Data privacy issues continue to make headlines. A recent challenge concerned Facebook’s use of plug-ins to track users’ browsing histories when they visit third party websites. These browsing histories are compiled into personal profiles. Facebook then sells these personal profiles to advertisers. On April 9, 2020 in the matter of In re Facebook, Inc. Internet Tracking Litigation (20 Cal. Daily Op. Serv. 3227), the Ninth Circuitupheld an appeal allowing users to pursue a putative class action against Facebook for alleged common law and statutory privacy violations when it tracked their browsing histories after they had logged out of Facebook. The Ninth Circuit’s decision is noteworthy on two fronts. First, it signals a green light for other data privacy class action cases by reinforcing the premise that privacy violations are concrete injuries. Second, by excluding certain user tracking techniques from the ‘party exception’ to the Wiretap Act (18 U.S.C. §2510), internet companies that use these techniques are susceptible to liability under the Wiretap Act.
Facebook’s cookies are attached to a user’s browser when visiting third-party websites featuring Facebook plug-ins. The plug-ins, such as the Facebook ‘Like” button, contain codes which are embedded into third-party websites to facilitate tracking. When a Facebook user visits a third-party website with a Facebook plug-in, the code is able to duplicate and send the user’s data back to Facebook in a separate, but simultaneous communication that is undetectable by the user.
The information in the separate-undetectable communication includes a Uniform Resource Locator (URL). A URL can provide the users identity, the web server, the website name and the search terms used to locate the page. The URL, once collected, is referred to as a “referrer header.”
The Facebook cookies on the user’s browser enable the collected personal headers to be compiled into personal user profiles. Facebook then sells the information on to advertisers to generate revenue. Allegedly, between May 27, 2010 and September 26, 2011, the Facebook cookies continued to track users in this way when they were logged out of the Facebook application.
The plaintiffs filed a consolidated complaint on behalf of themselves and a putative class of Facebook account holders during the period in question, asserting violations of the federal Stored Communications Act (SCA) (18 U.S.C. § 2701), the Wiretap Act, and the California Invasion of Privacy Act (CIPA) (Cal. Pen. Code § 631(a)), together with common law privacy claims and other complaints.
After rounds of amended pleadings, the District Court ultimately granted Facebook’s motion to dismiss. First on the basis that the plaintiffs lacked standing, and second, for failure to state a claim.
The Ninth Circuit Decision
By reversing the District Court in part, the Ninth Circuit found that the plaintiffs had standing under Article III (U.S. Const. art. III) to bring all claims. However, it concluded that only the Wiretap Act, the CIPA and the common law privacy claims were sufficient to overcome Facebook’s Rule 12(b)(6) motion to dismiss (Fed. R. Civ. P. 12(b)(6)).
Article III Standing
According to Spokeo v Robins, Article III standing requires a plaintiff to have “(1) suffered an injury in fact (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision” (136 S. Ct.1540 (2016)).
Turning first to the privacy claims, the Ninth Circuit focused on whether the plaintiffs had suffered a “concrete” and “particularized” injury, generally characterized by economic or physical harm, as opposed to an “abstract” or “purely procedural” injury. The absence of economic or physical harm can be a common feature in data privacy cases.
The Ninth Circuit, however, concluded that the first prong of the Spokeo test can still be satisfied, where there has been a violation of a law in which there was legislative intent to protect a concrete interest “akin to a historical common law interest.”
Here the Ninth Circuit found that the invasion of privacy allegations constituted concrete and particularized injuries for purposes of Article III standing. This is because the Ninth Circuit’s August 2019 decision in Patel v. Facebook already acknowledged a historical common law interest in the right to privacy, and legislative history indicated that the Wiretap Act and CIPA were “intended to protect these historical privacy rights.”
Next, the Ninth Circuit turned to other claims for fraud, larceny, trespass to chattels, and California’s Computer Data Access and Fraud Act. In particular, the plaintiffs alleged that Facebook was “unjustly enriched” when it sold their personal profiles to advertisers to generate revenue. Facebook argued that these profits did not create a tangible plaintiff injury for purposes of Article III standing.
On this issue, the Ninth Circuit first emphasized the principle that “state law can create interests that support standing in federal courts.” Then, using the concept of disgorgement of profits from unjust enrichment conferred through California state law, the Ninth Circuit found that in this case, unjust enrichment constitutes a concrete injury – even though the plaintiffs suffered no economic loss themselves: thereby finding that the plaintiffs had standing to bring their claims.
Failure to State a Claim – Rule 12(b)(6)
To survive a motion to dismiss for failure to state a claim, the court must be satisfied that the facts, as alleged, give rise to an entitlement to relief. In this context, the Ninth Circuit upheld the District Court’s decision that the plaintiffs failed to state a claim with respect the non-privacy related claims, including the breach of contract and SCA claims, but considered the common law privacy, CIPA and Wiretap Act claims sufficient to survive Facebook’s Rule 12(b)(6) motion to dismiss.
The contract related claims failed because the Ninth Circuit found there was no contract between the parties. As such, it rejected plaintiffs’ claims that Facebook’s September 2011 Data Use Policy contained “an explicit promise not to track logged out users.”
Plaintiffs’ URL based SCA claims were also rejected by the Court. It concluded that URLs are not within the ambit of the SCA because they are not “communications” electronically stored “incident to transmission” (such as emails). The Ninth Circuit went on to note that even if the URLs were “communications”, Facebook had not accessed the plaintiffs’ “stored” browser histories.
As to the plaintiffs’ invasion of privacy claims, California law requires the plaintiffs to have had a “reasonable expectation of privacy”, and that Facebook’s intrusion was ‘”highly offensive.” Here the Ninth Circuit determined that the plaintiffs had a reasonable expectation of privacy. This is because Facebook made “affirmative statements” in its Statement of Rights and Responsibilities and Data Use Policies that it would not collect data while users were logged out of Facebook. Here, the plaintiffs were “logged-out” of Facebook during the alleged intrusion. The Ninth Circuit concluded that it was more appropriate for the District Court to make a finding after the pleading stage as to whether Facebook’s intrusion was “highly offensive,” since the analysis involved social norms and broader policy considerations.
Finally, Facebook sought to invoke the “party” exemption in support of its motion to dismiss the plaintiffs’ CIPA and Wiretap Act claims. The term “party,” however, is undefined in both statutes, and the Circuit Courts are split as to who qualifies as a “party” to a communication for purposes of the exemption in the Wiretap Act. Ultimately, the Ninth Circuit sided with the First and Seventh Circuits’ interpretation by finding that Facebook was not a “party” to a communication in instances where it generated and sent back to itself an undetectable copy of user’s communications. In doing so, the Ninth Circuit rejected the Third Circuit’s view that these tracking practices create a discreet second channel of communication to which the internet tracking company is the intended “party” (see In re Google Cookies, 806 F.3d 125 (2015)). The Third Circuit’s interpretation places these types of tracking techniques outside the ambit of the Wiretap Act, by distinguishing them from simple “interceptions.”
Internet and advertising companies should carefully consider how they collect user data, and in particular those companies that use cookie-based browser tracking. Until the Supreme Court settles the Circuit split with respect to the scope of the “party exemption” to the Wiretap Act, companies may need to alter their targeted advertising tracking techniques. Furthermore, companies that profit from the sale of user data should be on notice that the decision in In re Facebook, Inc. Internet Tracking Litigation may well be a watershed for data privacy lawsuits in this area.