Stanford CIS

Federal District Court Dismisses Class Action Against Pharmatrak that Alleged Violation of Electronic Communications Privacy Act

By Stanford Center for Internet and Society on

Plaintiffs, in a consolidated class action, sued Pharmatrak, Inc., an Internet marketing service company for the healthcare industry specializing in website traffic analysis and monitoring, and numerous pharmaceutical companies, alleging that they secretly intercepted and accessed Plaintiff’s personal information through the use of “cookies” and other devices, in violation of state and federal law.  On August 13, 2002, the Court granted summary judgment in favor of defendants on all counts (see In re Pharmatrak, Inc. Privacy Litigation, 220 F.Supp. 2d 4). Plaintiffs’ sole claim on appeal was that Pharmatrak violated Title I of the Electronic Communications Privacy Act (“ECPA”) (18 U.S.C. §2511(1)(a)). On May 9, 2003, the U.S. Court of Appeals for the First Circuit reversed the summary judgment, finding that Pharmatrak had “intercepted” personal information, but remanded the case to determine whether or not defendants’ conduct was intentional within the meaning of the ECPA (see In re Pharmatrak, Inc. Privacy Litigation, 329 F.3d 9). On November 6, 2003, the District Court again granted summary judgment in favor of defendants.The pharmaceutical companies invited users to visit their websites to learn about their drugs and to obtain rebates. Pharmatrak supplied a service called "NETcompare" to the companies, which accessed information about the Internet users and collected certain information meant to permit them to do intra-industry comparisons of website traffic and usage.  Most of the pharmaceutical companies did not want personal or identifying data collected and sought and received assurances from Pharmatrak that such data collection would not occur.  As it turned out, some such personal data was found, using easily customized search programs, on Pharmatrak's computers.

Defendants argued that none of the facts showed any kind of actionable intent on their part, setting forth the following three arguments in support of their motion for summary judgment:

First, they pointed out that only a small amount of personal data was actually be found. They asserted that, while between October, 1999 and February 2001, roughly 18.7 million unique website users visited the tracked pharmaceutical company websites, plaintiffs’ expert found personal information of only 232 individuals, so that any transfer of personal information was inadvertent.   Second, defendants argued that the collection of the personal information was caused by known errors by third parties. They asserted that 166 transmissions were the result of the inappropriate use of the “GET” method by two of the defendant pharmaceutical companies, and that the remaining 76 occurred because of a mistake in Netscape’s Navigator browser. Referring to the First Circuit’s definition of “intentional” (“when one has no control over the existence of circumstances, one cannot intend them”), defendants argued that the transmissions were the result of circumstances beyond their control, so that they could not have intended to collect the information. Plaintiffs argued that, because Pharmatrak did not implement certain safeguards to prevent such transmissions, it must have intended to collect personal information. The Court, found even if such safeguards existed and were used, Pharmatrak would at most have been liable under a theory of negligence, or even gross negligence, and that neither is sufficient to satisfy the specific intent requirement under the EPCA. Third, defendants argued that Pharmatrak had no knowledge of the personal information until April, 2002, which was more than a year and a half after plaintiffs filed the suit. The court found that plaintiffs provided no testimony that indicates that anyone at Pharmatrak intentionally sought to collect personal information through its NETcompare program.

Published in: Blog , Vol. 1, No. 5 , Packets