News & Insights  |  Newsletters

Current Litigation Focuses New Claims to Rights

February 2000

Will Cookies Crumble? - Increasing Pressure by Consumers
The aggregation of Internet clickstream data (consumer Web surfing patterns) with names and other identifying information has spawned several recent lawsuits against some of the best known names on the Internet. DoubleClick, Inc., the Internet advertising company, is the defendant in a California lawsuit and a Federal Trade Commission investigation; Alexa Internet, a subsidiary of Inc., is the defendant in two additional California lawsuits; and Yahoo! Inc. is a defendant in Texas lawsuits. Already there is activity in Congress to restrict the use of certain online information-gathering technologies without explicit opt-in requirements. Such initiatives spotlight the unsettled scope of what claimed rights in consumer information are, or might be, legally protected.

The DoubleClick Actions
When DoubleClick first began using "cookies” – digital ID badges that are installed on the hard drives of an Internet user – the company allegedly represented in its privacy policy that it would not collect personally identifiable information along with the Internet usage data that it was collecting. The data gathered by DoubleClick through the use of "cookie” technology could not be used to personalize advertising without the additional ingredient of personally identifiable information.

In 1999, however, DoubleClick acquired a direct marketing company called Abacus Direct Corp. The Abacus marketing database allegedly contains extensive personal information about the majority of American consumers which, in combination with DoubleClick's data, permits specific referencing of consumer use and identity. The correlation of a broader range of personal information about users would permit more sophisticated targeting of advertising. A lawsuit filed by Harriett M. Judnick alleges that the combination of the two databases of information would invade consumers' privacy without their consent. The lawsuit seeks to enjoin DoubleClick's use of "cookies” without the prior written consent of consumers whose information is being gathered.Judnick v. DoubleClick, Inc. No. CIV 00421 (Cal. Super. Ct., Marin Cty.).

In the meantime, DoubleClick has changed its privacy policy to inform users of the possibility that their clickstream data will be associated with personally identifiable information and to permit Internet users to opt-out of collection of data. In order to opt-out, however, users must go to DoubleClick's Web site. Due to DoubleClick's limited, advertising-related role, Internet users often are not aware that a "cookie” has been installed on their hard drive by DoubleClick when they visit some other Web site, and thus may not recognize that they have reason to visit DoubleClick's Web site or to make an opt-out decision there.

On February 10, the Electronic Privacy Information Center, privacy advocates, filed a complaint with the Federal Trade Commission requesting an injunction against DoubleClick's practices and the destruction of the data collected under the old policy during the past several years. The complaint alleges that DoubleClick's change in policy constitutes a deceptive trade practice and that the invasion of privacy constitutes an unfair trade practice, both in violation of the Federal Trade Commission Act. Shortly, thereafter, on February 16, the FTC announced that it was "conducting a routine inquiry of DoubleClick, Inc.” and that the "company has been cooperating in the inquiry.” Regulatory inquiries by New York and Michigan also have been reported.

The Alexa Internet Actions
Two putative class action consumer lawsuits have been filed against Alexa Internet, a subsidiary of, for gathering information made available to According to the complaints, the Alexa software permits the collection of more information than the consumer Internet users would be aware was being collected. In particular, the software allegedly permits the gathering of information about the URLs visited by the user.

The two federal court suits are brought pursuant to various statutes, including the federal Electronic Communications Privacy Act, 18 U.S.C. §2701 et seq., the federal Computer Fraud and Abuse Act, 18 U.S.C. §1030 et seq., federal wiretapping laws, and California business practices laws. Bieles v. Alexa Internet, 00-CV-187 (N.D. Cal.); Newby v. Alexa Internet, 00-CV-54 (N.D. Cal.).

