ORDER GRANTING IN PART AND DENYING IN PART MOTION FOR CLASS CERTIFICATION
On March 16, 2016, plaintiffs’ motion for class certification came on for hearing before this court. Plaintiffs Matthew Campbell and Michael Hurley (“plaintiffs”) appeared through their counsel, Michael Sobol, Hank Bates, David Rudolph, and Melissa Gardner. Defendant Facebook, Inc. (“defendant” or “Facebook”) appeared through its counsel, Christopher Chorba, Joshua Jessen, Jeana Maute, and Priyanka Rajagopalan. Having read the papers filed in conjunction with the motion and carefully considered the arguments and the relevant legal authority, and good cause appearing, the court hereby rules as follows.
BACKGROUND
This is a privacy case involving the scanning of messages sent on Facebook’s social media website. Facebook describes itself as the “world’s largest social networking platform,” with approximately 1.2 billion users worldwide. Facebook users are able to share content — such as photos, text, and video — with other users. Users can select the group of people with whom they wish to share this content, and may choose to share certain information publicly (i.e., with all Facebook users), or may choose to share certain information only with their “friends” (i.e., Facebook users with whom they have mutually agreed to share content). Facebook users may also choose to share certain information privately, with just one other Facebook user, through the use of a “private message.” While not identical to email, a private message is analogous to email, in that it involves an electronic message sent from one user to one or more other users. Facebook users access their “messages” through an inbox on the Facebook website, akin to an email inbox. This suit arises out of Facebook’s handling of these “private messages.”
In the operative Consolidated Amended Class Action Complaint (“Complaint”), plaintiffs allege that Facebook scans the content of these private messages for use in connection with its “social plugin” functionality. The “social plugin” operates as follows: certain websites have a Facebook “like” counter displayed on their web pages, which enables visitors of the page to see how many Facebook users have either clicked a button indicating that they “like” the page, or have shared the page on Facebook. In essence, the “like” counter is a measure of the popularity of a web page.
Plaintiffs allege in the Complaint that Facebook scans the content of their private messages, and if there is a link to a web page contained in that message, Facebook treats it as a “like” of the page, and increases the page’s “like” counter by one. Plaintiffs further allege that Facebook uses this data re
Plaintiffs now move for class certification, but their current class definition differs from the one set forth in the operative complaint. The Complaint is brought on behalf of “[a]ll natural-person Facebook users located within the United States who have sent or received private messages that included URLs in their content, from within two years before the filing of this action up through and including the date when Facebook ceased its practice,” Complaint, ¶ 59. In their motion, plaintiffs move for certification of the following class: “All natural-person Facebook users located within the United States who have sent, or received from a Facebook user, private messages that included URLs in their content (and from which Facebook generated a URL attachment), from within two years before the filing of this action up through the date of the certification of the class.”
At the hearing, the court questioned plaintiffs about the incongruity between the Complaint and the class certification motion, and plaintiffs’ counsel explained that the changes are the result of new information that was learned through discovery. And in addition to the changes to the class definition, plaintiffs’ motion also describes two additional ways in which Facebook allegedly violated the ECPA and CIPA, beyond the one alleged in the Complaint.
As mentioned above, plaintiffs’ original theory was that Facebook scans the users’ messages, and when a URL was included, it would increase the “Like” counter for that URL. Now, plaintiffs allege two other interceptions/uses
Plaintiffs explain that, when a Facebook user composes a message with a URL in the message’s body, Facebook generates a “URL preview,” consisting of a brief description of the website and a relevant image from the website, if available. Facebook keeps a record of these “URL previews” — the record being called an “EntShare.” The “EntShare” is tied to the specific user who sent the message. Facebook also creates another record called an “EntGlobalShare,” which tracks all users who sent a message containing the same URL.
Plaintiffs then specifically describe the three ways in which the message data is allegedly redirected and used. The first is to “fuel its algorithms for measuring user engagement and making recommendations.” This alleged use is related to the “EntShare” and the “EntGlobalShare” described above — essentially, Facebook keeps a tally of the number of times that a certain URL has been shared in users’ messages (the “EntGlobalShare” number), and then incorporates that number “into secret algorithms that pushed content to users across the social network.” As an example, plaintiffs cite to Facebook’s “Taste” system, which generates recommendations “to push to targeted users that Facebook believes the user would find relevant.” The recommendations are generated by a piece of source code called “ExternalNodeRecommender,” which takes into account which URLs a user’s friends had shared (in other words, a user’s friends’ messages will be weighted more heavily than the messages of random users in generating recommendations). Thus, plaintiffs allege that “Facebook’s recommendation system used private message content to target Internet links to specific users.”
