Online Behavioral Advertising

While the FTC and self-regulatory groups in the advertising industry and other market sectors have been discussing this issue for years, it appears that litigation and legislation concerning this issue will peak in 2011. Already this year, the FTC had closed the public-comment period for a Do Not Track option to be added to websites before targeted advertising can be served. As of March, there were 449 comments. The European Union passed a new privacy directive that will go into effect on May 25 and will require “explicit” consent before users' behaviors can be tracked to target users with customized advertising. The call for a nationwide privacy protocol has caught the interest of legislators in the United States, and on March 16, the Obama administration called for a universal privacy bill, and specifically supported the FTC's Do Not Track proposals.

As legislators, regulatory agencies, and consumer and industry groups debate the issues publicly, the plaintiffs' bar has seized the opportunity to step up class-action activity. A summary of some of the recent results obtained so far this year provides insight into strategies and tactics that might be used by plaintiffs and defendants in the remaining 30-plus class actions that were pending as of mid-April in state and federal courts across the nation.

Standing and Consent

Standing and consent have emerged as strong defenses in behavioral advertising class actions, and the first wave of federal actions, filed in February 2010, focused on cable companies providing Internet services.

Green v. Cable One. Behavioral Class Action Dismissed on Article III Standing Grounds. On Feb. 3, 2010, a putative class action was filed in the Northern District of Alabama. Green v. Cable One (Case No. 1:10-cv-00259). Cable One, a division of The Washington Post, is an Internet service provider (“ISP”) that provides online services.

In Green, the named plaintiff alleged that Cable One entered into a contract with the (now-defunct) third-party advertising-server, NebuAd. Pursuant to the contract, Green alleged that Cable One “began installing 'spyware devices' on its broadband networks.” Complaint at '1. Green also alleged that Cable One added “appliances” to its modems and that these “devices funneled all affected users' Internet communications ' inbound and outbound in their entirety ' to ' NebuAd.” Id. Green further challenged Cable One's use of so-called “super persistent” tracking “cookies” that were not detectible through security and browser settings and that allegedly permitted Cable One to use “deep packet inspection technologies” to serve ads. Id. at ”38, 47. Green also contended that Cable One and NebuAd interrupted communications with websites to include targeted advertising “other than those authorized by the publishers of the [W]eb pages downloaded by users.” Id. at '50.

Green alleged four causes of action:

1. Invasion of privacy by intrusion upon seclusion;
2. Violations of the Electronic Communications Privacy Act (“ECPA” or Wiretap Act) (18 U.S.C. '2510) for the deployment of the appliance and interception, and use of personally identifiable information;
3. Violations of the Computer Fraud and Abuse Act (“CFAA”) (18 U.S.C. '1030) for intentionally accessing users' communications in a manner that caused damage; and
4. Trespass to chattel by interfering with the operation of the users' computers.

Green filed a motion for class certification in August 2010. Shortly thereafter, Cable One requested to inspect his computer. Green refused, then voluntarily dismissed (with prejudice) three of his claims that depended on allegations of harm, leaving only the ECPA remaining. On Nov. 9, 2010, Green was deposed. He testified that he accessed his Cable One account exclusively from his home in Alabama. This admission proved fatal. Cable One's records revealed that Green's Internet subscription had been canceled one day before the NebuAd ad contract went into effect. Accordingly, Cable One filed a motion to dismiss on the ground that Green lacked Article III standing, and the Northern District of Alabama agreed. The case was dismissed on Feb. 23 of this year.

The result in Cable One shows that no matter how inflammatory privacy allegations may appear in a complaint, courts will look closely at the factual issues to determine whether the named plaintiffs can pursue the allegations. Green's refusal to permit review of his computer for purposes of determining harm under the CFAA proved costly ' forcing premature (albeit voluntary) dismissal of that claim, as well as of the dismissal of others.

