In re Pharmatrak, Inc. Privacy Litigation, CIV.A.00-11672-JLT.

• Decision Date: 13 August 2002
• Docket Number: No. CIV.A.00-11672-JLT.,CIV.A.00-11672-JLT.
• Parties: In re PHARMATRAK, INC. PRIVACY LITIGATION
• Court: U.S. District Court — District of Massachusetts

Page 4

220 F.Supp.2d 4

In re PHARMATRAK, INC. PRIVACY LITIGATION

No. CIV.A.00-11672-JLT.

United States District Court, D. Massachusetts.

August 13, 2002.

Seth R. Lesser, Bernstein, Litowitz, Berger & Grossman, New York City, Dennis Stewart, Alan M. Mansfield, Milberg Weiss Bershad Hynes & Lerach, San Diego, CA, Douglas G. Thompson, Finkelstein, Thompson & Loughran, Washington, DC, Stephen Moulton, Nancy F. Gans, Moulton & Gans, LLP, Boston, MA, Ann D. White, Mager & White, Jenkintown, PA, Andrew M. Gschwind, Bernstein Litowitz Berger & Grossmann, New York City, Marvin A. Miller, Miller Faucher and Cafferty LLP, Chicago, IL, Shannon P. Keniry, Finkelstein Thompson & Loughran, Washington, DC, Louis Gottlieb, Goodkind Labaton Rudoff & Sucharow, New York City, George E. Barrett, Barret Johnston & Parsley, Nashville, TN, William J. Doyle, II, Milberg Weiss Bershad Hynes & Lerach LLP, Brian J. Robbins, Robbins Umeda & Fink LLP, San Diego, CA, Bryan L. Clobes, Philadelphia, PA, Daniel W. Krasner, Wolf, Haldenstein, Adler, Freeman & Herz, New York City, Adam J. Levitt, Wolf, Haldenstein, Adler, Freeman & Herz, LLC, Chicago, IL, Michael M. Buchman, Schaumburg, IL, for Plaintiffs.

Carmela Edmunds, Dickstein, Shapiro & Morin, Washington, DC, Richard F. O'Malley, Sidley & Austin, New York City, Mark C. Laredo, Mark D. Smith, Faxon & Laredo, Matthew H. Feinberg, Matthew A. Kamholtz, Feinberg & Kamholtz, Boston, MA, James T. Ardin, Sidley & Austin, New York City, Adam J. Levitt, Wolf, Haldenstein, Adler, Freeman & Herz, LLC, Chicago, IL, Seymour Glanzer, Dickstein, Shapiro, Morin & Oshinsky, LLP, David N. Sonnenreich, The Sonnenreich Law Office, P.C., Salt Lake City, UT, Daniel S. Savrin, Bingham, Dana & Gould, Boston, MA, Dennis J. Block, H. Peter Haveles, Jr., Cadwalader, Wickersham & Taft, New York City, John J. Curtin, John J. Curtin, Jr., Bingham, McCutcheon L.L.P., Boston, MA, Paul A. Hemmersbaugh, Sidley & Austin, Washington, DC, Donald N. David, Fishbein, Badillo, Wagner & Harding, Boston, MA, Ralph T. Lenore, Holland & Knight LLP, Boston, MA, Deborah E. Barnard, Ralph T. Lepore, III, Elizabeth Marlene Mitchell, Holland & Knight LLP, Boston, MA, Frederic W. Yerman, Paul C. Llewellyn, Kay, Scholer, Fierman, Hayes & Handler, New York City, William F. Lee, David B. Bassett, Douglas J. Nash, Hale & Dorr, Boston, MA, Daniel J. Tomasch, Diana Weiss, Orrick, Herrington & Sutcliffe LLP, New York City, for Defendants.

MEMORANDUM

TAURO, District Judge.

Plaintiffs Rob Barring, Noah Blumofe, Jim Darby, Karen Gassman, Robin McClary, Harris Perlman, and Marcus Schroers ("Plaintiffs") bring this consolidated action against Pharmatrak, Inc. ("Defendant Pharmatrak")¹ and several pharmaceutical companies: Pfizer, Inc., Pharmacia Corporation, SmithKline Beecham Corporation, Glaxo Welcome, Inc., and American Home Products Corporation (the "Pharmaceutical Defendants"). The Consolidated Amended Class Action Complaint alleges that Defendants secretly intercepted and accessed Plaintiffs' personal information and Web browsing habits through the use of "cookies" and other devices, in violation of state and federal law.

The Parties' cross-motions for summary judgment are now before the court.

PROCEDURAL BACKGROUND

Plaintiffs Blumofe and Gassman filed suit in this court on August 18, 2000. The remaining Plaintiffs filed complaints in the Southern District of New York. On April 18, 2001, the Judicial Panel on Multi-District Litigation issued an order transferring the six New York actions to the District of Massachusetts.

Plaintiffs filed the Amended Consolidated Class Action Complaint ("Complaint") on June 28, 2001. In December 2001, the court held a scheduling conference and authorized the Plaintiffs to examine Defendant Pharmatrak's computer servers. This limited discovery took place during December 2001 and January 2002 at Pharmatrak's former corporate headquarters in Boston, Massachusetts.

