v.
Facebook, Inc.
UNITED STATES COURT OF APPEALS
FOR THE NINTH CIRCUIT
IN RE FACEBOOK, INC. INTERNET No. 17-17486
TRACKING LITIGATION,
D.C. No.
5:12-md-02314-
PERRIN AIKENS DAVIS; BRIAN K. EJD
LENTZ; CYNTHIA D. QUINN;
MATTHEW J. VICKERY,
Plaintiffs-Appellants, OPINION
v.
FACEBOOK, INC.,
Defendant-Appellee.
Appeal from the United States District Court
for the Northern District of California
Edward J. Davila, District Judge, Presiding
Argued and Submitted April 16, 2019
San Francisco, California
Filed April 9, 2020
2 IN RE FACEBOOK, INC. INTERNET TRACKING LITIG.
Before: Sidney R. Thomas, Chief Judge, Milan D.
Smith, Jr., Circuit Judge, and Katherine H. Vratil,*
District Judge.
Opinion by Chief Judge Thomas
SUMMARY**
Standing / Privacy Law
The panel affirmed the district court’s dismissal of the
Stored Communications Act (“SCA”), breach of contract, and breach of implied covenant claims; reversed the dismissal of the remaining claims; and remanded for further consideration, in an action alleging privacy-related claims against Facebook, Inc.
Facebook uses plug-ins to track users’ browsing histories
when they visit third-party websites, and then complies these browsing histories into personal profiles which are sold to advertisers to generate revenue. Plaintiffs filed an amended complaint on behalf of themselves and a putative class of people who had active Facebook accounts between May 27, 2010 and September 26, 2011. They alleged that Facebook executives were aware of the tracking of logged-out users and
*
The Honorable Kathryn H. Vratil, United States District Judge for the District of Kansas, sitting by designation. ** This summary constitutes no part of the opinion of the court. It has been prepared by court staff for the convenience of the reader.
IN RE FACEBOOK, INC. INTERNET TRACKING LITIG. 3
recognized that these practices posed various user-privacy
issues.
As an initial matter, the panel held that plaintiffs had
standing to bring their claims. Specifically, the panel held
that plaintiffs adequately alleged an invasion of a legally
protected interest that was concrete and particularized.
As to the statutory claims, the panel held that the
legislative history and statutory text demonstrated that
Congress and the California legislature intended to protect
these historical privacy rights when they passed the Wiretap
Act, SCA, and the California Invasion of Privacy Act
(“CIPA”). In addition, plaintiffs adequately alleged that Facebook’s tracking and collection practices would cause harm or a material risk to their interest in controlling their personal information. Accordingly, plaintiffs sufficiently alleged a clear invasion of their right to privacy, and plaintiffs had standing to pursue their privacy claims under these statutes.
As to plaintiffs’ alleged theories of California common
law trespass to chattels and fraud, statutory larceny, and
violations of the Computer Data Access and Fraud Act, the
panel held that plaintiffs sufficiently alleged a state law
interest whose violation constituted an injury sufficient to
establish standing to bring their claims. Because California
law recognizes a legal interest in unjustly earned profits,
plaintiffs adequately pled an entitlement to Facebook’s profits from users’ data sufficient to confer Article III standing. Plaintiffs also sufficiently alleged that Facebook profited from this valuable data.
4 IN RE FACEBOOK, INC. INTERNET TRACKING LITIG.
Turning to the merits, the panel held that plaintiffs
adequately stated claims for relief for intrusion upon
seclusion and invasion of privacy under California law. First, the panel held that in light of the privacy interests and Facebook’s allegedly surreptitious and unseen data collection, plaintiffs adequately alleged a reasonable expectation of privacy to survive a Fed. R. Civ. P. 12(b)(6) motion to dismiss. Second, plaintiffs identified sufficient facts to survive a motion to dismiss on the ultimate question of whether Facebook’s tracking and collection practices could highly offend a reasonable individual.
The panel held that plaintiffs sufficiently alleged that
Facebook’s tracking and collection practices violated the
Wiretap Act and CIPA. Both statutes contain an exemption
from liability for a person who is a “party” to the
communication. Noting a circuit split, the panel adopted the
First and Seventh Circuits’ understanding that simultaneous unknown duplication and communication of GET requests did not exempt Facebook from liability under the party exception. The panel concluded that Facebook was not exempt from liability as a matter of law under the Wiretap Act or CIPA, and did not opine whether plaintiffs adequately pleaded the other requisite elements of the statutes.
