Consumer privacy regulation and litigation

Consumer privacy regulation and litigation

Federal agencies to regulate directly the collection, use, and disclosure of personal financial information by financial institutions.


Over the past several years, the collection, use, and dissemination of information about individuals by companies and organizations has come under increased scrutiny from regulators, lawmakers, and private plaintiffs. As the Gramm-Leach-Bliley Act of 1999 (GLB Act) and its implementing regulations took effect on July 1,2001, several federal agencies began to regulate directly the collection, use, and disclosure of personal financial information by financial institutions. (1) In addition to the regulatory developments, there have been significant lawsuits and enforcement actions involving privacy issues, including enforcement actions against various Internet-related companies brought by the Federal Trade Commission (FTC) to enforce the Children’s Online Privacy Protection Act (COPPA) and the regulations promulgated thereunder. (2) Indeed, it is likely that there will be an increased emphasis on law enforcement as related to privacy, including through private lawsuits. (3)

This Article summarizes major court decisions, consent decrees, and other resolutions of regulatory enforcement actions and private litigation related to consumer privacy. It is intended to identify and review issues and doctrines that courts and litigants have addressed in the past year. (4) The first part of this Article addresses cases relating to the financial services industry, and the second part of the Article discusses litigation related to the Internet and other economic sectors. Although these two areas are separated for purposes of this Article, the kinds of claims brought in both areas and the fact patterns giving rise to those claims relate to one another, and conscientious lawyers should be cognizant of the privacy issues arising in all industries. (5)



During the first half of 2001, a U.S. district court rendered a decision in a lawsuit filed by Trans Union Inc., a consumer reporting agency, and Individual Reference Services Group, Inc. (IRSG), a nonprofit trade association representing leading information industry companies, which sought to invalidate the regulations promulgated under the GLB Act (7) concerning financial institutions’ obligation to protect the privacy of personal financial information. The GLB Act was intended “to enhance competition in the financial services industry by providing a prudential framework for the affiliation of banks, securities firms, insurance companies, and other financial service providers.” (8) The GLB Act regulates the manner in which banks, insurance companies, and securities firms, as well as other “financial institutions” can collect, use, and disclose personally identifiable financial information.

The plaintiffs’ challenge was leveled against the GLB Act regulations (“Regulations”) promulgated in a joint effort of the defendant administrative agencies: the FTC, the Federal Reserve System Board (FRB), Federal Deposit Insurance Corporation (FDIC), Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS), and the National Credit Union Administration (NCUA). (9)

The core of Trans Union’s business is its database, which is composed of information about consumers and is used to generate credit reports concerning individuals. While the data is collected from tens of thousands of different sources, the main source of information is financial institutions. Trans Union believed its “credit header” products (essentially marketing lists made up of non-credit information derived from its database), targeted marketing products, and aggregate or average data products would be adversely affected by the Regulations. IRSG contended that the GLB Act should not apply to credit header data. The credit header data at issue in the litigation refers to the name, address, social security number, and phone number of the consumer. (10) Trans Union uses such information, occasionally along with information known as “tradeline” information, (11) to offer ancillary products to private companies, as well as governmental entities. For example, Trans Union offers governmental and private entities services that use credit header information to match individuals’ addresses, names, and social security numbers for such purposes as prosecution of financial crimes, fraud prevention, and organ donor identification. Trans Union also offered targeted marketing products that used both credit header and tradeline information to identify consumers who might be interested in specific marketing offers. Trans Union’s aggregate data products, which do not involve disclosure of individual customer information, involve analyses of consumers’ financial characteristics or propensity to purchase goods or services, which analyses are made available to marketing companies.

The court, in rejecting the plaintiffs’ attack on the validity of the Regulations, held that credit header information and credit reporting agencies are covered by the Regulations and that the Regulations are constitutional. (12) Accordingly, applying the doctrine announced in Chevron U.S.A., Inc. v. Natural Resources Defense Council, Inc., (13) the district court granted summary judgment to the defendant administrative agencies. (14)

Non-constitutional Arguments

The first of the plaintiffs’ arguments for invalidating the Regulations was that the definition of “personally identifiable financial information” conflicted with the unambiguous meaning of the statute, and thus the administrative interpretations should not be accorded any deference under the Chevron analysis. (15) The GLB Act requires that “each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.” (16) As defined in the statute, nonpublic personal information is defined as “personally identifiable financial information–(i) provided by a consumer to a financial institution

In the Regulations implementing the privacy provisions of the GLB Act, the agencies defined “nonpublic personal information,” in part, as “personally identifiable financial information.” (19) In turn, “personally identifiable financial information” was defined as information

(i) [a] consumer provides to [a financial institution] to obtain a financial product or service from [a financial institution] consumer resulting from any transaction involving a financial product or service between [a financial institution] and a consumer financial institution] otherwise obtains about a consumer in connection with providing a financial product or service to that consumer. (20)

Essentially, information is considered financial information “if it is requested by a financial institution for the purpose of providing a financial service or product.” (21)

The plaintiffs believed that the identifying information–the content of a credit header–was beyond the definition of “personally identifiable financial information.” The plaintiffs argued that Congress intended to categorize separately identifying information on the one hand and intrinsically financial information on the other, excluding the former and including the latter in the definition of “personally identifiable financial information.” The court held, however, that the meaning of “personally identifiable financial information” is not clear from the GLB Act. (22) Thus, the court turned to the second step of the Chevron analysis and examined whether the definition of “personally identifiable financial information” is a reasonable and permissible construction of the statute. (23) The court concluded that the Regulations are reasonable and consistent with the statutory purpose because they are linked directly to the goal of giving customers of financial institutions control over their personal information. (24)

As part of this same argument, the plaintiffs asserted that the definition of “personally identifiable financial information” is arbitrary and capricious because “there is no rational connection between the facts found by defendants and the choices they made in promulgating the Regulations.” (25) In ruling against the plaintiffs, the court found that the Regulations promote the policy aims of the GLB Act by protecting information that consumers are required to provide in order to obtain financial services. (26)

The second argument put forth by Trans Union was that consumer reporting agencies are not “financial institutions” as defined under the GLB Act, and that Congress intended to give the FTC enforcement, but not rulemaking, authority over these entities. The court held, however, that the GLB Act unambiguously grants rulemaking authority to the FTC over consumer reporting agencies and that they are covered by the Act. (27)

Trans Union’s third argument was that if the general prohibitions of the Regulations were applied to consumer reporting agencies, they would contradict a special exemption within the GLB Act for consumer reporting agencies. Section 502 of the GLB Act generally prohibits financial institutions from disclosing account numbers for marketing purposes, but excepts from such prohibition disclosures of account numbers to consumer reporting agencies. (28) Interpreting this provision in conjunction with the GLB Act’s other requirements, the court concluded that GLB Act section 502(d) provides heightened protection for particularly sensitive nonpublic personal information (i.e., account numbers), but exempts consumer reporting agencies in order to avoid a conflict with the Fair Credit Reporting Act (FCRA). (29) Thus, the court, analyzing the text of the GLB Act itself, held that the plaintiffs’ contentions were incorrect, and concluded that the Regulations merely incorporated the text of the GLB Act itself. (30)

Trans Union’s fourth argument was that the Regulations unlawfully restrict the use and redisclosure of nonpublic personal information that is provided to a consumer reporting agency in accordance with the FCRA. Trans Union argued that its aggregate data products and target marketing lists would be adversely impacted because Trans Union would be required to offer consumers notice and an opportunity to opt out before the aggregation of such data and disclosure of the lists. Turning again to the Chevron analysis, the court upheld the reuse and redisclosure provisions of the Regulations and held that Trans Union’s arguments that consumer reporting agencies should be allowed to reuse information obtained under one of the GLB Act’s exceptions to notice and opt out procedures, if accepted, would contravene the Act’s general policy of granting consumers control over disclosure of nonpublic personal information and would result in an exception to that control swallowing the general rule of the statute. (31)

