956 F.3d 589
9th Cir.
2020

Background

  • Facebook embedded social plug-ins (e.g., Like button) on third-party sites; those plug-ins caused users’ browsers to send referer headers and other data to Facebook even after users logged out.
  • Facebook allegedly used cookies to tie collected referer headers to individual accounts, compiling detailed browsing profiles and selling targeting data to advertisers.
  • Plaintiffs (four named users and a putative class: accounts active May 27, 2010–Sept. 26, 2011) alleged Facebook executives knew of logged-out tracking and that Facebook continued tracking until public exposure.
  • Plaintiffs asserted multiple claims: Wiretap Act, Stored Communications Act (SCA), California Invasion of Privacy Act (CIPA), intrusion upon seclusion, invasion of privacy, trespass to chattels, CDAFA, statutory larceny, fraud, breach of contract, and breach of implied covenant.
  • The district court dismissed most claims for failure to state a claim and ruled plaintiffs lacked standing for certain economic-based claims; Ninth Circuit reviewed de novo, affirmed in part, reversed in part, and remanded.

Issues

| Issue | Plaintiff's Argument | Defendant's Argument | Held |
| --- | --- | --- | --- |
| Standing for privacy claims (Wiretap, CIPA, common-law privacy) | Plaintiffs alleged concrete privacy invasions from unauthorized post-logout tracking and compilation into profiles, causing real risk of harm to control of personal data | Facebook argued injury was speculative or purely procedural and insufficient under Spokeo | Ninth Circuit: Plaintiffs pleaded a concrete, particularized privacy injury and have standing for Wiretap, CIPA, and common-law privacy claims |
| Standing for economic-based state claims (trespass to chattels, CDAFA, larceny, fraud) | Plaintiffs alleged unjust enrichment/disgorgement entitlement because Facebook profited from their data, creating a cognizable state-law interest | Facebook said unjust enrichment is not an Article III injury unless plaintiffs sold data or suffered diminution in value | Ninth Circuit: California law recognizes an entitlement to disgorgement; plaintiffs sufficiently alleged a stake in Facebook’s profits to confer standing |
| Intrusion upon seclusion / invasion of privacy (California law) | Plaintiffs alleged reasonable expectation of privacy post-logout and that surreptitious collection was highly offensive | Facebook argued users lacked a reasonable expectation in URLs/toolbar data and cited cases finding no offensive intrusion | Ninth Circuit: At pleading stage allegations suffice to show reasonable expectation of privacy and that offensiveness is a factual question — claims survive 12(b)(6) |
| Wiretap Act & CIPA — party-exception when GET requests are duplicated | Plaintiffs: duplicating and forwarding users’ GET requests/referer headers to Facebook is an interception by a third party, not a "party" exception scenario | Facebook: it was a party/recipient of the communication; party-exception bars liability | Ninth Circuit: Adopts First and Seventh Circuits; duplication/unknown simultaneous forwarding does not make defendant a "party" as a matter of law — party-exception doesn’t automatically apply |
| SCA (18 U.S.C. §2701) — whether data was in "electronic storage" | Plaintiffs: transient toolbar/GET request copies qualify as electronic storage (incidental to transmission or backup) when Facebook accessed them | Facebook: the URL toolbar copy is not storage incidental to transmission nor backup; SCA protects stored third-party communications, not fleeting toolbar text | Ninth Circuit: Agrees with Facebook — plaintiffs failed to plead "electronic storage"; SCA claims properly dismissed |
| Breach of contract / implied covenant | Plaintiffs: SRR, Privacy/Data Use Policy, and Help Center formed contractual promises not to track logged-out users | Facebook: policies did not form an enforceable contract promise (no mutual exchange); SRR did not incorporate the Data Use/Help pages relied upon | Ninth Circuit: Plaintiffs failed to plead an operative contract or separate agreement; breach and implied-covenant claims dismissed |

Key Cases Cited

  • Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (U.S. 2016) (standards for concrete and particularized injury in fact under Article III)
  • Patel v. Facebook, 932 F.3d 1264 (9th Cir. 2019) (recognition that online privacy invasions can be actionable under common law)
  • In re Zynga Privacy Litig., 750 F.3d 1098 (9th Cir. 2014) (discussion of referer headers and expectations of privacy in URL data)
  • In re Google Inc. Cookie Placement Consumer Privacy Litig., 934 F.3d 316 (3d Cir. 2019) (holding that defendants were parties to duplicated GET requests under technical facts; contrasted here)
  • In re Pharmatrak, Inc. Privacy Litig., 329 F.3d 9 (1st Cir. 2003) (duplicating transmission and forwarding may constitute interception under Wiretap Act)
  • United States v. Szymuszkiewicz, 622 F.3d 701 (7th Cir. 2010) (simultaneous duplication/forwarding of employer emails found to be interception)
  • Theofel v. Farey-Jones, 359 F.3d 1066 (9th Cir. 2004) (discussion of "electronic storage" for SCA backup purpose)
  • Konop v. Hawaiian Airlines, Inc., 302 F.3d 868 (9th Cir. 2002) (definition of "intercept" encompassing contemporaneous acquisition)
  • Hernandez v. Hillsides, Inc., 47 Cal.4th 272 (Cal. 2009) (elements for intrusion upon seclusion and invasion under California law)
  • Hill v. NCAA, 7 Cal.4th 1 (Cal. 1994) (reasonable expectation of privacy is context-dependent)
  • Intel Corp. v. Hamidi, 30 Cal.4th 1342 (Cal. 2003) (trespass to chattels requires actual injury; damages element discussion)
  • Carpenter v. United States, 138 S. Ct. 2206 (U.S. 2018) (Fourth Amendment recognition that long-term digital records reveal deeply personal information)
  • Riley v. California, 573 U.S. 373 (U.S. 2014) (scope of privacy in digital contents)
  • County of San Bernardino v. Walsh, 158 Cal. App. 4th 533 (Cal. Ct. App. 2007) (California recognizes disgorgement for unjust enrichment)
  • Joffe v. Google, 746 F.3d 920 (9th Cir. 2013) (Electronic Communications Privacy Act objective to protect privacy of communications)

Case Details

Case Name: Perrin Davis v. Facebook, Inc.
Court Name: Court of Appeals for the Ninth Circuit
Date Published: Apr 9, 2020
Citations: 956 F.3d 589; 17-17486
Docket Number: 17-17486
Court Abbreviation: 9th Cir.