Facebook Scores Initial Win Against Privacy Plaintiffs Over Data Leakage Claims — In re Facebook Privacy Litigation
[Post by Venkat Balasubramani]
In re Facebook Privacy Litigation, 2011 WL 2039995 (N.D. Cal.; May 12, 2011)
There are so many recent privacy class actions out there, it’s become tough to keep track of them all. One of the early lawsuits against Facebook was consolidated in the Northern District of California, in front of Judge Ware. In an order issued yesterday, Judge Ware granted Facebook’s motion to dismiss the complaint. Although he granted leave to amend on certain counts, he certainly expressed some skepticism about the overall merits of the case.
As the court summarizes them, the facts boil down to Facebook’s transmission to third-party advertisers of the user ID or “username” of Facebook users who clicked on advertisements. This started “no later than February 2010 and … continued until May 21, 2010.” The transmission of this information forms the basis of putative class action claims for violations of the Stored Communications Act and the Electronic Communications Privacy Act, California’s anti-hacking law, and a slew of state law claims.
Standing: The court first tackles Facebook’s argument that plaintiffs lack Article III standing because they have not suffered “injury in fact.” Because plaintiffs have alleged violations under a statute which “can be understood as granting persons in the plaintiff’s position a right to judicial relief,” the court finds that plaintiffs have standing to sue.
Wiretap Act/Stored Communications Act: With respect to plaintiffs’ claims under the Wiretap Act and the Stored Communications Act, court says that:
there are two possible ways to understand Plaintiffs’ allegations. On the first view, Plaintiffs alleged that when a user of Defendant’s website clicks on an advertisement banner displayed on that website, that click constitutes an electronic communication from the user to Defendant. Under this interpretation, the content of the user’s communication with Defendant is a request that Defendant “send [a further] electronic communication to [an] advertiser.” On the second view, Plaintiffs allege that when a user of Defendant’s website clicks on an advertisement banner, that click constitutes an electronic communication from the user to the advertiser. Under this interpretation, Plaintiffs are merely “asking [Facebook]” to pass the communication along to its intended recipient, who is the advertiser.
The court finds that neither approach states a claim under the Wiretap Act. Citing to the language of the statute, the court notes that it restricts entities who provide electronic communication services from divulging the contents of any communication, other than a communication “to such person or entity or an agent thereof.” Similarly, the statute restricts a provider from divulging the content of a communication to any person or entity “other than an addressee or intended recipient of such communication.”
The court arrives at a similar conclusion under the Stored Communications Act, which contains an exception for disclosure where the “addressee or intended recipient” consents to the disclosure.
Unfair Competition Claim: The unfair competition claim requires plaintiffs to have “lost money or other property as a result of the unfair competition.” The court finds that “personal information” does not constitute “property” for purposes of California’s unfair competition law. Plaintiffs cited to the AOL data search case (Does v. AOL, LLC) for the proposition that “personal information” can be property for this purpose, but the court points to a significant difference between the two cases: plaintiffs in the AOL case paid fees for the service. In contrast, plaintiffs in this case used Facebook’s service for free. The court footnotes plaintiffs’ argument that personal information “constitutes currency” as not being supported by any case law. The unfair competition law claims are dismissed with prejudice.
California Penal Code sec. 502: Plaintiffs brought claims under California anti-hacking statute. This was most recently construed in Facebook v. Power.com, where the same judge said that the words “without permission” should be interpreted to require circumvention of some technological measure and not just access in violation of a website or service terms of use. The court finds that plaintiffs failed to allege that Facebook bypassed any technical barriers in transmitting plaintiffs’ personal information. The court dismisses these claims with prejudice, but gives plaintiffs leave to re-allege the claim under subsection (c)(8) of the statute, which covers the introduction of “any computer contaminant into any computer.”
Consumer Legal Remedies Act: The court finds that this only applies to individuals who “purchase or lease” goods or services for personal or household use. Plaintiffs have not paid any money to use Facebook. Plaintiffs relied on their “personal information is currency” argument, but the court doesn’t give it the slightest credit. This claim is dismissed with prejudice.
Contract Claim: The contract claims fail for lack of any allegation of “actual damages.” The court will allow plaintiffs to amend to “allege specific facts showing appreciable and actual damages in support of their claim.”
Fraud: No luck on the fraud claim either. Plaintiffs fail to allege reliance on any alleged fraudulent misrepresentations. The court grants leave to allege reliance.
Unjust Enrichment: The court says plaintiffs cannot simultaneously pursue an unjust enrichment claim while simultaneously pursuing a contract claim. This claim is also dismissed with prejudice.
__
Plaintiffs have one more chance with respect to several of these claims, but the court is pretty unimpressed with the lawsuit overall. In the last paragraph of the court’s recitation of the facts, it notes plaintiffs “suffered injury.” This looks like the judicial version of using air quotes.
I’m somewhat surprised at how easy the court’s conclusions seemed on the ECPA and SCA claims. The court’s conclusion on these issues is similar to the conclusion from the Doubleclick lawsuit over cookies from 2001 (In re Doubleclick). With respect to California penal code section 502, I don’t see how the transmission of information states a claim under this statute. There have not been many rulings construing this statute, but it looks like the Power.com ruling will certainly be a meaningful hurdle for claims under this statute.
The interesting part of the lawsuit is the treatment of personal information as “property.” The court is extremely skeptical of this theory. There was speculation as to whether acceptance of the classification of personal information as property for standing purposes would empower privacy plaintiffs when it came to the merits. Only a few results are in, but so far this does not seem to be the case. (See the discussion of Claridge v. RockYou, where this theory seems to have first been given credit for standing purposes: “Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff.”) A lawsuit over flash cookies was recently dismissed for lack of actual harm, and the court in that case also expressed skepticism over the “personal information as valuable property” theory. (See Professor Goldman’s post on that case: “Flash Cookies Lawsuit Tossed for Lack of Harm–La Court v. Specific Media.”) I don’t know if there was a hearing on this particular motion, but if there was, I can see the judge taking off his glasses, looking down at plaintiffs’ counsel and giving the “you can’t be serious here” look. At least, that’s the tone of the order. It’s also worth noting that plaintiffs who are subscribers of free services will have challenges bringing claims under some of the state statutes because they are not paying customers. Whatever the viability of the “personal information as valuable property” theory for other causes of action, courts do not appear very willing to treat personal information as the equivalent of money, in order to turn an otherwise free service into a paid service.
I’m with Professor Goldman on these lawsuits. I have a really tough time seeing the harm here. Maybe there’s an example out there of a company finding out the identity of someone on Facebook who clicked on their banner ads, and all sorts of real-life negative consequences that flow from this. This sounds implausible enough that plaintiffs should have made some sort of attempt to explain why this is the case or provide an example or two. Judging from the court’s order, plaintiffs didn’t bother doing this, or did not do so effectively. I haven’t even read any newspaper articles which points to any compelling examples of real world harm that resulted from this disclosure of information by Facebook.
Plaintiffs get another chance for some of the claims, but it looks like they have a judge who is going to take a serious look at their claims. It’s going to be a long road for these plaintiffs.