Mortensen v. Bresnan Communications. Defendant's Motion to Dismiss Was Granted in Part. On Feb. 16, 2010, a class-action lawsuit was filed against another ISP in Mortensen v. Bresnan Communications LLC, 1:10-cv-00013 (U.S. District Court, District of Montana). The Mortensen complaint was filed by the same law firm that filed the Green action and contained many of the same allegations. The Mortensen plaintiffs alleged that from early 2008 through June of 2008, defendant Bresnan Communications diverted substantially all of its Internet communications to NebuAd. As in the Green case, the Mortensen plaintiffs alleged that Bresnan modified its network to permit NebuAd to install its “appliance.” The plaintiffs further alleged that NebuAd used the appliance to gather information to create profiles of Bresnan's customers to serve interest-based ads. The plaintiffs also alleged that Bresnan shared revenue with NebuAd and profited from the invasions of privacy. The same four causes of action alleged in the Green case were alleged against Bresnan: 1) invasion of privacy by intrusion upon seclusion; 2) violations of the ECPA; 3) violations of the CFAA; and 4) trespass to chattel.

ECPA Arguments

On April 23, 2010, Bresnan filed a motion to dismiss. First, Bresnan argued that plaintiffs failed to state a claim under ECPA. To prevail on an ECPA claim, the plaintiffs must demonstrate that the defendants intentionally intercepted, or endeavored to intercept, the contents of an electronic communication through the use of a device. See, In re Pharmatrak,Inc., 329 F.3d 9, 18 (1st Cir. 2003). Bresnan argued that it did not use a device to intercept plaintiffs' communications ' NebuAd did ' so Bresnan “cannot be liable for [NebuAd's] interception or use of electronic communications.” Bresnan also argued that its cooperation in installing NebuAd's appliance on its network did not create liability under the ECPA. The Eighth Circuit had previously ruled that “acquiescence in [another]'s plans to [engage in interception] and [] passive knowledge [thereof] are insufficient” to assign liability to a defendant under the ECPA. Reynolds v. Spears, 93 F.3d 428, 432-33 (8th Cir. 1996) (emphasis added). Bresnan also argued that “[e]ven where someone instructs another to intercept, there lies no ECPA claim, because the ECPA does not have an “aiding or abetting” component. See, “Motion to Dismiss,” at p. 7 (citing Perkins-Carrillo v. Systemax, Inc., 2006 WL 1553957, 15 (N.D.Ga. May 26, 2006)).

In their opposition to Bresnan's motion to dismiss, the Mortensen plaintiffs countered that Bresnan's liability was not limited to “aiding and abetting”:

Inasmuch as Bresnan concedes that it installed the NebuAd device into its network, its interception was intentional. Deployment of the appliance required Bresnan, physically, to take its cables that carried all user Internet traffic, outbound and inbound, and plug them into the appliance.

Plaintiff's opposition (Dkt. 23), at p. 6.

Bresnan also argued that two exceptions to the ECPA applied to its conduct.

First, the ECPA excludes activities that are “a necessary incident to the rendition of [the ISP's] service.” 18 U.S.C. '2511(2)(a)(i) & (c). In its opposition, the Mortensen plaintiffs blasted Bresnan's contention that monitoring of user activity was a “necessary” incident to providing Bresnan's Internet services. In its December 2010 order, the Montana District Court ruled that plaintiffs' allegations “that NebuAd and Bresnan deployed the Appliance on Bresnan's network infrastructure” and Bresnan had “configured” its network to “funnel all User Internet through the Appliance” were sufficient to show violations of the ECPA and were not “necessary” functions of an ISP.

Second, Bresnan argued that the ECPA exclusion of situations where “one of the parties to the communication has given prior consent to such interception” applied. Bresnan contended that it had obtained “consent” to intercept the plaintiffs' communications via three documents: 1)”Bresnan Communications OnLine Privacy Notice”; 2) Bresnan's “OnLine Subscriber Agreement”; and 3) an e-mail notice to users that the NebuAd test was taking place, which also contained instructions for users to opt out.

