Cookies refuse to crumble

17 April 2001

Rob Deans

In a recent ruling a district court judge in New York dismissed claims against DoubleClick, the Internet's largest advertising company, that its use of cookies in online advertising was unlawful.

Cookies are text strings which can be written on to the user's hard drive when visiting a web site (subject to the user not having set the browser to reject cookies). On subsequent visits to the Web site the server will recognise the cookie which it previously placed on the user's hard drive.

Servers can only check for cookies they have placed, not for cookies created by other servers. Cookies are used by web site operators to allocate individual references to users of their sites. Although these references do not identify the individual users, they can be matched with other information collected by the web site operator. In the case of DoubleClick, this information includes search queries, information posted by users online (including personal information) and surfing habits recorded through the use of gif tags.

DoubleClick's advertising network spreads over 11,000 Web sites and it has been able to use this network to compile a sophisticated database comprising detailed demographic profiles of millions of Internet users. DoubleClick can use this database to enable advertisements to appear on web sites, depending on the profile of the user of the site. This ability to "personalise" Web sites is extremely useful to advertisers such as DoubleClick.

However, privacy activists were concerned by the actual and potential uses of DoubleClick's cookie database, particularly once DoubleClick bought Abacus Direct, a direct marketing company that maintained a database comprising information on 90 per cent of United States households.

The legal action against DoubleClick is a class-action suit based on a number of grounds, including that its use of cookies amounts to unlawful hacking, wiretapping, invasion of privacy, unjust enrichment and trespass.

All arguments were dismissed by the court as being without merit or on technical grounds. However, this is unlikely to mark the end of proceedings against DoubleClick because the plaintiffs are planning to appeal against this decision and further proceedings are pending in California and Texas State courts.

The DoubleClick decision will only have limited value in countries outside the US, where the courts will apply the laws of their own jurisdictions. In Hong Kong, a claim based on the facts of the DoubleClick case may well include claims for unlawful hacking (under the Telecommunications Ordinance) and trespass. In relation to such claims (which have similarities to those presented in the DoubleClick case) Hong Kong courts would almost certainly seek to obtain guidance from the DoubleClick decision.

Hong Kong and Britain have enacted data privacy legislation relevant to the use of cookies. In Britain, the Data Protection Act 1998 permits personal data to be processed only once the relevant individual has provided consent. Web site operators in Britain who match cookies to personal data of their users should first obtain the consent of their users. Hong Kong's Personal Data (Privacy) Ordinance has no equivalent provision, although it does prohibit the use of personal data in circumstances outside the scope of the purpose for which the data have been collected.

Accordingly, Hong Kong's Privacy Commissioner has stated that Web sites should include in their privacy policies a statement as to whether they use cookies on their site and whether use of the web site is permitted if the user decides not to accept cookies. It is advisable to follow the Privacy Commissioner's recommendation to ensure compliance with the Personal Data (Privacy) Ordinance and because this reduces the risk of liability for other causes of action.

First published in Technology Post 17 April 2001.