A “cookie” is a small text file that a server creates and sends to a browser, storing files in a particular directory on an individual computer. Facebook cookies come in two flavors. The first is a “session cookie” that is set when a user logs into Facebook. Session cookies are supposed to be deleted when a user logs out of Facebook. The second is a “tracking cookie” – also known as a “persistent cookie” – which uses Facebook “like” buttons placed on other websites to track which websites a user visits as she surfs the web. The tracking cookie sends data back to Facebook any time user accesses a page with the Facebook “like” button. Tracking cookies are not deleted when a user logs out of Facebook. In fact, Facebook sets these cookies on an individual’s computer whether or not they have a Facebook account.
One such tracking cookie is called a “datr” cookie. When a logged-out user visits a website that includes a Facebook “like” button, such as the CNN homepage, the CNN server responds with the file for the CNN homepage, which also contains embedded code from Facebook. The user’s browser, triggered by the Facebook code, sends a request to the Facebook server to display the Facebook “like” button on the page. This request contains information from the user’s datr cookie as well as details of the specific webpage that the user accessed. When Facebook receives this information, the Facebook server adds it to its database records for the browser and the user, enabling Facebook to build a profile of the individual user’s browsing habits over time.
Plaintiffs alleged that Facebook used these datr cookies to intentionally track users’ browsing activity after they logged-out of Facebook despite contrary representations in the social network’s governing materials.
Plaintiffs also alleged that the information Facebook receives through tracking logged-out users is specific enough to identify the user. They alleged that if a user has logged into Facebook, the datr tracking cookie that is set on her machine is linked to her through a number which is unique to her browser and computer or mobile device. Plaintiffs contend that the personal information Facebook receives from its users, including users’ browsing history, has “massive economic value” and that a market exists for such information.
Plaintiffs filed a class action complaint against Facebook in the Federal District Court for the Northern District of California on May 23, 2012, alleging violations of the federal Wiretap Act, 18 U.S.C. §2510 et seq., the Stored Communications Act (“SCA”), 18 U.S.C. § 2701 et seq., the California Invasion of Privacy Act (“CIPA”), invasion of privacy under the California Constitution, as well as common law claims.. The district court granted Facebook’s motion to dismiss on October 23, 2015, with leave to amend, on the grounds that Plaintiffs had failed to establish Article III standing with respect to some of their claims, and that Plaintiffs had failed to state a claim with respect to the rest.
Specifically, the court dismissed the Plaintiffs’ Wiretap Act claim with leave to amend because the Plaintiffs had not sufficiently alleged that Facebook intercepted the “contents” of a communication. The court reasoned that the tracking cookies Facebook set on Plaintiffs’ web browsers collected only their browsing history, which does not qualify as “contents” under the Ninth Circuit’s holding in In re Zynga Privacy Litig., 750 F.3d 1098 (9th Cir. 2014). Zynga held that a “referrer header” – basically the portion of the webpage request that provides the address of the webpage – does not meet the Wiretap Act’s definition of “contents”
The court also dismissed Plaintiffs’ CIPA claims with leave to amend, adding that “Plaintiffs have not pled facts to show how Facebook used a ‘machine, instrument, or contrivance’ to obtain the contents of communications.” Although Plaintiffs contended that a cookie is a “contrivance” under CIPA, the court stated that, “Plaintiffs must include facts in their pleading to show why it is so. In its current form, the [complaint] only defines a cookie as a small text file containing a limited amount of information which sits idly on a user’s computer until contacted by the server.” The court did not specifically address the common law invasion of privacy claim, but dismissed all common law claims with leave to amend for lack of standing.
Plaintiffs filed an amended complaint on December 1, 2015, re-alleging the same statutory and common law claims as the original complaint. On June 30, 2017, the court again granted Facebook’s motion to dismiss. This time, the court provided alternative reasons for why the plaintiffs’ Wiretap Act, CIPA, and SCA claims failed. The court found that the Wiretap Act claims failed because Facebook did not “intercept” the browser communications—Plaintiffs’ browsers communicated with both Facebook and the third-party websites simultaneously. The court found that Plaintiffs CIPA claims likewise “fail for the same reason.” In addition, the court found that the Plaintiffs’ SCA claims failed because “personal computers are not ‘facilities’ under the SCA.”
Finally, the court dismissed Plaintiffs’ common law invasion of privacy and intrusion upon seclusion claims because Plaintiffs “have not established that they have a reasonable expectation of privacy in the URLs of the pages they visit,” explaining that “Plaintiffs could have taken steps to keep their browsing histories private.”
Plaintiffs appealed the district court’s order to the Ninth Circuit Court of Appeals on December 15, 2017.
EPIC has a strong interest in protecting the privacy of Internet users. In particular, EPIC has challenged the growing use of advanced tracking techniques that allow companies such as Google and Facebook to track users as they go from website to website, gaining a trove of personal information on individuals that can be used to develop behavioral profiles for targeted advertising.
EPIC directly challenged the underlying conduct by Facebook at issue in this particular lawsuit. In 2009 and 2010, EPIC and a number of public interest organizations filed a series of complaints to the FTC detailing how Facebook was misrepresenting its privacy practices. EPIC’s 2010 complaint specifically highlighted how Facebook was using cookies to track users across the web, limiting users’ ability to browse the Internet anonymously. In 2011, the FTC entered into a 20-year consent order as the result of EPIC’s complaints. EPIC told the FTC in comments on the proposed settlement that the FTC should explicitly require Facebook to cease its secret, post-log out tracking of users across websites. EPIC also detailed Facebook’s use of persistent cookies to track logged-out users in a letter to the FTC.
EPIC has also filed amicus briefs challenging Facebook’s privacy-invasive practices in related cases. In Smith v. Facebook, EPIC challenged Facebook’s tracking of users’ visits to sensitive medical websites despite these websites’ representations that they would protect visitors’ privacy. And in Campbell v. Facebook, EPIC challenged a proposed class action settlement arising from Facebook’s conduct of scanning private messages.
EPIC has done extensive work in the areas of online tracking and behavioral profiling, including urging the FTC to limit the use of cross-device tracking, whereby companies track consumers across their smartphones, laptops, tablets, and other Internet-connected devices. EPIC also supports proposals such as do not track, that would address the problem of companies like Google and Facebook tracking users when they visit third-party websites.
U.S. Court of Appeals for the Ninth Circuit, No. 17-17486
- Brief for Plaintiffs-Appellants [Redacted Version] (June 18, 2018)
- EPIC Amicus Brief (June 26, 2018)