Data Protection Report - Norton Rose Fulbright

In re: Google Inc. Cookie Placement Consumer Privacy Litigation, involves 24 consolidated lawsuits that were initially brought against several internet advertisers alleging violations of various state and federal privacy statutes, including the Computer Fraud and Abuse Act, the Wiretap Act and the Electronic Communications Privacy Act. In October of 2013, the District of Delaware dismissed the consolidated case, finding that “that plaintiffs have not alleged injury-in-fact sufficient to confer Article III standing” and that they had failed to “[plead] sufficient facts to establish a plausible invasion of the rights” under various statutes asserted in the complaints. However, on November 10, 2015, the Third Circuit Court of Appeals issued an order restoring some of the plaintiffs’ claims alleging that Google’s internet tracking practices violate California’s Constitution and state privacy laws.

Addressing the standing argument presented by Google and adopted by the District Court, the Third Circuit stated that the argument that “the plaintiffs fail[ed] to demonstrate injury in fact because they [made] insufficient allegations of pecuniary harm,” was misplaced. The court explained that “the actual or threatened injury required by Art. III may exist solely by virtue of statutes creating legal rights, the invasion of which creates standing” and, therefore, standing may exist “for violations of federal privacy law absent any indication of pecuniary harm.”

The Third Circuit panel stated that to prevail with respect to privacy claims under California law, the court “consider[s] (1) the nature of any intrusion upon reasonable expectations of privacy, and (2) the offensiveness or seriousness of the intrusion, including any justification and other relevant interests. In evaluating the offensiveness of an invasion, the court is to consider ‘pragmatic policy concerns’ such that ‘no cause of action will lie for accidental, misguided, or excusable acts of overstepping upon legitimate privacy rights.’”

Google argued that the privacy claims must fail because “the plaintiffs voluntarily sent Google all the internet usage information at issue,” and that the use of “tracking cookies [is] routine,” citing cases that describe cookies as “more or less, innocuous.” Google further contended that courts “‘routinely’ find no actionable privacy invasion in cases involving tracking, collation, and disclosure of internet usage information.”

The panel disagreed, explaining that Google’s conduct could be viewed as inconsistent with Google’s Privacy Policy. The court therefore held that “a reasonable factfinder could indeed deem Google’s conduct ‘highly offensive’ or ‘an egregious breach of social norms.’”

Our Take

On its face, the Third Circuit’s decision appears to create potential exposure to other businesses that similarly track individuals’ internet usage through the use of cookies. Although the restoration of these claims may identify a potential path forward for future litigants alleging privacy violations, it is important to note that the Third Circuit’s decision was based largely on its determination that Google was acting in a manner that was inconsistent with its own published privacy policies. The panel’s reference to Google’s “smokescreen” suggests that it was not the use of cookies themselves that were problematic, but rather the fact that Google allegedly “contravened the cookie blockers” even though “it held itself out as respecting the cookie blockers.” Therefore, this decision creates substantially less risk for companies that have privacy policies that clearly establish what user data is and is not collected and act in accordance with those policies.

To subscribe for updates from our Data Protection Report blogvisit the email sign-up page.