In Re FACEBOOK INTERNET TRACKING LITIGATION

Filing 157

THIRD AMENDED COMPLAINT (Public Version) against All Defendants. Filed by Brian K. Lentz, Perrin Aikens Davis, Matthew J. Vickery, Cynthia D. Quinn. (Attachments: #1 Exhibit A, #2 Exhibit B, #3 Exhibit C, #4 Exhibit D, #5 Exhibit E, #6 Exhibit F, #7 Exhibit G, #8 Exhibit H, #9 Exhibit I, #10 Exhibit J, #11 Exhibit K, #12 Exhibit L, #13 Exhibit M, #14 Exhibit N, #15 Exhibit O, #16 Exhibit P, #17 Exhibit Q, #18 Exhibit R, #19 Exhibit S, #20 Exhibit T, #21 Exhibit U (redacted), #22 Exhibit V (redacted), #23 Exhibit W (redacted), #24 Exhibit X (redacted), #25 Exhibit Y (redacted), #26 Exhibit Z (redacted), #27 Exhibit AA (redacted), #28 Exhibit BB (redacted), #29 Exhibit CC (redacted), #30 Exhibit DD (redacted), #31 Exhibit EE, #32 Exhibit FF (redacted), #33 Exhibit GG (redacted), #34 Exhibit HH (redacted), #35 Exhibit II (redacted), #36 Exhibit JJ, #37 Exhibit KK, #38 Exhibit LL (redacted), #39 Exhibit MM, #40 Exhibit NN, #41 Exhibit OO, #42 Exhibit PP)(Straite, David) (Filed on 8/25/2017) Modified on 8/25/2017 (cv, COURT STAFF).

Download PDF
Case 5:12-md-02314-EJD Document 157 Filed 08/25/17 Page 1 of 33 1 2 3 4 5 Stephen G. Grygiel (admitted pro hac vice) SILVERMAN THOMPSON SLUTKIN WHITE LLC 201 N. Charles Street, 26th Floor Baltimore, MD 21201 Tel. (410) 385-2225 Fax (410) 547-2432 sgrygiel@mdattorney.com 6 7 8 9 Frederic S. Fox (admitted pro hac vice) David A. Straite (admitted pro hac vice) KAPLAN FOX & KILSHEIMER LLP 850 Third Avenue, 14th Floor New York, NY 10022 Telephone: (212) 687-1980 Facsimile: (212) 687-7714 dstraite@kaplanfox.com Laurence D. King (206423) Mario Choi (243409) KAPLAN FOX & KILSHEIMER LLP 350 Sansome Street, 4th Floor San Francisco, CA 94104 Tel.: (415) 772-4700 Fax: (415) 772-4707 lking@kaplanfox.com 10 11 12 IN THE UNITED STATES DISTRICT COURT FOR THE NORTHERN DISTRICT OF CALIFORNIA SAN JOSE DIVISION 13 14 No. 5:12-md-02314-EJD-NC 15 THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT FOR: 16 18 IN RE: FACEBOOK, INC. INTERNET TRACKING LITIGATION I. BREACH OF CONTRACT II. 17 BREACH OF IMPLIED COVENANT OF GOOD FAITH AND FAIR DEALING 19 DEMAND FOR JURY TRIAL 20 21 22 REDACTED VERSION OF DOCUMENT SOUGHT TO BE SEALED 23 24 25 26 27 28 5:12-MD-02314-EJD-NC THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT Case 5:12-md-02314-EJD Document 157 Filed 08/25/17 Page 2 of 33 1 TABLE OF CONTENTS 2 Page(s) 3 I. INTRODUCTION ...............................................................................................................1 II. JURISDICTION AND VENUE ..........................................................................................2 III. THE PARTIES .....................................................................................................................3 IV. FACTUAL ALLEGATIONS...............................................................................................4 4 5 6 7 A. The Facebook Statement of Rights and Responsibilities .............................................. 4 8 B. The Privacy Policy ........................................................................................................ 5 9 C. The Help Center ............................................................................................................ 6 10 D. How Facebook Tracks Internet Use Through the “Like” Button ................................. 7 11 E. Facebook Promised Not to Track Logged-Out Subscribers ....................................... 10 12 F. Facebook Breached Its Promise Not To Track Logged-Out Subscribers ................... 13 13 1. Background ........................................................................................................... 13 14 2. Facebook Failed to Expire User-Identifying Cookies Upon Logout .................... 16 15 3. 16 ............................................................................................................................ 16 17 18 G. Facebook’s Post-Logout Tracking Breached Expectations of Good Faith and Fair Dealing ........................................................................................................................ 18 19 H. Facebook’s Post-Logout Tracking Revealed .............................................................. 19 20 V. PLAINTIFF-SPECIFIC FACTUAL ALLEGATIONS .....................................................23 21 VI. STATUTE OF LIMITATIONS .........................................................................................24 22 VII. CLASS ACTION ALLEGATIONS ..................................................................................25 23 VIII. COUNTS ............................................................................................................................27 24 COUNT I........................................................................................................................................27 25 BREACH OF CONTRACT ...........................................................................................................27 26 COUNT II ......................................................................................................................................28 27 BREACH OF THE COVENANT OF GOOD FAITH AND FAIR DEALING............................28 28 i 5:12-MD-02314-EJD-NC THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT Case 5:12-md-02314-EJD Document 157 Filed 08/25/17 Page 3 of 33 1 IX. PRAYER FOR RELIEF.....................................................................................................29 X. JURY TRIAL DEMAND ..................................................................................................29 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 ii 5:12-MD-02314-EJD-NC THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT Case 5:12-md-02314-EJD Document 157 Filed 08/25/17 Page 4 of 33 1 2 I. INTRODUCTION 1. On April 22, 2010, defendant Facebook, Inc. (“Facebook” or “Defendant”) 3 launched the “Like” button outside of the Facebook domain. Within weeks it became the single 4 most important social plugin ever created, quickly surpassing Facebook’s “Share” button. 5 2. Less than five weeks after the Like button launch, 50,000 websites had installed it; 6 less than ten weeks after launch, web site consultants were calling it “ubiquitous.” By June 2012, 7 a quarter of the top 10,000 websites formally integrated Facebook plugins just on their homepages. 8 By November 2013, Facebook claimed on its developer blog that its Like and Share buttons drove 9 more referral traffic than all other social networks combined. 10 3. Today, Facebook says that web pages containing the Like button and its other 11 plugins are viewed more than 30 billion times each day, and more than 7 million websites now 12 incorporate them. As the Huffington Post summed up, the Like button is now “omnipresent.” 13 4. When a Facebook subscriber logs into his or her Facebook account, a number of 14 “cookies”—including session cookies and tracking cookies—are written to the user’s browser. 15 Several of these cookies can be used to identify the subscriber. When a subscriber visits a webpage 16 with a Facebook social plugin (such as the Facebook Like button), Facebook and the first-party 17 website cause the user’s browser to re-direct the user’s communication, via the file path of the 18 referrer URL of the page being requested, along with all available Facebook tracking and session 19 cookies, to Facebook in real-time. 20 5. The re-directed communications are acquired by Facebook regardless of whether 21 the subscriber actually clicks on a Like or Share button or even knows of its existence. Thirty 22 billion times per day, Facebook causes computers around the world to report the real-time Internet 23 communications of more than one billion people—including the entire file path of URLs 24 containing sensitive, personal content—to Facebook. When Facebook’s session and tracking 25 cookies link the URLs to specific persons, anonymity disappears. Facebook can link the web 26 browsing of more than one billion people to their actual identities. 