In re Pharmatrak, Inc., 02-2138.

Citation329 F.3d 9
Decision Date09 May 2003
Docket NumberNo. 02-2138.,02-2138.
PartiesIn re PHARMATRAK, INC. Privacy Litigation, Noah Blumofe, on behalf of himself and all others similarly situated; Rob Barring; Jim Darby; Karen Grassman, on behalf of herself and all others similarly situated; Robin McClary; Harris Perlman; Marcus Schroers, Plaintiffs, Appellants, v. Pharmatrak, Inc.; Glocal Communications, Ltd., Defendants, Appellees, Pfizer, Inc.; Pharmacia Corp.; Smithkline Beecham Plc; Glaxo Wellcome PLC; Does 1-100; American Home Products Corp.; Novartis Corp., Defendants.
CourtUnited States Courts of Appeals. United States Court of Appeals (1st Circuit)

Adam J. Levitt with whom Daniel W. Krasner, David A.P. Brower, Wolf Haldenstein Adler Freeman & Herz LLC, Seth R. Lesser, Andrew M. Gschwind, Bernstein Litowitz Berger & Grossmann LLP, Melvyn I. Weiss, Michael M. Buchman, Dennis Stewart, William J. Doyle II, Milberg Weiss Bershad Hynes & Lerach LLP, Nancy Freeman Gans, and Moulton & Gans, P.C. were on brief for appellants.

Seymour Glanzer with whom Carmela N. Edmunds and Dickstein Shapiro Morin & Oshinsky LLP were on brief for appellees.

Before LYNCH, Circuit Judge, BOWNES, Senior Circuit Judge, and HOWARD, Circuit Judge.

LYNCH, Circuit Judge.

This case raises important questions about the scope of privacy protection afforded internet users under the Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. §§ 2511, 2520 (2000).

In sum, pharmaceutical companies invited users to visit their websites to learn about their drugs and to obtain rebates. An enterprising company, Pharmatrak, sold a service, called "NETcompare," to these pharmaceutical companies. That service accessed information about the internet users and collected certain information meant to permit the pharmaceutical companies to do intra-industry comparisons of website traffic and usage. Most of the pharmaceutical companies were emphatic that they did not want personal or identifying data about their web site users to be collected. In connection with their contracting to use NETcompare, they sought and received assurances from Pharmatrak that such data collection would not occur. As it turned out, some such personal and identifying data was found, using easily customized search programs, on Pharmatrak's computers. Plaintiffs, on behalf of the purported class of internet users whose data Pharmatrak collected, sued both Pharmatrak and the pharmaceutical companies asserting, inter alia, that they intercepted electronic communications without consent, in violation of the ECPA.

The district court entered summary judgment for defendants on the basis that Pharmatrak's activities fell within an exception to the statute where one party consents to an interception. The court found the client pharmaceutical companies had consented by contracting with Pharmatrak and so this protected Pharmatrak. See In re Pharmatrak, Inc. Privacy Litig., 220 F.Supp.2d 4, 12 (D.Mass.2002). The plaintiffs dismissed all ECPA claims as to the pharmaceutical companies. This appeal concerns only the claim that Pharmatrak violated Title I of the ECPA.

We hold that the district court incorrectly interpreted the "consent" exception to the ECPA; we also hold that Pharmatrak "intercepted" the communication under the statute. We reverse and remand for further proceedings. This does not mean that plaintiffs' case will prevail: there remain issues which should be addressed on remand, particularly as to whether defendant's conduct was intentional within the meaning of the ECPA.

I.

Pharmatrak provided its NETcompare service to pharmaceutical companies including American Home Products, Pharmacia, SmithKline Beecham, Pfizer, and Novartis from approximately June 1998 to November 2000. The pharmaceutical clients terminated their contracts with Pharmatrak shortly after this lawsuit was filed in August 2000. As a result, Pharmatrak was forced to cease its operations by December 1, 2000.

NETcompare was marketed as a tool that would allow a company to compare traffic on and usage of different parts of its website with the same information from its competitors' websites. The key advantage of NETcompare over off-the-shelf software was its capacity to allow each client to compare its performance with that of other clients from the same industry.

