Recently, several pharmaceutical companies narrowly dodged a privacy class-action bullet concerning their collection of data about Web-site visitors. See In re Pharmatrak, Inc. Privacy Litigation, No. 00-11672-JLT (D. Mass. Nov. 6, 2003) (granting summary judgment for defendants), copy available at the BNA Web site, on remand from 329 F.3d 9 (1st Cir. 2003) (reversing and remanding summary judgment dismissing action).
The lesson for marketing managers is to check whether your Web-site programmers are submitting forms with the GET method in a way that results in saving personally-identifying information about your site’s visitors.
Background
Each of the pharma companies wanted to compare usage of different parts of its Web site with the same information from competitors’ sites. To do this, they signed up with Pharmatrak, which provided a service that utilized browser “cookies” to collect information about which users had visited which Web sites.
Privacy apparently was a concern from the start. Pharmatrak emphasized in its marketing that it did not collect personally identifiable information. In signing up with Pharmatrak, most of the pharmaceutical companies sought and received assurances from Pharmatrak that the tracking service would not collect personal or identifying data about their Web site visitors.
Alas, it didn’t work out exactly that way. It turned out that, through inappropriate programming practice at various companies, Pharmatrak did indeed unintentionally collect some such personal data for a few Web site visitors. That led to a class-action privacy lawsuit under the Electronic Communications Privacy Act of 1986 (ECPA), 18 U.S.C. §§ 2511, 2520.
The Technology Problem
Apparently the main culprit was a Pharmatrak customer’s use of the GET method, instead of the POST method, to submit a form that collected user information. As explained by the appellate court:
The personal information in 197 of the 232 user profiles [for which personally-identifiable information was improperly collected] was recorded due to an interaction between NETcompare and computer code written by one pharmaceutical client, Pharmacia, for one of its webpages.
Starting on or before August 18, 2000 and ending sometime between December 2, 2000 and February 6, 2001, the client Pharmacia used the “get” method to transmit information from a rebate form on its Detrol website; the webpage was subsequently modified to use the “post” method of transmission. This was the source of the personal information collected by Pharmatrak from users of the Detrol website.
Web servers use two methods to transmit information entered into online forms: the get method and the post method. The get method is generally used for short forms such as the “Search” box at Yahoo! and other online search engines. The post method is normally used for longer forms and forms soliciting private information.
When a server uses the get method, the information entered into the online form becomes appended to the next URL. For example, if a user enters “respiratory problems” into the query box at a search engine, and the search engine transmits this information using the get method, then the words “respiratory” and “problems” will be appended to the query string at the end of the URL of the webpage showing the search results.
By contrast, if a website transmits information via the post method, then that information does not appear in the URL. Since NETcompare was designed to record the full URLs of the webpages a user viewed immediately before and during a visit to a client’s site, Pharmatrak recorded personal information transmitted using the get method.
* * *
In addition to the problem at the Detrol website, there was also another instance in which a pharmaceutical client used the get method to transmit personal information entered into an online form. The other personal information on Pharmatrak’s servers was recorded as a result of software errors. These errors were a bug in a popular email program (reported in May 2001 and subsequently fixed) and an aberrant web browser.
(Footnotes omitted, paragraphing edited.)
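To make the court’s GET-versus-POST explanation concrete, here is a small audit script (added here as an illustration; it is not code from the court record, from Pharmatrak, or from any of the pharmaceutical companies). It parses a page’s HTML forms, flags any form that submits fields with sensitive-looking names via GET (including forms with no `method` attribute at all, since the HTML default is GET), shows the exact URL a browser would request for a GET submission, and checks a captured URL for personal data in its query string. The sample HTML, field values, and `www.example.com` base URL are constructed for the example; the rebate-form field names are assumptions, not the actual Detrol page.

```python
"""Audit HTML forms for GET submissions that would leak form data into URLs.

A tracker that logs full page URLs (or the Referer header sent to the next
page) captures everything in a query string.  POST keeps the fields in the
request body, where a URL logger never sees them.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urljoin, urlsplit

# Substrings that usually mark a personally-identifying field (assumed list).
SENSITIVE_TOKENS = ("name", "email", "phone", "address", "zip", "postal",
                    "ssn", "dob", "birth")

BASE_URL = "https://www.example.com"  # constructed; stands in for a client site

# Constructed sample page: a rebate form using GET, a harmless search form
# with no method attribute (defaults to GET), and the corrected POST form.
SAMPLE_HTML = """
<form action="/rebate" method="GET">
  <input type="text" name="first_name">
  <input type="text" name="email">
  <input type="text" name="zip">
  <input type="submit" value="Send">
</form>
<form action="/search">
  <input type="text" name="q">
</form>
<form action="/rebate" method="post">
  <input type="text" name="first_name">
  <input type="text" name="email">
</form>
"""

# Constructed values a visitor might type into the rebate form.
VALUES = {"first_name": "Jane", "email": "jane@example.com", "zip": "02139"}


def is_sensitive(field_name):
    """True if the field name looks like it carries personal data."""
    lowered = field_name.lower()
    return any(tok in lowered for tok in SENSITIVE_TOKENS)


class FormCollector(HTMLParser):
    """Collect each <form>'s action, method and named input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # No method attribute means GET: that is the HTML default.
            self._current = {"action": a.get("action", ""),
                             "method": (a.get("method") or "get").lower(),
                             "fields": []}
        elif tag in ("input", "select", "textarea") and self._current is not None:
            if a.get("name"):
                self._current["fields"].append(a["name"])

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_forms(html):
    """Return the forms that would send sensitive fields in the URL via GET."""
    parser = FormCollector()
    parser.feed(html)
    flagged = []
    for form in parser.forms:
        leaked = sorted(f for f in form["fields"] if is_sensitive(f))
        if form["method"] == "get" and leaked:
            flagged.append({"action": form["action"], "leaked": leaked})
    return flagged


def submission_url(form, values, base=BASE_URL):
    """The URL a browser requests when submitting `values` through `form`."""
    url = urljoin(base, form["action"])
    if form["method"] == "get":
        return url + "?" + urlencode(values)   # fields land in the URL
    return url                                  # POST: fields go in the body


def pii_in_query(url):
    """Field names in a logged URL's query string that look like personal data."""
    query = parse_qs(urlsplit(url).query)
    return sorted(k for k in query if is_sensitive(k))


if __name__ == "__main__":
    for form in audit_forms(SAMPLE_HTML):
        print("GET form", form["action"], "leaks", form["leaked"])
    get_url = submission_url({"action": "/rebate", "method": "get"}, VALUES)
    print("Logged URL:", get_url, "->", pii_in_query(get_url))
```

Run against a saved copy of each page that carries a form, the script reports the forms to convert to POST. Converting to POST only keeps the values out of URLs, server logs, and Referer headers; it does not encrypt them, so the form should also be served and submitted over HTTPS.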
A Happy Ending — So Far
The pharmaceutical companies eventually won, because the trial court found they did not have the requisite “intent” to commit the privacy-violating acts, as defined in the ECPA. We’ll see if the judgment survives the inevitable appeal.
Possible Lesson
The lesson learned here is a technical one, but it applies to both Web-site programmers and to marketing people: Be careful about submitting forms with the GET method. Field values submitted by GET become part of the URL, and anything that logs URLs (your own server logs, a third-party tracking service, or the Referer header the browser sends to the next page) will capture them. Make sure you’re not inadvertently collecting private information about your Web-site users; and remember that switching to POST keeps the data out of URLs but does not encrypt it, so sensitive forms should also be served over HTTPS.