AI Case Brief
Generate an AI-powered case brief with:
đKey Facts
âď¸Legal Issues
đCourt Holding
đĄReasoning
đŻSignificance
Estimated cost: $0.001 - $0.003 per brief
Full Opinion
FOR PUBLICATION
UNITED STATES COURT OF APPEALS
FOR THE NINTH CIRCUIT
IN RE FACEBOOK, INC. INTERNET No. 17-17486
TRACKING LITIGATION,
D.C. No.
5:12-md-02314-
PERRIN AIKENS DAVIS; BRIAN K. EJD
LENTZ; CYNTHIA D. QUINN;
MATTHEW J. VICKERY,
Plaintiffs-Appellants, OPINION
v.
FACEBOOK, INC.,
Defendant-Appellee.
Appeal from the United States District Court
for the Northern District of California
Edward J. Davila, District Judge, Presiding
Argued and Submitted April 16, 2019
San Francisco, California
Filed April 9, 2020
2 IN RE FACEBOOK, INC. INTERNET TRACKING LITIG.
Before: Sidney R. Thomas, Chief Judge, Milan D.
Smith, Jr., Circuit Judge, and Katherine H. Vratil,*
District Judge.
Opinion by Chief Judge Thomas
SUMMARY**
Standing / Privacy Law
The panel affirmed the district courtâs dismissal of the
Stored Communications Act (âSCAâ), breach of contract, and
breach of implied covenant claims; reversed the dismissal of
the remaining claims; and remanded for further consideration,
in an action alleging privacy-related claims against Facebook,
Inc.
Facebook uses plug-ins to track usersâ browsing histories
when they visit third-party websites, and then complies these
browsing histories into personal profiles which are sold to
advertisers to generate revenue. Plaintiffs filed an amended
complaint on behalf of themselves and a putative class of
people who had active Facebook accounts between May 27,
2010 and September 26, 2011. They alleged that Facebook
executives were aware of the tracking of logged-out users and
*
The Honorable Kathryn H. Vratil, United States District Judge for
the District of Kansas, sitting by designation.
**
This summary constitutes no part of the opinion of the court. It has
been prepared by court staff for the convenience of the reader.
IN RE FACEBOOK, INC. INTERNET TRACKING LITIG. 3
recognized that these practices posed various user-privacy
issues.
As an initial matter, the panel held that plaintiffs had
standing to bring their claims. Specifically, the panel held
that plaintiffs adequately alleged an invasion of a legally
protected interest that was concrete and particularized.
As to the statutory claims, the panel held that the
legislative history and statutory text demonstrated that
Congress and the California legislature intended to protect
these historical privacy rights when they passed the Wiretap
Act, SCA, and the California Invasion of Privacy Act
(âCIPAâ). In addition, plaintiffs adequately alleged that
Facebookâs tracking and collection practices would cause
harm or a material risk to their interest in controlling their
personal information. Accordingly, plaintiffs sufficiently
alleged a clear invasion of their right to privacy, and plaintiffs
had standing to pursue their privacy claims under these
statutes.
As to plaintiffsâ alleged theories of California common
law trespass to chattels and fraud, statutory larceny, and
violations of the Computer Data Access and Fraud Act, the
panel held that plaintiffs sufficiently alleged a state law
interest whose violation constituted an injury sufficient to
establish standing to bring their claims. Because California
law recognizes a legal interest in unjustly earned profits,
plaintiffs adequately pled an entitlement to Facebookâs profits
from usersâ data sufficient to confer Article III standing.
Plaintiffs also sufficiently alleged that Facebook profited
from this valuable data.
4 IN RE FACEBOOK, INC. INTERNET TRACKING LITIG.
Turning to the merits, the panel held that plaintiffs
adequately stated claims for relief for intrusion upon
seclusion and invasion of privacy under California law. First,
the panel held that in light of the privacy interests and
Facebookâs allegedly surreptitious and unseen data collection,
plaintiffs adequately alleged a reasonable expectation of
privacy to survive a Fed. R. Civ. P. 12(b)(6) motion to
dismiss. Second, plaintiffs identified sufficient facts to
survive a motion to dismiss on the ultimate question of
whether Facebookâs tracking and collection practices could
highly offend a reasonable individual.
The panel held that plaintiffs sufficiently alleged that
Facebookâs tracking and collection practices violated the
Wiretap Act and CIPA. Both statutes contain an exemption
from liability for a person who is a âpartyâ to the
communication. Noting a circuit split, the panel adopted the
First and Seventh Circuitsâ understanding that simultaneous
unknown duplication and communication of GET requests
did not exempt Facebook from liability under the party
exception. The panel concluded that Facebook was not
exempt from liability as a matter of law under the Wiretap
Act or CIPA, and did not opine whether plaintiffs adequately
pleaded the other requisite elements of the statutes.
The panel held that the district court properly dismissed
plaintiffsâ claims under the SCA, which required plaintiffs to
plead that Facebook gained unauthorized access to a
âfacilityâ where it accessed electronic communications in
âelectronic storage.â The panel agreed with the district
courtâs determination that plaintiffsâ data was not in
electronic storage. The panel concluded that plaintiffsâ
claims for relief under the SCA were insufficient.
IN RE FACEBOOK, INC. INTERNET TRACKING LITIG. 5
The panel held that the district court properly dismissed
plaintiffsâ breach of contract claim for failure to state a claim.
Plaintiffs alleged that Facebook entered into a contract with
each plaintiff consisting of the Statement of Rights and
Responsibilities, Privacy Policy, and relevant Help Center
pages. The panel held that plaintiffs failed to adequately
allege the existence of a contract that was subject to breach.
The panel also held that the district court properly dismissed
plaintiffsâ claim that Facebookâs tracking practices violated
the implied covenant of good faith and fair dealing, where the
allegations did not go beyond the asserted breach of contract
theories.
COUNSEL
David A. Straite (argued), Frederic S. Fox, and Ralph E.
Labaton, Kaplan Fox & Kilsheimer LLP, New York, New
York; Laurence D. King, Matthew George, and Mario M.
Choi, Kaplan Fox & Kilsheimer LLP, San Francisco,
California; Stephen G. Grygiel, Silverman Thompson Slutkin
White LLC, Baltimore, Maryland; for Plaintiffs-Appellants.
Lauren R. Goldman (argued) and Michael Rayfield, Mayer
Brown LLP, New York, New York; Matthew D. Brown,
Cooley LLP, San Francisco, California; for Defendant-
Appellee.
Marc Rotenberg, Alan Butler, Natasha Babazadeh, and Sam
Lester, Electronic Privacy Information Center, Washington,
D.C., for Amicus Curiae Electronic Privacy Information
Center (EPIC).
6 IN RE FACEBOOK, INC. INTERNET TRACKING LITIG.
Douglas Laycock, University of Virginia Law School,
Charlottesville, Virginia; Steven W. Perlstein, Kobre & Kim
LLP, New York, New York; Beau D. Barnes, Kobre & Kim
LLP, Washington, D.C.; for Amicus Curiae Professor
Douglas Laycock.
OPINION
THOMAS, Chief Judge:
In this appeal, we are asked to determine whether:
(1) Facebook-users Perrin Davis, Brian Lentz, Cynthia Quinn,
and Mathew Vickery (âPlaintiffsâ) have standing to allege
privacy-related claims against Facebook, and (2) Plaintiffs
adequately allege claims that Facebook is liable for common
law and statutory privacy violations when it tracked their
browsing histories after they had logged out of the Facebook
application. We have jurisdiction pursuant to 28 U.S.C.