The Bresnan documents asked users to: “[A]cknowledge[] and agree[] Bresnan [] and its agents shall have the right to monitor ' postings and transmissions, including without limitation ' [W]eb space content.” Bresnan contended, too, that these documents notified subscribers that Bresnan's “equipment automatically collects information on your use of the Service including information on ' the programs and [websites] you review or services you order, the time [] you ' view [them, and] other information about your 'electronic browsing.'” Id.

In addition, the documents disclosed to users that “Bresnan [], its partners, affiliates and advertisers may [] use cookies, and/or small bits of code called 'one pixel gifs' or 'clear gifs' to make cookies more effective.”

For purposes of the ECPA claim, the court agreed with Bresnan that users were notified and provided express consent to the monitoring of their electronic communications. The decision said:

[T]he Court concludes that through the OnLine Subscriber Agreement, the Privacy Notice and the NebuAd link on Bresnan's website, Plaintiffs did know of the interception and through their continued use of Bresnan's Internet Service, they gave or acquiesced their consent to such interception.

Order, Dkt. 30 at p. 12 (citing In re DoubleClick Inc. Privacy Litigation, 154 F.Supp.2d 497, 514 (S.D.N.Y.2001) in support of its ruling).

Bresnan also successfully used the “consent” defense to obtain dismissal of plaintiff's intrusion upon seclusion claim. Relying on Bresnan's online privacy policy, subscriber agreement and disclosure of the NebuAd service via e-mail, the Montana District Court concluded that: “Plaintiffs cannot demonstrate that their expectation of privacy was objectively reasonable.” Dkt. 30 at p. 14.

CFAA Arguments

Bresnan's challenges to the plaintiffs' CFAA claims met greater resistance. To maintain a claim under 18 U.S.C. '1030(a), plaintiffs must show that the defendant: 1) intentionally accessed a computer; 2) accessed that computer without authorization or exceeded authorized access to the computer; 3) obtained or altered information; 4) obtained or altered information that was accessed without authority from a protected computer; and 5) accessed and altered information and that the actions resulted in damage to one or more persons during any one-year period, aggregating costs of at least $5,000. LVRC Holdings LLC v. Brekka, 581 F.3d 1127, 1132 (9th Cir. 2009).

Bresnan argued that the plaintiffs failed to state claims for violations of the CFAA because Brensan had obtained user consent, and therefore insufficient allegations of intentional conduct were present. The plaintiffs countered that any consent provided via the privacy policy was not meaningful, because the opt-out feature permitted users to opt out of receiving NebuAd's targeted advertisements, but would not prevent the collection and accessing of the data. In contrast to its ruling in favor of Bresnan on the consent defense to the ECPA, the Mortensen court determined that there was no user consent for “reversal of their privacy settings” for purposes of the plaintiffs' CFAA claims. The court commented:

For purposes of a 12(b)(6) motion, Plaintiffs have sufficiently alleged that Bresnan's act of tampering with the security and privacy protocols exceeded any authorization that Plaintiffs may have given.

Bresnan also argued that the CFAA claim could not be maintained because the allegations of harm in excess of $5,000 were insufficiently pled. The Montana District Court concluded that the Mortensen plaintiffs' allegations of harm met the requisite pleading standards of the CFAA, “because defendants caused identical cookies to be placed on plaintiff's computers, unbeknownst to them.”

For many of the same reasons, Bresnan's challenge to the plaintiffs' trespass to chattel claim also failed. The Mortensen court ruled that:

Plaintiffs have granted Bresnan conditional access for purposes of monitoring Plaintiffs' electronic transmissions as well as placing “cookies” on Plaintiffs' computers for purposes of tracking [W]eb activity. However, like Plaintiffs' CFAA claim, Bresnan's alleged actions of altering the privacy and security controls on Plaintiffs' computers activity is sufficiently outside of the scope of the use permitted by Plaintiffs. As such, ' Plaintiffs have sufficiently alleged that Bresnan intentionally interfered with the possession of their personal property.

Deering v. Centurytel, Inc. Motion to Dismiss on Grounds of Authorization and Consent Is Pending. On Feb. 11, 2010, the same plaintiffs' law firms that filed the complaint in the Green and Mortensen matters filed a complaint against Centurytel Inc., another commercial ISP.