27 28 6. Given the enormous privacy implications of Facebook’s ubiquitous insight into web traffic, Facebook promised subscribers that it would not receive user-identifying cookies via 5:12-MD-02314-EJD-NC THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT Case 5:12-md-02314-EJD Document 157 Filed 08/25/17 Page 5 of 33 1 its plugins on third-party websites if the subscriber interacts with these websites while logged out 2 of Facebook. Facebook made this promise from the very first day Facebook launched the Like 3 button. From the very first day, however, Facebook broke this promise; logging out did not remove 4 all user-identifying cookies . Discovery has revealed that from the very first day, 5 6 . 7 7. 8 On September 25, 2011, an independent researcher in Australia publicly revealed 9 that logging out of a Facebook account failed to remove user-identifying cookies—in particular 10 the c_user, lu and datr cookies. The following day (September 26, 2011), the story was picked up 11 by the Wall Street Journal, and circulated around the world. Congress demanded (and received) 12 testimony from Facebook, and the FTC investigated. 8. 13 Facebook quickly admitted the problem, and at some point prior to October 3, 2011, 14 issued fixes with respect to the c_user and lu cookies. But Facebook continued to use the datr 15 cookie to track subscribers post-logout after October 3, 2011. 9. 16 The plaintiffs are four Facebook subscribers whose Internet use was tracked by 17 Facebook after April 22, 2010 while the plaintiffs were logged out of their Facebook accounts. 18 They bring claims for breach of contract and breach of the implied covenant of good faith and fair 19 dealing on behalf of themselves and other similarly-situated Facebook subscribers in the United 20 States (the “Class”). 21 II. 22 23 24 JURISDICTION AND VENUE 10. This Court has personal jurisdiction over Defendant Facebook because Facebook is headquartered in this District. 11. This Court has subject matter jurisdiction pursuant to the Class Action Fairness Act 25 (“CAFA”), 28 U.S.C. § 1332(d), because this is a class action in which the amount in controversy 26 exceeds $5,000,000, and at least one member of the class is a citizen of a state other than California 27 or Delaware. 28 2 5:12-MD-02314-EJD-NC THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT Case 5:12-md-02314-EJD Document 157 Filed 08/25/17 Page 6 of 33 12. 1 This Court also has discretionary supplemental jurisdiction over the state law 2 claims in this action pursuant to 28 U.S.C. § 1367 because the state law claims form part of the 3 same case or controversy as those that give rise to two previously asserted but dismissed federal 4 claims under the Federal Wiretap Act, 18 U.S.C. § 2511 (the “Wiretap Act”) and the Stored 5 Communication Act, 18 U.S.C. § 2701 (“SCA”). 13. 6 Venue is proper in this District because Defendant Facebook is headquartered in 7 this District. In addition, the Facebook Statements of Rights and Responsibilities in force since 8 April 22, 2010, which governs the relationship between Facebook and its subscribers—including 9 the plaintiffs—provides for exclusive venue in state or federal courts located in Santa Clara 10 County, California. 11 III. 14. 12 13 15. 16. Plaintiff Dr. Brian Lentz (“Lentz”) is an adult domiciled in Virginia. Lentz has had an active Facebook account since before April 22, 2010. 17. 18 19 Plaintiff Prof. Cynthia Quinn (“Quinn”) is an adult domiciled in Hawaii. Quinn has had an active Facebook account since before April 22, 2010. 16 17 Plaintiff Mrs. Perrin Davis (“Davis’) is an adult domiciled in Illinois. Davis has had an active Facebook account since before April 22, 2010. 14 15 THE PARTIES Plaintiff Mr. Matthew Vickery (“Vickery”) is an adult domiciled in Washington State. Vickery has had an active Facebook account since before April 22, 2010. 18. 20 Defendant Facebook is a Delaware corporation which maintains its headquarters at 21 1 Hacker Way, Menlo Park, California 94025. Facebook is a “social network” that permits its 22 members to interact with one another through a web site located at www.facebook.com. Facebook 23 has surpassed 2 billion monthly active users, more than 200 million of whom reside in the United 24 States. 25 26 27 28 3 5:12-MD-02314-EJD-NC THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT Case 5:12-md-02314-EJD Document 157 Filed 08/25/17 Page 7 of 33 1 IV. FACTUAL ALLEGATIONS 2 A. The Facebook Statement of Rights and Responsibilities 3 19. The agreement governing Facebook’s relationship with subscribers starts with the 4 “Statement of Rights and Responsibilities” or “SRR.” The SRR incorporates a number of other 5 documents by reference and hyperlinks. 1 The oldest relevant SRR is dated April 22, 2010, and is 6 attached to this complaint as Exhibit A. 20. 7 8 Updated SRRs produced in discovery are dated August 25, 2010 (see Exhibit B), October 4, 2010 (see Exhibit C) and April 26, 2011 (see Exhibit D). 21. 9 Each of these SRRs, regardless of date, provides that “[t]he laws of the State of 10 California will govern this Statement, as well as any claim that might arise between you and us, 11 without regard to conflict of law provisions.” See, e.g., SSR dated April 22, 2010 at ¶ 15, Ex. A, 12 FB_MDL_00000014. 13 22. Subscribers agree to the terms of the SRR upon initial creation of the account. 14 23. In the preamble, the SRR also provides that the agreement renews each and every 15 time a subscriber uses the website: “By using or accessing Facebook, you agree to this Statement.” 16 Ex. A, FB_MDL_00000012. 17 24. 18 Your privacy is very important to us. We designed our Privacy Policy to make important disclosures about how you can use Facebook to share with others and how we collect and can use your content and information. We encourage you to read the Privacy Policy, and to use it to help make informed decisions. 19 20 21 Ex. A. at ¶ 1, FB_MDL_00000012. 25. 22 23 The very first section of the SRR governs privacy, stating: In the language excerpted above, the words “Privacy Policy” were hyperlinked on the Facebook website and linked directly to the Privacy Policy. 2 26. 24 The SRR dated April 22, 2010 includes six documents incorporated by reference 25 and hyperlinked at the end of the document: (1) the Privacy Policy (later called the Data Use 26 1 27 28 A hyperlink electronically provides direct access from one internet location/file to another, typically by clicking a highlighted word or icon. 2 As of April 26, 2011, the name of this policy was changed to the “Data Use Policy.” 4 5:12-MD-02314-EJD-NC THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT Case 5:12-md-02314-EJD Document 157 Filed 08/25/17 Page 8 of 33 1 Policy), (2) the Payment Terms, (3) the Platform Policy, (4) Developer Principles and Policies, 2 (5) Advertising Guidelines, and (6) Promotions Guidelines (together, the “Additional 3 Documents”). See Ex. A, FB_MDL_00000014. Later SRRs include additional links. 4 27. Immediately to the right of “Privacy Policy:” Facebook states: “The Privacy Policy 5 is designed to help you understand how we collect and use information.” 6 FB_MDL_00000014. 7 28. Ex. A, Each of the Additional Documents is an agreement with terms agreed to by 8 Facebook and subscribers. For example, the Payment Terms use the phrase “you agree” more than 9 a dozen times. 10 11 12 13 14 15 16 29. Each of the Additional Documents are incorporated by reference and hyperlink into the SRR, and together form a single agreement. 30. Each of the Additional Documents contains hyperlinks back to the SRR, and each contains at least one hyperlink to the Privacy Policy. 31. Some of the Additional Documents also link to each other; for example, the Payment Terms hyperlink to the Advertising Policy. 32. The SRR states that “[t]his Statement makes up the entire agreement between the 17 parties regarding Facebook[.]” 18 FB_MDL_00000014. 19 33. See, e.g., SSR dated April 22, 2010 at ¶ 18.1, Ex. A. Facebook did not intend paragraph 18.1 to render all Additional Documents legal 20 nullities but rather to confirm that the SRR includes the hyperlinked Additional Documents—they 21 function as a single agreement. 