THE LEGAL case of Pharmatrak is still unfolding, and has direct implications for all of us. This case drives home the point that very detailed personal information about us can be obtained as we surf the web without our knowledge or consent unless we take precautions.

How the gathering of this information is accomplished, who is doing the gathering, and what types of personal information are gathered, become very important depending on what types of information the web surfer is searching for.

The Case

Pharmatrak sold a service to pharmaceutical companies that allowed the pharmacies to compare how visitors used their websites, and what the most common areas of the Internet these visitors were coming from. Most of the companies didn’t want to see details about their visitors, and in fact Pharmatrak made assurances to them that identifying or personal information would not be collected about visitors. However, even though Pharmatrak claimed that they were not collecting personal information and that their systems were designed not to collect personal information, personal information on a small number of visitors was in fact found on their servers. Types of information collected included names, addresses, phone numbers, email addresses, birthdates, education levels, medical conditions, and gender.

Individuals sued Pharmatrak claiming that Pharmatrak had violated the federal Electronic Communications Privacy Act (ECPA) by intercepting electronic communications without consent. In this case, the electronic communications would be the personal information about visitors to the sites.

The District Court originally ruled in favor of Pharmatrak saying that there had been consent. This means that the Court found that the pharmaceutical companies that contracted with Pharmatrak had implicitly consented to the collection of personal information. In the Court’s view, since the companies had consented, it did not matter whether the individual website visitor consented. In a practical sense this would mean that if you went to a medical site and wanted to find out if Viagra was right for you, your personal information could be shared with others even if you actually read the site’s privacy policy which says they won’t share information. The District Court also ruled that Pharmatrak’s actions did not constitute interception under the ECPA.

Not a good result.

The case was appealed, and in May of this year, the appeals court ruled that the District Court had incorrectly interpreted “consent”, and that Pharmatrak had in fact intercepted communications under the ECPA. The case now goes back to the District Court for further proceedings.

What This Case Means For Us

Even though the case against Pharmatrak has been resurrected, there is still no guarantee that the outcome will be a good one for consumers. The appeals court found that the District Court’s interpretation of “consent” was deficient, but whether or not Pharmatrak’s conduct was intentional is still at issue. In other words, did Pharmatrak mean to cause an interception? It’s a very technical issue, but one that has the potential to deny people remedies when privacy intrusions occur. If there are no consequences for such intrusions, this in turn is likely to lead corporations to be less careful and thus lead to privacy problems.

On the other hand, the outcome is also not necessarily a good one for corporations. Although it was not an issue in this case, suppose Pharmatek’s actions had inadvertently led the pharmaceutical companies to breach their web site’s privacy policy; would similar logic mean that companies themselves were liable, rather than Pharmatek?

This case shows us that the law is not always there to protect us against actions that most people would view as privacy invasions. Fortunately, there are several things that we can do to protect our privacy online.