The case, Deering v. Centurytel, Inc., et al., 1:10-cv-00063 (District of Montana), is a mirror image of the Green and Mortensen class actions. In light of the Montana District Court's dismissal of the ECPA and intrusion upon seclusion counts in the Mortensen class action, Centurytel filed a similar motion to dismiss on Jan. 25, 2011; that motion was pending as of late April.

Like the defendant in the Mortensen case, Centurytel argued that it notified consumers of the possibility of monitoring their activities and sharing data with third-party advertisers through its privacy policy and other customer communications.

Potential Impact on Pending Class Actions

As discussed above, since January of this year until press time, about 20 additional class-action complaints had been filed against numerous companies such as Nordstrom, Metacafe, Phillips Electronics of North America, YouTube, Skype, TV Guide Online Holdings, BuySafe, Pandora Media, E*Trade Financial Corp, C3 Metrics, ShopLocal, Google, Apple, Skechers USA, Reebok International and Amazon ' among many others. Each of these complaints differs from the earlier ISP cases in that direct allegations are made against the website publisher for use of device identifiers, such as Flash, to serve targeted ads. A Flash cookie (or Flash local shared object) is a unique form of data file that is stored on a consumer's computer. Flash cookies are stored in areas of the computer not controlled by the browser, which has provided the impetus for many of the complaints.

Conclusion

The recent decisions in the Green and Mortensen cases are instructive for the pending cases. Emerging as important trends for defendants are motions to dismiss to challenge the named plaintiffs':

• Standing;
• Consent to targeted advertising; and
• Alleged damages under the CFAA.

Also, as CFAA claims proceed to trial, defendants should attempt to argue that they did not intentionally access or track user behavior, because their websites were enabled by vendors and not by the defendant companies themselves.

Also, the dormant-commerce clause might emerge as a defense that defendants use to prevent decisions in one case from creating a de facto national policy regarding behavioral tracking.

Although the state of the law is in progress, 2011 promises to bring decisions that will define the scope and reach of behavioral advertising class actions, and claims under the ECPA and CFAA.

Find Out More

For more about online behavioral advertising and related topics, see the following articles.

1. “Evolving Online Advertising Techniques: Federal Scrutiny Increasing,” in the April 2011 edition of e-Commerce Law & Strategy, at www.ljnonline.com/issues/ljn_ecommerce/27_12/news/155061-1.html.

2. “Privacy and Online Data Collection: At a Crossroads? Several Key Recent Developments Suggest a Move Toward Federal Data-Privacy Legislation,” in the March 2011 edition of Internet Law & Strategy, at www.ljnonline.com/issues/ljn_internetlaw/9_3/news/154918-1.html.

3. “Retargeting Keyword Ads for Potential New Uses,” in the January 2011 edition of LJN's Franchising Business & Law Alert, at www.ljnonline.com/issues/ljn_franchising/17_4/news/154637-1.html.

4. “The 'New and Improved' FTC?: Some Recent FTC Efforts That Could Significantly Affect e-Commerce Law,” in the March 2010 edition of
e-Commerce Law & Strategy, at www.ljnonline.com/issues/ljn_ecommerce/26_11/news/153450-1.html.

5. “FTC Signals Tougher Standard for Online Tracking Disclosures,” in the August 2009 edition of e-Commerce Law & Strategy, at www.ljnonline.com/issues/ljn_ecommerce/26_4/news/152454-1.html.

Dominique Shelton, a partner in the Intellectual Property Department of the Los Angeles office of Wildman Harrold, practices with a focus on complex commercial litigation with a concentration in unfair competition, intellectual property, and antitrust. Shelton also practices law in the areas of advertising, marketing and promotions, and media and entertainment. She can be reached at [email protected].

The first quarter of this year has been marked by a rise of awareness and legal activity surrounding the question of behavioral, or targeted, advertising ' a significant area of operation and interest for e-commerce firms.

The Federal Trade Commission (“FTC”) defines behavioral advertising as: “the process of tracking consumers' activities online to target advertising.”

