by Wyatt Larkin, J.D. Candidate, 2023
The Ninth Circuit’s April ruling in the nearly decade-old class action case In re Facebook, Incorporated Internet Tracking Litigation1 illustrates a number of tensions in the rapidly changing field of consumer privacy law.2 While the case reaffirms defenses commonly relied upon by companies performing vast collections of user data, the court’s ruling on several issues, particularly Article III standing, may also provide powerful new tools for future privacy plaintiffs.3
The named plaintiffs represent a class of Facebook users who used the social networking platform between May 2010 and September 2011.4 They allege Facebook violated multiple federal and California laws by compiling detailed browsing histories of logged-out users, made possible by tracking cookies placed in users’ browsers via plug-ins, such as the Facebook “Like” button,5 embedded in third-party websites.6
The plaintiffs allege eleven statutory and common law claims, which fall into three general categories. First, the plaintiffs assert economic injury claims based on profits Facebook allegedly earned unjustly from their browsing history.7 Second, they allege two contractual claims contending violations of Facebook’s Statement of Rights and Responsibilities.8 Third, they assert several privacy-related claims, which focus on Facebook’s collection of users’ browsing histories.9
This wide net illustrates the uncertain landscape of data privacy law for plaintiffs, as well as the many vectors for companies facing potential privacy liabilities. When a company improperly collects or otherwise misuses a person’s private data, is that a breach of contract? An invasion of privacy? Unjust enrichment? According to Facebook, the answer is none of the above because the collection of users’ browsing histories was not a “particularized and concrete harm” necessary to establish Article III standing for any claim.10 In other words, no harm, no foul.11
The issue of Article III standing has long been a stumbling block in consumer privacy litigation,12 but beginning with the 2016 Supreme Court case Spokeo v. Robinson13 and the subsequent Ninth Circuit case Patel v. Facebook,14 courts began articulating clearer grounds for establishing standing for privacy-related claims. In re Facebook continues this trend in two respects. First, the court held the plaintiffs properly established standing for their statutory and common law privacy claims by “adequately alleg[ing] that Facebook’s tracking and collection practices would cause harm or a material risk of harm to their interest in controlling their personal information.”15
Second, the Ninth Circuit held that Facebook’s monetization of improperly collected user data can constitute an economic injury, namely unjust enrichment, allowing plaintiffs to establish standing on several state law claims.16 Going forward, unjust enrichment litigation could subject companies that rely heavily on user data to increased scrutiny regarding the valuation of their user data collection.17 More immediately, these two holdings represent important Article III standing footholds for plaintiffs in future privacy litigation.
Although Facebook’s Data Use Policy did not give rise to contractual claims, the Ninth Circuit found the policy gave users a reasonable expectation of privacy regarding their logged-out browsing activities, and that the district court thus erred in dismissing plaintiffs’ common law privacy complaints.23
Next, it considered the adequacy of the plaintiffs’ claims under the federal Wiretap Act and California Information Privacy Act (CIPA), again reversing the district court’s dismissal.24 The court’s holding turned on the technical question of whether Facebook “intercepted” users’ communications when Facebook tracked the URLs of third-party websites that users visited and users’ GET requests via embedded plug-ins.25 Here, the Ninth Circuit split with the Third Circuit’s view of the practice and sided with the First and Seventh Circuits,26 holding that Facebook was not an exempt “party” to these communications and thus the plaintiffs plausibly alleged wiretap and CIPA claims.27
The Ninth Circuit also affirmed the district court’s dismissal of another claim related to another copy of the URL, ruling that the copy of a URL appearing in a user’s address bar is not “stored communications” under the Stored Communications Act.28 The court noted that “the [Stored Communications Act (SCA)] was enacted to protect against illicit access to stored communications in remote computing operations and large data banks that stored emails . . . . Since then, the SCA has typically only been found to apply in cases involving a centralized data-management entity . . . .”29 Accordingly, the court held that “[h]ere, the allegations . . . do not show that the communications were even in ‘storage,’ much less that the alleged ‘storage’ within a URL toolbar falls within the SCA’s intended scope.”30
In re Facebook has already begun to shape internet privacy litigation; in just the few months since the Ninth Circuit handed down its ruling, district courts within the circuit have relied on the case to reject defendants’ motions to dismiss on standing grounds.31 With a deepening circuit split and a seemingly broad new validation of privacy plaintiffs’ standing, In re Facebook is likely to play an important role in shaping privacy litigation going forward.