Ninth Circuit Reinstates Decade-Old Lawsuit Against Facebook For Tracking Logged-Out Users–In re Facebook Internet Tracking

Users sued Facebook in 2012 alleging it improperly tracked users’ browsing while they were logged out of Facebook. Facebook apparently included code in its “like” button on third party websites that would inform Facebook when the user visited the website (and the particular URL visited).

Users asserted a variety of claims: (1) violations of state and federal privacy statutes; (2) invasion of privacy claims; (3) breach of contract and breach of the duty of good faith; (4) fraud; (5) trespass to chattels; and (6) larceny.

The district court found the users lacked standing to pursue the trespass, the California Data Access and Fraud Act, fraud, and larceny claims. It found users had standing to pursue the remaining claims but dismissed them on the merits.

Standing: The Ninth Circuit agrees that plaintiffs had standing to pursue the invasion of privacy, breach of contract, breach of the duty of good faith, Wiretap Act and California Invasion of Privacy Act claims. Both the common law privacy claims and the statutory claims were designed to protect users’ well-established privacy interests. The court concludes that plaintiffs adequately alleged harm to these privacy interests:

Plaintiffs have adequately alleged that Facebook’s tracking and collection practices would cause harm or a material risk of harm to their interest in controlling their personal information, As alleged, Facebook’s tracking practices allow it to amass a great degree of personalized information. . . .

[A]dvances in technology can increase the potential for unreasonable intrusions into personal privacy.” [citing Patel]

The district court dismissed the remaining claims because they required economic losses, which the district court said plaintiffs failed to allege. The Ninth Circuit disagrees, and finds plaintiffs adequately alleged economic injury. The court says that California law requires disgorgement of unjustly earned profits, and plaintiffs have a legal interest under state law in these profits. Plaintiffs adequately alleged (anecdotally) that users’ browsing histories can be valued, research panels pay participants access for their browsing histories, and Facebook “profited from this valuable data.” Based on this, the opinion concludes that plaintiffs have sufficiently alleged an economic interest to satisfy Article III standing.

Merits: Having found plaintiffs satisfied Article III standing, the court examines the merits and finds that plaintiffs have satisfied their pleading burden as to several of the claims.

Invasion of privacy: An invasion of privacy claims requires a plaintiff to show (1) a reasonable expectation of privacy and (2) an intrusion that is highly offensive. The court points to vague statements in Facebook’s privacy policy that would lead a reasonable user to conclude that Facebook would not engage in offline tracking. Facebook argued that even if the collection was unexpected, plaintiffs do not allege that Facebook’s collection of information was “highly offensive” and an “egregious breach of the social norms.” The court says this latter question cannot be resolved at the pleading stage.

Wiretap Act/CIPA claims: The court says plaintiffs adequately allege claims under the Wiretap Act and its California counterpart. The court says Facebook is not a “party” to the communication. It analogizes Facebook to someone who configures another person’s email to forward emails. It does note conflicting circuit court authority on this issue.

Stored Communications Act claims: The court says the district court properly dismissed the claims under the SCA. Plaintiffs’ communications at issue—the requests to the servers of websites—are not in “electronic storage.”

Breach of Contract claims: The court says the plaintiffs cannot state a claim for breach of contract. Plaintiffs point to language from the “Data Use Policy” and “Help Center” pages in support of their argument that Facebook had an obligation to not track users in this manner. However, the court says these documents are not part of any contract between Facebook and the user. The Facebook terms (or in Facebook parlance, the “Statement of Rights and Responsibilities”) do not reference the Data Use Policy and thus cannot be incorporated by reference into the terms. Plaintiffs argued as a fallback that the Data Use Policy was its own contract that Facebook had to abide by, but the court rejects this argument. The court says that the Data Use Policy does not “outline shared commitments to which users must abide.” The Data Use Policy is just a one-sided statement from Facebook “regarding Facebook use of information and how users can control that information.”

___

Here’s a million dollar question that isn’t directly answered by this decision: has Facebook unequivocally agreed to stop this practice, or is it subject to some legal obligation to not engage in it? The opinion notes that plaintiffs allege “Facebook stopped tracking logged-out users . . . after Australian blogger Nik Cubrolivic published a blog detailing Facebook’s tracking practices.” Did public pressure cause Facebook to cease this practice forever?

It’s possible that Facebook bolstered its disclosure to end users and started tracking after more clearly advising users of this practice. I’m probably being naïve in thinking that Facebook ceased this practice entirely.

The court also footnotes that these practices prompted an FTC complaint and, predictably, a settlement (in 2011). Facebook settled an investigation with the FTC that resulted in a 20 year consent decree and required Facebook to jump through numerous hoops. I think this is the same investigation that the court refers to here. I’m curious as to whether the FTC consent decree has resulted in Facebook’s privacy practices being policed in any meaningful way.

Facebook dodged a bullet in successfully arguing that its data usage policies did not contractually bind it. Whether a privacy policy breach supports a breach of contract claim is a decades-old question in internet law, and it’s interesting to still see it being litigated.

