In re Google Inc.

• Decision Date: 10 November 2015
• Docket Number: No. 13–4300.,13–4300.
• Citation: 806 F.3d 125
• Parties: In re GOOGLE INC. COOKIE PLACEMENT CONSUMER PRIVACY LITIGATION. William Gourley; Jose M. Bermudez; Nicholas Todd Heinrich; Lynne Krause, Appellants.
• Court: U.S. Court of Appeals — Third Circuit

806 F.3d 125

In re GOOGLE INC. COOKIE PLACEMENT CONSUMER PRIVACY LITIGATION. William Gourley; Jose M. Bermudez; Nicholas Todd Heinrich; Lynne Krause, Appellants.

No. 13–4300.

United States Court of Appeals, Third Circuit.

Argued Dec. 11, 2014.

Opinion Filed: Nov. 10, 2015.

Amended Nov. 12, 2015.

Jason O. Barnes, Esq. [Argued], Barnes & Associates, Edward D. Robertson, Jr., Esq., Bartimus Frickleton Robertson & Gorny, Jefferson City, MO, James P. Frickleton, Esq., Bartimus Frickleton Robertson & Gorny, Leawood, KS, Brian R. Strange, Esq., Strange & Carpenter, Los Angeles, CA, for Plaintiff–Appellants.

Colleen Bal, Esq., Michael H. Rubin, Esq. [Argued], Wilson, Sonsini, Goodrich & Rosati, San Francisco, CA, Michael H. Rubin, Esq., Wilson, Sonsini, Goodrich & Rosati, San Francisco, CA, Anthony J. Weibell, Esq., Wilson, Sonsini, Goodrich & Rosati, Palo Alto, CA, for Defendant–Appellee Google Inc.

Edward P. Boyle, Esq., David N. Cinotti, Esq., Venable, New York, N.Y., Travis S. Hunter, Esq., Rudolf Koch, Esq., Richards, Layton & Finger, Wilmington, DE, for Defendant–Appellee Vibrant Media Inc.

Lisa M. Coyle, Esq., Ropes & Gray, New York, N.Y., Douglas H. Meal, Esq., Ropes & Gray, Boston, MA, for Defendant–Appellees Media Innovation Group LLC and WPP PLC.

OPINION OF THE COURT

FUENTES, Circuit Judge:

This class action arises from allegations that the defendants, who run internet advertising businesses, placed tracking cookies on the plaintiffs' web browsers in contravention of their browsers' cookie blockers and defendant Google's own public statements. At issue in this appeal is the District Court's dismissal of each of the nine claims brought by the plaintiffs. As follows, we will affirm in part, vacate in part, and remand to the District Court for additional proceedings.

I. Background

A. Internet Advertising and Cookie–Based Tracking

In most users' experience, webpages appear on browsers as integrated collages of text and images. As a technical matter, this content is delivered and aggregated from multiple independent servers. This includes advertising content, which is typically drawn from “third-party” servers owned by the advertisers themselves. The defendants in this case are internet advertising companies, and this suit concerns their practices in serving advertisements to the browsers of webpage visitors.

The delivery of advertising content from third party servers to webpage visitors' browsers is a highly technical process involving a series of communications between the visitor's browser, the server of the visited website, and the server of the advertising company. In its specifics:

The host website leaves part of its webpage blank where the third-party advertisements will appear. Upon receiving a “GET” request from a user seeking to display a particular webpage, the server for that webpage will subsequently respond to the browser, instructing the browser to send a “GET” request to the third-party company charged with serving the advertisements for that particular webpage.... The third-party server responds to the GET request by sending the advertisement to the user's browser, which then displays it on the user's device. The entire process occurs within milliseconds and the third-party content appears to arrive simultaneously with the first-party content so that the user does not discern any separate GET requests from the third-parties.¹

As the defendants deliver their advertisements directly to users from their own servers, the defendants have the capacity to vary how they populate their rented webpage space. This capacity permits targeting by which the defendants may serve different advertisements to different visitors. The general principle is that the more that an advertisement is tailored to its audience—sneakers for runners, legal pads for lawyers—the greater the advertisement's expected value. Here, the value of customization, combined with the capacity for individuated advertisement service, impels internet advertisers to surmise whatever they can about each particular person requesting webpage content.

