Campbell et al v. Facebook Inc.
Filing
43
ORDER by Judge Hamilton granting in part and denying in part 29 Motion to Dismiss (pjhlc2, COURT STAFF) (Filed on 12/23/2014)
1
2
3
UNITED STATES DISTRICT COURT
4
NORTHERN DISTRICT OF CALIFORNIA
5
6
7
MATTHEW CAMPBELL, et al.,
Plaintiffs,
8
9
No. C 13-5996 PJH
v.
ORDER GRANTING IN PART AND
DENYING IN PART MOTION TO
DISMISS
FACEBOOK INC.,
11
For the Northern District of California
United States District Court
10
Defendant.
_______________________________/
12
13
Defendant’s motion to dismiss plaintiffs’ consolidated amended complaint came on
14
for hearing before this court on October 1, 2014. Plaintiffs Matthew Campbell, Michael
15
Hurley, and David Shadpour (“plaintiffs”) appeared through their counsel, Michael Sobol.
16
Defendant Facebook, Inc. (“defendant” or “Facebook”) appeared through its counsel,
17
Joshua Jessen. Having read the parties’ papers and carefully considered their arguments
18
and the relevant legal authority, and good cause appearing, the court hereby GRANTS in
19
part and DENIES in part defendant’s motion as follows.
20
21
BACKGROUND
This is a privacy case involving the scanning of messages sent on Facebook’s social
22
media website. Facebook describes itself as the “world’s largest social networking
23
platform,” with approximately 1.2 billion users worldwide. Facebook users are able to share
24
content – such as photos, text, and video – with other users. Users can select the group of
25
people with whom they wish to share this content, and may choose to share certain
26
information publicly (i.e., with all Facebook users), or may choose to share certain
27
information only with their “friends” (i.e., Facebook users with whom they have mutually
28
agreed to share content). Facebook users may also choose to share certain information
1
privately, with just one other Facebook user, through the use of a “private message.” While
2
not identical to email, a private message is analogous to email, in that it involves an
3
electronic message sent from one user to one or more other users. Facebook users can
4
access a “messages” inbox through the Facebook website, which is akin to an email inbox.
5
This suit arises out of Facebook’s handling of these “private messages.”
6
Plaintiffs allege that Facebook scans the content of these private messages for use
Facebook “like” counter displayed on their web pages, which enables visitors of the page to
9
see how many Facebook users have either clicked a button indicating that they “like” the
10
page, or have shared the page on Facebook. In essence, the “like” counter is a measure
11
For the Northern District of California
in connection with its “social plugin” functionality. Specifically, certain websites have a
8
United States District Court
7
of the popularity of a web page.
12
Plaintiffs allege that Facebook scans the content of their private messages, and if
13
there is a link to a web page contained in that message, Facebook treats it as a “like” of the
14
page, and increases the page’s “like” counter by one. Plaintiffs further allege that
15
Facebook uses this data regarding “likes” to compile user profiles, which it then uses to
16
deliver targeted advertising to its users. Plaintiffs allege that the messaging function is
17
designed to allow users to communicate privately with other users, and that Facebook’s
18
practice of scanning the content of these messages violates the federal Electronic
19
Communications Privacy Act (“ECPA,” also referred to as the “Wiretap Act”), as well as
20
California’s Invasion of Privacy Act (“CIPA”), and section 17200 of California’s Business
21
and Professions Code.
22
Plaintiffs seek to represent a nationwide class of “all natural person Facebook users
23
located within the United States who have sent or received private messages that included
24
URLs in their content, from within two years before the filing of this action up through and
25
including the date when Facebook ceased its practice.” Consolidated Amended Complaint
26
(“CAC”), ¶ 59.
27
28
2
1
2
3
DISCUSSION
A.
Legal Standard
A motion to dismiss under Rule 12(b)(6) tests for the legal sufficiency of the claims
4
alleged in the complaint. Ileto v. Glock, Inc., 349 F.3d 1191, 1199-1200 (9th Cir. 2003).
5
Review is limited to the contents of the complaint. Allarcom Pay Television, Ltd. v. Gen.
6
Instrument Corp., 69 F.3d 381, 385 (9th Cir. 1995). To survive a motion to dismiss for
7
failure to state a claim, a complaint generally must satisfy only the minimal notice pleading
8
requirements of Federal Rule of Civil Procedure 8.
9
Rule 8(a)(2) requires only that the complaint include a “short and plain statement of
the claim showing that the pleader is entitled to relief.” Fed. R. Civ. P. 8(a)(2). Specific
11
For the Northern District of California
United States District Court
10
facts are unnecessary – the statement need only give the defendant “fair notice of the claim
12
and the grounds upon which it rests. Erickson v. Pardus, 551 U.S. 89, 93 (citing Bell
13
Atlantic Corp. v. Twombly, 550 U.S. 544, 555 (2007)). All allegations of material fact are
14
taken as true. Id. at 94. However, a plaintiff's obligation to provide the grounds of his
15
entitlement to relief “requires more than labels and conclusions, and a formulaic recitation
16
of the elements of a cause of action will not do.” Twombly, 550 U.S. at 555 (citations and
17
quotations omitted). Rather, the allegations in the complaint “must be enough to raise a
18
right to relief above the speculative level. Id.