§ 1291. We affirm in part; reverse in part; and remand for
further proceedings.
I
Facebook uses plug-ins1 to track usersâ browsing histories
when they visit third-party websites, and then compiles these
browsing histories into personal profiles which are sold to
advertisers to generate revenue. The parties do not dispute
that Facebook engaged in these tracking practices after its
users had logged out of Facebook.
1
A plug-in is a program that extends the functionality of an existing
program, such as an internet browser.
IN RE FACEBOOK, INC. INTERNET TRACKING LITIG. 7
Facebook facilitated this practice by embedding third-
party plug-ins on third-party web pages. The plug-ins, such
as Facebookâs âLikeâ button, contain bits of Facebook code.
When a user visits a page that includes these plug-ins, this
code is able to replicate and send the user data to Facebook
through a separate, but simultaneous, channel in a manner
undetectable by the user.
As relevant to this appeal, the information Facebook
allegedly collected included the websiteâs Uniform Resource
Locator (âURLâ) that was accessed by the user. URLs both
identify an internet resource and describe its location or
address. â[W]hen users enter URL addresses into their web
browser using the âhttpâ web address format, or click on
hyperlinks, they are actually telling their web browsers (the
client) which resources to request and where to find them. In
re Zynga Privacy Litig., 750 F.3d 1098, 1101 (9th Cir. 2014).
Thus, the URL provides significant information regarding the
userâs browsing history, including the identity of the
individual internet user and the web server, as well as the
name of the web page and the search terms that the user used
to find it. In technical parlance, this collected URL is called
a âreferer headerâ or âreferer.â Facebook also allegedly
collected the third-party websiteâs Internet Protocol (âIPâ)
address,2 which reveals only the owner of the website.
Facebook allegedly compiled the referer headers it
collected into personal user profiles using âcookiesââsmall
text files stored on the userâs device. When a user creates a
Facebook account, more than ten Facebook cookies are
2
An âIP addressâ is a numerical identifier for each computer or
network connected to the Internet. hiQ Labs, Inc. v. LinkedIn Corp., 938
F.3d 985, 991 n.4 (9th Cir. 2019).
8 IN RE FACEBOOK, INC. INTERNET TRACKING LITIG.
placed on the userâs browser. These cookies store the userâs
login ID, and they capture, collect, and compile the referer
headers from the web pages visited by the user. As most
relevant to this appeal, these cookies allegedly continued to
capture information after a user logged out of Facebook and
visited other websites.
Plaintiffs claim that internal Facebook communications
revealed that company executives were aware of the tracking
of logged-out users and recognized that these practices posed
various user-privacy issues. According to the Plaintiffs,
Facebook stopped tracking logged-out users only after
Australian blogger Nik Cubrilovic published a blog detailing
Facebookâs tracking practices.3
Plaintiffs filed a consolidated complaint on behalf of
themselves and a putative class of people who had active
Facebook accounts between May 27, 2010 and September 26,
2011. After the district court dismissed their first complaint
with leave to amend, Plaintiffs filed an amended complaint.
In the amended complaint, they alleged a number of claims.
The claims relevant to this appeal consist of: (1) violation of
the Wiretap Act, 18 U.S.C. § 2510, et seq.; (2) violation of
the Stored Communications Act (âSCAâ), 18 U.S.C. § 2701;
(3) violation of the California Invasion of Privacy Act
(âCIPAâ), Cal. Pen. Code §§ 631, 632; (4) invasion of
privacy; (5) intrusion upon seclusion; (6) breach of contract;
(7) breach of the duty of good faith and fair dealing; (8) civil
3
The blog post quickly gained notoriety and played a role in a lawsuit
that alleged multiple counts of deceptive trade practices brought against
Facebook by the Federal Trade Commission. In the Matter of Facebook
Inc., FTC File No. 0923184. Facebook reached a settlement with the FTC
in November 2011.
IN RE FACEBOOK, INC. INTERNET TRACKING LITIG. 9
fraud; (9) trespass to chattels; (10) violations of California
Penal Code § 502 Computer Data Access and Fraud Act
(âCDAFAâ); and (11) statutory larceny under California
Penal Code §§ 484 and 496.
The district court granted Facebookâs motion to dismiss
the amended complaint. First, the district court determined
that Plaintiffs had failed to show they had standing to pursue
claims that included economic damages as an element, thus
disposing of the claims for trespass to chattels, violations of
the CDAFA, fraud, and statutory larceny. It dismissed these
claims without leave to amend.
The district court also dismissed for failure to state a
claim, without leave to amend, Plaintiffsâ claims for
violations of the Wiretap Act, CIPA, and the SCA, as well as
their common law claims for invasion of privacy and
intrusion upon seclusion. The district court dismissed the
claims for breach of contract and the breach of the implied
covenant of good faith and fair dealing, but granted leave to
amend these claims. In response, Plaintiffs amended their
complaint as to the breach of contract and implied covenant
claims. The district court subsequently granted Facebookâs
motion to dismiss the amended claims. This timely appeal
followed.
We review de novo a district courtâs determination of
whether a party has standing. San Luis & Delta-Mendota
Water Auth. v. United States, 672 F.3d 676, 699 (9th Cir.
2012). We review de novo dismissals for failure to state a
claim under Rule 12(b)(6). Dougherty v. City of Covina,
654 F.3d 892, 897 (9th Cir. 2011).
10 IN RE FACEBOOK, INC. INTERNET TRACKING LITIG.
II
The Plaintiffs have standing to bring their claims.
âWhere standing is raised in connection with a motion to
dismiss, the court is to âaccept as true all material allegations
of the complaint, and . . . construe the complaint in favor of
the complaining party.ââ Levine v. Vilsack, 587 F.3d 986,
991 (9th Cir. 2009) (quoting Thomas v. Mundell, 572 F.3d
756, 760 (9th Cir. 2009)).
To establish standing, a â[p]laintiff must have (1) suffered
an injury in fact, (2) that is fairly traceable to the challenged
conduct of the defendant, and (3) that is likely to be redressed
by a favorable judicial decision.â Spokeo v. Robins, __ U.S.
__, 136 S. Ct. 1540, 1547 (2016). To establish an injury in
fact, a plaintiff must show that he or she suffered âan invasion
of a legally protected interestâ that is âconcrete and
particularized.â Id. at 1548 (quoting Lujan v. Defs. of
Wildlife, 504 U.S. 555, 560 (1992)). A particularized injury
is one that affects the plaintiff in a âpersonal and individual
way.â Id.; see also Dutta v. State Farm Mutual Auto. Ins.
Co., 895 F.3d 1166, 1173 (9th Cir. 2018).
A concrete injury is one that is âreal and not abstract.â
Spokeo, 136 S.Ct. at 1548 (internal quotation marks omitted).
Although an injury âmust be ârealâ and ânot abstractâ or
purely âproceduralâ . . . it need not be âtangible.ââ Dutta,
895 F.3d at 1173. Indeed, though a bare procedural violation
of a statute is insufficient to establish an injury in fact,
Congress may âelevat[e] to the status of legally cognizable
injuries concrete, de facto injuries that were previously
inadequateâ to confer standing. Spokeo, 136 S. Ct. at 1549
(quoting Lujan, 504 U.S. at 578).
