Summary: Ninth Circuit Permits Federal Wiretap Act Claim Against Facebook

In its opinion filed April 9, the U.S. Court of Appeals for the Ninth Circuit greenlighted a mix of privacy claims levied against Facebook in In Re Facebook, Inc. Internet Tracking Litigation, reversing the lower court’s decision to dismiss the case. The plaintiffs in the case are a class of Facebook users alleging that the social media company tracked their browser histories from May 2010 to September 2011 when they visited third-party websites featuring Facebook “Like” buttons.

The Ninth Circuit’s opinion in In Re Facebook has significant implications for industry and data privacy. Data privacy norms have been enforced most aggressively by the Federal Trade Commission and state attorneys general, while comparable class actions have met resistance in federal courts. In Re Facebook, however, signals a departure from that status quo.

First, this opinion reinforces the Ninth Circuit’s view that privacy violations are, in and of themselves, concrete injuries that confer Article III standing. This position, first articulated by the court last year in Patel v. Facebook, makes it easier for plaintiffs’ attorneys to cross the motion-to-dismiss hurdle for privacy-related claims, increasing the likelihood that successful data-privacy class actions will crop up in the Ninth Circuit. Second, the court joined the First and Seventh Circuits in adopting an industry-unfriendly interpretation of the party exception to the Wiretap Act, 18 U.S.C § 2510. The Third Circuit, by contrast, uses a more industry-sympathetic interpretation. The Ninth Circuit’s reading of the Wiretap Act exposes internet advertisers and other internet-based technology companies to potential liability for cookie-enabled browser monitoring of web users—a fairly common practice employed in targeted advertising.

Due to both the circuit split and the opinion’s potential for disruption of tech revenue streams, In Re Facebook is a candidate for the Supreme Court’s docket. Stewart Baker recently expressed the same sentiment, forecasting a grant of certiorari should Facebook appeal. Baker also discussed what the opinion reflects about the court’s changing posture toward Silicon Valley, contending that such an opinion would have been “unthinkable” from the Ninth Circuit just 10 years ago. In the coming months, Silicon Valley and data privacy lawyers alike are sure to watch this case closely.

Technical Background

The plaintiffs allege that Facebook collected a slate of “personally-identifiable URL information” from user traffic on third-party websites—so long as these websites carried the Facebook “Like” button. The data collected included user identities, the URLs of these websites that users visited, and the information contained in “referrer headers”—that is, referring web addresses, usually google.com, followed by the string of search terms used to get to one of these third-party websites. According to the plaintiffs, Facebook then correlated URLs and referrer headers with “user ID[s], time stamp[s], browser settings, and even the type[s] of browser used,” allowing the social media company to create detailed personal profiles informed by activity off its platform. Facebook’s surveillance, the plaintiffs argue, was facilitated by the interplay between its plug-ins and “tracking” cookies.

Cookies are small, deletable text files that get stored on our devices as we browse the internet. Virtually all companies deploy cookies once we visit their websites. These cookies store browsing information and make it easier to identify web users across repeated visits.

Companies use cookies in a variety of ways. The New York Times, for example, maintains its paywall by placing cookies on readers’ web browsers so that it can keep count of how many free articles an unsubscribed user has read. Facebook similarly places cookies on users’ web browsers once they visit the Facebook webpage. Some of these cookies—“session cookies”— enhance a user’s experience while on Facebook’s platform by helping the site track and broadcast at any given time, for example, whether a user is active in Messenger. But Facebook also uses “tracking cookies.” These cookies attach to individuals’ web browsers not only when visiting Facebook.com but also upon visiting third-party websites that feature Facebook plug-ins, tracking Facebook users and non-Facebook users alike.

Plug-ins are bits of code created and made available to web developers, who can then easily embed them into websites. Facebook’s software developers create many such plug-ins for third-party use. The plug-in at issue in this case is the Facebook “Like” button, which was commonplace on most online publications, forums and blogs.

Plaintiffs allege that Facebook’s cookies “compiled” revealing browser data every time a user visited a website featuring a Facebook “Like” button, and the code buried in the “Like” button “intercepted” that information, kicking it back to Facebook. Here are the mechanics: When we click links to websites, or directly type web addresses into our toolbars, our web browsers send “GET requests” to the websites we are trying to access. GET requests tell websites what remote data we need in order to load a webpage, allowing websites to send that requested information back to our browsers. Absent any interference, there is only one channel of communication upon loading a website—the channel between a user and a website. Plaintiffs argue, however, that when they visited websites featuring “Like” buttons, Facebook code embedded in these websites instructed users’ web browsers to open up second, “unauthorized” channels of communication directly to the Facebook servers, funneling the relevant URL information and cookies to the social media company. Facebook has not disputed any of these tracking practices.

The Ninth Circuit’s Opinion

The plaintiffs asserted violations of the Wiretap Act, the Stored Communications Act (SCA) and the California Invasion of Privacy Act (CIPA), alongside common law privacy claims and a hodgepodge of other grievances. The Ninth Circuit found Article III standing for all claims, but only the Wiretap Act, the CIPA and the two common law privacy claims ultimately made it over the motion-to-dismiss hurdle. In Re Facebook marks the first time the Ninth Circuit has permitted claims against commercial browser monitoring under the Wiretap Act and CIPA.