19
A motion to dismiss should be granted if the complaint does not proffer enough facts
20
to state a claim for relief that is plausible on its face. See id. at 558-59. “[W]here the well-
21
pleaded facts do not permit the court to infer more than the mere possibility of misconduct,
22
the complaint has alleged – but it has not show[n] – that the pleader is entitled to relief.
23
Ashcroft v. Iqbal, 556 U.S. 662, 679 (2009).
24
In addition, when resolving a motion to dismiss for failure to state a claim, the court
25
may not generally consider materials outside the pleadings. Lee v. City of Los Angeles,
26
250 F.3d 668, 688 (9th Cir. 2001). There are several exceptions to this rule. The court
27
may consider a matter that is properly the subject of judicial notice, such as matters of
28
public record. Id. at 689; see also Mack v. South Bay Beer Distributors, Inc., 798 F.2d
3
1
1279, 1282 (9th Cir. 1986) (on a motion to dismiss, a court may properly look beyond the
2
complaint to matters of public record and doing so does not convert a Rule 12(b)(6) motion
3
to one for summary judgment). Additionally, the court may consider exhibits attached to
4
the complaint, see Hal Roach Studios, Inc. v. Richard Feiner & Co., Inc., 896 F.2d 1542,
5
1555 n.19 (9th Cir. 1989), and documents referenced by the complaint and accepted by all
6
parties as authentic. See Van Buskirk v. Cable News Network, Inc., 284 F.3d 977, 980 (9th
7
Cir. 2002).
8
B.
9
1.
Wiretap Act
The Wiretap Act provides for civil penalties against any person who “intentionally
11
For the Northern District of California
United States District Court
10
Legal Analysis
intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to
12
intercept, any wire, oral, or electronic communication.” 18 U.S.C. § 2511(1)(a). As the
13
statutory text indicates, the focus of this provision is on the interception of the
14
communication itself. While another provision of the Wiretap Act prohibits the use of the
15
contents of a communication, that prohibition applies only if the interception itself is
16
unlawful under section 2511(1)(a). Specifically, section 2511(1)(d) applies to any person
17
who “intentionally uses, or endeavors to use, the contents of any wire, oral, or electronic
18
communication,” but only if that person knows or has reason to know “that the information
19
was obtained through the interception of a wire, oral, or electronic communication in
20
violation of this subsection.” See 18 U.S.C. § 2511(1)(d) (emphasis added). In other
21
words, if there is no unlawful interception, there can be no unlawful use.
22
Facebook argues that this distinction between “interception” and “use” favors
23
dismissal of plaintiffs’ Wiretap Act claim. According to Facebook, plaintiffs’ real objection is
24
not to Facebook’s interception of private messages, but rather, to Facebook’s use of the
25
information. Facebook argues that it must have access to the messages in order to
26
facilitate their delivery, so there cannot be any unlawful interception; and thus, there can be
27
no unlawful use. See Noel v. Hall, 568 F.3d 743, 751 (9th Cir. 2009) (“use” provision
28
“protects against the dissemination of private communications that have been unlawfully
4
1
2
intercepted.”) (emphasis in original).
However, the Noel court also made clear that the term “interception” should not be
3
interpreted as narrowly as urged by Facebook. The Noel court quoted the Wiretap Act’s
4
definition of “intercept,” which is “the aural or other acquisition of the contents of any wire,
5
electronic, or oral communication through the use of any electronic, mechanical, or other
6
device,” and then held that an “acquisition” occurs “when the contents of a wire
7
communication are captured or redirected in any way.” Noel, 568 F.3d at 749 (emphasis
8
added).
9
At this stage of the case, the court is unable to determine whether Facebook
unlawfully “redirected” the content of plaintiffs’ private messages. While Facebook must
11
For the Northern District of California
United States District Court
10
certainly receive the contents of any message in order to transmit it to the recipient(s),
12
there is no evidentiary record from which the court can determine whether Facebook
13
“redirected” messages in order to scan their content for use in increasing “like” counters
14
and for targeted advertising.
15
In the CAC, plaintiffs allege that Facebook uses a software application called a “web
16
crawler” to scan any URLs that are contained in messages and to send server requests to
17
that web page. CAC, ¶ 25. If true, the use of this “web crawler” could constitute a
18
“redirection” of the contents of users’ messages, and therefore, a separate “interception”
19
under the Wiretap Act. Because the court takes the complaint’s allegations as true, it
20
would be premature to find that plaintiffs’ claims center only around Facebook’s use, not its
21
interception, of users’ private messages.