The plaintiffs also argued that the Regulations violated the plain meaning of the GLB Act’s “savings clause,” which states that the GLB Act should not be construed to modify, limit, or supersede the operation of FCRA. (32) The court held, however, that simply because Congress did not regulate disclosure of credit header information in the FCRA does not mean Congress could not do so in the GLB Act. (33) The court concluded that there is no tension between the restrictions in the GLB Act and the lack of such restrictions in the FCRA, holding that “the two statutes–and the Regulations passed pursuant to them–complement each other.” (34)

Constitutional Claims

Under their constitutional analysis, the plaintiffs first argued that the use and dissemination of credit header information is protected speech under the First Amendment commercial speech doctrine. Applying that doctrine, the court undertook a three-part test to determine if the Regulations survive under the First Amendment. (35) The court held that the privacy interest at stake constitutes a substantial governmental interest, the Regulations clearly advance the interests of the GLB Act, and the restrictions placed on commercial speech by the Regulations are no more extensive than necessary to serve the substantial governmental interest of protecting consumer privacy over personally identifiable financial information. (36)

The court also rejected Trans Union’s arguments that its Fifth Amendment rights to due process and equal protection were violated by the Regulations, holding that the Regulations did not affect Trans Union any differently than any other third party that receives nonpublic personal information from a financial institution and is subject to the Regulation. (37) Furthermore, the court concluded that because both consumer reporting agencies and non-consumer reporting agencies are subject to the same restrictions on information that is equally accessible to both, the Regulations do not violate Trans Union’s right to equal protection. (38)


In an opinion dated June 21, 2001, the U.S. District Court for the District of Minnesota rejected a motion to dismiss that presented, among other issues, the question of whether a state attorney general may bring an action against an entity regulated primarily by the Office of the Comptroller of the Currency. (40)

On January 10, 2001, the Minnesota Attorney General filed an action on behalf of the State of Minnesota against Fleet Mortgage Corporation (“Fleet”), alleging that Fleet provided mortgage account numbers and other detailed financial and personally identifiable information about its Minnesota customers to companies engaged in telemarketing solicitations in violation of various state fraud statutes and the federal telemarketing law. (41) The Minnesota Attorney General alleged that in the three years prior to the filing of the complaint, Fleet, a mortgage servicing company, entered into business relationships with at least six companies that sold membership programs offering discounts on services such as home shopping, health care, and car repair to Fleet customers through telemarketing. The complaint alleged that Fleet had supplied such companies with Fleet customers’ names, addresses, and phone numbers, as well as specific information about their mortgage accounts, including the original loan amount, current loan balance, monthly payment, loan origination date, and loan maturity date. Fleet allegedly determined not only which membership programs would be offered to its mortgagor homeowners, but also the content and details of the programs. In addition, the Minnesota Attorney General alleged that Fleet reviewed and approved the telemarketing scripts that its telemarketing partners used, which scripts offered Fleet customers a “free trial offer” and informed them that if the item was not cancelled within thirty days, a monthly fee would be automatically billed to their mortgage account. In accordance with this sales practice, known as “pre-acquired account telemarketing,” Fleet allegedly retained a percentage of the membership fee and remitted the balance to the marketing companies.

The complaint alleged that, prior to May 1999, Fleet failed to disclose to its customers that it was sharing personal financial data with telemarketing companies. In May 1999, Fleet announced a data privacy policy, which stated that while Fleet would provide unaffiliated companies with customer information if such companies provided a product or service that benefited its customers, it would share only the “minimum amount of information necessary for that company to offer its product or service.” (42) Thus, the Fleet privacy policy allegedly did not reveal either the solicitation efforts of Fleet’s telemarketing partners, or the practice of charging customers’ mortgage accounts allegedly without their consent.

The Minnesota Attorney General asserted that Fleet’s information sharing practices and membership program telemarketing scheme violated the Minnesota Consumer Fraud Act (MCFA)

Fleet moved to dismiss the lawsuit. Concluding that the deceptive practice allegations withstood a challenge under Rule 12(b) of the Federal Rules of Civil Procedure, the district court denied Fleet’s request to dismiss the lawsuit. (48) The court held that despite the fact that Fleet is a subsidiary of a national bank, and is thus regulated directly by the OCC, the fraud and deceptive trade practice claims brought by the Minnesota Attorney General do not directly concern a banking practice, and therefore the OCC could not have exclusive jurisdiction to regulate them. (49)

The court further held that sharing of financial information may fall under the “catch-all” provision of MCFA and UDTPA, even if it is not specifically listed among those practices specifically defined as illegal. (50) Acknowledging that Fleet personnel may not have placed the telemarketing calls involved in marketing products and services to its customers, the allegation that Fleet had approved telemarketing scripts and allowed companies to use its name during telemarketing calls was sufficient to survive a motion to dismiss. (51) Similarly, the court held that Fleet did not have grounds to dismiss claims under the federal Telemarketing Act, because the Minnesota Attorney General had alleged that Fleet had provided “substantial assistance” to companies whose activities were allegedly fraudulent. (52)


Girls Life, Inc.

In April 2001, the operators of three Web sites directed toward children agreed to settle FTC charges that they violated the Children’s Online Privacy Protection Act (COPPA) and the FTC’s COPPA Rule by illegally collecting personal information from the children without parental consent. (53) In general, COPPA and the COPPA Rule prohibit Web site operators from collecting personally identifiable information from children, defined by the statute as individuals under age thirteen, without verifiable parental consent. (54) The Web operators charged were Girls Life, Inc., Monarch Services, Inc.,, Inc., Looksmart Ltd., and an individual operator of one of the Web sites. (55) According to the FTC, the defendants collected personal information from children including their names, home addresses, e-mail addresses, and telephone numbers without first obtaining parental consent. In addition, one defendant was charged with disclosing children’s personal information to third parties without parental consent. According to the complaints, none of the Web sites posted privacy policies that complied with COPPA. (56) The FTC also alleged that one privacy policy falsely stated that children under the age of thirteen could not open an e-mail account without parental consent when, in practice, such restriction was not in place. These three cases were the first civil penalty cases brought by the FTC under COPPA. (57)

The settlements, announced by the FTC on April 19, 2001, require the three site operators to delete all personal information collected from children since April 21, 2000, when COPPA became effective. (58) In addition, the Web sites are required to post a privacy policy that complies with COPPA. (59) One settlement prohibits any fraudulent claims in the Web site’s privacy policy or elsewhere on the site. (60) All three settlements oblige the Web sites to place a clear and prominent hyperlink to the FTC COPPA Web site in their privacy policy, within the direct notice to parents, and at each location on their Web site where personal information is collected. (61) Both Looksmart and BigMailbox also agreed to pay civil penalties in the amount of $35,000 each

* a detailed description of the process by which the Web site registers new e-mail accounts, including a copy of each screen or page that posts or collects registration information

* a copy of the privacy notice for the Web site and for any other Web site operated by the defendant and subject to COPPA

* a detailed description of each place where a privacy notice is located on the Web site and on any other Web site operated by defendant, subject to COPPA, and a copy of each screen or page that collects personal information

* a copy of each privacy notice to parents and a detailed description of when and how the privacy notice is distributed to parents

* a detailed description of how the Web site obtains verifiable parental consent before collecting any personal information or disclosing any parental information to third parties

* a detailed description of how parents can review the personal information collected from their children and refuse to permit further use of such information

* a detailed description of why each type of information collected is reasonably necessary for participation in the Web site’s activities

* a detailed description of the procedures that the Web site uses to protect the confidentiality of the personal information collected from children. (64)

Lisa Frank, Inc.

