Last week the United States District Court for the District of New Jersey dismissed, with prejudice, class action claims against Google and Viacom concerning targeted advertising and the online tracking of children through cookies. Perhaps surprisingly, the claims did not involve allegations that the parties violated the Children’s Online Privacy Protection Act (COPPA). The suit arose from allegations that when users register on Viacom’s Nick.com website, they are asked to input their gender and birthday and create a username. Viacom collects this information and gives each user a unique internal code that reflects their gender and age. Viacom then places a cookie on each user’s computer, which tracks the user’s IP address, browser settings, unique device identifier, certain system and browser information, and the URLs and videos requested from Viacom’s children’s websites. Viacom would share with Google its unique internal code, along with the record of what parts of the site users interacted with, and Google would place its own cookie on each user’s computer. Google and Viacom would then use this information to target the users with advertising.
The plaintiffs alleged violations of the Wiretap Act, Stored Communications Act, California’s Invasion of Privacy Act, the Video Privacy Protection Act (VPPA), New Jersey’s Computer Related Offenses Act (CROA), and two New Jersey torts, including Intrusion upon Seclusion. The plaintiffs did not allege violations of the Children’s Online Privacy Protection Act (COPPA). In July 2014, the Court dismissed with prejudice all claims except the VPPA claim against Viacom and the CROA and Intrusion upon Seclusion claims against both defendants, as to which the court allowed the plaintiffs to amend their complaint.
In January 2015, the court dismissed the amended complaints with prejudice. With regard to the VPPA claim against Viacom, the court found that the plaintiffs had not alleged sufficient facts to show that the information collected by Viacom could actually identify the plaintiffs. The Court noted that the VPPA requires disclosure of personally identifiable information (PII) concerning a consumer, but that there is no support for the proposition that PII includes the kind of information Viacom collected and shared, such as IP address, gender, and age. Further, the court found that this information was insufficient to identify an individual plaintiff and a video that plaintiff watched, as required for a violation of the VPPA to be found. Therefore, the court holds that the VPPA claim fails.
With regard to the CROA claim, the statute requires a showing of business or property damage for a civil suit to go forward. The plaintiffs suggested unjust enrichment, because Google and Viacom could monetize their PII, but that is not a form of damage recognized under the statute. In addition, the court was not convinced that a statute designed to target hacking could cover the situation alleged in the facts here. As to the intrusion upon seclusion claim, the court rejects this because such a claim requires a showing that the activities alleged are “highly offensive.” Even though many may disapprove of the defendants’ actions, the court holds that people routinely understand that companies collect information about them as they browse the Internet.
The court rejected unique device identifiers and IP addresses as PII, but the COPPA rule adopted by the FTC in 2012 does include such unique persistent identifiers. While this court stuck closely to the text of the VPPA, it is entirely possible that some other court would look to the FTC or other statutes for the modern understanding of PII, and particularly children’s PII, which was at issue in this case, and come to the opposite conclusion. The failure of the CROA claims stands in contrast to the many cases in which prosecutors charge violations of the Computer Fraud and Abuse Act’s unauthorized access provisions for conduct that might otherwise be considered outside the scope of the “hacking” that law was intended to stop. Indeed, this court found the New Jersey equivalent of that statute to be inapplicable. But enough similar claims have moved forward under the CFAA that some of the President’s recently proposed revisions to the CFAA are attempts to address such use of the statute, for example by limiting the scope of liability for exceeding authorized access for breaches of a written policy.