In Re FACEBOOK INTERNET TRACKING LITIGATION

Filing 159

*** POSTED IN ERROR *** please see #160 EXHIBITS re #156 Administrative Motion to File Under Seal filed by Facebook Inc.. (Attachments: #1 Exhibit UNREDACTED Exhibit 2 to Naugle Declaration)(Related document(s) #156 ) (Brown, Matthew) (Filed on 8/29/2017) Modified on 8/29/2017 (cv, COURT STAFF).

COOLEY LLP
MICHAEL G. RHODES (116127) (rhodesmg@cooley.com)
MATTHEW D. BROWN (196972) (brownmd@cooley.com)
JEFFREY M. GUTKIN (216083) (jgutkin@cooley.com)
KYLE C. WONG (224021) (kwong@cooley.com)
101 California Street, 5th Floor
San Francisco, CA 94111-5800
Telephone: (415) 693-2000
Facsimile: (415) 693-2222

Attorneys for Defendant FACEBOOK, INC.

UNITED STATES DISTRICT COURT
NORTHERN DISTRICT OF CALIFORNIA
SAN JOSE DIVISION

In re: Facebook Internet Tracking Litigation

Case No. 12-md-02314 EJD

DECLARATION OF NATALIE NAUGLE IN SUPPORT OF DEFENDANT FACEBOOK, INC.’S RESPONSE TO PLAINTIFFS’ ADMINISTRATIVE MOTION TO FILE UNDER SEAL

JUDGE: Edward J. Davila
COURTROOM: 4
TRIAL DATE: Not Yet Set

REDACTED

Exhibit 2

COOLEY LLP ATTORNEYS AT LAW SAN FRANCISCO 149938629 v1
NAUGLE DECL. I/S/O RESPONSE TO MOTION TO FILE UNDER SEAL CASE NO. 12-MD-02314 EJD

Stephen G. Grygiel (admitted pro hac vice)
SILVERMAN THOMPSON SLUTKIN WHITE LLC
201 N. Charles Street, 26th Floor
Baltimore, MD 21201
Tel. (410) 385-2225
Fax (410) 547-2432
sgrygiel@mdattorney.com

Frederic S. Fox (admitted pro hac vice)
David A. Straite (admitted pro hac vice)
KAPLAN FOX & KILSHEIMER LLP
850 Third Avenue, 14th Floor
New York, NY 10022
Telephone: (212) 687-1980
Facsimile: (212) 687-7714
dstraite@kaplanfox.com

Laurence D. King (206423)
Mario Choi (243409)
KAPLAN FOX & KILSHEIMER LLP
350 Sansome Street, 4th Floor
San Francisco, CA 94104
Tel.: (415) 772-4700
Fax: (415) 772-4707
lking@kaplanfox.com

IN THE UNITED STATES DISTRICT COURT
FOR THE NORTHERN DISTRICT OF CALIFORNIA
SAN JOSE DIVISION

IN RE: FACEBOOK, INC. INTERNET TRACKING LITIGATION

No. 5:12-md-02314-EJD-NC

THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT FOR:
I. BREACH OF CONTRACT
II. BREACH OF IMPLIED COVENANT OF GOOD FAITH AND FAIR DEALING

DEMAND FOR JURY TRIAL

REDACTED VERSION OF DOCUMENT SOUGHT TO BE SEALED

5:12-MD-02314-EJD-NC THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT

TABLE OF CONTENTS

I. INTRODUCTION
II. JURISDICTION AND VENUE
III. THE PARTIES
IV. FACTUAL ALLEGATIONS
    A. The Facebook Statement of Rights and Responsibilities
    B. The Privacy Policy
    C. The Help Center
    D. How Facebook Tracks Internet Use Through the “Like” Button
    E. Facebook Promised Not to Track Logged-Out Subscribers
    F. Facebook Breached Its Promise Not To Track Logged-Out Subscribers
        1. Background
        2. Facebook Failed to Expire User-Identifying Cookies Upon Logout
        3. Facebook Wrote New User-Identifying Cookies to the Browsers of Logged-Out Users
    G. Facebook’s Post-Logout Tracking Breached Expectations of Good Faith and Fair Dealing
    H. Facebook’s Post-Logout Tracking Revealed
V. PLAINTIFF-SPECIFIC FACTUAL ALLEGATIONS
VI. STATUTE OF LIMITATIONS
VII. CLASS ACTION ALLEGATIONS
VIII. COUNTS
    COUNT I
    BREACH OF CONTRACT
    COUNT II
    BREACH OF THE COVENANT OF GOOD FAITH AND FAIR DEALING
IX. PRAYER FOR RELIEF
X. JURY TRIAL DEMAND

I. INTRODUCTION

1. On April 22, 2010, defendant Facebook, Inc. (“Facebook” or “Defendant”) launched the “Like” button outside of the Facebook domain.
Within weeks it became the single most important social plugin ever created, quickly surpassing Facebook’s “Share” button.

2. Less than five weeks after the Like button launch, 50,000 websites had installed it; less than ten weeks after launch, web site consultants were calling it “ubiquitous.” By June 2012, a quarter of the top 10,000 websites formally integrated Facebook plugins just on their homepages. By November 2013, Facebook claimed on its developer blog that its Like and Share buttons drove more referral traffic than all other social networks combined.

3. Today, Facebook says that web pages containing the Like button and its other plugins are viewed more than 30 billion times each day, and more than 7 million websites now incorporate them. As the Huffington Post summed up, the Like button is now “omnipresent.”

