Second Circuit Rejects Secret-Cookie Suit

By now, anyone who uses a cell phone or other method to access the Internet—virtually everyone—has heard of “cookies” intended to track their online activities. Many individuals who object to tracking take steps to block cookies through privacy settings on their web browsers and other technologies. However, in a decision with important implications for those individuals and for the online advertisers that seek information about them, the U.S. Court of Appeals for the Second Circuit has upheld the dismissal of a lawsuit challenging a digital media company’s use of third-party tracking cookie technology that overcame settings intended to block cookies.

The ruling, in Mount v. PulsePoint, No. 16-3194-cv (2d Cir. March 27, 2017), affirming Mount v. PulsePoint, No. 13 Civ. 6592 (NRB) (S.D.N.Y. Aug. 17, 2016), made clear that companies that circumvent web browser privacy features to place cookies on computers to gather information about Internet use are not subject to liability for the typical legal claims that might be asserted under New York law.

How Do Cookies Really Work?

Cookies are small text files placed on a user’s computing device so that certain information about the user can be “remembered.” Generally speaking, cookies can be divided into two categories: “session” cookies and “persistent” cookies.

Session cookies (also known as “first-party” cookies) are transitory. They are set by the website to help the visitor navigate the website as it is being visited. A session cookie typically is erased when the browser is closed.

Persistent, or “tracking,” cookies are set by third parties—not the website being visited—and are designed to remain on the device after the computer user moves on to a different website or even after the browser is closed. Indeed, they can remain on a device for months or years, often until manually “cleaned out” by the user, and help a website identify a returning user. Persistent cookies are particularly helpful for online advertisers as they collect information on an Internet user’s interests and preferences. Through persistent cookies, companies create a digital profile of an Internet user that enables them to deliver specific targeted ads on the websites visited by that particular user. Because many people object to their computer use being tracked and monetized, most browsers as well as certain companion technologies can be set to automatically prevent these cookies.

The Complaint

Suppose that a computer user has decided to block third-party cookies or is using an Internet browser that, as a default, blocks those cookies. Can a company circumvent that block, without informing the user, and place tracking cookies on the user’s computer—and do so without being subjected to civil liability?

That was the essence of a putative class action lawsuit brought by two individual plaintiffs against PulsePoint, the operator of an ad exchange serving as an intermediary between website publishers selling ad space and advertisers seeking to advertise on the publishers’ websites.

The plaintiffs alleged that they were users of Apple’s Safari browser and that the default setting for Safari on computers, iPhones, and iPads was to block third-party cookies while accepting cookies from sites visited.

According to the plaintiffs, PulsePoint’s predecessor had developed a workaround of Safari’s default cookie-blocking setting and, using that workaround, PulsePoint was able to effectively track and monitor users’ web surfing in real time and intercept “personally identifiable information” that they sold to advertisers so that the advertisers could better target ads to users based on their browsing habits.

In particular, according to the plaintiffs, PulsePoint employed a JavaScript code in the ads it placed on websites to set cookies on Safari browsers whose privacy settings were arranged to block third-party cookies. The code included a mechanism replicating a submission of a particular “form” that made Safari act as if the user had clicked on the ad on a webpage, when in fact the user had not. As a result, Safari would permit PulsePoint to place cookies on the user’s device.

The plaintiffs did not assert that PulsePoint was able to associate any information it collected or maintained on Safari users with the users’ actual identities but, rather, that it was able to aggregate sites visited by a particular browser or device, which allowed PulsePoint or third-party ad buyers to associate the web browsing of a single browser or device over multiple websites.

The plaintiffs asserted claims against PulsePoint under the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. §1030, New York General Business Law §349, and New York common law.

PulsePoint moved to dismiss.

The District Court’s Decision

The district court granted PulsePoint’s motion to dismiss under Rule 12(b)(6).

In its decision, the district court first found that the plaintiffs had standing to bring their action based on two claimed harms: loss of privacy, and PulsePoint’s alleged unauthorized setting of cookies on their devices.

Although the district court found that the plaintiffs had asserted harm for standing purposes, it decided that the alleged injuries that they had suffered were insufficient for their claims to withstand PulsePoint’s motion to dismiss.

The district court first rejected the plaintiffs’ CFAA claim because the plaintiffs had not alleged at least a $5,000 loss as required to bring a civil action for a CFAA violation. The district court was not persuaded that the damage asserted by the plaintiffs—the “burdening” of their devices with the PulsePoint cookies, the disabling of their browsers’ cookie blockers, and the misappropriation of their personal data—met the loss requirement.

The district court also decided that the plaintiffs’ §349 claim failed. It found that the injuries that the plaintiffs contended gave rise to their §349 claim—the degradation in value of their devices, including the disabling of the blocking feature of their browser; violation of their privacy; and the theft and monetization of their personal data—were insufficient on which to base a §349 claim.