This practice often, but not always, includes a review of the searches consumers have conducted on the Internet, the Web pages consumers have visited, the purchases consumers have made, and the content consumers have viewed in order for commercial entities to be able to deliver advertising tailored to an individual consumer's interests.

While the FTC and self-regulatory groups in the advertising industry and other market sectors have been discussing this issue for years, it appears that litigation and legislation concerning this issue will peak in 2011. Already this year, the FTC had closed the public-comment period for a Do Not Track option to be added to websites before targeted advertising can be served. As of March, there were 449 comments. The European Union passed a new privacy directive that will go into effect on May 25 and will require “explicit” consent before users' behaviors can be tracked to target users with customized advertising. The call for a nationwide privacy protocol has caught the interest of legislators in the United States, and on March 16, the Obama administration called for a universal privacy bill, and specifically supported the FTC's Do Not Track proposals.

As legislators, regulatory agencies, and consumer and industry groups debate the issues publicly, the plaintiffs' bar has seized the opportunity to step up class-action activity. A summary of some of the recent results obtained so far this year provides insight into strategies and tactics that might be used by plaintiffs and defendants in the remaining 30-plus class actions that were pending as of mid-April in state and federal courts across the nation.

Standing and Consent

Standing and consent have emerged as strong defenses in behavioral advertising class actions, and the first wave of federal actions, filed in February 2010, focused on cable companies providing Internet services.

Green v. Cable One. Behavioral Class Action Dismissed on Article III Standing Grounds. On Feb. 3, 2010, a putative class action was filed in the Northern District of Alabama. Green v. Cable One (Case No. 1:10-cv-00259). Cable One, a division of The Washington Post, is an Internet service provider (“ISP”) that provides online services.

In Green, the named plaintiff alleged that Cable One entered into a contract with the (now-defunct) third-party advertising-server, NebuAd. Pursuant to the contract, Green alleged that Cable One “began installing 'spyware devices' on its broadband networks.” Complaint at '1. Green also alleged that Cable One added “appliances” to its modems and that these “devices funneled all affected users' Internet communications ' inbound and outbound in their entirety ' to ' NebuAd.” Id. Green further challenged Cable One's use of so-called “super persistent” tracking “cookies” that were not detectible through security and browser settings and that allegedly permitted Cable One to use “deep packet inspection technologies” to serve ads. Id. at ”38, 47. Green also contended that Cable One and NebuAd interrupted communications with websites to include targeted advertising “other than those authorized by the publishers of the [W]eb pages downloaded by users.” Id. at '50.

Green alleged four causes of action:

1. Invasion of privacy by intrusion upon seclusion;
2. Violations of the Electronic Communications Privacy Act (“ECPA” or Wiretap Act) (18 U.S.C. '2510) for the deployment of the appliance and interception, and use of personally identifiable information;
3. Violations of the Computer Fraud and Abuse Act (“CFAA”) (18 U.S.C. '1030) for intentionally accessing users' communications in a manner that caused damage; and
4. Trespass to chattel by interfering with the operation of the users' computers.

Green filed a motion for class certification in August 2010. Shortly thereafter, Cable One requested to inspect his computer. Green refused, then voluntarily dismissed (with prejudice) three of his claims that depended on allegations of harm, leaving only the ECPA remaining. On Nov. 9, 2010, Green was deposed. He testified that he accessed his Cable One account exclusively from his home in Alabama. This admission proved fatal. Cable One's records revealed that Green's Internet subscription had been canceled one day before the NebuAd ad contract went into effect. Accordingly, Cable One filed a motion to dismiss on the ground that Green lacked Article III standing, and the Northern District of Alabama agreed. The case was dismissed on Feb. 23 of this year.

The result in Cable One shows that no matter how inflammatory privacy allegations may appear in a complaint, courts will look closely at the factual issues to determine whether the named plaintiffs can pursue the allegations. Green's refusal to permit review of his computer for purposes of determining harm under the CFAA proved costly ' forcing premature (albeit voluntary) dismissal of that claim, as well as of the dismissal of others.

