Florida And Federal Protection Of Privacy In E-Commerce
The Florida Bar Business Law Section The Quarterly Report February 2001 (p. 6)
By David J. Federbush
On-line harvesting of personal information on consumers who access commercial websites on the Internet, tracking consumers’ Internet surfing activity for marketing or other purposes (“profiling”), and the furnishing of such information to third parties have received increasing attention in the national as well as legal press. When done without the consumer’s knowledge or consent, these activities raise serious privacy concerns. The law in this area is developing, and e-commerce retailers and other e-businesses need to keep abreast in designing or modifying their information gathering practices and privacy policies. This article is intended to be a comprehensive survey of Florida and federal law potentially applicable to such activity. It also discusses, for illustrative purposes, some of the legal claims that have recently been asserted.
E-businesses may generally expect to be in the posture of defendants in litigation over these issues, and their exposure often will be as to injunctive and other equitable relief sought by governmental as well as private plaintiffs. Exposure to private damages actions under Florida’s Deceptive and Unfair Trade Practices Act (FDUTPA) may also be possible, as is discussed below. E-businesses, however, may also have claims as plaintiffs. In fact, under some of the federal statutes discussed below they may be better able than their own customers to protect information on those customers against privacy invasions by third parties. To that extent e-businesses should consider privacy claims to be a potential service they can offer to their customers that will be rewarded, rather than nothing but a threat by those customers to the corporate treasury. It is not inconceivable that businesses may also have claims under Florida’s Deceptive and Unfair Trade Practices Act (FDUTPA) when acting as consumers, e.g. purchasers, although demonstrating legally cognizable damages from collection of business information on privacy grounds seems problematic.
Florida Common Law
Florida’s common law right of privacy does not appear applicable to these activities, as it does not cover commercial misuse of personal information resulting in anything less than widespread publication of that information. Florida’s invasion of privacy action, based on the tort as set forth in the Restatement (Second) of Torts, covers four types of wrongful conduct: (1) the unauthorized use of a person’s name or likeness to obtain some benefit; (2) physically or electronically intruding into one’s private quarters; (3) public disclosure of private facts – the dissemination of truthful private information which a reasonable person would find objectionable; and (4) false light in the public eye – publication of facts which place a person in a false light even though the facts themselves may not be defamatory. Case law under the third category generally addresses communication of information to the public in general, such as publication in a newspaper, or to a large number of persons. Moreover, the Restatement test does not even address (mis)use of personal information, by the same individual or entity that collected the information for a purpose consented to by the consumer, for some other purpose.
Federal Electronic Communications And Computer Abuse Statutes
Federal statutes relied on in recent federal court Internet privacy actions are the Computer Fraud and Abuse Act (“CFAA”) and the Electronic Communications Privacy Act (“ECPA”; the federal wiretap statute as amended in 1986). They were enacted primarily as criminal statutes prior to the widespread public use of the Internet, to target computer hackers and regulate wiretapping activities, respectively. Their civil liability provisions, however, are now being employed in the Internet privacy field.
CFAA Actions By Businesses
The CFAA prohibits unauthorized access to a “protected computer” through which information is obtained from that computer. Its civil liability provisions permit recovery of compensatory damages and injunctive and other equitable relief to anyone suffering damage or loss by reason of such an unauthorized access.
There are a few reported decisions on the use of the CFAA in the Internet privacy context, in actions brought by one e-business against another. A company operating pornographic websites (LCGM, Inc.) that was a member of America Online used extractor software programs to harvest the email addresses of many other AOL members, contrary to AOL’s terms of service. LCGM subsequently sent more than 92 million bulk e-mails (“spam”) advertising their pornographic websites to other AOL members. A federal district court held, on summary judgment, that the extraction constituted unauthorized access to AOL’s computer(s) under the CFAA and that AOL was entitled to injunctive relief under that statute. The decision left AOL’s monetary damages claim, for technical costs and problems, as well as lost customer goodwill and revenue, for trial. Whatever its motivation(s), AOL thus accomplished at least prospective privacy protection as to its own members in a manner that was likely more efficient and pervasive than what the members could have accomplished on their own. It would appear, however, that the individual AOL members could bring their own suits seeking damages, as CFAA’s statutory definitions do not state that the computer accessed must be the property of the plaintiff. Proving monetary damages from receipt of such spam would, of course, be a separate (and difficult) matter.
In another case a federal district court, in granting a TRO to a web-based dating service, held that a CFAA violation was made out when its former employee accessed the site (presumably through its server) and entered code which hijacked visitors to a pornographic website, on whose behalf he conducted such hacking. The court found a likelihood of irreparable harm in the form of damage to the service’s goodwill, as a complaining customer had asked to be removed from the service and others, in the court’s view, were likely to do so as well. User personal privacy would seem to be violated under these facts even if the operators of the pornographic site merely view, without recording, personal identifying information on the unwilling visitor (it is almost a “false light” invasion of privacy scenario). Also, the pornographic site’s capture and recording of the information could lead to additional unwanted pornographic solicitations. Again, the business’s lawsuit helped protect the privacy of its own subscribers. Individual users could conceivably bring their own actions seeking individual damages.
ECPA Actions By Businesses
While this author did not locate any reported cases on the use of ECPA to protect Internet privacy, a class action filed in July 2000 in the Southern District of New York against Netscape and AOL (which recently acquired Netscape) illustrates its attempted use. Notably, the case was brought on behalf of website hosters (which could include businesses as well as individuals), rather than visitors. The case’s essential thrust appears to be that a Netscape browser plug-in has been used to eavesdrop on, and permit the creation of continuing profiles on, the Internet activities of website hosters (as well as visitors).
