Preliminary Results Indicate More to Come

The first quarter of 2011 has been marked by the rise of awareness and legal activity surrounding the question of behavioral or targeted advertising. The Federal Trade Commission (“FTC”) defines behavioral advertising as “the process of tracking consumers’ activities online to target advertising.” It often, but not always, includes a review of the searches consumers have conducted, the Web pages visited, the purchases made, and the content viewed – in order to deliver advertising tailored to an individual consumer’s interests. While the FTC and self-regulatory groups, such as the Interactive Advertising Bureau (IAB) and the national advertising initiative (NAI) have been developing procedures to address this issue since 2007, it appears that 2011 will be the year where litigation and legislation concerning this issue will peak.1

Already, the FTC has closed the public comment period for a “Do Not Track” option to be added to websites before users’ behaviors are tracked online to provide advertising. As of March 2011, there were 449 comments from industry groups, advertisers and consumer advocates.2 In addition the European Union passed a new privacy directive in March 2011 that will go into effect on May 25, 2011. The EU rules call for “explicit” consent before users’ behaviors can be tracked to target advertising. The call for a nationwide privacy protocol has caught the interest of legislators in the United States, and on March 16, 2011, the Obama administration followed suit, calling for a universal privacy bill, and specifically supported the FTC’s “Do Not Track” proposals.

As legislators, regulatory agencies, consumer groups and industry debate the issues publicly, the plaintiffs’ bar has seized the opportunity to step up class action activity. A summary of some of the recent results obtained in 2011 regarding behavioral advertising class action lawsuits provides insights into strategies and tactics that might be used by plaintiffs and defendants in the remaining 30 plus class actions that are currently pending in state and federal court across the country.

  1. Standing and Consent Have Emerged as Strong Defenses in Behavioral Advertising Class Actions

The first wave of federal class actions filed in February 2010, were focused on cable companies providing Internet services. In those initial cases, the website publishers, on whose pages the targeted ads appeared, were not named.

  1. Green v. Cable One Dismissed February 23, 2011 on Article III Standing Grounds

On February 3, 2010, a putative class action was filed in the Northern District of Alabama against Cable One styled Green v. Cable One (Case No. 1:10-cv-00259, N.D. Alabama, filed February 3, 2010). Cable One is a division of the Washington Post. As a cable company, it is also an Internet Service Provider (“ISP”) in that it provides online services in 19 states.

In Green, the class action plaintiff alleged that Cable One entered into a contract with a third-party advertising-server company (now defunct), NebuAd. Pursuant to the Cable One contract with NebuAd, the Green plaintiff alleged that Cable One “began installing ‘spyware devices’ on its broadband networks.”2 The plaintiff alleged that Cable One added “Appliances” to its modems and that these “devices funneled all affected users’ Internet communications – inbound and outbound in, their entirety – to … NebuAd.” Id. Specifically, the plaintiff claimed that, a certain portion of Cable One’s customers were part of a test group. And, without notice to or consent from those users, all their communications including via web-based email, http traffic, and https encrypted traffic were shared with NebuAd. Id. at ¶24, 53-56. Through the complaint, the Green plaintiff objected to the use by Cable One of purported “super persistent” tracking “cookies” that were not detectible through security and browser settings and used “deep packet inspection technologies” to serve ads. Id. at ¶¶38, 47. Green further contended that Cable One and NebuAd interrupted communications with websites to include targeted advertising “other than those authorized by the publishers of the web pages downloaded by users.” Id. at ¶50.

For these activities, the plaintiff alleged four causes of action for (1) Invasion of Privacy by Intrusion Upon Seclusion3; (2) Violations of the Electronic Communications Privacy Act (“ECPA” or Wiretap Act) (18 U.S.C. § 2510) for the deployment of the Appliance and interception and use of personally identifiable information; (3) Violations of the Computer Fraud and Abuse Act (“CFAA”)(18 U.S.C. § 1030) for intentionally accessing users’ communications in a manner that caused damage; and (4) trespass to chattels by interfering with the operation of the users’ computers.

