ISP Falls Beyond Reach of ECPA for Role In Transmitting User Traffic to NebuAd

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

An internet service provider that permitted third-party advertiser NebuAd Inc. to install a device that scanned traffic on its network for purposes of serving targeted advertising did not unlawfully “intercept” the contents of subscribers' communications in violation of the Electronic Communications Privacy Act, the U.S. Court of Appeals for the Tenth Circuit affirmed Dec. 28 (Kirch v. Embarq Management Co. , 10th Cir., No. 11-3275, 12/28/12).

The court held that the ECPA's civil liability provision, at 18 U.S.C. § 2520, does not provide for aiding and abetting liability, affirming a decision from the district court (Kirch v. Embarq Management Co., No. 2:10-cv-02047 (D. Kan. Aug. 19, 2011) (166 PRA, 8/26/11).

The ISP could be held liable only if it itself intercepted the communications, the court said. The court concluded that the ISP did not, looking to the statute's carve-out for the ordinary business activities of ISPs.

“[T]he undisputed facts establish that NebuAd's use of the UTA [Ultra Transparent Appliance] gave Embarq access to no more of its users' electronic communications than it had in the ordinary course of its business as an ISP[,]” the court concluded.

No ISP Liability for 'Ordinary' Intercepts.

The ECPA imposes civil liability on those who unlawfully intercept electronic communications through the use of any electronic, mechanical, or other device. However, the statute excludes from its definition of “device” any equipment “being used by a provider of wire or electronic communication service in the ordinary course of its business,” § 2510(5)(a).

The plaintiffs' complaint alleged only that the ISP permitted NebuAd to collect data by placing a collection device on its network. It was undisputed that the ISP did not have access to the data collected by the NebuAd system.

The ISP had the same access to the communications at issue as it had to all other information flowing through its network. As a result, it was protected from liability through the statutory exemption for activities conducted during the ordinary course of its business.

The court looked to Hall v. Earthlink Network Inc., 396 F.3d 500 (2005) (18 PRA, 1/28/05), for support. In that case, the court held that an ISP's continued receipt of email sent to a closed email account was not an unlawful interception because it acquired the messages in the ordinary course of its business.

The plaintiffs in Kirch sought to avoid the exemption by arguing that the ISP controlled and possessed NebuAd's data-collection device. The court was not persuaded. “If such control or possession gave Embarq access to the contents of communications beyond what it acquired in the ordinary course of business, the Kirches need to provide evidence of such access in response to Embarq's assertion of undisputed fact[,]” the court said.

Rahul Ravipudi of Panish Shea & Boyle LLP, in Los Angeles; and Paul A. Traina and Steven J. Lipscomb of Engstrom Lipscomb & Lack, in Los Angeles, represented the plaintiffs. Matthew E. Price and David. A. Handzo of Jenner & Block LLP, in Washington; and J. Emmett Logan of Stinson Morrison Hecker LLP, Kansas City, Mo., represented the defendants.

Full text of the court's opinion is available at

Request Bloomberg Law: Privacy & Data Security