The complaint was brought on behalf of “all United States persons or entities who maintain Web sites on the Internet providing ‘zip’ or ‘exe’ files for download by visitors to the site”. It alleges that Netscape’s SmartDownload, software designed to facilitate the download process, uses “cookie” technology to secretly send information about downloads to Netscape: data on each exe or zip file downloaded, along with the (unique) identifying string from the cookie that Netscape set in the user’s computer the first time the user accessed the internet through Netscape’s browser. It thereby allegedly “permits Netscape to create a continuing profile of the Class members’ and each visitor’s file transfers over time.”
The complaint alleges violation of ECPA, which at §2511 imposes liability on any person who intentionally intercepts or endeavors to intercept any electronic communication, or (d) intentionally uses, or endeavors to use, the contents of any electronic communication, knowing or having reason to know that the information was obtained through the interception of a[n] electronic communication. The apparent legal theory of the suit is that the tracking of the download is an interception of an electronic communication. The complaint seeks damages under ECPA’s civil liability section, which provides, inter alia, for monetary damages in the amount which is the greater of (a) actual damages plus any profits made by the violator as a result of the violation, or (b) statutory damages of whichever is the greater of $100 a day for each violation, or $10,000; recovery of attorney’s fees and costs; preliminary and other equitable relief; and punitive damages in appropriate cases. The complaint also alleges violations of the CFAA, on the apparent legal theory that the cookie’s capture of information on the downloads constitutes unauthorized access of the website hosters’ computers and obtaining of information therefrom.
Note also that Title II of the ECPA prohibits intentionally accessing without authorization a facility through which an electronic communication service is provided, and may provide a basis for claims, assuming other definitional sections are satisfied, when cookies or other technological means can be and are employed without authorization to access personal information as stored in a computer rather than as captured during the communication process. In this respect it seems similar to CFAA. A separate section of Title II imposes liability for the disclosure or use of the contents of those stored communications when the disclosing or using party is the provider of an electronic communication service.
Consumer Individual And Class Actions Under CFAA And ECPA
According to press reports, many of the individual and consumer class action suits that have been filed against DoubleClick, and the consumer class actions filed against Toys R Us, allege violations of the federal laws discussed above. DoubleClick, which has provided website banner advertising services, allegedly deployed cookies to track consumers’ surfing habits to personalize ads people see when they pull up the sites. Also, it then acquired Abacus Direct Corp., a direct marketing services company which maintains a database on the purchasing patterns of many American households, allegedly so as to enable it to combine such on-line and off-line personal information. (It apparently backed away from that plan in March 2000 after public objection by consumer advocates and the commencement of an FTC investigation.) Toys R Us allegedly used an outside firm, Coremetrics, to place cookies and monitor users’ surfing; Coremetrics allegedly shared that information with others of its corporate clients. Other similar privacy class actions have reportedly been filed against Amazon.com, RealNetworks and Buy.com.
The Federal Children’s Online Privacy Protection Act
The Children’s Online Privacy Protection Act (“COPPA”), a new federal statute regulating the harvesting of personal information of website visitors who are thirteen years old or less, became effective in early 2000. The statutory scheme provides for administrative enforcement by the FTC but not private enforcement. The FTC has, as required by the statute, promulgated implementing regulations, violations of which are treated as violations of FTC trade regulation rules defining an unfair or deceptive act or practice. Website hosters are thus subject to federal court enforcement actions brought by the FTC.
In addition, because FDUTPA defines a violation to include any violation of such an FTC rule, a future updating amendment to FDUTPA by the Florida Legislature (which does not exclude incorporation of such regulations) should effectively incorporate those regulations into FDUTPA. Such incorporation would create a private right of action in Florida for violations of those COPPA regulations.
COPPA and the FTC’s regulations generally establish a notice, disclosure, and parental consent framework for collecting personal information on children on the Internet. They require that the operator of any website or online service directed to children and collecting information from a child, or any operator that has actual knowledge that it is collecting or maintaining personal information from a child, (a) provide notice of what information is collected, how the operator uses such information, and the operator’s disclosure practices for such information; (b) obtain verifiable parental consent for the collection, use, or disclosure of such information; (c) provide a reasonable means for a parent to review the personal information collected from a child and to refuse to permit its further use or maintenance; (d) not condition a child’s participation in a game, the offering of a prize, or another activity on the child disclosing more personal information than is reasonably necessary to participate in such activity; and (e) establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children (emphasis added). Among the regulations’ definitions are that child means an individual under the age of 13, and that “collects or collection” includes, but is not limited to: requesting that children submit information; enabling children to make personal information publicly available through a chat room, message board, or other means (except where identifiers are deleted); and the passive tracking or use of any identifying code linked to an individual, such as a cookie. Other subsections detail the contents and placement of the notice; the mechanisms for (and exceptions to) obtaining parental consent; parental review procedures and content; and safe harbor provisions, entailing compliance with self-regulatory guidelines submitted to and approved by the FTC.
The italicized language above means that a very substantial portion of the universe of website operators is subject to COPPA’s requirements. The FTC’s website contains additional materials providing practical compliance guidance to website operators.
Federal Financial Institution Privacy Regulation
Financial institutions such as banks, finance companies and brokerage houses are of course repositories of great concentrations of financial information on individuals. The fact that banking and other financial institution transactions are increasingly being effected on-line presents substantial privacy concerns. The ECPA and CFAA provisions discussed above may be applicable to any harvesting of previously undisclosed information on existing or prospective account holders through cookies, and any third party unauthorized access to stored personal information on an individual. (Longstanding banking privacy statutes and case law precedent would of course apply to such unauthorized third party access as well).
Also, as recently as in November 2000, new federal legislation and implementing regulations took effect governing the protection by financial institutions of the security and confidentiality of their account holders’ nonpublic personal information. The statutory scheme provides for governmental enforcement only, by the relevant institution’s respective federal enforcement agency (such as the Comptroller of the Currency, FDIC, SEC, and the FTC as the default enforcement agency) or, as to entities regulated under state insurance law, the applicable state insurance authorities. The scheme covers financial institutions generally, but certain provisions explicitly address on-line activity.
