Starting in 2010, class action plaintiffs began filing lawsuits alleging that internet website providers violated their privacy through the use of “Flash Cookies” (also referred to as “Local Shared Objects”). These lawsuits have focused on the online tracking that can occur when Flash Cookies are used. Flash Cookies are similar to conventional browser cookies in that they are used to personalize a consumer’s experience by collecting and using information about what pages and content a consumer has looked at, when the consumer visited, what the consumer searched for, and whether the consumer clicked on an ad.1 This information can then be used to benefit the consumer with a more relevant experience online. However, the controversy that has been raised relates not so much to the use of the Flash Cookies for serving advertisements, but rather, unlike conventional cookies Flash Cookies can hold much more data, are more difficult to remove and result in profiles being created about the consumer.
Plaintiffs and consumer groups assert that harm has occurred in various ways when Flash Cookies are used to track consumers and collect data personal information that is used to create consumer profile for marketing and other purposes. The federal courts, however, have questioned whether there is actual or imminent injury in fact, but are willing to be convinced. More important, the federal courts have dismissed cases because plaintiffs have failed to meet the $5,000 loss requirement for a claim under the Computer Fraud and Abuse Act. After running into these obstacles, plaintiffs have migrated to state court.
This article will first discuss cases that have been brought in federal court asserting privacy violations thru the use of Flash Cookies. It will next turn to similar state court actions that rely on stipulations to limit damages. Finally, it will examine the decision of the United States Supreme Court to grant cert in The Standard Fire Insurance Company v. Knowles, a case that will address the question of whether named plaintiffs’ counsel can stipulate that the damages for the class will not reach $5 million to avoid removal to federal court under the Class Action Fairness Act (“CAFA”) – an integral component of the litigation strategy of class action plaintiffs in the state cases.
A. Flash Cookie Class Action Cases in Federal Court
When class actions asserting violations thru use of Flash Cookies first started, plaintiffs brought suit in federal court using the Computer Fraud and Abuse Act (“CFAA”) as their federal question jurisdiction hook.2 In these lawsuits, the plaintiffs also included a variety of state statutory and common law causes of action. The CFAA allows a private plaintiff to bring a civil lawsuit if, for example, a person “knowingly causes the transmission of a program, information, code or command, and as a result of such conduct, intentionally causes damage without authorization, to a protected computer.”3 However, CFAA also requires a civil plaintiff to show that the aggregate “loss” to “1 or more persons during any 1- year period” is “at least $5,000 in value.”4
Filed on August 18, 2010, In re Specific Media Flash Cookie Litigation5 was one of the earliest6 federal cases that followed this pleading pattern.
The plaintiffs alleged that the defendants “use[d] Adobe Flash local shared objects to track class members’ use of the Internet without their knowledge or consent.”7 The plaintiffs further alleged that they “‘are persons who have set the privacy and security controls on their browsers to block third-party cookies and/or who periodically delete third-party cookies,’ and that they each had a ‘Flash cookie’ installed on their computer by Specific Media without their knowledge or consent.”8 The plaintiffs brought claims under CFAA, several California state statutes, and numerous common law claims.9
Defendant Specific Media moved to dismiss the First Consolidated Class Action Complaint10 contending that the court lacked subject matter jurisdiction because the plaintiffs lacked Article III standing; the plaintiffs failed to articulate an injury in fact.11 Specific Media contended that the plaintiffs did not plead that any named plaintiff was affected by Defendant’s alleged conduct, that any named plaintiff had been harmed economically, that the computers of any named plaintiff had been harmed, or that any named plaintiff had suffered a permanent loss.12 In addressing Specific Media’s standing argument, the court concluded: “[i]t is not obvious that Plaintiffs cannot articulate some actual or imminent injury in fact. It is just that at this point they haven’t offered a coherent and factually supported theory of what that injury might be.”13 Even though the court granted the defendant’s motion to dismiss,14 in the next pen stroke it gave the plaintiffs leave to amend.15
The court then noted some “defects” in the plaintiffs’ causes of action. Addressing the CFAA claim, the court pointed out that the issues of whether any plaintiff(s) suffered a $5000 loss, and whether the putative class member’s claims could be aggregated to reach the $5000 threshold might be detrimental to the plaintiffs’ claims.16 However, the court left these discussions “for another day.”17
Eventually, plaintiffs filed a Second Amended Complaint. After many extensions of time for the defendant to move to dismiss the Second Amended Class Action Consolidated Complaint, the case was dismissed by the plaintiffs with prejudice.18 The merits of the Second Amended Consolidated Complaint were never addressed.
