The Supreme Court recently declined to review In re Google Inc. Cookie Placement Consumer Privacy Litigation—a consolidated class action alleging that Google and third-party advertisers evaded web browser privacy settings, causing cookies to be placed on plaintiffs’ computers. 806 F.3d 125 (3d Cir. 2015), cert. denied sub nom. Gourley v. Google, Inc., 84 U.S.L.W. 3531 (U.S. Oct. 3, 2016) (No. 15-1141).
Given the Court’s denial of review, significant questions remain regarding the applicability of the Wiretap Act to internet communications. The Third Circuit’s opinion offers guidance to online advertisers, data privacy attorneys, and other courts as they examine the applicability of the Wiretap Act to cookie-related activities. This guidance and other notable aspects of the Third Circuit’s opinion are discussed below.
Background
Apple’s Safari and Microsoft’s Internet Explorer include built-in cookie-blocking features. In 2012, the Wall Street Journal published an article asserting that Google and other advertising companies had “bypass[ed] the privacy settings of millions of people using Apple Inc.’s Web browser on their iPhones and computers—tracking the Web-browsing habits of people who intended for that kind of monitoring to be blocked.” It noted Google’s conduct contradicted its “own instructions to Safari users on how to avoid tracking. Until recently, one Google site told Safari users they could rely on Safari’s privacy settings to prevent tracking by Google.” Google subsequently paid $22.5 million to settle FTC charges that it had misrepresented privacy assurances to Safari users and $17 million more to settle similar claims brought by 37 states and the District of Columbia.
That same year, plaintiffs brought In re Google Inc. Cookie Placement Consumer Privacy Litigation, multidistrict litigation consolidated in the U.S. District Court for the District of Delaware. The plaintiffs alleged Google and other third-party advertisers had circumvented cookie-blockers on Safari and Internet Explorer in violation of the Wiretap Act, the Stored Communications Act (“SCA”), the Computer Fraud and Abuse Act (“CFAA”), and California state law. The district court granted the defendants’ motion to dismiss for failure to state a claim. In November 2015, the Third Circuit affirmed in part, vacated in part, and remanded for additional proceedings.
The Third Circuit’s Opinion and the Questions that Remain Following the Supreme Court’s Denial of Certiorari
The Wiretap Act
In its opinion, the Third Circuit first addressed whether the plaintiffs stated a claim under the Wiretap Act, which requires plaintiffs to allege a defendant (1) intentionally (2) intercepted, endeavored to intercept or procured another person to intercept or endeavor to intercept (3) the contents of (4) an electronic communication, (5) using a device. The Wiretap Act provides in pertinent part, “[i]t shall not be unlawful . . . for a person not acting under color of law to intercept a wire, oral, or electronic communication where such person is a party to the communication.” 18 U.S.C. § 2511(2)(d).
At issue was (1) whether the defendants acquired communications “content,” defined under the Act as “any information concerning the substance, purport, or meaning of th[e] communication,” § 2510(8), and, if so, (2) whether dismissal was nevertheless proper because the defendants were “parties” to electronic transmissions that they acquired and tracked, § 2511(2)(d).
Content
The district court held the URLs tracked by the cookies were not “content,” reasoning a URL is a mere location identifier and therefore does not concern the substance, purport, or meaning of an electronic communication. The Third Circuit rejected this categorical approach, noting a URL can contain content in that it identifies which document in a website a person views. The court suggested that whether a URL is content or a mere “means of establishing communication,”—that is, metadata—depends on its function:
URLs may be . . . routing . . . information, but only when they are performing such a function. If a[] . . . URL is instead part of the substantive information conveyed to the recipient, then by definition it is “content.” . . . . Thus, there is no general answer to the question of whether locational information is content. Rather, a “content” inquiry is a case-specific one turning on the role the location identifier played in the “intercepted” communication.
806 F.3d at 137. It added an important consideration was “how much information would be revealed by disclosure of the URL.” Id. at 138.
In short, the Third Circuit suggested factors for determining whether a URL is content—its function and how much information it reveals—without committing to a test. See id. at 139 n.50 (“We need not make a global determination as to what is content, and why, in the context of queried URLs.”). It held that, regardless of the precise line between content and metadata, the plaintiffs plausibly alleged that at least some of the URLs at issue were content.
Having decided the plaintiffs plausibly alleged the content element, the Third Circuit nevertheless affirmed dismissal on the ground that defendants were “parties” to the communications (discussed further below). Given this resolution of the claim, the Third Circuit need not have addressed the distinction between content and metadata at all. It could have assumed without deciding that URLs were “content” and then affirmed, as it did, based on the clearer question of whether the “party exception” applied. Instead, it entered the murky space where content and metadata reside, suggesting factors for distinguishing the two. In doing so, it effectively shaped future courts’ determinations of content versus metadata, guiding the debate without attempting to resolve it.
What remains unclear following the Third Circuit’s opinion is (1) what aspects of its content analysis are binding in the Third Circuit itself, and (2) how other courts will distinguish between regulated content and metadata. With the Supreme Court’s denial of certiorari, other courts will be free to define this distinction on their own. No doubt, they will look to the Third Circuit’s suggested factors as persuasive.
Party Exception
After determining that the URLs plausibly included “content,” the Third Circuit affirmed dismissal on the ground that the party exception applied. It reasoned the exception applied because the URLs were captured from requests, sent by the plaintiffs’ browsers to the defendants, to view the defendants’ own websites. Put differently, the defendants were themselves the intended recipients of the requests that allegedly conveyed URLs.
The plaintiffs had argued the party exception shouldn’t apply on equitable grounds, asserting the requests included cookie information only because the defendants deceitfully circumvented their browsers’ cookie blockers. The Third Circuit rejected this argument, holding it didn’t matter whether plaintiffs were tricked. Like several other circuits, the Third Circuit interpreted the Wiretap Act to incorporate prior case law holding that one who impersonates the intended receiver of a communication may still be a party to that communication. In short, the Third Circuit held the “Wiretap Act is a wiretapping statute, and just because a scenario sounds in fraud or deceit does not mean it sounds in wiretapping.” Id. at 144.
The Third Circuit’s reasoning provides internet advertisers significant protection from Wiretap Act claims alleging similar facts. Given the number of other circuits that have held the party exception applies despite deceit, other circuits may well adopt the Third Circuit’s reasoning on similar facts.
Remaining Claims
The Third Circuit also affirmed the dismissal of the plaintiffs’ claim brought under the SCA, joining the Fifth Circuit in holding that the SCA governs centralized communication providers, not end-users’ home computers. It also affirmed dismissal under the CFAA, concluding the plaintiffs failed to plausibly allege damage or loss. In doing so, it provided examples of allegations that would have been plausible, effectively guiding plaintiffs’ lawyers on how to more effectively craft future complaints.
Finally, the Third Circuit revived the privacy claims brought against Google under the California Constitution and California state tort law, concluding the plaintiffs plausibly alleged a serious invasion of privacy or an egregious breach of social norms by alleging Google circumvented the cookie blockers in violation of its own privacy policy, which stated it respected cookie blockers. The Third Circuit’s reasoning reflects the importance of the oft-repeated theme in data privacy law: say what you do, and do what you say.
Conclusion
Businesses and privacy practitioners hoping to receive more definitive guidance on these issues of fundamental importance to the digital advertising and analytics industry will need to continue to monitor the evolving case law. We will provide updates as key developments arise.