Subchapter I of that legislation is, similar to COPPA, an annual notice, disclosure, and consent scheme. The FTC regulations under Subchapter I, by way of example, require among other things that account holders be given an opportunity to direct generally that nonpublic personal information not be disclosed to an unaffiliated third party, and require specifically that account numbers not be disclosed to non-affiliated third parties for marketing through e-mail. Nonpublic personal information is defined to include any information collected through an Internet cookie. Subchapter II of the statute also prohibits “pretexting” by third parties, i.e., obtaining or attempting to obtain, or causing to be disclosed or attempting so to cause disclosure of, customer information from a financial institution under false pretenses directed to a financial institution or its customer. To the extent that such pretexting activity could itself be accomplished on-line, Subchapter II appears to provide Internet privacy protection coverage as to such third party actions. (The growing problem of information pretexting is discussed further below; it presumably can also be addressed through common law fraud or FDUTPA claims).
The statutory scheme does not appear to provide a basis for any private right of action under FDUTPA. The FTC’s regulation-making authority provided explicitly by Subchapter I is not stated to derive from the FTC’s own, generic authority to promulgate rules pursuant to the Federal Trade Commission Act. It is that generic type of FTC rule whose violation constitutes a violation of FDUTPA. Subchapter II provides for FTC enforcement as under the Fair Debt Collection Practices Act. The FDCPA in turn provides that a violation shall be deemed an unfair or deceptive practice in violation of the FTC Act, that may be enforced in the same manner as if the violation had been a violation of an FTC trade regulation rule. The FDCPA also provides, however, that the FTC may not promulgate its own rules or regulations thereunder. With no rules or regulations issued by the FTC under subchapter II, there appears to be no basis for FDUTPA incorporation.
The FTC Act’s, And FDUTPA’s, Deception And Unfairness Prohibitions
The FTC Act prohibits unfair or deceptive acts or practices in or affecting commerce; FDUTPA similarly prohibits unfair or deceptive acts in the conduct of any trade or commerce, and expressly provides that violations may be made out by violations of the Federal Trade Commission Act’s standards of deception and unfairness as set forth and interpreted by the FTC or the federal courts. Both the deception and unfairness prohibitions of each statute can potentially address Internet privacy invasions.
The FTC Act does not provide for a private right of action, but it does give the FTC a broad range of administrative and federal court enforcement powers. In the Internet privacy area, the FTC has initiated cases in both types. FDUTPA permits (similar) governmental enforcement actions and remedies, as well as private actions for actual damages, attorney’s fees and costs.
The following exposition of the FTC’s enforcement actions in the Internet privacy area over the last several years should thus provide some indication as to what to expect from the FTC, as well as some guidance as to the viability of such types of claims under FDUTPA. It should be mentioned that none of these FTC cases has reached a litigated result, and they thus cannot establish binding precedent. However, the FTC’s issuance of a complaint in itself provides a measure of interpretation by the FTC of the scope of its own jurisdiction. It constitutes a determination, by at least a majority of the five-member Commission, that there is reason to believe that the respondent’s alleged actions constitute a violation of the FTC Act and that an enforcement proceeding is in the public interest.
FDUTPA Individual Damages Issues
Before proceeding to the FTC cases, however, it is necessary to keep in mind that private FDUTPA claims other than those seeking declaratory or injunctive relief present the additional, substantial issue of alleging and proving cognizable “actual damages” under that statute. Under the current state of the law, it appears unlikely that such damages will usually exist in Internet privacy invasions.
Existing FDUTPA precedent holds that the proper measure of actual damages is the difference between the actual market value of the good or service in question as delivered, and the market value as it should have been delivered under the terms of the contract (except that its purchase price is the appropriate measure when a defect renders it valueless). Also, the cases hold that consequential damages are not permitted. Costs of car repairs, damages for loss of items due to defective installation of a home security system, and recovery for missed opportunities have been disallowed.
In Internet privacy invasions, the damage suffered does not generally involve the quality of the good or service purchased. In fact, there may not be any good or service purchased at all. FDUTPA’s coverage, however, is not on its face restricted to completed sales. FDUTPA covers activities “in the conduct of any trade or commerce”, and “trade or commerce” is defined to include advertising, soliciting, and offering, whether by sale, rental or otherwise, of any good, service, or thing of value. It appears that a visit to a commercial website, which offers goods or services for sale, could be covered.
The greatest obstacle in Internet privacy cases, though, is that there may not be a direct, out-of-pocket monetary loss. Under existing precedent, that absence would be dispositive. One must consider, however, that actual damages inherent in loss of personal privacy, in the form of mental and emotional suffering akin to public humiliation, have been held compensable in Florida common law right of privacy actions for public disclosure of private facts. Of course, an Internet privacy invasion does not present such humiliation, but rather a disconcerting suspicion or knowledge that large commercial entities are learning about one’s private life and commercial activities, and are spreading that information to additional, unidentified third parties. In invasion of privacy actions in other jurisdictions, damages such as feelings of powerlessness and nervousness have also been held compensable. The right case might lend itself to other potential theories, such as recovery of revenue or profits made when a website hoster sells harvested personal information to a third party.
Whether the Florida courts would adopt additional, alternative measures of damages in FDUTPA actions to comport with these types of injuries is an open question. Coincidentally, the FTC has in fact already begun to grapple with the issue of the consumer injury inherent in such privacy invasions, particularly as bearing upon unfairness claims as discussed below.
Deception issues in Internet privacy cases most obviously arise when a website makes affirmative representations concerning collection or maintenance of personal information provided by consumers, or policies concerning non-disclosure of such information to third parties, which are untrue. The FTC’s first Internet privacy case was a deception complaint brought against GeoCities in 1998, and was based on provision of personal information to, and maintenance of personal information by, third parties.
