Center for Internet Law – Portland

Recent Legal Developments

Online Privacy


In re Google Inc. Cookie Placement Consumer Privacy Litigation. U.S. Third Circuit. 806 F.3d 125 (2015).
Third Circuit holds cookies placed by Google, despite cookie-blockers, intrusion on reasonable expectation of privacy.

Cookies placed by Google on plaintiff’s web browser despite plaintiff’s installation of cookie-blockers, transmitted information regarding plaintiff’s internet use to Google committed California tort of invasion of privacy because Google, “intruded upon (plaintiff’s) reasonable expectations of privacy.”

Marc Opperman v. Path Inc., U.S. District Court-California, 84 F. Supp. 3d 962 (2015).
Court upholds plaintiff’s invasion of privacy claim based on app developer, aided by Apple, selling apps that would secretly upload, store, and disseminate personal and private information contained in iDevices.

Plaintiff claims Defendant application developer for Apple devices and Apple itself knew Defendant’s apps permitted Defendant to “secretly upload, store, and in some cases disseminate Plaintiff’s personal and private address books stored in the Contacts app on iDevices without Plaintiff’s consent or knowledge.” Plaintiff alleges, in addition, Apple provided assistance and cooperation to app defendants in accessing and misusing iDevice owners’ address-book information. Court holds Plaintiffs have sufficiently pleaded resulting claim for “invasion of privacy by intrusion on their seclusion” under California law.

Court further concludes Defendants’ conduct exceeded any consent given by Plaintiffs. Court holds Defendants’ action satisfied the “highly offensive” requirement of Plaintiff’s intrusion upon seclusion claim and that Plaintiffs’ pleading of “harm and damages” resulting from the conduct of Defendants is, even without specific allegation of financial damages, sufficient to deny Defendants’ Motion to Dismiss. Affirms potential invasion of privacy claims resulting from collection of information from  online-accessing electronic devices.

In re Hulu Privacy Litigation. U. S. District Court- California, 86 F. Supp. 3d 1090 (2015).
Narrowly limits protections of Video Privacy Protection Act because only plaintiff’s watch page address transmitted by Hulu to Facebook, despite watch page address subsequently being combined by Facebook with additional data to yield personally identifiable information.

Hulu transmits Hulu-user computer identity (watch page URL) to Facebook. Facebook’s c-user cookie placed on user’s computer via Hulu provided Facebook ID information for user. Combined by Facebook to yield personally identifiable information (PII) regarding specific videos watched by user. Court holds no violation of Video Privacy Protection Act (VPPA) by Facebook because Hulu itself did not provide user-specific information to Facebook, despite that URL info transmitted by Hulu to Facebook could be combined by Facebook with information derived by Facebook cookie, placed via Hulu site, to yield specific PII.

Court does not fully address specific language of statute (18 USC 2710) barring sharing of personally-identifiable information by video providers, not just sharing of already personally-identified information. Instead sustains narrow construction of  VPPA. Court bases decision on statute language defining “personally identifiable information” as “information which identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” The statute does not, however, require that information identifying relevant videos and identifying person who rented them be transmitted by same source rather than being subsequently linked by third-party or, in this case, by Facebook itself.

Important case in placing sharp limits on definition of “personally identifiable information” which can also be potentially applied in other legal contexts regarding online transmission of information. Lacks strong support, however, for its restrictive definition of PII. Also does not address relevance of technology shifts since 1988 to fulfillment of purpose of statute. There was, for example, no widespread internet use in 1988. Limits privacy protections of VPPA by protecting providers of personally-identifiable information to data aggregators who subsequently integrate with input from other sources to generate personally-identified information. Affirms right to use data aggregated from multiple sources, then personally identified, for analytic purposes.

Larocca v. Larocca, U.S. District Court-Louisiana, 86 F. Supp. 3d 540 (2015).
“Spyware” program covertly installed on plaintiff’s computer is violation of Electronic Communications Privacy Act.

Court holds “spyware” program installed by Defendant on Plaintiff’s computer that collects and reports on e-mail and other activity on Plaintiff’s computer is an “interception of an electronic communication” prohibited under the Electronic Communications Privacy Act (ECPA) of 1986.


Campbell v. Facebook. U.S. District Court- California, 77 F. Supp. 3d 836 (2014).
Court finds no actual or implied consent by Facebook users for Facebook’s web-crawler scanning of their private messages.

Defendant Facebook used web-crawler program to scan users’ private messages on Facebook. Facebook maintains this action taken “in the ordinary course of its business” and thus within applicable exemption to U.S. Electronic Communications Privacy Act., also referred to as “Wiretap Act.” Court finds no showing by Facebook that scanning of users’ private messages by Facebook was within Facebook’s ordinary course of business, defined by Court as Facebook’s “providing of its underlying services”, and thus not within application exception to ECPA.