Notably, the district court rejected the plaintiffs’ argument that PulsePoint had violated their privacy rights by aggregating their web browsing history, explaining that there were “no allegations that PulsePoint was able to link that information to specific persons, rather than to a particular browser and/or device.” Moreover, the district court added, the plaintiffs had not claimed that they had suffered “any resulting embarrassment or distress.”

It also pointed out that there was no New York statute or New York state court decision “enshrining their right to privacy in anonymous (or perhaps pseudonymous) Internet browsing history information.”

The district court reached the same result with respect to the plaintiffs’ claims under New York common law. The plaintiffs’ trespass to chattels claim could not stand because the plaintiffs had not demonstrated that they had been harmed. In the online context, the district court stated, trespass did not encompass an electronic communication that neither damaged the recipient computer system nor impaired its functioning. The plaintiffs, the district court added, had to do more than “simply claim an unspecified demand on their devices’ resources to plausibly allege harm from trespass.”

The district court concluded by also rejecting the plaintiffs’ unjust enrichment claim because they had not pleaded injury based on the alleged misappropriation of the value of their browsing information.

The plaintiffs appealed the dismissal of their §349 and unjust enrichment claims to the Second Circuit.

The Second Circuit’s Decision

The circuit court affirmed, for substantially the reasons stated by the district court in what the circuit court characterized as its “thorough and well-reasoned decision.”

In its decision, the Second Circuit first agreed with the district court that the plaintiffs had adequately alleged an injury in fact—loss of privacy stemming from PulsePoint’s alleged unauthorized accessing and monitoring of their web-browsing activity—for Article III standing purposes. (Given its ruling on loss of privacy, the circuit court said that it did not have to determine whether the plaintiffs also had alleged injury from the effect of the PulsePoint cookies on the functionality of their web browsers.)

The circuit court then agreed with the district court that the plaintiffs had failed to state claims under §349 and for unjust enrichment.

It explained that a claim for §349 required “actual injury,” adding that the plaintiffs’ satisfaction of the injury requirement for standing did not necessarily satisfy the injury requirement of §349.

The Second Circuit pointed out that no New York court had ever construed §349 to reach the privacy invasion alleged by the plaintiffs—that is, the collection of Internet users’ “aggregated, anonymized web-browsing data.” Section 349 injury, the circuit court continued, had been recognized only where confidential, individually identifiable information, such as medical records or a Social Security number, had been collected without the individual’s knowledge or consent.

Simply put, the Second Circuit stated, absent any allegations from the plaintiffs that the data collected would or could be associated with individual users (or some other alleged factual basis for a cognizable privacy injury), there was “no basis in New York law” to recognize a cognizable injury under §349.

The circuit court also was not persuaded by the plaintiffs’ other two arguments for identifying §349 injury: degradation in the value of their computers and misappropriation of their personal information. It noted that the plaintiffs had alleged “no performance issues or other tangible harm to their devices,” and it ruled that their contention that the disabling of a cookie-blocker and installation of cookies on their computers was “unauthorized access” amounting to a §349 injury had “no support in case law.”

It also ruled that the plaintiffs’ “misappropriation” theory of injury, which rested on their professed loss of the ability to monetize the anonymous web browsing information allegedly collected by PulsePoint, failed because they had not alleged that PulsePoint’s data collection practices actually had deprived them of any opportunity to sell their own personalized information.

Finally, the circuit court decided that the plaintiffs’ unjust enrichment claim also could not stand because, even assuming PulsePoint’s enrichment, the plaintiffs could not show enrichment at their expense given that they had not alleged specific loss or deprivation of opportunity to profit from their personalized information.

Conclusion

The district and circuit court opinions in Mount reflect the ongoing tension between consumer privacy interests and data collection for commercial purposes. Of course, the decisions do not mean that no “cookie” claims will ever be successful. Just last year, the U.S. Court of Appeals for the Third Circuit, in In re Nickelodeon Consumer Privacy Litigation, 827 F.3d 262 (3d Cir. 2016), permitted plaintiffs to proceed with an invasion of privacy claim under New Jersey law based on allegations that Viacom had used cookies to track children’s web browsing and video-watching habits on Viacom’s websites despite its assurances that it would not do so. In another cookie-placement ruling the year before, In re Google Inc. Cookie Placement Consumer Privacy Litig., 806 F.3d 125 (3d Cir. 2015), the Third Circuit also permitted claims for invasion of privacy and intrusion upon seclusion to proceed under California law.

But allowing actions where companies allegedly promise to respect consumer privacy and then disregard their commitments is different from allowing claims for damages resulting from secret cookies to go forward. The Mount rulings suggest that in the absence of a change in New York law that recognizes a more robust privacy right, those kinds of claims will not stand.

Reprinted with permission from the April 18, 2017 issue of the New York Law Journal. © ALM Media Properties, LLC.  Further duplication without permission is prohibited.  All rights reserved.