IN RE FACEBOOK, INC. INTERNET TRACKING LITIG. 11
To determine whether Congress has done so, we ask
whether: (1) âCongress enacted the statute at issue to protect
a concrete interest that is akin to a historical, common law
interest[,]â and (2) the alleged procedural violation caused
real harm or a material risk of harm to these interests. Dutta,
895 F.3d at 1174.
A
The district court properly concluded that Plaintiffs had
established standing to bring claims for invasion of privacy,
intrusion upon seclusion, breach of contract, breach of the
implied covenant of good faith and fair dealing, as well as
claims under the Wiretap Act and CIPA, because they
adequately alleged privacy harms.
Plaintiffs have adequately alleged an invasion of a legally
protected interest that is concrete and particularized.
â[V]iolations of the right to privacy have long been
actionable at common law.â Patel v. Facebook, 932 F.3d
1264, 1272 (9th Cir. 2019) (quoting Eichenberger v. ESPN,
Inc., 876 F.3d 979, 983 (9th Cir. 2017)). A right to privacy
âencompass[es] the individualâs control of information
concerning his or her person.â Eichenberger, 876 F.3d at 983
(quoting U.S. Depât of Justice v. Reporters Comm. for
Freedom of the Press, 489 U.S. 749, 763 (1989)).
As to the statutory claims, the legislative history and
statutory text demonstrate that Congress and the California
legislature intended to protect these historical privacy rights
when they passed the Wiretap Act, SCA, and CIPA. See S.
REP. NO. 99-541, at 2 (1986) (â[The Wiretap Act] is the
primary law protecting the security and privacy of business
and personal communications in the United States today.â);
12 IN RE FACEBOOK, INC. INTERNET TRACKING LITIG.
Id. at 3 (â[The SCA] is modeled after the Right to Financial
Privacy Act, 12 U.S.C. § 3401 et seq. to protect privacy
interests in personal and proprietary information . . . .â); Cal.
Pen. Code § 630 (noting that CIPA was passed âto protect the
right of privacy of the people of this stateâ). Thus, these
statutory provisions codify a substantive right to privacy, the
violation of which gives rise to a concrete injury sufficient to
confer standing. See Campbell v. Facebook, Inc., âF.3dâ,
2020 WL 1023350, at *7â8 (9th Cir. Mar. 3, 2020).
Plaintiffs have adequately alleged harm to these privacy
interests. Plaintiffs alleged that Facebook continued to
collect their data after they had logged off the social media
platform, in order to receive and compile their personally
identifiable browsing history. As alleged in the complaint,
this tracking occurred âno matter how sensitiveâ or personal
usersâ browsing histories were. Facebook allegedly
constantly compiled and updated its database with its usersâ
browsing activities, including what they did when they were
not using Facebook. According to Plaintiffs, by correlating
usersâ browsing history with usersâ personal Facebook
profilesâprofiles that could include a userâs employment
history and political and religious affiliationsâFacebook
gained a cradle-to-grave profile without usersâ consent.
Here, Plaintiffs have adequately alleged that Facebookâs
tracking and collection practices would cause harm or a
material risk of harm to their interest in controlling their
personal information. As alleged, Facebookâs tracking
practices allow it to amass a great degree of personalized
information. Facebookâs user profiles would allegedly reveal
an individualâs likes, dislikes, interests, and habits over a
significant amount of time, without affording users a
IN RE FACEBOOK, INC. INTERNET TRACKING LITIG. 13
meaningful opportunity to control or prevent the unauthorized
exploration of their private lives.
â[A]dvances in technology can increase the potential for
unreasonable intrusions into personal privacy.â Patel,
932 F.3d at 1272. As the Third Circuit has noted, â[i]n an era
when millions of Americans conduct their affairs increasingly
through electronic devices, the assertion . . . that federal
courts are powerless to provide a remedy when an internet
company surreptitiously collects private data . . . is untenable.
Nothing in Spokeo or any other Supreme Court decision
suggests otherwise.â In re Google Inc. Cookie Placement
Consumer Privacy Litig., 934 F.3d 316, 325 (3rd Cir. 2019)
(âIn re Google Cookieâ).
Accordingly, Plaintiffs have sufficiently alleged a clear
invasion of the historically recognized right to privacy.
Therefore, Plaintiffs have standing to pursue their privacy
claims under the Wiretap Act, SCA, and CIPA, as well as
their claims for breach of contract and breach of the implied
covenant of good faith and fair dealing.
B
Plaintiffs also alleged theories of California common law
trespass to chattels and fraud, statutory larceny, and
violations of the CDAFA. The district court dismissed these
claims for lack of standing, concluding that the Plaintiffs
failed to demonstrate that they had suffered the economic
14 IN RE FACEBOOK, INC. INTERNET TRACKING LITIG.
injury the district court viewed as necessary to bring each of
these claims.4 We respectfully disagree.
Plaintiffs allege that Facebook is unjustly enriched
through the use of their data. Facebook argues that unjust
enrichment is not sufficient to confer standing, and that
Plaintiffs must instead demonstrate that they either planned
to sell their data, or that their data was made less valuable
through Facebookâs use. They similarly assert that Plaintiffsâ
entitlement to damages does not constitute an injury for
purposes of standing.
However, âstate law can create interests that support
standing in federal courts.â Cantrell v. City of Long Beach,
241 F.3d 674, 684 (9th Cir. 2001). As relevant here,
California law recognizes a right to disgorgement of profits
resulting from unjust enrichment, even where an individual
has not suffered a corresponding loss. See Cty. of San
Bernardino v. Walsh, 158 Cal. App. 4th 533, 542 (2007)
(noting that where âa benefit has been received by the
defendant but the plaintiff has not suffered a corresponding
loss, or in some cases, any loss, but nevertheless the
enrichment of the defendant would be unjust . . . [t]he
defendant may be under a duty to give to the plaintiff the
4
To prevail on a claim for trespass to chattels, Plaintiffs must
demonstrate that some actual injury may have occurred and that the owner
of the property at issue may only recover the actual damages suffered as
a result of the defendantâs actions. Intel Corp. v. Hamidi, 30 Cal. 4th
1342, 1351â52 (2003). Fraud similarly requires damages, Beckwith v.
Dahl, 205 Cal. App. 4th 1039, 1064 (2012), as does a violation of the
CDAFA, Mintz v. Mark Bartelstein & Assocs., 906 F. Supp. 2d 1017,
1032 (C.D. Cal. 2012) (noting that â[u]nder the plain language of the
statute[,]â damages must be established). Damages is an inherent element
of larceny.
IN RE FACEBOOK, INC. INTERNET TRACKING LITIG. 15
amount by which [the defendant] has been enrichedâ (quoting
Rest., Restitution, § 1, com. e)); see also Ghirardo v.
Antonioli, 14 Cal. 4th 39, 51 (1996) (âUnder the law of
restitution, an individual may be required to make restitution
if he is unjustly enriched at the expense of another.â).
In other words, California law requires disgorgement of
unjustly earned profits regardless of whether a defendantâs
actions caused a plaintiff to directly expend his or her own
financial resources or whether a defendantâs actions directly
caused the plaintiffâs property to become less valuable. See,
e.g., CTC Real Estate Servs. v. Lepe, 140 Cal. App. 4th 856,
860â61 (2006) (holding that a woman whose identity was
stolen and used to obtain later-foreclosed-upon property was
entitled to surplus funds from the sale at auction because âshe
was entitled to the product of identity theftâ); Ward v.