Plaintiff filed a motion for class certification in August 2010. Cable One served a demand to copy and inspect plaintiff’s computer. The plaintiff then voluntarily dismissed with prejudice three of the four claims that depended upon allegations of harm/damage, leaving only the claim for violations of the ECPA remaining. (Dkt 43, October 2010). On November 9, 2010, the named plaintiff Green was deposed. During that deposition, he testified that he only accessed his Cable One account from one computer/IP address located in Alabama. Cable One’s records revealed that the Internet subscription had been canceled for that home address on November 19, 2007, one day before the NebuAd ad serving technology went into use by Cable One. Accordingly, Cable One filed a motion to dismiss on the ground that the named plaintiff lacked Article III standing to pursue the claim, and the Northern District of Alabama agreed. The Green Court’s Order granting Cable One’s motion to dismiss was entered on February 23, 2011.4

The result in Cable One shows that no matter how inflammatory the privacy allegations may appear in the complaint, courts will look closely at the factual issues to determine whether the named plaintiffs can pursue the claims and whether there are valid defenses to a claim. Also, the plaintiffs’ failure to permit review of his computer for purposes of determining harm under the CFAA or Trespass to Chattel claims proved fatal to those causes of action - forcing the Green plaintiff to dismiss them.

  1. Mortensen v. Bresnan Communications Flied February 16, 2010 -- Defendent's Motion to Dismiss Granted in Part and Denied in Part Such That Case is Pending in 2011

On February 16, 2010, a similar class action lawsuit was filed against another ISP styled: Mortensen v. Bresnan Communications LLC, 1:10-cv-00013 (United States District Court, District of Montana). The Mortensen complaint, was filed by the same law firm as the Green action (just 13 days prior in Alabama) and contained many of the same allegations. Specifically, plaintiffs, representing a putative class, alleged that from early 2008 through June of 2008, Defendant Bresnan Communications (“Bresnan”) diverted substantially all of the Mortensen Plaintiffs’ Internet communications to third party advertiser, NebuAd. As was alleged in the Green case, the Mortensen Plaintiffs alleged that Bresnan allowed NebuAd to install its “Appliance” onto Bresnan’s network. The Mortensen Plaintiffs further alleged that NebuAd used the Appliance Bresnan installed to gather information to create profiles of Bresnan’s customers in order to target interest-based ads. The Mortensen plaintiffs further alleged that Bresnan profited from the alleged privacy invasion. The same four causes of action alleged in the Green case were alleged against Bresnan, i.e., (1) Invasion of Privacy by Intrusion Upon Seclusion5; (2) Violations of the ECPA (18 U.S.C. § 2510); (3) Violations of the CFAA (18 U.S.C. § 1030); and (4) trespass to chattel.

Bresnan filed a motion to dismiss each of plaintiffs’ causes of action on April 23, 2010 as discussed further below.

Bresnan first argued that plaintiffs failed to state a claim under ECPA. To state a claim under Title I of the ECPA, a plaintiff must allege that a defendant (1) intentionally (2) intercepted or endeavored to intercept (3) the contents (4) of an electronic communication (5) using a device.6

Bresnan argued that it did not use a device to intercept plaintiffs’ communications. As such it “cannot be liable for [NebuAd’s] interception or use of electronic communications.” Bresnan argued that its cooperation with NebuAd was determinative. In so doing, relied on an Eighth Circuit decision for the proposition that under the ECPA, “acquiescence in [another]’s plans to [engage in interception] and [] passive knowledge [thereof] are insufficient” to assign liability to a defendant.7 Bresnan further argued that even if it had instructed NebuAd to engage in the monitoring, this would be insufficient for liability to attach. “Even where someone instructs another to intercept, no ECPA claim lies8 because the ECPA does not have an “aiding or abetting” component.