The second use alleged by plaintiffs is the “sharing of user data with third parties.” Plaintiffs argue that Facebook “redirects” the content of private messages to interested third parties through its “Insights” product, allowing those third parties to “help the website customize content for its existing visitors and target advertising to attract new visitors.”
The third use alleged by plaintiffs is the “Like” count increase, which was discussed extensively during the motion to dismiss proceedings, and in the court’s order resolving that motion. See Dkt. 43. Specifically, when a user sends a message with a URL, Facebook counts that as equivalent to a user actively clicking “like” on the website link. Plaintiffs supplement their earlier allegations regarding this practice with testimony from Facebook employees. For instance, in one exchange, a Facebook employee discusses the “acknowledged problem” that “a shortage of likes is limiting the number of users that can be targeted by their interests and thereby affecting revenue.” Dkt. 138-4, Ex. 8. Another employee described the practice of including user message content in this “like” count, saying that “the motivation was to make [the Like count] as big as possible.” Dkt. 138-4, Ex. 9.
In another exchange, Facebook CEO Mark Zuckerberg complained in an email that Twitter’s numbers for its “like”-equivalent were much higher than Facebook’s, and argued that “we should be showing the largest number we can rationalize showing.” Dkt. 138-4, Ex. 15. And in yet another exchange, employees discussed the practice of including message scans in the “like” total, and said that “we have intentionally not proactively messaged what this number is since it’s kind of sketchy how we construct it.” Dkt. 138-4, Ex. 17.
While the Complaint already includes allegations regarding the “Like” counter increase, and arguably includes allegations regarding the interception of messages to generate user recommendations (see Complaint, ¶¶ 49-51), it does not contain allegations regarding the sharing of data with third parties. However, because these allegations are based on a review of discovery that was not available at the time of the complaint’s filing, the court finds that plain
Turning back to the present motion, plaintiffs seek class certification under Rule 23(b)(3), or in the alternative, under Rule 23(b)(2).
DISCUSSION
A. Legal Standard
“Before certifying a class, the trial court must conduct a ‘rigorous analysis’ to determine whether the party seeking certification has met the prerequisites of Rule 23.” Mazza v. American Honda Motor Co., Inc.,
The party seeking class certification bears the burden of affirmatively demonstrating that the class meets the requirements of Federal Rule of Civil Procedure 23. Wal-Mart Stores, Inc. v. Dukes,
Rule 23(a) requires that plaintiffs demonstrate numerosity, commonality, typicality and adequacy of representation in order to maintain a class. First, the class must be so numerous that joinder of all members individually is “impracticable.” See Fed. R. Civ. P. 23(a)(1). Second, there must be questions of law or fact common to the class. Fed. R. Civ. P. 23(a)(2). Third, the claims or defenses of the class representative must be typical of the claims or defenses of the class. Fed. R. Civ. P. 23(a)(3). And fourth, the class representative(s) must be able to protect fairly and adequately the interests of all members of the class. Fed. R. Civ. P. 23(a)(4). The parties moving for class certification bear the burden of establishing that the Rule 23(a) requirements are satisfied. Gen’l Tel. Co. of Southwest v. Falcon,
If all four prerequisites of Rule 23(a) are satisfied, the court then determines whether to certify the class under one of the three subsections of Rule 23(b), pursuant to which the named plaintiffs must establish either (1) that there is a risk of substantial prejudice from separate actions; or (2) that declaratory or injunctive relief benefitting the class as a whole would be appropriate; or (3) that common questions of law or fact common to the class predominate and that a class action is superior to other methods available for adjudicating the controversy at issue. See Fed. R. Civ. P. 23(b)(3).
