Key Privacy Cases

From HORSE - Holistic Operational Readiness Security Evaluation.

Federal Privacy Cases

  1. Konop v. Hawaiian Airlines, Inc., 302 F.3d 868 (9th Cir. 2002). In Konop, plaintiff sued an airline after the airline’s officers gained unauthorized access to password-protected message boards on plaintiff’s Web site where the plaintiff had been posting information critical of the airline. Defendant airline used the names of two pilots, with their permission, to create a password on plaintiff’s site and thereby gain access to it. After withdrawing its previous opinion in this case, the Ninth Circuit issued a new opinion holding that defendant airline did not violate the Wiretap Act because the plaintiff pilot’s Web site was not intercepted during transmission, but rather while it was in electronic storage on the web server. The Court also held that defendant airline violated the Stored Communications Act because, although the two pilots could have authorized the airline to view the content, the pilots had not yet created user accounts on the Web site at the time they gave permission for the use of their names to gain access. Thus, the pilots were not “users” of the Web site when they gave authorization.
  2. In re Pharmatrak, Inc. Privacy Litig., 329 F.3d 9 (1st Cir. 2003). In a case that closely matched the legal and factual conclusions of the Doubleclick and Chance opinions, see below, the Court in Pharmatrak dismissed plaintiffs’ class action claims under the Wiretap Act, the Stored Communications Act and the Computer Fraud and Abuse Act. Pharmatrak sold a service to pharmaceutical companies allowing them to collect traffic and usage information from their Web sites. Despite assurances otherwise, Pharmatrak collected personal information about the pharmaceutical companies’ users. The First Circuit held that the district court had incorrectly interpreted the Electronic Communications Privacy Act (ECPA) consent exception, finding that the users had not consented to collection of personal information because the Web sites gave no indication that use of the site meant such consent. The court also held that Pharmatrak intercepted the communications because its acquisition was contemporaneous with transmission by the users.
  3. Ingenix, Inc. v. Lagalante, 2002 U.S. Dist. LEXIS 5795 (E.D. La. 2002). The court granted a temporary restraining order prohibiting defendant from using or disclosing information gained from unauthorized access to a protected computer in violation of the CFAA. Defendant did not immediately surrender his laptop to plaintiff employer upon resignation. Instead, defendant copied and deleted sensitive files from the laptop and network. Defendant emailed some of the information contained therein to his new employer, a competitor of plaintiff. The court held that these actions violated the CFAA and that plaintiff had properly alleged damages in excess of the statutory minimum due to the cost of hiring forensic experts to recover the deleted files and carry out an investigation on the laptops and email servers.
  4. EF Cultural Travel BV v. Zefer Corp., 318 F.3d 58 (1st Cir. 2003). The First Circuit Court of Appeals stated in dicta that Web site operators should define the scope of authorized access to their sites under the Computer Fraud and Abuse Act (CFAA) by placing notices on their Web sites. Implied limitations on authorized access are also possible, for example, with the use of password-protected sections or other technology that limits access. The court of appeals rejected the lower court’s “reasonable expectations” test for determining the scope of authorized access as too prone to creating litigation. It also noted that limitations placed on the use of “scrapers” to scrape information off a Web site or limitations on a competitor’s access to such information could raise serious policy concerns.
  5. Fischer v. Mt. Olive Lutheran Church, Inc., 207 F. Supp. 2d 914 (W.D. Wis. 2002). This lawsuit stemmed from defendant employer’s monitoring of plaintiff employee’s telephone conversation and accessing of plaintiff’s Web-based email account. The court refused to dismiss plaintiff’s claim under the Stored Communications Act because the facts as alleged suggested that the Act had been violated: defendant hired a computer expert and guessed plaintiff’s password so as to access and review plaintiff’s Web-based emails. The court also refused to dismiss plaintiff’s claim under the Wiretap Act, finding that defendants should have ceased to listen to the conversation when they discovered it was personal in nature. The court did, however, dismiss plaintiff’s CFAA claim because plaintiff failed to properly allege the minimum statutory damages.
  6. Thompson v. Thompson, 2002 U.S. Dist. LEXIS 9940 (D.N.H. 2002). Defendants copied emails from plaintiff’s laptop. The court dismissed plaintiff’s Wiretap Act claims because the emails were not acquired during transmission but rather after they were received. The Court declined to exercise supplemental jurisdiction over the state law claim in the interest of comity.
  7. Chance v. Ave. A Inc., 165 F. Supp. 2d 1153 (W.D. Wash. 2001). The court granted defendant’s motion for summary judgment, holding that under the CFAA plaintiffs could not aggregate damages for each time defendant accessed a cookie on plaintiff’s separate computers. On the ECPA claims, the court ruled that plaintiff’s computers were “facilities,” that the Web sites that accessed the cookies on plaintiff’s computers were “users” and that as such the ECPA excepted defendant’s actions from liability.
  8. Crowley v. Cybersource Corp., 166 F. Supp. 2d 1263 (N.D. Cal. 2001). Plaintiff brought a class action suit against an online merchant and a credit card purchase processing company, alleging that they violated the ECPA and the Wiretap Act. The court held in favor of defendant’s 12(b)(6) motion on the Wiretap Act claim, ruling that no interception occurred where plaintiff voluntarily transferred his information to defendants. The court likewise dismissed plaintiff’s ECPA claim ruling again that plaintiff had transferred his information to defendant and thus defendant had not accessed his computer without authorization.