GeoCities, through its GeoCities.com website, provided personal internet home pages, e-mail addresses, contests and children’s club services to adults and children who revealed personal information when they registered, including the required fields of first and last names, zip code, e-mail address, gender, date of birth and member name, and the optional fields of education level, income, marital status, occupation and interests, and whether the applicant wishes to receive designated special offers from advertisers. The several member and club application forms represented that such information would only be used for gaining a better understanding of who visited the website and (by implication) for providing members e-mail advertising offers, and that such information would never be given to anyone without the member’s permission. The FTC’s complaint alleged, however, that GeoCities sold, rented, or otherwise marketed or disclosed the personal identifying information it had collected to third parties “for purposes other than those for which members had given permission. For example, third parties have targeted unrequested e-mail advertising offers to individual members based on their chosen GeoCities neighborhoods.” The Complaint also alleged that GeoCities (falsely) represented, expressly or by implication, that GeoCities collected and maintained such information from children joining the GeoCities Kidz Club when, in fact, third parties hosted on the GeoCities website actually collected and maintained the information. The FTC obtained a consent order from GeoCities, containing required privacy notice and other provisions.
The FTC subsequently issued a complaint against (and obtained a consent agreement from) Liberty Financial Companies, Inc., which operated the younginvestor.com website. The complaint did not allege or rely on provision of information to third parties, but rather addressed Liberty’s own manner of maintaining the personal information it collected. The website featured several different pages directed to children. In one such area, the Measure Up Survey, Liberty requested financial information including the child’s weekly allowance; types of financial gifts received such as stocks, bonds, and mutual funds; spending habits; part-time work history; plans for college; and family finances. The site stated that in each quarter, a survey participant would be selected to win his or her choice of specified prizes. The site also told the children to supply name, age, gender, e-mail address and street address for identification purposes if they won, and in addition to receive Liberty’s Young Investor e-mail newsletter. The survey expressly stated that “All of your answers will be totally anonymous.”
The FTC’s complaint alleged that, in fact, Liberty did not maintain the collected information in an anonymous manner
“because individuals can be identified with their responses to the survey. While respondent has not sold, rented, or otherwise marketed the information to any third party, respondent compiles and maintains a database that combines the personal identifying information that it collects in the Entry form section of the survey, including name, address, and e-mail address, with all other survey responses. Therefore, the representation [of maintenance in any anonymous manner] was, and is, false or misleading.”
Next, in July, 2000, the FTC filed a federal district court deception action in Massachusetts seeking injunctive relief to prevent Toysmart.com LLC, an internet retailer of children’s toys that had ceased operations, from offering or selling its customer lists to any potential third party purchasers. The information collected by Toysmart included customers’ names, addresses, billing information, shopping preferences, and family profile information. Toysmart had begun soliciting bids for its assets, allegedly contrary to the website’s (prior) privacy representations (“when you register with toysmart.com, you can rest assured that your information will never be shared with a third party”). Its creditors then put it into involuntary bankruptcy. The FTC’s complaint alleged that the proposed sale “will injure consumers throughout the United States by invading their privacy.”
The FTC’s consent agreement with Toysmart provided that such customer information could be sold or disclosed only as expressly provided in an order of the bankruptcy court restricting buyers to family commerce market businesses who agreed to be successors in interest as to, and who agreed to stipulated conditions providing for privacy protection of, the information. Two Commissioners, however, had voted against acceptance of the consent order. One’s dissenting statement argued that no sale to a third party should be permitted, as Toysmart had represented that none would ever occur. The other’s statement argued that consumer privacy could not be adequately protected without providing the customers notice of the proposed sale and a choice as to whether their information should be transferred to the purchaser. The bankruptcy court had declined, at least as of several months ago, to enter the FTC’s proposed stipulated order as to the conditions for such sale in light of the fact that there was as yet no approved purchaser.
Thus, both Toysmart and Liberty Financial reflect the FTC’s position that deceptions as to privacy protection can be actionable as “in the public interest” even when based only on manner of maintenance of information or preliminary steps taken toward third party disclosure.
Most recently, the FTC filed a federal court action, resulting in a consent agreement, against International Outsourcing Group, Inc. That company, together with other defendants, sold medical consultations and prescription medications, including Viagra and Propecia, on-line. Its website sought personal medical history information from users placing orders, and allegedly represented that the information was encrypted and securely transmitted to its own physicians; that prescriptions were filled by an on-site pharmacy and shipped directly to consumers; and that personal information would be used solely to supply customers with requested products and services. The complaint alleged that, in fact, there was only one out-of-state physician reviewing prescription requests; that approved requests were forwarded to an independent, off-site pharmacy; that the site did not encrypt or secure the information furnished by customers; and that the information was also used to send e-mail to customers in an attempt to get them to pay $50 each for a phony, non-existent Y2k system remediation scheme. In a concurring and dissenting statement, however, one Commissioner wrote that in the absence of any allegation that defendants ever transferred the information to a third party (presumably for marketing purposes), imposition of privacy requirements in the consent order was not justified. That Commissioner apparently did not believe that transferring the information to an out-of-state physician, or transferring actual prescription requests to an independent pharmacy, constituted significant third party transfers.
The FTC has recently made public pronouncements, and has brought a federal court action, targeting Internet privacy invasions based on its unfairness jurisdiction. In doing so, it has revived (non-Internet) privacy-related unfairness precedent from a quarter century ago. A review of the development of that precedent is useful, in light of the relative lack of reported unfairness decisions.
The FTC’s recent activity reflects some disagreement among the Commissioners as to whether a privacy invasion, absent monetary or other additional demonstrable damages, can satisfy the first prong of the FTC’s current unfairness standard: substantial injury to consumers. Of course, the other two prongs must also be satisfied: the injury is not outweighed by offsetting benefits to consumers or competition that the practice produces, and is such that the consumers could not have reasonably avoided it.
