In the past year, the federal law claims in two cases involving Google’s cookie collection practices have been dismissed. Federal Wiretap Act, Stored Communications Act and Computer Fraud and Abuse Act claims against Google were dismissed in In re: Google Inc. Cookie Placement Consumer Privacy Litigation. Federal Wiretap Act, Stored Communications Act and Video Privacy Protection Act claims were dismissed in In re: Nickelodeon Consumer Privacy Litigation. Left standing in both cases were the state law intrusion upon seclusion claims. Intrusion upon seclusion is one of the four privacy torts arising out of litigation during the years following the 1890 Warren and Brandeis article, The Right to Privacy. The Right to Privacy brought public awareness to the need to protect individual privacy and provided a legal basis for doing so. Public disclosure of private facts, false light and appropriation are the other three common law privacy torts.
With all of the federal and state statutes that have been enacted specifically addressing computers and online activity, who would have thought that the analog age tort of intrusion upon seclusion would swoop in like a super hero to act as the vanguard for online consumer privacy rights?
I posted about In re: Google Inc. Cookie Placement Consumer Privacy Litigation in State Law Privacy Claims Still Baking in Google Cookie Suit. This post is about the Third Circuit’s discussion of the intrusion upon seclusion tort in the recent case, In re: Nickelodeon Consumer Privacy Litigation.
Viacom owns the Nickelodeon website, Nick.com. Nick.com is directed towards children, offering streaming videos and interactive games. Google contracted to place advertisements on Viacom’s websites. The plaintiffs alleged that Viacom and Google unlawfully used Internet cookies to track children’s web browsing and video-watching habits on Viacom’s websites. The plaintiffs alleged that Viacom collected and disclosed to Google, and that Google collected and tracked, children’s user name/alias, gender, birthdate, IP addresses, browser settings, unique device identifier, operating system, screen resolution, browser version, web communications and persistent cookie identifiers.
The plaintiffs argued that this message on the Nickelodeon website
HEY GROWN-UPS: We don’t collect ANY personal information about your kids. Which means we couldn’t share it even if we wanted to!
coupled with Viacom’s collection, and sharing with Google, of personal information about children, invaded the children’s privacy by encroaching on their reasonable expectations of solitude.
The district court dismissed plaintiffs’ New Jersey state common law intrusion upon seclusion claim. The Third Circuit vacated and remanded.
Viacom argued that the Children’s Online Privacy Protection Act (COPPA) preempts the intrusion upon seclusion claim. COPPA places limits on gathering personal information from children under the age of 13 over the Internet. COPPA bars state governments from imposing any liability for commercial activities in a way that is inconsistent with COPPA’s treatment of those activities. The Federal Trade Commission (FTC) enforces COPPA. Private citizens cannot bring claims for COPPA violations.
There is a presumption against federal preemption of state statutes in areas of traditional state regulation. In those situations, when a federal statute contains a preemption clause that presents more than one plausible reading, courts usually accept the reading disfavoring preemption.
The question we confront is whether the plaintiffs’ intrusion claim is truly ‘inconsistent’ with the obligations imposed by COPPA, or whether the plaintiffs’ intrusion claim rests on common-law duties that are compatible with those obligations. Because we reach the latter conclusion, Viacom’s preemption argument is unavailing.
In our view, the wrong at the heart of the plaintiffs’ intrusion claim is not that Viacom and Google collected children’s personal information, or even that they disclosed it. Rather, it is that Viacom created an expectation of privacy on its websites and then obtained the plaintiffs’ personal information under false pretenses. Understood this way, there is no conflict between the plaintiffs’ intrusion claim and COPPA. While COPPA certainly regulates whether personal information can be collected from children in the first instance, it says nothing about whether such information can be collected using deceitful tactics. Applying the presumption against preemption, we conclude that COPPA leaves the states free to police this kind of deceptive conduct.
Indeed, we confronted a similar allegation last year in Google. The plaintiffs there alleged that Google had evaded browser-based cookie blockers even as it held itself out as respecting them. We concluded that the alleged gap between Google’s public-facing comments and its actual behavior was problematic enough for a jury to conclude that Google committed ‘an egregious breach of social norms.’ In our view, the problem was not disclosure per se. Rather, what was notable was how Google accomplished its tracking—i.e., through deceit and disregard that raised different issues than tracking or disclosure alone. In those circumstances, a reasonable factfinder could indeed deem Google’s conduct highly offensive or an egregious breach of social norms. We think the same is true here.
Accordingly, we conclude that COPPA does not preempt the plaintiffs’ state-law claim for intrusion upon seclusion.
(Opinion pdf pages 67 – 69).
This case is In re: Nickelodeon Consumer Privacy Litigation, No. 15-1441, Third Circuit Court of Appeals.