4. When a Facebook subscriber logs into his or her Facebook account, a number of “cookies”—including session cookies and tracking cookies—are written to the user’s browser. Several of these cookies can be used to identify the subscriber. When a subscriber visits a webpage with a Facebook social plugin (such as the Facebook Like button), Facebook and the first-party website cause the user’s browser to re-direct the user’s communication, via the file path of the referrer URL of the page being requested, along with all available Facebook tracking and session cookies, to Facebook in real-time.

5. The re-directed communications are acquired by Facebook regardless of whether the subscriber actually clicks on a Like or Share button or even knows of its existence. Thirty billion times per day, Facebook causes computers around the world to report the real-time Internet communications of more than one billion people—including the entire file path of URLs containing sensitive, personal content—to Facebook.
When Facebook’s session and tracking cookies link the URLs to specific persons, anonymity disappears. Facebook can link the web browsing of more than one billion people to their actual identities.

6. Given the enormous privacy implications of Facebook’s ubiquitous insight into web traffic, Facebook promised subscribers that it would not receive user-identifying cookies via its plugins on third-party websites if the subscriber interacts with these websites while logged out of Facebook. Facebook made this promise from the very first day Facebook launched the Like button. From the very first day, however, Facebook broke this promise; logging out did not remove all user-identifying cookies and in fact new user-identifying cookies were written to the browsers of logged-out subscribers via the plugins. Discovery has revealed that from the very first day, Facebook knew it was breaching its contractual promises, and chose to keep this breach quiet despite internal concerns.

7. On September 25, 2011, an independent researcher in Australia publicly revealed that logging out of a Facebook account failed to remove user-identifying cookies—in particular the c_user, lu and datr cookies. The following day (September 26, 2011), the story was picked up by the Wall Street Journal, and circulated around the world. Congress demanded (and received) testimony from Facebook, and the FTC investigated.

8. Facebook quickly admitted the problem, and at some point prior to October 3, 2011, issued fixes with respect to the c_user and lu cookies. But Facebook continued to use the datr cookie to track subscribers post-logout after October 3, 2011.

9. The plaintiffs are four Facebook subscribers whose Internet use was tracked by Facebook after April 22, 2010 while the plaintiffs were logged out of their Facebook accounts.
They bring claims for breach of contract and breach of the implied covenant of good faith and fair dealing on behalf of themselves and other similarly-situated Facebook subscribers in the United States (the “Class”).

II. JURISDICTION AND VENUE

10. This Court has personal jurisdiction over Defendant Facebook because Facebook is headquartered in this District.

11. This Court has subject matter jurisdiction pursuant to the Class Action Fairness Act (“CAFA”), 28 U.S.C. § 1332(d), because this is a class action in which the amount in controversy exceeds $5,000,000, and at least one member of the class is a citizen of a state other than California or Delaware.

12. This Court also has discretionary supplemental jurisdiction over the state law claims in this action pursuant to 28 U.S.C. § 1367 because the state law claims form part of the same case or controversy as those that give rise to two previously asserted but dismissed federal claims under the Federal Wiretap Act, 18 U.S.C. § 2511 (the “Wiretap Act”) and the Stored Communication Act, 18 U.S.C. § 2701 (“SCA”).

13. Venue is proper in this District because Defendant Facebook is headquartered in this District. In addition, the Facebook Statements of Rights and Responsibilities in force since April 22, 2010, which governs the relationship between Facebook and its subscribers—including the plaintiffs—provides for exclusive venue in state or federal courts located in Santa Clara County, California.

III. THE PARTIES

14. Plaintiff Mrs. Perrin Davis (“Davis”) is an adult domiciled in Illinois. Davis has had an active Facebook account since before April 22, 2010.

15. Plaintiff Prof. Cynthia Quinn (“Quinn”) is an adult domiciled in Hawaii. Quinn has had an active Facebook account since before April 22, 2010.

16. Plaintiff Dr. Brian Lentz (“Lentz”) is an adult domiciled in Virginia. Lentz has had an active Facebook account since before April 22, 2010.

17. Plaintiff Mr. Matthew Vickery (“Vickery”) is an adult domiciled in Washington State. Vickery has had an active Facebook account since before April 22, 2010.

18. Defendant Facebook is a Delaware corporation which maintains its headquarters at 1 Hacker Way, Menlo Park, California 94025. Facebook is a “social network” that permits its members to interact with one another through a web site located at www.facebook.com. Facebook has surpassed 2 billion monthly active users, more than 200 million of whom reside in the United States.

IV. FACTUAL ALLEGATIONS

A. The Facebook Statement of Rights and Responsibilities

19. The agreement governing Facebook’s relationship with subscribers starts with the “Statement of Rights and Responsibilities” or “SRR.” The SRR incorporates a number of other documents by reference and hyperlinks.[1] The oldest relevant SRR is dated April 22, 2010, and is attached to this complaint as Exhibit A.

[1] A hyperlink electronically provides direct access from one internet location/file to another, typically by clicking a highlighted word or icon.

20. Updated SRRs produced in discovery are dated August 25, 2010 (see Exhibit B), October 4, 2010 (see Exhibit C) and April 26, 2011 (see Exhibit D).

21. Each of these SRRs, regardless of date, provides that “[t]he laws of the State of California will govern this Statement, as well as any claim that might arise between you and us, without regard to conflict of law provisions.” See, e.g., SRR dated April 22, 2010 at ¶ 15, Ex. A, FB_MDL_00000014.