22 B. The Privacy Policy 23 34. Historical versions of the Privacy Policy produced in discovery to date are provided 24 as Exhibits E through H to this complaint. 25 35. The Privacy Policy is incorporated by reference and hyperlink into the SRR. 26 36. Several terms in the Privacy Policy are defined with reference to the SRR, see e.g., 27 Ex. E, ¶ 4 (“Facebook Platform”), FB_MDL_00000008, and changes to the Privacy Policy can 28 only be made in accordance with the SRR. See, e.g., Ex. G, ¶ 9, FB_MDL_00000036. 5 5:12-MD-02314-EJD-NC THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT Case 5:12-md-02314-EJD Document 157 Filed 08/25/17 Page 9 of 33 1 37. The Privacy Policy is an agreement. For example, in the September 7, 2011 2 version, under the “Change of Control” section, Facebook states, “If the ownership of our business 3 changes, we may transfer your information to the new owner so they can continue to operate the 4 service. But they will still have to honor the commitments we have made in this privacy policy.” 5 Ex. H, Section VI (Change of Control) (emphasis added), FB_MDL_00000048. 6 38. Additionally, in earlier versions of the Privacy Policy, the terms were referred to as 7 “promises” rather than “commitments.” See, e.g., Ex. G, ¶ 6, Transfer in Event of Sale or Change 8 of Control (“In such a case, your information would remain subject to the promises made in any 9 pre-existing Privacy Policy”), FB_MDL_00000035. 10 39. Likewise, in the December 22, 2010 version, Facebook states, “By using or 11 accessing Facebook, you agree to our privacy practices outlined here.” See Ex. G, ¶ 1 (Scope), 12 FB_MDL_00000032. This language is nearly identical to the binding language in the SRR. See 13 also id. ¶ 9 (“By using Facebook, you consent to having your personal data transferred to and 14 processed in the United States.”), FB_MDL_00000036. 15 C. The Help Center 16 40. Relevant portions of Facebook’s Help Center produced in discovery are attached to 17 18 this complaint as Exhibits I through S and MM through PP. 41. The Privacy Policy is long, dense, and complicated. A December 8, 2011 inquiry 19 from the United States House of Representatives noted that Facebook’s privacy policy was “longer 20 than that of all other social networks and exceed in length the United States Constitution . . . . We 21 are concerned . . . that long, complex privacy policy statements make it difficult for consumers to 22 understand how their information is being used.” See Ex. T., p. 8, FB_MDL_00000247. 23 42. 24 We also agree that long and complex privacy policies can make it difficult for consumers to understand how their information is being used. . . . we use a layered approach, summarizing our practices on the front page and then allowing people to click through the Policy for more details. 25 26 27 In its January 6, 2012 response to the Congressional inquiry, Facebook agreed: Id. at 9, FB_MDL_00000248. 28 6 5:12-MD-02314-EJD-NC THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT Case 5:12-md-02314-EJD Document 157 Filed 08/25/17 Page 10 of 33 1 43. The Privacy Policy repeatedly hyperlinked to Facebook’s Help Center (consisting 2 of a series of “frequently asked questions”) as a part of this “layered approach,” and the Help 3 Center is thus incorporated into the Privacy Policy by reference and hyperlink. It is impossible to 4 understand the Privacy Policy without the Help Center. 5 44. The Privacy Policy repeatedly directs subscribers, via reference and hyperlink, to 6 the Help Center for more information. The April 22, 2010 Privacy Policy, for example, linked to 7 the Help Center 18 times. See generally Ex. A. 8 9 10 45. Sometimes, Facebook would migrate language between the Help Center and the body of the Privacy Policy, underscoring the unified nature of these pages. 46. For example, in its description of “cookies,” the Privacy Policy discloses that “we 11 use them to store your login ID . . . to make it easier for you to login whenever you come back to 12 Facebook. We also use them to confirm that you are logged into Facebook.” Ex. F, ¶ 2 (Cookie 13 Information), FB_MDL_00000028. Near exact language also appears in the Help Center page, 14 “How does Facebook use cookies?” See Ex. N, FB_MDL_00064915. 15 D. How Facebook Tracks Internet Use Through the “Like” Button 16 47. When signing up for a Facebook account, subscribers fill out an electronic form, 17 sending communications to Facebook which personally identifies them: 18 19 20 21 22 23 24 25 26 27 28 7 5:12-MD-02314-EJD-NC THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT Case 5:12-md-02314-EJD Document 157 Filed 08/25/17 Page 11 of 33 48. 1 2 Each Facebook subscriber manually enters his or her first and last name, email address, a password, gender, and birthdate before signing-up. 49. 3 Facebook then creates a database entry for the new user in an internal database 4 called 5 cookies to the user’s web browser that Facebook correlates with the information in the 6 database. As each user encounters more Facebook partner websites while logged into Facebook, 7 Facebook adds the information to the user’s database entry. 50. 8 9 and assigns a unique user ID to the subscriber. Facebook also writes a number of When an Internet user lands on a webpage with an integrated Facebook social plugin, the user’s browser is instructed to redirect the communications, along with several 10 Facebook cookies, to Facebook, which can then be added to the 11 acquires this information before the communications are completed. 51. 12 database. Facebook Cookies are small text files that web-servers can place on a person’s web-browser 13 and computing device when that person’s web-browser interacts with a website server. Different 14 cookies perform different functions. Some cookies were designed to track and record an individual 15 Internet user’s communications with and activities on websites across the Internet. 52. 16 The process for logged-in users differs from that of logged-out users. When a 17 Facebook subscriber is logged into Facebook at the time he visits a third-party website that 18 contains a Facebook plugin, the user’s browser will contain several Facebook cookies. 53. 19 20 In 2010 and 2011, Facebook wrote cookies to the browsers of logged-in users as illustrated in the chart below. As can be seen below, , in addition to the c_user (or a_user) cookie: 21 22 /// 23 /// 24 /// 25 26 27 28 8 5:12-MD-02314-EJD-NC THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT Case 5:12-md-02314-EJD Document 157 Filed 08/25/17 Page 12 of 33 Case 5:12-md-02314-EJD Document 157 Filed 08/25/17 Page 13 of 33 1 e. Facebook also assigns each browser a unique identifier (the datr cookie) 2 which can and does identify actual current users when a computer is not a 3 shared computer. 4 5 See Ex. U, FB_MDL_00005501. 6 7 f. Indeed, Facebook publicly confirmed in its response to Mr. Cubrilovic 8 (available on his blog): “We also maintain a cookie association between 9 accounts and browsers.” 10 g. Finally, . 11 12 13 55. When a logged-in subscriber visits a webpage with a Facebook Like button, a copy of the referrer URL is acquired by Facebook along with the cookies noted above. 14 56. Facebook acquires an enormous amount of individualized data for each 15 communication. Facebook receives the full referral URL (including the exact subpage of the 16 precise items being purchased or viewed), and through the use of cookies, correlates that URL 17 with the user ID, time stamp, browser settings, and even the type of browser used. Facebook not 18 only acquires an exact copy of the user’s communication with, for example, Walmart, but can put 19 the communication in the precise context of the time of day and other user actions on the same 20 website. Facebook acquires all of this information before the communications between the user 21 and the third-part website is completed. 22 E. Facebook Promised Not to Track Logged-Out Subscribers 23 57. The very first section of the SRR governs privacy, stating: 24 Your privacy is very important to us. We designed our Privacy Policy to make important disclosures about how you can use Facebook to share with others and how we collect and can use your content and information. We encourage you to read the Privacy Policy, and to use it to make informed decisions. 