Skip to main content

Privacy Class Actions – It’s Still About the Damages

 Written by Kevin McGinty

In a mixed decision, a federal court judge in New York dismissed federal statutory claims arising from Web-based advertisers' use of cookies that tracked users' Web browsing activities, but denied a motion to dismiss claims under state law.  The plaintiff in Bose v. Interclick  alleged that Interclick and clients McDonalds, CBS, Mazda and Microsoft violated the federal Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, and the New York deceptive business practices statute, , N.Y. General Business Law § 349 (“Section 349”) through their use of such cookies.  The court reached different results based on the respective statutes’ damages requirements.

The CFAA claim was dismissed for failure to meet the statute’s minimum damages requirement.  The CFAA permits civil claims where the defendants’ conduct caused “loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value.”  Id., § 1030(c)(4)(A)(i)(I).  Plaintiff, however, failed to allege that she had suffered losses sufficient to meet the statutory threshold.  Her complaint alleged three types of injury; damage due to impairment of computer processing, losses resulting from Interclick’s collection of personal information and loss due to interruption of her Internet service.  As to the first, while costs associated with impairment of computer functioning, including the cost of repair, can be cognizable damages under the CFAA, plaintiff failed to allege any specific cost associated with such injury to her computer, let alone that the cost exceeded $5,000.  Similarly, plaintiff did not and could not ascribe any value to the mere possession of her personal information, nor is there anything inherently wrongful in business collection of demographic information about customers.  In addition, plaintiff did not specifically allege the extent of purported service interruptions, nor did she allege facts showing that the cost of such interruptions exceeded $5,000.  Finally, the court concluded that the statutory language of the CFAA did not permit aggregation of putative class injuries for purposes of meeting the $5,000 threshold and in any event, there were insufficient allegations in the complaint to permit the court to infer that even aggregated injuries would exceed that amount.

Conversely, the court denied Interclick’s motion to dismiss plaintiff’s state law claim Section 349.  The court rejected Interclick’s argument that plaintiff had the burden to allege reliance under Section 349.  Moreover, unlike the CFAA, Section 349 does not require a plaintiff to allege or prove that there has been a pecuniary loss.  In support of that latter point, the court notes that prior New York state court decisions have held that a complaints alleging a purported breach of privacy stated claims under Section 349 even in the absence of any allegation of pecuniary loss.  Left unresolved by this decision is the question of whether injury can be established for any class members without engaging in individualized fact finding that would preclude certification of a plaintiff class.  Even so, this case demonstrates how allegations under state consumer protection statutes can, in some jurisdictions, provide a basis at the pleading stage to keep a privacy class action alive even in the absence of actual damages.  In other states – including, notably, California – actual damages requirements under state consumer protection laws pose an obstacle to maintaining such claims.

The court did grant the motions of McDonalds, CBS, Mazda and Microsoft to dismiss the Section 349 claims against them based on the failure of plaintiff to allege that they had engaged in any of the purportedly deceptive conduct set forth in the complaint.

Subscribe To Viewpoints

Author

Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.