Cookies are small units of code that website operators can send to Internet browsers accessing their sites. While cookies may be set to delete when a browsing session terminates, many cookies remain stored on a user’s browser. Each subsequent time that this browser uploads a webpage on the site, the operator can access data stored in those cookies to customize webpages based on the user’s browsing activities. The most controversial cookies are those that track a user’s activity across the Internet. The European Union has enacted regulations requiring website operators to more fully disclose how websites deploy cookies, and to give users more control over the cookies placed on the browsers. The FTC has issued a white paper calling on industry to adopt similar disclosure practices in the United States.
Assuming the factual allegations of the complaint to be true for the purposes of the motion, the court acknowledged that, in theory, a plaintiff’s lost opportunity to sell his computer usage data to marketers could constitute a monetary loss that satisfies the $5,000 damage threshold of the CFAA. But here, the court found that the plaintiffs’ claims were entirely speculative because they did not allege facts showing that they had the capacity or opportunity to independently monetize their raw computer usage information. As a result, the court granted Amazon’s motion to dismiss for the plaintiffs’ failure to state a claim under the CFAA.
The court further found that the plaintiffs still might have a viable claim under Washington’s Consumer Protection Act (the “WCPA”). The WCPA requires a showing of injury, but, unlike the CFAA, does not require a plaintiff to demonstrate monetary damages in order to satisfy the requirement. In this case, the court stated that in order to allege an injury, the plaintiffs would need to demonstrate that Amazon accessed their computers or their information without authorization.
In light of the Del Vecchio decision, the recent EU cookie regulation, and concerns raised by the FTC regarding cookies, website operators should re-evaluate the manner in which they disclose cookies deployed on their website and obtain consent from users for placing these cookies on users’ browsers. While it appears that the CFAA is not available as a vehicle for privacy class action claims, privacy class action attorneys are continuing to look for other legal bases for such claims, such as the WCDA. Increased regulatory scrutiny of cookie practices is likely to further stir such litigation.
But the Del Vecchio decision also issues a challenge for privacy advocates looking to protect consumer web browsing practices. Under the holding in Del Vecchio, if consumers could sell their web usage information to marketers, then they could invoke the CFAA to prevent third parties from deploying cookies to take this web usage information without their consent. Rather than more class actions, consumers may be better served by the development of marketplaces where they can sell their web usage information for marketing purposes, rather than giving it away to the websites they access.