Disclosing Unique User IDs In URLs Doesn’t Violate ECPA–In re Zynga/Facebook

In separate lawsuits, plaintiffs alleged Facebook and Zynga violated the Stored Communications Act (in Zynga’s case, also the Wiretap Act). The crux of plaintiffs’ allegations was that when a Facebook user clicked on an ad or a link, the HTTP request sent by the browser included the user’s Facebook ID and the address of the webpage the user was viewing when he or she clicked the link. An end user’s request to play Farmville would result in the transmission of similar information to third parties.

The district court dismissed the claims on the basis that anyone who received the information was an “intended recipient” and thus these disclosures were excluded from the reach of the statute. (Previous post on the case here: “Facebook and Zynga Privacy Litigation Dismissed With Prejudice”.)

On appeal, the court tackles a foundational issue: is the information disclosed by Facebook or Zynga the “content”—the “substance, meaning, or purport”—of the communication. The ECPA distinguishes between a message’s content and “record” information, which includes the name, address, “subscriber number or identity” of a subscriber (what we usually call metadata). According to the court, this distinction indicates that the statutory concept of “content” doesn’t encompass a user ID or the page from which the end user initiated the request. The court says this conclusion is bolstered by the fact that ECPA’s amendments to the Wiretap Act expressly excluded the identity of the parties or the existence of a communication (these previously could be considered content).

Plaintiffs argued that the Facebook IDs can be used to uncover personal information, but the court says this doesn’t change the analysis. Plaintiffs also argued that the record information and content information may overlap in some instances (citing to In re Pharmatrak). The court distinguishes Pharmatrak because, in that case, the users communicated with a website by entering their personal information into a form, and this information was then accessed by third parties. Finally, plaintiffs tried to rely on Fourth Amendment cases where disclosure of a URL would result in disclosure of contents of a communication. The court says that its job is to construe the relatively clear statutory language, and the scope of privacy under the Fourth Amendment is not illuminating to this.


The real bombshell is that in a memorandum disposition, the court reverses the breach of contract and fraud claims against Facebook! So what the court taketh away in a detailed opinion, it gives back in a breezy memo.

As tortuous as the ECPA analysis usually is, the court’s conclusion that Facebook’s IDs and the web pages or links in question are not “content” is common sensical. LinkedIn was able to defeat a similar lawsuit. (See Low v. LinkedIn.) Although I don’t recall if the court delved into it in Gaos, contrast this result with the one in Gaos v. Google, where Google lost a motion to dismiss, and (recently) settled a search referral case for $8.5 million.

Plaintiffs’ argument that knowing the identity of the Facebook user plus the identity of the web page in question could divulge contents has a superficial appeal. Undoubtedly, the URL often provides some clue into the substance of a webpage in question, and the thought of anyone having access to the full list of URLs we’ve accessed is not comforting. However, even if this somehow amounts to an argument that it could result in disclosure of the “content” under the ECPA, it would be a tough sell to make this argument work on a class-wide basis in this context.

Including user IDs in URLs was a short-lived practice that Facebook (and others) fixed when they were advised of it. Presumably, plaintiffs won’t continue to try to litigate their breach of contract claims, which would be comical from a damages standpoint. In any event, as with the cookie lawsuits of the early 2000s, the court makes quick work of this genre of claims.

Case citationIn re: Zynga & Facebook Privacy Litigation, Nos. 11-18044; 12-15619 (9th Cir. May 8, 2014)

Related Cases

Judge Koh Puts the Kibosh on LinkedIn Referral ID Class Action — Low v. LinkedIn

The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon

A Look at the Commercial Privacy Bill of Rights Act of 2011

Flash Cookies Lawsuit Tossed for Lack of Harm–La Court v. Specific Media

Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff — Claridge v. RockYou

Another Lawsuit over Flash Cookies Fails — Bose v. Interclick

LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds–Low v. LinkedIn

The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon

Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]