Article III Standing

Under Spokeo v. Robins, standing requires that plaintiffs (1) “suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Standing analysis in the data privacy context typically focuses on element number one. More specifically, element number one asks whether a plaintiff has suffered a “concrete” and “particularized” injury—usually some sort of economic or physical harm—rather than a “bare procedural violation.” Analyzing first the privacy claims and then the remaining claims, the Ninth Circuit found that the plaintiffs had indeed suffered concrete injuries related to all claims.

The Ninth Circuit affirmed that the plaintiffs had standing to bring their privacy claims even though the alleged invasions of privacy had not caused any economic or physical harm. According to Ninth Circuit case law, even when there is no economic or physical harm, violation of a law in which there was legislative intent to protect a concrete interest—“akin to a historical, common law interest”—can satisfy element one of Spokeo v. Robins. In August 2019, in Patel v. Facebook, the Ninth Circuit identified a long-standing common law interest in the right to privacy, satisfying the second leg of this analysis. And to satisfy the first leg, the Ninth Circuit concluded that the legislative history behind the Wiretap Act and CIPA demonstrated that both Congress and the California legislature “intended to protect these historical privacy rights.” This has important implications for future Ninth Circuit privacy cases. So long as any future plaintiff in the Ninth Circuit alleges invasion of privacy under either a common law theory or a statute intended to protect privacy, In Re Facebook would likely permit the plaintiff to establish Article III standing. With this ruling, the Ninth Circuit has eliminated that barrier to the courthouse.

Next, the Ninth Circuit Court reversed the lower court’s conclusion as to the remaining claims (trespass to chattels, fraud, larceny and the Computer Data Access and Fraud Act), finding standing through an interest in the “disgorgement of profits,” conferred not through federal law, or common law generally, but through California state law. At issue, again, was the first element from Spokeo. For the non-privacy-related claims, the plaintiffs contended that Facebook was “unjustly enriched,” presumably through the increased ad revenue that resulted from the alleged third-party tracking. Facebook, however, argued that there was still no injury to the plaintiffs—although Facebook had made profits on the data, the plaintiffs had not suffered from the data monetization in any tangible sense. The Ninth Circuit ultimately sided with the plaintiffs. Per the court, “state law can create interests that support standing in federal courts.” And “California law recognizes a right to disgorgement of profits resulting from unjust enrichment” even when a plaintiff does not suffer any sort of economic loss. Under the Ninth Circuit’s analysis, unjust enrichment constitutes a concrete injury whether or not it imposes economic losses on plaintiffs.

12(b)(6) Motion to Dismiss and Failure to State a Claim

Having reversed part of the lower court’s decision on Article III standing, the Ninth Circuit remanded the slate of non-privacy-related claims back to the lower court for a motion-to-dismiss ruling. The bulk of the Ninth Circuit opinion focused on the plaintiffs’ contract, SCA, common law privacy, CIPA and Wiretap Act claims. Ultimately, only the common law privacy, CIPA and Wiretap Act claims survived Facebook’s motion to dismiss.

The Ninth Circuit made short work of the plaintiffs’ contract claims. The plaintiffs pointed to Facebook’s September 2011 data use policy, which “promise[d] … to help [users] protect [their] property rights.” The court, however, found that the document did not contain “an explicit promise not to track logged-out users.” The court also rejected the notion that the policy was a contract, emphasizing that there was no “exchange for [Facebook’s] promise.” This refusal to construe Facebook’s data use policy as a contract is consistent with the jurisprudence of most circuit courts.

The Ninth Circuit also dismissed the plaintiffs’ claim under the SCA, 18 U.S.C § 2701(a). The plaintiffs argued that Facebook gained unauthorized access to URLs that were contained in “electronic storage.” The court found three problems with this argument. First, the URLs were not electronically stored “incident to transmission,” per the language of the statute. Second, the court concluded that Congress never intended the SCA to protect URLs and individuals. Rather, it intended the law to protect electronic “communications” held by “centralized data-management” entities that store, for example, “emails” for transmission. And third, assuming for a moment that the plaintiffs’ URLs were communications, the plaintiffs pointed to the wrong ones. The court argued that Facebook had not accessed the plaintiffs’ browser toolbars or browser histories. Facebook did collect a lot of the same information found in browser toolbars and saved history, but rather than obtain the information from those sources, the social media company had obtained the relevant information from GET requests.

The plaintiffs had better luck with their common law privacy claims. The Ninth Circuit evaluated whether they had a “reasonable expectation of privacy” and whether Facebook’s intrusion was “highly offensive.” Looking at Facebook’s Statement of Rights and Responsibilities and Facebook’s data use policies, the court determined that users had a reasonable expectation of privacy regarding their data obtained while logged-out of Facebook. Further, the Ninth Circuit held that, even if the plaintiffs had never explicitly denied Facebook the consent to collect such data, Facebook’s “affirmative statements” not to track data were enough to establish a reasonable expectation of privacy. Turning the analysis to whether Facebook’s intrusion was “highly offensive,” the court determined that the lower court would have to make such a finding after the pleading stage. The court reasoned that such a determination would require a holistic, multifactor analysis of the intrusion, the social norms surrounding the intrusion and broader policy considerations.

Most significantly, the Ninth Circuit refused

[…]

Read the original article: Summary: Ninth Circuit Permits Federal Wiretap Act Claim Against Facebook