The FTC’s only litigated privacy decision was issued in 1975. Beneficial Corporation, a tax preparation service, used the financial information provided by customers to subsequently solicit some of them (without their consent) for personal loans or other credit extensions. The Commission, in reviewing the decision of the administrative law judge, held such conduct to be unfair, based on the then current unfairness standard set forth in the Supreme Court’s decision in FTC v. Sperry & Hutchinson. The Commission’s finding was based on breach of a fiduciary relationship, between the tax preparer and the customer, deriving from public policy relating to the use of confidential tax data, together with consumers’ expectations (based on consumer testimony) of confidentiality from tax preparers. The public policy was found to be expressed in statutes prohibiting or conditioning the disclosure of federal and state tax returns, and the ethical standards of other commercial tax preparers, accountants, and lawyers. The FTC held that the breach occurred when the preparer used the customer’s information for its financial gain. The FTC noted that its holding did not extend beyond the confidentiality of tax information, but simultaneously stated:
However, we do not suggest that a generalized right of personal privacy and personal control over private data is an inadequate foundation on which to ground a finding of unlawfulness under Section 5. In fact, the right of privacy has become a widely valued public policy, with constitutional and statutory underpinning (citations omitted)… Its violation in a commercial context would likely be unlawful under the Federal Trade Commission Act.
The FTC also found that Beneficial’s failure to disclose its intention of using the financial data to solicit loans was deceptive. The Third Circuit affirmed most of the FTC’s order against Beneficial, but did not review the FTC’s unfairness finding.
The FTC’s reasoning in Beneficial was undeniably convoluted. It was also based on a now obsolete unfairness standard, which gave heavy weight to public policy violation. The FTC’s current (1980) unfairness standard reduces the role of public policy (to primarily providing evidence on the degree of consumer injury caused), and the 1994 amendments to the FTC Act provide that public policy considerations may no longer serve as a primary basis for unfairness determinations.
FTC actions in recent years, however, reflect that Beneficial has a continuing vitality despite its problems and the change in the unfairness standard. In December 1994, the FTC filed a federal district court complaint against product infomercial producers, alleging that they sold or rented their customer lists to third-party “service company telemarketers.” The lists contained customer names, addresses, phone numbers, and credit card information. The telemarketers then called the consumers and offered a product or a membership in a shopping or travel club on a trial basis but, when the consumer agreed, charged the consumer’s credit card without the consumer’s knowledge or consent. There was thus discernible out-of-pocket loss. The FTC charged that the disclosure of the credit card information was unfair and, through consent agreements with defendants, obtained a measure of monetary redress for the victimized customers (Capital Club of North America).
In a July 28, 1998 prepared statement to the House’s Committee on Banking and Financial Services, the FTC addressed “pretexting” by the information broker industry; i.e. the practice of obtaining personal information, such as bank account balance, under false pretenses. The FTC stated, in applying its current three-part unfairness test, that “obtaining and reselling a consumer’s confidential information may be unfair [in addition to deceptive] acts.” In addressing the substantial injury criterion in particular, the statement directly cited Beneficial for the proposition that “The Commission has held that a breach of information privacy can form the basis of a Section 5 unfairness violation”. The statement indicated that in some instances the ability of a third party to use a consumer’s financial information can cause substantial monetary harm. It further observed that whether the conduct violates public policy can still be considered, noting expressions thereof in federal and state statutory protection of financial information, state court decisions holding that banks have an implied duty to maintain the confidentiality of financial information, and the banking industry’s practices of safeguarding their account holders’ information.
The 1998 statement to the House thus did not categorically resolve the issue of whether an information privacy invasion can be unfair in the absence of significant, demonstrable monetary loss. (In a footnote concerning misrepresentations as to how financial information is obtained, though, the FTC observed that “the true harm is the privacy invasion of the individuals being investigated.”)
The issue of per se substantial consumer injury came to a head in the FTC’s subsequent filing, in 1999, of a federal court complaint and consent order against an Internet information broker for just such pretexting. The complaint alleged that Touch Tone, through misleading practices such as calling financial institutions and pretending to be the account holder, obtained private financial information such as bank or brokerage account numbers and specific balances, and subsequently sold such information over the Internet to customers throughout the world. The complaint alleged that the practices were unfair, as well as deceptive.
A statement of the majority of the Commissioners, citing the Beneficial decision and the Capital Club of North America complaint, approved the unfairness claim. It explained that “For purposes of finding a reason to believe a complaint should be filed, it seems hardly a strain to posit that substantial consumer injury could flow from the use of false pretenses to obtain the unauthorized disclosure of private financial information,” and found reason to believe that Section 5 “may be violated under the facts alleged in the complaint.” Again, the critical word was “may.”
In a dissenting statement, however, one Commissioner wrote that “We have never held that the mere disclosure of financial information, without allegations of ensuing economic or other harm, constitutes substantial injury under the statute” (citing the unauthorized credit card charges in Capital Club of North America). He distinguished Beneficial as based on a fiduciary relationship not present between Touch Tone and consumers, and as relying, in finding injury, “almost exclusively on general public policy” which was no longer permissible under the FTC Act as amended in 1994. Finally, he argued that “[m]erely to ‘posit’ that substantial consumer injury could flow from the disclosure of personal financial information does not satisfy the … [unfairness] requirement that the challenged practice ‘cause or [be] likely to cause substantial injury to consumers’. 15 U.S.C. § 45(n).”
The Complaint’s unfairness count alleged that ReverseAuction’s use of the consumer information obtained from eBay was “in violation of its agreement to comply with eBay user agreement” (prohibiting registered users from using personal identifying information on other users for purposes of sending unsolicited commercial e-mail). The Complaint further alleged that ReverseAuction had injured consumers
“by invading their privacy; using their e-mail addresses, eBay user IDs, and feedback ratings for purposes other than those consented to or relied upon by such consumers, including the purpose of sending them unsolicited commercial e-mail solicitations; … and undermining their ability to avail themselves of the privacy protections promised by online companies… eBay customers reasonably expected and relied upon the compliance of all registered eBay users, including ReverseAuction, with the terms and conditions of eBay user agreement…”
The concurrently accepted consent order contained, inter alia, notice requirements and a requirement that ReverseAuction.com delete, and refrain from using or disclosing, the user IDs, e-mail addresses, and feedback ratings of eBay customers.