Finally, the court’s conclusion on standing is worth noting. A key standing case, Spokeo v. Robins, came out of the Ninth Circuit. The Supreme Court remanded that case to the Ninth Circuit asking it to take a closer look at whether Robins (an FCRA plaintiff) had alleged concrete enough injury to satisfy Article III standing. On remand, the Ninth Circuit concluded that he had alleged sufficient injury. As Eric notes, the opinion here embraces a very broad view of standing. It may or may not be useful to data breach plaintiffs. But using economic gain from tracking as a hook will make it much easier for plaintiffs to satisfy Article III standing when suing platforms for improper privacy practices.

On the heels of Patel v. Facebook (the biometric tracking case), this is the second tough ruling from the Ninth Circuit for Facebook. It’s obviously at the earliest possible stages, so expect more activity both in the Ninth Circuit and in the trial court.

___

Eric’s Comments: This is one of those long, detailed, technical opinions that the Ninth Circuit is famous for. It’s never obvious at the time which of these opinions actually change Ninth Circuit law, and which ones are soon forgotten. Here’s why I think this case will cast a long shadow on Internet privacy litigation.

First, the opinion says: “Plaintiffs have adequately alleged that Facebook’s tracking and collection practices would cause harm or a
material risk of harm to their interest in controlling their personal information.” This doesn’t have a limiting principle. It’s carte blanche authorization to plaintiffs to claim they have Article III standing whenever they can claim they’ve lost control over their information.

Second, the opinion says that the commercialization of personal information could constitute an unjust enrichment sufficient to support Article III standing:

Because California law recognizes a legal interest in unjustly earned profits, Plaintiffs have adequately pleaded an entitlement to Facebook’s profits from users’ personal data sufficient to confer Article III standing. Plaintiffs allege that their browsing histories carry financial value. They point to the existence of a study that values users’ browsing histories at $52 per year, as well as research panels that pay participants for access to their browsing histories. Plaintiffs also sufficiently allege that Facebook profited from this valuable data….

As stated in the complaint, “despite Facebook’s false guarantee to the contrary,” the platform “charges users by acquiring the users’ sensitive and valuable personal information” and selling it to advertisers for a profit. Plaintiffs allegedly did not provide authorization for the use of their personal information, nor did they have any control over its use to produce revenue. This unauthorized use of their information for profit would entitle Plaintiffs to profits unjustly earned. [emphasis added]

Again, this lacks any limiting principle. Privacy plaintiffs routinely claim that their data had value and a for-profit enterprise was unjustly enriched by capturing some of that value. Why wouldn’t every privacy plaintiff make this argument? It should get the plaintiffs over the Article III standing hurdle. It also raises the question of whether the Ninth Circuit has created a new common-law meaning for the substantive unjust enrichment tort. The unqualified statement–“This unauthorized use of their information for profit would entitle Plaintiffs to profits unjustly earned”–seems to suggest that. I’m sure the plaintiffs will be excited to explore how other courts interpret this language.

Venkat connects this case to the Patel case, but I would actually connect this case to March’s Campbell v. Facebook ruling, which also took an expansive view of Article III standing for virtually any statutory violation. Between the two cases, it seems like the Ninth Circuit is fed up with Internet privacy violations, at least when it comes to Facebook. As a result, the Ninth Circuit has basically ensured Article III standing in most Internet privacy cases.

On the substantive analysis, this ruling  apparently does some damage to the Zynga precedent, which held that collecting consumer referer URLs didn’t violate the consumers’ privacy. At minimum, the court seems to say that the Zynga holding applies only so long as the collected URLs don’t contain sensitive information; otherwise, all bets are off. Of course, the court doesn’t say how we’ll figure out if URLs contain sensitive information or not. That leaves plenty of room for plaintiffs to allege collection of sensitive URLs and hope to get to discovery to back it up.

A final note: this litigation has been going on for nearly a decade. The FTC resolved its enforcement action in this same matter in 2011, yet here we are, in 2020, with this case just clearing the motion-to-dismiss stage and moving towards potentially years of additional litigation. We’re basically onto a whole different generation of the Internet, but we’re still adjudicating a legacy matter from the past generation. It’s hard to believe this kind of generations-long class-action litigation is really the best way to resolve these questions.

Case citation: In re Facebook, Inc., Internet Tracking Litigation, No. 17-17486 (9th Cir. April 9, 2020)

Related posts:

Ninth Circuit Declines to Shelve Lawsuit Alleging Facebook Violated Illinois Biometric Privacy Statute

Disclosing Unique User IDs In URLs Doesn’t Violate ECPA–In re Zynga/Facebook

Judge Koh Puts the Kibosh on LinkedIn Referral ID Class Action — Low v. LinkedIn

The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon

A Look at the Commercial Privacy Bill of Rights Act of 2011

Flash Cookies Lawsuit Tossed for Lack of Harm–La Court v. Specific Media

Judge Recognizes Loss of Value to PII as Basis of Standing for Data Breach Plaintiff — Claridge v. RockYou

Another Lawsuit over Flash Cookies Fails — Bose v. Interclick

LinkedIn Beats Referrer URL Privacy Class Action on Article III Standing Grounds–Low v. LinkedIn

The Cookie Crumbles for Amazon Privacy Plaintiffs – Del Vecchio v. Amazon

Facebook and Zynga Privacy Litigation Dismissed With Prejudice [Catch up Post]