The panel held that the district court properly dismissed
plaintiffs’ claims under the SCA, which required plaintiffs to plead that Facebook gained unauthorized access to a “facility” where it accessed electronic communications in “electronic storage.” The panel agreed with the district court’s determination that plaintiffs’ data was not in electronic storage. The panel concluded that plaintiffs’ claims for relief under the SCA were insufficient.
IN RE FACEBOOK, INC. INTERNET TRACKING LITIG. 5
The panel held that the district court properly dismissed
plaintiffs’ breach of contract claim for failure to state a claim. Plaintiffs alleged that Facebook entered into a contract with each plaintiff consisting of the Statement of Rights and Responsibilities, Privacy Policy, and relevant Help Center pages. The panel held that plaintiffs failed to adequately allege the existence of a contract that was subject to breach. The panel also held that the district court properly dismissed plaintiffs’ claim that Facebook’s tracking practices violated the implied covenant of good faith and fair dealing, where the allegations did not go beyond the asserted breach of contract theories.
COUNSEL
David A. Straite (argued), Frederic S. Fox, and Ralph E.
Labaton, Kaplan Fox & Kilsheimer LLP, New York, New
York; Laurence D. King, Matthew George, and Mario M.
Choi, Kaplan Fox & Kilsheimer LLP, San Francisco,
California; Stephen G. Grygiel, Silverman Thompson Slutkin
White LLC, Baltimore, Maryland; for Plaintiffs-Appellants.
Lauren R. Goldman (argued) and Michael Rayfield, Mayer
Brown LLP, New York, New York; Matthew D. Brown,
Cooley LLP, San Francisco, California; for Defendant-
Appellee.
Marc Rotenberg, Alan Butler, Natasha Babazadeh, and Sam
Lester, Electronic Privacy Information Center, Washington,
D.C., for Amicus Curiae Electronic Privacy Information
Center (EPIC).
6 IN RE FACEBOOK, INC. INTERNET TRACKING LITIG.
Douglas Laycock, University of Virginia Law School,
Charlottesville, Virginia; Steven W. Perlstein, Kobre & Kim LLP, New York, New York; Beau D. Barnes, Kobre & Kim LLP, Washington, D.C.; for Amicus Curiae Professor Douglas Laycock.
OPINION
THOMAS, Chief Judge:
In this appeal, we are asked to determine whether: (1) Facebook-users Perrin Davis, Brian Lentz, Cynthia Quinn, and Mathew Vickery (“Plaintiffs”) have standing to allege privacy-related claims against Facebook, and (2) Plaintiffs adequately allege claims that Facebook is liable for common law and statutory privacy violations when it tracked their browsing histories after they had logged out of the Facebook application. We have jurisdiction pursuant to 28 U.S.C. § 1291. We affirm in part; reverse in part; and remand for further proceedings.
I
Facebook uses plug-ins1 to track users’ browsing histories when they visit third-party websites, and then compiles these browsing histories into personal profiles which are sold to advertisers to generate revenue. The parties do not dispute that Facebook engaged in these tracking practices after its users had logged out of Facebook.
[*589]The existence of a reasonable expectation of privacy, given the circumstances of each case, is a mixed question of law and fact. Hill v. NCAA, 7 Cal. 4th 1, 40 (1994). “[M]ixed questions of fact and law are reviewed de novo, unless the mixed question is primarily factual.” N.B. v. Hellgate Elem. Sch. Dist., ex rel. Bd. of Dirs., Missoula Cty., Mont., 541 F.3d 1202, 1207 (9th Cir. 2008). Here, because we are reviewing the district court’s legal conclusions, we review de novo.
We first consider whether a defendant gained “unwanted access to data by electronic or other covert means, in violation of the law or social norms.” Hernandez, 47 Cal. 4th at 286 (internal quotation marks omitted). To make this determination, courts consider a variety of factors, including the customs, practices, and circumstances surrounding a defendant’s particular activities. Hill, 7 Cal. 4th at 36.
IN RE FACEBOOK, INC. INTERNET TRACKING LITIG. 19
Thus, the relevant question here is whether a user would reasonably expect that Facebook would have access to the user’s individual data after the user logged out of the application. Facebook’s privacy disclosures at the time allegedly failed to acknowledge its tracking of logged-out users, suggesting that users’ information would not be tracked.