Mortensen v. Bresnan Communications. Defendant's Motion to Dismiss Was Granted in Part. On Feb. 16, 2010, a class-action lawsuit was filed against another ISP in Mortensen v. Bresnan Communications LLC, 1:10-cv-00013 (U.S. District Court, District of Montana). The Mortensen complaint was filed by the same law firm that filed the Green action and contained many of the same allegations. The Mortensen plaintiffs alleged that from early 2008 through June of 2008, defendant Bresnan Communications diverted substantially all of its Internet communications to NebuAd. As in the Green case, the Mortensen plaintiffs alleged that Bresnan modified its network to permit NebuAd to install its “appliance.” The plaintiffs further alleged that NebuAd used the appliance to gather information to create profiles of Bresnan's customers to serve interest-based ads. The plaintiffs also alleged that Bresnan shared revenue with NebuAd and profited from the invasions of privacy. The same four causes of action alleged in the Green case were alleged against Bresnan: 1) invasion of privacy by intrusion upon seclusion; 2) violations of the ECPA; 3) violations of the CFAA; and 4) trespass to chattel.

ECPA Arguments

On April 23, 2010, Bresnan filed a motion to dismiss. First, Bresnan argued that plaintiffs failed to state a claim under ECPA. To prevail on an ECPA claim, the plaintiffs must demonstrate that the defendants intentionally intercepted, or endeavored to intercept, the contents of an electronic communication through the use of a device. See, In re Pharmatrak,Inc., 329 F.3d 9, 18 (1st Cir. 2003). Bresnan argued that it did not use a device to intercept plaintiffs' communications ' NebuAd did ' so Bresnan “cannot be liable for [NebuAd's] interception or use of electronic communications.” Bresnan also argued that its cooperation in installing NebuAd's appliance on its network did not create liability under the ECPA. The Eighth Circuit had previously ruled that “acquiescence in [another]'s plans to [engage in interception] and [] passive knowledge [thereof] are insufficient ” to assign liability to a defendant under the ECPA. Reynolds v. Spears , 93 F.3d 428, 432-33 (8th Cir. 1996) (emphasis added). Bresnan also argued that “[e]ven where someone instructs another to intercept, there lies no ECPA claim, because the ECPA does not have an “aiding or abetting” component. See, “Motion to Dismiss,” at p. 7 (citing Perkins-Carrillo v. Systemax, Inc., 2006 WL 1553957, 15 (N.D.Ga. May 26, 2006)).

In their opposition to Bresnan's motion to dismiss, the Mortensen plaintiffs countered that Bresnan's liability was not limited to “aiding and abetting”:

Inasmuch as Bresnan concedes that it installed the NebuAd device into its network, its interception was intentional. Deployment of the appliance required Bresnan, physically, to take its cables that carried all user Internet traffic, outbound and inbound, and plug them into the appliance.

Plaintiff's opposition (Dkt. 23), at p. 6.

Bresnan also argued that two exceptions to the ECPA applied to its conduct.

First, the ECPA excludes activities that are “a necessary incident to the rendition of [the ISP's] service.” 18 U.S.C. '2511(2)(a)(i) & (c). In its opposition, the Mortensen plaintiffs blasted Bresnan's contention that monitoring of user activity was a “necessary” incident to providing Bresnan's Internet services. In its December 2010 order, the Montana District Court ruled that plaintiffs' allegations “that NebuAd and Bresnan deployed the Appliance on Bresnan's network infrastructure” and Bresnan had “configured” its network to “funnel all User Internet through the Appliance” were sufficient to show violations of the ECPA and were not “necessary” functions of an ISP.

Second, Bresnan argued that the ECPA exclusion of situations where “one of the parties to the communication has given prior consent to such interception” applied. Bresnan contended that it had obtained “consent” to intercept the plaintiffs' communications via three documents: 1)”Bresnan Communications OnLine Privacy Notice”; 2) Bresnan's “OnLine Subscriber Agreement”; and 3) an e-mail notice to users that the NebuAd test was taking place, which also contained instructions for users to opt out.

