• by Wendy Davis  @wendyndavis, October 12, 2009

A federal judge has dismissed a privacy lawsuit against six Internet service providers who worked with defunct behavioral targeting company NebuAd.

U.S. District Court Judge Thelton Henderson in the northern district of California ruled that it would be unfair to force the ISPs -- Bresnan, CenturyTel, Embarq, Knology, WOW, and Cable One -- to defend themselves in California when they had no contact with the state except for their contract with the Redwood City-based NebuAd.

"The six ISP Defendants have sustained their burden of demonstrating that haling them to court in California is unreasonable under these circumstances," Henderson wrote. "Exercising jurisdiction over them would not comport with notions of fair play and substantial justice."

Last year, 15 Web users sued NebuAd and six ISPs for violating their privacy by deploying a behavioral targeting platform that used deep-packet inspection technology to monitor users' Web activity. They alleged that the platform violated federal wiretap laws and other statutes.

The ISPs sought to dismiss the case for several reasons. They argued that they should not have to defend a lawsuit in California when they were not based in the state and none of the subscribers who sued were residents of the state. They also made a more substantive argument that NebuAd alone was responsible for any privacy violations.

While Henderson agreed that California was the wrong locale for the lawsuit, he rejected the ISPs' contention that they were not responsible for any unlawful activity. "Defendants claim they did nothing more than allow NebuAd's devices to be installed. However, adopting that position -- and ignoring the consequences (and profits) that flowed from the installation of NebuAd's devices -- is precisely the kind of 'rigid and formalistic' analysis that this Court must avoid," Henderson wrote.

The consumers' lawyer says he intends to refile complaints against the ISPs in other states. "The decision should not be an impediment to the plaintiffs ultimately obtaining their day in court and the recovery they deserve," says Scott Kamber, a partner in the law firm KamberEdelson.

NebuAd has shuttered and is liquidating its assets, but the plaintiffs still might be able to collect damages from NebuAd's insurance company.

But even if NebuAd has insurance, the carrier might balk at paying, says Seattle-based Internet law expert Venkat Balasubramani. "There might be a battle around whether this type of incident was covered under insurance," says Balasubramani. "Insurance companies typically leave exclusions for willful misconduct."

NebuAd consistently denied infringing on users' privacy. The company said that all data collected was anonymous because the company didn't know users' names or phone numbers or keep copies of the IP addresses associated with users. NebuAd also said that it did not collect sensitive data, and that users could opt out of the platform.

But the platform was controversial because of the scope of information available to NebuAd. Unlike older behavioral targeting companies that only collected data from a network of publishers, Internet service providers have access to all Web activity -- including users' searches and their visits to non-commercial sites. The company's emergence spurred congressional hearings, following which NebuAd suspended plans for further tests.