Taggert, 51 Cal. 2d 736, 742â43 (1959) (holding that
plaintiffs could recover profits unjustly realized by a real
estate agent who misrepresented the purchase price of real
estate, even though the plaintiffs did not pay more than the
land was worth when they purchased it); cf. Walsh, 158 Cal.
App. 4th at 542â43 (holding that the district court did not err
where it solely relied on profit to the defendants rather than
loss to the plaintiffs to calculate damages).
âThe âgist of the question of standingâ is whether the
plaintiff has a sufficiently âpersonal stake in the outcome of
the controversy.ââ Washington v. Trump, 847 F.3d 1151,
1159 (9th Cir. 2017) (quoting Massachusetts v. EPA,
549 U.S. 497, 517 (2007)). Because California law
recognizes that individuals maintain an entitlement to
unjustly earned profits, to establish standing, Plaintiffs must
allege they retain a stake in the profits garnered from their
personal browsing histories because âthe circumstances are
16 IN RE FACEBOOK, INC. INTERNET TRACKING LITIG.
such that, as between the two [parties], it is unjust for
[Facebook] to retain it.â McBride v. Boughton, 123 Cal. App.
4th 379, 389 (2004) (emphasis in original) (quoting First
Nationwide Savings v. Perry, 11 Cal. App. 4th 1657, 1662
(1992)). Under California law, this stake in unjustly earned
profits exists regardless of whether an individual planned to
sell his or her data or whether the individualâs data is made
less valuable.
Because California law recognizes a legal interest in
unjustly earned profits, Plaintiffs have adequately pleaded an
entitlement to Facebookâs profits from usersâ personal data
sufficient to confer Article III standing. Plaintiffs allege that
their browsing histories carry financial value. They point to
the existence of a study that values usersâ browsing histories
at $52 per year, as well as research panels that pay
participants for access to their browsing histories.
Plaintiffs also sufficiently allege that Facebook profited
from this valuable data. According to the complaint,
Facebook sold user data to advertisers in order to generate
revenue. Indeed, as alleged, Facebookâs ad sales constituted
over 90% of the social media platformâs revenue during the
relevant period of logged-out user tracking.
Plaintiffsâ allegations are sufficient at the pleading stage
to demonstrate that these profits were unjustly earned. As
stated in the complaint, âdespite Facebookâs false guarantee
to the contrary,â the platform âcharges users by acquiring the
usersâ sensitive and valuable personal informationâ and
selling it to advertisers for a profit. Plaintiffs allegedly did
not provide authorization for the use of their personal
information, nor did they have any control over its use to
IN RE FACEBOOK, INC. INTERNET TRACKING LITIG. 17
produce revenue. This unauthorized use of their information
for profit would entitle Plaintiffs to profits unjustly earned.
Thus, Plaintiffs sufficiently alleged a state law interest
whose violation constitutes an injury sufficient to establish
standing to bring their claims for CDAFA violations and
California common law trespass to chattels, fraud, and
statutory larceny.
III
Plaintiffs adequately stated claims for relief for invasion
of privacy, intrusion upon seclusion, breach of contract,
breach of the implied covenant of good faith and fair dealing,
as well as their claims under the Wiretap Act and CIPA. In
order to survive a motion to dismiss under Federal Rule of
Civil Procedure 12(b)(6), the facts alleged must âplausibly
give rise to an entitlement to relief.â Dougherty, 654 F.3d
at 897 (quoting Ashcroft v. Iqbal, 556 U.S. 662, 679 (2009)).
At the pleading stage, all allegations of material fact are taken
as true and construed in the light most favorable to the non-
moving party. Id.
A
Plaintiffs adequately stated claims for relief for intrusion
upon seclusion and invasion of privacy under California law.
To state a claim for intrusion upon seclusion under California
common law, a plaintiff must plead that (1) a defendant
âintentionally intrude[d] into a place, conversation, or matter
as to which the plaintiff has a reasonable expectation of
privacy[,]â and (2) the intrusion âoccur[red] in a manner
highly offensive to a reasonable person.â Hernandez v.
Hillsides, Inc., 47 Cal. 4th 272, 286 (2009).
18 IN RE FACEBOOK, INC. INTERNET TRACKING LITIG.
A claim for invasion of privacy under the California
Constitution involves similar elements. Plaintiffs must show
that (1) they possess a legally protected privacy interest,
(2) they maintain a reasonable expectation of privacy, and (3)
the intrusion is âso serious . . . as to constitute an egregious
breach of the social normsâ such that the breach is âhighly
offensive.â Id. at 287.
Because of the similarity of the tests, courts consider the
claims together and ask whether: (1) there exists a reasonable
expectation of privacy, and (2) the intrusion was highly
offensive. Id. We address both in turn.
1
The existence of a reasonable expectation of privacy,
given the circumstances of each case, is a mixed question of
law and fact. Hill v. NCAA, 7 Cal. 4th 1, 40 (1994).
â[M]ixed questions of fact and law are reviewed de novo,
unless the mixed question is primarily factual.â N.B. v.
Hellgate Elem. Sch. Dist., ex rel. Bd. of Dirs., Missoula Cty.,
Mont., 541 F.3d 1202, 1207 (9th Cir. 2008). Here, because
we are reviewing the district courtâs legal conclusions, we
review de novo.
We first consider whether a defendant gained âunwanted
access to data by electronic or other covert means, in
violation of the law or social norms.â Hernandez, 47 Cal.
4th at 286 (internal quotation marks omitted). To make this
determination, courts consider a variety of factors, including
the customs, practices, and circumstances surrounding a
defendantâs particular activities. Hill, 7 Cal. 4th at 36.
IN RE FACEBOOK, INC. INTERNET TRACKING LITIG. 19
Thus, the relevant question here is whether a user would
reasonably expect that Facebook would have access to the
userâs individual data after the user logged out of the
application. Facebookâs privacy disclosures at the time
allegedly failed to acknowledge its tracking of logged-out
users, suggesting that usersâ information would not be
tracked.
The applicable Facebook Statement of Rights and
Responsibilities (âSRRâ) stated:
Your privacy is very important to us. We
designed our Privacy Policy to make
important disclosures about how you can use
Facebook to share with others and how we
collect and can use your content and
information. We encourage you to read the
Privacy Policy, and to use it to make informed
decisions.
SRR, dated April 26, 2011.
Facebookâs applicable Data Use Policy,5 in turn, stated:
We receive data whenever you visit a game,
application, or website that uses [Facebookâs
services]. This may include the date and time
you visit the site; the web address, or URL,
youâre on; technical information about the IP
address, browser and the operating system
5
This policy was originally titled âPrivacy Policy.â During the class
period, its title was changed to âData Use Policy.â
20 IN RE FACEBOOK, INC. INTERNET TRACKING LITIG.
you use; and, if you are logged in to
Facebook, your user ID.
Data Use Policy, dated September 7, 2011 (emphasis added).