An accompanying statement by one Commissioner explained that “the Commission… does [not] suggest that privacy invasions cause substantial injury in all circumstances.” It further stated that
I believe the harm in this case is especially significant because it not only breached the privacy expectation of each and every eBay member, it also undermined consumer confidence in eBay and diminishes the electronic marketplace for all its participants. This injury is exacerbated because consumer concern about privacy and confidence in the electronic marketplace are such critical issues at this time…. A majority of the Commission believes that the specific relationship, obligations, and expectations of this electronic community make ReverseAuction’s behavior “unfair” under Section 5. Moreover, the injury caused by ReverseAuction’s conduct, far from being speculative, is a tangible misappropriation of personal protected information that enabled the company to send personalized deceptive e-mail messages to scores of consumers…”.
Two Commissioners dissented from the Complaint’s unfairness count, observing that
We do not say that privacy concerns can never support an unfairness claim. In this case, however, ReverseAuction’s use of eBay members’ information to send them e-mail did not cause substantial enough injury to meet the statutory standard.
Consumers do not have a substantial privacy interest in the e-mail addresses and other information that ReverseAuction harvested since consumers had already agreed to make this information available to millions of other eBay members (albeit with restrictions on using it for commercial solicitations). Moreover, a substantial portion of this information is available without restriction to non-members who visit eBay website. Merely obtaining consumers’ e-mail addresses without their explicit consent and sending them e-mail solicitations does not cause substantial injury…. This standard for substantial injury overstates the appropriate level of government-enforced privacy protection on the Internet, and provides no rationale for when unsolicited commercial e-mail is unfair and when it is not.
The dissenting Commissioners did not agree that there was a significant privacy invasion in this particular disclosure of e-mail addresses. They seem, however, to have edged closer to the position that a greater privacy invasion might in itself cause substantial consumer injury.
Will There Be Additional Federal Legislation?
The FTC, in addition to taking the company-specific actions referred to above, has been active in promoting privacy-protection activity by the on-line industry in general and developing “fair information practices”, including the four general principles of: notice to consumers of profiling activities on host websites; consumers’ ability to choose whether to participate in profiling activities; reasonable access by consumers to personally identifiable information obtained; and reasonable efforts to protect the data collected for profiling purposes from loss, misuse, alteration, destruction, or improper access. Although private industry has developed several self-regulatory systems addressing those principles, a majority of the FTC Commissioners in May 2000 commended those efforts but recommended the enactment of federal legislation, giving itself enforcement authority, to ensure that all commercial websites comply with those principles (to the extent that they are not already required to do so by COPPA).
A number of specific legislative proposals, incorporating those principles to varying degrees, were before Congress this past fall. For example, a bill introduced by Senator McCain, reportedly supported by AOL and Hewlett-Packard, focused on the elements of notice and an opt-out method of choice and would give the FTC enforcement authority. A bill submitted by Senator Hollings reportedly would require websites to obtain explicit permission from visitors before collecting personally identifiable information, would give consumers broader rights of access to and ability to delete or modify such data, and would additionally give the FTC rulemaking authority. While none of those proposals was enacted, Congressional action seems likely in light of the growth of Internet usage. In fact, recent reports reflect new problems. Federal agencies such as the Customs Service, FAA, FEMA, BLM, the National Park Service, the U.S. Trade and Development Agency and the Health Care Financing Administration (which runs Medicare) reportedly have used cookies to track website visitors without informing them. Also, direct marketers (and others) have reportedly begun to use technology that permits “HTML” e-mail to place cookies to alert the sender when the recipient receives, opens, and forwards the message. The technology can also be used to link a recipient’s e-mail address with previously anonymous records of websites visited by the recipient. Legislative and litigation responses will undoubtedly follow.
Businesses may have potential claims in the context of misappropriation of trade secrets (see Sherman & Co. v. Salton Maxim Housewares, Inc., 94 F. Supp. 2d 817 (E.D. Mich. 2000)), but having computers configured such that such information can be harvested by a website arguably indicates that the information is not being treated with sufficient confidentiality to constitute a trade secret.
Forsberg v. Housing Authority of City of Miami Beach, 455 So.2d 373, 376 (Fla. 1984) (Overton, J., concurring); accord, Agency for Health Care Administration v. Associated Industries of Florida, Inc., 678 So.2d 1239, 1252 n. 20 (Fla. 1996); Purrelli v. State Farm, 698 So.2d 618, 620 (Fla. 2d DCA 1997); Restatement of Torts (Second) §§ 652B-652E (1976).
Williams v. City of Minneola, 575 So.2d 683, 688 (Fla. 5th DCA 1991) (“the publicity given to private facts must be to the public at large or to so many persons that the matter must be regarded as substantially certain to become public knowledge”), citing Restatement (Second) §652D comment a (“a communication that reaches, or is sure to reach, the public”), Santiesteban v. Goodyear Tire & Rubber Company, 306 F.2d 9, 11 (5th Cir. 1962), Steele v. Offshore Shipbuilding, Inc., 867 F.2d 1311, 1315 (11th Cir. 1989), and Lewis v. Snap-on Tools Corp., 708 F. Supp. 1260, 1262 (M.D. Fla. 1989). See also Rivers v. Dillard Department Store, Inc., 698 So.2d 1328 (Fla. 1st DCA 1997).