On October 1, 2001, the FTC filed a consent judgment in the U.S. District Court for the Eastern District of Virginia, settling charges with Lisa Frank, Inc., a manufacturer of girl’s toys and school supplies. (65) In its complaint, filed with the settlement, the FTC alleged that Lisa Frank, Inc., via the Lisa Frank Web site, had violated COPPA and the COPPA Rule. (66) The Lisa Frank Web site was brought to the attention of the FTC by the Children’s Advertising Review Unit (CARU) of the Council of Better Business Bureaus, a self-regulatory body that, among other activities, evaluates Web sites’ compliance with the COPPA Rule. The FTC alleged in its complaint that the Web site is directed to children, as defined by the COPPA Rule. The FTC charged that, after the COPPA Rule became effective in April 2000, the Web site asked girls to register by providing personally identifiable information before they could access portions of the Web site. During the course of the registration, girls were requested to submit their first and last names, street addresses, phone numbers, e-mail addresses, and birth dates, as well as their favorite color and season, and the Web site allegedly did not obtain consent from parents before collecting such information. The complaint further alleged that Lisa Frank, Inc. violated the COPPA Rule by failing to provide notice directly to parents regarding the company’s privacy practices and did not inform parents that the company wanted to collect information from their children and that prior parental consent was required. Additionally, Lisa Frank, Inc. allegedly failed to include required notices in its Web site’s privacy policy stating that a Web site operator may not condition a child’s participation in an activity on the child’s disclosure of more personal information than reasonably necessary to participate in such activity

In the settlement, Lisa Frank, Inc. agreed not to violate the COPPA Rule in the future. (67) In addition, the company agreed to post specific notices on its Web site along with a link to the FTC’s “kidzprivacy” Web page. (68) Further, the company agreed to delete all personal information collected from children in violation of the COPPA Rule, implement certain training to its employees, and file periodic reports to the FTC on the status of its compliance. (69) In addition, the company will pay a civil penalty of $30,000. (70) The settlement agreement is subject to court approval.

In a letter dated May 25, 2001, the FTC notified of the conclusion of its investigation of the Web site and its Alexa Internet subsidiary for fraudulently collecting personal information and Web tracking data from customers in violation of section 5 of the FTC Act. (71)

The FTC commenced the investigation of in response to a request for an investigation by Junkbusters and by the Electronic Privacy Information Center (EPIC). In a letter dated December 4, 2000, the groups asked the FTC to investigate whether misrepresented to customers in its revised privacy policy that it would not disclose their personal information to third parties. (72) had previously submitted to the FTC that it told customers that they could choose not to allow disclosure of personal information to third parties by sending a blank e-mail to “” Junkbusters and EPIC alleged that Amazon misrepresented that customers could permanently stop the disclosure of their personal information by sending this e-mail. The prior policy also stated that Amazon could choose to disclose personal information to “reputable” third parties. The groups pointed to statements in later versions of the privacy policy indicating that Amazon would disclose customer information for fraud protection and credit risk reduction and, in the event Amazon was acquired, customer information would be a transferred asset. Furthermore, Junkbusters and EPIC argued that Amazon’s use of the word “never” was deceptive because Amazon reserved the right to amend its privacy policy at any time regardless of the effect on customer information. In addition to an investigation for violation of section 5 of the FTC Act, Junkbusters and EPIC recommended that Amazon give customers the right to delete their personal information, notify customers who e-mailed about what information it had disclosed about them, and be prohibited from ever disclosing any information about any customers who e-mailed (73)

Although the FTC stated that and its subsidiary Alexa Internet had potentially violated section 5 in the past, the FTC cited three reasons for its decision not to take formal action against the companies. (74) First, the FTC noted that zBubbles, the comparison shopping service that allegedly used to track personal consumer information, was no longer in service. (75) Second, it recognized that Alexa Internet had revised its policy statements on its Web site to describe accurately how and what kind of customer information it collected. (76) Third, the FTC highlighted the preliminary approval of a settlement of a class action lawsuit against and Alexa Internet by the U.S. District Court for the Western District of Washington. (77) The FTC found that the settlement, which required the deletion of previously collected personal information, sufficiently protected Alexa and zBubbles users from fraudulent disclosure of their personal information. (78)

The FTC’s Director of the Bureau of Consumer Protection confirmed the conclusion of the FTC investigation in a letter dated May 24, 2001 to Junkbusters and EPIC, stating “Amazon’s revised privacy policy does not materially conflict with representations Amazon made in its previous privacy policy and it likely did not violate section 5 of the FTC Act.” (79) The FTC staff based its position on assurances by Amazon that it had never disclosed personal information about customers who had e-mailed (80) Furthermore, Amazon assured that it had “never sold, traded, or rented the personal information of any of its customers, even those customers who did not e-mail” and would not do so without notice to its customers and without the option of choosing not to have their information disclosed. (81) The FTC staff concluded that, although subject to differing interpretations, the changes in the privacy policy did not constitute a violation of section 5 of the FTC Act. (82)

Following the FTC announcements, Junkbusters sent another letter to the FTC, disputing the decision not to charge with a violation of section 5 of the FTC Act. (83) Junkbusters asked that “undergo an on-site audit by a competent and independent firm to determine whether its actual past conduct (rather than just its own descriptions of its practices) conformed with the various versions of its privacy policies.” (84) Specifically, Junkbusters questioned the Consumer Protection Bureau’s reliance on Amazon’s assertions without verifiable evidence of compliance with the revised privacy policy. (85) In addition to requesting that the audit be made public, Junkbusters once again recommended that the FTC require Amazon to disclose collected personal information to customers upon request and to delete the personal information if the customers so choose. (86) The FTC has not announced a renewed investigation.

Microsoft Corp.

On July 26,2001, EPIC (spearheading a coalition of like-minded organizations) filed a formal complaint with the FTC, alleging that Microsoft engages in unfair and deceptive trade practices, in violation of section 5 of the FTC Act, regarding the privacy of individuals using its products. (87) The EPIC complaint focused on the Microsoft Windows XP operating system, which is expected to become a prevalent means of access to the Internet for American consumers. Specifically, EPIC claims that the system of Web services Microsoft intends to integrate into the new operating system, known collectively as “.NET” (incorporating components known as “Passport,” “Wallet,” and “Hailstorm”), is designed to track, profile, and monitor millions of Internet users who engage in on-line commerce, and obtain and use their personal information unfairly and deceptively. EPIC requests that the FTC investigate the information collection practices of Microsoft through Passport and associated services, as well as enjoin Microsoft from violating section 5 of the FTC Act.

Microsoft represents that “Microsoft Passport allows consumers to create a single sign-in, registration, and electronic wallet that can be shared between all of the sites that support Microsoft Passport.” (88) In expressing its objections to Windows XP, EPIC asserts that the operating system essentially forces the computer user to employ Passport because once the user starts a computer and uses a modem, a dialog box appears stating that the user needs a “Passport” to use Windows XP Internet communications features (such as instant messaging, voice chat, and video), and to access .NET-enabled features. EPIC also claims that the Windows XP operating system will enable Microsoft to collect, maintain, and disclose personal information associated with electronic commerce transactions to Microsoft partners and others. The Microsoft Passport system allows users to submit personal information such as passwords, birthdays, and anniversaries, so they do not have to re-enter data at different Web sites. EPIC claims that as a result of this Passport feature, Microsoft would become a central storage facility for personal information and that the Passport service is designed to allow Microsoft access to such information and to profile users’ activities for purposes unrelated to the initial transaction. EPIC also asserts that the collection and use of detailed personal information in this manner constitutes an unfair and deceptive trade practice.