The Yahoo! Action
In a different twist on the "cookie” challenge, lawsuits have been filed in Texas alleging that Yahoo! and its subsidiary, Universal Image is alleging that use of cookies to collect consumers' personal information constitutes "electronic stalking,” in violation of Texas' anti-stalking and eavesdropping statutes. The Texas anti-stalking statute makes it a crime to knowingly engage in conduct another person will regard as threatening "that an offense will be committed against the other person's property.” Universal Image's attorney raises these same claims in a separate class action lawsuit filed in Texas on behalf of all users that were secretly monitored on Yahoo!'s or's sites. (See Universal Image Inc. v. Inc., Dallas Cty. Dist. Ct. No. 9905440, filed July 16, 1999; Stewart v. Yahoo! Inc., Dallas Cty. Dist. Ct., No. 0001045, filed Feb. 9). These complaints in effect assert that consumers have a legally protected right not to have personal information collected using their computers, at least not without their active consent.

Interest on Capitol Hill
Plaintiffs in the "cookie" cases assert a consumer right not to have information about them collected secretly or without prior consent. Implicit in these claims is the notion that what a consumer does online is "private” to the consumer and not generally available to the businesses or websites whose services they are using. On Feb. 10, U.S. Senator Robert Torricelli (D-NJ) introduced legislation (S.2063) that would directly address the "cookie” issue. Under the Torricelli proposal, Web sites would not be permitted to employ "cookie” technology without explicit user consent, i.e., an "opt-in.” Marketers traditionally have opposed an opt-in requirement, because they perceive that consumers are unlikely to affirmatively choose to have their information collected for marketing purposes. Such legislation is likely to be vigorously opposed by the e-commerce industry, unless, of course, emerging state law theories are perceived to become a greater threat.

Recognition of Certain Business Property Rights - Limits on Consumer Rights Claims
Policymakers typically regard certain aspects of life, such as financial and medical information, as warranting a greater than ordinary level of privacy protection, as recently reflected in the enactment of financial privacy protections in the Gramm-Leach-Bliley Act, whose implementing regulations will require financial institutions to provide notice to consumers of their privacy policies and permit consumers to prevent disclosure of personal information to third parties. Notably, however, both the Act and the proposed regulations would allow consumers to prevent disclosure of this information only with respect to third parties; financial institutions could use information themselves and share almost any information with their affiliates. This suggests that businesses – even in sensitive areas — may have a property interest in their customers' personal information that is sufficient to enable them to use that information, in a limited way, without the customers' consent. Further support for this interest is found in the Tenth Circuit's August decision inU.S. West v. Federal Communications Commission, 182 F.3d 1224 (1999), which rejected the FCC's attempt to prevent telecommunications companies from sharing without consent their customers' personal information with affiliates in order to market new services.

EBay v. ReverseAuction
Yet another recent lawsuit concerns the extent of an information collector's protectable interest in its compilations of personal information. The leading online auction firm eBay is suing a rival firm,, for allegedly attempting to use information on eBay's site about eBay customers – including "feedback ratings” which measure a user's reputation among other eBay members – on's site. eBay claims that the "feedback ratings” are its property, and may not be used on other auction sites. EBay Inc. v.,5:00CV20023 (N.D. Cal., filed Jan. 6). Recent changes to eBay's user agreement similarly prevent eBay members themselves from using their feedback ratings on other auction sites. ReverseAuction sees such data as non-proprietary, and it is of obvious interest to online auction sites where the level of fraud has spurred a "coordinated law enforcement initiative” announced on February 14 by the FTC. The eBay case will explore the extent to which data collected by a Website may be used on or by other sites and at whose discretion. Does the Website – here, eBay – that hosts the service and compiles the information have a legally protected interest in that information about its customers, and, if so, what is the nature and strength of that interest?

The foregoing cases are only initial skirmishes in what will, in all likelihood, become a full-fledged battle among online businesses, consumers, and competing businesses. Pivotal to the resolution of such battles will be the definition of the protected legal interests of numerous different types of potential parties. Harmonizing the consumer's assertion of complete control (a claim often belied by conduct and generally unsupported at common law) with a business's economic interest in its service and customer records, as well as the interest in protecting competition, promises to be a long and difficult process. The stakes are tremendous.

For additional information, please contact Bruce L. McDonald (202/719-7014 or ).