  9. In re Toys ‘R’ Us, Inc., Privacy Litig., 2001 U.S. Dist. LEXIS 16947 (N.D. Cal. 2001). Plaintiffs alleged that defendants used “Web bugs,” Javascript code and cookies to secretly intercept plaintiffs’ confidential purchase and Web browsing information. The court held that cookies placed on hard drives are not in “electronic storage” for purposes of the Stored Communications Act. The court further held that the law excepted from liability defendants’ accessing of those cookies as a party to the communication or as a party with consent to access the communication. The court held the Wiretap Act does not provide a cause of action against aiders and abetters. The court dismissed plaintiffs’ Wiretap Act claim against one defendant, finding that Toys ‘R’ Us was a party to the communication, but the court denied the motion to dismiss the second defendant in the absence of evidence disproving a tortious purpose on its part. On the CFAA claim, the court denied defendants’ motion to dismiss, finding that plaintiffs had properly alleged $5,000 in aggregate damages due to the misappropriation of the economic value of plaintiffs’ personalities resulting from defendants’ placement of identical cookies on their hard drives.
  10. In re DoubleClick Inc. Privacy Litig., 154 F. Supp. 2d 497 (S.D.N.Y. 2001). Plaintiffs filed a class action lawsuit claiming that DoubleClick’s tying of an acquired database with Internet users’ online activities collected through DoubleClick’s cookies constituted unauthorized access in violation of the Stored Information Act. Users also argued the numbers assigned to cookies were in electronic storage and therefore subject to protection under the ECPA. Plaintiffs’ suit was dismissed because the Court determined that the Web sites affiliated with DoubleClick authorized the data collection practices. Plaintiffs also claimed that DoubleClick violated the Wiretap Act. The Court dismissed this claim because it determined that DoubleClick did not act surreptitiously or with the intent to commit a crime. Finally, a claim under the CFAA was dismissed because the Court found that no plaintiff could rise to the $5,000 damage threshold required by the Act. The U.S. District Court for the Southern District of New York granted final approval of the class-action settlement agreement. Under the settlement’s terms, DoubleClick was required to explain its privacy policy in “easy-to-read” language; conduct a public information campaign consisting of 300 million banner ads inviting consumers to learn more about protecting their privacy; and institute data purging and opt-in procedures among other requirements.
  11. Andersen Consulting LLP v. UOP, 991 F. Supp. 1041 (N.D. Ill. 1998). Plaintiff filed an action against defendants UOP and its counsel for having knowingly divulged, or having caused to be divulged, contents of plaintiff’s email messages in violation of the ECPA. UOP had hired Andersen for a systems integration project, during which Andersen employees used UOP’s internal email system. UOP subsequently disclosed to a newspaper email messages sent on its system by Andersen employees. The Court dismissed plaintiff’s claim, finding that UOP’s access to Andersen’s email and subsequent disclosure was not subject to the ECPA, as UOP did not provide “electronic communication service to the public” or community at large.
  12. Supnick v. Amazon.com, Inc., 2000 U.S. Dist. LEXIS 7073 (W.D. Wash. 2000). A class action lawsuit against Amazon and Alexa alleged that Alexa, whose software program monitors surfing habits and then suggests related Web pages, stored and transmitted this information to third parties (including Amazon) without informing users of the practice or obtaining users’ consent. Plaintiffs claimed these practices violated the ECPA and constituted a common law invasion of privacy. In an April 19, 2001, order, the Court preliminarily approved a settlement agreement. The terms of the settlement required Alexa to: (1) delete four digits of the IP addresses in its databases, (2) add privacy policy information to its Web site, (3) require customers to opt-in to having their data collected before they are permitted to download Alexa software, and (4) pay up to $40 to each customer whose data was found in Alexa’s database. Settlement available at http://pages.alexa.com/settlement/settle.html.
  13. Lieschke v. RealNetworks, Inc., 2000 U.S. Dist. LEXIS 1683 (N.D. Ill. 2000). A class action lawsuit against RealNetworks alleged that RealNetworks improperly used its RealJukebox software to access personal information stored on plaintiffs’ hard drives in violation of ECPA, the CFAA, and several state claims. The Court granted RealNetworks’ motion to stay and to enforce arbitration, finding that the End User License Agreement required arbitration.
  14. In re Intuit Privacy Litig., 138 F. Supp. 2d 1272 (C.D. Cal. 2001). A class action lawsuit against Intuit alleged that Intuit’s Quicken.com Web site violated consumers’ privacy rights through its unauthorized and undisclosed use of cookies. The complaint alleged violations of the ECPA, the CFAA and two state law claims. Defendant Intuit moved to dismiss plaintiffs’ claims. The court held that plaintiffs’ ECPA II claim was pled sufficiently to survive a 12(b)(6) motion. The court dismissed plaintiffs’ ECPA I claim, however, finding that plaintiffs failed to allege that defendants intercepted plaintiffs’ electronic communications for the purpose of committing a tortious or criminal act. Finally, the court dismissed plaintiffs’ claim under the CFAA because the complaint did not allege that any plaintiff suffered at least $5,000 in damages.
  15. Fraser v. Nationwide Mutual Ins. Co., 135 F. Supp. 2d 623 (E.D. Pa. 2001). Fraser, a Nationwide agent, sued the company for violations of the Wiretap Act and Stored Communications Act for its retrieval of a stored email message from a Nationwide computer leased to and used by one of Nationwide’s other agents. The Court held that the Wiretap Act did not apply, since the message was not “intercepted” but instead was retrieved after it had already been sent and received. The Court also found that the Stored Communications Act only applies to messages while they are in the course of transmission, including the storage area for messages that have been sent but not received. As a result, the Stored Communications Act did not apply to the message at issue, which was in post-transmission storage after being received and discarded by the recipient.