22. Subscribers agree to the terms of the SRR upon initial creation of the account.

23. In the preamble, the SRR also provides that the agreement renews each and every time a subscriber uses the website: “By using or accessing Facebook, you agree to this Statement.” Ex. A, FB_MDL_00000012.

24. The very first section of the SRR governs privacy, stating:

    Your privacy is very important to us. We designed our Privacy Policy to make important disclosures about how you can use Facebook to share with others and how we collect and can use your content and information. We encourage you to read the Privacy Policy, and to use it to help make informed decisions.

Ex. A. at ¶ 1, FB_MDL_00000012.

25. In the language excerpted above, the words “Privacy Policy” were hyperlinked on the Facebook website and linked directly to the Privacy Policy.[2]

[2] As of April 26, 2011, the name of this policy was changed to the “Data Use Policy.”

26. The SRR dated April 22, 2010 includes six documents incorporated by reference and hyperlinked at the end of the document: (1) the Privacy Policy (later called the Data Use Policy), (2) the Payment Terms, (3) the Platform Policy, (4) Developer Principles and Policies, (5) Advertising Guidelines, and (6) Promotions Guidelines (together, the “Additional Documents”). See Ex. A, FB_MDL_00000014. Later SRRs include additional links.

27. Immediately to the right of “Privacy Policy:” Facebook states: “The Privacy Policy is designed to help you understand how we collect and use information.” Ex. A, FB_MDL_00000014.

28. Each of the Additional Documents is an agreement with terms agreed to by Facebook and subscribers. For example, the Payment Terms use the phrase “you agree” more than a dozen times.

29. Each of the Additional Documents is incorporated by reference and hyperlink into the SRR, and together form a single agreement.

30. Each of the Additional Documents contains hyperlinks back to the SRR, and each contains at least one hyperlink to the Privacy Policy.

31. Some of the Additional Documents also link to each other; for example, the Payment Terms hyperlink to the Advertising Policy.

32. The SRR states that “[t]his Statement makes up the entire agreement between the parties regarding Facebook[.]” See, e.g., SRR dated April 22, 2010 at ¶ 18.1, Ex. A. FB_MDL_00000014.

33. Facebook did not intend paragraph 18.1 to render all Additional Documents legal nullities but rather to confirm that the SRR includes the hyperlinked Additional Documents—they function as a single agreement.

B. The Privacy Policy

34. Historical versions of the Privacy Policy produced in discovery to date are provided as Exhibits E through H to this complaint.

35. The Privacy Policy is incorporated by reference and hyperlink into the SRR.

36. Several terms in the Privacy Policy are defined with reference to the SRR, see e.g., Ex. E, ¶ 4 (“Facebook Platform”), FB_MDL_00000008, and changes to the Privacy Policy can only be made in accordance with the SRR. See, e.g., Ex. G, ¶ 9, FB_MDL_00000036.

37. The Privacy Policy is an agreement. For example, in the September 7, 2011 version, under the “Change of Control” section, Facebook states, “If the ownership of our business changes, we may transfer your information to the new owner so they can continue to operate the service. But they will still have to honor the commitments we have made in this privacy policy.” Ex. H, Section VI (Change of Control) (emphasis added), FB_MDL_00000048.

38. Additionally, in earlier versions of the Privacy Policy, the terms were referred to as “promises” rather than “commitments.” See, e.g., Ex. G, ¶ 6, Transfer in Event of Sale or Change of Control (“In such a case, your information would remain subject to the promises made in any pre-existing Privacy Policy”), FB_MDL_00000035.

39. Likewise, in the December 22, 2010 version, Facebook states, “By using or accessing Facebook, you agree to our privacy practices outlined here.” See Ex. G, ¶ 1 (Scope), FB_MDL_00000032. This language is nearly identical to the binding language in the SRR. See also id. ¶ 9 (“By using Facebook, you consent to having your personal data transferred to and processed in the United States.”), FB_MDL_00000036.

C. The Help Center

40. Relevant portions of Facebook’s Help Center produced in discovery are attached to this complaint as Exhibits I through S and MM through PP.

41. The Privacy Policy is long, dense, and complicated. A December 8, 2011 inquiry from the United States House of Representatives noted that Facebook’s privacy policy was “longer than that of all other social networks and exceed in length the United States Constitution . . . . We are concerned . . . that long, complex privacy policy statements make it difficult for consumers to understand how their information is being used.” See Ex. T., p. 8, FB_MDL_00000247.

42. In its January 6, 2012 response to the Congressional inquiry, Facebook agreed:

    We also agree that long and complex privacy policies can make it difficult for consumers to understand how their information is being used. . . . we use a layered approach, summarizing our practices on the front page and then allowing people to click through the Policy for more details.

Id. at 9, FB_MDL_00000248.

43. The Privacy Policy repeatedly hyperlinked to Facebook’s Help Center (consisting of a series of “frequently asked questions”) as a part of this “layered approach,” and the Help Center is thus incorporated into the Privacy Policy by reference and hyperlink. It is impossible to understand the Privacy Policy without the Help Center.

44. The Privacy Policy repeatedly directs subscribers, via reference and hyperlink, to the Help Center for more information. The April 22, 2010 Privacy Policy, for example, linked to the Help Center 18 times. See generally Ex. A.