Davis v. VideoEgg, Inc. followed soon after Specific Media, and was filed on September 23, 2010.19 In Davis, the Flash Cookie plaintiffs filed suit contending that the defendant “used or deposited Adobe Flash Local Shared Objects on the computers or devices of consumers visiting [its] websites; did so to circumvent such consumers’ attempts to block or delete browser cookies; did so to obtain or provide information from or about such consumers to track them; did so without providing such consumers adequate notice or choice; did so without such consumers’ consent; and did so contrary to their intent.”20 The plaintiffs brought a CFAA claim, five California state statutory claims, as well as common law claims for trespass to chattel and unjust enrichment.21
Soon after the suit was filed, the parties reached a settlement agreement, and the court certified, for purposes of settlement, a class “consisting of all persons in the United States who, during the Class Period visited any other internet site employing any of Defendants technologies involving the use of local shared objects stored in Adobe Flash Media local storage (LSOs).”22 The parties settled for $825,000.23 Each named plaintiff was awarded $1,500, while class counsel took home $206,250; the remainder (minus expenses) was used for a cy pres distribution to various consumer protection groups.24 Because of the early settlement, again, the merits of the plaintiff’s claims were never addressed.
The next, similar Flash Cookie class action brought was Sonal Bose v. Interclick, Inc. (December, 2010).25 In Bose, the named defendants included McDonald’s Corporation, CBS Corporation, Mazda Motor of America, Inc., Microsoft, and Does 1 to 50.
The defendants each filed motions to dismiss.26 The Court dismissed the plaintiff’s CFAA claim, because she could not meet the $5,000 loss requirement.27 Interestingly, to save her case from dismissal (as federal question jurisdiction was lost with the dismissal of CFAA), the plaintiff argued that the court maintained jurisdiction “under the Class Action Fairness Act of 2005, 28 U.S.C. § 1332 (hereinafter, “CAFA”), because the aggregate claims of Plaintiff and the proposed Class exceeded $5,000,0000, there is minimal diversity of citizenship between Defendants and the proposed Class, and the Class ... consist[s] of more than one hundred members.”28 In response, the court noted that the plaintiff’s “failure to meet the $5,000.00 threshold under the CFAA is not, as Defendants argue, necessarily fatal to Bose’s attempt to assert CAFA jurisdiction over her state law claims.”29 The court continued: “Damages under the CFAA are narrowly defined, and Plaintiff and the Class Members may be entitled to damages under state law that are not cognizable under the CFAA.”30 The court then went on to address each of the plaintiff’s state law claims including a violation of New York General Business Law Section 349 (broad consumer protection statute) claim, trespass to chattels, breach of implied contract, and tortious interference with a contract.
In support of her Section 349 claim, the plaintiff alleged: Defendant Interclick used LSOs and browser history sniffing code to circumvent consumers’ ordinary browser privacy and security settings on their computers. This conduct misled consumers into believing their digital information was private when in reality it was being tracked without their knowledge. Plaintiffs allege that consumers were harmed in that they suffered “the loss of privacy through the exposure of the [sic] personal and private information and evasion of privacy controls on their computers.”31
In addressing Interclick’s argument that, under Section 349, the plaintiff had not articulated an injury, the court found that “[a]lthough collection of personal information does not constitute ‘economic’ injury for purposes of the CFAA, courts have recognized similar privacy violations as injuries for purposes of Section 349.”32 Applying this reasoning, the court denied Interclick’s motion to dismiss the plaintiffs’ Section 349 claim. It also denied Interclick’s motion to dismiss the plaintiff’s trespass to chattels claims.33 The court dismissed all of the other defendants.
Less than a year after the decision was entered, at the request of the parties, the case was dismissed with prejudice. Again, the class was not certified, nor were the merits of the state law claims against Interclick tested.
In March, 2011, a fourth set of Flash Cookie plaintiffs filed a class action against Amazon.com.34 The court summarized the plaintiffs’ allegations as follows:
“Amazon’s conduct violated their legally protected property interests” in the exclusive use of “their computers and computer resources” and circumvented their “right to control the dissemination and use of personal information belonging to them, including sensitive information about their web browsing and shopping habits, purchases, and related transaction information, combined with their financial information such as credit and debit card information, and their mailing and billing addresses.” Plaintiffs contend that these injuries led to “several forms of economic injuries, all of which boil down to the failure to compensate Plaintiffs and Class members for the value of their personal information and computer assets that Amazon misappropriated through its various ‘exploits.’”35
The District Court for the Western District of Washington gave the plaintiffs three opportunities to file a complaint that would stick. Following the third attempt, the district court dismissed the plaintiffs’ CFAA claim because the plaintiffs were not able to allege a loss of more than $5000.36 Although not dismissing it, the court also commented, in discussing the merits of the plaintiffs’ unjust enrichment claim, that plaintiffs were not able “to plausibly allege any monetary detriment.”37 (The court did acknowledge that the plaintiffs had alleged that the value of their personal information was worth “an amount substantially in excess of 1/100th of one cent.”)38
The court allowed the plaintiffs to go forward with their Washington Consumer Protection Act and unjust enrichment claims even though the court commented that “it is very likely that [Amazon’s] ‘Conditions of Use and Privacy Notice’ disclose sufficient information to negate” those claims.39 On November 15, 2012, the court dismissed the case with prejudice, noting that the case was settled.40
On June 28, 2011, a plaintiff filed a class action lawsuit against AOL, Inc., Brightcove, Inc. and ScanScout, Inc.41 One of the defendants, ScanScout, Inc., filed a motion to dismiss42 arguing, in part, that the plaintiff lacked standing because she was not able to articulate any “actual injury caused by ScanScout” and that her injury, which was likely de minimis, could not give rise to Article III standing.43 ScanScout also contended that the plaintiff had not met CFAA’s $5,000 loss threshold.44 Before the court could issue a ruling, the plaintiff voluntarily dismissed her case.45
B. State Court Flash Cookie Class Action Cases
Although Flash Cookie class actions have been litigated in federal court for nearly two years, no federal court has ruled upon a motion for class certification. And, no federal court has reached the merits of the plaintiffs’ claims, either at summary judgment or trial. At most, federal courts have discussed the merits of the Flash Cookie plaintiffs’ claims solely when examining the merits of defendant’s motion to dismiss. But, because the plaintiffs have failed to establish federal question jurisdiction using CFAA, Flash Cookies plaintiffs have and begun to file Flash Cookie complaints in state court. In state court, plaintiffs hope to avoid the federal standing question and the CFAA’s loss requirement. These state law suits are based on state statutory and common law claims including: State consumer protection statutes, State privacy statutes, State computer crime/fraud statutes, State constitution invasion of privacy, Unfair Competition, Trespass to chattel, and Unjust Enrichment.