As pled in the complaint:

To inject the most targeted ads possible, and therefore charge higher rates to buyers of the ad space, these third-party companies ... compile the [i]nternet histories of users. The third-party advertising companies use “third-party cookies” to accomplish this goal. In the process of injecting the advertisements into the first-party websites, the third-party advertising companies also place third-party cookies on user's computing devices. Since the advertising companies place advertisements on multiple sites, these cookies allow these companies to keep track of and monitor an individual user's web activity over every website on which these companies inject ads.²

These third-party cookies are used by advertising companies to help create detailed profiles on individuals ... by recording every communication request by that browser to sites that are participating in the ad network, including all search terms the user has entered. The information is sent to the companies and associated with unique cookies—that is how the tracking takes place. The cookie lets the tracker associate the web activity with a unique person using a unique browser on a device. Once the third-party cookie is placed in the browser, the next time the user goes to a website with the same [d]efendant's advertisements, a copy of that request can be associated with the unique third-party cookie previously placed. Thus the tracker can track the behavior of the user....³

B. Cookie Blocking, Circumvention, Deceit, and Discovery

Individually tailored webpage advertisements are now ubiquitous. But, where cookie-based tracking is concerned, leading web browsers have designed built-in features to prevent the installation of cookies by third-party servers. The complaint calls them “cookie blockers.” The cookie blockers of two browsers are at issue in this case. One is Microsoft's Internet Explorer, which featured an “opt-in” cookie blocker that a user could elect to activate. The other is Apple's Safari browser, which featured an “opt-out” cookie blocker that was activated by default. The complaint notes that the main Apple website page dedicated to Safari advertised its opt-out cookie blocker as a unique feature, stating that, “to better protect[ ] your privacy[,] Safari accepts cookies only from the websites you visit.”⁴Likewise, the Safari browser labeled its default cookie setting as “Block cookies: From third parties and advertisers.”⁵

According to the complaint, the Safari and Internet Explorer cookie blockers were well-known to industry participants, including as to their existence, functionality, and purpose. More is alleged about Google in particular. Google's Privacy Policy explained that “most browsers are initially set up to accept cookies, but you can reset your browser to refuse all cookies or to indicate when a cookie is being sent.”⁶Google provided further assurances about the Safari cookie blocker specifically. Google offered a proprietary cookie blocker, a so-called “opt-out cookie” that, when downloaded, would prevent the installation of tracking cookies. On the public webpage Google maintained to describe its opt-out cookie, Google assured visitors that “Safari is set by default to block all third party cookies. If you have not changed those settings, this option essentially accomplishes the same thing as setting the opt-out cookie.”⁷

In February 2012, Stanford graduate student Jonathan Mayer published an online report revealing that Google and the other defendants had discovered, and were surreptitiously exploiting, loopholes in both the Safari cookie blocker and the Internet Explorer cookie blocker.⁸Safari's cookie blocker turns out to have had a few exceptions, one of which was that it permitted third-party cookies if the browser submitted a certain form to the third-party. Because advertisement delivery does not, in the ordinary course, involve such forms, the exception ought not have provided a pathway to installing advertiser tracking cookies. But according to Mayer's report, Google used code to command users' web browsers to automatically submit a hidden form to Google when users visited websites embedded with Google advertisements. This covert form triggered the exception to the cookie blocker, and, used widely, enabled the broad placement of cookies on Safari browsers notwithstanding that the blocker—as Google publicly acknowledged—was designed to prevent just that. The other defendants, meanwhile, accomplished similar circumventions. As a result, the defendants could—and did—place third-party cookies on browsers with activated blockers.

Mayer's findings were concurrently published in the Wall Street Journal⁹and drew the attention of the Federal Trade Commission and a consortium of state attorneys general. The Department of Justice filed suit under the Federal Trade Commission's authorizing statute in the Northern District of California, and the action resolved by way of a stipulated order providing for a $22.5 million civil penalty.¹⁰Google further agreed to certain forward-looking conditions related to internet privacy, but admitted no past acts or wrongdoing.¹¹Google similarly reached a $17 million settlement with 38 state attorneys general, including the California Attorney General.¹²

C. The Instant Suit

Following Mayer's report, a series of lawsuits were filed in federal district courts around the country. Those lawsuits were consolidated by the Multi–District Litigation panel and assigned to Judge Sue Robinson of the District of Delaware. This appeal is from the District Court's dismissal of that consolidated case.

The consolidated case was presented to the District Court as a putative class action, and four named plaintiffs—our appellants here—filed a consolidated class action complaint. The putative class consists of:

all persons in the United States of America who used the Apple Safari or Microsoft

...