Pursuant to the court's March 26, 2002 Order, the Parties refiled motions for summary judgment. The court held a hearing on Defendants' and Plaintiffs' motions for summary judgment on July 24, 2002.

FACTUAL BACKGROUND

Plaintiffs allege that Defendants "secretly intercepted and accessed Internet users' electronic communications with various health-related and medical-related Internet Web sites and secretly accessed their computer hard drives in order to collect private information about their Web browsing habits [and] confidential health information without their knowledge, authorization, or consent."² Plaintiffs contend that the Pharmaceutical Defendants conspired with Plaintiff Pharmatrak to "collect and share this wrongfully obtained personal and sensitive information."³ This activity was allegedly accomplished through the use of "web bugs," "persistent cookies," and other devices.⁴

The general principles of computers, the Internet, and the Web have been detailed elsewhere,⁵ and because such facts are undisputed in this case, further elaboration is unnecessary. Analysis of the Parties' relationships in this case, however, requires a brief discussion of the specific methods by which the Parties communicated with each other, and the manner in which Defendants allegedly accessed and intercepted private information.

As stated in the Complaint, the Plaintiffs "access the Internet and communicate with other computers through use of commercial ISPs ... or through computers known as `servers' that are operated by the entity which provides their computer access, such as their employer. In each case, the ISP or the server provides the electronic communication service that allows the user's computer to connect with other computers on the Internet."⁶ Plaintiffs assert that personal computers "can and sometimes do act as servers,"⁷ but do not allege that any of the named Plaintiffs' computers were used in such a capacity.

The Pharmaceutical Defendants hired Defendant Pharmatrak to monitor their corporate web sites and provide monthly analysis of web site traffic.⁸ Pharmatrak offered its clients two relevant products: NETcompare, which was designed to monitor activity across clients' web pages, and DRUGcompare, which was designed to monitor activity across disease categories and drug product pages.⁹ All of the Pharmaceutical Defendants purchased NETcompare, and Defendant Pharmacia may have licensed DRUGcompare during testing phases.¹⁰ Pharmatrak specifically represented to the Pharmaceutical Defendants that these products did not collect "personally identifiable information."¹¹ Even though the Pharmaceutical Defendants may not have known precisely how Pharmatrak's software worked, Plaintiffs readily admit that "the Pharmaceutical Defendants did authorize Pharmatrak's presence upon their Web sites ...."¹²

Pharmatrak's system operated through the use of HTML programming,¹³ JavaScript programming,¹⁴ cookies,¹⁵ and "web bugs."¹⁶ Each of the Pharmaceutical Defendants' web pages were programmed with Pharmatrak code, which allowed Pharmatrak to monitor web site activity.¹⁷ When a computer browser requested information from a Pharmaceutical Defendant's web page, the web page would send the requested information to the user, and the site's programming code would instruct the user's browser to contact Pharmatrak's web server and retrieve a "clear GIF" from it.¹⁸ A clear GIF is a one pixel-by-one pixel or two pixels-by-two pixels graphic image, and is sometimes called a web bug or a "pixel tag."¹⁹ The purpose of a clear GIF was to cause the user's computer browser to communicate directly with Pharmatrak's web server.²⁰ Some communications may have also included code referencing JavaApplet, a software program that runs in a user's browser, or JavaScript, an Internet programming language.²¹

Having caused the user's Internet browser to contact Pharmatrak, Pharmatrak then sent a cookie back to the browser.²² A cookie is an electronic file "attached" to a user's computer by a computer server. Plaintiffs concede that "[c]ookies generally perform many convenient and innocuous functions."²³ Commonly, cookies are used to store users' preferences and other information, which allows users to easily access and utilize personalized services on the web or to maintain an online "shopping cart."²⁴ Cookies also allow web sites to differentiate between users as they visit by assigning each individual browser a unique, randomly generated numeric or alphanumeric identifier.²⁵ If an individual browser had already visited the "Pharmatrak-enabled" website, Pharmatrak would recognize the previously placed cookie and could therefore differentiate between a repeat visit and an initial visit.²⁶ Pharmatrak programmed its cookies to expire after 90 days.²⁷ It is possible that many individual users were unaware that, in addition to their browser communicating with a Pharmaceutical Defendant's web site, it was also communicating with Pharmatrak.²⁸

Plaintiffs allege that the JavaApplet used by Pharmatrak allowed Pharmatrak to monitor the length of time that a particular user viewed one of the Pharmaceutical Defendants' web pages.²⁹ Plaintiffs also allege that the JavaScript programming allowed Pharmatrak to "intercept the full URL³⁰ of the tracked Web page visited by the user," as well as "the full URL of the Web page visited by the Internet user immediately prior to the user's visit to the Pharmatrak-coded Web page. This prior Web page address is know as a `referrer URL.'"³¹ According to Plaintiffs, Pharmatrak used JavaScript "to extract referring URLs from the client's history, thereby bypassing any security or privacy mechanisms put in place to control the flow of potentially sensitive data."³² The JavaScript and JavaApplet, therefore, also caused users' computer browsers to communicate with Pharmatrak's server while they intentionally communicated with the Pharmaceutical Defendants' servers.

In a subheading on page 21 of the Complaint, Plaintiffs also assert that Pharmatrak was...