New Jersey Law Journal            Volume 203, No. 8, Index 525       February 21, 2011

ADVANCES IN INTERNET USER TRACKING TECHNOLOGY YIELD NEW PRIVACY VIOLATION CLAIMS

Jonathan    Bick, of Brach Eichler in Roseland, is an adjunct professor at Pace Law School and Rutgers Law School, and the author of 101 Things You Need to Know About Internet Law (Random House 2000).

Behavioral-based marketing targeting is a technique used by traditional and Internet publishers and advertisers to increase the effectiveness of their campaigns. In the past, marketing firms conducted surveys of readers' preferences and affiliations. Today, Internet marketing firms collect data associated with individuals' Internet behavior. Said collection efforts have been found to be lawful. However, the use of new technology makes keeping Internet behavior private more difficult and has given rise to renewed claims of unlawful intrusiveness by Internet data. It has also revived an argument that such behavior violates privacy expectations and thus is unlawful.

Internet data behavioral-based marketing has been such an issue because it represents a wealth of possible information for behavioral-marketing purposes, such as data about an individual user's friends, linkages, locations and influences. The data is even more valuable because it can be used to determine not only what an individual user wants, but what his or her friends want as well. But Internet data behavioral-based marketing may encompass a number of Internet websites.

Individual websites collect user information by placing cookies on the computers of users who visit the websites. An independent academic report run by the University of California Berkeley School of Law, Center for Law & Technology, published in 2009, titled ‘Flash Cookies and Privacy,‘ found that use of cookies is widespread amongst the most popular Internet sites. The report found that more than 50 percent of the 100 most popular websites examined used cookies.

These cookies provide several opportunities to improve the user experience, such as saving individual user preferences to make return visits to the websites easier. However, the use of cookies may result in a privacy violation claim. Most such claims have proved to be unfounded.

In In re DoubleClick Inc. Privacy Litigation (154 F. Supp. 2d 497), Internet users initiated proceedings against DoubleClick, a company responsible for a large amount of Internet advertising. The Internet users alleged that DoubleClick's practice of placing cookies on the hard drives of Internet users who accessed DoubleClick-affiliated websites constituted violation of the Stored Communications Act, the Wiretap Statute and the Computer Fraud and Abuse act. The court found that DoubleClick was not liable under the Stored Communications Act or the Wiretap Statute, because DoubleClick fell into the consent exceptions of those statutes. The court reasoned that when the Internet users had agreed to the terms and conditions of the DoubleClick-affiliated site, they essentially were consenting to the use of their information by those sites, and so DoubleClick could not be held liable for the use of such information.

Ultimately, DoubleClick's legal difficulties arose from engaging in deceptive trade practices. They said one thing (we will not sell users' data) and did another (sold users' data).

Rather than pursuing a claim that the use of Internet data collection violates Internet users' privacy, Internet users are using a new tactic. In particular, they claim that it is unlawful for data collection companies to use certain technology to collect data, such as flash cookies. See Edward Valdez et al v. Quantcast Corporation et al (2:2010cv05484, filed July 23, 2010, U.S. District Court for Central California).

Flash technology, created by Adobe, is the standard technology that most Internet users have installed on their system that allows them to view interactive content online. The flash cookies allow new cookies to be installed when an Internet user deletes the old cookies. The QuantCast complaint alleges that the defendants tracked, stored and resold personal information about consumers, including finances and health information.

The new cookie technology was developed to overcome the shortcomings of the existing technology. The existing technology uses a string of text transmitted to an Internet site user by the Internet site's server, which is stored by the user's web browser. When the Internet user contacted the Internet site's server, stored cookies were then used to identify the Internet user. Existing cookies are often used for purposes of authentication and as identifiers for an online session such as a membership website. These stored strings of text may be easily erased, thus requiring more of an Internet site's server resource to be used after said erasure and before a second interaction.

Additionally, cookie erasure presents tracking problems for Internet data behavior trackers, such as advertisers. Cookie deletion may skew various measures of a particular Internet user's behavior. This results in less accurate targeted behavioral ads and traffic counts.

From a technological perspective, controlling cookies isn't that difficult. In particular, an Internet user can simply refuse all cookies. All standard browsers allow for this option. This is not a very practical solution, however, because most sites use cookies for useful or benign purposes. Also, many sites require cookies to be enabled before they let you view them.

A better alternative is to selectively block and/or remove undesirable cookies while keeping good ones. There are a number of approaches, including editing the actual contents of the cookie folder to selectively block cookies from sites to which you choose not to give data, and using the features of any of the major browsers that have added ways to limit or eliminate some or all information sent from a cookie. However, it should be noted that the problem with flash cookies is that they are all linked to the Adobe website. If an Internet user attempted to block all flash cookies from Adobe, the user would no longer be able to access websites that require flash technology to function.

As noted in Ashcroft v. ACLU, 542 U.S. 656 (2004), courts are loath to impose legal restrictions when technological alternatives are both easy to use and inexpensive (or free). The Court's reasoning largely mirrored that of the district court. The district court focused on the existence of plausible, less restrictive technical alternatives and determined that the plaintiffs were likely to prevail on this issue. Any attempted solution to a legal difficulty that does not take into account and leverage the power of existing and emerging technologies is not only likely to be invalidated by the courts, as in Ashcroft and United States v. Playboy Entertainment Group, 529 U.S. 803 (2000), but is also likely to be ineffective. The best solution to this dilemma is a governmental scheme that avoids broadly applicable statutory restrictions and encourages the naturally developing use of technological solutions to the problem.

While flash cookies are a new technology, their use appears to be covered by existing case law. Additionally, it appears that so long as the use of flash cookies is disclosed in the appropriate terms of use agreement and/or the appropriate privacy policy, the new technology may be used lawfully. Indeed, a plaintiff would be more likely to succeed in a claim against a website that uses flash cookies, but does not disclose the use of such cookies in their terms of service in a clear and conspicuous manner.

The Federal Trade Commission (FTC) has taken the position that behavioral marketing should be self-regulated. However, it has prosecuted website owners who fail to disclose behavioral targeting techniques in such a clear and conspicuous manner as a violation of Section 5(a) of the Federal Trade Commission Act.

In FTC and Sears Holding Management Corporation (Docket NO.4264 Issued: Aug. 31, 2009), the FTC found that Sears invited Internet users who visited its website to disclose information, in exchange for a $10 coupon. The FTC also found that Sears obscured the extent of the data collection, which included health, banking and other sensitive data, in its privacy statements. The Sears settlement agreement required Sears to provide clear and conspicuous disclosure to consumers about the extent of data collection separate from other privacy agreements in a way that was unavoidable to ensure that the consumer had proper notice.

In short, a court considering the lawful use of flash cookies will likely hold that flash cookie users will not be liable under any federal laws because their use will fall within the consent exceptions under the Stored Communications Act and the Wiretap Statute. Additionally, flash cookie users will not be liable under the Computer Fraud and Abuse Act because it is unlikely the plaintiffs will meet the statutory threshold of $5,000 in losses. Nevertheless, as the FTC becomes more stringent in enforcing notice requirements for behavioral targeting, websites that use flash cookies should be prudent in ensuring that they provide the appropriate notice to consumers.