A New York federal district court recently dismissed Computer Fraud and Abuse Act (CFAA) claims asserted against defendant advertising company Interclick and some of its advertising clients. Plaintiff consumer Sonal Bose alleged that the defendant advertising company’s use of “supercookies” and “history sniffing” invaded her privacy, misappropriated her personal information, and interfered with her computer’s operations. The court dismissed the CFAA claims because Bose failed to show the statutorily required damage or loss.
Bose alleged that Interclick used browser cookies to advertise for various companies online. Cookies are small files placed in a computer user’s web browser to gather information about the user’s online habits and behaviors. Cookies are helpful for users who want to autopopulate data, such as usernames or passwords, when they return to a website. These cookies are also extremely beneficial for marketing companies who can track a users online habits and behaviors. Thus, an advertising company such as Interclick can use this information to provide specifically tailored advertisements based on the user’s profile. If a user does not want to be tracked or have this information available, he or she can always delete the cookies from the web browser.
The problem Bose alleged in this case was that Interclick used “supercookies” aka “flash cookies.” These supercookies are not as delicious as they sound. When a user deletes his or her cookies, the supercookie “respawns” the deleted cookie without the user’s notice or consent. As in this case, Interclick allegedly continued to track Bose and collect her information, despite her attempt to delete the cookies and protect her privacy. Bose also alleged that Interclick used “history sniffing,” in which it allegedly looked at her computer’s browsing history to tailor its advertisements toward her.
Bose claimed that she suffered: (1) impaired computer services and resources, (2) loss due to collection of personal information, and (3) loss due to interruption of internet service. The defendants moved to dismiss on grounds that Bose failed to allege a cognizable injury to meet the $5,000 threshold statutorily required for CFAA civil claims. (18 U.S.C. § 1030 (c)(4)(A)(I)).
First, the court recognized that physical damage is not necessary for CFAA claims. As we have discussed in previous blogs, courts are expanding the CFAA’s definition of “losses” and have recognized computer forensic investigation costs and outside counsel fees as sufficient to meet the statutory threshold. However, the court here stated that Bose failed to quantify her damage and did not specifically show the impairment of her computer functions or any diminution of value.
Second, the court cited Doubleclick and stated that Bose’s allegations for invasion of privacy, trespass, and misappropriation of confidential data are not cognizable economic losses. (In re Doubleclick Inc. Privacy Litig., 154 F. Supp. 2d 497, 524, n. 33 (S.D.N.Y 2001)). The court found Bose claims similar to the California case La Court v. Specific Media, Inc. No. SACV 10-1256-GW(JCGx), 2011 WL 1661532 (C.D. Cal. Apr. 28, 2011), which also dismissed supercookie CFAA claims for failure to allege an economic injury. The court emphasized that “advertising on the internet is no different from advertising on television or in newspapers,” as marketers and retailers constantly collect consumer personal data and demographic information. In other words, no harm, no foul.
Finally, the court found that Bose failed to allege any specific damage or loss regarding the interruption of her internet service. Bose did not show that the cookies damaged, shutdown, or even slowed her computer.
This case is significant because it demonstrates that courts still require some quantifiable or cognizable loss for CFAA civil claims, despite the growing trend to allow claims absent any damage or interruption of service. Courts will not accept CFAA civil allegations merely based on the invasion of privacy. Indeed, privacy has at least a $5,000 price tag under the statute.
The use of supercookies will continue to rouse privacy advocates. In fact, this summer the European Union issued its “Cookie Directive” to address cookie privacy concerns.
The court dismissed the CFAA claims, but kept the claims against Interclick for alleged deceptive business practices. While supercookies may not be unlawful under the CFAA, how a company uses these tracking devices may still subject them to liability.
This area of law continues to be white hot as the plaintiffs' bar tries to leverage privacy and other claims against companies who collect computer users' data as class actions for large settlements.