In addition, EPIC maintains that Passport will track users of its Hotmail e-mail service as they visit other sites affiliated with Microsoft, and reveal their personal information without notification and without obtaining permission for such use of the information. EPIC states that Hotmail users are required to create Passport accounts, that the Hotmail Web site does not contain an opt-out feature, and that Hotmail users are simultaneously logged in to the Passport system when they login to Hotmail. EPIC claims that unless the users click on a small “Sign-Out” button on the page each time they want to move to a different MSN site, Passport will track Hotmail users as they visit other MSN sites and provide their personal information to the operators of those sites.

Another feature of Windows XP, Hailstorm, is a software-based services initiative that can transfer personal information contained in the Microsoft Passport, as well as other information, across any operating system, platform, or device. According to the EPIC complaint, Microsoft represents that, when using Hailstorm, the user owns the information that he or she enters into Passport and controls the use of that information. EPIC, however, asserts that Microsoft, in operating Hailstorm as a business, plans to charge consumers to transmit this large amount of individually identifiable information, as well as charge recipients to use such information. EPIC claims that Microsoft will give consumers the “right” to buy a limited level of “control” over the use of their own personal information outside of Microsoft, although EPIC asserts that, in fact, the consumer has no legitimate control over the use of that information within Microsoft.

The EPIC claims were updated on August 15, 2001. (89) The amended assertions added concerns about children’s privacy, security of personal information maintained by Microsoft, as well as the accessibility of such information to computer users and obstacles to users’ ability to delete information already in Microsoft’s files. As of the preparation of this Article, and despite a follow-up letter from EPIC, (90) the FTC has not yet taken any public actions concerning privacy against Microsoft or its products.


eGames, Inc.

In September 2000, Michigan Attorney General Jennifer Granholm issued a Notice of Intended Action under the Michigan Consumer Protection Act, (91) alleging privacy related violations. (92) eGames is a national distributor of personal computer games, offering software for download, purchase on its Web site, and sale in CD-ROM format at retailers. (93) The Michigan Attorney General alleged that eGames failed to adequately disclose to consumers the existence of a “spyware” program embedded in its software that enabled Conducent, Inc., a third-party advertising company, to interact surreptitiously with eGames’ customers’ computers via the Internet when they used eGames products. In addition, the Michigan Attorney General alleged that eGames failed to disclose to users of its Web site that eGames allowed additional third parties to monitor consumers’ browsing behavior.

In January 2001, the Michigan Attorney General entered into an Assurance of Discontinuance with eGames. (94) Without admitting to any violation of law, eGames agreed to:

* post a privacy policy on its Web site that clearly, conspicuously, and completely discloses all material facts concerning the collection, retention, and use of Personally Identifiable Information (PII) such as a user’s name, address, e-mail address, social security number, and credit card information by eGames and any affiliated third parties

* clearly and conspicuously place a hyperlink to the privacy policy on the first screen a user views on the eGames home page, as well as at the top or bottom of every eGames Web page

* collect no data from consumers, whether PII or non-PII, in an undisclosed manner or in a manner inconsistent with the representations made in the privacy policy

* remove all Conducent software from eGames products within two weeks to three months, depending on the type of the product

* immediately develop a software patch enabling eGames software users to remove Conducent software from their system, and make the patch conspicuously available for download on its Web site within two weeks. The Michigan Attorney General’s Web site may link to the patch, providing it discloses that the patch will only work on eGames products

* not collect PII from consumers unless and until the consumer has had a meaningful opportunity to review the privacy policy and has affirmatively consented to collection of the PII

* not engage in, or advocate a position that could result in the treatment of data from consumers, whether PII or non-PII, in a manner inconsistent with the privacy policy representations should eGames file for bankruptcy, unless otherwise ordered to do so by a court. (95)

In re Stockpoint, Inc.

On June 12, 2000, the Michigan Attorney General issued Notices of Intended Action to four separate Internet-related companies, alleging that their privacy practices violated Michigan’s deceptive trade practices laws in that third parties obtained consumer information through their Web sites without the knowledge of their consumers. (96)

Stockpoint, Inc., through its Web site at, offers free investment information and delayed stock quotes to investors. According to the Michigan Attorney General’s notice, users were encouraged to submit personal information to the Web site, such as age range, gender, and e-mail address and to store stock portfolios on-line. Various third-party on-line advertising agencies, such as Adforce, Inc. and DoubleClick, Inc., delivered banner ads for the Stockpoint Web site. These agencies also monitored Stockpoint visitors’ browsing behavior across Web sites and over time through the use of small text files known as “cookies,” (97) although consumers were allegedly not made aware that such cookies were being stored on their hard drives.

The Michigan Attorney General alleged that Stockpoint’s failure to post a privacy policy, particularly where personal information is collected and third parties are exchanging cookie information with visitors’ browsers, is a material omission constituting a deceptive act or practice under Michigan law. (98) Accordingly, although a consumer may expect a Web site they have chosen to visit to interact with their computer, most consumers would not expect a third party with whom the user has not chosen to establish an on-line relationship to place a cookie on their computer. This failure to disclose a material fact allegedly violated the Michigan Consumer Protection Act by allowing third parties to interact with computers of consumers who visit without the knowledge, consent, or authorization of the consumers.

In re Ortho Biotech, Inc.

Ortho Biotech, Inc., a wholly-owned subsidiary of Johnson & Johnson, Inc., operates the Web site which markets Procrit, a drug used in the treatment of patients with anemia associated with AZT treatment of HIV-infected patients, early kidney disease patients not yet on dialysis, and patients undergoing cancer chemotherapy. (99) The Web site offers information about the drug and the diseases, the symptoms of which it is designed to treat and contains prominent links to pages devoted to the targeted diseases.

Some of Procrit’s HIV/AIDS, cancer, and early kidney disease pages contain a “web bug” that directs the consumers’ browsers to interact with DoubleClick, Inc., an on-line service provider, allowing DoubleClick to place or retrieve a cookie on the visitors’ hard drives. The Michigan Attorney General noted that a link to’s “Legal Disclaimer” was located at the bottom of the page, and only from the disclaimer is there a link to the “Internet Privacy Policy.” The privacy policy is not listed on the sitemap, and neither the disclaimer nor the privacy policy discloses the fact that a third party can place a cookie on the consumers’ hard drive to monitor their movement around the Web site. Given the highly personal and sensitive information involved, the Michigan Attorney General believed that Procrit’s disclosures were insufficient. Ortho Biotech allegedly violated the Michigan Consumer Protection Act by allowing DoubleClick to interact with the computers of visitors to without the knowledge, consent, or authorization of the consumers.

In re, Inc. operates a Web site that markets baby products. (100) allowed various third party on-line advertising companies, such as DoubleClick, Inc. and Matchlogic, to place cookies on consumers’ hard drives, which enabled the third parties to track the Web browsing behavior of consumers. The source code for the Web site directed consumers’ browsers to request a tiny graphic file, or “web bug,” (101) that allowed the third parties to track consumer navigation of the World Wide Web. The Web site contained no visible indication or disclosure that consumers’ computers would be interacting with third parties. The “Privacy and Security Policy” refers only to cookies used by, which the Attorney General alleged was also misleading in that it said the cookies were “temporary,” despite the approximately thirty-year duration of some of the cookies. Further, the policy instructs consumers to turn on the cookie option on their browser, forcing consumers to accept cookies unknowingly from all sites seeking to place them.

The Michigan Attorney General alleged that Americasbabycom’s privacy policy failed to inform consumers of material facts about the use of cookies in general and also failed to disclose the exchange of cookie information with third parties in violation of the Michigan Consumer Protection Act.

