Should Have Stayed on The Farm(ville): Class Action Plaintiffs' ECPA Claims Put Out to Pasture

by Davis Wright Tremaine LLP
Contact

Ah, to be a class action plaintiff these days. One day you’re up, plowing through the Northern District of California on expansive theories of injury, the next you’re down, upended like a top-heavy apple cart by a failure to properly plead your claims under the relevant statute. In In Re: Zynga Privacy Litigation, it was the latter—a failure to properly allege that Facebook and Zynga wrongly disclosed the “contents” of communications, under the Electronic Communications Privacy Act (ECPA). The Ninth Circuit decision affirming the district court’s consolidated opinion in Robertson v. Facebook and Graf v. Zynga, issued on May 7, 2014, can be found here

Privacy class actions have often suffered from a glaring defect: the inability to allege injury, which is required for Article III standing and jurisdiction. In other words, the class plaintiff has made adequate allegations that information was wrongly disclosed, but not that consumers have been harmed by the disclosure. However, as we have reported previously (see also here), the Northern District of California has tilled the soil for more class actions—at least in that court—by holding that violations of a statute that establishes privacy rights and provides for statutory damages, such as the ECPA, are sufficient to provide Article III standing. While there is a split among circuits on this point, and the Supreme Court’s decision in Clapper v. Amnesty International USA clarifying the Article III injury requirement might be used to challenge this line of cases, for now class action plaintiffs do not have that obstacle in their path when claiming violations of the ECPA. Similarly, in a memorandum opinion  filed simultaneously with the Court’s ECPA ruling, the Ninth Circuit gives a nod to Plaintiffs’ theory that the dissemination of personal information and the loss of the sales value of that information is enough to establish harm for state law claims of breach of contract and fraud. More on that at a later time.

Fortunately for the defendants in the Zynga case, the question of whether a plaintiff can state a claim under the ECPA does not begin and end with the question of injury. The question raised in the defendants’ motion to dismiss in that case was whether the particular information disclosed in connection with consumer interactions constituted “contents” of a communication, or something else. The answer from the Ninth Circuit? Something else.

Background

The communications in question are familiar to anyone who has used Facebook, especially if you have ever been spammed (and we use that term in the nicest possible way) by friends asking you to play an online game, or reporting on their achievements in such a game. Plaintiffs alleged that when users clicked on Facebook ads, or on a link to online games provided by Zynga (including the wildly popular Farmville application), personal information about the user was disclosed to third parties in violation of Facebook’s and/or Zynga’s privacy policies.

During the time period in question, Facebook’s privacy policy stated that it would not reveal a user’s specific identity and would only provide anonymous information to third parties. Zynga’s privacy policy stated that it would not sell or rent personally identifiable information to third parties.

Notwithstanding these policies, Facebook and Zynga did provide some information to third parties when users clicked on the links in question. The clicks generated a message to the third party with a request—to access a particular resource, such as an advertisement—and that request typically also included a “referrer header” the provided the user’s Facebook ID and the address of the webpage where the request originated (that is, the page the user was viewing when it clicked on the link). A Facebook ID is initially set as a strong of numbers, but users often modify it to reflect their real name or screen name, and thus Facebook treats the ID as personally identifiable information.

Plaintiff argued that disclosure of the Facebook ID and web page that generated the request violated the Stored Communications Act (Title II of the ECPA) in both the Zynga and Facebook cases, and also violated the Wiretap Act (Title I of the ECPA) in the Zynga case. The Wiretap Act provides that an entity "providing an electronic communication service to the public shall not intentionally divulge the contents of any communication (other than one to such entity, or an agent thereof) while in transmission on that service to any person or entity other than an addressee or intended recipient of such communication or an agent of such addressee or intended recipient." 18 U.S.C. § 2511(3)(a). Similarly, the Stored Communications Act provides that an entity providing an electronic communication service to the public "shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service," but may divulge the contents of a communication to an addressee or intended recipient of such communication. 18 U.S.C. § 2702 (a)(1) and (b)(1).

Decision and Analysis

The Ninth Circuit upheld the district court’s dismissal of the ECPA claims on the grounds that the referrer headers did not communicate the “contents” of a communication to third parties.

The Ninth Circuit first looked to the definition of “contents” of a communication under the ECPA: “any information concerning the substance, purport or, or meaning of that communication.” 18 U.S.C. § 2510(8) (Title I); 18 U.S.C. § 2711(1) (Title II). The Court also noted that under the Stored Communications Act, “contents” are distinguished from “record information”, which includes the name, address, and subscriber number or identity, and that record information may be disclosed to third parties in some instances.

The Court then applied dictionary definitions to the words “substance, purport or meaning” in the definition above, in the context of the ECPA as a whole, and found that “contents” refers only to the message being conveyed (the “essential part” of the communication), and not record information. In response to plaintiff’s arguments that the referrer header nevertheless contained “contents” under the statute, the Court held that a Facebook ID and web page were no more than a name and address, and thus were record information. The Court also pointed to the fact that, as noted, the statutes expressly permit the disclosure of such information to third parties.

Finally, the Court rejected the plaintiff’s most creative argument, which was that disclosure of referrer here headers (in particular the web page address) was akin to disclosure of a URL in United States v. Forrester. In a footnote in Forrester, the Ninth Circuit indicated that disclosure of a URL that contained a search phrase that had been entered by a user might reveal “content” in a way that could be problematic under the Fourth Amendment. Although dubious that Fourth Amendment precedent should apply at all, the Court here noted that even in Fourth Amendment cases it had previously distinguished between contents and record information, citing its approval of the warrantless installation of pen registers which capture phone numbers but not the contents of calls, and the warrantless collection of email and IP addresses but not their contents.

There is little question that the Ninth Circuit reached the correct result under the ECPA, given its clear distinction between contents and record information. On the other hand, such a decision hardly means that companies should disclose record information that consists of personally identifiable information to third parties if their policies say that they will not do so, as other statutes, such as the Video Privacy Protection Act and state law claims of fraud and breach of contract, do not contain such limiting language.

Finally, unspoken in this case but clear to most of us by now is the economic value of the type of information provided in referrer headers, and the robust tools that can be brought to bear to extract meaningful information about consumers from that data. Just as litigants have been challenging government efforts to collect metadata as invasions of privacy because they reveal so much information about their targets we can expect more and more sophisticated arguments by lawyers to advance similar arguments in class action cases, including the continuing Facebook litigation. Just don’t expect that to work under the ECPA.

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Davis Wright Tremaine LLP | Attorney Advertising

Written by:

Davis Wright Tremaine LLP
Contact
more
less

Davis Wright Tremaine LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
Privacy Policy (Updated: October 8, 2015):
hide

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.