Finally, Facebookâs âHelp Centerâ at the time included
answers to questions related to data tracking. Most
relevantly, one answer from a Help Center page at the time
answered the question â[w]hat information does Facebook
receive about me when I visit a website with a Facebook
social plug in?â6 The Help Center page first stated that
Facebook collected the date and time of the visit, the referer
URL, and other technical information. It continued, â[i]f you
are logged into Facebook, we also see your user ID number
and email address. . . . If you log out of Facebook, we will
not receive this information about partner websites but you
will also not see personalized experiences on these sites.â
Plaintiffs have plausibly alleged that an individual reading
Facebookâs promise to âmake important privacy disclosuresâ
could have reasonably concluded that the basics of
Facebookâs trackingâwhen, why, and how it tracks user
informationâwould be provided. Plaintiffs have plausibly
alleged that, upon reading Facebookâs statements in the
applicable Data Use Policy, a user might assume that only
logged-in user data would be collected. Plaintiffs have
alleged that the applicable Help Center page affirmatively
stated that logged-out user data would not be collected. Thus,
Plaintiffs have plausibly alleged that Facebook set an
6
Facebook disputes that some of the Help Center pages Plaintiffs
attached to their complaint were dated during the class period. It does not
dispute, however, that this particular Help Center page fell within the class
period.
IN RE FACEBOOK, INC. INTERNET TRACKING LITIG. 21
expectation that logged-out user data would not be collected,
but then collected it anyway.
In addition, the amount of data allegedly collected was
significant. Plaintiffs allege that â[n]o matter how sensitive
the website, the referral URL is acquired by Facebook along
with the cookies that precisely identify the [logged-out] userâ
and that Facebook acquires an âenormous amount of
individualized dataâ through its use of cookies on the
countless websites that incorporate Facebook plug-ins. That
this amount of information can be easily collected without
user knowledge is similarly significant. Plaintiffs have
plausibly alleged that Facebook did not disclose that the
cookies would continue to track usersâ browsing history after
they log out of the platform. Nor did it disclose the extent of
information collected.
In light of the privacy interests and Facebookâs allegedly
surreptitious and unseen data collection, Plaintiffs have
adequately alleged a reasonable expectation of privacy. Case
law supports this determination. In In re Google
Cookieâwhere the Third Circuit similarly interpreted
California Lawâthe court held that users maintained a
reasonable expectation of privacy in their browsing histories
when Google tracked URLs after the users denied consent for
such tracking. 806 F.3d at 129, 151; see also In re
Nickelodeon Cons. Priv. Litig., 827 F.3d 262, 293â94 (3d Cir.
2016) (âIn re Nickelodeonâ) (holding, under analogous New
Jersey law, that a reasonable expectation of privacy existed
when Nickelodeon promised users that it would not collect
information from website users, but then did). That users in
those cases explicitly denied consent does not render those
cases distinguishable from the instant case, given Facebookâs
affirmative statements that it would not receive information
22 IN RE FACEBOOK, INC. INTERNET TRACKING LITIG.
from third-party websites after users had logged out. Indeed,
in those cases, the critical fact was that the online entity
represented to the plaintiffs that their information would not
be collected, but then proceeded to collect it anyway.
The nature of the allegedly collected data is also
important. Plaintiffs allege that Facebook obtained a
comprehensive browsing history of an individual, no matter
how sensitive the websites visited, and then correlated that
history with the time of day and other user actions on the
websites visited. This process, according to Plaintiffs,
resulted in Facebookâs acquiring âan enormous amount of
individualized dataâ to compile a âvast repository of personal
data.â
Facebook argues that Plaintiffs need to identify specific,
sensitive information that Facebook collected, and that their
more general allegation that Facebook acquired âan enormous
amount of individualized dataâ is insufficient. However, both
the nature of collection and the sensitivity of the collected
information are important. The question is not necessarily
whether Plaintiffs maintained a reasonable expectation of
privacy in the information in and of itself. Rather, we must
examine whether the data itself is sensitive and whether the
manner it was collectedâafter users had logged
outâviolates social norms.
When we consider the sensitivity of that data, moreover,
we conclude there remain material questions of fact as to
whether a reasonable individual would find the information
collected from the seven million websites that employ
Facebook plug-ins âsensitive and confidential.â Hill, 7 Cal.
4th at 35. âTechnological advances[,]â such as Facebookâs
use of cookies to track and compile internet browsing
IN RE FACEBOOK, INC. INTERNET TRACKING LITIG. 23
histories, âprovide âaccess to a category of information
otherwise unknowableâ and âimplicate privacy concernsâ in
a manner different from traditional intrusions as a âride on
horsebackâ is different from âa flight to the moon.ââ Patel,
932 F.3d at 1273 (quoting Riley v. California, 573 U.S. 373,
393 (2014)). Thus, viewing the allegations in the light most
favorable to Plaintiffs, as we must at this stage, the
allegations that Facebook allegedly compiled highly
personalized profiles from sensitive browsing histories and
habits prevent us from concluding that the Plaintiffs have no
reasonable expectation of privacy.7
7
Analogous cases decided in the Fourth Amendment context support
a conclusion that the breadth of information allegedly collected would
violate community norms. These cases hold that individuals have a
reasonable expectation of privacy in collections of information that reveal
âfamiliar, political, professional, religious, and sexual associations.â See
Carpenter v. United States, 138 S. Ct. 2206, 2217 (2018) (holding that
individuals have a reasonable expectation of privacy in long-term location
tracking data under the Fourth Amendment because it reveals all-
encompassing information); Riley, 573 U.S. at 397â99 (holding that
individuals have a reasonable expectation of privacy in the contents of
their cell phones under the Fourth Amendment due to the large amount of
personal data stored therein); United States v. Forrester, 512 F.3d 500,
510 n.6 (9th Cir. 2008) (noting that, in a Fourth Amendment search
context, URLs may be particularly sensitive because they âidentif[y] the
particular document within a website that a person views and thus reveals
much more information about the personâs Internet activityâ). We
acknowledge that the Fourth Amendment imposes higher standards on the
government than those on private, civil litigants. Carpenter, 138 S. Ct.
at 2213â14. But we have nonetheless found analogies to Fourth
Amendment cases applicable when deciding issues of privacy related to
technology. See Patel, 932 F.3d at 1272â73. And, viewed broadly, these
cases stand for the proposition that individuals maintain the expectation
that entities will not be able to collect such broad swaths of personal
information absent consent.
24 IN RE FACEBOOK, INC. INTERNET TRACKING LITIG.
Contrary to Facebookâs arguments, this case can also be
distinguished from Forrester and Zynga as it relates to an
analysis of a reasonable expectation of privacy. Forrester,
512 F.3d 500; Zynga, 750 F.3d 1098. In Forrester, we
considered whether the individuals had a reasonable
expectation of privacy in âthe to/from addresses of their
messages or the IP addresses of the websites they visit.â
512 F.3d at 510. Concluding that users did not maintain a
reasonable expectation of privacy in such information, we
determined that users âshould know that this information is
provided to and used by Internet service providers for the
specific purposes of directing the routing information.â Id.
But, in a footnote, we went on to distinguish the IP addresses
collected in Forrester from the collection of URLs, which we
stated âmight be more constitutionally problematic,â
explaining that, â[a] URL, unlike an IP address, identifies the
particular document within a website that a person views and
thus reveals much more information about the personâs
Internet activity.â Id. at n.6.