The court does not make a preliminary inquiry into the merits of plaintiffs’ claims in determining whether to certify a class. Eisen v. Carlisle & Jacquelin,
B. Legal Analysis
As mentioned above, plaintiffs move for class certification under Rule 23(b)(3), and in the alternative, under Rule 23(b)(2). While
Although Rule 23 makes no mention of an “ascertainability” requirement, courts in this district have found that such a requirement is implied by Rule 23. See, e.g., Mazur v. eBay Inc.,
The Yahoo court then explained that the ascertainability requirement arose out of the “additional procedural safeguards” necessary for a (b)(3) class, including that class members be given notice of the class and an opportunity to opt out. In order to provide those safeguards, “the court must be able to ascertain, i.e., identify potential class members.”
Taking into account the purpose behind the ascertainability requirement, the Yahoo court found that “as a matter of practical application, the ascertainability requirement serves little purpose in Rule 23(b)(2) classes, as there will generally be no need to identify individual class members,” and as a result, it held that “the ascertainability requirement does not apply to Rule 23(b)(2) actions.”
However, plaintiffs also seek certification of a Rule 23(b)(3) class, and must show ascertainability with respect to that proposed class. As mentioned above, Facebook argues that the “individualized inquiry” needed with respect to each message “precludes a finding of ascertainability.” Dkt. 178-2 at 11. However, Facebook appears to be combining two distinct arguments here.
First, Facebook argues that not all messages resulted in the creation of an “EntShare” (also referred to as a “share object”). For instance, “if a person only sent or received Facebook messages without a URL, there would be no URL attachment or object.” Dkt. 178-2 at 11. Or, if a person “included a URL in the body of a message but sent the message before a URL preview could be generated, or deleted the URL preview before hitting send, then no share object would have been created.” Id. Or, if a person composing a message “did not have JavaScript enabled,” or if the message included a URL that was on Facebook’s list of malicious URLs, or if the message-sender was using a smartphone application to send
All natural-person Facebook users located within the United States who have sent, or received from a Facebook user, private messages that included URLs in their content (and from which Facebook generated a URL attachment), from within two years before the filing of this action up through the date of the certification of the class.
Dkt. 138 at 10-11 (emphasis added).
By limiting the relevant messages to those “from which Facebook generated a URL attachment,” plaintiffs have already accounted for the supposed outliers discussed in the previous paragraph. Any messages that did not generate a URL attachment (or share object
However, Facebook also makes a second argument with respect to ascertainability, arguing that there is no reliable means of isolating the messages “from which Facebook generated a URL attachment,” and thus, no means of identifying the senders and recipients of those messages. This argument does go to ascertainability, because if plaintiffs cannot identify the senders/recipients of messages containing a URL attachment, they will not be able to provide notice and an opt-out opportunity to those users.
In support of their argument that the class is ascertainable, plaintiffs rely on the testimony of their expert, Dr. Jennifer Golbeck, who opines that the class can be ascertained through a query of Facebook’s database records. See Dkt. 137-6, ¶¶ 103-105. Specifically, Dr. Golbeck explains that, when a message is sent with a URL attachment, a share object called an “EntShare” is created in Facebook’s source code. See id., ¶¶ 34-42. Each such message has a unique EntShare with a unique numerical identifier, and each EntShare is tied to the Facebook user ID of the message’s sender. Id. ¶¶ 98-101. All of this information is stored in a “private message database” called “Titan,” and the Titan database contains all of the information needed to identify members of the class. See Dkt. 166-6, ¶¶ 7-9. Specifically, the Titan database shows (1) the date and time that the message was sent, (2) the sender’s user ID, (3) the recipient’s user ID, and (4) the EntShare ID. Id., ¶ 8. Dr. Golbeck argues that a “database query could be written that would identify the senders and recipients of Private Messages sent during the Class Period with URL attachments,” and sets forth the specific steps for doing so in her opening and rebuttal reports. Id., ¶¶ 9-10, see also Dkt. 137-6, ¶¶ 103-105.
Facebook calls Dr. Golbeck’s proposal “not only speculative” but also “futile.” Facebook points to Dr. Golbeck’s deposition testimony, arguing that it undermines the reliability and accuracy of the “database query” method of ascertaining the class. For example, Facebook argues that the database query would not identify message recipients, or message senders whose URLs were blocked as malicious, or senders who had deleted URL attachments. Dkt. 178-2 at 14.
Along with plaintiffs’ reply brief, Dr. Golbeck submitted a rebuttal report, addressing each of the concerns identified by Facebook.
