Internet Library of Law
and Court Decisions

Dane Chance, et al. v. Avenue A, Inc.

Court dismisses claims brought by plaintiffs under the Computer Fraud and Abuse Act ("CFAA"), the Wiretap Act and the Stored Communications Act, arising out of Avenue A's use and placement of cookies on plaintiffs' computers. Avenue A uses such cookies to gather information about the user's use of Avenue A client web sites, and to present various advertisements on those web sites that Avenue A believes will be of interest to the user based on such information. The claims under the CFAA were dismissed because any damages plaintiffs' sustained as a result of Avenue A's actions did not meet the threshold necessary to assert a claim under the CFAA. Plaintiffs' claims under both the Stored Communications Act and the Wiretap Act were dismissed because Avenue A's client web sites gave Avenue A permission to review the communications between those sites and the plaintiff users related to their use of the sites. Having dismissed the federal claims plaintiffs asserted, the court declined to exercise supplemental jurisdiction over the remaining state law claims, which it accordingly dismissed without prejudice.

Plaintiffs are Internet users who allege that Avenue A placed cookies on their personal computers. Avenue A, among other things, supplies targeted banner advertisements for its clients' web sites. An Avenue A client will maintain a web site, certain portions of which are blank and reserved for the insertion of banner advertisements. A user, such as plaintiff, will direct his computer, through a browser, to visit an Avenue A client web site. In response to the user's request, the server on which the web site is stored will send the requested web page. It will also send the user a link which causes the user's computer to send a communication to the Avenue A server. Upon receipt of this communication, Avenue A's server analyzes the cookie information present on the hard drive of the user's computer. Typically, this is information as to the user's previous viewing history of Avenue A client web sites, and the Avenue A banner ads he has previously responded to. These cookies will also identify those portions of the client's web site the user visited, which information is gathered by action, or GIF tags, found on the client's web site. Based on this information, Avenue A's server will select a banner ad it believes will interest the user, and cause that ad to be displayed in the blank portion of the client's web site reserved therefor.

Avenue A also has a relationship with Doubleclick, pursuant to which it supplies some of the advertisements that appear on Doubleclick client web sites. Pursuant to this arrangement, the Doubleclick client web site, upon receipt of an inquiry from a user, sends the user a link which directs the user to Doubleclick for the banner advertisements. Doubleclick, in turn, forwards that request to Avenue A. Upon receipt, Avenue A acts as if it received the initial request, accessing cookie information and delivering a selected advertisement.

Plaintiffs claimed that Avenue A's activities violated the Computer Fraud and Abuse Act 18 U.S.C. Section 1030(a), the Wiretap Act, 18 U.S.C. Section 2510, et seq., and the Stored Communications Act, 18 U.S.C. Section 2701, et seq. The plaintiffs also asserted various state law claims, including invasion of privacy and trespass. Following the lead of the United States District Court for the Southern District of New York in In re Doubleclick Inc. Privacy Litigation, 2001 WL 303744 (S.D.N.Y. March 28, 2001), the court found that each of plaintiffs' federal court claims lacked merit, and, on defendant's motion for summary judgment, dismissed the same. The court then declined to exercise jurisdiction over the remaining state law claims, which it dismissed without prejudice.

The CFAA prohibits a defendant from "intentionally accessing a computer without authorization … and thereby [] obtain … information from any protected computer …". However, the statute sets a damage threshold that must be met before a claim for damages can be pursued. Under the statute, 18 U.S.C. Section 1030(g), any person who suffers damage or loss by reason of a violation of this section may maintain a civil action ... to obtain compensatory damages and injunctive relief or other equitable relief. Damages for violations involving damage as defined in section (e)(8)(A) are limited to economic damages. Under section 18 U.S.C. section 1030(e)(8), damage is defined as "any impairment to the integrity or availability of data, a program, a system or information that - (a) causes loss aggregating at least $5000 in value during any 1-year period to one or more individuals; (b) impairs medical care; (c) causes physical injury; (d) threatens public health or safety."

Plaintiffs argued that this damage threshold did not apply because it was inapplicable to "losses" caused by Avenue A's actions. As noted above, the statute creates a cause of action in any individual "who suffers damage or loss by reason of a violation ...". While the court conceded that the statute was "ambiguous" on this issue, it held that the Legislative history and existing case law indicated that whatever type of injury a plaintiff sustained, be it damage or loss, had to meet the statutory minimum. Said the court:

The CFAA requires that the $5000 threshold of damage be met in order to state a valid cause of action. … Plaintiffs attempt to circumvent the statute's $5000 threshold by arguing that "loss" as opposed to "damages" is not subject to the threshold. … [T]he context of the statute requires an inclusion of "loss" within the $5000 damages threshold.

Plaintiffs' claim failed to meet this requirement because plaintiffs could not show that any of the specific acts at issue, the accessing by Avenue A of a single user's cookie on a single occasion, caused $5000 in damages. Importantly, the court held that plaintiffs could not aggregate the damages caused by Avenue A's separate acts of accessing numerous cookies to meet the statutory threshold. Said the court:

The damage amount can be aggregated across both time and individual computers, but it cannot be aggregated across separate acts. By its plain language, the statute uses the singular of "impairment" to limit the damages threshold to a single act or event.

The court held that the damages caused by the act of accessing a single cookie did not amount to $5000. Said the court:

Unlike a computer hacker's illegal destruction of computer files or transmission of a widespread virus which might cause substantial damage to many computers as the result of a single act, here the transmission of an internet cookie is virtually without economic harm. Plaintiffs present no evidence to contradict this simple fact.

The court also rejected plaintiffs' claims under the Stored Communications Act. It is a violation of the Stored Communications Act to "access[] without authorization a facility through which an electronic information service is provided ... and thereby obtain[] ... access to a wire or electronic communication while it is in electronic storage in such system ...". The statute contains an express exception, however, exempting from its coverage "conduct authorized ... (2) by a user of that service with respect to a communication of or intended for that user." 18 U.S.C. 2701(c)(2). The court held that Avenue A's conduct fell within this exception, as it was authorized by its client web sites, who were parties to the communications in question. Said the court:

Any web site for which Avenue A provides advertisements must have written the programming code required to direct Plaintiffs' computers to Avenue A's server. Given the technological and commercial relationship between web sites and Avenue A, it is implausible to suggest that any such access by Avenue A was not intended or authorized by the web site. In fact, the opposite conclusion is inescapable: the very raison d'etre of Avenue A is to provide web sites with targeted advertising, and it cannot do so without the collaboration and consent of those sites.

The court held the same was true of Doubleclick's clients web sites, which Doubleclick had the authority to access.

Lastly, the court rejected plaintiffs' Wiretap Act claims. The Wiretap Act prohibits the intentional interception of any "wire, oral or electronic communication." However, pursuant to the Act, "it shall not be unlawful under this chapter for a person not acting under color of law to intercept a wire, oral or electronic communication where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception unless such communication is intercepted for the purpose of committing any criminal or tortuous act in violation of the Constitution or laws of the United States or any State."

The court held that, as with the Stored Communications Act, Avenue A has been authorized by one of the participants of the communications in question, its web site clients, to access the communications.

One party consent is sufficient to negate liability under the consent prong of the Wiretap Act's exception.

Because plaintiffs had pointed to no evidence that revealed that Avenue A intercepted the communications in question for an illegal or tortuous purpose, the court rejected plaintiffs' Wiretap Act claims. Said the court:

It is simply implausible that the entire business plan of one of the country's largest Internet media companies would be "primarily motivated" by a tortuous or criminal purpose. Further discovery would only confirm this inevitable conclusion.