25 26 27 28 10 5:12-MD-02314-EJD-NC THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT Case 5:12-md-02314-EJD Document 157 Filed 08/25/17 Page 14 of 33 1 Ex. A. at ¶ 1, FB_MDL_00000012. The words “Privacy Policy” above were hyperlinked to the 2 Privacy Policy on the Facebook website, and starting September 7, 2011, linked to the Data Use 3 Policy. 4 58. The Privacy Policy is incorporated into and is a part of the Facebook – user contract. 5 59. Implicitly, Facebook agrees in its contract with users that it would respect user 6 privacy and not collect data in ways not agreed to in the Privacy Policy. It is therefore an implicit 7 term of the SRR that Facebook would not track users post-logout using user-identifying cookies. 8 60. 9 We receive data whenever you visit a . . . site with a Facebook feature (such as a social plugin). This may include the date and time you visit the site; the web address, or URL, you’re on; technical information about the IP address, browser and the operating system you use; and, if you are logged in to Facebook, your User ID. 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 The Data Use Policy dated Sept. 7, 2011 states: Ex. H, FB_MDL_00000043. This provision, explaining that Facebook will receive a useridentifying cookie when “you are logged in to Facebook,” implicitly promises to the average user that Facebook will not receive such a cookie when the user is not logged in. 61. The Help Center pages are incorporated by reference into the Privacy Policy and are a part of the contract. 62. In the Help Center page, “Does Facebook use cookies if I don’t have an account or have logged out of my account?” Facebook promised: “When you log out of Facebook, we remove the cookies that identify your particular account[.]” Ex. I, FB_MDL_00064918. 63. In the Help Center page, “What information does Facebook receive about me when I visit a website with a Facebook social plugin?” Facebook explained that it receives “technical information” about IP addresses, browsers, and operating systems to help “optimize your experience . . . or let[] us know that you are logged into Facebook.” Ex. J, FB_MDL_00064922. Facebook implicitly promised in this section that it would not receive user-identifying information if the user logged out of Facebook. 64. In a later version of the same Help Center page, Facebook explicitly added: “If you are logged into Facebook, we also see your user ID number and email address.” Ex. K, 28 11 5:12-MD-02314-EJD-NC THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT Case 5:12-md-02314-EJD Document 157 Filed 08/25/17 Page 15 of 33 1 FB_MDL_00064913 (emphasis added). Because Facebook limited this language to logged-in 2 users, Facebook promised that if the user were not logged in, Facebook would not “see your user 3 ID number and email address.” 4 5 6 65. In an even later version of the same Help Center page, Facebook made its promise more explicit, adding: 8 If you’re logged out or don’t have a Facebook account and visit a website with the Like button or another social plugin, your browser sends us a more limited set of information. For example, because you’re not logged in to Facebook, we don’t receive your user ID. 9 Ex. M, FB_MDL_00064920 (emphasis added). This exact language also appeared in a second 7 10 11 Help Center page. See Ex. L, FB_MDL_00064919. 66. In Help Center “Does Facebook have the ability to see what I’m doing on non- 12 Facebook sites?” Facebook reminded users that it would not be able to see what users do on other 13 websites unless the user logs in: 14 Does Facebook have the ability to see what I’m doing on non-Facebook sites? 15 Facebook cannot track your actions on external sites unless you decide to connect your Facebook account to that site and/or explicitly decide to publish a story to your Wall via the Like button. For example, if you are on Digg, and digg an article or comment on an article, Facebook will only be notified of the actions for which Digg wants to create a story. Facebook will have no access to other actions you have taken or other information involving your Digg account. 16 17 18 19 20 21 22 23 To take advantage of the ability to generate stories from another site, you must “connect” your Facebook account to that site, or otherwise be logged into Facebook while you interact with one of these sites. Ex. MM, FB_MDL_00064926 (emphasis added); see also Ex. NN, FB_MDL_00064927 (same); Ex. OO, FB_MDL_00064928 (same); Ex. PP, FB_MDL_00064929 (same). 67. In the Help Center page, “How do social plugins work?”, Facebook promised: 24 25 26 27 28 You only see a personalized experience with your friends if you are logged into your Facebook account. If you are not already logged in, you will be prompted to log in to Facebook before you can use a plugin on another site. At a technical level, social plugins work when external websites put an iframe from Facebook.com on their sites, as if they were agreeing to give Facebook some real estate on their websites. When you visit one of these sites, the Facebook iframe 12 5:12-MD-02314-EJD-NC THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT Case 5:12-md-02314-EJD Document 157 Filed 08/25/17 Page 16 of 33 1 2 3 4 5 6 can recognize if you are logged into Facebook. If you are logged in, it’ll show personalized content within the plugin as if you were on Facebook.com directly. Even though the iframe is not on Facebook, it is designed with all the privacy protections as if it were. Ex. R, FB_MDL_00064901 (emphasis added); see also Ex. S, FB_MDL_00064905 (same). Implicit in this Help Center page is the promise that Facebook would remove any user-identifying cookies from browsers of users who had logged out. F. 7 8 9 Facebook Breached Its Promise Not To Track Logged-Out Subscribers 1. 68. Background As soon as the Like button was rolled out on April 22, 2010, Facebook found it had a problem— . 10 If user identities were disaggregated from web history, the value of the Like button would diminish 11 substantially. 12 69. 13 October 28, 2010, Facebook product manager Austin Haugen noted in an internal email, dated 14 15 16 17 18 19 See Ex. W, p. 1, FB_MDL_00007340. 70. A few months later, after reviewing detailed cookie data, Mr. Haugen determined that only approximately 71. See Ex. X, p. 4, FB_MDL_00005394. The genesis for these discussions was pressure coming directly from 20 . In an email dated September 21, 2010, Mr. Haugen wrote: 21 22 See Ex. Y, p. 2, FB_MDL_00002731. 72. As an alternative to convincing subscribers to stay logged in, Facebook came up 23 with an easy interim solution: break Facebook’s promise and track users post-logout. This was 24 done by failing to delete cookies containing User IDs (such as lu), by continuing to use the datr 25 cookie and associating that cookie with User IDs, 26 . 27 28 13 5:12-MD-02314-EJD-NC THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT Case 5:12-md-02314-EJD Document 157 Filed 08/25/17 Page 17 of 33 73. 1 2 At the same time, three Facebook employees filed a patent application (later assigned to Facebook), facilitating the post-logout tracking of Facebook users on other websites. 74. 3 On February 8, 2011, Kent Matthew Schoen, Gregory Luc Dingle, and Timothy 4 Kendall (Facebook’s “Director of Monetization”) filed a patent application entitled 5 “Communicating Information in a Social Network System about Activities from Another 6 Domain.” 4 As the first claim in the Patent Application explains, the applicants were seeking to 7 patent: 8 A method for tracking information about the activities of users of a social networking system while on another domain, the method comprising: maintaining a profile for each of one or more users of the social networking system . . .; receiving one or more communications from a third-party website having a different domain than the social network system, each message communicating an action taken by a user of the social networking system on the third-party website; logging the actions taken on the third-party website in the social networking system . . .; and correlating the logged actions with one or more advertisements presented to one or more users. 