A recent Ninth Circuit appeals case involving Facebook and Facebook users drew a clear line in the sand on multiple issues pertaining to Facebook’s practice of gathering user’s browser histories, through the use of cookies, after the user logged out of Facebook.
Plaintiffs, Facebook users, filed a complaint against the social media mogul claiming, among other things, invasion of privacy, intrusion upon seclusion, breach of contract, breach of implied covenant, violation of the Stored Communications Act (SCA), violation of the Wiretap Act, and violation of the California Invasion of Privacy Act (CIPA).
The district court granted Defendant Facebook’s motion to dismiss, finding that Plaintiffs lacked standing and that they failed to state a claim. Plaintiffs appealed. On appeal, the court focused on two issues: (1) whether Facebook users have standing pertaining to the privacy related claims against Facebook, and (2) whether Facebook users adequately allege claims that Facebook is liable for privacy violations regarding tracking users browsing history after users logged out of Facebook.
The court found that Plaintiffs had standing because they adequately alleged an invasion of a legally protected interest that was concrete and particularized. Plaintiffs’ allegations sufficiently asserted that Facebook’s tracking and collection of users’ browsing history, which was then sold to third parties for a profit, posed a material risk to users’ statutorily protected interest in controlling their own personal information. The provisions of the Wiretap Act, SCA, and CIPA codify a substantive right to privacy. Moreover, Plaintiffs had Article III standing because they adequately pled an entitlement to the profits Facebook earned by selling users’ data.
Turning to the merits of the claims, the court affirmed in part and reversed in part.
PRIVACY CLAIMS
The court found that Plaintiffs’ privacy claims, under California law, were sufficient to survive a Rule 12(b)(6) motion to dismiss. In particular, Plaintiff’s claims for relief for intrusion upon seclusion and invasion of privacy satisfied the elements discussed in Hernandez v. Hillsides, Inc., (2009) 47 Cal 4th 272, 286 and the California Constitution.
The court must consider: (1) if there exists a reasonable expectation of privacy and (2) if the intrusion was highly offensive. Specifically, the court noted that the reasonable expectation of privacy analysis focuses on the nature of the intrusion, while the second prong, the “highly offensive” analysis, focuses on the degree to which the intrusion is unacceptable as a matter of public policy.
Notably, the court emphasized that under California common law, more is needed. In a California privacy action, such invasion of privacy must be “sufficiently serious” and unwarranted, such that it constitutes an “egregious breach of social norms.” This standard required a balancing of factors such as likelihood of serious harm to the victim, degree and setting of the intrusion, the intruder’s motives and objectives, and whether countervailing interests or social norms rendered the intrusion inoffensive.
Here, the users reasonably expected that Facebook would not have access to their individual data after they logged out of Facebook. Facebook’s help center stated, “if you log out of Facebook, we will not receive information about partner websites, but you will also not see personalized experiences on these sites.” Facebook did not disclose that cookies would continue to track users browsing history after they logged out, nor did they disclose the extent of the information collected. These facts led the court to conclude that the users had a reasonable expectation of privacy with respect to their web browsing once logged out of the social media platform.
The second prong, pertaining to the highly offensive nature of the intrusion was also found in Plaintiff’s favor. Plaintiffs alleged that Facebook collected full-string URLs containing the name of a website the user visited, folders and sub-folders of the web server, and name of the precise file requested. Facebook would then correlate that information with the user’s ID, time stamp, browser settings, and even the type of the browser used. Because the information allegedly collected by Facebook was a compilation of “highly personalized” profiles from sensitive browsing histories and habits, the court felt that the manner of collection (after users logged out) violated social norms. Moreover, since Facebook admittedly then sold the profiles to other companies for a profit, their motive for intrusion as well as the potential danger of preventing a user from controlling how their private information was used supported the notion that the social media site violated social norms as a matter of public policy.
DISMISSED CLAIMS
The claims for breach of contract, breach of implied covenant of good faith and fair dealing, and that Facebook violated the SCA were properly dismissed by the district court.
The court affirmed the district court’s dismissal of Plaintiff users’ SCA claims for failure to state a claim. The SCA requires a plaintiff to plead two things: (1) Defendant gained unauthorized access to a “facility” where it (2) accessed an electronic communication in “electronic storage” 18 U.S.C. Section 2701(a).
Even when viewed in the light most favorable to Plaintiffs, Plaintiffs failed to show that the communications, the GET requests involving users’ URLs, were in “storage” as required by the SCA. Moreover, Plaintiffs’ argument that the alleged storage within a URL toolbar failed with regard to the term “storage” under the SCA’s intended scope. Specifically, the court found that browsing histories are not composed of actual communications sent by individuals, but rather are merely a record of the URLs visited by an individual.
Turning to the claims for breach of contract and implied covenant, the court’s analysis focused on Facebook’s Privacy Policy at the time of the alleged misconduct. Facebook’s December 2010 Privacy Policy did not contain any sort of agreement that Facebook would not track logged-out user data. It only stated, in relevant part, that if a user logged out, “it will not be able to access your information.” The court noted that the statement does not make any guarantees about Facebook’s receipt of the data, but rather provides users protection from third-parties receiving user information. Because Facebook did not undertake a duty to refrain from continuing to collect information after a user logged out, Plaintiffs could not possibly have hoped to state a claim.
Lastly, pertaining to Plaintiffs’ Wiretap Act and CIPA claims, the court found that although Facebook is not exempt from liability as a matter of law, because Facebook was not a party to the communication, liability still existed. Those issues, however, were not presented on appeal so the court declined to discuss whether or not plaintiffs sufficiently pleaded the necessary elements of those statutes.
Leave a Reply