State Privacy Claims and Litigation

Data collection lawsuits allege various state law claims in addition to federal claims, including invasion of privacy (principally, intrusion into another’s private affairs or concerns), trespass to chattels and unfair business practices.

Intrusion into Seclusion

At common law, “intrusion into seclusion” is a form of invasion of privacy in which one intentionally intrudes into the “seclusion” or private affairs of another in a manner that would be considered offensive or objectionable to a reasonable person. Under recent online data collection suits, plaintiffs have alleged that the collection of certain personal data intrudes into their private affairs.

  1. Boring v. Google, Inc., No. 09-2350, 2010 U.S. App. LEXIS 1891 (3rd Cir., Jan. 25, 2010). The Borings sued Google for invasion of privacy and trespass after Google's Street View car drove down their private road and captured the Borings' house and pool on its camera; the images were then displayed in Google's Street View feature. Id. at *3. In dismissing the Borings' intrusion upon seclusion and publicity given to private life claims, the court found that no reasonable person would find a car driving down a driveway and taking a picture "highly offensive," pointing out that salespersons or delivery persons would make the same trip, and the picture did not actually display the Borings. Id. at *10-11. However, the Third Circuit reversed the District Court on the trespass claim and allowed it to stand, holding that because physical trespass is a strict liability tort and the complaint did allege that Google's car entered onto the Borings' private land, the Borings could be entitled to nominal damages. Id. at *13-14.
  2. DeLise vs. Fahrenheit Entm’t, Civ. Action No CV-014297 (Cal. Sup. Ct. Marin Cty. Sept. 2001). In a suit brought in state court against Sunncomm and Music City Records, plaintiffs alleged, inter alia, that an interactive music CD sold by defendants to consumers used cookies, Web bugs and other technologies to track users’ personally identifying information and invade their privacy. Under the terms of the settlement reached in February 2002, defendants agreed to purge the user information they had collected and update their privacy policies and CD warning labels to adequately disclose their data practices.
  3. Stewart v. Yahoo, Inc., Case No. 00-00010405 (Dallas Co. Tex. 2000) and Schiller v. Broadcast.com, Inc., Civ. Action No. 8-00 CB78 (E.D. Tex. 2000). Plaintiffs alleged claims of theft, trespassing and stalking based upon Yahoo!’s use of cookies.
  4. Condon v. Reno, 155 F.3d 453 (4th Cir. 1998), rev’d on other grounds, 528 U.S. 141 (2000). The court found that individuals possess no reasonable expectation of privacy in their names, addresses and telephone numbers held by the state motor vehicles department because the same information is easily available from many other sources. See also Shibley v. Time, Inc., 341 N.E.2d 337 (Ohio 1975) (practice of selling and renting magazine subscription lists without the subscribers’ prior consent was not an invasion of privacy); but see Shulman v. Group W Productions, Inc., 18 Cal. 4th 200 (1998) (unauthorized collection of data in video and audio news-gathering may be an intrusion into another’s seclusion).
  5. Dwyer v. American Express, 652 N.E.2d 1351 (Ill. App. 1995). Class action plaintiffs alleged, inter alia, that American Express unreasonably intruded on the seclusion of cardholders by analyzing their behavioral characteristics and spending histories. It would then offer to create a list of cardholders’ names and addresses who would most likely shop in a particular store and rent that list to a merchant. Finally, American Express would mail targeted special promotions devised by the merchants to its cardholders and share the profits generated by sales derived from these advertisements. The court held that the plaintiffs failed to satisfy the first element of the claim (i.e., unauthorized intrusion).