22
Facebook raises a second threshold challenge to plaintiffs’ Wiretap Act claim. It
23
argues that any actionable “interception” under the Wiretap Act must involve the
24
communication being acquired during transmission, rather than during storage. Facebook
25
points out that Congress created a separate statute, the Stored Communications Act, to
26
address access to stored electronic communications. Facebook argues that the “sequence
27
of actions that plaintiffs allege involves use of content already in storage.” Dkt. 29 at 27.
28
However, the CAC does indeed allege that “Facebook’s interception occurred in
5
1
transit, in transmission, and/or during transfer of users’ private messages.” CAC, ¶ 25.
2
While Facebook may ultimately produce evidence showing that the messages were
3
actually accessed while in storage, not during transmission, that issue is premature at this
4
stage of the case, and would be better addressed as part of a motion for summary
5
judgment with a more developed factual record. See also In re Yahoo Mail Litigation, 7
6
F.Supp.3d 1016, 1027-28 (N.D. Cal. 2014).
7
Having addressed the threshold issues regarding plaintiffs’ Wiretap Act claim, the
8
court now turns to Facebook’s primary arguments: that any alleged interception falls within
9
the “ordinary course of business” exception to the Wiretap Act, and that plaintiffs consented
11
For the Northern District of California
United States District Court
10
to any alleged interception of their messages.
a.
“Ordinary course of business” exception
12
As mentioned above, the Wiretap Act defines “intercept” as “the aural or other
13
acquisition of the contents of any wire, electronic, or oral communication through the use of
14
any electronic, mechanical, or other device.” 18 U.S.C. § 2510(4). The statute then further
15
defines “electronic, mechanical, or other device” as “any device or apparatus which can be
16
used to intercept a wire, oral, or electronic communication other than” a device or
17
apparatus that is “being used by a provider of wire or electronic communication service in
18
the ordinary course of its business.” 18 U.S.C. § 2510(5). Essentially, the Wiretap Act
19
creates an exception for interceptions conducted by an electronic communications service
20
provider occurring in “the ordinary course of its business.”
21
The scope of this “ordinary course of business” exception has been the subject of
22
extensive litigation in this district. The parties focus on two cases in particular: In re
23
Google Inc. Gmail Litigation, 2013 WL 5423918 (N.D. Cal. Sept. 26, 2013) (referred to as
24
“Gmail”) and In re Google Inc. Privacy Policy Litigation, 2013 WL 6248499 (N.D. Cal. Dec.
25
3, 2013) (referred to as “Google”).
26
The Gmail case involved allegations that the defendant, Google Inc., was scanning
27
the content of users’ emails in order to facilitate its delivery of targeted advertising, and to
28
create “user profiles to serve their profit interests that were unrelated to providing email
6
1
services to particular users.” Plaintiffs asserted that the email scanning violated the
2
Wiretap Act, and Google moved to dismiss based on the “ordinary course of business”
3
exception. The court denied the motion to dismiss, finding that the “ordinary course of
4
business” exception must be given a “narrow reading” that requires “some nexus between
5
the need to engage in the alleged interception and the subscriber’s ultimate business, that
6
is, the ability to provide the underlying service or good.” Gmail at *11. In other words, the
7
court held that the interception must “facilitate[]” or be “incidental” to the provision of the
8
electronic communication service at issue. Id. Plaintiffs alleged that Google had
9
intercepted emails “for the purposes of creating user profiles and delivering targeted
advertising, which are not instrumental to Google’s ability to transmit emails.” Id. Plaintiffs
11
For the Northern District of California
United States District Court
10
also alleged that the interceptions of emails for targeting ads and creating user profiles
12
occurred separately from other processes that were related to the transmission of emails,
13
such as spam filtering, antivirus protection, and spell check. Thus, the complained-about
14
interceptions were “physically and purposively unrelated to Google’s provision of email
15
services.” Id. Additionally, the Gmail court further found that the defendant’s actions were
16
in violation of its own internal policies, and thus could not be considered within the ordinary
17
course of its business.
18
While the Google case involved the same defendant as the Gmail case, it involved a
19
different Google product, and thus, a different application of the “ordinary course of
20
business” exception. Rather than involving claims of scanning users’ emails, Google
21
involved allegations that Google would combine personal information collected from its
22
different services – Google search, Gmail, YouTube, Google Maps, Picasa, etc. – in order
23
to create a single user profile. The plaintiffs pointed out that Google previously allowed its
24
users to keep information gathered from one Google product separate from information
25
gathered from other Google products, but then changed its policy to commingle all of that
26
data. Plaintiffs alleged that this commingling violated the Wiretap Act, and Google moved
27
to dismiss, invoking the “ordinary course of business” exception.
28
The Google court rejected a “narrow read” of the exception that would be “limited to
7
1
only action taken to deliver the electronic communication.” Google at *10. Instead, the
2
court found that “Congress specifically chose the broader term ‘business’ that covers more
3
far-ranging activity.” Id. The pairing of the term “business” with the terms “ordinary course”
4
further “suggest[ed] an interest in protecting a provider’s customary and routine business
5
practices.” Id. The Google court found that targeted advertising was indeed within
6
Google’s ordinary course of business, and dismissed plaintiffs’ Wiretap Act claim.
