Barbara Miller co-authored this post.
A few years back, the use of deep packet inspection software – software that examines individual data packets in a broadband transmission – to deliver targeted advertising was a hot topic in regulatory and privacy circles. Those activities spawned a series of cases against the DPI companies and their Internet Service Provider (“ISP”) partners. In one such case, the ISP just won an important victory closing a potentially troublesome area of liability. On December 28, 2012, in Kirch v. Embarq Management Co, the Tenth Circuit held that an ISP was not liable under the Electronic Communications Privacy Act of 1986 (“ECPA”) for authorizing an online advertising company to collect and use certain customer electronic information for the purpose of targeted direct online advertising. This ruling effectively ends this particular case against Embarq and likely will close a chapter in the deep-packet inspection saga. However, because the Tenth Circuit’s finding is closely tied to the facts of this case, ISPs should carefully consider potential liability under the ECPA for any actions involving the collection of customer information for purposes other than provision of ISP services.
The ECPA prohibits the interception of electronic communications and imposes civil liability for those that intercept such communications. The electronic communications covered under the ECPA include traffic on the Internet.
In 2007, Embarq authorized a third party (NebuAd) to collect certain information from Embarq’s network relating to the websites visited by some Embarq customers in order to permit NebuAd to target these customers with specific online advertisements. The information was collected using an Ultra Transparent Device installed on Embarq’s network that then sent the customer information to NebuAd servers. The information provided enabled NebuAd to identify user computers based on an assigned number, but not to identify the customers themselves. One of these customers filed suit in federal asserting that this violated the ECPA.
The Tenth Circuit held that Embarq did not “intercept” electronic communications under the ECPA because Embarq did not collect or use the data collected by NebuAd and “the only access Embarq had to the data extracted by NebuAd was in its capacity as an ISP.” There is an exception to prohibited interceptions in the ECPA when the interception occurs via equipment used by a provider of electronic communication service in the ordinary course of business. Because Embarq had no access to data other than that to which it has access in the ordinary course of business providing internet service, its actions here fell within that exception. Thus, the ruling likely will insulate future ISPs from liability under the ECPA where the ISP does not itself intercept any customer communications or data. In light of the prevalence of targeted online advertising, a contrary holding could have had far-reaching implications for ISPs.
Moreover, the Tenth Circuit held that the ISP does not have third-party liability for the actions of NebuAd. Consistent with other courts, the court held that there is no “aider and abettor” liability under the ECPA. Therefore, Embarq could not be liable to plaintiffs, even if NebuAd (rather than Embarq) violated the ECPA. The court thus did not need to determine whether NebuAd’s actions violated the ECPA.