Monday, September 12, 2011

Ad Network’s Online Behavioral Profiling Could Violate New York Law

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

An individual could not go forward with purported class-action claims that an advertising network violated the Computer Fraud and Abuse Act (CFAA) by monitoring her web browsing habits, but she could pursue claims under New York’s deceptive business practices statute and New York common law, the federal district court in New York City has determined.

The network purchased advertisement display space from websites and displayed ads of interest to a computer user. The network’s clients were advertising companies and agencies.

The network allegedly used “browser cookies”—text files that gather information about a computer user’s Internet habits—to create “behavioral profiles.” The network also allegedly used “flash cookies” to “respawn” the browser cookies when they were deleted by users, without users’ consent.

The individual also accused the network of using “history sniffing” code that was invisible to computer users. This code contained a list of hyperlinks, examined the user’s computer’s browser information to determine whether the computer had previously visited those hyperlinks, and transmitted the results to the network’s servers for the purpose of selecting ads to display on the user’s computer.

Computer Fraud and Abuse Act

The individual could not satisfy the $5,000 minimum damages threshold for civil actions under the CFAA, the court said. She failed to quantify any damage that the network caused to her computers, systems, or data that could require economic remedy. Although she alleged that the network impaired the functioning of her computer, diminishing its value, she did not make specific allegations as to the cost of repairing or investigating this alleged damage.

The collection of her personal information, and any associated invasion of her privacy, would not be compensable under the CFAA, which redressed only economic damages or loss. The collection of demographic information did not constitute damage to consumers or unjust enrichment to the collectors.

The individual’s inability to delete or control the network’s cookies might constitute a de minimis injury, but not an injury sufficient to meet the $5,000 CFAA threshold, according to the court. Even if losses could be aggregated for purposes of the CFAA before a class was certified, damages resulting from the placement of cookies on multiple computers of prospective class members could not be aggregated because these losses would not result from the “same act” by the network.

In addition, even if the individual represented a class of consumers, she would have to show that she had been personally injured.

New York State Law Claims

The advertising network’s behavioral profiling conduct could constitute a deceptive business act or practice under New York law, in the court’s view. The network’s use of flash cookies and history sniffing code could constitute deceptive conduct that misled consumers into believing their digital information was private, when in reality it was being tracked by the network.

The individual and similarly-situated consumers allegedly were harmed in that they suffered the loss of privacy through the exposure of their personal and private information. The individual was not required to allege reliance to plead a claim under the New York statute.

Although collection of personal information did not cause an economic injury, such nonpecuniary harm to privacy had been recognized as an actionable injury for purposes of the New York statute, the court said. The network’s conduct also could constitute a trespass to chattels under New York common law.

Advertiser Liability

The individual failed to allege facts demonstrating that any of the companies whose products were advertised by the network (the “advertisers”) had engaged in any deceptive conduct or trespass. Claims against the advertisers were dismissed with prejudice.

The decision is Bose v. Interclick, Inc., CCH Privacy Law in Marketing ¶60,665.

Further information regarding CCH Privacy Law in Marketing appears here.

No comments: