Campbell et al v. Facebook Inc.

Filing 43

ORDER by Judge Hamilton granting in part and denying in part 29 Motion to Dismiss (pjhlc2, COURT STAFF) (Filed on 12/23/2014)

Download PDF
1 2 3 UNITED STATES DISTRICT COURT 4 NORTHERN DISTRICT OF CALIFORNIA 5 6 7 MATTHEW CAMPBELL, et al., Plaintiffs, 8 9 No. C 13-5996 PJH v. ORDER GRANTING IN PART AND DENYING IN PART MOTION TO DISMISS FACEBOOK INC., 11 For the Northern District of California United States District Court 10 Defendant. _______________________________/ 12 13 Defendant’s motion to dismiss plaintiffs’ consolidated amended complaint came on 14 for hearing before this court on October 1, 2014. Plaintiffs Matthew Campbell, Michael 15 Hurley, and David Shadpour (“plaintiffs”) appeared through their counsel, Michael Sobol. 16 Defendant Facebook, Inc. (“defendant” or “Facebook”) appeared through its counsel, 17 Joshua Jessen. Having read the parties’ papers and carefully considered their arguments 18 and the relevant legal authority, and good cause appearing, the court hereby GRANTS in 19 part and DENIES in part defendant’s motion as follows. 20 21 BACKGROUND This is a privacy case involving the scanning of messages sent on Facebook’s social 22 media website. Facebook describes itself as the “world’s largest social networking 23 platform,” with approximately 1.2 billion users worldwide. Facebook users are able to share 24 content – such as photos, text, and video – with other users. Users can select the group of 25 people with whom they wish to share this content, and may choose to share certain 26 information publicly (i.e., with all Facebook users), or may choose to share certain 27 information only with their “friends” (i.e., Facebook users with whom they have mutually 28 agreed to share content). Facebook users may also choose to share certain information 1 privately, with just one other Facebook user, through the use of a “private message.” While 2 not identical to email, a private message is analogous to email, in that it involves an 3 electronic message sent from one user to one or more other users. Facebook users can 4 access a “messages” inbox through the Facebook website, which is akin to an email inbox. 5 This suit arises out of Facebook’s handling of these “private messages.” 6 Plaintiffs allege that Facebook scans the content of these private messages for use Facebook “like” counter displayed on their web pages, which enables visitors of the page to 9 see how many Facebook users have either clicked a button indicating that they “like” the 10 page, or have shared the page on Facebook. In essence, the “like” counter is a measure 11 For the Northern District of California in connection with its “social plugin” functionality. Specifically, certain websites have a 8 United States District Court 7 of the popularity of a web page. 12 Plaintiffs allege that Facebook scans the content of their private messages, and if 13 there is a link to a web page contained in that message, Facebook treats it as a “like” of the 14 page, and increases the page’s “like” counter by one. Plaintiffs further allege that 15 Facebook uses this data regarding “likes” to compile user profiles, which it then uses to 16 deliver targeted advertising to its users. Plaintiffs allege that the messaging function is 17 designed to allow users to communicate privately with other users, and that Facebook’s 18 practice of scanning the content of these messages violates the federal Electronic 19 Communications Privacy Act (“ECPA,” also referred to as the “Wiretap Act”), as well as 20 California’s Invasion of Privacy Act (“CIPA”), and section 17200 of California’s Business 21 and Professions Code. 22 Plaintiffs seek to represent a nationwide class of “all natural person Facebook users 23 located within the United States who have sent or received private messages that included 24 URLs in their content, from within two years before the filing of this action up through and 25 including the date when Facebook ceased its practice.” Consolidated Amended Complaint 26 (“CAC”), ¶ 59. 27 28 2 1 2 3 DISCUSSION A. Legal Standard A motion to dismiss under Rule 12(b)(6) tests for the legal sufficiency of the claims 4 alleged in the complaint. Ileto v. Glock, Inc., 349 F.3d 1191, 1199-1200 (9th Cir. 2003). 5 Review is limited to the contents of the complaint. Allarcom Pay Television, Ltd. v. Gen. 6 Instrument Corp., 69 F.3d 381, 385 (9th Cir. 1995). To survive a motion to dismiss for 7 failure to state a claim, a complaint generally must satisfy only the minimal notice pleading 8 requirements of Federal Rule of Civil Procedure 8. 9 Rule 8(a)(2) requires only that the complaint include a “short and plain statement of the claim showing that the pleader is entitled to relief.” Fed. R. Civ. P. 8(a)(2). Specific 11 For the Northern District of California United States District Court 10 facts are unnecessary – the statement need only give the defendant “fair notice of the claim 12 and the grounds upon which it rests. Erickson v. Pardus, 551 U.S. 89, 93 (citing Bell 13 Atlantic Corp. v. Twombly, 550 U.S. 544, 555 (2007)). All allegations of material fact are 14 taken as true. Id. at 94. However, a plaintiff's obligation to provide the grounds of his 15 entitlement to relief “requires more than labels and conclusions, and a formulaic recitation 16 of the elements of a cause of action will not do.” Twombly, 550 U.S. at 555 (citations and 17 quotations omitted). Rather, the allegations in the complaint “must be enough to raise a 18 right to relief above the speculative level. Id. 19 A motion to dismiss should be granted if the complaint does not proffer enough facts 20 to state a claim for relief that is plausible on its face. See id. at 558-59. “[W]here the well- 21 pleaded facts do not permit the court to infer more than the mere possibility of misconduct, 22 the complaint has alleged – but it has not show[n] – that the pleader is entitled to relief. 