Campbell v. Facebook

Whether the lower court erred in approving a proposed class action settlement that allowed Facebook to continue scanning private messages as long as the company posts a notice about the practice in its privacy policy
  • Appeals Court Affirms Consumer Rights to Facebook Suit, But Upholds Ineffective Settlement: The Ninth Circuit decided today that consumers could bring a case against Facebook for scanning private messages, but upheld a settlement that produced only a minor change in Facebook's business practices. In Campbell v. Facebook, the appeals court found that consumers "sued to protect concrete interests" because wiretap laws "codify a context-specific extension of the substantive right to privacy." EPIC filed an amicus brief in the case, arguing that the settlement "does not prevent Facebook from resuming the practices" consumers sued to stop. EPIC explained that the settlement only requires Facebook to post a "vague notice" that is "not the basis for consent" under applicable wiretap laws. EPIC routinely files amicus briefs in cases concerning consumer privacy and standing. (Mar. 3, 2020)


Campbell v. Facebook, No. 13-5996, 2017 WL 3581179 (N.D. Cal. Aug. 18, 2017), appeal docketed, No. 17-16873 (9th Cir. Sept. 15, 2017), concerns the fairness of a class action settlement in a case implicating Facebook users’ privacy interests. Facebook allegedly scanned its users’ private messages in violation of federal and state privacy laws. As objector intervenors, potential class members have filed an appeal, arguing that the terms of the settlement failed to compensate consumers and did nothing to change Facebook’s business practices. The only prospective relief in the settlement is a minor change to Facebook’s privacy policy disclosing that Facebook scans private messages.

Factual and Procedural Background

This class action lawsuit concerns Facebook’s practice of scanning the content of its users’ messages without consent. The plaintiffs, Mathew Campbell and Michael Hurley, as class representatives, allege that Facebook’s scanning of the contents of their private messages violated the federal Electronic Communications Privacy Act (“ECPA”) and California’s Invasion of Privacy Act (“CIPA”). Specifically, the allegations in this suit concern Facebook's practice of using links to websites (URLs) in private messages for targeted advertising and increasing the "like" count of webpages.

Lower Court Ruling

On December 23, 2014, the lower court granted in part and denied in part Facebook’s motion to dismiss. Campbell v. Facebook, 77 F. Supp. 3d 836 (N.D. Cal. 2014). The court concluded that the complaint sufficiently alleged Facebook’s scanning was an “interception” of a private message under ECPA, and that the “ordinary course of business” and “consent” exceptions did not apply.

On May 18, 2006, the court granted class certification to certain groups of Plaintiffs under Federal Rule of Civil Procedure 23(b)(2) (for those plaintiffs seeking only injunctive and declarative relief). Campbell v. Facebook, 315 F.R.D. 250 (N.D. Cal. 2016). Subsequently, on April 26, 2017, the court granted preliminary approval of a proposed settlement agreement. The court certified a settlement class of “[a]ll nautral-person Facebook users located within the United States and its territories who have sent, or received from a Facebook user, private messages that included URLs in their content (and from which Facebook generated a URL attachment), from December 30, 2011 to March 1, 2017.”

Finally, on August 18, 2017, the court granted plaintiffs’ motion for final settlement approval, an award of attorneys’ fees, and incentive awards.

Settlement Agreement

The settlement agreement provided for declaratory relief. Facebook acknowledged its cessation of a number of practices in 2012, 2014, and 2017, including scanning URL links to increase the “like” count increment of websites, disclosing URL data to third parties via “insights,” for targeted advertising, and using URLs to generate “recommendations,” via "EntShares." However, the settlement did not include an injunction barring Facebook from resuming these practices.

The agreement also provided for disclosure changes, that would allow Facebook to continue scanning private messages. This included a revision to the Data Policy to include “that Facebook collects the ‘content and other information’ that people provide when they ‘message or communicate with others.’” Additionally, Facebook is required to display the following message on its American "Help Center" website for a year: “We use tools to identify and store links shared in messages, including a count of the number of times links are shared.” With regard to attorneys’ fees and costs, Facebook will pay up to $3.89 million, which was negotiated independently of other settlement terms.