NETcompare was designed to record the webpages a user viewed at clients' websites; how long the user spent on each webpage; the visitor's path through the site (including her points of entry and exit); the visitor's IP address;1 and, for later versions, the webpage the user viewed immediately before arriving at the client's site (i.e., the "referrer URL").2 This information-gathering was not visible to users of the pharmaceutical clients' websites. According to Wes Sonnenreich, former Chief Technology Officer of Pharmatrak, and Timothy W. Macinta, former Managing Director for Technology of Pharmatrak, NETcompare was not designed to collect any personal information whatsoever.

NETcompare operated as follows. A pharmaceutical client installed NETcompare by adding five to ten lines of HTML3 code to each webpage it wished to track and configuring the pages to interface with Pharmatrak's technology. When a user visited the website of a Pharmatrak client, Pharmatrak's HTML code instructed the user's computer to contact Pharmatrak's web server and retrieve from it a tiny, invisible graphic image known as a "clear GIF" (or a "web bug"). The purpose of the clear GIF was to cause the user's computer to communicate directly with Pharmatrak's web server. When the user's computer requested the clear GIF, Pharmatrak's web servers responded by either placing or accessing a "persistent cookie" on the user's computer. On a user's first visit to a webpage monitored by NETcompare, Pharmatrak's servers would plant a cookie on the user's computer. If the user had already visited a NETcompare webpage, then Pharmatrak's servers would access the information on the existing cookie.

A cookie is a piece of information sent by a web server to a web browser that the browser software is expected to save and to send back whenever the browser makes additional requests of the server4 (such as when the user visits additional webpages at the same or related sites). A persistent cookie is one that does not expire at the end of an online session. Cookies are widely used on the internet by reputable websites to promote convenience and customization. Cookies often store user preferences, login and registration information, or information related to an online "shopping cart." Cookies may also contain unique identifiers that allow a website to differentiate among users.

Each Pharmatrak cookie contained a unique alphanumeric identifier that allowed Pharmatrak to track a user as she navigated through a client's site and to identify a repeat user each time she visited clients' sites. If a person visited www.pfizer.com in June 2000 and www.pharmacia.com in July 2000, for example, then the persistent cookie on her computer would indicate to Pharmatrak that the same computer had been used to visit both sites.5 As NETcompare tracked a user through a website, it used JavaScript and a JavaApplet to record information such as the URLs the user visited. This data was recorded on the access logs of Pharmatrak's web servers.

Pharmatrak sent monthly reports to its clients juxtaposing the data collected by NETcompare about all pharmaceutical clients.6 These reports covered topics such as the most heavily used parts of a particular site; which site was receiving the most hits in particular areas such as investor or media relations; and the most important links to a site.

The monthly reports did not contain any personally identifiable information about users. The only information provided by Pharmatrak to clients about their users and traffic was contained in the reports (and executive summaries thereof). Slides from a Pharmatrak marketing presentation did say the company would break data out into categories and provide "user profiles."7 In practice, the aggregate demographic information in the reports was limited to the percentages of users from different countries; the percentages of users with different domain extensions (i.e., the percentages of users originating from for-profit, government, academic, or other not-for-profit organizations);8 and the percentages of first-time versus repeat users. An example of a NETcompare "user profile" is: "The average Novartis visitor is a first-time visitor from the U.S., visiting from a .com domain."

While it was marketing NETcompare to prospective pharmaceutical clients, Pharmatrak repeatedly told them that NETcompare did not collect personally identifiable information. It said its technology could not collect personal information, and specifically provided that the information it gathered could not be used to identify particular users by name. In their affidavits and depositions, executives of Pharmatrak clients consistently said that they believed NETcompare did not collect personal information, and that they did not learn otherwise until the onset of litigation. Some, if not all, pharmaceutical clients explicitly conditioned their purchase of NETcompare on Pharmatrak's guarantees that it would not collect users' personal information. For example, Pharmacia's April 2000 contract with Pharmatrak provided that NETcompare would not collect personally identifiable information from users. Michael Sonnenreich, Chief Executive Officer of Pharmatrak, stated unequivocally at his deposition that none of his company's clients consented to the collection of personally identifiable information.