In re Intimate Friends Network

WebPower Inc. and Intimate Friends Network run an adult-oriented Web site, doing business as and Internet Friends Network (collectively IFN). (102) In order to help direct traffic to its Web site, IFN uses banner ads at popular search engine Web sites, such as Yahoo! and Altavista. When users of the search engines type in “sex” (and possibly other related words) as a search term, the resulting page containing the results of the search also includes a banner ad for IFN, served by DoubleClick, Inc. When a consumer clicks on the banner ad, their browser is directed to Once at the IFN Web site, a “web bug” embedded in the source code of the page allows DoubleClick to access cookies that it had previously placed on the consumer’s hard drive, enabling DoubleClick to compile a profile of the consumer’s browsing behavior.

IFN’s privacy policy, which the Michigan Attorney General claims is not prominently displayed on the Web site, discusses only cookies set by IFN, not those placed or read by third parties. The “Terms of Service” also includes additional information about IFN’s privacy policy, but the Attorney General alleges that neither statement is likely to be seen by visitors entering the site from Yahoo! or Altavista before users access pages on which DoubleClick Web bugs are present. In addition to being inaccessible, the Michigan Attorney General believes that IFN’s disclosures are insufficient, as they fail to disclose the material fact that code on certain of IFN’s pages allows DoubleClick to track consumers’ browsing behavior over time and across Web sites. The Michigan Attorney General alleged that IFN had violated the Michigan Consumer Protection Act by permitting DoubleClick to interact with computers of consumers through the use of cookies without the consumers’ knowledge, consent, or authorization.


Supnick v., Inc.

Several plaintiffs filed a series of lawsuits against, Inc. (“Amazon”) and its wholly-owned subsidiary, Alexa Internet, Inc. (“Alexa”) arising out of software created by Alexa and distributed by Amazon. (103) The lawsuits were consolidated and certified to proceed as a class action on May 4, 2000. (104) Alexa software is designed to enable more efficient navigation of the World Wide Web. The software maintains records of the Web sites visited by its users, and based on usage patterns, suggests related links that users might like to visit. The address of each page the user visited is transmitted back to the defendants’ computers in the form of a Uniform Resource Locator (URL). (105) Alexa’s URL-based tracking system, however, allegedly allows defendants to gather more information than just the “paths” that a user takes through the Web. Through the Alexa software, personal information such as the software user’s home address, information concerning on-line purchases, including credit card information, and the software user’s confidential Web site identification number and/or site passwords, is allegedly transmitted back to the defendants without the users’ informed authorization or consent. In addition, Alexa software is allegedly designed to enable defendants to manipulate the software to intercept and acquire information on a particular Web page, whether or not that page is secure.

Plaintiffs are Alexa users who were allegedly affected by defendants’ practice of obtaining personal information from users without their knowledge, authorization, or consent. They claim that the Alexa software allowed Alexa and Amazon to intercept and access users’ personal information in violation of their privacy rights. Specifically, plaintiffs allege violations of the Electronic Communications Privacy Act (ECPA)

The parties agreed to settle the actions subject to court approval and other terms and conditions. On April 19, 2001, the U.S. District Court for the Western District of Washington preliminarily approved the terms of the following proposed settlement of the consolidated class action lawsuits:

* Alexa will destroy certain previously collected personal information so as to minimize, if not eliminate, the possibility of defendants linking such information to an individual consumer’s personally identifiable information

* Alexa will modify certain aspects of its notifications to users about its data use and collection practices and communication of choice to participate in such a process

* Defendants will administer a claim process whereby defendants will investigate whether, for each person who submits a timely claim, Alexa obtained through that person’s use of Alexa’s Web Browsing Software information about such class member that matches information provided in that person’s claim, and pay each class member from whom such information was collected the lesser of forty dollars or their pro rata share of $1.9 million and delete certain matched data upon request

* Defendants will pay $100,000, plus the difference between what it pays in claims to individual class members and $1.9 million to a fund that will be used to make grants to university-based programs concerned with Internet public policy issues or other non-profit consumer organizations

* Defendants will pay the attorneys representing the class $1.9 million for legal fees and reimbursement of expenses. (108)

The court scheduled a fairness hearing for July 27, 2001 and on that date approved the settlement and dismissed the action. (109)

In re DoubleClick, Inc. Privacy Litigation (110)

DoubleClick, Inc., the world’s largest provider of Internet advertising products and services, has faced several legal actions concerning whether its business practices violate computer users’ privacy rights. Through its technology, DoubleClick compiles and analyzes information about Internet users in order to offer its clients targeted on-line advertising. DoubleClick obtains such information, in part, by placing a “cookie” (111) on the hard drives of user (112) who access a DoubleClick-affiliated Web site. When the user subsequently accesses other DoubleClick-affiliated Web sites, DoubleClick’s technology uses the compiled information to determine which advertisements should appear for the user on the Web site. For example, if the information gathered through a cookie indicates that the user has frequented golf Web sites and has made several expensive on-line purchases, DoubleClick might place an advertisement for a Web site that sells golf clubs.

DoubleClick’s business practices prompted the filing of several lawsuits throughout the country, including class action suits consolidated in the U.S. District Court for the Southern District of New York in January 2000. (113) In In re DoubleClick, Inc., the plaintiffs raised three federal statutory law claims as well as state law claims for common law invasion of privacy, unjust enrichment, trespass to property, and statutory violations. (114) The plaintiffs alleged that the information compiled by DoubleClick included individuals’ names, e-mail addresses, home and business addresses, telephone numbers, searches performed on-line, and Web sites visited. The plaintiffs further alleged that DoubleClick planned to combine its database of on-line profiles with a database of personal profiles maintained by Abacus Direct Corp. to create a merged database matching users’ on-line activities with their names and addresses. (115)

In granting DoubleClick’s motion to dismiss pursuant to Rule 12(b)(6), the court considered each of the plaintiffs’ three federal claims. The plaintiffs first alleged a violation of Title II of the ECPA, (116) which generally seeks to prevent computer hackers from obtaining, altering, or destroying certain stored electronic communications. Title II specifically provides for criminal sanctions and a private right of action against persons who, without authorization, access communications facilities and thereby also access stored electronic communications. (117) The plaintiffs claimed that DoubleClick’s placement of cookies on plaintiffs’ hard drives constituted unauthorized access. The court, however, held that DoubleClick’s conduct fell within an exception to Title II’s general prohibition, whereby the prohibition does not apply to interceptions “authorized” by a “user” of the electronic communications service “with respect to a communication of or intended for that user.” (118) In reaching that conclusion, the court determined that “users” are not limited to individuals and therefore that DoubleClick-affiliated Web sites are “users” under the exception. (119) Moreover, the court determined that the Web sites authorized DoubleClick’s interceptions of the plaintiffs’ electronic communications, stating it is “implausible to infer that the Web sites have not authorized DoubleClick’s access. In a practical sense, the very reason clients hire DoubleClick is to target advertisements based on users’ demographic profiles.” (120)

As their second claim, the plaintiffs argued that DoubleClick had violated the Federal Wiretap Act, (121) which provides for criminal punishment and a private right of action against any person who “intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication [except as provided in the statute].” (122) DoubleClick again relied on a statutory exception, which allows for interception when the communication is intercepted by a person who is a party to the communication or when one of the parties to the communication has given prior consent to interception. (123) The exception applies so long as the communication is not intercepted for the purpose of committing any criminal or tortious act. (124) In holding that DoubleClick’s business practices fell within the exception, the court first determined that the DoubleClick-affiliated Web sites were clearly one of the parties to the communications from plaintiffs, and that the Web sites had given prior consent to interception, just as they had given “authorization” under the ECPA. (125) The court then determined that DoubleClick’s motivation for intercepting the communications was not to commit a criminal or tortious act. (126) Even had DoubleClick, in fact, committed criminal or tortious conduct, as the plaintiffs alleged, the plaintiffs did not establish that DoubleClick intended to commit such conduct. (127) Absent evidence of such intent, which the plaintiffs failed to show, the plaintiffs could not prevail on the claim. (128)

