• by Wendy Davis  @wendyndavis, April 8, 2011

Consumers suing the defunct behavioral advertising company NebuAd scored a victory this week when a federal judge said they can proceed with claims that NebuAd violated California's privacy laws.

U.S. District Court Judge Thelton Henderson in the Northern District of California ruled that even though the consumers aren't California residents, that state's laws apply because NebuAd was based in Redwood City. A contrary decision, Henderson wrote, would "allow California residents to violate the CIPA [California Invasion of Privacy Act] and the CCCL [California Computer Crime Law] with impunity with respect to out-of-state individuals and entities."

That ruling could prove significant because California's wiretapping law are more stringent than the federal wiretapping law. In California, it's unlawful to intercept communications without the consent of both parties -- which in the case of behavioral advertising, arguably means the Web users, as well as the sites from which data is gathered. Federal law requires only one party's consent.

NebuAd worked with Internet service providers to glean information about consumers' Web activity and then serve them targeted ads. For instance, if a user conducted a search on Google for "iPods," NebuAd could discover that information through the user's ISP -- then serve that user ads for other MP3 players.

Some of the Internet service providers involved in the tests have argued that consumers consented to this arrangement by failing to opt out of the program -- although few people were aware of NebuAd or its targeting platform. But Web sites like Google clearly did not consent to the targeting platform.

Henderson's ruling this week is the latest chapter in the 3-year-old lawsuit filed against NebuAd by 15 consumers who say the company violated a host of federal and state laws. The lawsuit grew out of behavioral-targeting tests conducted in 2007 and 2008 by NebuAd and six ISPs.

Privacy advocates said that NebuAd's technology was more intrusive than older forms of behavioral targeting because ISPs could provide data about everything consumers did online -- including their search activity and visits to non-commercial sites. Older forms of behavioral targeting only collected information from a network of commercial sites.

NebuAd consistently said its data collection was anonymous, and that consumers could opt out of the program. Most of the six ISPs that tested NebuAd's service only provided notice of the program by quietly revising their online privacy policies, but some observers called that method inadequate; consumers had no reason to suspect the change in terms.

NebuAd's emergence sparked congressional hearings in 2008. At around the same time, ISPs suspended their plans to work with the company, resulting in the company's collapse.