The applicable Facebook Statement of Rights and Responsibilities (“SRR”) stated:
Your privacy is very important to us. We designed our Privacy Policy to make important disclosures about how you can use Facebook to share with others and how we collect and can use your content and information. We encourage you to read the Privacy Policy, and to use it to make informed decisions.
SRR, dated April 26, 2011.
Facebook’s applicable Data Use Policy,5 in turn, stated:
We receive data whenever you visit a game, application, or website that uses [Facebook’s services]. This may include the date and time you visit the site; the web address, or URL, you’re on; technical information about the IP address, browser and the operating system However, in order to maintain a California common law privacy action, “[p]laintiffs must show more than an intrusion upon reasonable privacy expectations. Actionable invasions of privacy also must be ‘highly offensive’ to a reasonable person, and ‘sufficiently serious’ and unwarranted so as to constitute an ‘egregious breach of the social norms.’” Hernandez, 47 Cal. 4th at 295. Determining whether a defendant’s actions were “highly offensive to a reasonable person” requires a holistic consideration of factors such as the likelihood of serious harm to the victim, the degree and setting of the intrusion, the intruder’s motives and objectives, and whether countervailing interests or social norms render the intrusion inoffensive. Id. at 287; see also Hill, 7 Cal. 4th at 25–26. While analysis of a reasonable expectation of privacy primarily focuses on the nature of the intrusion, the highly offensive analysis focuses on the degree to which the intrusion is unacceptable as a matter of public policy. Hernandez, 47 Cal. 4th at 287 (noting that highly offensive analysis “essentially involves a ‘policy’ determination as to whether the alleged intrusion is highly offensive under the particular circumstances”).
[*590]28 IN RE FACEBOOK, INC. INTERNET TRACKING LITIG.
The ultimate question of whether Facebook’s tracking and collection practices could highly offend a reasonable individual is an issue that cannot be resolved at the pleading stage. Plaintiffs have identified sufficient facts to survive a motion to dismiss. Plaintiffs’ allegations of surreptitious data collection when individuals were not using Facebook are sufficient to survive a dismissal motion on the issue. Indeed, Plaintiffs have alleged that internal Facebook communications reveal that the company’s own officials recognized these practices as a problematic privacy issue.
In sum, Plaintiffs have sufficiently pleaded the “reasonable expectation of privacy” and “highly offensive” elements necessary to state a claim for intrusion upon seclusion and invasion of privacy to survive a 12(b)(6) motion to dismiss.[8]
B
Plaintiffs also have sufficiently alleged that Facebook’s tracking and collection practices violated the Wiretap Act and CIPA.
The Wiretap Act prohibits the unauthorized “interception” of an “electronic communication.” 18 U.S.C. § 2511(1)(a)–(e). Similarly, CIPA prohibits any person from using electronic means to “learn the contents or meaning” of any “communication” “without consent” or in an “unauthorized manner.” Cal. Pen. Code § 631(a). Both statutes contain an exemption from liability for a person who is a “party” to the communication, whether acting under the color of law or not. 18 U.S.C. § 2511(2)(c), (d); see Warden v. Kahn, 160 Cal. Rptr. 471, 475 (1979) (“[S]ection 631 . . . has been held to apply only to eavesdropping by a third party and not to recording by a participant to a conversation.”). Courts perform the same analysis for both the Wiretap Act and CIPA regarding the party exemption. See, e.g., In re Google Cookie, 806 F.3d at 152 (holding that CIPA claims could be dismissed because the parties were exempted from liability under the Wiretap Act’s party exception).
The party exception must be considered in the technical context of this case. When an individual internet user visits a web page, his or her browser sends a message called a “GET request” to the web page’s server. The GET request serves two purposes: it first tells the website what information is being requested and then instructs the website to send the information back to the user. The GET request also transmits a referer header containing the personally-identifiable URL information. Typically, this communication occurs only between the user’s web browser and the third-party website. On websites with Facebook plug-ins, however, Facebook’s code directs the user’s browser to copy the referer header from the GET request and then send a separate but identical GET request and its associated referer header to Facebook’s
30 IN RE FACEBOOK, INC. INTERNET TRACKING LITIG.
server. It is through this duplication and collection of GET requests that Facebook compiles users’ browsing histories.