9 10 11 12 13 Patent Application at 2. 14 75. The detailed description of this tracking method reveals that it enables Facebook to 15 capture and log actions taken by Facebook users on websites other than Facebook, even when the 16 user is not logged in: 17 [0054] As described above, in particular embodiments, the social network system 100 also logs actions that a user takes on a third party website 140. The social network system 100 may learn of the user’s actions on the third party website via any of a number of methods. In particular embodiment, in response to certain actions such as, a user registering with a third-party website 140, purchasing a product from a third-party website 140, downloading a service from a third-party website 140, or otherwise making a conversion, the third-party website 140 transmits a conversion page, such as a confirmation or “thank you” page to the user at the user’s client device. In particular embodiment, this page includes an embedded call or code segment (e.g., JavaScript) in the HTML or other structured document code (e.g., in an HREF (Hypertext REFerence) that, in particular embodiments, generates a tracking pixel that, when executed by the client’s browser or other rendering application, generates a tracking pixel or image tag that is then transmitted to the social network system (whether the user is logged into the social network system or not). The tracking pixel or image tag then communicates various information to the social network system about the user’s action on the third-party website. By way of example, the tracking pixel or call may transmit parameters such as the user’s ID (user ID as registered with the social network system), a product ID, information about the third-website, timestamp 18 19 20 21 22 23 24 25 26 27 28 4 See U.S. Patent Application No. 20110231240, filed February 8, 2011 and published September 22, 2011 (the “Patent Application”) at 1. 14 5:12-MD-02314-EJD-NC THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT Case 5:12-md-02314-EJD Document 157 Filed 08/25/17 Page 18 of 33 1 2 information about the timing of the purchase or other action, etc. In one example, if the third party website 140 is a commercial website on which users may purchase items, the third party website 140 may inform the social network system 100 in this manner when a user of the social network system 100 buys an item on the third party website 140. 3 Patent Application at 5. 4 76. In certain circumstances, Facebook has to hack its way past data protection software 5 to do this: Facebook deposits a cookie that deliberately and without a user’s consent bypasses 6 security settings on the user’s browser for the purpose of gathering intelligence about what the 7 user does on the Internet in real time, such as what sites are visited, whether purchases are made, 8 or whether information is downloaded or a link forwarded to a friend. This information is instantly 9 relayed back to Facebook, substantially enhancing the value of Facebook’s vast repository of 10 personal data. This is all done whether the Facebook user is logged onto Facebook or logged off. 11 77. Technically, this is how the Patent Application describes the bypass: 12 13 14 15 16 17 18 19 20 21 22 [0099] In one embodiment, the third party website 140 and/or the social network system 100 determine whether the user is a user of the social network system 100. For example, the third party website 140 may access a cookie on the user’s computer, where the cookie is associated with the social network system 100. Since the social network system 100 and the third party website 140 are on different domains, the user’s browser program may include security features that normally prevent a website from one domain from accessing content on other domains. To avoid this, the third party website 140 may use nested iframes, where the third party website 140 serves a web page that includes a nested iframe in the social network website’s domain, thereby allowing the nested iframe to access the user information and send the information back to the third party website 140. Repeated nesting of iframes further allows the social networking site 100 to communicate information back to the third party website 140. By using this technique, the third party website 140 and the social network system 100 can communicate about the user without sharing any of the user’s personal information and without requiring the user to log into the social network system 100. Patent Application 10-11 (emphasis added). 78. Although Facebook’s name does not appear in the Patent Application, the Patent 23 Application is listed in the U.S. Patent & Trademark Office database as assigned to Facebook. 24 Tellingly, Mr. Kendall, Facebook’s “Director of Monetization,” is not an inventor nor a computer 25 scientist. According to his LinkedIn profile, Mr. Kendall’s job description at Facebook is “Product 26 Strategy & Development for Facebook’s revenue generating products.” Essentially, Mr. Kendall 27 is charged with devising creative ways to sell user information to advertisers and third-party 28 websites. 15 5:12-MD-02314-EJD-NC THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT Case 5:12-md-02314-EJD Document 157 Filed 08/25/17 Page 19 of 33 2. Facebook Failed to Expire User-Identifying Cookies Upon Logout 1 79. To comply with its promise to remove user-identifying cookies upon logout, 2 Facebook reset the c_user cookie from the browser. This is the basic user ID cookie, but as noted 3 by Mr. Cubrilovic, it didn’t actually clear until the session expired. Facebook only changed its 4 state from a persistent cookie to a session cookie—meaning it never actually was removed post5 logout unless and until the user actually closed and restarted the browser. 6 80. Far worse, Facebook knowingly kept two other user-identifying cookies in place 7 for the explicit purpose of tracking users post-logout, even after the expiration of the session. 8 noted on February 7, 2011: 9 10 See Ex. V (emphasis added), 11 FB_MDL_00005416. 12 81. Two weeks later, on February 19, 2011, Facebook employee Douglas Purdy drafted a 13 table 14 which acknowledged that the were still present for 15 logged out users. See Ex. U, FB_MDL_00005503-04. Facebook engineer Matt Jones made a 16 number of revisions and comments, and said 17 Id. at 2 (emphasis 18 added), FB_MDL_00005502. 19 82. Mr. Himel concluded by saying: 20 21 22 See Ex. U, p. 1, FB_MDL_00005501. 23 3. 25 fy g f gg 24 83. 26 . 27 28 84. On June 5, 2010, an engineering task was created called 16 5:12-MD-02314-EJD-NC THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT Case 5:12-md-02314-EJD Document 157 Filed 08/25/17 Page 20 of 33 Facebook engineering director Alex Himel commented, 1 2 3 4 5 See Ex. Z, FB_MDL_00000734. 85. On June 7, 2010, Mr. Himel created a task with the tag and assigned it to engineer Chuck Rossi. The task noted: 6 7 8 9 10 11 12 See Ex. AA, FB_MDL_00005470 (underlining added). 86. The following month, July 2010, Mr. Himel 13 14 but noted later in an August 19, 2010 email that changes still had not been made: 15 16 17 18 19 20 Ex. BB, FB_MDL_00002992. 87. Even after Mr. Himel’s August 19 email above, 21 22 . For example, on January 28, 2011, Alex Himel noted that 23 24 See Ex. CC, FB_MDL_00000622. responded, 25 26 27 An unknown Facebook employee Id. (emphasis added). 88. 28 17 5:12-MD-02314-EJD-NC THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT Case 5:12-md-02314-EJD Document 157 Filed 08/25/17 Page 21 of 33 1 For example, Facebook engineering director Alex Himel assigned to engineer Adam Wolff on January 27, 2011: 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 See Ex. DD, FB_MDL_00005356. G. Facebook’s Post-Logout Tracking Breached Expectations of Good Faith and Fair Dealing 89. The Facebook Privacy Policy, which includes the Help Center pages, is consistent with all public representations made by Facebook. For example, on April 26, 2010, Facebook explained how the social plug-ins affect Facebook users on its “Facebook Notes” blog. Facebook was clear that “you only see a personalized experience with your friends if you are logged into your Facebook account.” This is identical language to the Help Center page shown in Exhibit R, FB_MDL_00064901. 