45. Sometimes, Facebook would migrate language between the Help Center and the body of the Privacy Policy, underscoring the unified nature of these pages.

46. For example, in its description of “cookies,” the Privacy Policy discloses that “we use them to store your login ID . . . to make it easier for you to login whenever you come back to Facebook. We also use them to confirm that you are logged into Facebook.” Ex. F, ¶ 2 (Cookie Information), FB_MDL_00000028. Near exact language also appears in the Help Center page, “How does Facebook use cookies?” See Ex. N, FB_MDL_00064915.

D. How Facebook Tracks Internet Use Through the “Like” Button

47. When signing up for a Facebook account, subscribers fill out an electronic form, sending communications to Facebook which personally identifies them:

48. Each Facebook subscriber manually enters his or her first and last name, email address, a password, gender, and birthdate before signing-up.

49. Facebook then creates a database entry for the new user in an internal database called  and assigns a unique user ID to the subscriber. Facebook also writes a number of cookies to the user’s web browser that Facebook correlates with the information in the  database. As each user encounters more Facebook partner websites while logged into Facebook, Facebook adds the information to the user’s database entry.

50. When an Internet user lands on a webpage with an integrated Facebook social plugin, the user’s browser is instructed to redirect the communications, along with several Facebook cookies, to Facebook, which can then be added to the  database. Facebook acquires this information before the communications are completed.

51. Cookies are small text files that web-servers can place on a person’s web-browser and computing device when that person’s web-browser interacts with a website server. Different cookies perform different functions. Some cookies were designed to track and record an individual Internet user’s communications with and activities on websites across the Internet.

52. The process for logged-in users differs from that of logged-out users. When a Facebook subscriber is logged into Facebook at the time he visits a third-party website that contains a Facebook plugin, the user’s browser will contain several Facebook cookies.

53. In 2010 and 2011, Facebook wrote cookies to the browsers of logged-in users as illustrated in the chart below. As can be seen below, , in addition to the c_user (or a_user) cookie:

e. Facebook also assigns each browser a unique identifier (the datr cookie) which can and does identify actual current users when a computer is not a shared computer.

See Ex. U, FB_MDL_00005501.

f. Indeed, Facebook publicly confirmed in its response to Mr. Cubrilovic (available on his blog): “We also maintain a cookie association between accounts and browsers.”

g. Finally, .

55. When a logged-in subscriber visits a webpage with a Facebook Like button, a copy of the referrer URL is acquired by Facebook along with the cookies noted above.

56. Facebook acquires an enormous amount of individualized data for each communication.
Facebook receives the full referral URL (including the exact subpage of the precise items being purchased or viewed), and through the use of cookies, correlates that URL with the user ID, time stamp, browser settings, and even the type of browser used. Facebook not only acquires an exact copy of the user’s communication with, for example, Walmart, but can put the communication in the precise context of the time of day and other user actions on the same website. Facebook acquires all of this information before the communications between the user and the third-party website are completed.

E. Facebook Promised Not to Track Logged-Out Subscribers

57. The very first section of the SRR governs privacy, stating:

    Your privacy is very important to us. We designed our Privacy Policy to make important disclosures about how you can use Facebook to share with others and how we collect and can use your content and information. We encourage you to read the Privacy Policy, and to use it to make informed decisions.

Ex. A. at ¶ 1, FB_MDL_00000012. The words “Privacy Policy” above were hyperlinked to the Privacy Policy on the Facebook website, and starting September 7, 2011, linked to the Data Use Policy.

58. The Privacy Policy is incorporated into and is a part of the Facebook – user contract.

59. Implicitly, Facebook agrees in its contract with users that it would respect user privacy and not collect data in ways not agreed to in the Privacy Policy. It is therefore an implicit term of the SRR that Facebook would not track users post-logout using user-identifying cookies.

60. The Data Use Policy dated Sept. 7, 2011 states:

    We receive data whenever you visit a . . . site with a Facebook feature (such as a social plugin). This may include the date and time you visit the site; the web address, or URL, you’re on; technical information about the IP address, browser and the operating system you use; and, if you are logged in to Facebook, your User ID.

Ex. H, FB_MDL_00000043. This provision, explaining that Facebook will receive a user-identifying cookie when “you are logged in to Facebook,” implicitly promises to the average user that Facebook will not receive such a cookie when the user is not logged in.

61. The Help Center pages are incorporated by reference into the Privacy Policy and are a part of the contract.

62. In the Help Center page, “Does Facebook use cookies if I don’t have an account or have logged out of my account?” Facebook promised: “When you log out of Facebook, we remove the cookies that identify your particular account[.]” Ex. I, FB_MDL_00064918.

63. In the Help Center page, “What information does Facebook receive about me when I visit a website with a Facebook social plugin?” Facebook explained that it receives “technical information” about IP addresses, browsers, and operating systems to help “optimize your experience . . . or let[] us know that you are logged into Facebook.” Ex. J, FB_MDL_00064922. Facebook implicitly promised in this section that it would not receive user-identifying information if the user logged out of Facebook.

64. In a later version of the same Help Center page, Facebook explicitly added: “If you are logged into Facebook, we also see your user ID number and email address.” Ex. K, FB_MDL_00064913 (emphasis added). Because Facebook limited this language to logged-in users, Facebook promised that if the user were not logged in, Facebook would not “see your user ID number and email address.”