7
The Ninth Circuit has not yet ruled on the scope of the “ordinary course of business”
8
exception. In the absence of any such authority, both the Gmail court and the Google court
9
looked to cases from other circuit courts, and gave careful consideration to the Second
Circuit’s decision in Hall v. Earthlink Network, Inc., 396 F.3d 500 (2nd Cir. 2005), and the
11
For the Northern District of California
United States District Court
10
Tenth Circuit’s decision in Kirch v. Embarq Management Co., 702 F.3d 1245 (10th Cir.
12
2012).
13
In Hall, an email user had a dispute with his email provider (Earthlink) that resulted
14
in the termination of his email account. However, even after the termination, Earthlink
15
continued to receive emails that were sent to the user’s address, and the user complained
16
that the receipt of his messages constituted an unlawful “interception” under the Wiretap
17
Act. The court found that receiving the emails was within Earthlink’s ordinary course of
18
business, and noted that, at the relevant time, Earthlink did not have the technological
19
capacity to “bounce back” emails that were sent to a terminated email address.
20
In Kirch, the plaintiffs’ internet service provider (Embarq) placed a device on its
21
servers that redirected its users’ Internet traffic to a third-party company (NebuAd) that
22
tracked which websites the users visited and used that information to target ads. The
23
district court granted summary judgment on two bases – but not on the ordinary course of
24
business exception. Instead, the district court first found that Embarq did not actually
25
intercept the data, and instead merely siphoned it off to NebuAd. Second, the district court
26
found that plaintiffs had consented to the interception by agreeing to Embarq’s privacy
27
policy. On appeal, the Tenth Circuit seemingly agreed with the first of the district court’s
28
reasons, but also applied the ordinary course of business exception, finding that Embarq
8
1
had no more access to the users’ data than it did in the ordinary course of its business.
2
And because there was no aiding-and-abetting liability under the Wiretap Act, Embarq
3
could not be held responsible for any alleged interception by NebuAd.
4
While Hall and Kirch present useful discussions of the “ordinary course of business”
5
exceptions, the court ultimately finds that the factual differences preclude any meaningful
6
application of those courts’ reasoning to this case. In Hall, there was no “interception”
7
analogous to the alleged interception in this case – instead, the complained-about conduct
8
was nothing more than the receipt of emails itself, which would be “ordinary” even under
9
the narrowest view of the word. And while Kirch involved analysis of users’ web activity to
aid in targeting advertising (similar to the allegations in the present case), the court’s
11
For the Northern District of California
United States District Court
10
dismissal of the Wiretap Act claim was based primarily on the fact that any unlawful
12
interception was performed by a third-party, rather than by the defendant. Notably, the
13
Kirch court did not explain whether its decision would have been the same if the defendant
14
itself had analyzed the web traffic to deliver targeted advertising, and the court never
15
expressly held that targeted-ad-analysis was within the ordinary course of Embarq’s
16
business as an internet service provider. Instead, the court held only that Embarq was not
17
involved in any such analysis, and thus, had the same level of access that it would have
18
even in the absence of NebuAd’s analysis. Because there are no such third-party issues in
19
this case, the court finds that Kirch is not applicable.
20
Instead, the court finds the analyses of the Gmail and Google courts to provide the
21
most value to the present case. To summarize the difference between the two rulings,
22
Gmail took a narrow view of the “ordinary course of business” exception and held that it
23
covers only interceptions that are “instrumental” (or “facilitate[]” or are “incidental”) to the
24
provision of electronic communication services, while Google took the broader view that the
25
interception need only be part of a defendant’s “customary and routine” business practices.
26
In so doing, both courts presented persuasive reasons to avoid an overly broad or narrow
27
approach.
28
For instance, the Google court rejected a “narrow read” of the exception that would
9
1
be “limited to only action taken to deliver the electronic communication.” Instead, as
2
mentioned above, the Google court found that “Congress specifically chose the broader
3
term ‘business’ that covers more far-ranging activity.” Google at *10. The Google court
4
rejected the plaintiffs’ argument that the exception should cover only “necessary” activities,
5
pointing out that such a rule would “beg[] the question of what exactly it means for a given
6
action to be ‘necessary’ to the delivery of Gmail.” Google at *11.
7
While the Google court emphasized the need to give meaning to the term
8
“business,” the Gmail court cautioned that an overly broad interpretation of the exception
9
would read the word “ordinary” out of the statute. Gmail at *8 (“The presence of the
modifier ‘ordinary’ must mean that not everything Google does in the course of its business
11
For the Northern District of California
United States District Court
10
would fall within the exception.”). The Gmail court ultimately found that the exception must
12
be given a “narrow reading” that requires “some nexus between the need to engage in the
13
alleged interception and the subscriber’s ultimate business, that is, the ability to provide the
14
underlying service or good.” Gmail at *11.