Facebook also briefly argues that “even if a share object was created, there is more variability” around the way that each share object was handled by Facebook’s system, due to “technical complexities” or other reasons. See Dkt. 178-2 at 13. Facebook’s opposition brief does not develop these arguments, instead directing the court to various parts of the voluminous record filed in connection with the opposition brief. This evidence largely points to situations such as “database failures” or “race conditions” (where multiple people share the same URL at the same time) as creating variabilities, but provides no indication of how often they occur. Indeed, Facebook’s declarant admits that “[a]s with any system of this size, it is expected that at least some machines will always be offline or not functioning properly resulting in some error.” The general proposition that machines sometimes do not function properly cannot be sufficient to defeat ascertainability. Without more, Facebook cannot rebut the showing made by plaintiffs that a method exists for determining who fits within the proposed class. Accordingly, the court finds that the class is objectively ascertainable, and it will now address the Rule 23(a) factors.
1. Rule 23(a)
a. Numerosity
Rule 23(a)(1) requires that a class be so numerous that joinder of all members is impracticable. In order to satisfy this requirement, plaintiffs need not state the “exact” number of potential class members, nor is there a specific number that is required. See In re Rubber Chems. Antitrust Litig.,
Facebook does not directly challenge the numerosity of the proposed class, but rather, argues in a footnote that “[b]ecause the proposed class is not ascertainable, plaintiffs also do not meet their burden of showing Rule 23(a)(1) numerosity.” Dkt. 178-2 at 14, n.8. Because the court has found that the class is objectively ascertainable, the court finds no basis for this challenge. Instead, the court looks to plaintiffs’ representation that, in 2012, Facebook had approximately 600 million monthly active users of the private message function. Although this number is a worldwide total, given the relatively low bar for finding numerosity, the court finds that the proposed class is sufficiently numerous for Rule 23(a) purposes.
b. Commonality
Rule 23(a)(2) requires “questions of law or fact common to the class.” This provision requires plaintiffs to “demonstrate that the class members ‘have suffered the same injury,’ ” not merely violations of “the same provision of law.” Dukes,
Plaintiffs need not show, however, that “every question in the case, or even a preponderance of questions, is capable of class wide resolution. So long as there is ‘even a single common question,’ a would-be class can satisfy the commonality requirement of Rule 23(a)(2).” Wang v. Chinese Daily News, Inc.,
Plaintiffs argue that proof of the elements of the ECPA and CIPA is necessarily common, because it will focus on Facebook’s uniform conduct, such as its internal operations and source code, and its interception and redirection of messages.
Facebook responds by arguing that the “‘interceptions’ did not occur in all cases, nor did they apply uniformly,” and instead, “[f]or any particular Facebook message, it would be necessary to determine whether (1) a share object was created, (2) the anonymous, aggregate counter in the global share object was incremented, and (3) the URL scrape or share was ‘logged.’” Dkt. 178-2 at 18.
Facebook appears to overstate the showing needed to establish commonality. As explained above, even a single common question is sufficient. Thus, the mere fact that Facebook creates a share object every time a message is sent with a URL is sufficient to establish commonality. Any individual differences between those messages are properly considered as part of the predominance requirement of Rule 23(b)(3).
c. Typicality
The third requirement under Rule 23(a) is that the claims or defenses of the class representatives must be typical of the claims or defenses of the class. Fed. R. Civ. P. 23(a)(3). Typicality exists if the named plaintiffs’ claims are “reasonably coextensive” with those of absent class members. Staton v. Boeing,
“The purpose of the typicality requirement is to assure that the interest of
Plaintiffs argue that they are Facebook users who have sent private messages containing a URL link, and that Facebook intercepted the URL content of their messages in the same manner that it did with the rest of the class’s messages. Facebook does not rebut plaintiffs’ arguments as to typicality, and the court finds that the typicality requirement is met.
d. Adequacy
The fourth requirement under Rule 23(a) is adequacy of representation. The court must find that named plaintiffs’ counsel is adequate, and that named plaintiffs can fairly and adequately protect the interests of the class. To satisfy constitutional due process concerns, unnamed class members must be afforded adequate representation before entry of a judgment which binds them. See Hanlon,
Plaintiffs argue that they have no antagonism with class members’ interests and that they have committed to prosecute the case vigorously on behalf of all class members. They argue that plaintiffs’ counsel have substantial experience in litigating privacy claims, and will commit the resources necessary to represent the class.
