Half Baked: The Need for Clarity on the Party Exemption to the Wiretap Act for Private Actors Using Tracking Cookies.

• Author: Tower, Joseph F., IV

"Permitting an entity to engage in the unauthorized duplication and forwarding of unknowing users' information would render permissible the most common methods of intrusion, allowing the exception to swallow the rule." (1)

1. Introduction

   Consumer privacy has been a growing concern among policymakers. (2) As technology advances, the ability to aggregate data about consumer choices and user activity increases. (3) The value of consumer data and behavioral profiles has grown substantially over the past twenty years, incentivizing firms to maximize their ability to build individualized consumer profiles. (4) Simultaneously, consumers have difficulty understanding the methods and ubiquity of commercial tracking techniques. (5) The ease of consumer tracking--coupled with a lack of consumer knowledge--leaves little room for the informed consent required for effective privacy protection. (6) With varying success among circuit courts, consumer litigants are utilizing the Wiretap Act--part of the Electronic Communications Privacy Act (ECPA)--to prevent big technology companies from tracking user behavior with browser cookies, which are small text files that web browsers place on user hard drives. (7)

   This Note addresses the question of whether users must give consent to third-party advertisers to collect their data through browser cookies. (8) Third-party advertisers argue an exception to the Wiretap Act--known as the party exemption rule--permits the use of cookies to collect users' data without their knowledge. (9) The party exemption rule allows a party to a communication to record or "intercept" that communication as long as they do not do so for a tortious purpose. (10)

   In 2020, the Ninth Circuit Court of Appeals revisited the Wiretap Act's party exemption rule as applied to tracking techniques used in internet browsers. (11) In Davis V. Facebook, users brought a class action suit against Facebook for its use of browser cookies to track users without their consent. (12) These cookies generated copies of users' browser communications and sent those copies to Facebook's servers. (13) In holding that Facebook's use of surreptitious and simultaneous parallel communications violated the ECPA, the court weighed in on an ongoing debate of how the party exemption rule applies to the use of browser tracking technologies. (14) The court reasoned that the use of deceitful means to induce a user to create a parallel browser communication violated the intent behind the party exemption rule. (15) Armed with this recent ruling, private parties and state attorneys general filed an increasing number of claims in state courts against entertainment and technology companies utilizing different website tracking methods. (16)

   In contrast, in In re Google Inc. Cookie Placement Consumer Privacy Litigation, the Third Circuit interpreted the party exemption rule as applicable when a browser sends an intended communication to a Webserver, even if the user is deceitfully induced to make that communication. (17) This ruling protects advertisers from liability when using browser cookies to "copy" user internet traffic generated by browsing websites. (18) Despite being faced with the circuit courts' contrasting approaches to the party exemption rule, the Supreme Court denied certiorari on Facebook's appeal of the Davis decision, leaving the circuit split unaddressed. (19)

   This Note argues that a uniform approach to the application of the Wiretap Act is required to resolve confusion about the use of common technology among social media firms, search engines, and online advertisers so as to protect consumers' reasonable expectations of privacy against abuse. (20) This Note details the historical approaches among the circuits, as well as the legislation defining party exemption. (21) It then analyzes the merits of the circuit courts' competing interpretations to explore practical solutions to interceptions by browser cookies. (22) This Note concludes by offering an interpretation of the party exemption rule that will ensure adaption to changing technology, arguing that explicit user notice and consent prioritizes the legislature's intent to protect private communications from third-party intrusions. (23)

2. HISTORY

   1. Wiretapping Legislation and Previous Iterations of the Wiretap Act

      Statutes regulating the interception of communications in the United States have their roots in the regulation of the telephone and telegraph. (24) While these devices were advanced at the time and allowed for easy communications over vast distances, they were also unsecure. (25) A person could listen in on conversations by attaching a rod along the telephone wire, giving rise to the name "wiretap." (26) Both governmental and private actors have used wiretaps to access telephone conversations, prompting many state legislatures to pass their own laws regulating wiretaps. (27)