23 Ashcroft v. Iqbal, 556 U.S. 662, 679 (2009). 24 In addition, when resolving a motion to dismiss for failure to state a claim, the court 25 may not generally consider materials outside the pleadings. Lee v. City of Los Angeles, 26 250 F.3d 668, 688 (9th Cir. 2001). There are several exceptions to this rule. The court 27 may consider a matter that is properly the subject of judicial notice, such as matters of 28 public record. Id. at 689; see also Mack v. South Bay Beer Distributors, Inc., 798 F.2d 3 1 1279, 1282 (9th Cir. 1986) (on a motion to dismiss, a court may properly look beyond the 2 complaint to matters of public record and doing so does not convert a Rule 12(b)(6) motion 3 to one for summary judgment). Additionally, the court may consider exhibits attached to 4 the complaint, see Hal Roach Studios, Inc. v. Richard Feiner & Co., Inc., 896 F.2d 1542, 5 1555 n.19 (9th Cir. 1989), and documents referenced by the complaint and accepted by all 6 parties as authentic. See Van Buskirk v. Cable News Network, Inc., 284 F.3d 977, 980 (9th 7 Cir. 2002). 8 B. 9 1. Wiretap Act The Wiretap Act provides for civil penalties against any person who “intentionally 11 For the Northern District of California United States District Court 10 Legal Analysis intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to 12 intercept, any wire, oral, or electronic communication.” 18 U.S.C. § 2511(1)(a). As the 13 statutory text indicates, the focus of this provision is on the interception of the 14 communication itself. While another provision of the Wiretap Act prohibits the use of the 15 contents of a communication, that prohibition applies only if the interception itself is 16 unlawful under section 2511(1)(a). Specifically, section 2511(1)(d) applies to any person 17 who “intentionally uses, or endeavors to use, the contents of any wire, oral, or electronic 18 communication,” but only if that person knows or has reason to know “that the information 19 was obtained through the interception of a wire, oral, or electronic communication in 20 violation of this subsection.” See 18 U.S.C. § 2511(1)(d) (emphasis added). In other 21 words, if there is no unlawful interception, there can be no unlawful use. 22 Facebook argues that this distinction between “interception” and “use” favors 23 dismissal of plaintiffs’ Wiretap Act claim. According to Facebook, plaintiffs’ real objection is 24 not to Facebook’s interception of private messages, but rather, to Facebook’s use of the 25 information. Facebook argues that it must have access to the messages in order to 26 facilitate their delivery, so there cannot be any unlawful interception; and thus, there can be 27 no unlawful use. See Noel v. Hall, 568 F.3d 743, 751 (9th Cir. 2009) (“use” provision 28 “protects against the dissemination of private communications that have been unlawfully 4 1 2 intercepted.”) (emphasis in original). However, the Noel court also made clear that the term “interception” should not be 3 interpreted as narrowly as urged by Facebook. The Noel court quoted the Wiretap Act’s 4 definition of “intercept,” which is “the aural or other acquisition of the contents of any wire, 5 electronic, or oral communication through the use of any electronic, mechanical, or other 6 device,” and then held that an “acquisition” occurs “when the contents of a wire 7 communication are captured or redirected in any way.” Noel, 568 F.3d at 749 (emphasis 8 added). 9 At this stage of the case, the court is unable to determine whether Facebook unlawfully “redirected” the content of plaintiffs’ private messages. While Facebook must 11 For the Northern District of California United States District Court 10 certainly receive the contents of any message in order to transmit it to the recipient(s), 12 there is no evidentiary record from which the court can determine whether Facebook 13 “redirected” messages in order to scan their content for use in increasing “like” counters 14 and for targeted advertising. 15 In the CAC, plaintiffs allege that Facebook uses a software application called a “web 16 crawler” to scan any URLs that are contained in messages and to send server requests to 17 that web page. CAC, ¶ 25. If true, the use of this “web crawler” could constitute a 18 “redirection” of the contents of users’ messages, and therefore, a separate “interception” 19 under the Wiretap Act. Because the court takes the complaint’s allegations as true, it 20 would be premature to find that plaintiffs’ claims center only around Facebook’s use, not its 21 interception, of users’ private messages. 22 Facebook raises a second threshold challenge to plaintiffs’ Wiretap Act claim. It 23 argues that any actionable “interception” under the Wiretap Act must involve the 24 communication being acquired during transmission, rather than during storage. Facebook 25 points out that Congress created a separate statute, the Stored Communications Act, to 26 address access to stored electronic communications. Facebook argues that the “sequence 27 of actions that plaintiffs allege involves use of content already in storage.” Dkt. 29 at 27. 28 However, the CAC does indeed allege that “Facebook’s interception occurred in 5 1 transit, in transmission, and/or during transfer of users’ private messages.” CAC, ¶ 25. 2 While Facebook may ultimately produce evidence showing that the messages were 3 actually accessed while in storage, not during transmission, that issue is premature at this 4 stage of the case, and would be better addressed as part of a motion for summary 5 judgment with a more developed factual record. See also In re Yahoo Mail Litigation, 7 6 F.Supp.3d 1016, 1027-28 (N.D. Cal. 2014). 7 Having addressed the threshold issues regarding plaintiffs’ Wiretap Act claim, the 8 court now turns to Facebook’s primary arguments: that any alleged interception falls within 9 the “ordinary course of business” exception to the Wiretap Act, and that plaintiffs consented 11 For the Northern District of California United States District Court 10 to any alleged interception of their messages. a. “Ordinary course of business” exception 12 As mentioned above, the Wiretap Act defines “intercept” as “the aural or other 13 acquisition of the contents of any wire, electronic, or oral communication through the use of 14 any electronic, mechanical, or other device.” 18 U.S.C. § 2510(4). The statute then further 15 defines “electronic, mechanical, or other device” as “any device or apparatus which can be 16 used to intercept a wire, oral, or electronic communication other than” a device or 17 apparatus that is “being used by a provider of wire or electronic communication service in 18 the ordinary course of its business.” 18 U.S.C. § 2510(5). Essentially, the Wiretap Act 19 creates an exception for interceptions conducted by an electronic communications service 20 provider occurring in “the ordinary course of its business.” 21 The scope of this “ordinary course of business” exception has been the subject of 22 extensive litigation in this district. The parties focus on two cases in particular: In re 23 Google Inc. Gmail Litigation, 2013 WL 5423918 (N.D. Cal. Sept. 26, 2013) (referred to as 24 “Gmail”) and In re Google Inc. Privacy Policy Litigation, 2013 WL 6248499 (N.D. Cal. Dec. 25 3, 2013) (referred to as “Google”). 26 The Gmail case involved allegations that the defendant, Google Inc., was scanning 27 the content of users’ emails in order to facilitate its delivery of targeted advertising, and to 28 create “user profiles to serve their profit interests that were unrelated to providing email 6 1 services to particular users.” Plaintiffs asserted that the email scanning violated the 2 Wiretap Act, and Google moved to dismiss based on the “ordinary course of business” 3 exception. The court denied the motion to dismiss, finding that the “ordinary course of 4 business” exception must be given a “narrow reading” that requires “some nexus between 5 the need to engage in the alleged interception and the subscriber’s ultimate business, that 6 is, the ability to provide the underlying service or good.” Gmail at *11. In other words, the 7 court held that the interception must “facilitate[]” or be “incidental” to the provision of the 8 electronic communication service at issue. Id. Plaintiffs alleged that Google had 9 intercepted emails “for the purposes of creating user profiles and delivering targeted advertising, which are not instrumental to Google’s ability to transmit emails.” Id. Plaintiffs 11 For the Northern District of California United States District Court 10 also alleged that the interceptions of emails for targeting ads and creating user profiles 12 occurred separately from other processes that were related to the transmission of emails, 13 such as spam filtering, antivirus protection, and spell check. Thus, the complained-about 14 interceptions were “physically and purposively unrelated to Google’s provision of email 15 services.” Id. Additionally, the Gmail court further found that the defendant’s actions were 16 in violation of its own internal policies, and thus could not be considered within the ordinary 17 course of its business. 18 While the Google case involved the same defendant as the Gmail case, it involved a 19 different Google product, and thus, a different application of the “ordinary course of 20 business” exception. Rather than involving claims of scanning users’ emails, Google 21 involved allegations that Google would combine personal information collected from its 22 different services – Google search, Gmail, YouTube, Google Maps, Picasa, etc. – in order 23 to create a single user profile. The plaintiffs pointed out that Google previously allowed its 24 users to keep information gathered from one Google product separate from information 25 gathered from other Google products, but then changed its policy to commingle all of that 26 data. Plaintiffs alleged that this commingling violated the Wiretap Act, and Google moved 27 to dismiss, invoking the “ordinary course of business” exception. 28 The Google court rejected a “narrow read” of the exception that would be “limited to 7 1 only action taken to deliver the electronic communication.” Google at *10. Instead, the 2 court found that “Congress specifically chose the broader term ‘business’ that covers more 3 far-ranging activity.” Id. The pairing of the term “business” with the terms “ordinary course” 4 further “suggest[ed] an interest in protecting a provider’s customary and routine business 5 practices.” Id. The Google court found that targeted advertising was indeed within 6 Google’s ordinary course of business, and dismissed plaintiffs’ Wiretap Act claim. 7 The Ninth Circuit has not yet ruled on the scope of the “ordinary course of business” 8 exception. In the absence of any such authority, both the Gmail court and the Google court 9 looked to cases from other circuit courts, and gave careful consideration to the Second Circuit’s decision in Hall v. Earthlink Network, Inc., 396 F.3d 500 (2nd Cir. 2005), and the 11 For the Northern District of California United States District Court 10 Tenth Circuit’s decision in Kirch v. Embarq Management Co., 702 F.3d 1245 (10th Cir. 12 2012). 13 In Hall, an email user had a dispute with his email provider (Earthlink) that resulted 14 in the termination of his email account. However, even after the termination, Earthlink 15 continued to receive emails that were sent to the user’s address, and the user complained 16 that the receipt of his messages constituted an unlawful “interception” under the Wiretap 17 Act. The court found that receiving the emails was within Earthlink’s ordinary course of 18 business, and noted that, at the relevant time, Earthlink did not have the technological 19 capacity to “bounce back” emails that were sent to a terminated email address. 20 In Kirch, the plaintiffs’ internet service provider (Embarq) placed a device on its 21 servers that redirected its users’ Internet traffic to a third-party company (NebuAd) that 22 tracked which websites the users visited and used that information to target ads. The 23 district court granted summary judgment on two bases – but not on the ordinary course of 24 business exception. Instead, the district court first found that Embarq did not actually 25 intercept the data, and instead merely siphoned it off to NebuAd. Second, the district court 26 found that plaintiffs had consented to the interception by agreeing to Embarq’s privacy 27 policy. On appeal, the Tenth Circuit seemingly agreed with the first of the district court’s 28 reasons, but also applied the ordinary course of business exception, finding that Embarq 8 1 had no more access to the users’ data than it did in the ordinary course of its business. 2 And because there was no aiding-and-abetting liability under the Wiretap Act, Embarq 3 could not be held responsible for any alleged interception by NebuAd. 4 While Hall and Kirch present useful discussions of the “ordinary course of business” 5 exceptions, the court ultimately finds that the factual differences preclude any meaningful 6 application of those courts’ reasoning to this case. In Hall, there was no “interception” 7 analogous to the alleged interception in this case – instead, the complained-about conduct 8 was nothing more than the receipt of emails itself, which would be “ordinary” even under 9 the narrowest view of the word. And while Kirch involved analysis of users’ web activity to aid in targeting advertising (similar to the allegations in the present case), the court’s 11 For the Northern District of California United States District Court 10 dismissal of the Wiretap Act claim was based primarily on the fact that any unlawful 12 interception was performed by a third-party, rather than by the defendant. Notably, the 13 Kirch court did not explain whether its decision would have been the same if the defendant 14 itself had analyzed the web traffic to deliver targeted advertising, and the court never 15 expressly held that targeted-ad-analysis was within the ordinary course of Embarq’s 16 business as an internet service provider. Instead, the court held only that Embarq was not 17 involved in any such analysis, and thus, had the same level of access that it would have 18 even in the absence of NebuAd’s analysis. Because there are no such third-party issues in 19 this case, the court finds that Kirch is not applicable. 20 Instead, the court finds the analyses of the Gmail and Google courts to provide the 21 most value to the present case. To summarize the difference between the two rulings, 22 Gmail took a narrow view of the “ordinary course of business” exception and held that it 23 covers only interceptions that are “instrumental” (or “facilitate[]” or are “incidental”) to the 24 provision of electronic communication services, while Google took the broader view that the 25 interception need only be part of a defendant’s “customary and routine” business practices. 26 In so doing, both courts presented persuasive reasons to avoid an overly broad or narrow 27 approach. 28 For instance, the Google court rejected a “narrow read” of the exception that would 9 1 be “limited to only action taken to deliver the electronic communication.” Instead, as 2 mentioned above, the Google court found that “Congress specifically chose the broader 3 term ‘business’ that covers more far-ranging activity.” Google at *10. The Google court 4 rejected the plaintiffs’ argument that the exception should cover only “necessary” activities, 5 pointing out that such a rule would “beg[] the question of what exactly it means for a given 6 action to be ‘necessary’ to the delivery of Gmail.” Google at *11. 7 While the Google court emphasized the need to give meaning to the term 8 “business,” the Gmail court cautioned that an overly broad interpretation of the exception 9 would read the word “ordinary” out of the statute. Gmail at *8 (“The presence of the modifier ‘ordinary’ must mean that not everything Google does in the course of its business 11 For the Northern District of California United States District Court 10 would fall within the exception.”). The Gmail court ultimately found that the exception must 12 be given a “narrow reading” that requires “some nexus between the need to engage in the 13 alleged interception and the subscriber’s ultimate business, that is, the ability to provide the 14 underlying service or good.” Gmail at *11. 15 The court agrees that the word “ordinary” serves to narrow the exception, while the 16 term “business” serves to broaden it. The court also finds it significant that the statute 17 exempts activities conducted by a “provider of wire or electronic communication service in 18 the ordinary course of its business.” The use of the word “its” indicates that the court must 19 consider the details of Facebook’s business, and must not rely on a generic, one-size-fits- 20 all approach that would apply the exception uniformly across all electronic communication 21 service providers. However, Facebook has not offered a sufficient explanation of how the 22 challenged practice falls within the ordinary course of its business, which prevents the court 23 from determining whether the exception applies. 24 For instance, in both its motion and its reply, Facebook emphasizes that plaintiffs’ 25 original complaint accused Facebook of using users’ message content to target advertising, 26 but points out that plaintiffs “have now abandoned their inaccurate, advertising-related 27 allegations (except for some lingering amorphous allegations).” Dkt. 29 at 8. Facebook 28 repeatedly characterizes plaintiffs’ advertising-related allegations as “false claims,” or 10 1 “factually incorrect,” or lacking “any factual basis whatsoever.” Dkt. 29 at 14, 22; Dkt. 35 at 2 8. However, Facebook then turns around and argues that serving targeted advertisements 3 is indeed the type of “legitimate purpose” that warrants application of the “ordinary course 4 of business” exception, and that “systematic conduct of the type alleged by plaintiffs that 5 generates revenue for a company is the very essence of a company acting in the ordinary 6 course of business.” Dkt. 29 at 22. 7 The court finds it problematic that Facebook is attempting to have it both ways by 8 maintaining that plaintiffs’ advertising-related allegations lack any factual basis, and even to 9 emphasize that the allegations have been removed apart from a “few conclusory stragglers,” but then using those largely-removed allegations to invoke the “ordinary course 11 For the Northern District of California United States District Court 10 of business” exception. Regardless, if the court does take as true plaintiffs’ remaining 12 allegations regarding targeted advertising, it still finds an insufficient record on which to 13 base a finding that the challenged practice is within the ordinary course of Facebook’s 14 business. Facebook’s unwillingness to offer any details regarding its targeted advertising 15 practice prevents the court from being able to determine whether the specific practice 16 challenged in this case should be considered “ordinary.” 17 The court rejects the suggestion that any activity that generates revenue for a 18 company should be considered within the “ordinary course of its business.” At the hearing, 19 Facebook’s counsel suggested that, because the practice is in the service of making 20 money, it must necessarily fall within the ordinary course of business. However, as 21 discussed above, the statute’s inclusion of the word “ordinary” implies some limits on a 22 company’s ability to self-define the scope of the exception. An electronic communications 23 service provider cannot simply adopt any revenue-generating practice and deem it 24 “ordinary” by its own subjective standard. The court instead finds that any interception 25 falling within the exception must be related or connected to an electronic communication 26 provider’s service, even if it does not actually facilitate the service. While the court agrees 27 with the Google court’s holding that the exception must cover more than just “necessary” 28 activities, it also agrees with the Gmail court’s finding that there must be “some nexus 11 1 between the need to engage in the alleged interception and the subscriber’s ultimate 2 business, that is, the ability to provide the underlying service or good.” Based on the 3 current record, the court cannot find any facts alleged in the complaint or facts presented 4 by Facebook that indicate a nexus between Facebook’s alleged scanning of users’ private 5 messages for advertising purposes and its ability to provide its service. targeted advertising, its interception of users’ messages fell within the ordinary course of its 8 business. Facebook argues that the “receipt of its users’ electronic messages is in fact 9 necessary to facilitate the transmission of the communications at issue,” and thus, the 10 “ordinary course of business” exception would apply even if the court were to apply the 11 For the Northern District of California Facebook separately argues that, even putting aside the allegations regarding 7 United States District Court 6 Gmail court’s narrow view of the exception. 12 However, at this stage of the case, the court rejects Facebook’s attempt to treat its 13 receipt of a user’s message and the scanning of that message’s content for advertising 14 purposes as part of the same “interception.” The court has no evidentiary record regarding 15 the technical details of Facebook’s handling of messages, and thus, has no basis to 16 determine whether Facebook’s alleged use of a “web crawler” constitutes an “interception” 17 separate from the receipt of the message itself. 18 At the hearing, Facebook represented that it ceased the challenged practice in 19 October 2012, but confirmed that it still conducts some analysis of the content of users’ 20 messages – to protect against viruses, to filter spam messages, and to “protect the integrity 21 of the site.” The fact that Facebook can configure its code to scan message content for 22 certain purposes, but not for others, leaves open the possibility that the challenged practice 23 constitutes a separate “interception.” Simply put, the application of the “ordinary course of 24 business” exception to this case depends upon the details of Facebook’s software code, 25 and those details are simply not before the court on a motion to dismiss, and thus, the court 26 must deny Facebook’s motion on that basis. However, the court may re-address the 27 “ordinary course of business” exception at the summary judgment stage of the case, with a 28 more complete evidentiary record before the court. 12 1 The court also notes that the Gmail court found the “ordinary course of business” 2 exception inapplicable because the plaintiffs alleged that Google had violated its own 3 internal policies. However, that finding was not critical to the court’s rejection of the 4 “ordinary course of business” exception. The Gmail court had already found that Google’s 5 interceptions were “neither instrumental to the provision of email services, nor are they an 6 incidental effect of providing these services,” and thus, the plaintiffs had “plausibly alleged 7 that the interceptions fall outside Google’s ordinary course of business.” Gmail at *11. 8 Only after making that finding did the court address the independent argument that Google 9 had violated its own internal policies. Facebook attempts to persuade the court that, because plaintiffs have not alleged a 11 For the Northern District of California United States District Court 10 violation of internal policies in this case, the “ordinary course of business” exception must 12 apply. The court disagrees. While the court does find that plaintiffs have failed to identify a 13 violation of internal policies1 in this case, that analysis does not affect the above finding that 14 Facebook is not entitled to dismissal based on the ordinary course of business exception. 15 Finally, the court recognizes the need for the ECPA in general, and the “ordinary 16 course of business” exception in particular, to be read as flexible enough to adapt to 17 technologies that arose long after the statute’s passage in 1986. Much of what is “ordinary” 18 today was not at all “ordinary” in 1986, so the scope of the exception cannot be set in 19 stone. The defendant in Gmail raised concern of a “slippery slope” that would “make it 20 impossible for electronic communication service providers to provide basic features, such 21 as email searches or spam filtering.” Gmail at *11, n.4. Presumably, Facebook has similar 22 concerns about adding new and innovative features to its service. However, as the Gmail 23 court noted, “a service provider can seek consent to provide features beyond those linked 24 to the provision of the service.” Id. In other words, an electronic communication provider 25 26 27 28 1 Plaintiffs do not identify any policy which expressly disallows Facebook from scanning its users’ messages for their content for advertising purposes. While plaintiffs argue that neither the Data Use Policy nor the Statement of Rights and Responsibilities (both of which are discussed in more detail below) expressly disclose the challenged practice, that is a separate issue from whether any internal policy was affirmatively violated. 13 1 need not be concerned that every new feature of its service could trigger Wiretap Act 2 liability – as long as it obtains consent for those features. And, indeed, Facebook does 3 claim that it obtained consent for the interceptions alleged in this case. 4 5 b. Consent If either party to a communication consents to its interception, then there is no 6 violation of the Wiretap Act, “unless such communication is intercepted for the purpose of 7 committing any criminal or tortious act.” See 18 U.S.C. § 2511(2)(d). Consent can be 8 either express or implied, and Facebook argues that plaintiffs both expressly and impliedly 9 consented to any alleged interception. In support of its express consent argument, Facebook points to its “Statement of 11 For the Northern District of California United States District Court 10 Rights and Responsibilities” and its “Data Use Policy,” both of which must be agreed to by 12 users in order to use the Facebook website. As an initial matter, the court notes that 13 Facebook’s motion provides specific citations only to the Data Use Policy, and does not 14 identify any portion of the Statement of Rights and Responsibilities that purportedly 15 establishes consent. The court has reviewed the Statement of Rights and Responsibilities, 16 and finds that it does not establish that users consented to the scanning of their messages 17 for advertising purposes, and in fact, makes no mention of “messages” whatsoever. 18 Instead, it appears that the only relevance of the Statement of Rights and Responsibilities 19 to this case is Facebook’s statement that it “encourage[s]” the reader to “read the Data Use 20 Policy, and to use it to help you make informed decisions.” Dkt. 42, Ex. A at 1. 21 The parties have included three versions of the Data Use Policy (in effect at various 22 times during the class period) as part of their joint stipulation regarding judicially noticeable 23 documents.2 See Dkt. 41, Exs. D-F. The specific language of the policy changes slightly in 24 these three versions, but the general principles remain the same. Facebook informs the 25 user that “we receive data about you whenever you use or are running Facebook,” 26 including when you “send or receive a message.” Dkt. 41, Ex. D at 2; see also Ex. E at 1, 27 28 2 The court GRANTS the parties stipulation regarding judicially noticeable documents. 