Perrin Davis v. Facebook, Inc.
For Publication (Citation not yet assigned) (2020)
Premium Feature
Subscribe to Lexplug to listen to the Case Podcast.
Rule of Law:
An online platform that surreptitiously duplicates and forwards users' browsing data after they log out, without their consent, is not exempt from liability under the Wiretap Act or the California Invasion of Privacy Act (CIPA) under the 'party exception,' and users can establish Article III standing for privacy and economic harm claims based on such conduct.
Facts:
- Facebook embedded plug-ins (e.g., 'Like' button) containing its code on various third-party web pages.
- When a user visited a web page with Facebook plug-ins, the Facebook code replicated and sent user data, including Uniform Resource Locators (URLs) and Internet Protocol (IP) addresses, to Facebook through a separate, undetectable channel.
- Facebook utilized 'cookies' (small text files stored on users' devices) to collect and compile these 'referer headers' (URLs) into personal user profiles.
- These cookies allegedly continued to capture user information, including full-string detailed URLs, even after users had logged out of Facebook and visited other websites.
- Internal Facebook communications reportedly revealed that company executives were aware of the tracking of logged-out users and recognized that these practices posed various user-privacy issues.
- Facebook ceased tracking logged-out users only after an Australian blogger, Nik Cubrilovic, published a blog detailing Facebook’s tracking practices.
- Plaintiffs Perrin Davis, Brian Lentz, Cynthia Quinn, and Mathew Vickery were active Facebook account holders between May 27, 2010, and September 26, 2011.
- Facebook allegedly sold compiled user profiles, which comprised over 90% of its revenue during the relevant period, to advertisers to generate revenue.
Procedural Posture:
- Plaintiffs filed a consolidated complaint on behalf of themselves and a putative class of active Facebook account holders.
- The United States District Court for the Northern District of California dismissed the first complaint with leave to amend.
- Plaintiffs filed an amended complaint alleging various claims, including Wiretap Act, SCA, CIPA, common law privacy, breach of contract, breach of implied covenant, civil fraud, trespass to chattels, CDAFA, and statutory larceny.
- The district court granted Facebook’s motion to dismiss the amended complaint, ruling that Plaintiffs lacked standing for claims requiring economic damages (trespass to chattels, CDAFA, fraud, statutory larceny), and dismissing other claims for failure to state a claim (Wiretap Act, CIPA, SCA, common law privacy).
- The district court dismissed the claims for breach of contract and the breach of the implied covenant of good faith and fair dealing, but granted leave to amend these claims.
- In response, Plaintiffs amended their complaint as to the breach of contract and implied covenant claims.
- The district court subsequently granted Facebook’s motion to dismiss these amended breach of contract and implied covenant claims.
- Plaintiffs-Appellants appealed the district court's dismissals to the United States Court of Appeals for the Ninth Circuit.
Premium Content
Subscribe to Lexplug to view the complete brief
You're viewing a preview with Rule of Law, Facts, and Procedural Posture
Issue:
Does a social media company's undisclosed tracking and collection of logged-out users' browsing histories via third-party website plug-ins, to compile personal profiles for advertising revenue, establish Article III standing for users and state plausible claims for common law privacy violations and statutory violations under the Wiretap Act and CIPA?
Opinions:
Majority - Chief Judge Thomas
Yes, users have Article III standing to bring privacy-related claims and claims for economic damages, and they have adequately stated claims for common law invasion of privacy, intrusion upon seclusion, and violations of the Wiretap Act and CIPA. First, for standing, Plaintiffs adequately alleged an invasion of a legally protected interest that was concrete and particularized, as privacy rights (control of personal information) are historical common law interests protected by the Wiretap Act, SCA, and CIPA. Facebook's alleged tracking of 'no matter how sensitive' browsing history after log-out, to compile a 'cradle-to-grave profile' without consent, was deemed to cause harm or a material risk of harm to these interests. For economic claims, California law recognizes a right to disgorgement of unjustly earned profits, which establishes Article III standing even without a corresponding loss to the plaintiff; Plaintiffs plausibly alleged Facebook unjustly profited by selling their browsing histories to advertisers without authorization. Second, on the merits, Plaintiffs adequately stated claims for intrusion upon seclusion and invasion of privacy because they plausibly alleged a reasonable expectation of privacy, given that Facebook's privacy disclosures at the time suggested logged-out user data would not be tracked, and the significant, surreptitious collection of potentially sensitive full-string URLs. The alleged intrusion was also plausibly 'highly offensive' to a reasonable person, as Facebook officials themselves recognized it as a privacy issue. Third, Facebook is not exempt from Wiretap Act and CIPA liability under the 'party exception.' The court adopted the First and Seventh Circuits' view that simultaneous, unknown duplication and communication of GET requests (where Facebook's code copies the referer header and sends a separate, identical request to Facebook's server) constitutes an 'interception' and does not make Facebook a 'party' to the communication. This aligns with the legislative intent to protect communication privacy from 'unseen auditors.' However, the court affirmed the dismissal of the Stored Communications Act (SCA) claims because the URL displayed in a browser toolbar is for user convenience, not 'temporary, intermediate storage incidental to transmission' or 'backup protection' of the GET request communication itself, and thus not 'electronic storage' within the SCA's scope. The court also affirmed dismissal of the breach of contract and implied covenant claims, finding Plaintiffs failed to allege a contract specifically prohibiting logged-out tracking, and the relevant privacy policies were not properly incorporated or did not constitute standalone contracts outlining mutual commitments.
Analysis:
This case significantly strengthens consumer privacy protections on the internet, particularly against undisclosed data collection by online platforms. By affirming Article III standing based on both privacy interests and an entitlement to unjustly earned profits under state law, the Ninth Circuit opens the door for a broader range of privacy-related lawsuits. The ruling on the Wiretap Act's 'party exception' rejects a narrow interpretation, making it harder for companies using surreptitious data duplication techniques to avoid liability, and creates a circuit split (with the Third Circuit), potentially signaling future Supreme Court review on this specific issue.