Facebook maintains, in addition, Plaintiff users consented to Facebook’s scanning of their private Facebook messages by agreeing to Facebook’s posted Data Use Policy. Court holds relevant disclosure by Facebook in its Data Use Policy not specific enough to establish users “expressly consented” to scanning of content of their messages for use in targeted advertising. Court finds, in addition no implied consent by users to Facebook’s scanning of their private messages.

Paul Perkins v. Linkedin. U.S. District Court- California, 53 F. Supp. 3d 1222 (2014).
Court finds “mental and subjective” damages from Linkedin’s invasion of privacy in sending solicitation e-mails in plaintiff’s name but without plaintiff’s consent.

Linkedin sent e-mails containing Plaintiff’s name and likeness and creating impression Plaintiff endorsed Linkedin despite no prior permission or consent by Plaintiff. Court holds messages sent by Linkedin are commercial speech and therefore not protected under First Amendment. Court affirms that, under California publicity rights law, resulting right of privacy damages can be “mental and subjective” and financial injury not required to support cause of action. Applicable damages can instead be “to a plaintiff’s mental feelings and peace of mind.”

Palay v. Mc Mahon, Supreme Court of Massachusetts, 468 Mass. 379 (2014).
Massachusetts Supreme Court holds continuous surveillance of neighboring home interior, even though from off of property, violates plaintiff’s privacy rights because plaintiff still had reasonable expectation of privacy and surveillance was for purpose of harassment.

Defendant Mc Mahon installed video cameras in his house pointed at Plaintiff’s home that enabled Defendant to see through windows of Plaintiff’s home and witness activities therein. Court holds that “even where an individual’s conduct is observable by the public, the individual may still possess a reasonable expectation of privacy against the use of electronic surveillance that monitors and records such conduct for a continuous and expended duration.”

Court concludes that “because plaintiffs have alleged a continuous surveillance of the interior of their home that was conducted for purposes of harassment, the Plaintiffs have made out a plausible claim for invasion of privacy.” Court cites that Defendant allegedly acted for “illegitimate purposes”, but does not address whether similar conduct which is not “for purposes of harassment” and instead for curiosity, voyeurism, etc. would support invasion of privacy claim in this situation. Also does not address whether “online snooping” into computer in home via cookies, etc. can support invasion of privacy claim. Court rejects Defendant’s Motion to Dismiss despite that no economic or financial damages are plead by Plaintiff.

Ellis v. Cartoon Network. U.S. District Court-Georgia. 2014 WL 50235 35 (2014).
Holds disclosure of plaintiff’s Android ID to third-party analytic services provider not transmission of “personally identifiable” information under VPPA because Android ID must be combined with additional data to become “personally-identifiable.”

Video Privacy Protection Act (VPPA)  prohibits “video tape service providers” from knowingly disclosing “personally identifiable information” regarding their customers video choices. Defendant Cartoon Network disclosed Plaintiff’s Android ID to Bongo, an online analytic services provider. Court holds no disclosure of personally identifiable information, as defined under the VPPA, occurred because Cartoon Network did not itself reveal both the personal identity of the viewer and specific videos viewed to a third-party. Court concludes instead that third-party Bango needed to “take further steps to match that ID to a specific person” and that additional information was “collected by Bango from a variety of sources.”

Court does not address why “personally-identifiable information” should instead be interpreted more narrowly as limited to already “personally-identified” information communicated to a third-party. Continues highly limited application of the VPPA and bolsters case law making transmission of specific information subsequently aggregated with identity of specific person by third-party not violation of privacy laws restricting conveyance of “personally–identifiable information.”

Online Privacy. Byrd v. Aaron’s, U.S. District Court- Pennsylvania , 14 F. Supp 3d 667 (2014).
Court holds covert installation of software on plaintiff’s computer, enabling defendant to remotely access, monitor, intercept, and transmit plaintiff’s online information and activity, to be violation of Electronic Communications Privacy Act.

Plaintiff alleges Defendant Aaron’s franchisee stores secretly installed PC Rental Agent software in Defendant’s rent-to-own computers, enabling Defendants to “remotely and surreptitiously access, monitor, intercept, and transmit Plaintiff’s personal information and Plaintiff’s online activity on the rented computers” as well as for Defendants to take photographs, using computer’s web-cam,  of computer’s users including Plaintiff. Plaintiff asserts claim under Electronic Communications Privacy Act (ECPA). Defendant argues ECPA not applicable because material and images not obtained from Plaintiff’s computer “while in transmission” as required under ECPA. Court holds, however, allegation Plaintiff’s computer accessed by Defendants “over three hundred times on eleven separate days” sufficient for cause of action under ECPA.

Court includes accompanying discussion of law regarding contracts of adhesion and doctrine of unconscionability and applicability to current online browsewrap and clickwap agreements. Moves toward advocating more rigorous standards regarding requirements for online posted terms of service and privacy policies, but does not address practicality of detailed review by users of provisions of posted terms and policies on all websites accessed by users.

How Can We Help?

Call 503.335.1406 or click to send an e-mail: