Facebook Persistent Tracking Lawsuit Crashes Again

Screen Shot 2017-07-13 at 7.50.28 AMThis is a lawsuit based on Facebook’s tracking of users while they are logged out. The code for a “like” button implemented by third parties apparently causes the browser of a consumer visiting the third party page to send a background request to Facebook servers. This request includes the URL of the third party page in question and also the contents of the cookie placed by Facebook on the user’s browser. The net result is that Facebook is able to track any visits by users of third party websites that contain a like button, whether or not the user is logged in to Facebook.

The court previously dismissed the complaint with leave to amend. It dismisses the complaint a second time, also with leave to amend.

Standing: The court says plaintiffs have statutory standing based on their statutory claims. Their claims for invasion of privacy and breach of contract get past the standing hurdle. The one exception is plaintiffs’ claim under section 502 (California’s version of the CFAA). The court says that this claim requires a showing of damages, and plaintiffs’ vague allegations of economic harm (loss of sales value of their personal information) is insufficient. In response to the court’s previous dismissal of this claim, plaintiffs added claims for fraud and larceny, but the court says this does not change the standing analysis.

Wiretap and SCA claims: The Wiretap Act claims fail because Facebook did not intercept a communication to which it was not a party. The code in question (that plaintiffs are complaining about) actually communicated with Facebook’s servers. Since Facebook is a party to this communication, it cannot have violated the wiretap statute. As to the SCA claim, the court says there’s nothing “in storage” that Facebook accessed. Plaintiffs first pointed to the cookie as being the thing in storage, but the court rejected this. The second time around, plaintiffs point to the URLs in question. The court says that URLs are not stored incident to transmission but are stored for the user’s own convenience (for example if the user wishes to look up their own browser history). The court also notes that a user’s personal computer is not a “facility” under the Stored Communications Act.

Invasion of Privacy: This claim requires a plaintiff to show that Facebook intruded in a way that is “highly offensive”. Citing to a string of cases rejecting this argument in the online tracking and email scanning contexts, the court says plaintiffs can’t make out an invasion of privacy claim under California law.

Breach of Contract: Plaintiffs tried to rely on Facebook’s “help pages” and matters outside the terms of service to cobble together a contract claim. The court says plaintiffs’ allegations are too vague: they fail to point to the specific terms they allege Facebook breached. The court also says that a breach of the duty of good faith has to be premised on a contract term and plaintiffs can’t use this claim to import new terms into the agreement.

__

There’s not a lot to say about this beyond what I mentioned in the blog post from late 2015: “Facebook Beats Privacy Lawsuit Alleging Persistent Tracking”. (Starting from scratch two years into a lawsuit can’t bode well for overall profitability.)

A noteworthy part of the opinion relates to Facebook’s discussion of Facebook’s P3P policy, or lack thereof. Facebook apparently maintained a P3P policy that signaled that its policy “references a law that may determine remedies for breaches of their privacy policy and that there are ways to resolve privacy-related disputes.” Plaintiffs said this was inaccurate. Facebook also changed its P3P policy, saying that the protocol “does not allow a rich enough description to accurately reference [its] privacy policy.” In any event, the court says this is all a red herring because plaintiffs failed to allege that any plaintiff used versions of internet explorer that implemented P3P. The court also says that P3P is voluntary: “Facebook can choose to establish a machine-readable version of its privacy policy, but it has no legal duty to do so.” As the ruling confirms, P3P was an effort that never really got off the ground.

Facebook famously settled the Beacon lawsuit in 2009. (Has it really been that long?!) Since then, it appears to have decided to litigate rather than settle privacy lawsuits. And looks like it has a pretty good track record doing so.

Eric’s Comments:

1) Given that the P3P “standard” flamed out so long ago, it was jarring to see a 2017 discussion about the legal implications of a P3P policy. (The only other time we’ve blogged on the topic was the Del Vecchio v. Amazon case 5 years ago). I’m amazed any website still had a P3P policy in place in the past decade. If your site still has a P3P policy online, why?

2) It’s uncool for an online service to track logged out users. I feel that way even if the service discloses this fact–and even if it lets users opt-out. (Opt-ins are OK with me, but why would anyone do that?). I’m talking about you, too, Uber.

Case citation: In re Facebook Internet Tracking Litigation, 5:12-md-02314-EDJ, 2017 US Dist. LEXIS 102464 (N.D. Cal. June 30, 2017)

Related posts:

Facebook Beats Privacy Lawsuit Alleging Persistent Tracking

Disclosing Unique User IDs In URLs Doesn’t Violate ECPA–In re Zynga/Facebook

Judge Koh Puts the Kibosh on LinkedIn Referral ID Class Action — Low v. LinkedIn

The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon

A Look at the Commercial Privacy Bill of Rights Act of 2011

Flash Cookies Lawsuit Tossed for Lack of Harm–La Court v. Specific Media

Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff — Claridge v. RockYou

Another Lawsuit over Flash Cookies Fails — Bose v. Interclick

LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds–Low v. LinkedIn

The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon

Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]