14 1 Ex. F at 2. As plaintiffs point out, this disclosure is made under a heading called “other 2 information we receive about you.” 3 In another section, titled “how we use the information we receive,” Facebook states: 4 We use the information we receive about you in connection with the services and features we provide to you and other users like your friends, our partners, the advertisers that purchase ads on the site, and the developers that build the games, applications, and websites you see. For example, in addition to helping people see and find things that you do and share, we may use the information we receive about you: 5 6 7 1. 8 4. 11 For the Northern District of California 2. 3. 10 United States District Court 9 5. 12 13 14 6. as part of our efforts to keep Facebook products, services, and integrations safe and secure; to protect Facebook’s or others’ rights or property; to provide you with location features and services, like telling you and your friends when something is going on nearby; to measure or understand the effectiveness of ads you and others see, including to deliver relevant ads to you; to make suggestions to you and other users on Facebook, such as: suggesting that your friend use our contact importer because you found friends using it, suggesting that another user add you as a friend because the user imported the same email address as you did, or suggesting that your friend tag you in a picture they have uploaded with you in it; and for internal operations, including troubleshooting, data analysis, testing, research, and service improvement. 15 Dkt. 42, Ex. D at 4; see also Ex. E at 2, Ex. F at 4. 16 17 When asked, at the hearing, which portion of this policy provided notice of 18 Facebook’s practice of scanning users’ messages, Facebook’s counsel pointed to the 19 disclosure that Facebook “may use the information we received about you” for “data 20 analysis.” However, this disclosure is not specific enough to establish that users expressly 21 consented to the scanning of the content of their messages – which are described as 22 “private messages” – for alleged use in targeted advertising3. 23 Facebook argues that users have already consented to the messages’ “interception” 24 for purposes of facilitating delivery, and thus, Facebook has blanket immunity for any use of 25 26 27 28 3 As discussed above, Facebook disputes plaintiffs’ allegations that users’ messages were scanned for the purpose of targeting advertising. However, just as Facebook argued that the allegations of the complaint must be taken as true for the purpose of analyzing its “ordinary course of business” argument, so too must the allegations be taken as true for the purpose of analyzing its “consent” defense. 15 1 that information other than for the purpose of committing a criminal or tortious act. 2 However, as discussed above, plaintiffs have alleged that Facebook uses a “web crawler” 3 to scan any URLs that are contained in messages, and to increase the corresponding web 4 page’s “like” counter accordingly, and the use of that “web crawler” may constitute a 5 separate “interception” under the Wiretap Act. Accordingly, the court rejects Facebook’s 6 argument that plaintiffs expressly consented to the alleged interceptions. 7 Facebook further argues that plaintiffs impliedly consented to the alleged 8 interceptions. Implied consent may be based on the overall circumstances of a particular 9 communication, and the “critical question with respect to implied consent is whether the parties whose communications were intercepted had adequate notice of the interception.” 11 For the Northern District of California United States District Court 10 Gmail, 2013 WL 5423918 at *12. 12 Facebook argues that, “[g]iven the features of the Messages product, plaintiffs had 13 full notice of, necessarily expected, and consented to Facebook’s processing of message 14 data.” Facebook also emphasizes the “URL preview” feature of Facebook messages, 15 which creates a thumbnail preview of the website whenever a user includes a valid web link 16 in a message. 17 However, as discussed above in the context of express consent, any consent with 18 respect to the processing and sending of messages itself does not necessarily constitute 19 consent to the specific practice alleged in this case – that is, the scanning of message 20 content for use in targeted advertising. And because the court is without any evidentiary 21 record at this stage of the case, it cannot determine whether the process by which 22 Facebook generates a thumbnail preview is the same process by which it analyzes the 23 URL link to increase the web page’s “like” counter. Thus, the court finds that plaintiffs have 24 not impliedly consented to the alleged interception. Accordingly, the court DENIES Facebook’s motion to dismiss plaintiffs’ Wiretap Act 25 26 claim. 27 2. California’s Invasion of Privacy Act 28 Section 631 of CIPA is the state-law corollary to the Wiretap Act, and creates civil 16 1 2 liability for: 7 Any person who, by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection . . . with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephonic communication system, or who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state; or who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained. . . 8 Facebook argues that plaintiffs’ claim under section 631 fails for two reasons. First, 3 4 5 6 9 Facebook argues that plaintiffs consented to any alleged interception. This argument is identical to the “consent” argument addressed above, and the court rejects it for the same 11 For the Northern District of California United States District Court 10 reasons. 