In Zynga, the plaintiffs relied on this footnote to argue
that they maintained a reasonable expectation of privacy in
the URLs of gaming websites collected without their
knowledge and disclosed to third parties by Zynga (a gaming
platform) and Facebook. 750 F.3d at 1108â09. The Zynga
plaintiffs alleged that users would log in to their Facebook
account and âthen click on the Zynga game icon within the
Facebook interface.â Id. at 1102. Facebook and Zynga
would then collect a referer header containing the URL for
the Zynga game, after which the Zynga server would load the
game in a small frame embedded on the Facebook website.
Id. According to the Zynga plaintiffs, âZynga programmed
its gaming applications to collect the information provided in
the referer header, and then transmit this information to
IN RE FACEBOOK, INC. INTERNET TRACKING LITIG. 25
advertisers and other third parties.â Id. This information
included âthe userâs Facebook ID and the address of the
Facebook webpage the user was viewing when the user
clicked the link.â Id. at 1102.
In Zynga, we concluded that the collected information
was not problematic because it differed from the URLs
containing sensitive information alluded to in Forresterâs
footnote. We determined that â[i]nformation about the
address of the Facebook webpage the user was viewing is
distinguishable from the sort of communication involving a
search engine discussed in Forrester.â Id. at 1108. We then
continued to say that âa Google search URL not only shows
that a user is using the Google search engine, but also shows
the specific search terms the user had communicated to
Google.â Id. We continued, âthe referer header information
at issue here includes only basic identification and address
information, not a search term or similar communication
made by the user.â Id. at 1108â09.
Here, Plaintiffs allege that Facebook collects a full-string
detailed URL, which contains the name of a website, folder
and sub-folders on the web-server, and the name of the
precise file requested. Their complaint notes that a user
might type a search term into Googleâs search engine, which
would return a link to an article relevant to the search term.
According to Plaintiffs, when the user clicks the link, a
communication is created that contains a âGET request and
the full-string detailed URL.â They allege that Facebook
collected this communication, including the âfull referral
URL (including the exact subpage of the precise items being
purchased)â and that Facebook then âcorrelates that URL
with the user ID, time stamp, browser settings and even the
type of browser used.â
26 IN RE FACEBOOK, INC. INTERNET TRACKING LITIG.
In sum, Plaintiffs allege that a Google search could
generate links that include full-string, detailed URLs that
Facebook then collected. Thus, they have sufficiently alleged
that the collected URLs in this case are distinct from IP
addresses collected in Forrester, as well as the URLs
collected in Zynga. The URLs, by virtue of including âthe
particular document within a website that a person viewsâ
reveal âmuch more informationâ than the IP addresses
collected in Forrester. 512 F.3d at 510 n.6. Unlike the URLs
in Zynga, which revealed only that a Facebook user had
clicked on a link to a gaming website, Plaintiffs allege that
the URLs in the instant case could emanate from search terms
inputted into a third-party search engine. These terms and the
resulting URLs could divulge a userâs personal interests,
queries, and habits on third-party websites operating outside
of Facebookâs platform.
Moreover, the users in Zynga clicked on links to the
gaming websites after they had logged into their Facebook
user accounts. Zynga, 750 F.3d at 1102. Then, the linked
material appeared within the Facebook interface. Id. Here,
in contrast, Plaintiffs allege that users were not logged in to
the website, making it impossible for the linked material to be
viewed within Facebookâs interface.
The fact that users could have taken additional measures
to prevent cookies from tracking their browsing, as Facebook
asserts, is not relevant at the pleading stage. This is a fact-
based defense to be developed and asserted at a later stage of
the litigation. And Plaintiffs have alleged that these
protections would not have done any good, even if users had
employed them. Specifically, they allege that Facebook
would âhack its way past data protection softwareâ to
âbypass[] security settings for the purpose of gathering
IN RE FACEBOOK, INC. INTERNET TRACKING LITIG. 27
intelligenceâ on the usersâ real-time searches, and similarly,
with respect to a subclass of individuals who used the Internet
Explorer browser, that Facebook fraudulently maintained that
it employed a protocol that would result in its tracking being
automatically blocked by the browser. These issues cannot
be resolved at the pleading stage.
In sum, Plaintiffs have sufficiently pleaded a reasonable
expectation of privacy to survive a Rule 12(b)(6) motion to
dismiss.
2
However, in order to maintain a California common law
privacy action, â[p]laintiffs must show more than an
intrusion upon reasonable privacy expectations. Actionable
invasions of privacy also must be âhighly offensiveâ to a
reasonable person, and âsufficiently seriousâ and unwarranted
so as to constitute an âegregious breach of the social norms.ââ
Hernandez, 47 Cal. 4th at 295. Determining whether a
defendantâs actions were âhighly offensive to a reasonable
personâ requires a holistic consideration of factors such as the
likelihood of serious harm to the victim, the degree and
setting of the intrusion, the intruderâs motives and objectives,
and whether countervailing interests or social norms render
the intrusion inoffensive. Id. at 287; see also Hill, 7 Cal. 4th
at 25â26. While analysis of a reasonable expectation of
privacy primarily focuses on the nature of the intrusion, the
highly offensive analysis focuses on the degree to which the
intrusion is unacceptable as a matter of public policy.
Hernandez, 47 Cal. 4th at 287 (noting that highly offensive
analysis âessentially involves a âpolicyâ determination as to
whether the alleged intrusion is highly offensive under the
particular circumstancesâ).
28 IN RE FACEBOOK, INC. INTERNET TRACKING LITIG.
The ultimate question of whether Facebookâs tracking and
collection practices could highly offend a reasonable
individual is an issue that cannot be resolved at the pleading
stage. Plaintiffs have identified sufficient facts to survive a
motion to dismiss. Plaintiffsâ allegations of surreptitious data
collection when individuals were not using Facebook are
sufficient to survive a dismissal motion on the issue. Indeed,
Plaintiffs have alleged that internal Facebook
communications reveal that the companyâs own officials
recognized these practices as a problematic privacy issue.
In sum, Plaintiffs have sufficiently pleaded the
âreasonable expectation of privacyâ and âhighly offensiveâ
elements necessary to state a claim for intrusion upon
seclusion and invasion of privacy to survive a 12(b)(6)
motion to dismiss.8
B
Plaintiffs also have sufficiently alleged that Facebookâs
tracking and collection practices violated the Wiretap Act and
CIPA.
8
The non-precedential cases cited by Facebook do not compel the
opposite conclusion. For instance, in In re Google, Inc. Privacy Policy
Litig., the Northern District of California found no highly offensive
conduct when Plaintiffs alleged that Google surreptitiously tracked their
browsing data while using Googleâs services. 58 F. Supp. 3d 968, 987â88
(N.D. Cal. 2014). Here, on the other hand, Plaintiffs had logged out and
were not using Facebook when Facebook tracked them. The same is true
in Low v. LinkedIn Corp., 900 F. Supp. 2d 1010, 1016â18 (N.D. Cal.
2012) and In re iPhone App. Litig., 844 F. Supp. 2d 1040, 1049â50 (N.D.
Cal. 2012). In those cases, there were likewise no allegations that the
defendants tracked the plaintiffs after the plaintiffs stopped using the
defendantâs services.
IN RE FACEBOOK, INC. INTERNET TRACKING LITIG. 29
1
The Wiretap Act prohibits the unauthorized âinterceptionâ
of an âelectronic communication.â 18 U.S.C.