Pharmatrak nevertheless collected some personal information on a small number of users. Pharmatrak distributed approximately 18.7 million persistent cookies through NETcompare. The number of unique cookies provides a rough estimate of the number of users...

To continue reading

Request your trial
105 cases
  • Lopez v. Apple, Inc.
    • United States
    • U.S. District Court — Northern District of California
    • 10 Febrero 2021
    ...consents to interception "of only part of a communication" or only a "subset of its communications." Id. (quoting In re Pharmatrak, Inc. , 329 F.3d 9, 19 (1st Cir. 2003) ). The party seeking to establish consent has the burden of proof. Id. (citing Pharmatrak , 329 F.3d at 19 ). Here, the C......
  • In re Yahoo Mail Litig., Case No.: 5:13–CV–04980
    • United States
    • U.S. District Court — Northern District of California
    • 12 Agosto 2014
    ...to the interception of only part of a communication or to the interception of only a subset of its communications.” In re Pharmatrak, Inc., 329 F.3d 9, 19 (1st Cir.2003). Furthermore, as “the party seeking the benefit of the exception,” the burden is on Yahoo to prove it obtained consent. I......
  • In re Iphone Application Litig.
    • United States
    • U.S. District Court — Eastern District of California
    • 12 Junio 2012
    ...the intent of the user, and therefore does not constitute “content” susceptible to interception. Plaintiffs cite In re Pharmatrak, Inc., 329 F.3d 9 (1st Cir.2003), for the proposition that the definition of “contents” “encompasses personally identifiable information.” Opp'n to Apple MTD at ......
  • United States v. Christensen
    • United States
    • U.S. Court of Appeals — Ninth Circuit
    • 25 Agosto 2015
    ...goal of intercepting wire communications. “The intentional state of mind is applicable only to conduct and results.” In re Pharmatrak, Inc. , 329 F.3d 9, 23 (1st Cir. 2003) (quoting S. Rep. No. 99–541 ). “[L]iability for intentionally engaging in prohibited conduct does not turn on an asses......
  • Request a trial to view additional results
9 books & journal articles
  • COMPUTER CRIMES
    • United States
    • American Criminal Law Review No. 58-3, July 2021
    • 1 Julio 2021
    ...at 1107 (suggesting that “record information can become content if the record is the subject of a communication” (citing In re Pharmatrak, 329 F.3d 9, 15, 18–19 (1st Cir. 2003))); In re Application of United States for Use of Pen Register & Trap, 396 F. Supp. 2d 45, 48 (D. Mass. 2005) (hold......
  • Computer Crimes
    • United States
    • American Criminal Law Review No. 60-3, July 2023
    • 1 Julio 2023
    ...F.3d at 1107 (suggesting “record information can become content if the record is the subject of a communication” (citing In re Pharmatrak, 329 F.3d 9, 15, 18–19 (1st Cir. 2003))); In re Application of United States for Use of Pen Register & Trap, 396 F. Supp. 2d 45, 48–49 (D. Mass. 2005) (n......
  • Computer Crimes
    • United States
    • American Criminal Law Review No. 59-3, July 2022
    • 1 Julio 2022
    ...at 1107 (suggesting that “record information can become content if the record is the subject of a communication” (citing In re Pharmatrak, 329 F.3d 9, 15, 18–19 (1st Cir. 2003))); In re Application of United States for Use of Pen Register & Trap, 396 F. Supp. 2d 45, 48 (D. Mass. 2005) (noti......
  • Computer crimes.
    • United States
    • American Criminal Law Review Vol. 47 No. 2, March 2010
    • 22 Marzo 2010
    ...Jackson Games, Inc. v. United States Secret Serv., 36 F.3d 457, 461-62 (5th Cir. 1994) (pre-retrieval)"). (309.) In re Pharmatrak, Inc., 329 F.3d 9 (1st Cir. 2003); Fraser v. Nationwide Mut. Ins. Co., 352 F.3d 107 (3rd Cir. (310.) 36 F.3d 457 (5th Cir. 1994). (311.) Id. at 458. (312.) Unite......
  • Request a trial to view additional results

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT