Facebook Beats Privacy Lawsuit Alleging Persistent Tracking

This is a lawsuit against Facebook alleging that it tracked people visiting websites throughout the web even if they were not logged on to Facebook. As the court describes the allegations, Facebook uses a persistent cookie that tracks a person’s interactions with any page containing a “like” button (regardless of whether or not the person interacts with the like button). Plaintiffs allege common law claims as well as state and federal statutory claims.

Common law claims: The common law claims all fail for lack of Article III standing. Citing the LaCourt v. Specific Media, Low v. LinkedIn, and In re Google Inc. Cookie Placement cases, the court says that misusing a plaintiff’s information does not create standing even if the plaintiff alleges that the information had some value to them. Plaintiffs do not (and typically cannot) allege that this misuse hampered their own ability to monetize their personal information, and this undermines any harm they suffer. The court says:

That programs may exist to compensate internet users with $5 gift cards in exchange for monitoring their browsing activity is a fact of little assistance to Plaintiffs when they have not also alleged an inability to participate in these programs after Facebook collected their information

Statutory claims: As to the statutory claims, the court says that under Edwards v. First American, a plaintiff can have Article III standing solely by virtue of a violation of the plaintiff’s statutory rights (to the extent the relevant statute grants the right to sue and does not require economic damages as a prerequisite). Three statutes that fall into this category are the Wiretap Act, the Stored Communications Act, and the California Invasion of Privacy Act. Therefore, unlike the common law claims, Plaintiffs have standing under these statutes regardless of any allegation of economic harm. That still doesn’t mean the plaintiffs win, however.

ECPA: As to the Wiretap Act claim, the court says plaintiffs have not alleged that Facebook intercepted the “contents” of any communications, and their allegations are akin to the referer header allegations rejected by the Ninth Circuit in the Zynga case. The court says the SCA claim is also deficient because the term “electronic storage” does not encompass cookies (but rather is directed at the temporary storage of communications such as emails).

CIPA: The court also rejects the CIPA claim, questioning whether Facebook uses a “machine, instrument, or contrivance” to obtain the contents of the communications. The court also says that plaintiffs don’t credibly allege that Facebook obtained the contents of any of the plaintiffs’ communications.


Companies that track logged-out users are not respecting consumer preferences. It’s a good bet that most people, when they log out, are expressing an implicit preference to not be tracked. Facebook is not famous for respecting user privacy, so it is not terribly surprising that they engaged in this practice. This is the sort of thing you would expect something like an FTC-mandated privacy audit (which Facebook is required to do) to prevent.

At the same time, it’s not surprising to see this lawsuit crash and burn. The communications privacy statutes are arcane and convoluted, and you get the sense sometimes that the courts engage in contortions. But it’s hard to think of an area where plaintiffs face such a wall of adverse precedent as in a case involving cookies and tracking.

Eric’s Comment: the plaintiffs claimed $15B in damages. I wonder if this laughably large number contributed to the judge’s skepticism. Then again, GOBOGH!

Case Citation: In re Facebook Internet Tracking Litigation, 2015 WL 6438744 (N.D. Cal. Oct. 23, 2015)

Related posts:

Disclosing Unique User IDs In URLs Doesn’t Violate ECPA–In re Zynga/Facebook

Judge Koh Puts the Kibosh on LinkedIn Referral ID Class Action — Low v. LinkedIn

The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon

A Look at the Commercial Privacy Bill of Rights Act of 2011

Flash Cookies Lawsuit Tossed for Lack of Harm–La Court v. Specific Media

Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff — Claridge v. RockYou

Another Lawsuit over Flash Cookies Fails — Bose v. Interclick

LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds–Low v. LinkedIn

Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]