New Amazon Class Action Based on Privacy Setting Circumvention

In a class action suit filed against Amazon.com, Inc.  on March 2, 2011, plaintiffs argue that “Amazon circumvents the privacy filters of IE users by spoofing [Internet Explorer] into categorizing Amazon.com as more privacy protective than it actually is” and seek relief “under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030; the [Washington State] Consumer Protection Act, RCW § 19.86.010 et seq.; and common law [unjust enrichment, trespass to chattels, and fraud].”  Although this suit appears to be similar to the flash cookie suits filed against against marketing firms such as Quantcast and their respective clients, the case has different implications.

By way of background, according to the Quantcast complaint filed last July, Quantcast used flash cookies to “respawn” previously deleted HTTP cookies in order to continue tracking web users.  The Quantcast suit was settled this past December using a cy pres fund akin to what was done by Google a few months prior.  It is worth pointing out that none of the settlement proceeds in a cy pres fund actually go directly to any victims.  Applying a class settlement strategy only previously deployed after plaintiffs were compensated, plaintiffs’ counsel now use cy pres funds — which usually go to non-profit organizations — even if plaintiffs receive zero actual compensation.  This stands apart as a troublesome trend in privacy class action settlements given it allows plaintiffs’ counsel to file and resolve class actions even when actual damages are not readily apparent.

At some point, the Amazon.com suit may also end up resolving itself via the cy pres route given the potential lack of actual damages.  Plaintiffs in the Amazon.com case are claiming that Amazon.com found a way to trick browsers into believing the site was more privacy conscious than it was.    Given that Internet Explorer automates for a user the process of reading a website’s privacy policy, such shenanigans can obviously lead visitors to go on a site she or he might not otherwise visit.   Not exactly a powder-keg of potential damages.  Plaintiffs up the ante by claiming that, in contravention to its privacy policy, Amazon.com was allegedly rewarded for its trickery by gaining access to a visitor’s personally identifiable information (PII) and providing it to third parties.  Specifically, the Complaint states:  “Amazon claims in its privacy notice that it does not share users’ information with third parties for advertising purposes and that, instead, it delivers third parties’ advertisements on their behalf.  In fact, Amazon shares users’ PII with third parties for those third parties’ independent use and does not disclose this fact to consumers.”  Complaint at paragraphs 64 – 65.  Despite several readings of the Complaint, it remains far from certain what quantum of damages were actually sustained by plaintiffs.

This suit should, nevertheless, be monitored given the new FTC online privacy framework set forth in December (“The FTC’s harm-based approach also has limitations. In general, it focuses on a narrow set of privacy-related harms – those that cause physical or economic injury or unwarranted intrusion into consumers’ daily lives.  But, for some consumers, the actual range of privacy related harms is much wider and includes reputational harm, as well as the fear of being monitored or simply having private information ‘out there.'”) as well as the bills currently being discussed that may very well use the FTC’s new perspective as a legislative springboard.  According to recent public statements from Representative Cliff Stearns, a senior member of the House Energy and Commerce Committee, he will soon propose online privacy legislation that will focus “on allowing Web users to know what personal information Internet companies are collecting about them and to control how it’s used.”