65. In an even later version of the same Help Center page, Facebook made its promise more explicit, adding:

    If you’re logged out or don’t have a Facebook account and visit a website with the Like button or another social plugin, your browser sends us a more limited set of information. For example, because you’re not logged in to Facebook, we don’t receive your user ID.

Ex. M, FB_MDL_00064920 (emphasis added). This exact language also appeared in a second Help Center page. See Ex. L, FB_MDL_00064919.

66. In Help Center “Does Facebook have the ability to see what I’m doing on non-Facebook sites?” Facebook reminded users that it would not be able to see what users do on other websites unless the user logs in:

    Does Facebook have the ability to see what I’m doing on non-Facebook sites?

    Facebook cannot track your actions on external sites unless you decide to connect your Facebook account to that site and/or explicitly decide to publish a story to your Wall via the Like button. For example, if you are on Digg, and digg an article or comment on an article, Facebook will only be notified of the actions for which Digg wants to create a story. Facebook will have no access to other actions you have taken or other information involving your Digg account.

    To take advantage of the ability to generate stories from another site, you must “connect” your Facebook account to that site, or otherwise be logged into Facebook while you interact with one of these sites.

Ex. MM, FB_MDL_00064926 (emphasis added); see also Ex. NN, FB_MDL_00064927 (same); Ex. OO, FB_MDL_00064928 (same); Ex. PP, FB_MDL_00064929 (same).

67. In the Help Center page, “How do social plugins work?”, Facebook promised:

    You only see a personalized experience with your friends if you are logged into your Facebook account. If you are not already logged in, you will be prompted to log in to Facebook before you can use a plugin on another site.
    At a technical level, social plugins work when external websites put an iframe from Facebook.com on their sites, as if they were agreeing to give Facebook some real estate on their websites. When you visit one of these sites, the Facebook iframe can recognize if you are logged into Facebook. If you are logged in, it’ll show personalized content within the plugin as if you were on Facebook.com directly. Even though the iframe is not on Facebook, it is designed with all the privacy protections as if it were.

Ex. R, FB_MDL_00064901 (emphasis added); see also Ex. S, FB_MDL_00064905 (same). Implicit in this Help Center page is the promise that Facebook would remove any user-identifying cookies from browsers of users who had logged out.

F. Facebook Breached Its Promise Not To Track Logged-Out Subscribers

1. Background

68. As soon as the Like button was rolled out on April 22, 2010, Facebook found it had a problem— . If user identities were disaggregated from web history, the value of the Like button would diminish substantially.

69. Facebook product manager Austin Haugen noted in an internal email, dated October 28, 2010,

See Ex. W, p. 1, FB_MDL_00007340.

70. A few months later, after reviewing detailed cookie data, Mr. Haugen determined that only approximately

See Ex. X, p. 4, FB_MDL_00005394.

71. The genesis for these discussions was pressure coming directly from . In an email dated September 21, 2010, Mr. Haugen wrote:

See Ex. Y, p. 2, FB_MDL_00002731.

72. As an alternative to convincing subscribers to stay logged in, Facebook came up with an easy interim solution: break Facebook’s promise and track users post-logout. This was done by failing to delete cookies containing User IDs (such as lu), by continuing to use the datr cookie and associating that cookie with User IDs, .
27 28 13 5:12-MD-02314-EJD-NC THIRD AMENDED CONSOLIDATED CLASS ACTION COMPLAINT 73. 1 2 At the same time, three Facebook employees filed a patent application (later assigned to Facebook), facilitating the post-logout tracking of Facebook users on other websites. 74. 3 On February 8, 2011, Kent Matthew Schoen, Gregory Luc Dingle, and Timothy 4 Kendall (Facebook’s “Director of Monetization”) filed a patent application entitled 5 “Communicating Information in a Social Network System about Activities from Another 6 Domain.” 4 As the first claim in the Patent Application explains, the applicants were seeking to 7 patent: 8 A method for tracking information about the activities of users of a social networking system while on another domain, the method comprising: maintaining a profile for each of one or more users of the social networking system . . .; receiving one or more communications from a third-party website having a different domain than the social network system, each message communicating an action taken by a user of the social networking system on the third-party website; logging the actions taken on the third-party website in the social networking system . . .; and correlating the logged actions with one or more advertisements presented to one or more users. 9 10 11 12 13 Patent Application at 2. 14 75. The detailed description of this tracking method reveals that it enables Facebook to 15 capture and log actions taken by Facebook users on websites other than Facebook, even when the 16 user is not logged in: 17 [0054] As described above, in particular embodiments, the social network system 100 also logs actions that a user takes on a third party website 140. The social network system 100 may learn of the user’s actions on the third party website via any of a number of methods. 
In particular embodiment, in response to certain actions such as, a user registering with a third-party website 140, purchasing a product from a third-party website 140, downloading a service from a third-party website 140, or otherwise making a conversion, the third-party website 140 transmits a conversion page, such as a confirmation or “thank you” page to the user at the user’s client device. In particular embodiment, this page includes an embedded call or code segment (e.g., JavaScript) in the HTML or other structured document code (e.g., in an HREF (Hypertext REFerence) that, in particular embodiments, generates a tracking pixel that, when executed by the client’s browser or other rendering application, generates a tracking pixel or image tag that is then transmitted to the social network system (whether the user is logged into the social network system or not). The tracking pixel or image tag then communicates various information to the social network system about the user’s action on the third-party website. By way of example, the tracking pixel or call may transmit parameters such as the user’s ID (user ID as registered with the social network system), a product ID, information about the third-website, timestamp information about the timing of the purchase or other action, etc. In one example, if the third party website 140 is a commercial website on which users may purchase items, the third party website 140 may inform the social network system 100 in this manner when a user of the social network system 100 buys an item on the third party website 140.