15
The court agrees that the word “ordinary” serves to narrow the exception, while the
16
term “business” serves to broaden it. The court also finds it significant that the statute
17
exempts activities conducted by a “provider of wire or electronic communication service in
18
the ordinary course of its business.” The use of the word “its” indicates that the court must
19
consider the details of Facebook’s business, and must not rely on a generic, one-size-fits-
20
all approach that would apply the exception uniformly across all electronic communication
21
service providers. However, Facebook has not offered a sufficient explanation of how the
22
challenged practice falls within the ordinary course of its business, which prevents the court
23
from determining whether the exception applies.
24
For instance, in both its motion and its reply, Facebook emphasizes that plaintiffs’
25
original complaint accused Facebook of using users’ message content to target advertising,
26
but points out that plaintiffs “have now abandoned their inaccurate, advertising-related
27
allegations (except for some lingering amorphous allegations).” Dkt. 29 at 8. Facebook
28
repeatedly characterizes plaintiffs’ advertising-related allegations as “false claims,” or
10
1
“factually incorrect,” or lacking “any factual basis whatsoever.” Dkt. 29 at 14, 22; Dkt. 35 at
2
8. However, Facebook then turns around and argues that serving targeted advertisements
3
is indeed the type of “legitimate purpose” that warrants application of the “ordinary course
4
of business” exception, and that “systematic conduct of the type alleged by plaintiffs that
5
generates revenue for a company is the very essence of a company acting in the ordinary
6
course of business.” Dkt. 29 at 22.
7
The court finds it problematic that Facebook is attempting to have it both ways by
8
maintaining that plaintiffs’ advertising-related allegations lack any factual basis, and even to
9
emphasize that the allegations have been removed apart from a “few conclusory
stragglers,” but then using those largely-removed allegations to invoke the “ordinary course
11
For the Northern District of California
United States District Court
10
of business” exception. Regardless, if the court does take as true plaintiffs’ remaining
12
allegations regarding targeted advertising, it still finds an insufficient record on which to
13
base a finding that the challenged practice is within the ordinary course of Facebook’s
14
business. Facebook’s unwillingness to offer any details regarding its targeted advertising
15
practice prevents the court from being able to determine whether the specific practice
16
challenged in this case should be considered “ordinary.”
17
The court rejects the suggestion that any activity that generates revenue for a
18
company should be considered within the “ordinary course of its business.” At the hearing,
19
Facebook’s counsel suggested that, because the practice is in the service of making
20
money, it must necessarily fall within the ordinary course of business. However, as
21
discussed above, the statute’s inclusion of the word “ordinary” implies some limits on a
22
company’s ability to self-define the scope of the exception. An electronic communications
23
service provider cannot simply adopt any revenue-generating practice and deem it
24
“ordinary” by its own subjective standard. The court instead finds that any interception
25
falling within the exception must be related or connected to an electronic communication
26
provider’s service, even if it does not actually facilitate the service. While the court agrees
27
with the Google court’s holding that the exception must cover more than just “necessary”
28
activities, it also agrees with the Gmail court’s finding that there must be “some nexus
11
1
between the need to engage in the alleged interception and the subscriber’s ultimate
2
business, that is, the ability to provide the underlying service or good.” Based on the
3
current record, the court cannot find any facts alleged in the complaint or facts presented
4
by Facebook that indicate a nexus between Facebook’s alleged scanning of users’ private
5
messages for advertising purposes and its ability to provide its service.
targeted advertising, its interception of users’ messages fell within the ordinary course of its
8
business. Facebook argues that the “receipt of its users’ electronic messages is in fact
9
necessary to facilitate the transmission of the communications at issue,” and thus, the
10
“ordinary course of business” exception would apply even if the court were to apply the
11
For the Northern District of California
Facebook separately argues that, even putting aside the allegations regarding
7
United States District Court
6
Gmail court’s narrow view of the exception.
12
However, at this stage of the case, the court rejects Facebook’s attempt to treat its
13
receipt of a user’s message and the scanning of that message’s content for advertising
14
purposes as part of the same “interception.” The court has no evidentiary record regarding
15
the technical details of Facebook’s handling of messages, and thus, has no basis to
16
determine whether Facebook’s alleged use of a “web crawler” constitutes an “interception”
17
separate from the receipt of the message itself.
18
At the hearing, Facebook represented that it ceased the challenged practice in
19
October 2012, but confirmed that it still conducts some analysis of the content of users’
20
messages – to protect against viruses, to filter spam messages, and to “protect the integrity
21
of the site.” The fact that Facebook can configure its code to scan message content for
22
certain purposes, but not for others, leaves open the possibility that the challenged practice
23
constitutes a separate “interception.” Simply put, the application of the “ordinary course of
24
business” exception to this case depends upon the details of Facebook’s software code,
25
and those details are simply not before the court on a motion to dismiss, and thus, the court
26
must deny Facebook’s motion on that basis. However, the court may re-address the
27
“ordinary course of business” exception at the summary judgment stage of the case, with a
28
more complete evidentiary record before the court.
