A Montana federal court dismissed claims under the Electronic Communications Privacy Act (ECPA) in a suit alleging that an Internet Service Provider (ISP) funneled its customers’ Internet traffic to a third party that then used the information for behavioral advertising, but the court ruled that claims under the Computer Fraud and Abuse Act (CFAA) could go forward.

A class of plaintiffs claimed that Bresnan Communications diverted their Internet communications to NebuAd, a third-party Internet advertising company, in order to target them with preference-sensitive ads.

But U.S. District Court Judge Richard F. Cebull said that the ISP had warned its customers about the practice in its privacy notice and subscriber agreement, and it had given customers the opportunity to opt out. The subscriber agreement explicitly stated that customers agreed that “Bresnan Communications and its agents shall have the right to monitor any . . . postings and transmission, including without limitation email, newsgroups, chat, IP audio and video, and web space content.” Although the plaintiffs argued that Bresnan “construed their consent too broadly” and did not obtain “meaningful” consent, the court disagreed.

With the privacy notice, the subscriber agreement, and a specific notice of the NebuAd appliance trial that appeared on Bresnan’s Web site, the plaintiffs were informed on at least three separate occasions of monitoring and possible transmissions of their activities to a third party, the court said, granting Bresnan’s motion to dismiss the ECPA claims. However, the court ruled that because the ISP had modified the settings of customers’ computers without authorization in the course of the data collection, claims under the CFAA could go forward.

The court said Bresnan “exceeded authorization” because the notice it provided did not tell the plaintiffs that their computer settings were going to be actively altered or tampered with. The company acted in concert with NebuAd by installing the appliance onto its network, and by doing so, altered the character of the plaintiffs’ computer privacy and security control protocols.

Judge Cebull’s decision on the state law claims followed the federal statutory rulings; the plaintiffs’ invasion of privacy claim was dismissed but the trespass to chattels claim survived.

The court’s decision is Mortensen v. Bresnan Communications.

Why it matters: The decision is a mixed bag for companies engaged in behavioral advertising, but the court’s dismissal of the plaintiffs’ ECPA claims based on the ISP’s privacy policy and subscriber agreement emphasizes the importance of notice, consent, and conspicuous disclosures. And although the court said the CFAA claims can go forward, the decision suggests that companies may be able to successfully defend such claims with clear and explicit policies, as Bresnan’s failure was not providing adequate notice to consumers that their computer settings were going to be altered.