two categories: (1) allegations that companies compiled information about their customers in violation of what they had represented to their customers (cases against Alexa Internet/Amazon.com, Buy.com, and Toys-R-Us) or surreptitiously collected information about what their customers were doing (Intuit, RealNetworks)[2] or (2) claims that third-party ad-serving or Internet traffic analysis companies collected information surreptitiously about Internet users (DoubleClick, Avenue A, Matchlogic/At Home and Pharmatrak).[3] The defendants' actions were presented as particularly egregious because most Internet users did not know that their actions or movements across the Internet were being tracked, and sometimes did not even know of the companies that were doing the tracking. In the case of DoubleClick, the highest-profile Internet ad serving company, the potential merging of the Abacus off-line demographic database (for which DoubleClick had paid over $1 billion) with Internet user information created a specter of an invasive, content-rich Big Browser that would be able to look over virtually all Internet users' shoulders as they surfed the Internet. The ad-serving cases attracted the most attention as they specifically raised the issue of the collection and use of Internet browsing behavior by anonymous companies – that is, companies of which the Internet user was unaware and with which the Internet user had no known relationship.

The Litigation Record

Initially, some of the litigations moved forward successfully. In the Alexa Internet/Amazon.com case, a federal court in May 2000 certified a nationwide class of litigants comprised of users of Alexa's web browsing software about whom Alexa had retained personal information contrary to the representations of Alexa's privacy policy. Without admitting liability, Alexa Internet and its parent Amazon.com settled the case by paying $40 to users of Alexa's web browsing software and money awards to programs and organizations concerned with Internet public privacy issues. Ultimately, over $1.9 million was distributed to seventeen such programs.[4]

Other cases, particularly those against the Internet ad-serving entities (DoubleClick, Matchlogic, Avenue A) proved more problematic. The problems arose on several levels.

First, a great deal of the wind was taken out of the pro-privacy sails when, in the spring of 2001, the Federal Trade Commission announced its approval of the NAI Principles, the negotiated principles that the Network Advertising Initiative – a group of Internet advertisers – had reached with the Federal Trade Commission (FTC). The NAI negotiations had pre-dated the late 1999-early 2000 explosion of interest in Internet privacy. To many privacy advocates, the NAI principles were a weak compromise position and, indeed, they appear to some to be a sell out by the FTC to a business interest group. Although the NAI principles did not provide any legal defense to the Internet companies, they bore the imprimatur of the government, and as a result their psychic impact on the privacy debate was considerable. With the change in administrations in 2001 and the diminishing likelihood that Congress would pass Internet privacy legislation, the matter faded from public debate.

The impact of the NAI principles was particularly pronounced because of the way in which they make obtaining injunctive relief unlikely. As one of the primary aims of the litigation was to compel changes in the ways the defendants do business, FTC approval of a set of standards made it significantly more difficult to argue to a judge that the defendants violated the laws in a way that required judicially-imposed standards higher than those to which the FTC had agreed.

The challenge to obtaining injunctive relief was compounded by the fact that while a number of the defendants had placed themselves in the position of being able to exploit the clickstream data they had obtained, none of the companies had actually done so. DoubleClick, for example, defused the issues presented by its Abacus acquisition by announcing that it would not combine its on-line database with the Abacus information. While indications existed that at least some of the defendants may have intended to create Internet user databases, none of the companies would admit to it and, most certainly, none of the companies profited from what they had collected.

Second, the Internet bubble burst. The New Economy was no longer as formidable or revolutionary a force. The collapse of the value of Internet companies diminished their ability and willingness to countenance lawsuit resolutions that would involve either the payment of money or costly programmatic corporate policy changes.