The plaintiffs alleged a final federal claim under the Computer Fraud and Abuse Act, (129) which provides that anyone who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains … information from any protected computer if the conduct involved an interstate or foreign communication … shall be punished.” (130) The Computer Fraud and Abuse Act also provides a civil right of action for “[a]ny person who suffers damage or loss by reason of a violation” of the Act. (131) Damages recoverable under such a civil action are limited to economic damages, including “any impairment to the integrity or availability of data, a program, a system, or information … that causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals.” (132) Applying these provisions to the plaintiffs’ claim, the court held that the plaintiffs failed to meet the minimum statutory damage amount. (133) In reaching its conclusion, the court first rejected the plaintiffs’ argument that “loss,” which the plaintiffs claimed they had suffered, is distinct from “damage” and therefore not subject to the $5,000 statutory minimum. (134) The terms, according to the court, are interchangeable and thus both subject to the statutory minimum. (135) The court next rejected the plaintiffs’ argument that damages should be aggregated across all plaintiffs and all of DoubleClick’s acts for any given year. (136) Because the statute is phrased in the singular, the court reasoned, it can only apply to single acts, thus prohibiting aggregation. (137) Finally, the court rejected the plaintiffs’ claim that their damages should be measured by the cost in remedying their computers and by the economic value of the plaintiffs’ demographic information and their attention to DoubleClick’s ads. (138) The plaintiffs faced no cost to remedy, the court stated, because DoubleClick had provided an easy and free means on its Web site to deactivate cookies. (139) Moreover, the plaintiffs suffered no economic loss when their demographic information was used or when their attention was drawn to DoubleClick’s ads. (140)

In concluding that all of the plaintiffs’ federal claims failed, the court emphasized that Congress had specific purposes in mind when passing each of the three statutes at issue and that the plaintiffs’ claims did not fall under those purposes. (141) The court stated: “Where Congress appears to have drawn the parameters of its regulation carefully and is actively engaged in the subject matter, we will not stray from its evident intent.” (142) Because the court dismissed all of the plaintiffs’ federal claims, it declined to exercise supplemental jurisdiction over the remaining state law claims and thus dismissed those as well. (143) The plaintiffs have appealed the decision. (144)

Although the federal cases consolidated in the U.S. District Court for the Southern District of New York have been dismissed, DoubleClick was left to face legal hurdles in several state court actions, most notably in California. (145) In early June, a California Superior Court judge denied DoubleClick’s motion to dismiss four state class action suits filed against the company in that state. The complaint upheld by the court raises several state common law and statutory claims, including alleged violations of consumers’ rights to privacy under the California Constitution and of provisions of California’s penal code concerning illegal eavesdropping on communications. (146) The suit also alleges that DoubleClick was unjustly enriched at Internet users’ expense and that DoubleClick’s practices violate California’s state consumer protection act. (147)

In addition to private litigation, DoubleClick faced an investigation by the FTC, which was closed in January 2001. (148) In a letter to DoubleClick’s counsel, the FTC staff concluded that DoubleClick had never used or disclosed consumers’ personal information for purposes other than those disclosed in DoubleClick’s privacy policy. (149) Such use or disclosure would have violated section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices. (150) The FTC staff specifically investigated whether DoubleClick ever combined personal information from Abacus Direct, the direct-marketing services company that DoubleClick purchased in June 1999, with information that DoubleClick had compiled. The staff also inquired into whether DoubleClick ever used or disclosed sensitive information about consumers in contravention of its privacy policy. Finding no evidence of any such conduct, the FTC closed the investigation. The FTC staff also endorsed DoubleClick’s ongoing efforts to enhance its privacy policy, the most recent version of which was released in June 2001. (151)

City of Kirkland v. Sheehan (152)

The regulation of the use of social security numbers has recently arisen as an issue in the context of consumer privacy. (153) In March 2001, the city of Kirkland, Washington filed a lawsuit alleging invasion of privacy against the operators of a Web site that posted content critical of local law enforcement personnel. The Web site contained the names, addresses, telephone numbers, birthdates, and social security numbers of local police officers in addition to their spouses’ names and personal information about other relatives. The site listed information concerning Kirkland police officers as well as police officers in fifteen other jurisdictions. (154) Kirkland filed a motion for preliminary and permanent injunctive relief prohibiting the publication of all of the personal information on the lists. It argued that the Web site was causing the police officers and their families continuing stress and security expenses. In response, the defendants asserted that their activities were protected by the First Amendment.

On May 5, 2001, the King County Superior Court granted Kirkland’s motion for injunctive relief as to the social security numbers and ordered the defendants to remove all of the social security numbers from the Web site. (155) In its memorandum ruling, the court emphasized that the issue presented by the motion was not whether the defendants had lawful prior access to the information, but whether the plaintiffs, by asserting a privacy interest m the information, could stop the “dissemination” of any or all personal information accessed by plaintiffs. (156) The court found that the content of the Web site was political speech and, therefore, was subject to First Amendment protection. (157) It noted that the publication of legally obtained telephone numbers and addresses could promote political speech by, for example, facilitating the picketing of homes or workplaces. (158) The publication of social security numbers, however, did not serve a similar political purpose. The court found that the government and individuals had a compelling interest in keeping social security numbers private because access to social security numbers facilitates the fraudulent use of an individual’s personal information. (159) The court also noted that the defendants conceded on the Web site that some may find their listings to be an invasion of privacy. (160) The police officers had not waived their privacy rights as to any of the published information. (161) Thus, the court found a compelling privacy interest in social security numbers sufficient to preclude their publication on the site. (162)

Kirkland’s lawsuit named William Sheehan, the network engineer who provided the server space for the Web site, as the primary defendant. (163) In June 2001, William and Roberta Sheehan filed a third-party complaint against Yahoo!, Infospace,, and US (164) The Sheehans alleged that the third-party defendants operated or maintained Web sites that provided personal information about employees of the city of Kirkland and their families, including their names, addresses, telephone numbers, and social security numbers. The Sheehans also asserted that the third-party defendants provided commercial access to the personal information either for free or for a nominal fee. In addition to contributory damages and indemnification, the Sheehans sought a declaratory judgement ordering that their First Amendment rights to publish the personal information be equal to or greater than those of the third-party defendants. Furthermore, the third-party complaint requested that any injunctive relief granted to plaintiffs apply equally, without exception, to all parties under the court’s jurisdiction, including third-party defendants. Judgment on the third-party complaint is pending.


If one thing seems likely in the uncertain world of privacy, it is that private lawsuits and governmental enforcement actions will continue to be filed against companies engaged in information practices that businesses may view as innovative or beneficial to consumers, but which may be regarded by regulators and privacy advocates as violating individuals’ expectations and rights. As privacy laws change and as courts hear regulators’ and private plaintiffs’ challenges, a body of law will continue to evolve.

(1.) Pub. L. No. 106-102, 113 Stat. 1338 (1999) (codified in scattered sections of 12 and 15 U.S.C.)

(2.) Children’s Online Privacy Protection Act of 1998, 15 U.S.C. [subsection] 6501-6506 (2000)

(3.) See, e.g., FTC Chairman Timothy J. Muris, Protecting Consumers’ Privacy: 2002 and Beyond, Remarks at Privacy 2001 Conference (Oct. 4, 2001), available at privisp1002.htm.

(4.) Of course, this Article can discuss only those events that have occurred as of the time of its preparation (November 2001).