12
1
The court also notes that the Gmail court found the “ordinary course of business”
2
exception inapplicable because the plaintiffs alleged that Google had violated its own
3
internal policies. However, that finding was not critical to the court’s rejection of the
4
“ordinary course of business” exception. The Gmail court had already found that Google’s
5
interceptions were “neither instrumental to the provision of email services, nor are they an
6
incidental effect of providing these services,” and thus, the plaintiffs had “plausibly alleged
7
that the interceptions fall outside Google’s ordinary course of business.” Gmail at *11.
8
Only after making that finding did the court address the independent argument that Google
9
had violated its own internal policies.
Facebook attempts to persuade the court that, because plaintiffs have not alleged a
11
For the Northern District of California
United States District Court
10
violation of internal policies in this case, the “ordinary course of business” exception must
12
apply. The court disagrees. While the court does find that plaintiffs have failed to identify a
13
violation of internal policies1 in this case, that analysis does not affect the above finding that
14
Facebook is not entitled to dismissal based on the ordinary course of business exception.
15
Finally, the court recognizes the need for the ECPA in general, and the “ordinary
16
course of business” exception in particular, to be read as flexible enough to adapt to
17
technologies that arose long after the statute’s passage in 1986. Much of what is “ordinary”
18
today was not at all “ordinary” in 1986, so the scope of the exception cannot be set in
19
stone. The defendant in Gmail raised concern of a “slippery slope” that would “make it
20
impossible for electronic communication service providers to provide basic features, such
21
as email searches or spam filtering.” Gmail at *11, n.4. Presumably, Facebook has similar
22
concerns about adding new and innovative features to its service. However, as the Gmail
23
court noted, “a service provider can seek consent to provide features beyond those linked
24
to the provision of the service.” Id. In other words, an electronic communication provider
25
26
27
28
1
Plaintiffs do not identify any policy which expressly disallows Facebook from scanning
its users’ messages for their content for advertising purposes. While plaintiffs argue that
neither the Data Use Policy nor the Statement of Rights and Responsibilities (both of which
are discussed in more detail below) expressly disclose the challenged practice, that is a
separate issue from whether any internal policy was affirmatively violated.
13
1
need not be concerned that every new feature of its service could trigger Wiretap Act
2
liability – as long as it obtains consent for those features. And, indeed, Facebook does
3
claim that it obtained consent for the interceptions alleged in this case.
4
5
b.
Consent
If either party to a communication consents to its interception, then there is no
6
violation of the Wiretap Act, “unless such communication is intercepted for the purpose of
7
committing any criminal or tortious act.” See 18 U.S.C. § 2511(2)(d). Consent can be
8
either express or implied, and Facebook argues that plaintiffs both expressly and impliedly
9
consented to any alleged interception.
In support of its express consent argument, Facebook points to its “Statement of
11
For the Northern District of California
United States District Court
10
Rights and Responsibilities” and its “Data Use Policy,” both of which must be agreed to by
12
users in order to use the Facebook website. As an initial matter, the court notes that
13
Facebook’s motion provides specific citations only to the Data Use Policy, and does not
14
identify any portion of the Statement of Rights and Responsibilities that purportedly
15
establishes consent. The court has reviewed the Statement of Rights and Responsibilities,
16
and finds that it does not establish that users consented to the scanning of their messages
17
for advertising purposes, and in fact, makes no mention of “messages” whatsoever.
18
Instead, it appears that the only relevance of the Statement of Rights and Responsibilities
19
to this case is Facebook’s statement that it “encourage[s]” the reader to “read the Data Use
20
Policy, and to use it to help you make informed decisions.” Dkt. 42, Ex. A at 1.
21
The parties have included three versions of the Data Use Policy (in effect at various
22
times during the class period) as part of their joint stipulation regarding judicially noticeable
23
documents.2 See Dkt. 41, Exs. D-F. The specific language of the policy changes slightly in
24
these three versions, but the general principles remain the same. Facebook informs the
25
user that “we receive data about you whenever you use or are running Facebook,”
26
including when you “send or receive a message.” Dkt. 41, Ex. D at 2; see also Ex. E at 1,
27
28
2
The court GRANTS the parties stipulation regarding judicially noticeable documents.
14
1
Ex. F at 2. As plaintiffs point out, this disclosure is made under a heading called “other
2
information we receive about you.”
3
In another section, titled “how we use the information we receive,” Facebook states:
4
We use the information we receive about you in connection with the services
and features we provide to you and other users like your friends, our partners,
the advertisers that purchase ads on the site, and the developers that build
the games, applications, and websites you see. For example, in addition to
helping people see and find things that you do and share, we may use the
information we receive about you:
5
6
7
1.
8
4.
11
For the Northern District of California
2.
3.
10
United States District Court
9
5.
