CDR: Industry Standard: Legislating Cookies

Wed Nov 29 08:29:37 PST 2000

Legislating Cookies

By John Roemer

November 28, 2000

In the absence of legislation written specifically to regulate Net
privacy, should a 14-year-old wiretapping law be applied to Internet
privacy issues?

Two federal class actions filed last week raise this question,
claiming that online ad companies violate federal laws by tracking
consumers' browsing habits without their permission. Filed in Denver
against Excite at Home subsidiary MatchLogic and in Redmond, Wash.,
against the online advertiser Avenue A, the suits complain that the
two companies planted cookies on consumers' hard drives to track their
Web habits for commercial purposes, thereby violating the Electronic
Communications Privacy Act, passed by Congress to deter wiretapping,
and the Computer Fraud and Abuse Act.

As concerns about Internet privacy grow, legal experts believe that
the outcome of these two suits could shape the development of future
Net privacy practices. If the judges decide that existing wiretapping
laws forbid the practice of tracking consumer information via cookies,
Web advertisers will face legal liability for cookie use unless they
are scrupulous about notifying consumers of the practice. Conversely,
if the courts decide that the existing wiretapping laws don't forbid
the use of cookies without adequate notification, it could be open
season for advertisers to harvest and sell information about site
visitors, at least until Congress drafts new legislation to govern
consumers' privacy rights in cyberspace.

Although both companies declined to comment on the suits, attorneys at
the powerhouse class-action firm Milberg Weiss Bershad Hynes & Lerach
who joined both suits are trying to convince the judges that the
existing law regulating wiretapping can also be applied to the Web.
They argue that the online advertisers accessed consumers' information
without their knowledge, using a method similar to one a wiretapper
would use to intercept a phone conversation.

But Denver attorney Philip Gordon, an expert in wiretapping statutes
and a fellow of the nonprofit Privacy Foundation, points out that
Congress intended ECPA to protect the content of communications, such
as the words spoken in a phone conversation, not transactional data,
such as the number dialed and the length and cost of the call. In Web
usage, that transactional information is of value to advertisers.
Gordon noted that the cases might turn on whether the defendants can
show that users reviewed and understood the privacy policies that were
posted on the sites. Another hurdle for the plantiffs is whether all
of Net users' experiences are sufficiently similar for the cases to
qualify as a class action.

The outcome, whichever direction it takes, is likely to clarify an
area of Internet law that remains murky, at least for the time being.
"Internet law is simply not developed in this area," Gordon says.
"Ideally, the courts should grapple with these issues and decide if
federal statutes can be applied to the novel technologies presented."

Online Ad Companies Hit With Privacy Suits
http://news.cnet.com/news/0-1005-200-3821026.html

Review: Online Toy Stores Fall Short on Privacy Protection (InfoWorld)
http://tm0.com/thestandard/sbct.cgi?s=64852336&i=281243&d=672624

Privacy Foundation
http://www.privacyfoundation.org 