Third, and most significantly, the foregoing developments were compounded by a series of legal defeats. As noted, the Internet advertiser cases primarily challenged the collection of information about Internet users without their knowledge and consent. The greatest monetary threat the cases posed to the defendants was found in the statutory $100 - $1,000 per violation penalties provided by the federal Wiretap statute (18 U.S.C. § 2511 et seq.) and the federal anti-hacker statute prohibiting interference with stored electronic communications (18 U.S.C. § 2701 et seq.). The application of these acts, as well as the federal Computer Fraud and Abuse Act, 18 U.S.C. § 1030, to Internet activities was entirely untested. In March 2001, the federal court hearing the DoubleClick case dismissed it with an 80-page decision (154 F. Supp. 2d 497 (S.D.N.Y. 2001)). Not long thereafter, another federal court – the one hearing the Avenue A case – essentially followed the DoubleClick decision and threw out the Avenue A litigation (165 F. Supp. 2d 1153 (W.D. Wash. 2001)).

Aspects of these two court opinions – and several other less-publicized decisions – appear questionable and are being appealed. The essential theme of the decisions, however, is that the challenged Internet collection activities do not fit comfortably within the confines of the federal acts, which were written to address activities that predate the Internet. The DoubleClick decision specifically noted that the surreptitious kind of collection activities being challenged were not covered by the federal statutes. These decisions have proven potent as precedent in the hands of defendants in Internet privacy cases. In the Pharmatrak litigation, for instance, although the facts were markedly different from those in the DoubleClick case, the court followed that decision in a mechanical manner and dismissed the action.[5] (An appeal in the Pharmatrak case is now pending before the federal court of appeals.)

One remaining route to challenging Internet advertiser activity lay in pursuing common law state court remedies such as invasion of privacy and trespass to chattels. In both the DoubleClick and Avenue A situations, in fact, even after the federal courts had dismissed the cases before them, the state court cases remained pending. The state court cases, however, faced two serious impediments.

The validity of the legal basis for asserting this point appears open to lawyerly debate. However, the costs of continuing expensive class action lawsuits are burdensome and not insignificant if the answer is that the damages are non-existent, nominal or minimal.[6]

Given the defeats in the federal courts and the impediments facing claims under state law, most of the Internet privacy cases have settled for programmatic relief – that is, the defendants have agreed to abide by higher privacy protocols.[7]

As best as can be discerned, no Internet privacy class action of the type filed in the 1999-2000 time frame has been filed since. Just as Internet privacy as a matter of concerted public attention has passed, so, too, has the wave of private litigant cases. Another wave seems unlikely. There will be individual actions against companies that cross the lines now established: entities that disregard their privacy policies or who wiggle so far from their policy's representations that the policy becomes fraudulent and deceptive. Or a company may stretch too far to obtain and then profit from clickstream data in a deceptive manner. Other, more precise statutory provisions such as the Cable Communications Policy Act may lead to privacy claims.

In retrospect, what has resulted is a matter of perspective. Undoubtedly, the private class actions played a significant role in causing the sea change of opinion among Internet and Internet-active companies concerning privacy. The mere threat of a class action lawsuit was alone sufficient to capture the attention of top in-house legal counsel and allocate funding to correct a company's privacy policy or to rectify in-house practices. Privacy is no longer taken for granted. Protection of their customers' privacy is now a matter of serious concern for companies.

On the other hand, the current laws did not provide sufficient rights to establish a basis for obtaining a heightened regime of privacy protection. To individuals (such as myself) who would like to have an Internet world of significant protection, the results of the litigation represent an incremental step, but not what might have been wished for. The present regime in the United States is far less protective of privacy than that in Europe and places great reliance on private action. At the core, in America, Internet privacy is now primarily set by individual web sites that express their position through posted privacy policies. The normative rule is not that companies are required to respect privacy, but that they can set their own standards through what they post.

