Facebook Persistent Tracking Lawsuit Crashes Again
This is a lawsuit based on Facebook’s tracking of users while they are logged out. The code for a “like” button implemented by third parties apparently causes the browser of a consumer visiting the third party page to send a background request to Facebook servers. This request includes the URL of the third party page in question and also the contents of the cookie placed by Facebook on the user’s browser. The net result is that Facebook is able to track any visits by users of third party websites that contain a like button, whether or not the user is logged in to Facebook.
The court previously dismissed the complaint with leave to amend. It dismisses the complaint a second time, also with leave to amend.
Standing: The court says plaintiffs have statutory standing based on their statutory claims. Their claims for invasion of privacy and breach of contract get past the standing hurdle. The one exception is plaintiffs’ claim under section 502 (California’s version of the CFAA). The court says that this claim requires a showing of damages, and plaintiffs’ vague allegations of economic harm (loss of sales value of their personal information) is insufficient. In response to the court’s previous dismissal of this claim, plaintiffs added claims for fraud and larceny, but the court says this does not change the standing analysis.
Wiretap and SCA claims: The Wiretap Act claims fail because Facebook did not intercept a communication to which it was not a party. The code in question (that plaintiffs are complaining about) actually communicated with Facebook’s servers. Since Facebook is a party to this communication, it cannot have violated the wiretap statute. As to the SCA claim, the court says there’s nothing “in storage” that Facebook accessed. Plaintiffs first pointed to the cookie as being the thing in storage, but the court rejected this. The second time around, plaintiffs point to the URLs in question. The court says that URLs are not stored incident to transmission but are stored for the user’s own convenience (for example if the user wishes to look up their own browser history). The court also notes that a user’s personal computer is not a “facility” under the Stored Communications Act.
Invasion of Privacy: This claim requires a plaintiff to show that Facebook intruded in a way that is “highly offensive”. Citing to a string of cases rejecting this argument in the online tracking and email scanning contexts, the court says plaintiffs can’t make out an invasion of privacy claim under California law.
Breach of Contract: Plaintiffs tried to rely on Facebook’s “help pages” and matters outside the terms of service to cobble together a contract claim. The court says plaintiffs’ allegations are too vague: they fail to point to the specific terms they allege Facebook breached. The court also says that a breach of the duty of good faith has to be premised on a contract term and plaintiffs can’t use this claim to import new terms into the agreement.
There’s not a lot to say about this beyond what I mentioned in the blog post from late 2015: “Facebook Beats Privacy Lawsuit Alleging Persistent Tracking”. (Starting from scratch two years into a lawsuit can’t bode well for overall profitability.)
Facebook famously settled the Beacon lawsuit in 2009. (Has it really been that long?!) Since then, it appears to have decided to litigate rather than settle privacy lawsuits. And looks like it has a pretty good track record doing so.
1) Given that the P3P “standard” flamed out so long ago, it was jarring to see a 2017 discussion about the legal implications of a P3P policy. (The only other time we’ve blogged on the topic was the Del Vecchio v. Amazon case 5 years ago). I’m amazed any website still had a P3P policy in place in the past decade. If your site still has a P3P policy online, why?
2) It’s uncool for an online service to track logged out users. I feel that way even if the service discloses this fact–and even if it lets users opt-out. (Opt-ins are OK with me, but why would anyone do that?). I’m talking about you, too, Uber.
Case citation: In re Facebook Internet Tracking Litigation, 5:12-md-02314-EDJ, 2017 US Dist. LEXIS 102464 (N.D. Cal. June 30, 2017)