Facebook argues that neither plaintiffs nor their counsel are adequate for three reasons. First, Facebook argues that this suit “was initiated and is driven by class counsel.” Second, Facebook argues that “plaintiffs’ close relationships with class counsel” render them inadequate class representatives. And finally, Facebook argues that plaintiffs’ counsel’s “mistreatment” of a former plaintiff in this case should “disqualify” them from serving as class counsel. The court finds each of these concerns to be overstated.
The first two arguments rely on the speculative notion that plaintiffs will be unduly influenced by their attorneys into taking positions that run counter to the interests of the class members. However, Facebook points to no actual conflict between the putative class members and the proposed class representatives/counsel. See Cummings v. Connell,
As to the third argument, the court finds that Facebook has blurred the distinction between the proposed class counsel and the counsel of former plaintiff David Shadpour. For instance, Facebook argues that Mr.
2. Rule 23(b)
As mentioned above, Rule 23(b)(3) requires the party seeking class certification to show that “questions of law or fact common to class members predominate over questions affecting only individual members,” and that class treatment is “superior to other available methods for fairly and efficiently adjudicating the controversy.”
a. Predominance
The requirement that questions of law or fact common to class members predominate over questions affecting only individual members “tests whether proposed classes are sufficiently cohesive to warrant adjudication by representation.” Amchem Prods., Inc. v. Windsor,
In addition, however, Rule 23(b)(3) requires a more stringent analysis than does Rule 23(a)(2). See Comcast Corp. v. Behrend, — U.S. —,
Thus, to satisfy this requirement, plaintiffs must show both (1) that the existence of individual injury arising from the defendant’s alleged actions (i.e., the defendant’s liability to each class member) is “capable of proof at trial through evidence ... common to the class rather than individual to its members” and (2) that “the damages resulting from that injury [are] measurable ‘on a class-wide basis’ through the use of a ‘common methodology.’ ” Comcast,
Plaintiffs argue that “resolution of the common issues — whether Facebook’s programmed, uniform treatment of users who send private messages containing URLs or Internet links violates ECPA and CIPA — can be achieved in this one proceeding.” Plaintiffs point out that the relevant issues under the ECPA are whether Facebook in
Facebook argues that the ECPA covers only interceptions of the “contents” of a message, as opposed to the “record information” contained in a message. This distinction is set forth in the ECPA, which allows an electronic communications provider to “divulge a record or other information pertaining to a subscriber to or customer of such service (not including the contents of communications).” 18 U.S.C. § 2702(c). The statute defines such “record” information to include the “name,” “address,” and “subscriber number or identity” of the customer. 18 U.S.C. § 2703(c).
As applied to this case, Facebook argues that “[d]etermining whether the URLs constituted the ‘contents’ of a communication will require a URL-by-URL, message-by-message, sender-by-sender analysis.” Dkt. 178-2 at 23. Facebook’s position appears to be based on a Ninth Circuit case holding that certain header information, including “the user’s Facebook ID and the address of the webpage from which the user’s HTTP request to view another webpage was sent,” did not constitute the “contents” of a message. In re Zynga Privacy Litigation,
Plaintiffs also point out that both the ECPA and CIPA require that the alleged interception occur without consent, and they argue that the class members’ lack of consent will be established through common proof. Facebook focuses on the issue of implied consent, arguing that it requires an individual user-by-user inquiry to determine whether class members impliedly consented to the alleged interceptions.
For support, Facebook primarily relies on an opinion from this district, In re Google Gmail Litigation,
The Gmail court found that implied consent is “an intensely factual question that requires consideration of the circumstances surrounding interception to divine whether the party whose communication was intercepted was on notice that the communication would be intercepted.” Gmail, at *16. However, the court noted that it rejected Google’s prior argument that “all email users impliedly consented to Google’s interceptions ... because all email users understand that such interceptions are part and parcel of the email delivery process.” Id. Instead, the
The court then went through the specific evidence cited by Google as establishing implied consent. First, there was a page on the Google website itself stating that “the ads you see may be based on ... factors like the messages in your mailbox.” Second, the same page also gave an example of a user who received lots of messages about photography and cameras, and then was shown an ad for a local camera store. Third, the ads themselves contained buttons that said “Why This Ad?”, and if the user clicked on the button, they would be told “this ad is based on emails from your inbox.” Fourth, another page on the Google website said that “Google scans the text of Gmail messages in order to filter spam and detect viruses,” and “also scans keywords in users’ email which are then used to match and serve ads.” The Gmail court also cited similar disclosures from non-Google sources, such as newspaper reports. Based on that showing, the Gmail court found that some class members likely viewed those disclosures, and some did not, creating individual issues regarding consent.