      In Katz v. United States, (28) the Supreme Court held that the use of warrantless wiretaps by a government entity constituted an unreasonable search in violation of the Fourth Amendment. (29) Katz concerned the investigation of a sports bettor via the wiretapping of a phone booth. (30) The Court held that this warrantless wiretapping constituted an invasion of Katz's right to privacy, stating the Fourth Amendment "protects people, not places." (31) Further, the Court introduced the concept of an individual's "reasonable expectation of privacy," which requires both a personal, subjective expectation of privacy, and an objective, societal recognition of privacy. (32)

      At the federal level, Congress took steps to regulate the use of wiretaps. (33) In 1934, Congress passed the Federal Communications Act, and its comments focused on the importance of user privacy. (34) Congress then passed the Wiretap Act of 1968--the basis for the current wiretapping statute. (35) The Act focused on wire and oral communications between at least two private parties. (36) At that time, however, much of the jurisprudence surrounding wiretaps concentrated on protecting against unauthorized government wiretaps. (37) Wiretaps were primarily a method to conduct criminal investigations rather than a method to intercept private calls. (38) The methods available--either for a private party or the government--to conduct a wiretap of telephones--the most common communication channel--were easily employed, but required physically tapping the phoneline. (39)

      While Congress aimed to restrict the interception of wire communications, they also acted to expand protections to communications made through the fast-growing internet. (40) In 1986, Congress passed the ECPA, which revised the Wiretap Act of 1968. (41) The ECPA included provisions protecting data at rest; data that is "in storage" as opposed to being transferred between parties; and metadata--defined as the "routing information" of electronic data. (42) Congress determined that communications "in transit" require separate protections and ultimately passed the updated Wiretap Act. (43) Using the prior Wiretap Act of 1968 as a model, the Wiretap Act of 1986 states that it is illegal to "intentionally intercept [o]r procure[] any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication." (44)

      This statute is further limited by the ECPA, which includes the exceptions to liability under the Wiretap Act. (45) One delineated exception is the party exemption, which allows a party to a communication to "intercept" the contents of the communication without incurring any liability under the Wiretap Act so long as one party has given consent. (46) The Wiretap Act defines electronic communication as "[a]ny transfer of signs, signals, writing, images, sounds, data, or intelligence ... transmitted ... by a wire, radio, electromagnetic, photo-electronic or photooptical system." (47) Browser communications between computers through the use of cookies fall within the Act's definition of communications. (48)

      In implementing the ECPA and the revised Wiretap Act, Congress intended to balance the privacy expectations of individuals and businesses with the realities of technology. (49) In particular, Senator Charles Mathias noted that "inadvertent overhearing" should not be penalized--the Act should only cover intentional acts of interception. (50) Congress cited the alliance of different stakeholders supporting privacy-centric goals, providing carveouts for law enforcement purposes, as one reason why it passed the Act. (51) During the ratification process, senators highlighted the ECPA's goal to "enhance the privacy of Americans and update the provisions of the 1968 wiretap act." (52) In light of these goals, Senator Mathias described the Act as "uncontroversial," and President Reagan signed it into law on October 21, 1986. (53)

   2. Browser Communications

      Companies use electronic communications to track the behavior of users that visit their websites. (54) Companies often use browser cookies as a unique identifier for individual users. (55) A browser cookie is a small text file that a website places on a user's common directory of their hard drive. (56) The website that a user visits injects a cookie onto the user's browser the moment they connect with that website. (57) When the user revisits that website, the site recognizes the cookie that sat on the user's browser since their last visit to the site, allowing the company to tailor aspects of its website to the recognized user who visits. (58)

      There are always at least two parties to the communication when a user visits a website--the user and the Webserver itself--which often places at least one cookie on the user's browser. (59) The manner in which a user's web browser sends a message to the desired website to display its contents is called a GET request, which acts as a "digital call and response." (60) Third parties may also communicate with the user when that user visits a website. (61) A...