Judge Gives The Green Light To Third-Party Cookies

"Data-Driven Thinking" is written by members of the media community and contains fresh ideas on the digital revolution in media.

Today’s column is written by Richard Eisert, partner at Davis & Gilbert.

Do you switch to “incognito mode” when you browse for things you want to keep private? Do you regularly delete the cookies on your computer and clear your browsing history? Do you know what your privacy settings are on your Facebook account?

In a recent decision, US District Judge Edward Davila in San Jose, Calif., said that the responsibility to keep browsing history private falls on individual users. This is good news for marketers who serve interest-based advertisements online with the help of third-party cookies.

The plaintiffs in the case alleged that Facebook used the “like” buttons from other websites to track and build user browsing histories. The plaintiffs argued that Facebook violated federal and state privacy and wiretapping laws by storing cookies on their browsers that tracked when they visited third-party websites containing Facebook "like" buttons. The plaintiffs also argued that Facebook’s actions constituted an invasion of privacy and trespass to chattels – the interference with another’s personal non-real estate property – among other claims.

The plaintiffs contended that Facebook used cookies to “intercept” their interactions with third-party websites such as CNN.com, for example, and noted that individuals’ “likes” of pages or articles were transmitted to Facebook even if users were not logged into their Facebook accounts. The plaintiffs claimed that the “like” interactions were supposed to be communications between the individuals and third-party pages, but Facebook eavesdropped on the communication.

Judge Davila stated, "The fact that a user's web browser automatically sends the same information to both parties (the third-party website and Facebook via a third-party cookie) does not establish that one party (Facebook) intercepted the user's communication with the other (the third-party website)."

Citing Spokeo Inc. v. Robins, Judge Davila also said the plaintiffs failed to show that they had a reasonable expectation of privacy or suffered any realistic economic harm or loss. The court in Spokeo Inc. v. Robins indicated that an injury must be “concrete,” and that a “concrete” injury “must actually exist” and be “real and not abstract.” However, the Spokeo court also confirmed that in a number of previous cases, “intangible injuries can nevertheless be concrete.”

In the Facebook case, not only did the plaintiffs fail to show any concrete economic injury, they also had technical ways to prevent Facebook from tracking their data, such as using plugins and deleting cookies. So even if there were any “intangible injuries,” they could have been avoided. By putting the responsibility of maintaining privacy onto the individual and requiring consumers to opt out, while not making privacy a default – at least with respect to behavioral advertising – the decision confirms and reinforces the concepts expressed by self-regulatory entities such as the Digital Advertising Alliance (DAA) and internet privacy regulators that so long as companies give consumers appropriate disclosures and choice, consumers must opt out to ensure their privacy, with certain limited exceptions.

If privacy is desired by an individual, that individual must take active steps to cloak themselves from the reach of tracking technologies. For example, under the DAA Self-Regulatory Principles for Online Behavioral Advertising, with the exception of sensitive data, such as children’s data or health or financial data, appropriate disclosures and the ability to opt out are sufficient for the type of cookie tracking used by Facebook in this case.

This decision is bad news for privacy advocates as websites routinely embed content from third-party services like Facebook. Other social media platforms besides Facebook also routinely install cookies on user browsers, which can track data whenever a user is on a third-party website that has a “like,” “share” or “retweet” button. This allows companies like Facebook to create a catalog of an individual’s browsing histories and a map of their web activities.

On the other hand, this is good news for advertisers and others in the ecosystem who are looking to serve interest-based advertisements. To the extent controversy persists surrounding the collection of non-sensitive cookie data, the Facebook decision is a solid green light for advertisers to keep using third-party cookies to collect data used for interest based advertising so long as individuals are given appropriate notice and choice, allowing them to protect their privacy if they take steps to do so.

Follow Davis & Gilbert (@dglaw) and AdExchanger (@adexchanger) on Twitter.

2 Comments

  1. I'm not a publisher, but if I were and I embed a Facebook share or like button then am I to expect that Facebook will benefit from the data they collect to enhance their own targeting? Or do the standard FB T&C include terms prohibit them from doing so? If the former, why are publishers agreeing to these terms? Don't they realize how valuable their data are?

    Reply
  2. Interestingly, this would appear to run contrary to European notions of privacy by design and consent for non essential cookies. I suspect the outcome may have been different if the hearing was based in the EU and post GDPR.

    Reply

Add a comment

XHTML: You can use these tags: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>