“Every natural person has the right to be let alone and free from governmental intrusion into his private life, except as otherwise provided herein. This section shall not be construed to limit the public’s right of access to public records and meetings provided by law.” Article I, § 23, Fla. Const.; Resha v. Tucker, 670 So.2d 56, 58 (Fla. 1996) (“The language of this constitutional provision clearly provides that it applies only to government action”).
See, e.g., U.S. v. Reyes, 922 F. Supp. 818, 836 (S.D.N.Y. 1996), Wesley College v. Pitts, 974 F. Supp. 375, 385 n. 7 (D. Del. 1997) (ECPA), and Sherman & Co., n. 4 supra; U.S. v. Sablan, 92 F.3d 865, 868 n.1 (9th Cir. 1996) (CFAA designed to focus criminal prosecution on those whose conduct evinces a clear intent to enter, without proper authorization, computer files or data belonging to another (citing legislative history)). But see Shaw v. Toshiba America Information Systems, Inc., 91 F. Supp. 2d 926, 936 (E.D. Tex. 1999) (manufacturers may also be covered by CFAA).
(2) intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains–
(C) information from any protected computer if the conduct involved an interstate or foreign communication; * * *
(b)… shall be punished as provided in subsection (c) of this section.
Section 1030(e)(2)(B) defines the term “protected computer” to include “a computer . . .which is used in interstate or foreign commerce or communication.” Section 1030(e)(6) defines the term “exceeds authorized access” to mean “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accessor is not entitled so to obtain or alter.” Section 1030(e)(8)(A) defines the term “damage” to include “any impairment to the integrity or availability of data, a program, a system, or information, that– . . . causes loss aggregating at least $5,000 in value during any 1-year period to one or more individuals . . .”
2. Unbeknownst to the members of the Class, and without their authorization, defendants have been spying on their Internet activities. “SmartDownload,” a product distributed by defendants to users of Netscape’s “Communicator” Web browser, secretly transmits to defendants information identifying the name, type, and source of each and every exe or zip file that an Internet user downloads using SmartDownload from any site on the Internet, along with information uniquely identifying the visitor. SmartDownload captures and transmits this information unbeknownst to and without the consent of either the Class member or the visitor to the Web site. This continuing surveillance of the Class member’s provisioning of exe and zip files, coupled with the unique information uniquely identifying each visitor, permits Netscape to create a continuing profile of the Class member’s and each visitor’s file transfers over time.
31. Netscape’s use of its cookie in connection with SmartDownload violates the rights of the Class members as follows: Each time an Internet user downloads any zip or exe file from any site on the Internet using SmartDownload, SmartDownload automatically transmits to defendants the name and Internet location of the file, along with the identification string from the cookie previously set by Netscape. It also transmits an additional identification string identifying which user of that particular computer is performing the download.
32. For example, if an Internet user uses SmartDownload to download Microsoft’s Internet Explorer from Microsoft’s Web site, SmartDownload will transmit to defendants the Internet user’s identification string along with the name of the file and the file’s location on the Internet.
33. In so doing, Netscape is using SmartDownload to eavesdrop. It is using SmartDownload to intercept and to send to defendants information about a communication to which defendants are not a party. Moreover, by including the user identification string in the transmission, Netscape is intentionally providing defendants with all of the information that they need to create a moment-by-moment, individualized profile of Internet file transactions both of the Class member and of the individual Internet user.
35. SmartDownload’s transmission of the data is functionally unrelated to SmartDownload’s ability to resume downloads.
Section 2510(4) defines “intercept” to mean “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” Section 2510(5) defines “electronic, mechanical, or other device” to mean “any device or apparatus which can be used to intercept a wire, oral, or electronic communication,” subject to exclusions concerning telephones, telegraphs, and hearing aids.
Section 2510(12) defines “electronic communication” to mean “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photo optical system that affects interstate or foreign commerce,” subject to certain exclusions.
18 U.S.C. § 2701 et seq. See Wesley College, n. 9 supra, at 389; U.S. v. Reyes, n. 2 supra, at 837 (seizing pagers and accessing numeric messages from their memories constituted accessing stored electronic communications); U.S. v. Smith, 155 F.3d 1051, 1059 (9th Cir. 1998) (“intercept” entails actually acquiring the contents of a communication, whereas “access” merely involves being in a position to acquire the contents of a communication); State Wide Photocopy v. Tokai Financial, 909 F. Supp. 137, 145 (S.D.N.Y. 1995); Steve Jackson Games, Inc. v. U.S. Secret Service, 36 F.3d 457, 463 (5th Cir. 1994) (seizure of a computer on which were stored e-mail messages sent to an electronic bulletin board but not yet retrieved by the intended recipients).
15 U.S.C. § 6801 et seq. “It is the policy of Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.” Section 6801(a) (“Privacy obligation policy”).
Administrative complaints and civil penalty actions for administrative order violations (15 U.S.C. § 45(b), (l)); federal court actions for injunctive and other equitable relief “in proper cases”. 15 U.S.C. § 53(b). Such relief includes temporary asset freezes, appointment of receivers, and monetary consumer redress. See, e.g., FTC v. U.S. Oil & Gas Corp., 748 F.2d 1431 (11th Cir. 1984). Generally, cases involving “routine fraud” have been held to be “proper cases.” FTC v. H.N. Singer, Inc., 668 F.2d 1107 (9th Cir. 1982); FTC v. Gem Merchandising Corp., 87 F.3d 466 (11th Cir. 1996).
15 U.S.C. § 45(b). The FTC’s Unfairness Statement, and several FTC and federal court decisions, have also cited and relied on FTC complaints resulting in consent orders. FTC Unfairness Statement, 104 F.T.C. 1071 at nn.15, 29 (see also article cited at n.2, supra, at note 18); In the Matter of International Harvester Co., 104 F.T.C. 949, 1064 n.56; American Financial Services v. FTC, 767 F.2d 957, 979 n. 27 (D.C. Cir. 1985). An FTC consent order itself of course lacks the precedential force or imprimatur of a litigated decision. National Candy Co. v. FTC, 104 F.2d 999, 1004 (7th Cir.), cert. denied, 308 U.S. 610, 60 S. Ct. 174 (1939); accord, May Dept. Stores Co. v. First Hartford Corp., 435 F. Supp. 849, 852 (D. Conn. 1977).