Trespass to Chattels

Another common law cause of action that has been recognized by state courts in online privacy actions is trespass to chattels. See main article on Trespass to Chattels.

Unfair Business Practices/Consumer Fraud Statutes

Most states also have laws prohibiting false, deceptive or unfair business practices. Generally, such laws prohibit false or deceptive statements intended to induce the plaintiff into a commercial transaction. In recent online data collection suits, plaintiffs allege that the online service’s failure to fully and accurately disclose their data collection, use and disclosure practices amounts to a false representation or deceptive business practice.

Rights of Publicity

Under various state laws, permission is needed for the commercial exploitation of the name, image, or personal attribute of an individual, including dead celebrities. See main article on Right of Publicity.

State Privacy Cases

A number of states have enacted privacy laws and rules, in some cases exceeding federal protections.

  1. State of Wash. v. Townsend, 2001 Wash. App. LEXIS 567 (Wash. 2001). Appellant appealed his conviction for attempted child rape, contending that the trial court erroneously introduced emails and ICQ messages into evidence. The court held that the Washington Privacy Act protected the private messages between appellant and a fictitious 13-year-old child. However, because both email and ICQ messages involve automatic recordation, the court found that appellant impliedly consented to the recording and that the state did not violate the Washington Privacy Act during its investigation.
  2. American Council of Life Insurers v. State of Vermont (Vt. 2002). Insurance industry trade groups filed suit against the state of Vermont over the state’s new financial privacy regulations (Vermont Regulation B-2001-01). Vermont’s regulations provide even greater financial privacy protection than the Gramm-Leach-Bliley Act. The regulations contain an “opt-in” standard that requires customers to affirmatively consent before a financial institution may share a customer’s personal financial information.
  3. Locate.plus.com Inc. v. Iowa Department of Transportation, No. 78/01 – 1411 (Iowa, Sep. 9, 2002). Plaintiff Locate.plus.com, Inc., a company that obtained information on motor vehicles and drivers from state motor vehicle records, formatted the data into searchable form and sold it to government agencies. Plaintiff filed suit against the Iowa Department of Transportation when it refused to provide information from its records. The court held that state and federal law did not permit the disclosure of information to an information reseller, since it was not a legitimate receiver of such information under the applicable Iowa statute.
  4. Felsher v. University of Evansville, 755 N.E.2d 589 (Ind. Sup. Ct. 2001). The University of Evansville sued defendant who, in retaliation for being dismissed from the university’s faculty, had created fictitious Web pages and email accounts using the names of his colleagues and superiors at the school. Defendant then used the fictitious email accounts to direct school officials to Web sites containing defamatory statements about his former colleagues. The Supreme Court of Indiana held that corporations, including the university, could not sue for invasion of privacy but that the individuals could bring invasion of privacy actions based on misappropriation of email identity.
  5. Helen Remsburg, Administratrix of the Estate of Amy Lynn Boyer v. Docusearch, Inc., 149 N.H. 148 (N.H. 2003). Plaintiff filed suit in federal court against defendant, an information broker, because the broker disclosed information to his client about the decedent that he later used to find the decedent and kill her. Plaintiff claimed defendant violated the decedent’s privacy and broke other laws. After the federal court requested that the New Hampshire Supreme Court rule on the suit’s validity, the state court held that an information broker could be held liable for “foreseeable harm” when the information it sells places others at risk due to criminal misconduct. The court included in the definition of foreseeable harm only the crimes of identity theft and stalking. The court also held that if a broker obtained a person’s social security number without the person’s permission and sold the number to a client, the broker could be liable for damages caused by the sale based on intrusion upon seclusion. Lastly, the state court ruled that although a broker who obtained a person’s work address through a pretextual phone call and later sold the information to a client could not be sued based on intrusion upon seclusion, the broker would be liable for damages caused by the sale of the information.