While Facebook relies on the ultimate holding of Gmail, the evidence in this case is a far cry from the evidence cited in that case. Facebook cites to only one example of a Facebook-generated document where the message scanning practice was disclosed - in a guide intended for website developers, rather than in Facebook’s own terms of service. In fact, plaintiffs suggest that Facebook was actively trying to hide the practice, citing evidence showing that its own employees described the practice as “sketchy” and “downright misleading” and contrary to “the understanding of 99.9% of people.” Dkt. 138-4, Ex. 27, 28. And when faced with a “high degree of scrutiny from privacy advocates,” the decision was made to “just remove it.” Dkt. 138-4, Ex. 16.
That said, Facebook is correct that one of the alleged practices (the “Like” counter increase) was reported on in 2012, even though the reports came from non-Facebook sources. The Gmail court rejected any distinction between information gleaned from Google sources versus non-Google sources, and this court similarly finds no reason for such a distinction. Gmail, at *19. Even if Facebook hid its practice, as long as users heard about it from somewhere and continued to use the relevant features, that can be enough to establish implied consent. The court also notes that the class period has been defined to extend “up through the date of the certification of the class,” so the 2012 news reports regarding the “Like” counter increase are relevant to the implied consent analysis.
However, there is an important point that is completely glossed over by Facebook — the public disclosures were limited to the “Like” counter increase, even though plaintiffs now challenge three distinct interceptions/uses of the message content, only one of which is the Like counter increase. As discussed above, plaintiffs also argue that Facebook used the “share objects” in order to make recommendations to other users, and that Facebook shared message data with third parties. While the court finds that individual issues of implied consent do predominate in the context of increasing the Like counter (due to the media reports on the practice), the court does not reach the same conclusion with respect to the other two alleged practices, neither of which were disclosed by either Facebook sources or non-Facebook sources.
Facebook’s only statement regarding those two challenged practices is that “[a]ll of these practices varied over time and with different user behavior, and none continue to involve URLs shared in messages.” Dkt. 178-2 at 10, n. 6. That sentence is so vague as to be irrelevant to the implied consent analysis. Facebook points to no source of information — either internal or external — where the two challenged practices were disclosed to Facebook users. While it is ultimately plaintiffs’ burden to show that common issues predominate over individual ones, if plaintiffs have made such a showing, it falls to Facebook to rebut that showing and to present the court with a basis for reaching the opposite result. And while Facebook does invoke implied consent as a defense that could potentially raise individual issues, based on the
While the court finds that individual issues of implied consent do not predominate over common ones, at least as to two of the alleged practices, that finding does not end the predominance analysis under Rule 23(b)(3). The court must also consider whether individual issues surrounding damages predominate over common issues, or in other words, that “damages are capable of measurement on a classwide basis.” See Comcast,
The ECPA provides that “the court may assess as damages whichever is the greater of: (A) the sum of the actual damages suffered by the plaintiff and any profits made by the violator as a result of the violation; or (B) statutory damages of whichever is the greater of $100 a day for each day of violation or $10,000.” 18 U.S.C. § 2250(c)(2). CIPA provides for statutory damages, but not damages based on plaintiff’s harm or defendant’s profits. Cal. Penal Code § 632.7.
Plaintiffs do not appear to seek any sum for “actual damages” that they suffered, but instead, seek damages measured by profits made by Facebook (under ECPA) and/or statutory damages (under ECPA and CIPA). The court will start by addressing plaintiffs’ model for damages based on Facebook’s profits.
As a threshold matter, plaintiffs attempt to subtly expand the scope of available damages by tweaking the language of the statute. After quoting the ECPA’s provision for damages based on “profits made by the violator as a result of the violation,” plaintiffs argue that they can offer “common proof to calculate the value which Facebook derived from intercepting private message content.” See Dkt. 138 at 22. While the “value” derived by Facebook may bear some correlation with the “profits made,” the terms are not synonymous.