90. In 2010, when privacy rights and civil liberties organizations raised a number of privacy concerns associated with social plug-ins and other changes to the Facebook Privacy Policy, it was believed and understood that Facebook was only tracking logged in users via the Like button. So, for example, the ACLU, Center for Democracy and Technology, Center for Digital Democracy, Consumer Action, Consumer Watchdog, Electronic Privacy Information Center, Electronic Frontier Foundation, and the Privacy Rights Clearinghouse jointly wrote to Facebook CEO Mark Zuckerberg regarding a number of “outstanding privacy problems.” See Open Letter dated June 16, 2010, attached as Ex. EE. The authors objected that the Like buttons “provide Facebook with information about every visit to the site by anyone who is logged in to Facebook[.]” Id. at 2 (emphasis added). Not one of these well-respected and tech-savvy privacy groups understood or believed that Facebook was also tracking logged out as well as logged in users, which would have been a far more serious concern. 91. From the start of the rollout of the Like button and thereafter, Facebook consistently told the public that it was not tracking users post-logout. In a series of interviews with USA Today 28 18 5:12-MD-02314-EJD-NC THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT Case 5:12-md-02314-EJD Document 157 Filed 08/25/17 Page 22 of 33 1 in mid-November, 2011, for example, Facebook said it did not log any personal information 2 associated with Internet surfing by logged out users—all logging would be done only by an 3 anonymous browser cookie. When asked if even the anonymous data could somehow be re- 4 associated with the browsing history, Facebook reiterated: “We’ve said that we don’t do it, and 5 we couldn’t do it without some form of consent and disclosure.” 5 6 H. Facebook’s Post-Logout Tracking Revealed 7 92. In 2010, Australian researcher and blogger Nik Cubrilovic discovered that 8 Facebook cookies were tracking users’ Internet communications even after users had logged out 9 of Facebook. 93. 10 Cubrilovic’s investigation revealed that several personally identifiable cookies 11 remained on users’ browsers post logout, and that some cookies (for example, the lu and datr 12 cookies) even remained after the browser was closed and restarted. Despite its representations to 13 the contrary, Facebook was in fact secretly tracking its users’ Internet communications after logout 14 via these cookies that Facebook had promised it had removed. 94. 15 Mr. Cubrilovic contacted Facebook on November 14, 2010 to report his findings 16 and ask Facebook to fix the problem. He received no response. Again, on January 12, 2011, Mr. 17 Cubrilovic wrote to Facebook alerting it to his findings. Again, Facebook refused to respond. Mr. 18 Cubrilovic of course had no way of knowing that Facebook . 19 95. 20 On September 25, 2011, Mr. Cubrilovic made his findings public. He wrote, “Even 21 if you are logged out, Facebook still knows and can track every page you visit.” He explained that 22 “[t]his is not what ‘logout’ is supposed to mean – Facebook is only altering the state of the cookies 23 instead of removing all of them when a user logs out.” Mr. Cubrilovic had revealed what 24 25 26 5 27 28 See Acohido, Byron, How Facebook Tracks you across the Web, USA TODAY, Nov. 16, 2011. http://www.usatoday.com/tech/news/story/2011-11-15/facebook-privacy-trackingdata/51225112/1. 19 5:12-MD-02314-EJD-NC THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT Case 5:12-md-02314-EJD Document 157 Filed 08/25/17 Page 23 of 33 See Ex. V 1 2 (emphasis added), FB_MDL_00005416. 96. 3 Mr. Cubrilovic’s blog post spread globally and was picked up the next day by the 4 Wall Street Journal, in addition to dozens of other news outlets. 6 Journalist Erik Sherman, writing 5 for CBS News, for example, succinctly expressed Facebook users’ feelings: 6 7 Many who use Facebook who don’t like the idea of other sites reporting information back have typically logged out of the system before going elsewhere. (I know I have.) What Cubrilovic argues is that this does no good[.] 7 8 97. 9 Facebook told the Wall Street Journal that the user-identifying data was not “logged” and the information is “quickly deleted” anyway. 10 98. These statements to the Wall Street Journal were incorrect 11 included 12 as Exhibit FF, FB_MDL_00053202, the story was corrected to remove Facebook’s assurances 13 regarding logging and deletion. 14 99. On the same day, Facebook engineer Gregg Stefancik contacted Mr. Cubrilovic and 15 admitted that Cubrilovic raised “important issues.” Mr. Stefancik, however, never disclosed that 16 . Instead, he misleadingly told Mr. 17 Cubrilovic only that a “bug” caused a particular user-identifying cookie—the a_user cookie—not 18 to clear on logout, advising, “We will be fixing that today.” 19 100. Facebook further admitted that the Company had not “done as good a job as we 20 could have to explain our cookie practices. Your post presents a great opportunity for us to fix 21 that.” 22 23 101. Mr. Stefancik also told Mr. Cubrilovic that “if you log out, [the lu] cookie does not contain your user ID” and is used to protect people using public computers. However, the lu 24 25 6 See Jennifer Valentino-DeVries, “Facebook Defends Getting Data from Logged Out Users,” Wall Street Journal (Sept. 26, 2011). 26 7 27 28 See Erik Sherman, Facebook’s New Policy Bust: Users Log In but They Can’t Log Out, CBS News (Sept. 26, 2011). https://www.cbsnews.com/news/facebooks-new-privacy-bust-users-login-but-they-cant-log-out-update/. 20 5:12-MD-02314-EJD-NC THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT Case 5:12-md-02314-EJD Document 157 Filed 08/25/17 Page 24 of 33 1 cookie actually did contain the encrypted user ID of the last user, so Mr. Stefancik’s comment was 2 deeply misleading. Mr. Stefancik’s comment would only be true if an intervening Facebook user 3 were to use the shared computer and then the original user returned without logging into Facebook. 4 For anyone else, the lu cookie continued to identify logged out users, and continued to do so for 5 some time thereafter. 102. 6 7 Within hours of the publication of Mr. Cubrilovic’s report, employees at Facebook realized that the company had been violating promises made in the Privacy Policy. In an email, 8 . 9 See Ex. LL, p. 1, 10 FB_MDL_00017708. The referenced Help Center page is the same page included as Exhibit K to 11 this complaint. 103. 12 13 Independently of , upon seeing Mr. Cubrilovic’s report, 14 Ex. GG, FB_MDL_00058738. 15 16 17 104. 18 (the Help Center page attached as Exhibit 19 20 K), Ex. GG, 21 FB_MDL_00058739. This Help Center page just several hours earlier, as noted above. 22 23 105. Also on the same day, September 25, 2011, 24 : 25 26 27 28 21 5:12-MD-02314-EJD-NC THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT Case 5:12-md-02314-EJD Document 157 Filed 08/25/17 Page 25 of 33 1 2 Ex. HH, FB_MDL_00043989 (underlining added). 3 4 106. Not everyone at Facebook was happy about the removing of the User ID from the lu cookie upon logout. 5 6 Ex. II, FB_MDL_00043461. 7 Id. 8 9 Id., FB_MDL_00043460. 10 11 107. Three days after the Cubrilovic revelations, on September 28, 2011, U.S. 12 Representatives Edward Markey 8 and Joe Barton, then Co-Chairmen of the Congressional Bi- 13 Partisan Privacy Caucus, submitted a joint letter to the Chairman of the Federal Trade Commission 14 urging the FTC to expand its investigation of Facebook. See Ex. JJ. The FTC had already 15 commenced an investigation related to the Like button rollout and changes to Facebook’s Privacy 16 Policy in 2010, prior to discovery of the secret and pervasive post-logout tracking. 17 18 108. The letter also expressed concern that Facebook told the Wall Street Journal on September 26, 2011 that correcting the problem “will take a while.” 