(5.) The law in this field changes rapidly, and although this Article should not be considered a comprehensive list of all privacy cases or possible claims, it discusses important examples of recent litigation in the privacy area. This Article is intended as a general informative guide for practitioners possessing familiarity and experience with litigation and the laws discussed herein.

(6.) 145 F. Supp. 2d 6 (D.D.C. 2001).

(7.) This is the commonly known name for the Federal Financial Modernization Act, which was signed into law by President Clinton in November 1999.

(8.) See Individual Reference Servs., 145 F. Supp. 2d at 17 (citing H.R. CONF. REP. NO. 106-434, at 151 (1999), reprinted in 1999 U.S.C.C.A.N. 245).

(9.) See 12 C.F.R. [section] 30 (2001)

(10.) Individual Reference Servs., 145 F. Supp. 2d at 14.

(11.) Tradeline information consists of descriptions of a consumer’s account and payment history. See id.

(12.) See id. at 46.

(13.) 467 U.S. 837 (1984).

(14.) Individual Reference Servs., 145 F. Supp. 2d at 23, 46.

(15.) See id. at 23.

(16.) Id. at 18 (citing 15 U.S.C. [section] 6801).

(17.) Id. at 19 (citing 15 U.S.C. [section] 6809(4)),

(18.) See id.

(19.) See id. at 21 (citing 16 C.F.R. [section] 313.3(n)(1)(i)).

(20.) See id. at 22 (citing 16 C.F.R. [section] 313.3(o)(1)).

(21.) See id. (citing Final Rule, Federal Trade Commission, Privacy of Consumer Financial Information, 65 Fed. Reg. 33,646, 33,658 (May 24, 2000))

(22.) Individual Reference Servs., 145 F. Supp. 2d at 28.

(23.) See id. at 29.

(24.) See id. at 30.

(25.) Id. at 31.

(26.) See id.

(27.) See id.

(28.) See id.

(29.) See id. at 33-34

(30.) See Individual Reference Servs., 145 F. Supp. 2d at 34.

(31.) See id. at 33-39.

(32.) GLB Act, 15 U.S.C. [section] 6806 (2000).

(33.) See Individual Reference Servs., 145 F. Supp. 2d at 37-38.

(34.) Id. at 38.

(35.) See id. at 41.

(36.) See id. at 43-44.

(37.) See id. at 45-46.

(38.) See id. at 46.

(39.) Minnesota v. Fleet Mortgage Corp., Civ. No. 01-48 ADM/AJB (D. Minn. June 19, 2001), available at [hereinafter Memorandum Opinion Fleet Mortgage Corp.]

(40.) Id.

(41.) See generally Attorney General’s Complaint, Minnesota v. Fleet Mortgage Corp., Civ. No. 0148 ADM/AJB (D. Minn. June 19, 2001) (filed Dec. 28, 2000) [hereinafter Fleet Mortgage Corp. Complaint], available at

(42.) See id. [paragraph] 19.

(43.) MINN. STAT. [section] 325F.69(1) (1995).

(44.) Id. [section] 325D.44(1).

(45.) Id. [section] 325F.67.

(46.) 15 U.S.C. [subsection] 6101-6108 (2001).

(47.) See Fleet Mortgage Corp. Complaint, supra note 41, [paragraphs] 56-58.

(48.) See Memorandum Opinion Fleet Mortgage Corp., supra note 39, at 1.

(49.) See id. at 4.

(50.) See id. at 5.

(51.) See id. at 7.

(52.) See id. at 8.

(53.) See Press Release, Federal Trade Commission, FTC Announces Settlements with Web Sites That Collected Children’s Personal Data Without Parental Permission (Apr. 19, 2001), available at http:// [hereinafter COPPA Press Release]. The FTC also charged the three defendants with collecting from children more personal information than was necessary for participation in the Web sites’ activities, in violation of COPPA. See id.

(54.) See id.

(55.) See id.

(56.) See Complaint, United States v. Looksmart Ltd., Civil Action No. 01-606-A (E.D. Va. 2001), available at

(57.) See COPPA Press Release, supra note 53.

(58.) See Consent Decree and Order, United States v. Looksmart Ltd., Civil Action No. 01-606-A (E.D. Va. filed Apr. 2001), available at [hereinafter Looksmart Agreement]

(59.) See Looksmart Agreement, supra note 58, [paragraph] 7

(60.) See Bigmailbox Agreement, supra note 58, [paragraph] 7.

(61.) The text of the hyperlink is prescribed as follows: “NOTICE Visit for more information from the Federal Trade Commission about protecting children’s online privacy.” See Looksmart Agreement, supra note 58, [paragraph] 6

(62.) See Looksmart Agreement, supra note 58, [paragraph] 8

(63.) See Looksmart Agreement, supra note 58, [paragraph] 14

(64.) See Bigmailbox Agreement, supra note 58, [paragraphs] 6-8.

(65.) See Press Release, Federal Trade Commission, Web Site Targeting Girls Settles FTC Privacy Charges (Oct. 2, 2001), available at

(66.) See generally Complaint, United States v. Lisa Frank, Inc. (E.D. Va. Oct. 1, 2001), available at

(67.) See Consent Decree and Order, United States v. Lisa Frank, Inc. (E.D. Va. filed Oct. 1, 2001), available at

(68.) See id. [paragraph] 8.

(69.) See id. [paragraphs] 12-16.

(70.) See id. [paragraph] 9.

(71.) Letter from C. Lee Peeler, Associate Director, Division of Advertising Practices, Federal Trade Commission, to David A. Zapolsky, Associate General Counsel, and Barry J. Reingold, Perkins Coie LLP (May 25, 2001), available at [hereinafter FTC Letter].

(72.) Letter from Jason Catlett, President, Junkbusters Corp., and Marc Rotenberg, Executive Director, Electronic Privacy Information Center to Jodie Z. Bernstein, Director, Bureau of Consumers Protection, Federal Trade Commission (Dec. 4, 2000), available at amazon.html.

(73.) See id. [paragraphs] 17-19.

(74.) See FTC letter, supra note 71.

(75.) See id.

(76.) See id.

(77.) See id.

(78.) See FTC letter, supra note 71.

(79.) Letter from Jodie Z. Bernstein, Director, Bureau of Consumer Protection, Federal Trade Commission, to Jason Catlett, President, Junkbusters Corp., and Marc Rotenberg, Executive Director, Electronic Privacy Information Center (May 24, 2001), available at amazonletter.htm.

(80.) See id.

(81.) Id.

(82.) See id.

(83.) Letter from Jason Catlett, President, Junkbusters Corp. to Timothy Muris, Chairman, Federal Trade Commission (May 30, 2001), available at

(84.) Id.

(85.) See id.

(86.) See id.

(87.) See Complaint, In re Microsoft Corp., F.T.C., [paragraph] 2 (July 26, 2001), available at http:// [hereinafter EPIC Complaint]

(88.) See EPIC Complaint, supra note 87, [paragraph] 34.

(89.) Supplemental Materials in Support of Pending Complaint and Request for Injunction, Request for Investigation and for Other Relief, In re Microsoft Corp., available at consumer/MS_complaint2.pdf.

(90.) Coalition Letter to FTC on Windows XP and Passport (Oct. 23, 2001), available at http://

(91) MICH. COMP. LAWS [subsection] 445.901-.922 (1989 & Supp. 2001).

(92.) See Press Release of Michigan Attorney General Jennifer Granholm (Jan. 10, 2001), available at

(93.) See id.

(94.) See Assurance of Discontinuance, In re eGames, Inc. (Jan. 10, 2001), available at http://

(95.) An initial form of the privacy policy was attached as an exhibit to the Assurance of Discontinuance.