12
13
14
6.
as part of our efforts to keep Facebook products, services, and
integrations safe and secure;
to protect Facebook’s or others’ rights or property;
to provide you with location features and services, like telling you and
your friends when something is going on nearby;
to measure or understand the effectiveness of ads you and others see,
including to deliver relevant ads to you;
to make suggestions to you and other users on Facebook, such as:
suggesting that your friend use our contact importer because you
found friends using it, suggesting that another user add you as a friend
because the user imported the same email address as you did, or
suggesting that your friend tag you in a picture they have uploaded
with you in it; and
for internal operations, including troubleshooting, data analysis, testing,
research, and service improvement.
15
Dkt. 42, Ex. D at 4; see also Ex. E at 2, Ex. F at 4.
16
17
When asked, at the hearing, which portion of this policy provided notice of
18
Facebook’s practice of scanning users’ messages, Facebook’s counsel pointed to the
19
disclosure that Facebook “may use the information we received about you” for “data
20
analysis.” However, this disclosure is not specific enough to establish that users expressly
21
consented to the scanning of the content of their messages – which are described as
22
“private messages” – for alleged use in targeted advertising3.
23
Facebook argues that users have already consented to the messages’ “interception”
24
for purposes of facilitating delivery, and thus, Facebook has blanket immunity for any use of
25
26
27
28
3
As discussed above, Facebook disputes plaintiffs’ allegations that users’ messages
were scanned for the purpose of targeting advertising. However, just as Facebook argued that
the allegations of the complaint must be taken as true for the purpose of analyzing its “ordinary
course of business” argument, so too must the allegations be taken as true for the purpose of
analyzing its “consent” defense.
15
1
that information other than for the purpose of committing a criminal or tortious act.
2
However, as discussed above, plaintiffs have alleged that Facebook uses a “web crawler”
3
to scan any URLs that are contained in messages, and to increase the corresponding web
4
page’s “like” counter accordingly, and the use of that “web crawler” may constitute a
5
separate “interception” under the Wiretap Act. Accordingly, the court rejects Facebook’s
6
argument that plaintiffs expressly consented to the alleged interceptions.
7
Facebook further argues that plaintiffs impliedly consented to the alleged
8
interceptions. Implied consent may be based on the overall circumstances of a particular
9
communication, and the “critical question with respect to implied consent is whether the
parties whose communications were intercepted had adequate notice of the interception.”
11
For the Northern District of California
United States District Court
10
Gmail, 2013 WL 5423918 at *12.
12
Facebook argues that, “[g]iven the features of the Messages product, plaintiffs had
13
full notice of, necessarily expected, and consented to Facebook’s processing of message
14
data.” Facebook also emphasizes the “URL preview” feature of Facebook messages,
15
which creates a thumbnail preview of the website whenever a user includes a valid web link
16
in a message.
17
However, as discussed above in the context of express consent, any consent with
18
respect to the processing and sending of messages itself does not necessarily constitute
19
consent to the specific practice alleged in this case – that is, the scanning of message
20
content for use in targeted advertising. And because the court is without any evidentiary
21
record at this stage of the case, it cannot determine whether the process by which
22
Facebook generates a thumbnail preview is the same process by which it analyzes the
23
URL link to increase the web page’s “like” counter. Thus, the court finds that plaintiffs have
24
not impliedly consented to the alleged interception.
Accordingly, the court DENIES Facebook’s motion to dismiss plaintiffs’ Wiretap Act
25
26
claim.
27
2.
California’s Invasion of Privacy Act
28
Section 631 of CIPA is the state-law corollary to the Wiretap Act, and creates civil
16
1
2
liability for:
7
Any person who, by means of any machine, instrument, or contrivance, or in
any other manner, intentionally taps, or makes any unauthorized connection .
. . with any telegraph or telephone wire, line, cable, or instrument, including
the wire, line, cable, or instrument of any internal telephonic communication
system, or who willfully and without the consent of all parties to the
communication, or in any unauthorized manner, reads, or attempts to read, or
to learn the contents or meaning of any message, report, or communication
while the same is in transit or passing over any wire, line, or cable, or is being
sent from, or received at any place within this state; or who uses, or attempts
to use, in any manner, or for any purpose, or to communicate in any way, any
information so obtained. . .
8
Facebook argues that plaintiffs’ claim under section 631 fails for two reasons. First,
3
4
5
6
9
Facebook argues that plaintiffs consented to any alleged interception. This argument is
identical to the “consent” argument addressed above, and the court rejects it for the same
11
For the Northern District of California
United States District Court
10
reasons.
12
Second, Facebook argues that plaintiffs’ messages could not have been intercepted
13
“in transit,” as required by the statute, because the “messages were entirely contained
14
within Facebook’s network during the purported ‘interception.’” However, plaintiffs’
15
opposition points out that Facebook’s messaging function allows users to send messages
16
to non-Facebook email addresses, which shows that the messages cannot be “entirely
17
contained within Facebook’s network.” Facebook does not address this argument in its
18
reply. Moreover, the complaint’s allegation that users’ messages were intercepted in transit
19
is to be taken as true at this stage of the case.
20
21
22
Accordingly, the court DENIES Facebook’s motion to dismiss plaintiffs’ claim under
section 631 of CIPA.
