In its opinion filed April 9, the U.S. Court of Appeals for the Ninth Circuit greenlighted a mix of privacy claims levied against Facebook in In Re Facebook, Inc. Internet Tracking Litigation, reversing the lower court’s decision to dismiss the case. The plaintiffs in the case are a class of Facebook users alleging that the social media company tracked their browser histories from May 2010 to September 2011 when they visited third-party websites featuring Facebook “Like” buttons.

The Ninth Circuit’s opinion in In Re Facebook has significant implications for industry and data privacy. Data privacy norms have been enforced most aggressively by the Federal Trade Commission and state attorneys general, while comparable class actions have met resistance in federal courts. In Re Facebook, however, signals a departure from that status quo.

First, this opinion reinforces the Ninth Circuit’s view that privacy violations are, in and of themselves, concrete injuries that confer Article III standing. This position, first articulated by the court last year in Patel v. Facebook, makes it easier for plaintiffs’ attorneys to cross the motion-to-dismiss hurdle for privacy-related claims, increasing the likelihood that successful data-privacy class actions will crop up in the Ninth Circuit. Second, the court joined the First and Seventh Circuits in adopting an industry-unfriendly interpretation of the party exception to the Wiretap Act, 18 U.S.C § 2510. The Third Circuit, by contrast, uses a more industry-sympathetic interpretation. The Ninth Circuit’s reading of the Wiretap Act exposes internet advertisers and other internet-based technology companies to potential liability for cookie-enabled browser monitoring of web users—a fairly common practice employed in targeted advertising.

Due to both the circuit split and the opinion’s potential for disruption of tech revenue streams, In Re Facebook is a candidate for the Supreme Court’s docket. Stewart Baker recently expressed the same sentiment, forecasting a grant of certiorari should Facebook appeal. Baker also discussed what the opinion reflects about the court’s changing posture toward Silicon Valley, contending that such an opinion would have been “unthinkable” from the Ninth Circuit just 10 years ago. In the coming months, Silicon Valley and data privacy lawyers alike are sure to watch this case closely.

Technical Background

The plaintiffs allege that Facebook collected a slate of “personally-identifiable URL information” from user traffic on third-party websites—so long as these websites carried the Facebook “Like” button. The data collected included user identities, the URLs of these websites that users visited, and the information contained in “referrer headers”—that is, referring web addresses, usually google.com, followed by the string of search terms used to get to one of these third-party websites. According to the plaintiffs, Facebook then correlated URLs and referrer headers with “user ID[s], time stamp[s], browser settings, and even the type[s] of browser used,” allowing the social media company to create detailed personal profiles informed by activity off its platform. Facebook’s surveillance, the plaintiffs argue, was facilitated by the interplay between its plug-ins and “tracking” cookies.

Cookies are small, deletable text files that get stored on our devices as we browse the internet. Virtually all companies deploy cookies once we visit their websites. These cookies store browsing information and make it easier to identify web users across repeated visits.

Companies use cookies in a variety of ways. The New York Times, for example, maintains its paywall by placing cookies on readers’ web browsers so that it can keep count of how many free articles an unsubscribed user has read. Facebook similarly places cookies on users’ web browsers once they visit the Facebook webpage. Some of these cookies—“session cookies”— enhance a user’s experience while on Facebook’s platform by helping the site track and broadcast at any given time, for example, whether a user is active in Messenger. But Facebook also uses “tracking cookies.” These cookies attach to individuals’ web browsers not only when visiting Facebook.com but also upon visiting third-party websites that feature Facebook plug-ins, tracking Facebook users and non-Facebook users alike.

Plug-ins are bits of code created and made available to web developers, who can then easily embed them into websites. Facebook’s software developers create many such plug-ins for third-party use. The plug-in at issue in this case is the Facebook “Like” button, which was commonplace on most online publications, forums and blogs.

Plaintiffs allege that Facebook’s cookies “compiled” revealing browser data every time a user visited a website featuring a Facebook “Like” button, and the code buried in the “Like” button “intercepted” that information, kicking it back to Facebook. Here are the mechanics: When we click links to websites, or directly type web addresses into our toolbars, our web browsers send “GET requests” to the websites we are trying to access. GET requests tell websites what remote data we need in order to load a webpage, allowing websites to send that requested information back to our browsers. Absent any interference, there is only one channel of communication upon loading a website—the channel between a user and a website. Plaintiffs argue, however, that when they visited websites featuring “Like” buttons, Facebook code embedded in these websites instructed users’ web browsers to open up second, “unauthorized” channels of communication directly to the Facebook servers, funneling the relevant URL information and cookies to the social media company. Facebook has not disputed any of these tracking practices.

