A case pending against Facebook in California is heading back to the Federal District Court for further litigation on the merits. On April 9, 2020, the Ninth Circuit Court of Appeal ruled on plaintiffs’ claims against Facebook arising out of Facebook’s alleged use of plug-ins to track users’ browsing histories when they visit third-party websites, which, allegedly, then are sold to advertisers to generate revenue. On appeal from the granting of a motion to dismiss at the District Court level were two distinct issues; namely, (1) whether the plaintiffs had standing to bring their claims (e.g., whether plaintiffs adequately alleged an invasion of a legally protected interest that was concrete and particularized) and (2) whether Congress and the California legislature intended to protect historical privacy rights when they passed the Wiretap Act, Stored Communication Act (“SCA”), and the California Invasion of Privacy Act (“CIPA”). As to both questions, the Court ruled in the affirmative, holding that the plaintiffs had standing to bring their claims and that Congress, and the California Legislature, had intended to protect privacy rights when passing those Acts.
Turning to the merits, the Court held that plaintiffs adequately stated claims for relief for intrusion upon seclusion and invasion of privacy under California law. First, given the privacy interests alleged in the complaint and Facebook’s allegedly surreptitious and unseen data collection, plaintiffs had adequately alleged a reasonable expectation of privacy sufficient to survive a motion to dismiss. Second, plaintiffs had identified sufficient facts to survive a motion to dismiss on the ultimate question of whether Facebook’s tracking and collection practices could offend a reasonable individual.
Furthermore, the Court held that plaintiffs sufficiently alleged that Facebook’s tracking and collection practices, as alleged, violated the Wiretap Act and CIPA. Both statutes contain an exemption from liability for a person who is a “party” to the communication. Noting a circuit split, the panel adopted the First and Seventh Circuits’ understanding that simultaneous unknown duplication and communication of GET requests did not exempt Facebook from liability under the party exception. A GET request is a coding method that sends data as part of the URL in the address bar, and it is saved in the browser history and server logs in plain text. The Court concluded that Facebook was not exempt from liability as a matter of law under the Wiretap Act or CIPA, although the Court did not rule on whether the plaintiffs adequately pleaded the other requisite elements of those statutes.
Notably, the Court ruled in favor of Facebook and affirmed the dismissal of the plaintiffs’ claims under the SCA, which required plaintiffs to plead that Facebook gained unauthorized access to a “facility” where it accessed electronic communications in “electronic storage.” The Court of Appeal agreed with the District Court’s determination that plaintiffs’ data was not in electronic storage and thus the claims for relief under the SCA were insufficient.
This ruling provides significant direction regarding minimum pleading standards required for claims against other businesses subject to these Acts, particularly the CIPA. Indeed, this decision affirms that the purpose of the CIPA was to protect traditional notions of privacy in today’s data-driven and web-based world. That the Court of Appeal has unequivocally determined that these plaintiffs have standing to assert such claims will most certainly result in a rash of new class action cases against Facebook and similar companies that are subject to CIPA. While the Court of Appeal is permitting the claims against Facebook to proceed, it is important to highlight that the plaintiffs may still face additional challenges in proving each element of their case to survive a summary judgment motion before trial. Put differently, there is still much left to litigate at the District Court level.