Patent Application at 5.

4 See U.S. Patent Application No. 20110231240, filed February 8, 2011 and published September 22, 2011 (the “Patent Application”) at 1.

76. In certain circumstances, Facebook has to hack its way past data protection software to do this: Facebook deposits a cookie that deliberately and without a user’s consent bypasses security settings on the user’s browser for the purpose of gathering intelligence about what the user does on the Internet in real time, such as what sites are visited, whether purchases are made, or whether information is downloaded or a link forwarded to a friend. This information is instantly relayed back to Facebook, substantially enhancing the value of Facebook’s vast repository of personal data. This is all done whether the Facebook user is logged onto Facebook or logged off.

77. Technically, this is how the Patent Application describes the bypass:

[0099] In one embodiment, the third party website 140 and/or the social network system 100 determine whether the user is a user of the social network system 100. For example, the third party website 140 may access a cookie on the user’s computer, where the cookie is associated with the social network system 100. Since the social network system 100 and the third party website 140 are on different domains, the user’s browser program may include security features that normally prevent a website from one domain from accessing content on other domains. To avoid this, the third party website 140 may use nested iframes, where the third party website 140 serves a web page that includes a nested iframe in the social network website’s domain, thereby allowing the nested iframe to access the user information and send the information back to the third party website 140. Repeated nesting of iframes further allows the social networking site 100 to communicate information back to the third party website 140. By using this technique, the third party website 140 and the social network system 100 can communicate about the user without sharing any of the user’s personal information and without requiring the user to log into the social network system 100.
Patent Application 10-11 (emphasis added).

78. Although Facebook’s name does not appear in the Patent Application, the Patent Application is listed in the U.S. Patent & Trademark Office database as assigned to Facebook. Tellingly, Mr. Kendall, Facebook’s “Director of Monetization,” is not an inventor nor a computer scientist. According to his LinkedIn profile, Mr. Kendall’s job description at Facebook is “Product Strategy & Development for Facebook’s revenue generating products.” Essentially, Mr. Kendall is charged with devising creative ways to sell user information to advertisers and third-party websites.

2. Facebook Failed to Expire User-Identifying Cookies Upon Logout

79. To comply with its promise to remove user-identifying cookies upon logout, Facebook reset the c_user cookie from the browser. This is the basic user ID cookie, but as noted by Mr. Cubrilovic, it didn’t actually clear until the session expired. Facebook only changed its state from a persistent cookie to a session cookie—meaning it never actually was removed post-logout unless and until the user actually closed and restarted the browser.

80. Far worse, Facebook knowingly kept two other user-identifying cookies in place for the explicit purpose of tracking users post-logout, even after the expiration of the session. noted on February 7, 2011: See Ex. V (emphasis added), FB_MDL_00005416.

81. Two weeks later, on February 19, 2011, Facebook employee Douglas Purdy drafted a table which acknowledged that the were still present for logged out users. See Ex. U, FB_MDL_00005503-04. Facebook engineer Matt Jones made a number of revisions and comments, and said Id. at 2 (emphasis added), FB_MDL_00005502.

82. Mr. Himel concluded by saying: See Ex. U, p. 1, FB_MDL_00005501.

3.

83. .

84. On June 5, 2010, an engineering task was created called Facebook engineering director Alex Himel commented, See Ex. Z, FB_MDL_00000734.

85. On June 7, 2010, Mr. Himel created a task with the tag and assigned it to engineer Chuck Rossi. The task noted: See Ex. AA, FB_MDL_00005470 (underlining added).

86. The following month, July 2010, Mr. Himel but noted later in an August 19, 2010 email that changes still had not been made: Ex. BB, FB_MDL_00002992.

87. Even after Mr. Himel’s August 19 email above, . For example, on January 28, 2011, Alex Himel noted that See Ex. CC, FB_MDL_00000622. An unknown Facebook employee responded, Id. (emphasis added).

88. For example, Facebook engineering director Alex Himel assigned to engineer Adam Wolff on January 27, 2011: See Ex. DD, FB_MDL_00005356.

G. Facebook’s Post-Logout Tracking Breached Expectations of Good Faith and Fair Dealing

89. The Facebook Privacy Policy, which includes the Help Center pages, is consistent with all public representations made by Facebook. For example, on April 26, 2010, Facebook explained how the social plug-ins affect Facebook users on its “Facebook Notes” blog. Facebook was clear that “you only see a personalized experience with your friends if you are logged into your Facebook account.” This is identical language to the Help Center page shown in Exhibit R, FB_MDL_00064901.

90. In 2010, when privacy rights and civil liberties organizations raised a number of privacy concerns associated with social plug-ins and other changes to the Facebook Privacy Policy, it was believed and understood that Facebook was only tracking logged in users via the Like button.
So, for example, the ACLU, Center for Democracy and Technology, Center for Digital Democracy, Consumer Action, Consumer Watchdog, Electronic Privacy Information Center, Electronic Frontier Foundation, and the Privacy Rights Clearinghouse jointly wrote to Facebook CEO Mark Zuckerberg regarding a number of “outstanding privacy problems.” See Open Letter dated June 16, 2010, attached as Ex. EE. The authors objected that the Like buttons “provide Facebook with information about every visit to the site by anyone who is logged in to Facebook[.]” Id. at 2 (emphasis added). Not one of these well-respected and tech-savvy privacy groups understood or believed that Facebook was also tracking logged out as well as logged in users, which would have been a far more serious concern.