U.S. Court of Appeals for the Ninth Circuit

The case has been appealed to the Ninth Circuit Court of Appeals. Appellants are objector-intervenors who are potential class members objecting to the terms of the settlement. Appellants argue that the terms of the settlement does not provide a benefit to class members because it would allow Facebook to continue engaging in the practice that was the basis for the lawsuit as long as the company buries a notice in its privacy policy.

Legal Background

Under the Federal Rule of Civil Procedure 23(e)(2), a proposed settlement may be approved “only after a hearing and on finding that it is fair, reasonable, and adequate.

The Supreme Court has recently expressed an interest in the fairness of class settlements. In Marek v. Lane, Chief Justice Roberts expressed "fundamental concerns" over a settlement that allowed Facebook to continue its "Beacon" program and provided no monetary relief to the class:

“In the end, the vast majority of Beacon's victims got neither remedy. The named plaintiffs reached a settlement agreement with the defendants before class certification. Although Facebook promised to discontinue the "Beacon" program itself, plaintiffs' counsel conceded at the fairness hearing in the District Court that nothing in the settlement would preclude Facebook from reinstituting the same program with a new name.”

EPIC’s Interest

EPIC has long urged courts to reject collusive settlements and has proposed objective criteria for courts to follow in class action cases.

In In Re Google Cookie Placement Litigation, EPIC urged the Third Circuit to reject a settlement that allowed Google to continue tracking Internet users across the web and failed to provide any monetary relief to the class members. The only relief in the settlement were cy pres funds dedicated to organizations to which Google already contributed. The case involved practices by Google which EPIC had challenged in the past. EPIC, the Center for Digital Democracy, and US PIRG were the groups that warned the FTC in 2007 that the Google-DoubleClick merger would lead to the internet tracking practices at issue in the settlement. EPIC's 2010 FTC complaint regarding Google Buzz also led to the FTC's Consent Order with Google that enabled the Commission to pursue related charges against Google.

In In Re Google Referrer Header Privacy Litigation, EPIC twice urged the lower court to reject the settlement, arguing that it did nothing for class members and would allow Google to “continue to engage in the privacy-invading practice.” A divided federal appeals court ultimately upheld a decision that allows Google to continue consumer privacy violations by means of the collusive settlement. The case concerned Google’s illegal disclosure of personal data from 129 million consumers; however, the settlement failed to compensate those consumers, did nothing to change Google’s business practices, and diverts funds to organizations that do not protect consumer privacy. The dissenting judge wrote that the settlement “raises a red flag” because “47% of the settlement fund is being donated to the alma maters of class counsel.”

Furthermore, EPIC has a strong interest in protecting consumer privacy rights online. EPIC closely monitors the use of advanced tracking techniques that enable companies like Facebook and Google to track users browsing habits, collecting a wealth of personal data about users that the businesses use to develop and sell profiles or deliver targeted advertisements. EPIC has done extensive work in the areas of online tracking and behavioral profiling, including urging the FTC to limit the use of cross-device tracking, whereby companies track consumers across their smartphones, laptops, tablets, and other internet-connected devices. EPIC also supports proposals to impose technological limits on the tracking of third-party web browsing history.

EPIC has filed amicus curiae briefs in support of consumers alleging that their rights have been violated by third party tracking techniques. In In Re Nickelodeon, a case arising under the Video Privacy Protection Act, the plaintiffs alleged that —children who visited the website—sued were subject to tracking by Viacom, the company that managed the website, and Google, and that these companies collected their personal information in connection with online views of video content. EPIC argued in its brief that the definition of “Personally Identifiable Information” (or “PII”) in the VPPA is purposefully broad to protect against the very type of privacy abuses at issue in the case.

EPIC has also previously challenged Facebook’s privacy policies—in particular their requiring that users disclose certain personal information—in a complaint with the FTC. The FTC subsequently brought legal action against Facebook for unfair and deceptive business practices, and entered into a consent decree in 2011 following EPIC’s complaint.

Legal Documents

U.S. Court of Appeals for the Ninth Circuit, No. 17-16873

U.S. District Court for the Northern District of California, No. 13-05996



Share this page:

Defend Privacy. Support EPIC.
US Needs a Data Protection Agency
2020 Election Security