In the Arkansas state court case of Kimbrough v. Nordstrom, 46 for example, the plaintiffs alleged that Nordstrom covertly placed Flash Cookies “onto the computers of persons who view[ed] the Nordstrom website.”47 The plaintiffs alleged that they were harmed because their computer was contaminated and their computer performance was degraded. The plaintiffs brought claims under Arkansas state statutes and common law claims of civil theft, conversion, trespass, invasion of privacy, and unjust enrichment. In their Second Amended Class Action Complaint, the plaintiffs alleged that their total damages did not exceed $5,000,000 and that the “Plaintiffs and Class Members stipulate pursuant to Ark. Code Ann. § 16-63-221 that they do not and will not seek to recover an amount in excess of that amount.”48 The plaintiffs also attached sworn stipulations to the complaint in which the named plaintiffs stipulated that each did not intend to “seek or accept damages” for the class “in excess of $5,000,000.”49 No attempt was made to remove the case to federal court. Less than a year later, the parties settled for $590,000 in attorneys fees and $5,000 for each class representative.
Likewise, in Wood v. Macy’s, Inc.,50 in the Original Petition, the plaintiff pled that “the total damages of Plaintiff and Class Members, including of costs and attorneys’ fees, will not exceed $4,999,999 and is less than the five million dollar ($5,000,000) minimum threshold to create federal court jurisdiction.”51 Attached to the Original Petition were sworn and binding stipulations from the named plaintiff and from putative class counsel stipulating that they would not “seek or accept damages for the class in excess of $4,999,999 in the aggregate ”52
C. Stipulation of Damages
Faced with newly filed state court Flash Cookie class actions, website providers have attempted to remove the case to federal court under the Class Action Fairness Act (“CAFA”). CAFA provides for federal subject matter jurisdiction over qualifying class actions where, among other requirements, the aggregate amount in controversy exceeds $5 million. 28 U.S.C. § 1332(d). (Indeed, the plaintiff in Bose argued that CAFA allowed her case to remain in federal court even after her CFAA claim was dismissed.)
To avoid the strictures of federal court, class action plaintiffs (including those in Nordstrom and Macy’s) have been stipulating from the outset that their damages are less than $5 million. Defendants on the other hand have attacked such stipulations as violating the due process rights of the unrepresented class plaintiffs. Defendants have argued that such stipulations demonstrate that the class representation and class counsel are poor representatives of the proposed class.
The fate of these stipulations may soon be decided by the United States Supreme Court.
On August 31, 2012, the United States Supreme Court granted cert in the case of The Standard Fire Insurance Co. v. Knowles,53 an appeal out of the Eighth Circuit. The Court in Knowles will consider whether a class plaintiff can stipulate that damages are less than $5 million to avoid a defendant’s right to remove the case to federal court under CAFA.
In their cert petition, Standard Fire argued that the class plaintiff cannot stipulate that damages will be less than $5 million on behalf of putative class members that named plaintiff’s counsel does not yet represent. Standard Fire explained that the stipulation relates not just to the named plaintiff’s damages but to the total damages of the class including those of the putative class members. Standard Fire argued that the named plaintiff’s counsel does not represent the putative class members at the time of the stipulation, and that the stipulation violated the “due process rights of the absent putative class members.”54
Should Flash Cookie plaintiffs continue to file class actions in state court, the Supreme Court’s decision in Knowles may determine whether a maximum damages stipulation means that it remains in state court, or whether even with the stipulation the case can be removed to federal court where a body of Flash Cookie class action case law has developed. The outcome of Knowles will likely have a major impact on the litigation of future Flash Cookie class cases.