Nancy Graf v. Zynga Game Network, Inc.
750 F.3d 1098 (2014)
Premium Feature
Subscribe to Lexplug to listen to the Case Podcast.
Rule of Law:
The Electronic Communications Privacy Act (ECPA), which includes the Wiretap Act and the Stored Communications Act, only prohibits the disclosure of the 'contents' of a communication, defined as information concerning the substance, purport, or meaning of a message, and does not extend to 'record information' such as subscriber identities or webpage addresses.
Facts:
- Facebook operates a social networking website where users register, create profiles with personal information (name, email, gender, birth date, interests, photos, etc.), and connect with others.
- Facebook offers a platform service for developers to design applications, and Zynga provides social gaming applications through this platform, accessible to Facebook users.
- When a Facebook user clicks on an ad or icon on a Facebook webpage, or launches a Zynga game through Facebook, their web browser sends an HTTP request to access the linked resource.
- These HTTP requests automatically include a 'referer' header, which provides the user's Facebook ID and the address (URL) of the Facebook webpage the user was viewing prior to clicking.
- Both Facebook and Zynga allegedly programmed their systems to collect this referer header information.
- Facebook and Zynga then allegedly transmitted this collected referer header information to third-party advertisers and other third parties.
Procedural Posture:
- Plaintiffs filed consolidated class action complaints against Facebook and Zynga in the United States District Court for the Northern District of California.
- In Robertson v. Facebook, plaintiffs alleged violations of the Stored Communications Act (SCA).
- In Graf v. Zynga, plaintiffs alleged violations of both the SCA and the Wiretap Act.
- The district court granted Facebook and Zynga's motions to dismiss the claims under both the Wiretap Act and the Stored Communications Act for failure to state a claim, concluding that the complaints alleged disclosures to intended recipients.
- Plaintiffs appealed the district court's dismissal to the United States Court of Appeals for the Ninth Circuit.
Premium Content
Subscribe to Lexplug to view the complete brief
You're viewing a preview with Rule of Law, Facts, and Procedural Posture
Issue:
Does the disclosure of a user's Facebook ID and the URL of a previously viewed Facebook webpage via an HTTP 'referer' header constitute the disclosure of the 'contents' of a communication under the Electronic Communications Privacy Act (ECPA)'s Wiretap Act or Stored Communications Act?
Opinions:
Majority - Ikuta
No, the disclosure of a user's Facebook ID and the URL of a previously viewed Facebook webpage via an HTTP 'referer' header does not constitute the disclosure of the 'contents' of a communication under the Electronic Communications Privacy Act (ECPA)'s Wiretap Act or Stored Communications Act. The court reviewed the definition of 'contents' in 18 U.S.C. § 2510(8) as 'any information concerning the substance, purport, or meaning of that communication.' Drawing on dictionary definitions and the statutory context, the court determined 'contents' refers to a person's intended message—the 'essential part,' 'meaning conveyed,' or 'thing one intends to convey.' The Stored Communications Act (SCA) specifically differentiates 'contents' from 'record or other information pertaining to a subscriber or customer,' which includes 'name,' 'address,' and 'subscriber number or identity' (18 U.S.C. §§ 2702(c), 2703(c)). Furthermore, Congress amended the Wiretap Act's definition of 'contents' in 1986 to eliminate 'identity of the parties to such communication,' reinforcing the exclusion of record information. Thus, 'contents' does not include record information generated in the course of communication. Applying this interpretation, a Facebook ID functions as a 'subscriber number or identity,' and a webpage address functions as an 'address.' These are categorized as record information, not the 'substance, purport, or meaning' of a communication. The court distinguished situations where personally identifiable information was considered content because it was the subject of a communication (e.g., information entered into a form), from merely being record information about a communication (e.g., an automatically generated referer header). The court also rejected arguments based on Fourth Amendment jurisprudence, noting that while distinct from statutory interpretation, Fourth Amendment precedent similarly distinguishes communication content from record information. The Forrester dicta regarding URLs containing search terms was distinguishable because the referer headers in this case contained only basic identification and address information, not a specific communication like a search term. Therefore, the plaintiffs' complaints failed to state a claim under ECPA because they did not plausibly allege the disclosure of 'contents'.
Analysis:
This decision significantly narrows the interpretation of 'contents' under the ECPA, clarifying that mere personally identifiable information or metadata generated during online activity, such as a user ID and the referring URL, does not qualify as protected 'contents' unless it conveys the 'substance, purport, or meaning' of an intended message. This ruling protects tech companies like social networks and gaming platforms from ECPA liability for disclosing such record information, which is a common practice for targeted advertising. It emphasizes a strict textual reading of 'contents' and limits the scope of privacy protections under these specific federal statutes, potentially pushing future privacy claims related to such data towards state laws or different federal statutes if available.
