Data privacy issues continue to make headlines. A recent challenge concerned Facebook’s use of plug-ins to track users’ browsing histories when they visit third party websites. These browsing histories are compiled into personal profiles. Facebook then sells these personal profiles to advertisers. On April 9, 2020 in the matter of In re Facebook, Inc. Internet Tracking Litigation (20 Cal. Daily Op. Serv. 3227), the Ninth Circuitupheld an appeal allowing users to pursue a putative class action against Facebook for alleged common law and statutory privacy violations when it tracked their browsing histories after they had logged out of Facebook. The Ninth Circuit’s decision is noteworthy on two fronts. First, it signals a green light for other data privacy class action cases by reinforcing the premise that privacy violations are concrete injuries. Second, by excluding certain user tracking techniques from the ‘party exception’ to the Wiretap Act (18 U.S.C. §2510), internet companies that use these techniques are susceptible to liability under the Wiretap Act.
Background
Facebook’s cookies are attached to a user’s browser when visiting third-party websites featuring Facebook plug-ins. The plug-ins, such as the Facebook ‘Like” button, contain codes which are embedded into third-party websites to facilitate tracking. When a Facebook user visits a third-party website with a Facebook plug-in, the code is able to duplicate and send the user’s data back to Facebook in a separate, but simultaneous communication that is undetectable by the user.
The information in the separate-undetectable communication includes a Uniform Resource Locator (URL). A URL can provide the users identity, the web server, the website name and the search terms used to locate the page. The URL, once collected, is referred to as a “referrer header.”
The Facebook cookies on the user’s browser enable the collected personal headers to be compiled into personal user profiles. Facebook then sells the information on to advertisers to generate revenue. Allegedly, between May 27, 2010 and September 26, 2011, the Facebook cookies continued to track users in this way when they were logged out of the Facebook application.
The plaintiffs filed a consolidated complaint on behalf of themselves and a putative class of Facebook account holders during the period in question, asserting violations of the federal Stored Communications Act (SCA) (18 U.S.C. § 2701), the Wiretap Act, and the California Invasion of Privacy Act (CIPA) (Cal. Pen. Code § 631(a)), together with common law privacy claims and other complaints.
After rounds of amended pleadings, the District Court ultimately granted Facebook’s motion to dismiss. First on the basis that the plaintiffs lacked standing, and second, for failure to state a claim.
The Ninth Circuit Decision
By reversing the District Court in part, the Ninth Circuit found that the plaintiffs had standing...
