402 F.Supp.3d 767
N.D. Cal. 2019
Background
- Consolidated MDL arising from Cambridge Analytica: plaintiffs (current/former Facebook users) allege Facebook disclosed sensitive "friends-only" information to third parties (app developers, whitelisted apps, business partners) and failed to prevent misuse.
- Complaint narrowed to core allegations: (1) app developers could access friends' data via Platform interactions; (2) after purported restriction, certain "whitelisted" apps retained access; (3) extensive sharing with business partners; (4) Facebook failed to enforce limits on third-party use.
- Lead plaintiffs seek nationwide/U.K. class relief for disclosures from 2007–present; Facebook moved to dismiss on grounds including lack of privacy interest, lack of Article III standing, and user consent via terms.
- Court framed three overarching legal questions: expectation of privacy in social-media "friends-only" data; whether a non‑economic privacy invasion confers Article III standing; and whether Facebook’s terms (SRR and incorporated Data Use Policy) manifest user consent to the alleged practices.
- Ruling: Court rejects Facebook’s all‑or‑nothing privacy theory; holds that a bare privacy invasion can be a concrete injury for standing; finds consent defenses limited—some disclosures were contractually disclosed for certain timeframes/users but many alleged practices (whitelisted apps, business partners, failure to restrict misuse) were not clearly consented to at pleading stage; most prioritized claims survive in part.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Reasonable expectation of privacy in "friends-only" social media data | Users retain privacy interest when sharing with limited audiences; broader dissemination by Facebook invades privacy | Once users share with friends, they relinquish all privacy interest; no cognizable expectation against platform sharing | Court: Expectation of privacy can be limited but still reasonable; sharing with friends does not eliminate privacy interest (rejects Facebook’s categorical rule) |
| Article III standing for nondisclosure/disclosure-only privacy injury | Disclosure of sensitive information itself is a concrete, particularized injury | A "bare" privacy invasion without tangible or economic harm is insufficient; need real‑world harm | Court: Intangible privacy invasion can be concrete and particularized; such allegations suffice for standing (risk-of-identity-theft and lost-value theories were speculative and insufficient) |
| Consent via online terms (SRR/Data Use Policy) | Plaintiffs did not consent to the challenged practices; many disclosures were not adequately disclosed to users | Users agreed to SRR/Data Use Policy; policy language (and incorporation) authorized sharing with apps via friends, so no claim | Court: Data Use Policy incorporated; sharing via apps was disclosed for many users (post-2009) — consent limits some claims for consenting users; but pre-2009 users and disclosures about whitelisted apps, business partners, and enforcement failures are not shown to be consented to at pleading stage |
| Statutory and common-law claims (VPPA, SCA, privacy torts, contract, negligence, UCL, right of publicity) | Various claims: VPPA, SCA, public disclosure of private facts, intrusion, negligence, breach, deceit, unjust enrichment | Facebook seeks dismissal on standing, consent, preemption/exceptions, and substance | Court: Most prioritized claims survive in part — VPPA claim and negligence survive; SCA and privacy torts survive except where consent applies; deceit survives as to whitelisted apps/business partners; breach and implied covenant survive for undisclosed practices; UCL and right of publicity dismissed |
Key Cases Cited
- Sanders v. American Broadcasting Cos., 20 Cal. 4th 907 (Cal. 1999) (privacy expectations can have degrees and nuances)
- Reporters Committee for Freedom of the Press v. United States Dep’t of Justice, 489 U.S. 749 (U.S. 1989) (privacy protection tied to degree of dissemination)
- Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (U.S. 2016) (intangible injuries can be concrete for Article III standing)
- Bartnicki v. Vopper, 532 U.S. 514 (U.S. 2001) (privacy of communications is important to democratic society)
- Eichenberger v. ESPN, 876 F.3d 979 (9th Cir. 2017) (statutory privacy violations can create Article III standing)
- Van Patten v. Vertical Fitness Grp., LLC, 847 F.3d 1037 (9th Cir. 2017) (privacy-intrusive communications can supply standing absent additional harm)
- In re Google Inc. Cookie Placement Consumer Privacy Litig., 806 F.3d 125 (3d Cir. 2015) (tracking practices can confer standing without economic loss)
- Johnson v. City of Shelby, 574 U.S. 10 (U.S. 2014) (federal pleading rules tolerate imperfect statement of legal theory)
- Guz v. Bechtel Nat’l, Inc., 24 Cal. 4th 317 (Cal. 2000) (implied covenant cannot impose duties beyond the contract)
- Comedy III Prods., Inc. v. Gary Saderup, Inc., 25 Cal. 4th 387 (Cal. 2001) (right of publicity protects against commercial appropriation of name/likeness)
- City of Santa Barbara v. Superior Court, 41 Cal. 4th 747 (Cal. 2007) (public policy limits contracting away liability for gross negligence)
