In Re Google Inc. Cookie Placement Consumer Privacy Litigation
2015 U.S. App. LEXIS 19581
| 3rd Cir. | 2015Background
- Plaintiffs (consolidated class) allege that Google and other ad companies placed third-party tracking cookies on users’ Safari and Internet Explorer browsers by exploiting browser cookie-blocker exceptions, despite users’ cookie-blocker settings and Google’s public statements.
- Jonathan Mayer’s February 2012 research and Wall Street Journal reporting revealed code that caused browsers to submit hidden forms, triggering exceptions that allowed cookie placement; government agencies later settled with Google (FTC and state AG settlements).
- Plaintiffs sued as a putative class asserting three federal claims (Wiretap Act, Stored Communications Act, CFAA) against all defendants and six California state-law claims (including California constitutional privacy and intrusion upon seclusion) against Google alone.
- The District Court dismissed all claims under Rule 12(b)(6); plaintiffs appealed. The Third Circuit considered Article III standing and addressed the merits of each statutory and state-law claim.
- The Third Circuit held plaintiffs have Article III injury-in-fact (statutory/privacy interests suffice), vacated dismissal of California freestanding privacy claims against Google, and otherwise affirmed dismissal of most federal and state statutory claims.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Standing (Article III injury) | Alleged unauthorized placement of cookies and tracking is a concrete, particularized invasion of privacy sufficing for injury-in-fact | Plaintiffs lacked pecuniary loss and therefore no concrete injury | Plaintiffs have injury-in-fact; Article III jurisdiction exists |
| Wiretap Act (whether acquired data is “contents” and party-exception) | Tracked URLs and associated browsing data can be "contents" of electronic communications; defendants intercepted third-party communications | URLs are routing metadata, not content; even if content, defendants were intended recipients (parties) so §2511(2)(d) bars liability | Some queried URLs may be content; but alleged facts show defendants were parties to the GET requests, so §2511(2)(d) applies and Wiretap Act claim dismissed |
| Stored Communications Act (whether plaintiffs’ devices are protected “facilities”) | ‘‘Facility’’ and ‘‘electronic communication service’’ encompass modern personal devices used to send/receive communications | SCA targets third-party network/service providers (ISPs, mail/bulletin boards); personal devices are not the protected facilities the 1986 Act contemplated | Personal browsers/devices are not SCA "facilities"; SCA claim dismissed |
| CFAA (damage or loss requirement) | Plaintiffs’ browsing data has market value; defendants’ appropriation caused "loss" (deprived plaintiffs of monetizing data) | Plaintiffs alleged no costs, lost revenue, or impairment; no concrete statutory "loss" or "damage" pleaded | Complaint fails to plead CFAA "damage" or statutory "loss"; CFAA claim dismissed |
| California freestanding privacy & intrusion claims | Deceitfully overriding cookie-blockers and public promises to respect settings invaded reasonable expectations of privacy and was highly offensive | Users voluntarily sent browsing data; cookie-tracking and ad-targeting are routine and not egregious | Dismissal vacated: reasonable jury could find actionable invasion given deceit, scale, and reliance on Google’s representations |
| California Invasion of Privacy Act (§631) | (Plaintiffs argued interception of communications) | Google was a party to the communications (ad servers were intended recipients); §631 targets third-party eavesdropping | §631 claim dismissed for same reason as Wiretap Act: no third-party eavesdropping shown |
| Other California statutory claims (UCL, §502, CLRA) | Alleged unfair practices, unauthorized access, and a forced “sale” of browsing data | Plaintiffs lack the required losses/damages; no sale as defined under CLRA | Dismissals affirmed: no loss/damage for UCL/§502; no cognizable "sale" for CLRA |
Key Cases Cited
- Smith v. Maryland, 442 U.S. 735 (U.S. 1979) (distinguishes content from routing/dialing information and frames metadata/content analysis)
- Katz v. United States, 389 U.S. 347 (U.S. 1967) (Fourth Amendment wiretapping principles and expectation of privacy backdrop)
- In re Pharmatrak, Inc. Privacy Litig., 329 F.3d 9 (1st Cir.) (discusses third-party tracking and mechanisms that duplicate user communications)
- Garcia v. City of Laredo, 702 F.3d 788 (5th Cir. 2012) (holding a home/end-user computer is not a "facility" under the Stored Communications Act)
- In re Zynga Privacy Litig., 750 F.3d 1098 (9th Cir.) (recognizes that some queried URLs reproducing search terms may be content)
- Caro v. Weintraub, 618 F.3d 94 (2d Cir. 2010) (interprets §2511 exception—interception must be for an independent tort/crime beyond the recording itself)
- United States v. Pasha, 333 F.2d 193 (7th Cir. 1964) (holds impersonation/being the recipient of a communication does not constitute unlawful interception)