The Bresnan documents asked users to: “[A]cknowledge[] and agree[] Bresnan [] and its agents shall have the right to monitor ' postings and transmissions, including without limitation ' [W]eb space content.” Bresnan contended, too, that these documents notified subscribers that Bresnan's “equipment automatically collects information on your use of the Service including information on ' the programs and [websites] you review or services you order, the time [] you ' view [them, and] other information about your 'electronic browsing.'” Id.

In addition, the documents disclosed to users that “Bresnan [], its partners, affiliates and advertisers may [] use cookies, and/or small bits of code called 'one pixel gifs' or 'clear gifs' to make cookies more effective.”

For purposes of the ECPA claim, the court agreed with Bresnan that users were notified and provided express consent to the monitoring of their electronic communications. The decision said:

[T]he Court concludes that through the OnLine Subscriber Agreement, the Privacy Notice and the NebuAd link on Bresnan's website, Plaintiffs did know of the interception and through their continued use of Bresnan's Internet Service, they gave or acquiesced their consent to such interception.

Order, Dkt. 30 at p. 12 (citing In re DoubleClick Inc. Privacy Litigation, 154 F.Supp.2d 497, 514 (S.D.N.Y.2001) in support of its ruling).

Bresnan also successfully used the “consent” defense to obtain dismissal of plaintiff's intrusion upon seclusion claim. Relying on Bresnan's online privacy policy, subscriber agreement and disclosure of the NebuAd service via e-mail, the Montana District Court concluded that: “Plaintiffs cannot demonstrate that their expectation of privacy was objectively reasonable.” Dkt. 30 at p. 14.

CFAA Arguments

Bresnan's challenges to the plaintiffs' CFAA claims met greater resistance. To maintain a claim under 18 U.S.C. '1030(a), plaintiffs must show that the defendant: 1) intentionally accessed a computer; 2) accessed that computer without authorization or exceeded authorized access to the computer; 3) obtained or altered information; 4) obtained or altered information that was accessed without authority from a protected computer; and 5) accessed and altered information and that the actions resulted in damage to one or more persons during any one-year period, aggregating costs of at least $5,000. LVRC Holdings LLC v. Brekka , 581 F.3d 1127, 1132 (9th Cir. 2009).

Bresnan argued that the plaintiffs failed to state claims for violations of the CFAA because Brensan had obtained user consent, and therefore insufficient allegations of intentional conduct were present. The plaintiffs countered that any consent provided via the privacy policy was not meaningful, because the opt-out feature permitted users to opt out of receiving NebuAd's targeted advertisements, but would not prevent the collection and accessing of the data. In contrast to its ruling in favor of Bresnan on the consent defense to the ECPA, the Mortensen court determined that there was no user consent for “reversal of their privacy settings” for purposes of the plaintiffs' CFAA claims. The court commented:

For purposes of a 12(b)(6) motion, Plaintiffs have sufficiently alleged that Bresnan's act of tampering with the security and privacy protocols exceeded any authorization that Plaintiffs may have given.

Bresnan also argued that the CFAA claim could not be maintained because the allegations of harm in excess of $5,000 were insufficiently pled. The Montana District Court concluded that the Mortensen plaintiffs' allegations of harm met the requisite pleading standards of the CFAA, “because defendants caused identical cookies to be placed on plaintiff's computers, unbeknownst to them.”

For many of the same reasons, Bresnan's challenge to the plaintiffs' trespass to chattel claim also failed. The Mortensen court ruled that:

Plaintiffs have granted Bresnan conditional access for purposes of monitoring Plaintiffs' electronic transmissions as well as placing “cookies” on Plaintiffs' computers for purposes of tracking [W]eb activity. However, like Plaintiffs' CFAA claim, Bresnan's alleged actions of altering the privacy and security controls on Plaintiffs' computers activity is sufficiently outside of the scope of the use permitted by Plaintiffs. As such, ' Plaintiffs have sufficiently alleged that Bresnan intentionally interfered with the possession of their personal property.