This is, in essence, a contractual regime and, accordingly, is an inherently adversarial one. Because it is a private regime, the rules will be determined by disclosures and, because the disclosures are made in an impersonal, adhesion context, the question of consent rests upon legal suppositions. The fact is that consent by Internet users to the contract – i.e., the posted policies and rules – is, or at least probably is, a fiction. For every company that is responsible and protective of privacy, there will be a company whose rules will be written by lawyers instructed (at least implicitly, if not explicitly) to appear to say as much as possible but to bind their clients to as little as possible. All too often, privacy policies contain language that may sound good but that hides loopholes and technical subtleties. Even if most Internet users spent the inordinate amount of time it takes to review privacy policies, they still would substantially remain in the dark. Rather than operate in a regime of trust, Internet users can – and should – only proceed at their own risk. They simply cannot reasonably know whether their Internet use will take them into contact with companies that actually respect their privacy or with companies who, at best, only pay lip service to privacy. Whether this regime is one that is the best or most efficient for our society, I question. It is, however, the one with which we now live.

What was made clear by the litigation of the cases, reinforced by the FTC's ultimate acquiescence to the NAI guidelines, and underscored by the current contract regime, is the importance of a private right of action to protect whatever privacy interests exist. Although no company likes to receive inquiries from government investigators, the reality is that it is often the threat of private litigation that prompts corporations to take notice. Most certainly, the class actions did so here.

Insofar as, going forward, the privacy matters that arise will be in the nature of breach of privacy policy claims, it seems doubtful that government enforcement actions will follow. More egregious instances of consumer fraud will consume already-stretched entities like the FTC or state attorneys general offices. The FTC will continue to pursue the worst privacy offenders but the most likely offenders will be companies that, under guise of privacy policy obfuscation, have acted wrongfully. Such less than clear-cut cases are not likely to obtain much in the way of enforcement resources. The lesson is that the threat – and, sometimes, the reality – of private enforcement mechanisms is necessary to deter wrongdoing. Where the regime is a private contractual one, those mechanisms are particularly appropriate and necessary.

Notes

[1] The views expressed in this paper are entirely my own.

[2] Wiesman v. Buy.com, No. SA CV 00-447 AHS (C.D. Cal.); In re Toys R Us, Inc., No. M-00-1381 MMC (N.D. Cal.); In re Intuit Privacy Litig., 138 F. Supp. 2d 1272 (C.D. Cal. 2001); In re RealNetworks, Inc. Privacy Litig., No. 00-C-1366 (N.D. Ill.).

[3] In re Matchlogic, Inc. Privacy Litig., No. 00-K-2289 (D. Co.); In re Pharmatrak, Inc. Privacy Litig., No. 00-11672-JLT (D. Mass.).

[4] Included among the recipients was the Center for Democracy and Technology.

[5] 220 F. Supp. 2d 4 (D. Mass. 2002).

[6] As the defendants had not actually sold or utilized the information, plaintiffs could not argue that the defendants' gain was the class' loss.

[7] The DoubleClick settlement was approved by the federal court and is final. Avenue A's remains pending for approval by the federal court. The cases are similar. In DoubleClick's case, the company agreed to a series of programmatic privacy protections that went beyond the NAI principles to which the company had earlier subscribed. For example, it agreed to ensure that its privacy statements were clear, it limited access by employees and vendors to computer files that could contain information about Internet users, it agreed to regularly purge computer files that contained clickstream data, it agreed that online data would only be used in manners consistent with the privacy policy in effect at the time of collection, it limited its cookie's life, it purged databases that might have contained certain information, it agreed that the merger of personally identifiable information with non-personally identifiable information would be pursuant to affirmative opt-in following clear and conspicuous notice at time of entry of the personally identifiable information, it paid for a large public Internet information campaign and it would have accountant review of compliance with the terms of the settlements. No money was obtained for individual consumers or for Internet policy groups (as in Alexa/Amazon.com) and while the plaintiffs' attorneys obtained payment for their work, what they received was, in the end, less than half of the time and money they had put into the litigation.



Copyright © 2005 by Center for Democracy and Technology.
The content throughout this Web site that originates with CDT can be freely copied and used as long as you make no substantive changes and clearly give us credit. Details.