Plaintiffs also assert a claim under section 632 of CIPA, which provides for liability
23
against “[e]very person who, intentionally and without the consent of all parties to a
24
confidential communication, by means of any electronic amplifying or recording device,
25
eavesdrops upon or records the confidential communication.”
26
Facebook again argues that plaintiffs consented to any alleged interception, which
27
the court rejects for the same reasons discussed above. However, Facebook also argues
28
that plaintiffs have not alleged any “confidential communication.”
17
1
The California Supreme Court has held that a conversation is “confidential” under
2
section 632 “if a party to that conversation has an objectively reasonable expectation that
3
the conversation is not being overheard or recorded.” See Kearney v. Salomon Smith
4
Barney, Inc., 39 Cal.4th 95, 117 n.7 (2006); see also Faulkner v. ADT Sec. Services, Inc.,
5
706 F.3d 1017, 1019 (9th Cir. 2013). California appeals courts have generally found that
6
Internet-based communications are not “confidential” within the meaning of section 632,
7
because such communications can easily be shared by, for instance, the recipient(s) of the
8
communications. See, e.g., People v. Nakai, 183 Cal.App.4th 499, 518 (2010). Although
9
Nakai involved an Internet chat, rather than email, the Gmail court found that “email by its
very nature is more similar to internet chats” than it is to phone conversations. Gmail, 2013
11
For the Northern District of California
United States District Court
10
WL 5423918 at *23. The court finds the reasoning of the Gmail court persuasive, and
12
similarly finds that plaintiffs have not alleged facts leading to the plausible inference that
13
their communications were “confidential” under section 632. Accordingly, Facebook’s
14
motion to dismiss plaintiffs’ section 632 claim is GRANTED. Because no amendment could
15
establish that plaintiffs’ communications were indeed “confidential,” plaintiffs shall not be
16
granted leave to amend this claim.
17
3.
Section 17200
18
California Business & Professions Code section 17200, also referred to as the
19
“Unfair Competition Law” (or “UCL”), prohibits any “unlawful, unfair, or fraudulent business
20
act or practice.” A plaintiff seeking to assert a UCL claim must meet the statute’s
21
requirements for standing, which are that he or she (1) has suffered an “injury in fact,” and
22
(2) “lost money or property.” See Kwikset Corp. v. Superior Court, 51 Cal.4th 310, 322
23
(2011). Facebook argues that plaintiffs fail to meet either requirement.
24
As to the “injury in fact” requirement, the court notes that the Ninth Circuit recently
25
rejected this argument, finding “a plaintiff demonstrates an injury sufficient to satisfy Article
26
III when bringing a claim under a statute that prohibits the defendant’s conduct and grants
27
‘persons in the plaintiff’s position a right to judicial relief.’” See In re Zynga Privacy
28
Litigation, 750 F.3d 1098, 1105 n.5 (9th Cir. 2014) (citing Edwards v. First American Corp.,
18
1
610 F.3d 514, 517 (9th Cir. 2010)). As discussed above, plaintiffs have established viable
2
claims under the Wiretap Act and under CIPA section 631, which is sufficient to satisfy the
3
“injury in fact” requirement.
4
However, plaintiffs have not alleged that they have lost any money or property as a
5
result of Facebook’s conduct. Plaintiffs argue that they have a property interest in their
6
personal information, including the content of their messages, but courts have consistently
7
rejected such a broad interpretation of “money or property.” See, e.g., Opperman v. Path,
8
2014 WL 1973378 at *23, n.22 (N.D. Cal. May 14, 2014); In re Facebook Privacy Litigation,
9
791 F.Supp.2d 705, 715 (N.D. Cal. 2011); Claridge v. RockYou, Inc., 785 F.Supp.2d 855,
11
For the Northern District of California
United States District Court
10
12
862 (N.D. Cal. 2011).
Accordingly, Facebook’s motion to dismiss plaintiffs’ UCL claim is GRANTED
without leave to amend.
13
4.
14
Facebook moves to strike plaintiffs’ request for injunctive relief, arguing that it
Injunctive relief
15
ceased the challenged practice “nearly two years ago.” However, plaintiffs have
16
adequately alleged that there is a “sufficient likelihood” that Facebook could resume the
17
practice, so the court DENIES Facebook’s request to strike the prayer for injunctive relief at
18
this time.
19
CONCLUSION
20
For the foregoing reasons, Facebook’s motion to dismiss is GRANTED in part and
21
DENIED in part. The motion to dismiss plaintiffs’ Wiretap Act claim and CIPA section 631
22
claim is DENIED, and the motion to dismiss plaintiffs’ CIPA section 632 claim and section
23
17200 claim is GRANTED. Facebook’s request to strike plaintiffs’ prayer for injunctive
24
relief is DENIED.
25
26
IT IS SO ORDERED.
Dated: December 23, 2014
______________________________
PHYLLIS J. HAMILTON
United States District Judge
27
28
19
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?