Deering v. Centurytel, Inc. Motion to Dismiss on Grounds of Authorization and Consent Is Pending. On Feb. 11, 2010, the same plaintiffs' law firms that filed the complaint in the Green and Mortensen matters filed a complaint against Centurytel Inc., another commercial ISP.

The case, Deering v. Centurytel, Inc., et al., 1:10-cv-00063 (District of Montana), is a mirror image of the Green and Mortensen class actions. In light of the Montana District Court's dismissal of the ECPA and intrusion upon seclusion counts in the Mortensen class action, Centurytel filed a similar motion to dismiss on Jan. 25, 2011; that motion was pending as of late April.

Like the defendant in the Mortensen case, Centurytel argued that it notified consumers of the possibility of monitoring their activities and sharing data with third-party advertisers through its privacy policy and other customer communications.

Potential Impact on Pending Class Actions

As discussed above, since January of this year until press time, about 20 additional class-action complaints had been filed against numerous companies such as Nordstrom, Metacafe, Phillips Electronics of North America, YouTube, Skype, TV Guide Online Holdings, BuySafe, Pandora Media, E*Trade Financial Corp, C3 Metrics, ShopLocal, Google, Apple, Skechers USA, Reebok International and Amazon ' among many others. Each of these complaints differs from the earlier ISP cases in that direct allegations are made against the website publisher for use of device identifiers, such as Flash, to serve targeted ads. A Flash cookie (or Flash local shared object) is a unique form of data file that is stored on a consumer's computer. Flash cookies are stored in areas of the computer not controlled by the browser, which has provided the impetus for many of the complaints.

Conclusion

The recent decisions in the Green and Mortensen cases are instructive for the pending cases. Emerging as important trends for defendants are motions to dismiss to challenge the named plaintiffs':

• Standing;
• Consent to targeted advertising; and
• Alleged damages under the CFAA.

Also, as CFAA claims proceed to trial, defendants should attempt to argue that they did not intentionally access or track user behavior, because their websites were enabled by vendors and not by the defendant companies themselves.

Also, the dormant-commerce clause might emerge as a defense that defendants use to prevent decisions in one case from creating a de facto national policy regarding behavioral tracking.

Although the state of the law is in progress, 2011 promises to bring decisions that will define the scope and reach of behavioral advertising class actions, and claims under the ECPA and CFAA.

Find Out More

For more about online behavioral advertising and related topics, see the following articles.

1. “Evolving Online Advertising Techniques: Federal Scrutiny Increasing,” in the April 2011 edition of e-Commerce Law & Strategy, at www.ljnonline.com/issues/ljn_ecommerce/27_12/news/155061-1.html.

2. “Privacy and Online Data Collection: At a Crossroads? Several Key Recent Developments Suggest a Move Toward Federal Data-Privacy Legislation,” in the March 2011 edition of Internet Law & Strategy, at www.ljnonline.com/issues/ljn_internetlaw/9_3/news/154918-1.html.

3. “Retargeting Keyword Ads for Potential New Uses,” in the January 2011 edition of LJN's Franchising Business & Law Alert, at www.ljnonline.com/issues/ljn_franchising/17_4/news/154637-1.html.

4. “The 'New and Improved' FTC?: Some Recent FTC Efforts That Could Significantly Affect e-Commerce Law,” in the March 2010 edition of
e-Commerce Law & Strategy, at www.ljnonline.com/issues/ljn_ecommerce/26_11/news/153450-1.html.

5. “FTC Signals Tougher Standard for Online Tracking Disclosures,” in the August 2009 edition of e-Commerce Law & Strategy, at www.ljnonline.com/issues/ljn_ecommerce/26_4/news/152454-1.html.

Dominique Shelton, a partner in the Intellectual Property Department of the Los Angeles office of Wildman Harrold, practices with a focus on complex commercial litigation with a concentration in unfair competition, intellectual property, and antitrust. Shelton also practices law in the areas of advertising, marketing and promotions, and media and entertainment. She can be reached at [email protected].