Legislating Cookies By John Roemer November 28, 2000 In the absence of legislation written specifically to regulate Net privacy, should a 14-year-old wiretapping law be applied to Internet privacy issues? Two federal class actions filed last week raise this question, claiming that online ad companies violate federal laws by tracking consumers' browsing habits without their permission. Filed in Denver against Excite@Home subsidiary MatchLogic and in Redmond, Wash., against the online advertiser Avenue A, the suits complain that the two companies planted cookies on consumers' hard drives to track their Web habits for commercial purposes, thereby violating the Electronic Communications Privacy Act, passed by Congress to deter wiretapping, and the Computer Fraud and Abuse Act. As concerns about Internet privacy grow, legal experts believe that the outcome of these two suits could shape the development of future Net privacy practices. If the judges decide that existing wiretapping laws forbid the practice of tracking consumer information via cookies, Web advertisers will face legal liability for cookie use unless they are scrupulous about notifying consumers of the practice. Conversely, if the courts decide that the existing wiretapping laws don't forbid the use of cookies without adequate notification, it could be open season for advertisers to harvest and sell information about site visitors, at least until Congress drafts new legislation to govern consumers' privacy rights in cyberspace. Although both companies declined to comment on the suits, attorneys at the powerhouse class-action firm Milberg Weiss Bershad Hynes & Lerach who joined both suits are trying to convince the judges that the existing law regulating wiretapping can also be applied to the Web. They argue that the online advertisers accessed consumers' information without their knowledge, using a method similar to one a wiretapper would use to intercept a phone conversation. But Denver attorney Philip Gordon, an expert in wiretapping statutes and a fellow of the nonprofit Privacy Foundation, points out that Congress intended ECPA to protect the content of communications, such as the words spoken in a phone conversation, not transactional data, such as the number dialed and the length and cost of the call. In Web usage, that transactional information is of value to advertisers. Gordon noted that the cases might turn on whether the defendants can show that users reviewed and understood the privacy policies that were posted on the sites. Another hurdle for the plantiffs is whether all of Net users' experiences are sufficiently similar for the cases to qualify as a class action. The outcome, whichever direction it takes, is likely to clarify an area of Internet law that remains murky, at least for the time being. "Internet law is simply not developed in this area," Gordon says. "Ideally, the courts should grapple with these issues and decide if federal statutes can be applied to the novel technologies presented." Online Ad Companies Hit With Privacy Suits http://news.cnet.com/news/0-1005-200-3821026.html Review: Online Toy Stores Fall Short on Privacy Protection (InfoWorld) http://tm0.com/thestandard/sbct.cgi?s=64852336&i=281243&d=672624 Privacy Foundation http://www.privacyfoundation.org