A cookie is a small piece of information placed on an internet user's hard drive
(usually without the user's knowledge) by a website the user visits. Cookies are
used to track a user's movements within the site and even among sites. This is
of great advantage to advertisers who can create profiles on a user and target
their ads to match the user's interests. However, they can be used not only to
track where the user goes, but also information the user supplies to another site
including the user's name, address, password information, and credit card numbers.
Also see Cookie Central: http://www.cookiecentral.com;
"Privacy In Cyberspace: Rules of the Road for the Information Superhighway": http://www.privacyrights.org/fs/fs18-cyb.htm;
Electronic Privacy Information Center: www.epic.org
Congress has not passed privacy laws specific to this issue; however, the lack
of government intervention does not make the idea of having one's movements tracked,
and one's personal information available to unknown organizations, any more palatable
to internet users. Thus, 2001 saw a number of civil suits brought by internet
users against advertisers and website operators who used cookies. See
In re Doubleclick Inc. Privacy Litigation, 154 F.Supp.2d 497 (S.D.N.Y.2001)
("Doubleclick"), In re Intuit Privacy Litigation, 138 F.Supp.2d
1272 (C.D.Cal.2001) ("Intuit"), Chance v. Avenue A, Inc., 165
F.Supp.2d (W.D.Wash.2001) ("Chance").
In all cases, plaintiffs claimed that the unauthorized placement of cookies on
internet user's hard drives violated Title I of the Electronic Communications
Privacy Act ("ECPA"), the Federal Wiretap Act ("FWA") (18 U.S.C.A. §2511 et seq.);
Title II of the EPCA, the Stored Communications Act ("SCA") (18 U.S.C.A. §2701,
et seq.); and the Computer Fraud and Abuse Act ("CFAA") (18 U.S.C.A. §1030 et
seq.). The FWA prohibits the intentional interception of "any wire, oral, or electronic
communication." 18 U.S.C.A. §2511(a)(1). The SCA is an anti-hacker law which "prohibits
unauthorized access of electronic communications stored on the facilities of certain
providers of electronic communication service." Chance at 1160. The CFAA
prohibits intentional, unauthorized access of a computer "'knowingly caus[ing]
the transmission of a program, information, code, or command,' and as a result
caus[ing] damage, 18 U.S.C.A. §1030(a)(5)(A), generally causing damage to such
a computer, §1030(a)(5)(B) & (C) , or accessing and obtaining 'information from
any protected computer if the conduct involved an interstate or foreign communication,'
§1030(a)(2)(C)." Id. at 1158.
All of the courts dismissed the claims under the FWA and the CFAA, however they
split on whether the use of cookies could potentially violate the SCA. The Intuit
court held that accessing the cookies on a user's hard drive, even those that
the accessing party placed there, could be found to be an unauthorized access
under the statute; however, the Doubleclick and Chance courts
held that the EPCA did not protect cookies and that the advertising companies
in those cases, to whom the cookies belonged, were exempted from the EPCA.
