California Federal Court Dismisses Bulk of Privacy Suit Against Facebook

In late 2010, David Gould and Mike Robertson filed a class action lawsuit against Facebook for disclosing users’ personal information to third-party advertisers without users’ consent. The Plaintiffs asserted eight causes of action against Facebook, including violations of the Electronic Communications Privacy Act (“ECPA”) and California’s Unfair Competition Law (“UCL”). Expressing skepticism about the actual harm alleged by the Plaintiffs, the United States District Court for the Northern District of California dismissed the claims against Facebook on May 12, 2011.

According to the complaint, when a user clicks on one of Facebook’s third-party advertisements, Facebook sends a “Referrer Header” to the corresponding advertiser. This header contains the specific webpage address that the user was viewing before clicking on the advertisement, and reveals personally identifiable information to the advertiser such as the user’s name, gender, and picture. The Plaintiffs brought this class action suit on behalf of themselves and all Facebook users in the United States who clicked on a third-party advertisement displayed on Facebook after May 28, 2006.

ECPA Claims

The Plaintiffs alleged violations of the Wiretap Act (which applies to communications in transmission) and the Stored Communications Act (which applies to communications in storage). Both prohibit electronic communication services such as Facebook from divulging the contents of communications to parties other than the “addressee or intended recipient.” According to the complaint, when a Facebook user clicks on a third-party advertisement, the user asks Facebook to send an electronic communication – the Referrer Header - to the advertiser. The Plaintiffs claimed that users do not expect and do not consent to Facebook’s disclosure of all of the contents of those communications (e.g. their personal information) to the advertisers.

The court interpreted these allegations in two ways. Under the first interpretation, a user’s click on an advertisement constitutes a communication from the user to Facebook - the content of the user’s communication to Facebook is a request that Facebook send a subsequent communication to the advertiser. As the communication is sent from the user to Facebook in this scenario, Facebook is the intended recipient of the communication and therefore not liable under ECPA for disclosing the communication to advertisers. Under the second interpretation, a user’s click on an advertisement constitutes a communication from the user to the advertiser; by clicking on an advertisement, a user asks Facebook to pass the communication along to the advertiser. In this scenario, Facebook cannot be liable under ECPA for divulging the communication to the advertiser because the advertiser is the addressee or intended recipient. As such, the court held as a matter of law that the Plaintiffs failed to state a claim for violations of ECPA under either interpretation.

California Consumer Protection - Personal Information is Not Property

The Plaintiffs also sought damages under the UCL. To assert a UCL claim, a plaintiff needs to have “suffered injury in fact and . . . lost money or property as a result of the unfair competition.” The Plaintiffs claimed they lost property – their personally identifiable information – as a result of Facebook’s conduct. The court dismissed the claim, expressly holding that personal information does not constitute property for purposes of the UCL. In addition, the court limited the scope of its prior ruling in Doe 1 v. AOL, LLC , which considered claims under the UCL after AOL inadvertently disclosed sensitive personal information of its users to the public. In contrast to that alleged by the Plaintiffs, AOL’s disclosure of personal information was not something users’ bargained for when they “signed up and paid fees for” AOL’s services. According to the court “a plaintiff who is a consumer of certain services (i.e. who ‘paid fees’ for those services) may state a claim under certain California consumer protection statutes when a company, in violation of its own policies, discloses personal information about its consumers to the public.” Because the Plaintiffs did not pay to use Facebook, the court dismissed the UCL claim with prejudice.

What is Left?

While dim, there is some light at the end of the tunnel for the Plaintiffs in this case. The court rejected Facebook’s argument that the Plaintiffs lacked standing, holding that the Plaintiffs alleged sufficient injury-in-fact to continue the case in federal court. Additionally, the court permitted the Plaintiffs to re-file five of the eight dismissed claims. Yet even with the chance to re-file, actual harm in the privacy litigation context remains a difficult concept for plaintiffs to prove - just recently another privacy-related lawsuit involving flash cookies was dismissed for lack of actual harm. This decision once again demonstrates that plaintiffs attempting to recover damages for privacy violations face an uphill battle. We will keep you updated if and when this case progresses.