19 109. Congressmen Markey and Barton stated in a press release accompanying the FTC 20 letter, “[I]n this instance, Facebook has admitted to collecting information about its users even 21 after its users had logged out of Facebook.” They continued, “We believe that tracking users 22 without their knowledge or consent raises serious privacy concerns. When users log-out of 23 Facebook, they are under the impression that Facebook is no longer monitoring their activities. 24 We believe this impression should be the reality.” 25 26 27 28 8 Congressman Markey is now Senator Markey. 22 5:12-MD-02314-EJD-NC THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT Case 5:12-md-02314-EJD Document 157 Filed 08/25/17 Page 26 of 33 110. 1 The FTC sued Facebook under Section 5 of the FTC Act for multiple counts of 2 misrepresenting its Privacy Policy, alleging that Facebook engaged in deceptive trade practices. 3 In the Matter of Facebook Inc., FTC File No. 0923184. 111. 4 On November 29, 2011, Facebook settled with the FTC, agreeing to an 5 unprecedented 20 years of independent privacy audits. No fine was levied because a civil fine is 6 not an available remedy absent a violation of a prior Commission order. 112. 7 Marc Rotenberg, Executive Director of the Electronic Privacy Information Center, 8 wrote to the FTC submitting an official comment and asking for clarification of a number of points, 9 including whether the settlement covered Facebook’s post-logout tracking revealed two months 10 prior. In response, the FTC confirmed it did. The complaint “does allege that Facebook violated 11 Section 5 of the FTC Act by falsely representing to users the protections provided by their privacy 12 settings, [and] by making other false promises regarding privacy[.]” See Letter from FTC to 13 EPIC dated July 27, 2012 at p. 3, Ex. KK (emphasis added). 14 V. 15 16 17 18 19 20 21 PLAINTIFF-SPECIFIC FACTUAL ALLEGATIONS 113. Plaintiff Davis is an adult domiciled in Illinois and has an active Facebook account and has had an active account since before April 22, 2010. 114. She accessed the Internet and visited websites containing Facebook social plugins from at least one computer that was not a shared computer. 115. On this same computer, Facebook installed user-identifying cookies while she was logged into her Facebook account. 116. Facebook failed to expire the user-identifying cookies on these computers when 22 Mrs. Davis logged out of her Facebook account. Facebook was thus able to—and in fact did— 23 track her internet use when visiting Facebook-enabled websites. 24 25 26 27 117. Plaintiff Quinn is an adult domiciled in Hawaii and has an active Facebook account and has had an active account since before April 22, 2010. 118. She accessed the Internet and visited websites with Facebook social plugins from at least one computer that was not a shared computer. 28 23 5:12-MD-02314-EJD-NC THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT Case 5:12-md-02314-EJD Document 157 Filed 08/25/17 Page 27 of 33 119. 1 2 On this same computer, Facebook installed user-identifying cookies while she was logged into her Facebook account. 120. 3 Facebook failed to expire the user-identifying cookies on these computers when 4 Prof. Quinn logged out of her Facebook account. Facebook was thus able to—and in fact did— 5 track her internet use when visiting Facebook-enabled websites. 121. 6 7 and has had an active account since before April 22, 2010. 122. 8 9 He accessed the Internet and visited websites containing Facebook social plugins from a computer he shared with his wife. 123. 10 11 Plaintiff Lentz is an adult domiciled in Virginia and has an active Facebook account On this same computer, Facebook installed user-identifying cookies while Dr. Lentz was logged into his Facebook account. 124. 12 Facebook failed to expire the user-identifying cookies on these computers when Dr. 13 Lentz logged out of his Facebook account. Facebook was thus able to—and in fact did—track his 14 internet use when visiting Facebook-enabled websites. 125. 15 16 Facebook account and has had an active account since before April 22, 2010. 126. 17 18 He accessed the Internet and visited websites containing Facebook social plugins from at least one computer that is not a shared computer. 127. 19 20 Plaintiff Vickery is an adult domiciled in Washington State and has an active On this same computer, Facebook installed user-identifying cookies while Mr. Vickery was logged into his Facebook account. 128. 21 Facebook failed to expire the user-identifying cookies on these computers when 22 Mr. Vickery logged out of his Facebook account. Facebook was thus able to—and in fact did— 23 track his internet use when visiting Facebook-enabled websites. 129. 24 None of these four plaintiffs consented to the tracking and interception of their 25 logged-off communications. 26 VI. 27 28 STATUTE OF LIMITATIONS 130. The following claims (since dismissed) were brought on a class basis within days of the public reports of post-logout tracking, and the statutes of limitations are thus tolled: 24 5:12-MD-02314-EJD-NC THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT Case 5:12-md-02314-EJD Document 157 Filed 08/25/17 Page 28 of 33 1 (1) Violation of Federal Wiretap Act; (2) Violation of the Stored Communications Act; 2 (3) Violation of CIPA § 631; (4) Invasion of Privacy; (5) Intrusion Upon Seclusion; (6) Trespass 3 to Chattels; and (7) the California Computer Crime Law. 131. 4 The two claims asserted in this Third Amended Complaint were first asserted on 5 November 30, 2015 in the Second Amended Complaint, but relate to the identical “conduct, 6 transaction or occurrence” set out in the First Amended Complaint and thus relate back to the date 7 of filing of the First Amended Complaint. All relevant statutes of limitations have therefore also 8 been tolled. 9 VII. 10 CLASS ACTION ALLEGATIONS 132. This is a class action pursuant to Rules 23(a) and (b)(3) of the Federal Rules of 11 Civil Procedure on behalf of a Class of all persons who had active Facebook accounts and used 12 Facebook between April 22, 2010 and a later date to be determined upon the completion of 13 discovery, and whose personally identifiable Internet use was tracked at times when not logged 14 into their Facebook accounts. 15 133. Excluded from the Class are the Court, Facebook, and its officers, directors, 16 employees, affiliates, legal representatives, predecessors, successors and assigns, and any entity in 17 which any of them have a controlling interest. 18 19 20 134. The members of the Class are so numerous that joinder of all members is impracticable. 135. Common questions of law and fact exist as to all members of the Class and 21 predominate over any questions affecting solely individual members of the Class. The questions 22 of law and fact common to the Class include: 23 a. whether the SRR is a legally binding contract; 24 b. whether the SRR incorporates by reference the Privacy Policy; 25 c. whether the Privacy Policy incorporates by reference the Help Center pages; 26 d. whether the claims in this action are governed by California law; 27 e. whether the lu cookie in fact included a User ID; 28 f. whether Facebook in fact failed to expire the lu cookie upon logout; 25 5:12-MD-02314-EJD-NC THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT Case 5:12-md-02314-EJD Document 157 Filed 08/25/17 Page 29 of 33 g. 1 when Facebook in fact caused the User ID contained in the lu cookie to collapse to a zero value upon logout; 2 h. 3 the length of time Facebook continued to track logged-out subscribers even after the lu cookie was fixed; 4 i. 5 whether Facebook in fact ; 6 7 j. whether Facebook in fact failed to expire the datr cookie upon logout; 8 k. whether Facebook in fact could link datr cookies to User IDs; 9 l. whether Facebook’s tracking of the Internet use of logged out subscribers was done in bad faith; and 10 m. 11 was unfair dealing. 12 13 whether Facebook’s tracking of the Internet use of logged out subscribers 136. Plaintiffs’ claims are typical of the claims of other Class members, as all members 14 of the Class were similarly affected by Facebook’s wrongful conduct in violation of federal law as 15 complained of herein. 