Whether Facebook’s tracking of users’ visits to medical websites violates California and Federal privacy laws
This class action lawsuit concerns Facebook’s tracking of its users when they visit third-party websites. The plaintiffs in this case have alleged that when they visited certain healthcare-related websites, Facebook was able to personally identify them and track them through the “share” buttons and “like” buttons embedded on the page. Whenever a third-party website includes these buttons, Facebook is able to personally identify visitors to that website by three methods: (1) by obtaining that person’s IP address, (2) by installing cookies on that person’s browser, and (3) by using a process called “browser fingerprinting.” Facebook is then able to track visitors as they browse the third-party’s website, collecting personal data that the company can sell to advertisers or use target targeted advertisements.
In this case, the plaintiffs allege Facebook was able to track them as they visited healthcare websites and to collect highly sensitive healthcare-related information about them as they browsed the sites. Federal law imposes higher burdens on the collection of healthcare-related information than it does on other personal data, and the plaintiffs have alleged that both Facebook and the Healthcare Defendants failed to meet this burden.
The Plaintiffs also alleged that this tracking violated their right to privacy under the California Constitution and also violated the Wiretap Act and the California Invasion of Privacy Act.
Lower Court Ruling
The District Court for the Northern District of California granted the defendants’ motion to dismiss the plaintiffs’ claims, finding that the plaintiffs’ rights had not been violated because Facebook’s Terms of Service blocked them from bringing privacy claims under California and Federal law. Facebook’s Terms of Service state, “We collect information when you visit or use third-party websites and apps that use our Services (like when they offer our Like button or Facebook Log In or use our measurement and advertising services).” The court held that this term barred both the plaintiffs’ statutory claims arising under the federal Wiretap Act and the California’s Invasion of Privacy Act, as well as the plaintiff’s common law tort claims and their claim for invasion of privacy under the California Constitution.
The plaintiffs have appealed the lower court’s decision to the U.S. Court of Appeals for the Ninth Circuit.
EPIC has a strong interest in protecting consumer privacy rights online. EPIC closely monitors the use of advanced tracking techniques that enable companies like Facebook and Google to track users browsing habits, collecting a wealth of personal data about users that the businesses use to develop and sell profiles or deliver targeted advertisements. EPIC has done extensive work in the areas of online tracking and behavioral profiling, including urging the FTC to limit the use of cross-device tracking, whereby companies track consumers across their smartphones, laptops, tablets, and other internet-connected devices. EPIC also supports proposals to impose technological limits on the tracking of third-party web browsing history.
EPIC has filed amicus curiae briefs in support of consumers alleging that their rights have been violated by third party tracking techniques. In In Re Nickelodeon, a case arising under the Video Privacy Protection Act, the plaintiffs alleged that —children who visited the website Nick.com—sued were subject to tracking by Viacom, the company that managed the website, and Google, and that these companies collected their personal information in connection with online views of video content. EPIC argued in its brief that the definition of “Personally Identifiable Information” (or “PII”) in the VPPA is purposefully broad to protect against the very type of privacy abuses at issue in the case.
EPIC has also previously challenged Facebook’s privacy policies—in particular their requiring that users disclose certain personal information—in a complaint with the FTC. The FTC subsequently brought legal action against Facebook for unfair and deceptive business practices, and entered into a consent decree in 2011 following EPIC’s complaint.