Implications of the Proposed Toys R Us Privacy Class Action Settlement

Date: Jan 16, 2003

Various suits against Toys R Us and Coremetrics were filed in 2001 in California and New Jersey stemming from activities the two companies conducted at the Toys R Us website. Toys R Us previously settled a privacy enforcement action brought by New Jersey state authorities last year. Both settlements reflect the importance of assuring that posted privacy policies carefully and accurately describe a web site's privacy and security practices.

  1. The Class Action Suits

    The class action suits alleged violations of common law privacy and various federal and state laws, including the Electronic Communications Privacy Act, the Computer Fraud and Abuse Act, and California and New Jersey consumer protection laws. (Toys R Us earlier settled an enforcement action by the New Jersey Department of Consumer Affairs, paying $50,000 as part of the settlement.) The cases were consolidated in the U.S. District Court for the Northern District of California.1 A settlement agreement has been filed with the court, and a settlement conference is scheduled for February 21. The settlement agreement requires Toys R Us to pay $900,000 and Coremetrics $400,000 to settle the case. The agreement also includes specific obligations on both parties with respect to privacy notices and practices.

    Toys R Us had contracted with Coremetrics to assist it in evaluating traffic and visitor information at its website. Coremetrics used cookies and "web beacons," "web bugs" and/or clear GIFs at the Toys R Us site, and linked that information to personally identifiable visitor information. In its posted privacy policy, however, Toys R Us represented that it did not share "any" personally identifying data with "anyone outside of Toysrus.com, its parents, affiliates, subsidiaries, operating companies and other related entities." Coremetrics was not an affiliate or operating unit of Toys R Us, but rather was a contractor, and was engaged in activities to some degree similar to those offered by companies like DoubleClick. Thus, close attention to the phrasing of a privacy policy - including explicit reference to reliance on technical and other consultants in making web sites available - will minimize the likelihood of action similar to the Toys R Us scenario. It is also essential to include an explanation of a site's use of cookies, clear GIFs and other similar tools that may result in linking browsing information with personally identifiable information.

    1. Key Allegations of the Amended Complaint

      The key allegations in the Consolidated Amended Complaint in the Toys R Us Privacy Litigation are that:

      1. Toys R Us violated its own privacy policy with a deliberate scheme to intercept records of confidential online purchases and browsing information and transmit these data to Coremetrics.

      2. Coremetrics used these illegal data collection methods to secretly intercept and access Web users' confidential online purchase and browsing information.

      3. Both companies accessed and used these data without consumer consent.

      4. Toys R Us disclosed the confidential information of its customers, including children, in direct contradiction to its stated confidentiality policy, which said it did not share personally identifiable data with anyone "outside of Toysrus.com, its parent, affiliates, subsidiaries, operating companies and other related entities."

      5. Toys R Us and Coremetrics implemented a comprehensive online targeting and profiling scheme, using "data tags," "web bugs," "cookies" and "unique identifiers."

      6. This technology allowed the companies to develop valuable commercial databases containing detailed user profiles.

      7. Toys R Us used this unlawfully intercepted information to enrich itself.

      8. Toys R Us had a misleading and deceitful privacy policy.

    2. Alleged Violations

      As noted above, the Consolidated Complaint charges violations of the Federal Trade Commission's (FTC) Fair Information Practice Principles, the Electronic Communications Privacy Act ("Interception of Electronic Communications")2, the Computer Fraud and Abuse Act3, the California Invasion of Privacy Act4, as well as California and New Jersey consumer protection and fraud statutes.5 It also included an unjust enrichment count, alleging that the defendants misappropriated the economic value of the class members, who have a right to sell personal information to third parties.6

      Among the interesting aspects of this complaint are: 1) its characterization of Coremetrics and Toys R Us as co-conspirators who specifically intended to violate the privacy rights of consumers, 2) the proposition that the undisclosed use of cookies and Web Bugs is almost per se a violation of privacy, and 3) the proposition that collecting personal information in this manner has resulted or will result in unjust enrichment of these companies at the consumer's expense.

  2. Toys R Us Settlement with N.J. Department

    The New Jersey Department of Law and Public Safety, a division of Consumer Affairs, investigated Toys R Us and reached a settlement with the company, announced January 3, 2002. The focus of the investigation was on how the company used cookies, and whether or not the company violated its own stated privacy policy, which could constitute consumer fraud under New Jersey law. This action was part of the state's crackdown on the alleged improper use of cookies among companies doing business in New Jersey. Toys R Us maintained that it was true to its privacy policy since it did not sell or rent personal information about customers.

    In the settlement, the company agreed to clarify its privacy policy while not admitting any liability or wrongdoing. It agreed not to make misrepresentations in its privacy policy as to its collection, use and transmission of personally identifiable information, and agreed to maintain a clear and conspicuous link to its privacy policy on its website and to fully disclose the use of cookies or other devices to track consumers on the Net. The focus in the settlement is on clear and conspicuous disclosure, particularly with regard to distribution of information to third parties. There is no reference to a conspiracy or to unjust enrichment at the expense of the consumer. Instead, Toys R Us is mainly guilty of "confusing wording," which can be improved.

  3. Lessons Learned

    The Toys R Us and Coremetrics privacy problems began when someone noticed that cookies were being set by Coremetrics at the Toys R Us website. While Coremetrics was working as a consultant for Toys R Us in what Toys R Us describes as a "trial arrangement" to assist it in evaluating information about how visitors used the site, the Toys R Us privacy policy did not reference the use of consultants or agents. The failure to disclose certain information collection practices, and an imprecisely worded privacy policy that failed to accommodate the use of consultants, were major factors that gave rise to the suits.


1 In re Toys R Us, Inc., Privacy Litigation. MDL No. M-00-1381-MMC (N.D. CA. 2001)

2 18 U.S.C. §2510 et seq.

3 18 U.S.C. §1030.

4 Cal. Penal Code § 630 et seq.

5 See Cal. Bus. & Prof. Code §17200 et seq.; N.J. Stat. §56:8-1 et seq.

6 The Consolidated Amended Complaint notes that "several Internet marketing and market research companies have paid Internet users a fee to allow them to track their Internet movements or surfing habits, thus paying for the right to gather information on a person's online habits." Id. at paragraph 58.

For more information, please contact Sheila Millar at (202)434-4143 or by e-mail at millar@khlaw.com