12 Second, Facebook argues that plaintiffs’ messages could not have been intercepted 13 “in transit,” as required by the statute, because the “messages were entirely contained 14 within Facebook’s network during the purported ‘interception.’” However, plaintiffs’ 15 opposition points out that Facebook’s messaging function allows users to send messages 16 to non-Facebook email addresses, which shows that the messages cannot be “entirely 17 contained within Facebook’s network.” Facebook does not address this argument in its 18 reply. Moreover, the complaint’s allegation that users’ messages were intercepted in transit 19 is to be taken as true at this stage of the case. 20 21 22 Accordingly, the court DENIES Facebook’s motion to dismiss plaintiffs’ claim under section 631 of CIPA. Plaintiffs also assert a claim under section 632 of CIPA, which provides for liability 23 against “[e]very person who, intentionally and without the consent of all parties to a 24 confidential communication, by means of any electronic amplifying or recording device, 25 eavesdrops upon or records the confidential communication.” 26 Facebook again argues that plaintiffs consented to any alleged interception, which 27 the court rejects for the same reasons discussed above. However, Facebook also argues 28 that plaintiffs have not alleged any “confidential communication.” 17 1 The California Supreme Court has held that a conversation is “confidential” under 2 section 632 “if a party to that conversation has an objectively reasonable expectation that 3 the conversation is not being overheard or recorded.” See Kearney v. Salomon Smith 4 Barney, Inc., 39 Cal.4th 95, 117 n.7 (2006); see also Faulkner v. ADT Sec. Services, Inc., 5 706 F.3d 1017, 1019 (9th Cir. 2013). California appeals courts have generally found that 6 Internet-based communications are not “confidential” within the meaning of section 632, 7 because such communications can easily be shared by, for instance, the recipient(s) of the 8 communications. See, e.g., People v. Nakai, 183 Cal.App.4th 499, 518 (2010). Although 9 Nakai involved an Internet chat, rather than email, the Gmail court found that “email by its very nature is more similar to internet chats” than it is to phone conversations. Gmail, 2013 11 For the Northern District of California United States District Court 10 WL 5423918 at *23. The court finds the reasoning of the Gmail court persuasive, and 12 similarly finds that plaintiffs have not alleged facts leading to the plausible inference that 13 their communications were “confidential” under section 632. Accordingly, Facebook’s 14 motion to dismiss plaintiffs’ section 632 claim is GRANTED. Because no amendment could 15 establish that plaintiffs’ communications were indeed “confidential,” plaintiffs shall not be 16 granted leave to amend this claim. 17 3. Section 17200 18 California Business & Professions Code section 17200, also referred to as the 19 “Unfair Competition Law” (or “UCL”), prohibits any “unlawful, unfair, or fraudulent business 20 act or practice.” A plaintiff seeking to assert a UCL claim must meet the statute’s 21 requirements for standing, which are that he or she (1) has suffered an “injury in fact,” and 22 (2) “lost money or property.” See Kwikset Corp. v. Superior Court, 51 Cal.4th 310, 322 23 (2011). Facebook argues that plaintiffs fail to meet either requirement. 24 As to the “injury in fact” requirement, the court notes that the Ninth Circuit recently 25 rejected this argument, finding “a plaintiff demonstrates an injury sufficient to satisfy Article 26 III when bringing a claim under a statute that prohibits the defendant’s conduct and grants 27 ‘persons in the plaintiff’s position a right to judicial relief.’” See In re Zynga Privacy 28 Litigation, 750 F.3d 1098, 1105 n.5 (9th Cir. 2014) (citing Edwards v. First American Corp., 18 1 610 F.3d 514, 517 (9th Cir. 2010)). As discussed above, plaintiffs have established viable 2 claims under the Wiretap Act and under CIPA section 631, which is sufficient to satisfy the 3 “injury in fact” requirement. 4 However, plaintiffs have not alleged that they have lost any money or property as a 5 result of Facebook’s conduct. Plaintiffs argue that they have a property interest in their 6 personal information, including the content of their messages, but courts have consistently 7 rejected such a broad interpretation of “money or property.” See, e.g., Opperman v. Path, 8 2014 WL 1973378 at *23, n.22 (N.D. Cal. May 14, 2014); In re Facebook Privacy Litigation, 9 791 F.Supp.2d 705, 715 (N.D. Cal. 2011); Claridge v. RockYou, Inc., 785 F.Supp.2d 855, 11 For the Northern District of California United States District Court 10 12 862 (N.D. Cal. 2011). Accordingly, Facebook’s motion to dismiss plaintiffs’ UCL claim is GRANTED without leave to amend. 13 4. 14 Facebook moves to strike plaintiffs’ request for injunctive relief, arguing that it Injunctive relief 15 ceased the challenged practice “nearly two years ago.” However, plaintiffs have 16 adequately alleged that there is a “sufficient likelihood” that Facebook could resume the 17 practice, so the court DENIES Facebook’s request to strike the prayer for injunctive relief at 18 this time. 19 CONCLUSION 20 For the foregoing reasons, Facebook’s motion to dismiss is GRANTED in part and 21 DENIED in part. The motion to dismiss plaintiffs’ Wiretap Act claim and CIPA section 631 22 claim is DENIED, and the motion to dismiss plaintiffs’ CIPA section 632 claim and section 23 17200 claim is GRANTED. Facebook’s request to strike plaintiffs’ prayer for injunctive 24 relief is DENIED. 25 26 IT IS SO ORDERED. Dated: December 23, 2014 ______________________________ PHYLLIS J. HAMILTON United States District Judge 27 28 19

Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.

Why Is My Information Online?