The Ninth Circuit’s Opinion

The plaintiffs asserted violations of the Wiretap Act, the Stored Communications Act (SCA) and the California Invasion of Privacy Act (CIPA), alongside common law privacy claims and a hodgepodge of other grievances. The Ninth Circuit found Article III standing for all claims, but only the Wiretap Act, the CIPA and the two common law privacy claims ultimately made it over the motion-to-dismiss hurdle. In Re Facebook marks the first time the Ninth Circuit has permitted claims against commercial browser monitoring under the Wiretap Act and CIPA.

Article III Standing

Under Spokeo v. Robins, standing requires that plaintiffs (1) “suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Standing analysis in the data privacy context typically focuses on element number one. More specifically, element number one asks whether a plaintiff has suffered a “concrete” and “particularized” injury—usually some sort of economic or physical harm—rather than a “bare procedural violation.” Analyzing first the privacy claims and then the remaining claims, the Ninth Circuit found that the plaintiffs had indeed suffered concrete injuries related to all claims.

The Ninth Circuit affirmed that the plaintiffs had standing to bring their privacy claims even though the alleged invasions of privacy had not caused any economic or physical harm. According to Ninth Circuit case law, even when there is no economic or physical harm, violation of a law in which there was legislative intent to protect a concrete interest—“akin to a historical, common law interest”—can satisfy element one of Spokeo v. Robins. In August 2019, in Patel v. Facebook, the Ninth Circuit identified a long-standing common law interest in the right to privacy, satisfying the second leg of this analysis. And to satisfy the first leg, the Ninth Circuit concluded that the legislative history behind the Wiretap Act and CIPA demonstrated that both Congress and the California legislature “intended to protect these historical privacy rights.” This has important implications for future Ninth Circuit privacy cases. So long as any future plaintiff in the Ninth Circuit alleges invasion of privacy under either a common law theory or a statute intended to protect privacy, In Re Facebook would likely permit the plaintiff to establish Article III standing. With this ruling, the Ninth Circuit has eliminated that barrier to the courthouse.

Next, the Ninth Circuit Court reversed the lower court’s conclusion as to the remaining claims (trespass to chattels, fraud, larceny and the Computer Data Access and Fraud Act), finding standing through an interest in the “disgorgement of profits,” conferred not through federal law, or common law generally, but through California state law. At issue, again, was the first element from Spokeo. For the non-privacy-related claims, the plaintiffs contended that Facebook was “unjustly enriched,” presumably through the increased ad revenue that resulted from the alleged third-party tracking. Facebook, however, argued that there was still no injury to the plaintiffs—although Facebook had made profits on the data, the plaintiffs had not suffered from the data monetization in any tangible sense. The Ninth Circuit ultimately sided with the plaintiffs. Per the court, “state law can create interests that support standing in federal courts.” And “California law recognizes a right to disgorgement of profits resulting from unjust enrichment” even when a plaintiff does not suffer any sort of economic loss. Under the Ninth Circuit’s analysis, unjust enrichment constitutes a concrete injury whether or not it imposes economic losses on plaintiffs.

12(b)(6) Motion to Dismiss and Failure to State a Claim

Having reversed part of the lower court’s decision on Article III standing, the Ninth Circuit remanded the slate of non-privacy-related claims back to the lower court for a motion-to-dismiss ruling. The bulk of the Ninth Circuit opinion focused on the plaintiffs’ contract, SCA, common law privacy, CIPA and Wiretap Act claims. Ultimately, only the common law privacy, CIPA and Wiretap Act claims survived Facebook’s motion to dismiss.

The Ninth Circuit made short work of the plaintiffs’ contract claims. The plaintiffs pointed to Facebook’s September 2011 data use policy, which “promise[d] … to help [users] protect [their] property rights.” The court, however, found that the document did not contain “an explicit promise not to track logged-out users.” The court also rejected the notion that the policy was a contract, emphasizing that there was no “exchange for [Facebook’s] promise.” This refusal to construe Facebook’s data use policy as a contract is consistent with the jurisprudence of most circuit courts.

