Privacy Cases Not Yielding Much Payoff

Not long ago, invasion of privacy looked as if it might follow in the legal footsteps of securities fraud, tobacco deaths and exploding tires as a source of multimillion-dollar court judgments for consumers doing battle with giant corporations.

Instead, consumers suing over alleged misuse of their personal information have suffered a string of courtroom setbacks and paltry settlements. Based on several pending out-of-court deals, the going rate for corporate invasions of personal privacy appears to be about $50 a pop, hardly the gold mine predicted by class-action attorneys.

DoubleClick Inc., an online ad firm, got its privacy lawsuit tossed out of federal court. RealNetworks Inc. forced its litigants into arbitration. Amazon.com Inc. settled for far less than consumers originally sought.

Corporations have benefited from the fact that most privacy law protects citizens against invasions by the government, not by business. And much of the case law on the subject dates back 50 years, long before the Internet and other technology gave companies new tools to collect and use personal information about consumers.

With Congress still unsure about the need to strengthen privacy protections, plaintiffs’ attorneys are resorting to creative legal arguments. “You have to stitch and quilt existing laws to make it work,” said Evan Hendricks, a Washington privacy advocate. “It’s not clean and it’s not easy.”

A New York federal judge unraveled the latest product of such legal stitching March 30 when she dismissed a privacy class-action suit against DoubleClick.

Plaintiffs argued that the firm’s use of cookies--small files placed on an individual’s computer to store personal data--violated criminal wiretap and computer hacking laws. DoubleClick countered that the laws, which were originally crafted to protect against hacking and e-mail spying, should not apply to privacy cases.

The federal statute at the center of the case, known as the Electronic Communications Privacy Act, has caught the attention of privacy class-action attorneys because it calls for fines of as much as $10,000 per violation. Because Internet firms such as DoubleClick have installed millions of cookies, damages could reach hundreds of millions of dollars.

But District Judge Naomi Buchwald refused to apply the wiretap statute to the DoubleClick suit and dismissed the case before trial. Plaintiffs are appealing.

The ruling does not bode well for similar cases brought in federal courts nationwide based on the same statute, including suits against Web advertisers Avenue A Inc. and MatchLogic, a unit of Excite@Home.

“It’s a mistake for plaintiffs’ attorneys to believe that they’ve struck gold in privacy,” said Alan Westin, a privacy expert and business consultant. “The courts have been very careful in their decisions. I don’t see any home runs for class-action attorneys so far.”

Westin’s research firm, Privacy & American Business, is tracking 57 consumer privacy cases in state and federal courts. He expects many to end in settlements out of court.

Alexa Internet, a unit of Amazon.com, revealed last week that it had agreed to pay up to $40 each to consumers who could demonstrate that their personal information was improperly gathered by the company. Alexa distributes software that monitors Internet surfing and then recommends related Web sites that might be of interest to users.

But a preliminary survey found that less than 5% of the class of victims would qualify for the payments or bother to make a claim, according to an attorney familiar with the case.

Minneapolis-based U.S. Bank was sued in 1999 for selling customer data to a telemarketer. Under a proposed settlement, payouts would range from $25 to $400 per customer, although most are expected to be less than $50. Consumers have not received their checks because attorneys are wrangling over fees, which could reduce how much consumers get.

Other companies have rebuffed privacy suits by invoking arbitration clauses.

RealNetworks, which was accused of using software that secretly collected information about users’ music-listening habits, convinced a federal judge that its standard software licensing agreement, which users must accept before downloading the program, required that disputes be settled by arbitration.

Companies prefer arbitration because it is usually confidential, often yields lower payouts and does not permit class-action status.

Now AOL Time Warner Inc., whose Netscape browser unit is battling its own privacy suit, is hoping to use the same strategy to push its pending cases into arbitration.

Though consumer payouts for privacy invasion have not been substantial so far, Westin noted that class-action attorneys themselves are reaping large fees. For example, fees in the U.S. Bank case are expected to top $1.25 million. Plaintiffs’ attorneys for Alexa users are set to receive $1.9 million.

Class-action attorneys and privacy advocates concede that they are off to a bumpy start. But if they have not won large monetary awards, they argue that they are forcing businesses to improve their privacy protections.

“As a result of these cases, Web users’ privacy has been increased and additional protections have been put into place,” said Adam Levitt, a Chicago attorney representing DoubleClick, RealNetworks and Amazon plaintiffs.

In addition, privacy advocates can point to a handful of promising legal cases, including a recently certified class-action suit against CVS Corp., a drugstore chain. The suit was filed by an AIDS patient after CVS bought his local pharmacy and disseminated his prescription records to CVS stores nationwide without his permission. CVS says it broke no laws.

Another widely watched case, based partially on invasion of privacy claims, is in the final stages of a settlement that could yield $15 million for as many as 23,000 consumers nationwide.

The suit, filed in Texas, was spurred by Beverly Dennis, an Ohio woman who received a consumer questionnaire from information broker Metromail, which offered to compensate Dennis for her participation by sending free coupons.

Instead, Dennis received a threatening, sexually explicit letter from a convicted rapist in Texas, one of many prisoners used by Metromail to input the survey data into computers.

Dennis sued Metromail, now part of Orange-based credit bureau Experian, for invasion of privacy, fraud and negligence.

But such a large settlement is more an exception than the rule, said her attorney, Michael Lenett. Not only were the circumstances of the case unusually shocking, but the prisoner’s letter also provided tangible evidence of the harm caused by the invasion of Dennis’ privacy.

“Most of the injury in privacy cases is emotional and intangible,” Lenett said. “It’s hard to prove actual harm.”

Setting a price tag on that kind of injury remains elusive. Unless consumers are the victims of fraud, embarrassment or identity theft, they have difficulty showing injury from the collection and use of their Web-surfing habits, the sale of their bank records to a telemarketing firm or the sharing of pharmacy records with affiliated drugstores.

Attorneys Turn to State Laws

The lack of specific privacy invasion statutes is another stumbling block for consumers. Most federal privacy laws were adopted in the 1970s and restrict government use of information about citizens, not commercial use. In most cases, enforcement rests with federal agencies, not private citizens.

As a result, many class-action attorneys are turning to state courts, where there are more established consumer protection laws dealing with invasion of privacy, breach of contract, deceptive business practices and trespassing. DoubleClick still faces state lawsuits in California and Texas.

But even state laws related to invasion of privacy were written to address such things as improperly using a celebrity’s likeness and portraying someone in a false light, not collecting or selling personal information.

“We urgently need laws that address the collection of data on the Internet,” said Jason Catlett, president of Junkbusters, a privacy advocacy group. Even business might benefit by having a clearer idea of which practices are appropriate and which cross the line.

Companies say they are highly concerned about losing the trust of consumers over their privacy practices and worry about the negative publicity that privacy lawsuits generate. “Companies react strongly to public attention,” said Jules Polonetsky, chief privacy officer at DoubleClick, whose stock declined and customers dropped after its privacy controversy.

Nor is the courtroom battle over. “All it takes is one judge or one jury,” Westin said. “Most the cases are still pending. . . . No company wants to become the poster boy” for invading privacy.