The Wiretap Act does not define the term “party” in its liability exemption, and the other circuit courts that have considered the Act’s scope have interpreted the term in different ways. The First and Seventh Circuits have implicitly assumed that entities that surreptitiously duplicate transmissions between two parties are not parties to communications within the meaning of the Act. In In re Pharmatrak, Inc. Privacy Litig., the First Circuit considered whether the defendant could face liability under the Wiretap Act when it employed software that “automatically duplicated part of the communication between a user and a [third-party website] and sent this information to [the defendant].” 329 F.3d 9, 22 (1st Cir. 2003). The First Circuit rejected the defendant’s argument that “there was no interception because ‘there were always two separate communications: one between the Web user and the [third-party website], and the other between the Web user and [the defendant].’” Id. Noting that the defendant “acquired the same URL . . . exchanged as a part of the communication between the [third- party website] and the user,” it determined that the defendant’s acquisition constituted an interception and could still render it liable. Id.
In United States v. Szymuszkiewicz, the Seventh Circuit reached a similar conclusion. 622 F.3d 701 (7th Cir. 2010). In that case, the Seventh Circuit considered whether a defendant violated the Wiretap Act when he employed a software that instructed his employer’s email to duplicate and forward all emails the employer received to the defendant’s own inbox. Id. at 703. The court determined that, because the copies were sent contemporaneously with the original
IN RE FACEBOOK, INC. INTERNET TRACKING LITIG. 31 emails, the defendant had intercepted the communications and could be held liable. Id. at 706.
However, the Third Circuit has held to the contrary. In In re Google Cookie, the court considered whether internet advertising companies were parties to a communication when they placed cookie blockers on web-users’ browsers to facilitate online advertisements. 806 F.3d at 143. As in the instant case, the users sent GET requests to third-party websites and upon receipt, the website would duplicate the GET request and send it to the defendants. Id. at 140. The Third Circuit concluded that the defendants were “the intended recipients” of the duplicated GET requests, and thus “were parties to the transmissions at issue.” Id. at 143; see also In re Nickelodeon, 827 F.3d at 275–76 (citing In re Google Cookie for the same).9
We adopt the First and Seventh Circuits’ understanding that simultaneous, unknown duplication and communication of GET requests do not exempt a defendant from liability under the party exception. As we have previously held, the “paramount objective of the [Electronic Communications Privacy Act, which amended the Wiretap Act] is to protect effectively the privacy of communications.” Joffe v. Google, 746 F.3d 920, 931 (9th Cir. 2013). We also recognize that the Wiretap Act’s legislative history evidences Congress’s intent to prevent the acquisition of the contents of a message by an
9 In Konop v. Hawaiian Airlines, Inc., we adopted a definition of “intercept” that encompassed both an “acquisition contemporaneous with transmission” and an act requiring a party to “stop, seize, or interrupt in progress or course before arrival.” 302 F.3d 868, 878 (9th Cir. 2002). In that case, however, we considered whether items viewed on a private website were intercepted, in violation of the Wiretap Act, not plug-ins that duplicated and sent GET requests, as we consider here.
32 IN RE FACEBOOK, INC. INTERNET TRACKING LITIG.
unauthorized third-party or “an unseen auditor.” See S. REP. NO. 90-1097, reprinted in 1986 U.S.C.C.A.N. 2112, 2154, 2182. Permitting an entity to engage in the unauthorized duplication and forwarding of unknowing users’ information would render permissible the most common methods of intrusion, allowing the exception to swallow the rule.
Therefore, we conclude that Facebook is not exempt from liability as a matter of law under the Wiretap Act or CIPA as a party to the communication. We do not opine whether the Plaintiffs adequately pleaded the other requisite elements of the statutes, as those issues are not presented on appeal.
C
The district court properly dismissed Plaintiffs’ SCA claims. The SCA requires Plaintiffs to plead that Facebook (1) gained unauthorized access to a “facility” where it (2) accessed an electronic communication in “electronic storage.” 18 U.S.C. § 2701(a).
Electronic storage is defined as either the “temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof” and “any storage of such communication by an electronic communication service for purposes of backup protection of such communication.” 18 U.S.C. § 2510(17).