The Mortensen Plaintiff countered (in its opposition) that Bresnan engaged in specific acts that were separately actionable – above and beyond its collaboration with NebuAd:

“Inasmuch as Bresnan concedes that it installed the NebuAd device into its network, its interception was intentional. Deployment of the appliance required Bresnan, physically, to take its cables that carried all user Internet traffic, outbound and inbound, and plug them into the appliance.”9

The Bresnan defendant also argued that two exceptions to the ECPA statute controlled such that it could not be liable for the conduct alleged in the complaint. First the ECPA excludes activities that are “a necessary incident to the rendition of [the ISP’s] service.” Also, the ECPA excludes situations where “one of the parties to the communication has given prior consent to such interception.”10

In its Opposition, the Mortensen Plaintiffs blasted Bresnan’s contention that monitoring of user activity was a “necessary” incident to providing Internet services. The Mortensen Plaintiffs pointed out that Bresnan provided Internet connections long before (and after) its agreement with NebuAd, therefore the use of the Appliance and inspection of consumer communications was not a necessity. (Dkt. 23 at pp 10-11.) In its December 2010 ruling the Montana District Court sided with the plaintiffs on this issue. The court ruled that plaintiffs’ allegations: “that NebuAd and Bresnan deployed the Appliance on Bresnan’s network infrastructure” and Bresnan had “configured” its network to “funnel all User Internet through the Appliance” were sufficient to show violations of the ECPA and did not constitute “necessary” functions of an ISP.

On the consent issue, Bresnan was successful. Bresnan argued that it had obtained “consent” to intercept the plaintiffs’ communications via three documents: (1) Bresnan Communications OnLine Privacy Notice; (2) Bresnan’s OnLine Subscriber Agreement and (3) via email notice to users that the NebuAd test was taking place which also contained instructions for users to opt-out if they desired. By virtue of privacy policy and subscriber agreements, Bresnan argued that subscribers expressly “acknowledge[] and agree[] Bresnan [] and its agents shall have the right to monitor … postings and transmissions, including without limitation … web space content.”11 Bresnan further contended that these documents expressly notified “subscribers that Bresnan’s ‘equipment automatically collects information on your use of the Service including information on … the programs and web sites you review or services you order, the time [] you … view [them, and] other information about your ‘electronic browsing.’” Id. In addition, through the documents Bresnan argued that it advised users that “Bresnan [], its partners, affiliates and advertisers may [] use cookies, and/or small bits of code called ‘one pixel gifs’ or ‘clear gifs’to make cookies more effective.”

For purposes of the ECPA claim, the Court agreed that users’ were notified and provided express consent to the monitoring of their electronic communications by Bresnan:

"the Court concludes that through the OnLine Subscriber Agreement, the Privacy Notice and the NebuAd link on Brenan’s website, Plaintiffs did know of the interception and through their continued use of Bresnan’s Internet Service, they gave or acquiesced their consent to such interception."12

Bresnan also successfully used the “consent” defense to seek dismissal of plaintiff’s intrusion upon seclusion claim. Plaintiffs alleged that by monitoring and transmitting Plaintiffs’ electronic communication, Bresnan wrongful intruded into Plaintiffs’ private activities in such a manner as to outrage or cause mental suffering, shame or humiliation to a person of ordinary sensibilities.” (Dkt 30 at p. 12). Bresnan argued that “[g]iven receipt of and assent to the Privacy Notice, Subscriber Agreement, and NebuAd-specific notice…, Plaintiffs lacked subjective expectations that ‘all communications, … web mail, [] VoIP traffic, [and] … Internet navigation’ …would be hidden from Bresnan, carrier of the transmissions.”13 The Montana District Court agreed. Relying on the notices provided in the Online Privacy Policy, Subscriber Agreement and disclosure of the NebuAd service via email, the Court concluded that: “Plaintiffs cannot demonstrate that their expectation of privacy was objectively reasonable.”14