(96.) See Will Rodger, Sites Targeted for Privacy Violations (June 13, 2000), available at http:// www.usatodaycom/life/cyber/tech/ct1085.htm

(97.) Cookies are small text files holding pieces of information that Web sites can transfer to an individual’s hard drive. The cookie can then transmit information back to the server that placed it.

(98.) See Notice of Intended Action, In re Stockpoint, Inc. (June 12, 2000), available at http://

(99.) See Notice of Intended Action, In re Ortho Biotech, Inc. (June 12, 2000), available at http://

(100.) See Notice of Intended Action, In re Americasbaby.Com, Inc. (June 12, 2000), available at

(101.) A “web bug” is a tiny graphic, the size of one pixel, that is essentially invisible and which causes consumers’ browsers to exchange information with a third party, including cookie information.

(102.) See Notice of Intended Action, In re Intimate Friends Network (June 12, 2000), available at

(103.) See Complaint, Supnick v., Inc., No. COO-0221-P (W.D. Wash. June 20, 2000), available at

(104.) See Official Court Notice of Class Certification and Proposed Settlement of Class Action, Supnick v., Inc. (W.D. Wash. Apr. 19, 2001), available at settlement/notice/html [hereinafter Official Class Certification and Proposed Settlement Notice].

(105.) Id.

(106.) 18 U.S.C. [section] 2510 (2000).

(107.) Id. [section] 2701.

(108.) Official Class Certification and Proposed Settlement Notice, supra note 104.

(109.) Supnick v., Inc., No. COO-0221-P (W.D. Wash. July 27, 2001), available at

(110.) 154 F. Supp. 2d 497 (S.D.N.Y. 2001).

(111.) Cookies are computer programs used by Web sites to store information such as usernames, passwords, and preferences. Id. Cookies store this information on users’ hard drives until DoubleClick electronically accesses the cookies and uploads it. Id. at 503.

(112.) The term “user” actually refers to a particular computer, not to a particular person. As such, DoubleClick tracks information of a particular computer’s activity, regardless of who is actually using the computer. Id. at 502.

(113.) The suit was consolidated with other similar cases filed in the Southern and Eastern Districts of New York. Two additional cases, Steinbeck v. DoubleClick, 00 Civ. 5705, C.A., N.O. 8:00-98 (C.D. Cal.) and Freedman v. DoubleClick, 00 Civ. 7194, 2:00-1559 (E.D. La.), were also later transferred to the Southern District of New York in 2000. DoubleClick, 154 F. Supp. 2d at 500.

(114.) The class-action plaintiffs were defined as “`[a]ll persons who, since 1/1/96, have had information about them gathered by DoubleClick as a result of viewing any DoubleClick products or services on the Internet or who have had DoubleClick “cookies,” as defined below, placed upon their computers.'” Id. at 500 n. 1 (quoting Plaintiffs’ May 26, 2000, Amended Complaint). The plaintiffs sought injunctive and monetary relief.

(115.) In June 1999, DoubleClick had purchased Abacus Direct, a direct-marketing services company that kept a database of names, addresses, telephone numbers, shopping habits and other personal information on approximately ninety percent of American households, a database which it sold to direct marketing companies. Id. at 505.

(116.) 18 U.S.C. [section] 2701 (1994 & Supp. V 1999).

(117.) Id. [section] 2701(a). Title II specifically states in relevant part:

Except as provided in subsection (c) of this section whoever–(1) intentionally accesses without authorization a facility through which an electronic communication service is provided an authorization to access that facility a wire or electronic communication while it is in electronic storage in such system shall be punished….


(118.) Id. [section] 2701(c). The exception provides: “Subsection (a) of this section does not apply with respect to conduct authorized … (2) by a user of that [wire or electronic communications] service with respect to a communication of or intended for that user.” Id.

(119.) DoubleClick, 154 F. Supp. 2d at 509. The ECPA defines a “user” as “any person or entity.” 18 U.S.C. [section] 2510(13).

(120.) DoubleClick, 154 F. Supp. 2d at 510. The court also concluded that some of the plaintiffs’ communications fell outside the scope of Title II altogether. Id. at 511.

(121.) 18 U.S.C. [section] 2510 (1994 & Supp. V 1999).

(122.) Id. [section] 2511(1)(a).

(123.) Id. [section] 2511(2)(d). The exception specifically provides:

It shall not be unlawful under this chapter for a person not acting under color of law to intercept a wire, oral, or electronic communication where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception unless such communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.


(124.) Id.

(125.) DoubleClick, 154 F. Supp. 2d at 514.

(126.) Id. at 515-19.

(127.) Id. at 518-19.

(128.) Id. at 519.

(129.) 18 U.S.C. [section] 1030 (2000).

(130.) Id. [section] 1030(a)(2).

(131). Id. [section] 1030(g).

(132.) Id. [section] 1030(e)(8).

(133.) DoubleClick, 154 F. Supp. 2d at 524.

(134.) Id. at 520-23.

(135.) Id. at 523.

(136.) Id. at 524.

(137.) Id. at 523-24.

(138.) Id. at 524-25.

(139.) Id. at 524.

(140.) Id. at 525.

(141.) Id. at 526.

(142.) Id.

(143.) Id.

(144.) Michael Bartlett, Court Gives Green Light to DoubleClick Privacy Suits, NEWSBYTES (June 14, 2001), at

(145.) Notably, actions against other network advertising companies, alleging claims substantially similar to those in the DoubleClick litigation have been dismissed as well. See Chance v. Ave. A, Inc., 165 F. Supp. 2d 1153, 1163 (W.D. Wa. 2001) (dismissing purported class action that alleged that Internet advertising company’s use of cookie technology violated the Wiretap Act, Stored Communications Act, Computer Fraud and Abuse Act, and declining to exercise supplemental jurisdiction over state law claims).

(146.) Press Release, Milberg Weiss Bershad Hynes & Lerach LLP, California Trial Court Sustains Internet Privacy Complaint Against DoubleClick, Inc. (June 13, 2001), available at http://

(147.) Id.

(148.) Letter from Joel Winston, Federal Trade Commission, to Christine Varney, Hogan & Hartson LLP (Jan. 22, 2001), available at

(149.) Id.

(150.) Id.

(151.) Press Release, DoubleClick, DoubleClick Invites Public Review of New Privacy Policy (June 1, 2001), available at object_1 = &press%5Frelease%5Fid = 2523.

(152.) City of Kirkland v. Sheehan, No. 01-2-09513-7 SEA (Wash. Super. Ct. May 10, 2001), available at

(153.) On May 22, 2001, the House Subcommittee on Social Security held a hearing on the use of social security numbers. The testimony of Marc Rotenberg, Executive Director of EPIC, can be found at

(154.) See Michael Ko, Kirkland Sues over Web Site Listing Officers’ Personal Details, SEATTLE TIMES, Apr. 3, 2001, at B2.

(155.) See id. The amended Web site without the social security numbers can be found at http://

(156.) See Sheehan, No. 01-2-09513-7 SEA.

(157.) See id.

(158.) See id.

(159.) See id.

(160.) See id.

(161.) See id.

(162.) See id.

(163.) See Ko, supra note 154.

(164.) Third-Party Complaint, City of Kirkland v. Sheehan, No. 01-2-09513-7 SEA (Wash. Super. Ct. June 2001), available at %20Complaint.doc.

Stephen F. Ambrose, Jr. and Joseph W. Gelb *

* Stephen F. Ambrose, Jr. is the General Counsel of GE Card Services, a business unit of General Electric Capital Corporation. Joseph W. Gelb is a partner in the Trade Practices & Regulatory Law Department of Weil, Gotshal & Manges LLP in New York City. The authors would like to acknowledge the assistance of David M. Lange in the preparation of this Article.