In re DoubleClick

From Privacy Wiki
Jump to navigation Jump to search
In re DoubleClick
Case Title In Re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (S.D.N.Y. 2001)
Date 2001/03/21
Appealed No
Personal Information
Link to Ruling
Country/Jurisdiction United States
State or Province New York
Regulatory Bodies
Decided Yes
Arbitrator United States District Court for the Southern District of New York
Related Laws Stored Communications Act, Computer Fraud and Abuse Act, Omnibus Crime Control and Safe Streets Act of 1968

Short Summary

In re DoubleClick Inc. Privacy Litigation, 154 F. Supp. 2d 497 (S.D.N.Y. 2001) ("DoubleClick"), had Internet users initiate proceedings against DoubleClick, alleging that DoubleClick's placement of web cookies on computer hard drives of Internet users who accessed DoubleClick-affiliated web sites constituted violations of three federal laws: The Stored Communications Act, the Wiretap Statute and the Computer Fraud and Abuse Act.


DoubleClick, a Delaware corporation, is the largest provider of Internet advertising products and services in the world. Its Internet-based advertising network of over 11,000 Web publishers has enabled DoubleClick to become the market leader in delivering online advertising. DoubleClick specializes in collecting, compiling and analyzing information about Internet users through proprietary technologies and techniques, and using it to target online advertising. DoubleClick has placed billions of advertisements on its clients' behalf and its services reach the majority of Internet users in the United States.

Although a comprehensive description of the Internet is unnecessary to address the issues raised in this motion, a rudimentary grasp of its architecture and engineering is important. The Internet is accurately described as a "network of networks." Computer networks are interconnected individual computers that share information. Anytime two or more computer networks connect, they form an "internet." The "Internet" is a shorthand name for the vast collection of interconnected computer networks that evolved from the Advanced Research Projects Agency Network ("ARPANet") developed by the United States Defense Department in the 1960's and 1970's. Today, the Internet spans the globe and connects hundreds of thousands of independent networks.

The World Wide Web ("the Web" or "WWW") is often mistakenly referred to as the Internet. However, the two are quite different. The Internet is the physical infrastructure of the online world: the servers, computers, fiber-optic cables and routers through which data is shared online. The Web is data: a vast collection of documents containing text, visual images, audio clips and other information media that is accessed through the Internet. Computers known as "servers" store these documents and make them available over the Internet through "TCP/IP" (Transmission Control Protocol/Internet Protocol), a set of standard operating and transmission protocols that structure the Web's operation. Every document has a unique "URL" (Universal Resource Locator) that identifies its physical location in the Internet's infrastructure. Users access documents by sending request messages to the servers that store the documents. When a server receives a user's request (for example, for's home page), it prepares the document and then transmits the information back to the user.

The Internet utilizes a technology called "packet switching" to carry data. Packet switching works as follows. The computer wishing to send a document ("originating computer"), such as a music file or digital image, cuts the document up into many small "packets" of information. Each packet contains the Internet Protocol ("IP") address of the destination Web site, a small portion of data from the original document, and an indication of the data's place in the original document. The originating computer then sends all of the packets through its local network to an external "router." A router is a device that contains continuously-updated directories of Internet addresses called "routing tables." The router takes each packet from the original document and sends it to the next available router in the direction of the destination Web site. Because each router is connected to many other routers and because the connection between any two given routers may be congested with traffic at a given moment, packets from the same document are often sent to different routers. Each of these routers, in turn, repeats this process, forwarding each packet it receives to the next available router in the direction of the destination Web site. Collectively, this process is called "dynamic routing."

The result is that packets of information from the originating computer may take entirely different routes over the Internet (i.e., traveling over different routers and cables) to their ultimate destination. Obviously, the packets arrive out of their original order because some have been forced to take much longer or slower routes between the originating and destination computers. However, because each packet *502 contains code that identifies its place in the original document, the destination computer is able to reassemble the original document from the disorganized packets. At that point, the destination computer sends a message back to the originating computer either reporting that it received the full message, or requesting that the originating computer re-send any packets that never arrived. This entire process typically occurs in a matter of seconds. Packet-switching technology and dynamic routing have helped to give the Internet's infrastructure its extraordinary efficiency and resiliency.


The court held that DoubleClick was not liable under any of the three federal laws because it fell within the consent exceptions under the Stored Communications Act and the Wiretap Statute. DoubleClick was not excluded from the consent exception of the Wiretap Statute because it did not intercept the communications for criminal or tortious purposes. DoubleClick was also not liable under the Computer Fraud and Abuse Act because the plaintiffs had failed to meet the statutory threshold of $5,000 in losses. The court established that damages under the Computer Fraud and Abuse Act may only be aggregated for the unauthorized access of each cookie.

DoubleClick engaged in behavioral targeting and placed a cookie on each user's computer hard drive when the user accessed DoubleClick-affiliated web sites. DoubleClick was then able to track the users' web surfing activities and build user profiles for the purposes of delivering targeted advertisements.

DoubleClick's server identifies the user's profile by the cookie identification number and presents the user with advertisements tailored to the user's interest. The plaintiffs claimed that DoubleClick's obtaining of user information stored in the web cookies constituted unauthorized access and interception of their electronic communications with the web sites they were accessing.

DoubleClick eventually entered into a settlement agreement with the plaintiffs. Under the settlement's terms, DoubleClick was required to explain its privacy policy in "easy-to-read" language; conduct a public information campaign consisting of 300 million banner ads inviting consumers to learn more about protecting their privacy; and institute data purging and opt-in procedures among other requirements.