§ 2511(1)(a)â(e). Similarly, CIPA prohibits any person from
using electronic means to âlearn the contents or meaningâ of
any âcommunicationâ âwithout consentâ or in an
âunauthorized manner.â Cal. Pen. Code § 631(a). Both
statutes contain an exemption from liability for a person who
is a âpartyâ to the communication, whether acting under the
color of law or not. 18 U.S.C. § 2511(2)(c), (d); see Warden
v. Kahn, 160 Cal. Rptr. 471, 475 (1979) (â[S]ection 631 . . .
has been held to apply only to eavesdropping by a third party
and not to recording by a participant to a conversation.â).
Courts perform the same analysis for both the Wiretap Act
and CIPA regarding the party exemption. See, e.g., In re
Google Cookie, 806 F.3d at 152 (holding that CIPA claims
could be dismissed because the parties were exempted from
liability under the Wiretap Actâs party exception).
The party exception must be considered in the technical
context of this case. When an individual internet user visits a
web page, his or her browser sends a message called a âGET
requestâ to the web pageâs server. The GET request serves
two purposes: it first tells the website what information is
being requested and then instructs the website to send the
information back to the user. The GET request also transmits
a referer header containing the personally-identifiable URL
information. Typically, this communication occurs only
between the userâs web browser and the third-party website.
On websites with Facebook plug-ins, however, Facebookâs
code directs the userâs browser to copy the referer header
from the GET request and then send a separate but identical
GET request and its associated referer header to Facebookâs
30 IN RE FACEBOOK, INC. INTERNET TRACKING LITIG.
server. It is through this duplication and collection of GET
requests that Facebook compiles usersâ browsing histories.
The Wiretap Act does not define the term âpartyâ in its
liability exemption, and the other circuit courts that have
considered the Actâs scope have interpreted the term in
different ways. The First and Seventh Circuits have
implicitly assumed that entities that surreptitiously duplicate
transmissions between two parties are not parties to
communications within the meaning of the Act. In In re
Pharmatrak, Inc. Privacy Litig., the First Circuit considered
whether the defendant could face liability under the Wiretap
Act when it employed software that âautomatically duplicated
part of the communication between a user and a [third-party
website] and sent this information to [the defendant].â 329
F.3d 9, 22 (1st Cir. 2003). The First Circuit rejected the
defendantâs argument that âthere was no interception because
âthere were always two separate communications: one
between the Web user and the [third-party website], and the
other between the Web user and [the defendant].ââ Id.
Noting that the defendant âacquired the same URL . . .
exchanged as a part of the communication between the [third-
party website] and the user,â it determined that the
defendantâs acquisition constituted an interception and could
still render it liable. Id.
In United States v. Szymuszkiewicz, the Seventh Circuit
reached a similar conclusion. 622 F.3d 701 (7th Cir. 2010).
In that case, the Seventh Circuit considered whether a
defendant violated the Wiretap Act when he employed a
software that instructed his employerâs email to duplicate and
forward all emails the employer received to the defendantâs
own inbox. Id. at 703. The court determined that, because
the copies were sent contemporaneously with the original
IN RE FACEBOOK, INC. INTERNET TRACKING LITIG. 31
emails, the defendant had intercepted the communications
and could be held liable. Id. at 706.
However, the Third Circuit has held to the contrary. In In
re Google Cookie, the court considered whether internet
advertising companies were parties to a communication when
they placed cookie blockers on web-usersâ browsers to
facilitate online advertisements. 806 F.3d at 143. As in the
instant case, the users sent GET requests to third-party
websites and upon receipt, the website would duplicate the
GET request and send it to the defendants. Id. at 140. The
Third Circuit concluded that the defendants were âthe
intended recipientsâ of the duplicated GET requests, and thus
âwere parties to the transmissions at issue.â Id. at 143; see
also In re Nickelodeon, 827 F.3d at 275â76 (citing In re
Google Cookie for the same).9
We adopt the First and Seventh Circuitsâ understanding
that simultaneous, unknown duplication and communication
of GET requests do not exempt a defendant from liability
under the party exception. As we have previously held, the
âparamount objective of the [Electronic Communications
Privacy Act, which amended the Wiretap Act] is to protect
effectively the privacy of communications.â Joffe v. Google,
746 F.3d 920, 931 (9th Cir. 2013). We also recognize that the
Wiretap Actâs legislative history evidences Congressâs intent
to prevent the acquisition of the contents of a message by an
9
In Konop v. Hawaiian Airlines, Inc., we adopted a definition of
âinterceptâ that encompassed both an âacquisition contemporaneous with
transmissionâ and an act requiring a party to âstop, seize, or interrupt in
progress or course before arrival.â 302 F.3d 868, 878 (9th Cir. 2002). In
that case, however, we considered whether items viewed on a private
website were intercepted, in violation of the Wiretap Act, not plug-ins that
duplicated and sent GET requests, as we consider here.
32 IN RE FACEBOOK, INC. INTERNET TRACKING LITIG.
unauthorized third-party or âan unseen auditor.â See S. REP.
NO. 90-1097, reprinted in 1986 U.S.C.C.A.N. 2112, 2154,
2182. Permitting an entity to engage in the unauthorized
duplication and forwarding of unknowing usersâ information
would render permissible the most common methods of
intrusion, allowing the exception to swallow the rule.
Therefore, we conclude that Facebook is not exempt from
liability as a matter of law under the Wiretap Act or CIPA as
a party to the communication. We do not opine whether the
Plaintiffs adequately pleaded the other requisite elements of
the statutes, as those issues are not presented on appeal.
C
The district court properly dismissed Plaintiffsâ SCA
claims. The SCA requires Plaintiffs to plead that Facebook
(1) gained unauthorized access to a âfacilityâ where it
(2) accessed an electronic communication in âelectronic
storage.â 18 U.S.C. § 2701(a).
Electronic storage is defined as either the âtemporary,
intermediate storage of a wire or electronic communication
incidental to the electronic transmission thereofâ and âany
storage of such communication by an electronic
communication service for purposes of backup protection of
such communication.â 18 U.S.C. § 2510(17).
Plaintiffs allege that â[w]eb-browsers store a copy of the
Plaintiffsâ URL requests in the toolbar while the user remains
present at a particular webpage,â and that this storage is
incidental to the electronic communication because once âthe
user hits the Enter button or clicks on a link, the
communication is in the process of being sent and received
IN RE FACEBOOK, INC. INTERNET TRACKING LITIG. 33
between the user and the first-party website.â Plaintiffs
similarly assert that their browsing historyâa record of
previously viewed websitesâserves purposes of âbackup
protectionâ of such communications. In short, Plaintiffs
allege that the URL is in âelectronic storageâ in the toolbar
during the split-second that it takes to complete a search. In
Plaintiffsâ view, because Facebook duplicates the URL and
sends it to its servers during that split second, it accesses the
URL while it is in this âelectronic storage.â
The district court considered the GET requests that
Facebook duplicated and forwarded to its servers as wholly
separate from the copy of the URL displayed in the search
toolbar. Because the copy in the toolbar was not stored
âincident to transmissionâ but was only present for the userâs
convenience, the district court determined that the Plaintiffsâ
data was not in electronic storage.