91. From the start of the rollout of the Like button and thereafter, Facebook consistently told the public that it was not tracking users post-logout. In a series of interviews with USA Today in mid-November, 2011, for example, Facebook said it did not log any personal information associated with Internet surfing by logged out users—all logging would be done only by an anonymous browser cookie. When asked if even the anonymous data could somehow be re-associated with the browsing history, Facebook reiterated: “We’ve said that we don’t do it, and we couldn’t do it without some form of consent and disclosure.”5

H. Facebook’s Post-Logout Tracking Revealed

92. In 2010, Australian researcher and blogger Nik Cubrilovic discovered that Facebook cookies were tracking users’ Internet communications even after users had logged out of Facebook.

93. Cubrilovic’s investigation revealed that several personally identifiable cookies remained on users’ browsers post logout, and that some cookies (for example, the lu and datr cookies) even remained after the browser was closed and restarted.
Despite its representations to the contrary, Facebook was in fact secretly tracking its users’ Internet communications after logout via these cookies that Facebook had promised it had removed.

94. Mr. Cubrilovic contacted Facebook on November 14, 2010 to report his findings and ask Facebook to fix the problem. He received no response. Again, on January 12, 2011, Mr. Cubrilovic wrote to Facebook alerting it to his findings. Again, Facebook refused to respond. Mr. Cubrilovic of course had no way of knowing that Facebook .

95. On September 25, 2011, Mr. Cubrilovic made his findings public. He wrote, “Even if you are logged out, Facebook still knows and can track every page you visit.” He explained that “[t]his is not what ‘logout’ is supposed to mean – Facebook is only altering the state of the cookies instead of removing all of them when a user logs out.” Mr. Cubrilovic had revealed what See Ex. V (emphasis added), FB_MDL_00005416.

5 See Acohido, Byron, How Facebook Tracks you across the Web, USA TODAY, Nov. 16, 2011. http://www.usatoday.com/tech/news/story/2011-11-15/facebook-privacy-trackingdata/51225112/1.

96. Mr. Cubrilovic’s blog post spread globally and was picked up the next day by the Wall Street Journal, in addition to dozens of other news outlets.6 Journalist Erik Sherman, writing for CBS News, for example, succinctly expressed Facebook users’ feelings:

Many who use Facebook who don’t like the idea of other sites reporting information back have typically logged out of the system before going elsewhere. (I know I have.) What Cubrilovic argues is that this does no good[.]7

97. Facebook told the Wall Street Journal that the user-identifying data was not “logged” and the information is “quickly deleted” anyway.

98. These statements to the Wall Street Journal were incorrect included as Exhibit FF, FB_MDL_00053202, the story was corrected to remove Facebook’s assurances regarding logging and deletion.

99. On the same day, Facebook engineer Gregg Stefancik contacted Mr. Cubrilovic and admitted that Cubrilovic raised “important issues.” Mr. Stefancik, however, never disclosed that . Instead, he misleadingly told Mr. Cubrilovic only that a “bug” caused a particular user-identifying cookie—the a_user cookie—not to clear on logout, advising, “We will be fixing that today.”

100. Facebook further admitted that the Company had not “done as good a job as we could have to explain our cookie practices. Your post presents a great opportunity for us to fix that.”

101. Mr. Stefancik also told Mr. Cubrilovic that “if you log out, [the lu] cookie does not contain your user ID” and is used to protect people using public computers. However, the lu cookie actually did contain the encrypted user ID of the last user, so Mr. Stefancik’s comment was deeply misleading. Mr. Stefancik’s comment would only be true if an intervening Facebook user were to use the shared computer and then the original user returned without logging into Facebook. For anyone else, the lu cookie continued to identify logged out users, and continued to do so for some time thereafter.

6 See Jennifer Valentino-DeVries, “Facebook Defends Getting Data from Logged Out Users,” Wall Street Journal (Sept. 26, 2011).

7 See Erik Sherman, Facebook’s New Policy Bust: Users Log In but They Can’t Log Out, CBS News (Sept. 26, 2011). https://www.cbsnews.com/news/facebooks-new-privacy-bust-users-login-but-they-cant-log-out-update/.

102. Within hours of the publication of Mr. Cubrilovic’s report, employees at Facebook realized that the company had been violating promises made in the Privacy Policy.
In an email, . See Ex. LL, p. 1, FB_MDL_00017708. The referenced Help Center page is the same page included as Exhibit K to this complaint.

103. Independently of , upon seeing Mr. Cubrilovic’s report, Ex. GG, FB_MDL_00058738.

104. (the Help Center page attached as Exhibit K), Ex. GG, FB_MDL_00058739. This Help Center page just several hours earlier, as noted above.

105. Also on the same day, September 25, 2011, : Ex. HH, FB_MDL_00043989 (underlining added).

106. Not everyone at Facebook was happy about the removing of the User ID from the lu cookie upon logout. Ex. II, FB_MDL_00043461. Id. Id., FB_MDL_00043460.