FDUTPA’s provision for giving “due consideration and great weight… to the interpretations of the Federal Trade Commission …relating to s. 5(a)(1) of the Federal Trade Commission Act…” (Fla. Stat. § 501.204(2)) does not on its face restrict such interpretations to litigated decisions.
Fla. Stat. § 501.211(2). Governmental enforcement actions may seek broad relief, including but not limited to “carry[ing] out a transaction in accordance with consumers’ reasonable expectations.” Section 501.207(3).
Rollins, Inc. v. Heller, 454 So.2d 580, 584 (Fla. 3d DCA 1984); Urling v. Helms Exterminators, Inc., 468 So.2d 451, 454 (Fla. 1st DCA 1985); Fort Lauderdale Lincoln v. Corgnati, 715 So.2d 311, 314 (Fla. 4th DCA 1998); GMAC v. Laesser, 718 So.2d 276 (Fla. 4th DCA 1998); Delgado v. J.W. Courtesy Pontiac GMC Truck, Inc., 693 So.2d 602 (Fla. 2d DCA 1997); Macias v. HBC of Florida, Inc., 694 So.2d 88, 89 (Fla. 3d DCA 1997); Himes v. Brown & Co. Securities Corp., 518 So.2d 937, 938 (Fla. 3d DCA 1987).
Doe v. Univision, 717 So.2d 63 (Fla. 3d DCA 1998), following the Restatement of Torts 2d (1976) § 652. See also School Board of Broward County v. Greene, 739 So.2d 668 (Fla. 4th DCA 1999). Compare Brown v. Cadillac Motor Car Division, 468 So.2d 903 (Fla. 1985) (“impact rule”: in negligence action, person cannot recover compensatory damages for mental distress or psychiatric injury in absence of a discernible physical injury); accord, Time Insurance Co. v. Burger, 712 So.2d 389 (Fla. 1998); Alexander Kammer, M.D. v. Hurley, 765 So.2d 975 (Fla. 4th DCA 2000) (noting that Tanner v. Hartog, 678 So.2d 1317 (Fla. 2d DCA 1996), aff’d, 696 So.2d 705 (Fla. 1999), is exception, for negligent stillbirths, to Florida’s impact rule).
The most closely analogous common law decisions are in states that permit recovery for the “intrusion upon seclusion” type of privacy invasion. See, e.g., Doe v. High-Tech Institute, Inc., 972 P.2d 1060 (Colo. App. 1998) (additional unconsented blood test confirming student was HIV-positive; damages for mental suffering), citing Monroe v. Dan, 559 P.2d 322, 327 (Kan. 1977) (plaintiff not required to show general damages in specific amounts, but must introduce evidence to show anxiety, embarrassment, or some other form of mental anguish); Sabrina v. Willman, 540 N.W. 2d 364, 371-73 (Neb. App. 1995) (tanning salon customer photographed without her knowledge in stages of undress; cognizable emotional damage includes nervousness affecting one’s personal and/or professional life, and feelings of powerlessness).
In the original suit filed against DoubleClick, alleging deception and other wrongs under California’s unfair business practices statute, plaintiff apparently requested only injunctive relief. See First Amended Complaint in Judnick v. DoubleClick, Inc. (Civil No. CV 000421), Superior Court, San Marin County, California, filed Feb. 24, 2000, at www.techfirm.com
FTC File No. 982 3015. Copies of FTC complaints and consent orders are available at www.ftc.gov.
FTC’s Deception Statement: 104 F.T.C. at 175-76, citing, inter alia, Peacock Buick, 86 F.T.C. 1532 (1975), aff’d, 553 F.2d 97 (4th Cir. 1997), and Simeon Management Corp., 87 F.T.C. 1184, 1230 (1976), aff’d, 579 F.2d 1137 (9th Cir. 1978). See also FTC v. Gem Merchandising, n. 45 supra, at 470. Peacock Buick was cited for this proposition in D.L.A. v. Father & Son Moving & Storage, 643 So.2d 22, 26 (Fla. 4th DCA 1994).
After the enactment of the federal Revenue Act of 1971, imposing criminal penalties on commercial tax preparers for using customers’ tax data for non-tax purposes, Beneficial changed its procedures to obtain signed (but ambiguous) consent forms from customers prior to soliciting loans.
405 U.S. 233, 244 (1972). That test employed three criteria to be evaluated: whether the practice offended established public policy; whether the practice was immoral, unethical, oppressive, or unscrupulous; and whether the practice caused substantial injury to consumers.
Such public pronouncements reflect the FTC’s interpretation of its authority and jurisdiction, and courts can give them deference in construing that authority and jurisdiction. See, e.g., American Financial Services, n. 46 supra, 767 F.2d at 972 n.18 (citing 1982 letter from FTC Chairman to Senators Packwood and Kasten on the FTC’s view on what constitutes a substantial injury).
FTC v. Reverseauction.com, Inc., Civil No.___ (D.D.C., filed January __, 2000), FTC File No. 002 3046 (www.ftc.gov/os/2000/01/reversecmp.htm)
See the FTC’s Report to Congress dated May, 2000: Privacy Online: Fair Information Practices in the Electronic Marketplace, www.ftc.gov/reports/privacy2000/privacy2000.pdf
David J. Federbush practices in Largo, Maryland. He was a litigator in the Federal Trade Commission’s Bureau of Consumer Protection and subsequently has had a commercial and plaintiff’s litigation practice in Miami and the Washington D.C. area. Mr. Federbush graduated summa cum laude from Yale University in 1971 and received his J.D. in 1976 from Stanford Law School.