We agree. The communications in questionâthe GET
requests themselvesâare not the communications stored in
the userâs toolbar. Rather, the GET requests are sent directly
between the user and the third-party website. The text
displayed in the toolbar serves only as a visual indicationâa
means of informing the userâof the location of their
browser. Thus, the URLâs appearance in the toolbar is not
âincidentalâ to the transmission of the URL or GET request.
What is more, Plaintiffsâ interpretation of the SCA would
stretch its application beyond its limits. True, the SCAâs
legislative history suggests that Congress intended the term
âelectronic storageâ to be broadly construed, and not limited
to âparticular mediums, forms, or locations.â Hately v. Watts,
917 F.3d 770, 786 (4th Cir. 2019) (citing H.R. REP., NO. 99-
647, at 39 (1986)). Nonetheless, the text and legislative
34 IN RE FACEBOOK, INC. INTERNET TRACKING LITIG.
history of the SCA demonstrate that its 1986 enactment was
driven by congressional desire to protect third-party entities
that stored information on behalf of users. See id. at 782
(noting that the SCA was enacted to protect against illicit
access to stored communications in âremote computing
operations and large data banks that stored emailsâ). Since
then, the SCA has typically only been found to apply in cases
involving a centralized data-management entity; for instance,
to protect servers that stored emails for significant periods of
time between their being sent and their recipientsâ reading
them. See id. at 798 (considering whether a web-based email
service âstoredâ emails); Theofel v. Farey-Jones, 359 F.3d
1066, 1072 (9th Cir. 2004) (considering whether emails
stored by an internet service provider fell under the statuteâs
purview). Here, the allegations, even construed in the light
most favorable to Plaintiffs, do not show that the
communications were even in âstorage,â much less that the
alleged âstorageâ within a URL toolbar falls within the
SCAâs intended scope.
Plaintiffs alternatively argue that their browsing histories
are stored for âpurposes of back-upâ and thus satisfy the
SCAâs electronic storage definition. Plaintiffs note that, in
Theofel, we held that a copy of information stored on a userâs
computer âin the event that the user needs to download it
againâ constituted storage for backup purposes. 359 F.3d
at 1075. In this case, however, the browsing histories are not
composed of the actual communications sent between the
individualsârather, the browsing histories are merely a
record of URLs visited. Thus, Plaintiffsâ claims for relief
IN RE FACEBOOK, INC. INTERNET TRACKING LITIG. 35
under the SCA are insufficient, and the district court correctly
dismissed them.10
D
The district court also properly held that the Plaintiffs
have not stated a breach of contract claim. In order to
establish a contract breach, Plaintiffs must allege: (1) the
existence of a contract with Facebook, (2) their performance
under that contract, (3) Facebook breached that contract, and
(4) they suffered damages. Oasis West Realty, LLC v.
Goldman, 51 Cal. 4th 811, 821 (2011).
Plaintiffs allege that Facebook entered into a contract with
each Plaintiff consisting of the SRR, Privacy Policy, and
relevant Help Center pages. The parties agree that the SRR
constitutes a contract. In their third amended complaint,
Plaintiffs attached the SRR that was last revised April 26,
2011. This document states â[y]our privacy is very important
to usâ and â[w]e encourage you to read the Privacy Policy,
and to use it to help make informed decisions.â But this
document does not contain an explicit promise not to track
logged-out users. For that allegation, Plaintiffs instead rely
on language from the Data Use Policy and the Help Center
pages.
To properly incorporate another document, the document
âneed not recite that it incorporates another document, so
long as it guide[s] the reader to the incorporated document.â
10
Because we hold that the URLs are not in electronic storage, we
need not decide whether Plaintiffs sufficiently allege that their personal
computers, web browsers, and browser managed files are âfacilities,â
through which electronic communications service providers operate.
36 IN RE FACEBOOK, INC. INTERNET TRACKING LITIG.
Shaw v. Regents of the Univ. of Cal., 58 Cal. App. 4th 44, 54
(1997) (internal quotations and citations omitted). During the
class period, Facebook changed the title of its âPrivacy
Policyâ to âData Use Policyâ and made adjustments to its
content. Although the relevant SRR directs readers to the
Privacy Policy, Plaintiffs rely on the latest version of this
document, titled âData Use Policy,â last revised September 7,
2011. The attached SRR does not reference a Data Use
Policy and thus, it does not guide the reader to the
incorporated document on which Plaintiffs rely. As such, as
a matter of law, any promise not to track logged-out users
therein was not incorporated.
On appeal, Plaintiffs argue that the Data Use Policy
constitutes an additional agreement separate from the SRR.
Plaintiffs support this allegation with text from the September
2011 Data Use Policy, which states that, were Facebook to
transfer ownership, the new owner would âstill have to honor
the commitments we have made in this privacy policy,â and
the December 2010 Privacy Policy, which states â[b]y using
or accessing Facebook, you agree to our privacy practices
outlined here.â
First, the December 2010 Privacy Policy does not contain
any agreement that Facebook would not track logged-out user
data.11 Second, and more generally, the Privacy and Data Use
Policies do not outline shared commitments to which users
must abide. For a contract to exist, there must be an
11
The December 2010 Privacy Policy states: âIf you log out of
Facebook before visiting a pre-approved application or website, it will not
be able to access your information.â This statement merely provides that
the third-party websites will not receive a userâs information. It does not
make any promises regarding Facebookâs receipt of data.
IN RE FACEBOOK, INC. INTERNET TRACKING LITIG. 37
exchange for a promise. Steiner v. Thexton, 48 Cal. 4th 411,
421 (2010). The 2011 Data Use Policy does not contain any
exchange. To illustrate, while the SRR outlines commitments
to which both Facebook and users agree (for example, users
agree not to âsend or otherwise post unauthorized commercial
communicationsâ on Facebook, while Facebook promises to
âprovide . . . tools to help you protect your property rightsâ),
the 2011 Data Use Policy merely provides informationânot
commitmentsâregarding Facebookâs use of information and
how users can control that information (for example, it states
that â[y]our information is the information thatâs required
when you sign up for the siteâ). Plaintiffsâ reliance on one
use of the term âcommitmentâ within this document cannot
overcome the fact that the document does not require the user
to make any commitment. Thus, the Data Use Policy does
not constitute a separate contract. Because Plaintiffs have
failed to allege adequately the existence of a contract that was
subject to breach, we affirm the district courtâs dismissal of
their breach of contract claim.
Plaintiffs also alleged that Facebookâs tracking practices
violated the implied covenant of good faith and fair dealing.
However, as pleaded, the allegations did not go beyond the
breach of contract theories asserted by Plaintiffs and were
thus properly dismissed. Carau & Co. v. Sec. Pac. Bus.
Credit, Inc., 222 Cal. App.3d 1371, 1395 (1990).
IV
In sum, we conclude that Plaintiffs have standing to assert
their claims. We affirm the district courtâs dismissal of the
SCA, breach of contract, and breach of implied covenant
claims. We conclude that Plaintiffs adequately pleaded their
remaining claims at this early stage to survive a motion to
38 IN RE FACEBOOK, INC. INTERNET TRACKING LITIG.
dismiss under Rule 12(b)(6). We remand these issues to the
district court for further consideration. We do not reach any
other issue argued by the parties, leaving those issues for
consideration by the district court in the first instance. All
pending motions are denied as moot. The parties shall bear
their own costs.
AFFIRMED IN PART, REVERSED IN PART, AND
REMANDED.