In re Facebook Internet Tracking Litigation
263 F. Supp. 3d 836
| N.D. Cal. | 2017Background
- Facebook provides social plug-ins (e.g., "Like" buttons) that cause users' browsers to send a separate GET request to Facebook containing the page URL and Facebook cookies.
- Plaintiffs allege Facebook used these requests and persistent cookies to track browsing across third‑party sites, correlate histories with identities (even when logged out), and in some instances circumvent Internet Explorer cookie‑blocking via P3P policy strings.
- Plaintiffs filed a second amended consolidated class complaint asserting claims under the Wiretap Act, Stored Communications Act (SCA), California Invasion of Privacy Act (CIPA), California constitutional privacy, intrusion upon seclusion, trespass to chattels, CDAFA, fraud, larceny, breach of contract, and breach of the covenant of good faith and fair dealing.
- The Court previously dismissed an earlier complaint in part and granted leave to amend; Facebook moved to dismiss the SAC under Rules 12(b)(1) and 12(b)(6).
- The court found Article III standing for Wiretap, SCA, and CIPA claims generally (as previously), and for privacy torts and contract claims; it found no standing for trespass to chattels, CDAFA, fraud, and larceny.
- On the merits, the court dismissed the Wiretap Act, SCA, and CIPA claims (and the privacy torts) for failure to state a claim, but allowed breach‑of‑contract and breach‑of‑duty claims to be repleaded; several claims were dismissed without leave to amend for lack of standing.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Wiretap Act / CIPA: Did Facebook "intercept" communications between users and third‑party sites? | Facebook’s receipt of page URLs and cookies constitutes interception of user communications with third‑party sites. | Facebook received a separate request as a party to that communication, so it did not intercept a communication between the user and the third party. | Dismissed: No interception — Facebook was a party to the requests it received; Wiretap Act and CIPA claims fail. |
| SCA: Do URLs/cookies in users’ browsers constitute electronic storage and are users’ devices "facilities"? | URLs and persistent cookies stored in browser history/toolbar are electronic storage protected by the SCA. | SCA protects temporary, intermediate storage incident to transmission and third‑party servers; local browser storage and personal devices are not covered facilities. | Dismissed: SCA does not cover local browser storage or personal computers; claim fails. |
| Intrusion upon seclusion / California constitutional privacy: Is FB’s tracking a highly offensive intrusion given reasonable expectations of privacy (including IE/P3P subclass)? | Collecting URLs and linking identities via persistent cookies (and using P3P strings to bypass IE settings) violated reasonable privacy expectations and was highly offensive. | Users could block cookies or use incognito/plugins; P3P adoption is voluntary and Facebook did not promise to adopt P3P; routine third‑party requests are not highly offensive. | Dismissed: Plaintiffs lack a reasonable expectation of privacy in these requests and allegations are not sufficiently offensive; IE/P3P allegations insufficient to state claim. |
| Trespass/CDAFA/fraud/larceny: Did plaintiffs suffer economic loss permitting standing? | Plaintiffs’ browsing data has value and its collection caused economic harm or deprivation. | Plaintiffs do not allege actual economic loss or deprivation (no realistic lost sale/value, no intent to permanently deprive). | Dismissed for lack of standing: economic‑harm‑dependent claims fail; dismissal without leave to amend. |
| Breach of contract / covenant: Did Facebook breach contractual terms or the implied covenant by tracking users? | Facebook’s SRR/privacy policy and help pages (incorporated into the contract) promised cookie removal on logout and limited tracking. | Plaintiffs do not identify specific contract terms or show incorporation path; implied covenant cannot create duties beyond contract terms. | Dismissed with leave to amend: Plaintiffs must plead specific contractual provisions and integration to proceed. |
Key Cases Cited
- Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (U.S. 2016) (injury‑in‑fact must be concrete and particularized)
- Ashcroft v. Iqbal, 556 U.S. 662 (U.S. 2009) (plausibility standard for pleadings)
- Bell Atl. Corp. v. Twombly, 550 U.S. 544 (U.S. 2007) (plausibility standard applies to complaints)
- Steel Co. v. Citizens for a Better Env’t, 523 U.S. 83 (U.S. 1998) (lack of Article III standing requires dismissal for want of jurisdiction)
- In re Google Inc. Cookie Placement Consumer Privacy Litig., 806 F.3d 125 (3d Cir. 2015) (distinguishing deceptive circumvention of browser settings from ordinary tracking)
- In re Zynga Privacy Litig., 750 F.3d 1098 (9th Cir. 2014) (SCA covers third‑party stored communications, not end‑user devices)
- In re DoubleClick Inc. Privacy Litig., 154 F. Supp. 2d 497 (S.D.N.Y. 2001) (SCA targets temporary, intermediate storage incident to transmission)
- eBay, Inc. v. Bidder’s Edge, Inc., 100 F. Supp. 2d 1058 (N.D. Cal. 2000) (elements and damages for trespass to chattels)
- Hernandez v. Hillsdale, 47 Cal.4th 272 (Cal. 2009) (elements for intrusion upon seclusion)