Plaintiffs allege that “[w]eb-browsers store a copy of the Plaintiffs’ URL requests in the toolbar while the user remains present at a particular webpage,” and that this storage is incidental to the electronic communication because once “the user hits the Enter button or clicks on a link, the communication is in the process of being sent and received
IN RE FACEBOOK, INC. INTERNET TRACKING LITIG. 33
between the user and the first-party website.” Plaintiffs similarly assert that their browsing history—a record of previously viewed websites—serves purposes of “backup protection” of such communications. In short, Plaintiffs allege that the URL is in “electronic storage” in the toolbar during the split-second that it takes to complete a search. In Plaintiffs’ view, because Facebook duplicates the URL and sends it to its servers during that split second, it accesses the URL while it is in this “electronic storage.”
The district court considered the GET requests that Facebook duplicated and forwarded to its servers as wholly separate from the copy of the URL displayed in the search toolbar. Because the copy in the toolbar was not stored “incident to transmission” but was only present for the user’s convenience, the district court determined that the Plaintiffs’ data was not in electronic storage.
We agree. The communications in question—the GET requests themselves—are not the communications stored in the user’s toolbar. Rather, the GET requests are sent directly between the user and the third-party website. The text displayed in the toolbar serves only as a visual indication—a means of informing the user—of the location of their browser. Thus, the URL’s appearance in the toolbar is not “incidental” to the transmission of the URL or GET request.
What is more, Plaintiffs’ interpretation of the SCA would stretch its application beyond its limits. True, the SCA’s legislative history suggests that Congress intended the term “electronic storage” to be broadly construed, and not limited to “particular mediums, forms, or locations.” Hately v. Watts, 917 F.3d 770, 786 (4th Cir. 2019) (citing H.R. REP., NO. 99- 647, at 39 (1986)). Nonetheless, the text and legislative
34 IN RE FACEBOOK, INC. INTERNET TRACKING LITIG.
history of the SCA demonstrate that its 1986 enactment was driven by congressional desire to protect third-party entities that stored information on behalf of users. See id. at 782 (noting that the SCA was enacted to protect against illicit access to stored communications in “remote computing operations and large data banks that stored emails”). Since then, the SCA has typically only been found to apply in cases involving a centralized data-management entity; for instance, to protect servers that stored emails for significant periods of time between their being sent and their recipients’ reading them. See id. at 798 (considering whether a web-based email service “stored” emails); Theofel v. Farey-Jones, 359 F.3d 1066, 1072 (9th Cir. 2004) (considering whether emails stored by an internet service provider fell under the statute’s purview). Here, the allegations, even construed in the light most favorable to Plaintiffs, do not show that the communications were even in “storage,” much less that the alleged “storage” within a URL toolbar falls within the SCA’s intended scope.
Plaintiffs alternatively argue that their browsing histories are stored for “purposes of back-up” and thus satisfy the SCA’s electronic storage definition. Plaintiffs note that, in Theofel, we held that a copy of information stored on a user’s computer “in the event that the user needs to download it again” constituted storage for backup purposes. 359 F.3d at 1075. In this case, however, the browsing histories are not composed of the actual communications sent between the individuals—rather, the browsing histories are merely a record of URLs visited. Thus, Plaintiffs’ claims for relief
IN RE FACEBOOK, INC. INTERNET TRACKING LITIG. 35 under the SCA are insufficient, and the district court correctly dismissed them.[10]
D
The district court also properly held that the Plaintiffs have not stated a breach of contract claim. In order to establish a contract breach, Plaintiffs must allege: (1) the existence of a contract with Facebook, (2) their performance under that contract, (3) Facebook breached that contract, and (4) they suffered damages. Oasis West Realty, LLC v. Goldman, 51 Cal. 4th 811, 821 (2011).
Plaintiffs allege that Facebook entered into a contract with each Plaintiff consisting of the SRR, Privacy Policy, and relevant Help Center pages. The parties agree that the SRR constitutes a contract. In their third amended complaint, Plaintiffs attached the SRR that was last revised April 26, 2011. This document states “[y]our privacy is very important to us” and “[w]e encourage you to read the Privacy Policy, and to use it to help make informed decisions.” But this document does not contain an explicit promise not to track logged-out users. For that allegation, Plaintiffs instead rely on language from the Data Use Policy and the Help Center pages.
To properly incorporate another document, the document “need not recite that it incorporates another document, so long as it guide[s] the reader to the incorporated document.”