The report of plaintiffs’ damages expert takes similar liberties. Under the heading titled “The Measure of Damages,” plaintiffs’ expert sets forth two categories: (1) “Benefits Resulting from Enhancing the Social Graph by Incorporating Intercepted Data,” and (2) “Benefits from Inflating the Like Count on Third Party Websites.” See Dkt. 137-3, Ex. E. And while plaintiffs’ expert does attempt to tie the value of Facebook’s “Social Graph” to its actual advertising profits, he makes no such attempt with respect to the Like Counter. As to the Like Counter, plaintiffs’ expert opines that “the economic benefit derived by Facebook ... lies between two bounds: a higher bound represented by the cost that client websites saved by not having to acquire additional ‘Likes’ ... and a lower bound determined by the market value of artificially acquired ‘Likes’ for pages made possible by manipulating the counting system.” Id. at ¶ 62. Neither the higher bound nor the lower bound are tied to Facebook’s own actual revenue or profits, and instead, are presented in terms of costs savings to advertisers. While plaintiffs’ expert theorizes that “the cost savings to advertisers from the accrual of Likes from the intercepted messages [ ] were, in principle, made available to spend on additional Facebook marketing campaigns,” there appears to be no indication, other than speculation, that the advertisers’ cost savings actually did result in additional profits for Facebook. Thus, even in the aggregate, the connection between the Like counter increase and Facebook’s profits is too attenuated to support a classwide damages award.
Turning back to the Social Graph, the key flaw underlying plaintiffs’ expert’s methodology is that it assumes that every message intercepted by Facebook resulted in an equal amount of profit to Facebook. The
However, the next step of the damages methodology requires calculation of individual damages awards, and it is here where plaintiffs’ expert’s report falls short. Essentially, plaintiffs’ expert relies on the assumption that, because Facebook derives value (and therefore profit) from its Social Graph, and because part of the Social Graph is constructed based on information gleaned from the challenged interceptions, then each challenged interception resulted in an equal amount of profit to Facebook. While this assumption has the benefit of expediency, as it would lead to a straightforward damages distribution, it makes no attempt to actually calculate the profit attributable to each individual interception. And while the court is aware of the difficulty, if not impossibility, of discerning how much of a company’s profits is attributable to individual interceptions, and does not intend to foreclose all privacy-related class actions under Rule 23(b)(3), the court’s finding simply illustrates the difficulty of calculating non-statutory damages under the ECPA. Indeed, statutory damages are designed to cover situations exactly like this, where actual damages are “uncertain and possibly unmeasurable.” See Kehoe v. Fidelity Fed. Bank & Trust,
However, as mentioned above, statutory damages remain available to plaintiffs under either ECPA or CIPA. And while statutory damages awards largely avoid the individualized inquiries that plague awards based on actual damages, statutory damages are not to be awarded mechanically. In fact, the ECPA “makes the decision of whether or not to award damages subject to the court’s discretion.” DirecTV, Inc. v. Huynh,
When exercising that limited discretion, courts have weighed several factors, including: (1) the severity of the violation, (2) whether or not there was actual damage to the plaintiff, (3) the extent of any intrusion into the plaintiff’s privacy, (4) the relative financial burdens of the parties, (5) whether there was a reasonable purpose for the violation, and (6) whether there is any useful purpose to be served by imposing the statutory damages amount. DirecTV v. Huynh,
b. Superiority
Having already found that the predominance requirement is not met, the court need not reach the “superiority” prong of Rule 23(b)(3).
2. Rule 23(b)(2)
To have a class certified under Rule 23(b)(2), plaintiffs must show that “the party opposing the class has acted or refused to act on grounds that apply generally to the class, so that final injunctive relief or corresponding declaratory relief is appropriate respecting the class as a whole.” The “predominance” and “superiority” requirements of Rule 23(b)(3) do not apply to Rule 23(b)(2) classes. Instead, “[i]t is sufficient if class members complain of a pattern or practice that is generally applicable to the class as a whole. Even if some class members have not been injured by the challenged practice, a class may nevertheless be appropriate.” Walters v. Reno,
Plaintiffs argue that Facebook has “utilized a uniform system architecture and source code to intercept and catalog its users’ private message content,” and thus, has “acted or refused to act on grounds generally applicable to the class.”
