Ah, to be a class action plaintiff these days. One day you’re up, plowing through the Northern District of California on expansive theories of injury, the next you’re down, upended like a top-heavy apple cart by a failure to properly plead your claims under the relevant statute. In In Re: Zynga Privacy Litigation, it was the latter—a failure to properly allege that Facebook and Zynga wrongly disclosed the “contents” of communications, under the Electronic Communications Privacy Act (ECPA). The Ninth Circuit decision affirming the district court’s consolidated opinion in Robertson v. Facebook and Graf v. Zynga, issued on May 7, 2014, can be found here.
Privacy class actions have often suffered from a glaring defect: the inability to allege injury, which is required for Article III standing and jurisdiction. In other words, the class plaintiff has made adequate allegations that information was wrongly disclosed, but not that consumers have been harmed by the disclosure. However, as we have reported previously (see also here), the Northern District of California has tilled the soil for more class actions—at least in that court—by holding that violations of a statute that establishes privacy rights and provides for statutory damages, such as the ECPA, are sufficient to provide Article III standing. While there is a split among circuits on this point, and the Supreme Court’s decision in Clapper v. Amnesty International USA clarifying the Article III injury requirement might be used to challenge this line of cases, for now class action plaintiffs do not have that obstacle in their path when claiming violations of the ECPA. Similarly, in a memorandum opinion filed simultaneously with the Court’s ECPA ruling, the Ninth Circuit gives a nod to Plaintiffs’ theory that the dissemination of personal information and the loss of the sales value of that information is enough to establish harm for state law claims of breach of contract and fraud. More on that at a later time.
Fortunately for the defendants in the Zynga case, the question of whether a plaintiff can state a claim under the ECPA does not begin and end with the question of injury. The question raised in the defendants’ motion to dismiss in that case was whether the particular information disclosed in connection with consumer interactions constituted “contents” of a communication, or something else. The answer from the Ninth Circuit? Something else.
The communications in question are familiar to anyone who has used Facebook, especially if you have ever been spammed (and we use that term in the nicest possible way) by friends asking you to play an online game, or reporting on their achievements in such a game. Plaintiffs alleged that when users clicked on Facebook ads, or on a link to online games provided by Zynga (including the wildly popular Farmville application), personal information about the user was disclosed to third parties in violation of Facebook’s and/or Zynga’s privacy policies.
Notwithstanding these policies, Facebook and Zynga did provide some information to third parties when users clicked on the links in question. The clicks generated a message to the third party with a request—to access a particular resource, such as an advertisement—and that request typically also included a “referrer header” the provided the user’s Facebook ID and the address of the webpage where the request originated (that is, the page the user was viewing when it clicked on the link). A Facebook ID is initially set as a strong of numbers, but users often modify it to reflect their real name or screen name, and thus Facebook treats the ID as personally identifiable information.
Plaintiff argued that disclosure of the Facebook ID and web page that generated the request violated the Stored Communications Act (Title II of the ECPA) in both the Zynga and Facebook cases, and also violated the Wiretap Act (Title I of the ECPA) in the Zynga case. The Wiretap Act provides that an entity "providing an electronic communication service to the public shall not intentionally divulge the contents of any communication (other than one to such entity, or an agent thereof) while in transmission on that service to any person or entity other than an addressee or intended recipient of such communication or an agent of such addressee or intended recipient." 18 U.S.C. § 2511(3)(a). Similarly, the Stored Communications Act provides that an entity providing an electronic communication service to the public "shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service," but may divulge the contents of a communication to an addressee or intended recipient of such communication. 18 U.S.C. § 2702 (a)(1) and (b)(1).
Decision and Analysis
The Ninth Circuit upheld the district court’s dismissal of the ECPA claims on the grounds that the referrer headers did not communicate the “contents” of a communication to third parties.
The Ninth Circuit first looked to the definition of “contents” of a communication under the ECPA: “any information concerning the substance, purport or, or meaning of that communication.” 18 U.S.C. § 2510(8) (Title I); 18 U.S.C. § 2711(1) (Title II). The Court also noted that under the Stored Communications Act, “contents” are distinguished from “record information”, which includes the name, address, and subscriber number or identity, and that record information may be disclosed to third parties in some instances.
The Court then applied dictionary definitions to the words “substance, purport or meaning” in the definition above, in the context of the ECPA as a whole, and found that “contents” refers only to the message being conveyed (the “essential part” of the communication), and not record information. In response to plaintiff’s arguments that the referrer header nevertheless contained “contents” under the statute, the Court held that a Facebook ID and web page were no more than a name and address, and thus were record information. The Court also pointed to the fact that, as noted, the statutes expressly permit the disclosure of such information to third parties.
Finally, the Court rejected the plaintiff’s most creative argument, which was that disclosure of referrer here headers (in particular the web page address) was akin to disclosure of a URL in United States v. Forrester. In a footnote in Forrester, the Ninth Circuit indicated that disclosure of a URL that contained a search phrase that had been entered by a user might reveal “content” in a way that could be problematic under the Fourth Amendment. Although dubious that Fourth Amendment precedent should apply at all, the Court here noted that even in Fourth Amendment cases it had previously distinguished between contents and record information, citing its approval of the warrantless installation of pen registers which capture phone numbers but not the contents of calls, and the warrantless collection of email and IP addresses but not their contents.
There is little question that the Ninth Circuit reached the correct result under the ECPA, given its clear distinction between contents and record information. On the other hand, such a decision hardly means that companies should disclose record information that consists of personally identifiable information to third parties if their policies say that they will not do so, as other statutes, such as the Video Privacy Protection Act and state law claims of fraud and breach of contract, do not contain such limiting language.
Finally, unspoken in this case but clear to most of us by now is the economic value of the type of information provided in referrer headers, and the robust tools that can be brought to bear to extract meaningful information about consumers from that data. Just as litigants have been challenging government efforts to collect metadata as invasions of privacy because they reveal so much information about their targets we can expect more and more sophisticated arguments by lawyers to advance similar arguments in class action cases, including the continuing Facebook litigation. Just don’t expect that to work under the ECPA.