Bresnan challenges to the plaintiffs’ CFAA claims met with less success. To maintain a claim under 18 U.S.C. §1030(a), Plaintiffs must show that the defendant: (1) intentionally accessed a computer, (2) without authorization or exceeding authorized access, (3) obtained or altered information (4) from a protected computer that (5) resulted in damage to one or more persons during any one-year period aggregating at least $5,000 in value. LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1132 (9th Cir. 2009). Bresnan argued that plaintiffs failed to state claims for violations of the CFAA because there were insufficient allegations of intentional conduct. Specifically, with regard to the intent prong of the CFAA allegation, Bresnan argued that the plaintiffs’ consent to the conduct via the Online Privacy Agreement, vitiated the requisite intent to engage in harmful conduct necessary to maintain a CFAA claim. The plaintiffs countered that any consent provided via the privacy policy was not meaningful, because the opt-out feature permitted users to opt-out of receiving NebuAd’s targeted advertisements, but would not prevent the collection and accessing of the data by Bresnan and subsequent conveyance to NebuAd. Unlike the consent for monitoring of user activity found for the ECPA claim, the court sided with the plaintiffs. In so doing, the Mortensen Court determined that there was no user consent for “reversal of their privacy settings” as alleged by the complaint:

"For purposes of a 12(b)(6) motion, Plaintiffs have sufficiently alleged that Bresnan’s act of tampering with the security and privacy protocols exceeded any authorization that Plaintiffs may have given."15

Bresnan also argued that the CFAA claim could not be maintained because the allegations of harm in excess of $5,000 were insufficiently pled. The Mortensen Court disagreed. Relying on In re Toys R Us, Inc., Privacy Litigation, 2001 WL 34517252 (N.D.Cal. 2001), the Montana District Court concluded that the Mortensen plaintiffs’ allegations of harm met the requisite pleading standards of the CFAA:

"… plaintiffs had met the $5,000 loss requirement under the CFAA because defendants caused identical cookies to be placed on plaintiff’s computers, unbeknownst to them. Contrary to Bresnan’s argument, these identical files or “cookies” implanted on each of plaintiff’s computers resulting in damages of a uniform nature…As such, the Toys R Us court found that plaintiffs could aggregate their damages and therefore had sufficiently pled the existence of a single act resulting in damages exceeding $5,000 during any one-year period to one or more individuals."16

For many of the same reasons, Bresnan challenge to the plaintiffs’ trespass to chattel claim also failed. The elements of a cause of action for trespass to chattels are largely uniform across jurisdictions and include: (1) the plaintiff’s possession of the property, (2) the defendant’s intentional interference with the plaintiff’s use of the property, (3) without the plaintiff’s consent, and (4) damages. Restatement (2nd) of Torts § 217. Here again, the Court sided with plaintiffs:

"Plaintiffs have granted Bresnan conditional access for purposes of monitoring Plaintiffs’ electronic transmissions as well as placing “cookies” on Plaintiffs’ computers for purposes of tracking web activity. However, like Plaintiffs’ CFAA claim, Bresnan’s alleged actions of altering the privacy and security controls on Plaintiffs’ computers activity is sufficiently outside of the scope of the use permitted by Plaintiffs. As such, for purposes of a 12(b)(6) motion, Plaintiffs have sufficiently alleged that Bresnan intentionally interfered with the possession of their personal property. Bresnan’s Motion to Dismiss Plaintiffs’’ trespass to chattel claim is DENIED."17

Bresnan filed its answer to the complaint on January 14, 2011 and the affirmative defenses make clear that the arguments relating to NebuAd’s liability for the plaintiffs’ claims, lack of harm/damage to the plaintiffs and user consent will be litigated in the days and weeks ahead, perhaps on summary judgment.

