Massachusetts Federal Court Rules That Website Monitoring Company Is Not Liable Under Electronic Communications Privacy Act and Computer Fraud and Abuse Act

A Massachusetts federal court has ruled that a website monitoring company is not liable under the Electronic Communications Privacy Act (“ECPA”) or the Computer Fraud and Abuse Act for intercepting personal information from Internet users. In a consolidated class action, a group of personal computer users sued a monitoring company (“Pharmatrak”), its parent company and several pharmaceutical companies that operated websites. The computer users alleged that the pharmaceutical companies conspired with Pharmatrak to collect their personally identifiable information (“PII”) and information about their Web browsing habits.

The pharmaceutical companies had hired Pharmatrak to monitor their websites and provide a monthly analysis of traffic to those sites. Pharmatrak’s system operated through the use of HTML programming, JavaScript programming, cookies and “web bugs.” Pharmatrak specifically represented to the pharmaceutical companies that it did not collect PII. After examining Pharmatrak’s servers, however, plaintiffs’ computer science expert alleged that the logs “identified hundreds of people by name.” Based on this analysis, plaintiffs claimed that Pharmatrak collected information which included names, addresses, telephone numbers, email addresses, dates of birth, sex, insurance status, medical conditions, education levels and occupations.

Title I of ECPA, called the “Wiretap Act,” imposes criminal liability upon those who intentionally intercept wire, oral or electronic communications, unless one of the parties to the communication consented to the interception and such communication was not intercepted for the purpose of committing a criminal or tortious act. Plaintiffs argued that since Pharmatrak collected personally identifiable information without the express or implied consent of the users or pharmaceutical companies, the Wiretap Act’s statutory exception does not protect Pharmatrak. The court disagreed with plaintiffs, finding that the pharmaceutical companies consented to the monitoring company’s interceptions of those communications, despite the fact that the pharmaceutical companies did not fully understand how Pharmatrak’s software worked. Furthermore, the court found no evidence of tortious intent by Pharmatrak.

The court ruled in favor of defendants as to plaintiffs’ Title II claim as well. Title II’s purpose is to prevent hackers from obtaining, altering or destroying certain stored electronic communications. The statute criminalizes intentional, unauthorized access to “a facility through which electronic communication service is provided.” The court determined that plaintiffs’ personal computers are not “facilities” for purposes of ECPA, however, since personal computers are not servers and do not provide access to the Internet. Rather, Internet access is obtained through ISPs or other servers. Moreover, the court held that even if plaintiffs’ computers are “facilities” under Title II, ECPA does not prohibit the monitoring company’s placement of cookies on plaintiffs’ computers, since the monitoring company was “authorized” to access its own cookies.

Finally, since plaintiffs offered no evidence of economic damage or loss, the court found no liability under the Computer Fraud and Abuse Act, which limits recovery to those persons who suffer damage or loss amounting to at least $5,000.

The case is In re Pharmatrak, Inc. Privacy Litigation, No. 00-11672-JLT, 2002 U.S. Dist. LEXIS 15293 (D. Mass. 2002). Please contact us if you have any questions or if you would like a copy of this decision.