Facebook’s primary argument against (b)(2) certification is that the class is not “indivisible” because “individual proof will show that many putative class members impliedly consented to the challenged practices.” Facebook also argues that some class members may have “welcome[d]” the challenged scanning practices, showing that an injunction would not affect the class in the same way.
The arguments raised by Facebook are very similar to those addressed—and rejected—by the court in Yahoo Mail.
The Yahoo court also held that “the fact that some class members might not want Yahoo to cease its interception and scanning ... does not render plaintiffs’ Rule 23(b)(2) class improper.”
Facebook also separately argues that the “primary relief sought by plaintiffs is monetary relief, not injunctive relief,” thus making Rule 23(b)(2) certification inappropriate. However, plaintiffs have represented that they seek “only declaratory and injunctive relief in the alternative request for certification pursuant to Rule 23(b)(2).” The court similarly finds that, to the extent plaintiffs sought monetary damages, those damages were sought pursuant to a Rule 23(b)(3) class. The court construes plaintiffs’ alternative request for Rule 23(b)(2) certification as seeking only injunctive and declaratory relief, and for the reasons discussed above, plaintiffs’ motion for (b)(2) certification is GRANTED.
CONCLUSION
For the foregoing reasons, plaintiffs’ motion for class certification is DENIED as to the proposed Rule 23(b)(3) class, and GRANTED as to the proposed Rule 23(b)(2) class.
As mentioned above, plaintiffs are granted leave to amend the complaint on a limited basis, and any amended complaint must be filed no later than June 8, 2016.
Finally, the court will conduct a case management conference on June 30, 2016 at 2:00 p.m.
IT IS SO ORDERED.
Notes
. Plaintiffs also exclude the following from the class definition: "Facebook and its parents, subsidiaries, affiliates, officers and directors, current or former employees, and any entity in which Facebook has a controlling interest; counsel for the putative class; all individuals who make a timely election to be excluded from this proceeding using the correct protocol for opting out; and any and all federal, state, or local governments, including but not limited to their departments, agencies, divisions, bureaus, boards, sections, groups, counsels and/or subdivisions; and all judges assigned to hear any aspect of this litigation, as well as their immediate family members." Dkt. 138 at 11.
. In its motion to dismiss, Facebook argued that plaintiffs were not challenging the "interception” of their messages, but rather the “use” of those messages. The court cited Ninth Circuit authority defining an "interception” as an "acquisition of the contents” of a communication, and further holding that an "acquisition” occurs "when the contents of a wire communication are captured or redirected in any way.” Dkt. 43 at 5 (citing Noel v. Hall,
. The parties are still disputing the details of this alleged practice, with Facebook filing an "errata” on May 11, 2016 to clarify and withdraw some of the assertions made during briefing, and with plaintiffs filing a response asking the court to strike the errata. The court will not strike Facebook's errata at this time, because it does seek to correct certain representations made previously, but the court's current order does not rely on the errata in any manner. For purposes of this motion, the court finds that plaintiffs have adequately shown that Facebook intercepts users’ message data in order to generate recommendations, even as the parties continue to dispute the specifics of those alleged interceptions.
. Facebook’s own opposition brief appears to use the term "URL preview" interchangeably with "share object.” See Dkt. 178-2 at 7 (“URL previews are stored on Facebook’s servers in the form of 'global' share objects”), 8 ("URL preview - i.e., the global share object”).
. Facebook objects to Dr. Golbeck’s rebuttal report, arguing that it should be stricken. See Dkt. 169-4. The thrust of Facebook’s objection is that the rebuttal report refers to the "Titan database,” which was not mentioned in Dr. Golbeck’s opening report. However, it appears that the rebuttal report simply adds the name of the database, which was referred to simply as a "database” in the original report. See, e.g., Dkt. 137-6, ¶ 103 ("A database query could be used"); see also Dkt. 166-6, ¶ 14 ("Although I did not mention Titan by name in my opening report, I specifically referenced using a database query”). Facebook
. As discussed above, the issues regarding implied consent to the "Like” counter increase already preclude class certification, but the damages issues provide an independent basis for denying certification as to that accused practice.