16 137. Plaintiffs will fairly and adequately protect the interests of the members of the Class 17 and have retained counsel that is competent and experienced in class action litigation. Plaintiffs 18 have no interest that is in conflict with, or otherwise antagonistic to, the interests of the other Class 19 or Subclass members. 20 138. A class action is superior to all other available methods for the fair and efficient 21 adjudication of this controversy since joinder of all members is impracticable. Furthermore, as the 22 damages individual Class members have suffered may be relatively small, the expense and burden 23 of individual litigation make it impossible for members of the Class and Subclass to individually 24 redress the wrongs done to them. There will be no difficulty in management of this action as a 25 class action. 26 27 28 26 5:12-MD-02314-EJD-NC THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT Case 5:12-md-02314-EJD Document 157 Filed 08/25/17 Page 30 of 33 1 VIII. COUNTS 2 COUNT I 3 BREACH OF CONTRACT 4 139. Plaintiffs hereby incorporate all other paragraphs as if fully stated herein. 5 140. Facebook entered into a contract with each Plaintiff consisting of the SRR, Privacy 6 Policy, and relevant Help Center pages. 141. 7 8 The contract contains enforceable promises that Facebook made to the Plaintiffs and the Class. 142. 9 Facebook promised that it would not track user’s web browsing after log-out except 10 on an anonymous basis. If a subscriber were logged out and visited a website with Facebook 11 functionality, Facebook promised it would only receive technical information. Instead, Facebook 12 received personally-identifiable information which it directly integrated into Facebook’s database 13 entries of the very User ID that Facebook promised only to track for logged-in users. 143. 14 Under the contract, Plaintiffs and Class members transmitted personally 15 identifiable information to Facebook in exchange for use of Facebook and Facebook’s promise 16 that it would not track users’ communications or access their computing devices or web-browsers 17 while the users were logged-off of Facebook. 144. 19 20 Plaintiffs did all, or substantially all, of the things that the contract required them 145. 18 By reason of the conduct described herein, Facebook materially and uniformly to do. 21 breached its contract with Plaintiffs and each of the Class members by tracking their personally 22 identifiable Internet communications while they were logged-off of Facebook. 23 146. Facebook collects revenues in large part because the personal information 24 submitted by its users and the tracking of their Internet communications across a wide variety of 25 websites increases the value of Facebook’s advertising services. As a result of Facebook’s breach 26 of the contract, it was unjustly enriched. 27 147. Facebook is liable for at least nominal damages as a result of the breach. 28 27 5:12-MD-02314-EJD-NC THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT Case 5:12-md-02314-EJD Document 157 Filed 08/25/17 Page 31 of 33 148. 1 2 As a further result of Facebook’s breach, Plaintiffs and the class sustained non- monetary privacy damages in an amount to be proven at trial. 3 COUNT II 4 BREACH OF THE COVENANT OF GOOD FAITH AND FAIR DEALING 5 149. Plaintiffs hereby incorporate all other paragraphs as if fully stated herein. 6 150. In every contract or agreement there is an implied promise of good faith and fair 7 dealing under California law. 151. 8 9 rights of its users. 152. 10 11 In dealings between Facebook and its users, Facebook has power affecting the Facebook entered into a contract with each Plaintiff consisting of the SRR, Privacy Policy, and relevant Help Center pages. 12 153. Facebook promised to respect and protect its users’ privacy. 13 154. Facebook promised to abide by the terms of its Privacy Policy and the promises in 14 any relevant Help Center pages. 155. 15 In assurances given outside of the contractual context—for example in the 16 Facebook Pages blog and in comments made the press—Facebook assured its customers that it 17 would not track the Internet use of users who were not logged into their Facebook accounts. 156. 19 20 Plaintiffs did all, or substantially all, of the things that the contract required them 157. 18 Despite its contractual privacy promises not to track users while they were logged- to do. 21 off, Facebook took actions in breach of those contractual promises, tracking users while they were 22 logged-off thereby depriving Plaintiffs and the Class of the privacy benefits agreed to in their 23 contract with Facebook. 24 25 26 27 158. Facebook’s tracking of the Internet communications of logged-off users was objectively unreasonable given Facebook’s privacy promises. 159. Facebook’s conduct in tracking the Internet communications of logged-off users evaded the spirit of the bargain made between Facebook and the Plaintiffs. 28 28 5:12-MD-02314-EJD-NC THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT Case 5:12-md-02314-EJD Document 157 Filed 08/25/17 Page 32 of 33 160. 1 2 Facebook’s conduct in this case abused its power to specify terms—in particular, Facebook failed to accurately disclose its tracking of users while they were logged-off Facebook. 161. 3 As a result of Facebook’s misconduct and breach of its duty of good faith and fair 4 dealing, Plaintiffs and the Class suffered damages. Plaintiffs and the Class members did not 5 receive the benefit of the bargain for which they contracted and for which they paid valuable 6 consideration in the form of their personal information and privacy, which, as alleged above, has 7 ascertainable value to be proven at trial. 8 IX. WHEREFORE, Plaintiffs respectfully request that this Court: 9 A. 10 11 PRAYER FOR RELIEF Certify this action as a class action pursuant to Rule 23 of the Federal Rules of Civil Procedure; B. 12 Award compensatory and nominal damages to Plaintiffs and the Class against 13 Defendant for all damages sustained as a result of Defendant’s wrongdoing, in an amount to be 14 proven at trial, including interest thereon; C. 15 Permanently restrain Defendant, and its officers, agents, servants, employees, and 16 attorneys, from installing cookies on its users’ computers that could track the users’ computer 17 usage after logging out of Facebook or otherwise breaching its contracts with subscribers; D. 18 19 action, including counsel fees and expert fees; and E. 20 21 Award Plaintiffs and the Class their reasonable costs and expenses incurred in this X. Grant Plaintiffs such further relief as the Court deems appropriate. JURY TRIAL DEMAND The Plaintiffs demand a trial by jury of all issues so triable. 22 23 /// 24 /// 25 /// 26 27 28 29 5:12-MD-02314-EJD-NC THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT Case 5:12-md-02314-EJD Document 157 Filed 08/25/17 Page 33 of 33 1 Dated: August 25, 2017 Respectfully submitted, KAPLAN, FOX & KILSHEIMER LLP SILVERMAN, THOMPSON, SLUTKIN & WHITE LLC By: /s/ David A. Straite Frederic S. Fox (admitted pro hac vice) David A. Straite (admitted pro hac vice) 850 Third Avenue New York, NY 10022 Telephone: (212) 687-1980 Facsimile: (212) 687-7714 dstraite@kaplanfox.com By: /s/ Stephen G. Grygiel Stephen G. Grygiel (admitted pro hac vice) 201 N. Charles St., #2600 Baltimore, MD 21201 Telephone (410) 385-2225 Facsimile: (410) 547-2432 sgrygiel@mdattorney.com 2 3 4 5 6 7 8 Interim Co-Lead Counsel 9 13 Laurence D. King (206423) Mario Choi (243409) 350 Sansome Street, 4th Floor San Francisco, CA 94104 Tel.: (415) 772-4700 Fax: (415) 772-4707 lking@kaplanfox.com 14 Interim Co-Lead Counsel 10 11 12 15 16 17 ATTESTATION PURSUANT TO CIVIL LOCAL RULE 5-1(i)(3) 18 I, David A. Straite, attest that concurrence in the filing of this document has been obtained 19 from the other signatory. I declare under penalty of perjury under the laws of the United States of 20 America that the foregoing is true and correct. 21 Executed this 25th day of August, 2017, at New York, New York. 22 /s/ David A. Straite DAVID A. STRAITE 23 24 25 26 27 28 30 5:12-MD-02314-EJD-NC THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT

Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.


Why Is My Information Online?