When Are Cookies Unconstitutional?

Cookie on the InternetThe Third Circuit Court of Appeals recently upheld the dismissal of most – but not all – of the claims brought on behalf of consumers against Google and other companies, claiming that the consumers were tricked into accepting advertising cookies.

The court allowed privacy claims under the California constitution to proceed.

Cookie Class Action

The class action arose from allegations that Google and the other defendants, who run internet advertising businesses, placed tracking cookies on consumers’ web browsers “in contravention of their browsers’ cookie blockers and defendant Google’s own public statements.”

As the court noted, and as the plaintiffs stated in the complaint,

To inject the most targeted ads possible, and therefore charge higher rates to buyers of the ad space, these third-party companies . . . compile the [i]nternet histories of users….

Since the advertising companies place advertisements on multiple sites, these cookies allow these companies to keep track of and monitor an individual user’s web activity over every website on which these companies inject ads.

These third-party cookies are used by advertising companies to help create detailed profiles on individuals . . . by recording every communication request by that browser to sites that are participating in the ad network, including all search terms the user has entered.

Cookie-Blocking

Virtually all website privacy policies (that virtually no one reads) say something about cookies – usually alerting visitors that they use them.

Browsers have features – “cookie blockers” -- to prevent the installation of cookies by third-party servers.

For example, Microsoft’s Internet Explorer has an “opt-in” cookie blocker and Apple’s Safari has an “opt out” cookie blocker.

Google assured visitors that “Safari is set by default to block all third party cookies.”

The Cookie Crumbles

According to the Third Circuit,

In February 2012, Stanford graduate student Jonathan Mayer published an online report revealing that Google and the other defendants had discovered, and were surreptitiously exploiting, loopholes in both the Safari cookie blocker and the Internet Explorer cookie blocker.

Mayer found that:

Google used code to command users’ web browsers to automatically submit a hidden form to Google when users visited websites embedded with Google advertisements. This covert form triggered the exception to the cookie blocker, and, used widely, enabled the broad placement of cookies on Safari browsers notwithstanding that the blocker—as Google publicly acknowledged—was designed to prevent just that.

The other defendants in the case performed similar circumventions, as reported by the Wall Street Journal.

The Lawsuits

After Mayer’s report became public, a number of lawsuits were filed against the cookie circumventers and these cases were eventually consolidated in a Delaware federal court, which dismissed them.

The “class” in the class action is defined as:

all persons in the United States of America who used the Apple Safari or Microsoft Internet Explorer web browsers and who visited a website from which doubleclick.net (Google’s advertising serving service), PointRoll, Vibrant Media, Media Innovation Group, or WPP cookies were deployed as part of a scheme to circumvent the users’ browsers’ settings to block such cookies and which were thereby used to enable tracking of the class members[’] [i]nternet communications without consent.

“An egregious breach of the social norms”

Although the Third Circuit upheld dismissal of most of the claims, it allowed the case to proceed with respect to privacy claims under the California constitution.

Under California law, a privacy violation has two elements:

“First, the defendant must intentionally intrude into a place, conversation, or matter as to which the plaintiff has a reasonable expectation of privacy.” This means “the defendant must have ‘penetrated some zone of physical or sensory privacy . . . or obtained unwanted access to data’ by electronic or other covert means, in violation of the law or social norms.”

Second, “the intrusion must occur in a manner highly offensive to a reasonable person.”

The Third Circuit also noted that

California tort law treats as actionable an “unwanted access to data by electronic or other covert means, in violation of the law or social norms.”

The court thus concluded that

A reasonable jury could conclude that Google’s alleged practices constitute the serious invasion of privacy contemplated by California law.

The case is In Re: Google Inc. Cookie Placement Consumer Privacy Litigation.

comments powered by Disqus

Find the Right Lawyer for Your Legal Issue!

Fast, Free, and Confidential

Call us today for a free consultation (855) 466-5776