  1. Deering v. Centurytel, Inc. filed February 11, 2010 -- Motion to Dismiss on Grounds of Authorization and Consent Pending

On February 11, 2010 the same plaintiffs’ law firms that filed the complaint in the Green and Mortensen matters filed a complaint against Centurytel, Inc. – a commercial provider of Internet services in the United States District Court of Montana. The case name is Deering v. Centurytel, Inc., et al. 1:10-cv-00063 (District of Montana). The Deering complaint was a mirror image of the Green and Mortensen class action lawsuits and included the same essential claims and causes of action. In light of the Montana District Court’s dismissal of the ECPA and intrusion upon seclusion counts in the Mortensen class action on December 13, 2010, Centurytel filed a similar motion to dismiss on January 25, 2011, which is currently pending. Centurytel argued that like Bresnan’s online privacy disclosure and subscriber agreement, Centurytel notified consumers of the monitoring activities via its privacy policy.

  1. Potential Impact of Green and Mortensen on Over 30 Pending Class Actions

As discussed above, Since January, 2011, some 20 additional class action complaints have been filed against numerous companies such as Nordstrom, Metacafe, Phillips Electronics of North America, YouTube, Skype, TV Guide Online Holdings, BuySafe, Pandora Media, E*Trade Financial Corp, C3 Metrics, ShopLocal, Google, Apple, Skechers USA, Reebok International, and Amazon among many others. Each of these complaints differs from the earlier ISP cases in that direct allegations are made against the website publishing targeted advertisement for device identifiers including Flash cookies and HTML-518 that are used to serve targeted ads.

The recent decisions in the Green and Mortensen cases, provide important insights into how courts may address these cases. Emerging as important trends are affirmative defenses based upon (1) standing; (2) lack of damages under the CFAA; and (3) consent via online privacy policies. Although not challenged in the prior briefing, the issue of consumer consent to online privacy policies and the enforceability of browse-wrap agreements in connection with privacy claims will likely be briefed in the months ahead.

For those cases that proceed beyond the motion to dismiss stage, defendants should also consider asserting defenses based upon lack of intentional conduct. Defendant companies (like McDonalds, Skechers and others) can argue that because their vendors used installed tracking device identifiers (such as Flash cookies or HTML-5 code), without their knowledge or consent, they did not engage in any “intentional” accessing or tracking of user information online, such that claims under the ECPA and CFAA cannot be maintained.

Also, in those state class actions cases involving state law claims for computer trespass, where no federal allegations are asserted, defendants may consider raising a dormant commerce clause defense to obtain dismissal. In other contexts, courts have found that state class actions cannot be maintained where they would affect national policy. For example, in the context of medical/pharma drug advertising courts refused to permit state class actions that would contravene federal policy – in context such as this where preemption did not exist. See e.g., Congress of Cal. Seniors v. Catholic Healthcare 87 Cal. App. 4th 491, 512 (2001) (noting “had we decided that…the claims were not preempted, we would have concluded that the federal system rather than the state court is the appropriate place” to enforce the issue. Emphasis added). Several of the state computer trespass statutes at issue in the pending state court class actions basically mirror the federal CFAA. Although in enacting the CFAA, Congress did not preempt states legislating in the area of behavorial tracking, Congress clearly envisioned that the federal and state governments would share in the creation of policies pertaining to the ability of websites to access and track users’ online behavior for advertising purposes. Here, FTC (and FCC) have taken steps to address privacy as it pertains to tracking users’ online activity, and legislation is underway as well. Accordingly a credible argument could be crafted that the dormant commerce clause should prevent the institution of state court class actions that could affect national policy.

Numerous other arguments are likely to unfold in the days and weeks ahead as the cases wind themselves through the various district and state courts. Clients that are operating websites that deliver targeted advertising should be aware of the litigation environment and take steps to avoid exposure, as outlined in the accompanying client alert titled “How to Respond to Recent Developments in Regulation of Behavioral Advertising.”