The Ninth Circuit also dismissed the plaintiffs’ claim under the SCA, 18 U.S.C § 2701(a). The plaintiffs argued that Facebook gained unauthorized access to URLs that were contained in “electronic storage.” The court found three problems with this argument. First, the URLs were not electronically stored “incident to transmission,” per the language of the statute. Second, the court concluded that Congress never intended the SCA to protect URLs and individuals. Rather, it intended the law to protect electronic “communications” held by “centralized data-management” entities that store, for example, “emails” for transmission. And third, assuming for a moment that the plaintiffs’ URLs were communications, the plaintiffs pointed to the wrong ones. The court argued that Facebook had not accessed the plaintiffs’ browser toolbars or browser histories. Facebook did collect a lot of the same information found in browser toolbars and saved history, but rather than obtain the information from those sources, the social media company had obtained the relevant information from GET requests.

The plaintiffs had better luck with their common law privacy claims. The Ninth Circuit evaluated whether they had a “reasonable expectation of privacy” and whether Facebook’s intrusion was “highly offensive.” Looking at Facebook's Statement of Rights and Responsibilities and Facebook’s data use policies, the court determined that users had a reasonable expectation of privacy regarding their data obtained while logged-out of Facebook. Further, the Ninth Circuit held that, even if the plaintiffs had never explicitly denied Facebook the consent to collect such data, Facebook’s “affirmative statements” not to track data were enough to establish a reasonable expectation of privacy. Turning the analysis to whether Facebook’s intrusion was “highly offensive,” the court determined that the lower court would have to make such a finding after the pleading stage. The court reasoned that such a determination would require a holistic, multifactor analysis of the intrusion, the social norms surrounding the intrusion and broader policy considerations.

Most significantly, the Ninth Circuit refused to exempt Facebook from liability under both the CIPA and the Wiretap Act, which prohibit eavesdropping, or the unauthorized “interception” of “electronic communications.” Though eavesdropping is prohibited, both statutes exempt entities that are “part[ies]” to a communication. Circuit courts are split on who qualifies as a “party.” Whereas the First and Seventh Circuits have held that defendants who “surreptitiously” induce users to copy and send communications—such as emails or GET requests—back to the defendants are not “parties” to those communications, the Third Circuit has held the exact opposite.

For example, in In re Google Cookie, the Third Circuit evaluated tracking techniques used by internet advertising companies. Just like Facebook, those advertising companies would duplicate standard GET requests sent between a web user and a website, opening up a second, secret channel of communication between the web user and the advertising company. The Third Circuit ultimately granted these advertising companies the party exception. Under the court’s analysis, the duplicate GET requests sent from a users’ web browser to an internet advertising company constituted discrete channels of communication—not mere interceptions. The fact that there were two separate channels of communication—user to website and user to advertising company—proved critical to the Third Circuit’s conclusion.

Further still, the Third, Fifth and Sixth Circuits point to Congress’s express mention of United States v. Pasha when, in 1968, it amended the Wiretap Act to its current state. Four years before the amendment, the Pasha court held that a police officer who impersonated the intended recipient of a phone call had not violated the Wiretap Act. And these courts now interpret Pasha’s inclusion in the legislative history to mean that Congress never intended the Wiretap Act to impose liability on anyone “who impersonate[s] the intended receiver of a communication.” If that understanding of the statute were adapted to the facts alleged against Facebook, the social media company’s covert duplication of GET requests would not disqualify it from the party exception. Nevertheless, the Ninth Circuit expressly rejected that view, ultimately agreeing with the First and Seventh Circuits. The Ninth Circuit held that “simultaneous, unknown duplication and communication of GET requests” do not exempt Facebook from liability under the party exception. Under this reasoning, the Ninth Circuit will likely not extend the party exception to web companies and online advertisers that use the same techniques.

***

As we wait for a ruling from the lower court on the remaining claims, there are two lenses through which to view what may come next.

First is the fate of the Wiretap Act. Until the Supreme Court clarifies the statute’s application to online tracking for commercial purposes, companies whose revenue streams depend on targeted advertising may have to go on the defensive, preemptively modifying their tracking techniques. This could mean turning to more aggressive user-consent models and offering affirmative tracking disclosures. But a Supreme Court ruling adopting an interpretation more akin to the Third Circuit’s could preserve targeted advertising methods in their current iterations.

And then there is how this opinion impacts industry data-monetization practices more generally, beyond just cookie-based browser tracking. Though In Re Facebook Tracking Litigation has only just recently cleared the pleading stage, enterprising plaintiffs’ attorneys may see this ruling as a signal to start preparing data privacy lawsuits challenging other industry practices and seeking lucrative settlements (if not judgments) in the Ninth Circuit. It’s too early to tell just how large an impact this ruling will have, but technology companies would do well to start preparing for these increased liability risks.