West Case Update

Cookies Used to Collect Personal Data Violate ECPA Unless Consent Given

Description Appeals court held that if cookies are used by a website operator to gather personal information about the website users, the Electronic Communications Privacy Act has been violated unless consent was given.

Topic Cyberlaw

Key Words Privacy; Cookies; Consent

C A S E S U M M A R Y

Facts Pharmaceutical companies invited users to visit their websites to learn about their drugs and to obtain rebates. Pharmatrak sold a service to the companies that accessed information about the Internet users and collected information meant to allow the companies to do intra-industry comparisons of website traffic and usage. Most companies did not want personal or identifying data about their site users, but Pharmatrak collected such information and kept it in its computers. Plaintiffs sued Pharmatrak and the drug companies on behalf of a class of Internet users whose data had been collected. The district court dismissed the suit, finding that the actions fell within an exception of the Electronic Communications Privacy Act (ECPA) where a party consents to data interception. Plaintiffs appealed.

Decision
Reversed. To make an interception claim under ECPA, a plaintiff must show that defendant 1) intentionally 2) intercepted, endeavored to intercept or procured another person to intercept or endeavor to intercept 3) the contents of 4) an electronic communication 5) using a device. An exception is based on consent. The burden of showing a statutory exception for consent under ECPA is on the party seeking the benefit of the exception. That has not been demonstrated as neither the drug companies nor the Internet users consented to the interception of private information. Hence, Pharmatrak intercepted personal information within the meaning of ECPA.

Citation In re: Pharmatrak, Inc., 329 F.3d 9 (1st Cir., 2003)

Back to Cyberlaw Listings

Cookies Used to Collect Personal Data Violate ECPA Unless Consent Given
Description	Appeals court held that if cookies are used by a website operator to gather personal information about the website users, the Electronic Communications Privacy Act has been violated unless consent was given.
Topic	Cyberlaw
Key Words	Privacy; Cookies; Consent
C A S E S U M M A R Y
Facts	Pharmaceutical companies invited users to visit their websites to learn about their drugs and to obtain rebates. Pharmatrak sold a service to the companies that accessed information about the Internet users and collected information meant to allow the companies to do intra-industry comparisons of website traffic and usage. Most companies did not want personal or identifying data about their site users, but Pharmatrak collected such information and kept it in its computers. Plaintiffs sued Pharmatrak and the drug companies on behalf of a class of Internet users whose data had been collected. The district court dismissed the suit, finding that the actions fell within an exception of the Electronic Communications Privacy Act (ECPA) where a party consents to data interception. Plaintiffs appealed.
Decision	Reversed. To make an interception claim under ECPA, a plaintiff must show that defendant 1) intentionally 2) intercepted, endeavored to intercept or procured another person to intercept or endeavor to intercept 3) the contents of 4) an electronic communication 5) using a device. An exception is based on consent. The burden of showing a statutory exception for consent under ECPA is on the party seeking the benefit of the exception. That has not been demonstrated as neither the drug companies nor the Internet users consented to the interception of private information. Hence, Pharmatrak intercepted personal information within the meaning of ECPA.
Citation	In re: Pharmatrak, Inc., 329 F.3d 9 (1st Cir., 2003)