More than 150 consumer class actions were filed in 2011 alleging invasions of online privacy. These claims were brought under a mix of state and federal statutes that provide attorney fees and statutory damages. Federal claims were typically brought under the Electronic Communications Privacy Act (ECPA), Computer Fraud and Abuse Act (CFAA), and Stored Communications Act (SCA). State claims typically were brought under consumer protection statutes (e.g., Ch. 93A in Massachusetts), as well as common law theories, such as breach of contract, invasion of privacy and unjust enrichment.
Common fact patterns emerged, and many of these cases alleged the following:
- Violations of terms of use agreements
- Leasing, selling and improper disclosure of personal information from social media websites
- Improper use of internet browser tracking technologies, e.g., Flash cookies (a cookie that regenerates itself when deleted), browser history sniffing code and online behavioral analysis
Common theories of harm included the following:
- Increased risk of identity theft
- Time and effort to monitor/fix credit
- Emotional distress
- Personal information as property
Despite the large number of invasion of online privacy class actions filed, plaintiffs have struggled to quantify the harm they have suffered. In fact, defendants often prevailed because plaintiffs were unable to plead sufficient economic or emotional harm (e.g., Bose v. Interclick, Low v. LinkedIn, Del Vecchio v. Amazon, In re Facebook Privacy Litigation and Krottner v. Starbucks). For example, in Bose v. Interclick, 2011 U.S. Dist. LEXIS 93663 (SDNY), the court dismissed Bose's class action CFAA claim and held that she failed to show that Interclick, an internet advertising company, caused damage to her "computers, systems or data that could require economic remedy" when it installed a Flash cookie and browser history sniffing code on her personal computer. Interclick's software had gathered and transmitted Bose's browsing habits to an online advertising network. The court reasoned that Bose failed to establish how she was deprived of the economic value of her personal information simply because it was collected by a third party and failed to demonstrate how Interclick's software caused damage, a slowdown or a shutdown to her computer. The court, however, denied Interclick's motion to dismiss Bose's state law claim brought under New York's consumer protection statute, reasoning that Interclick's conduct may have "injured" Bose's privacy rights by misleading her into believing her information was private when in reality it was being tracked without her knowledge.
The struggle to meet the harm threshold has similarly been an issue for plaintiffs in traditional security breach cases, but the U.S. Court of Appeals for the First Circuit issued a significant decision in October 2011, Anderson v. Hannaford Bros. Co., 659 F.3d 151 (1st Cir. 2011). In that case, the First Circuit reversed the lower court's dismissal of plaintiffs' negligence and implied contract claims, and held that plaintiffs' "reasonably foreseeable mitigation costs," such as credit card replacement and identity theft insurance costs, "constitute a cognizable harm under Maine law."
In 2012, plaintiffs likely will continue to file lawsuits over privacy practices that rely on a mix of harm theories and federal and state law, despite plaintiffs' traditional difficulties demonstrating actionable harm, for several reasons. As Bose v. Interclick demonstrates, whether plaintiffs can show harm resulting from the collecting and sharing of personal information, or use of online behavior tracking devices, is still in flux and depends on the circuit and state in which the case is heard. In addition, there are unresolved issues regarding the applicability of federal statutes. For example, major amendments to the ECPA in 1986 did not contemplate technologies like Flash cookies and browser sniffing. Finally, the Anderson decision could pave the way for more cases to be filed and survive motions to dismiss in 2012.
To read "Privacy and Data Protection 2011 Year in Review" in full, please click here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.