107. Three days after the Cubrilovic revelations, on September 28, 2011, U.S. Representatives Edward Markey8 and Joe Barton, then Co-Chairmen of the Congressional Bi-Partisan Privacy Caucus, submitted a joint letter to the Chairman of the Federal Trade Commission urging the FTC to expand its investigation of Facebook. See Ex. JJ. The FTC had already commenced an investigation related to the Like button rollout and changes to Facebook’s Privacy Policy in 2010, prior to discovery of the secret and pervasive post-logout tracking.

108. The letter also expressed concern that Facebook told the Wall Street Journal on September 26, 2011 that correcting the problem “will take a while.”

109. Congressmen Markey and Barton stated in a press release accompanying the FTC letter, “[I]n this instance, Facebook has admitted to collecting information about its users even after its users had logged out of Facebook.” They continued, “We believe that tracking users without their knowledge or consent raises serious privacy concerns. When users log-out of Facebook, they are under the impression that Facebook is no longer monitoring their activities.
We believe this impression should be the reality.”

8 Congressman Markey is now Senator Markey.

110. The FTC sued Facebook under Section 5 of the FTC Act for multiple counts of misrepresenting its Privacy Policy, alleging that Facebook engaged in deceptive trade practices. In the Matter of Facebook Inc., FTC File No. 0923184.

111. On November 29, 2011, Facebook settled with the FTC, agreeing to an unprecedented 20 years of independent privacy audits. No fine was levied because a civil fine is not an available remedy absent a violation of a prior Commission order.

112. Marc Rotenberg, Executive Director of the Electronic Privacy Information Center, wrote to the FTC submitting an official comment and asking for clarification of a number of points, including whether the settlement covered Facebook’s post-logout tracking revealed two months prior. In response, the FTC confirmed it did. The complaint “does allege that Facebook violated Section 5 of the FTC Act by falsely representing to users the protections provided by their privacy settings, [and] by making other false promises regarding privacy[.]” See Letter from FTC to EPIC dated July 27, 2012 at p. 3, Ex. KK (emphasis added).

V. PLAINTIFF-SPECIFIC FACTUAL ALLEGATIONS

113. Plaintiff Davis is an adult domiciled in Illinois and has an active Facebook account and has had an active account since before April 22, 2010.

114. She accessed the Internet and visited websites containing Facebook social plugins from at least one computer that was not a shared computer.

115. On this same computer, Facebook installed user-identifying cookies while she was logged into her Facebook account.

116. Facebook failed to expire the user-identifying cookies on these computers when Mrs. Davis logged out of her Facebook account.
Facebook was thus able to—and in fact did—track her internet use when visiting Facebook-enabled websites.

117. Plaintiff Quinn is an adult domiciled in Hawaii and has an active Facebook account and has had an active account since before April 22, 2010.

118. She accessed the Internet and visited websites with Facebook social plugins from at least one computer that was not a shared computer.

119. On this same computer, Facebook installed user-identifying cookies while she was logged into her Facebook account.

120. Facebook failed to expire the user-identifying cookies on these computers when Prof. Quinn logged out of her Facebook account. Facebook was thus able to—and in fact did—track her internet use when visiting Facebook-enabled websites.

121. Plaintiff Lentz is an adult domiciled in Virginia and has an active Facebook account and has had an active account since before April 22, 2010.

122. He accessed the Internet and visited websites containing Facebook social plugins from a computer he shared with his wife.

123. On this same computer, Facebook installed user-identifying cookies while Dr. Lentz was logged into his Facebook account.

124. Facebook failed to expire the user-identifying cookies on these computers when Dr. Lentz logged out of his Facebook account. Facebook was thus able to—and in fact did—track his internet use when visiting Facebook-enabled websites.

125. Plaintiff Vickery is an adult domiciled in Washington State and has an active Facebook account and has had an active account since before April 22, 2010.

126. He accessed the Internet and visited websites containing Facebook social plugins from at least one computer that is not a shared computer.

127. On this same computer, Facebook installed user-identifying cookies while Mr. Vickery was logged into his Facebook account.

128. Facebook failed to expire the user-identifying cookies on these computers when Mr. Vickery logged out of his Facebook account. Facebook was thus able to—and in fact did—track his internet use when visiting Facebook-enabled websites.

129. None of these four plaintiffs consented to the tracking and interception of their logged-off communications.

VI. STATUTE OF LIMITATIONS

130. The following claims (since dismissed) were brought on a class basis within days of the public reports of post-logout tracking, and the statutes of limitations are thus tolled: (1) Violation of Federal Wiretap Act; (2) Violation of the Stored Communications Act; (3) Violation of CIPA § 631; (4) Invasion of Privacy; (5) Intrusion Upon Seclusion; (6) Trespass to Chattels; and (7) the California Computer Crime Law.

131. The two claims asserted in this Third Amended Complaint were first asserted on November 30, 2015 in the Second Amended Complaint, but relate to the identical “conduct, transaction or occurrence” set out in the First Amended Complaint and thus relate back to the date of filing of the First Amended Complaint. All relevant statutes of limitations have therefore also been tolled.

VII. CLASS ACTION ALLEGATIONS

132. This is a class action pursuant to Rules 23(a) and (b)(3) of the Federal Rules of Civil Procedure on behalf of a Class of all persons who had active Facebook accounts and used Facebook between April 22, 2010 and a later date to be determined upon the completion of discovery, and whose personally identifiable Internet use was tracked at times when not logged into their Facebook accounts.

133. Excluded from the Class are the Court, Facebook, and its officers, directors, employees, affiliates, legal representatives, predecessors, successors and assigns, and any entity in which any of them have a controlling interest.

134. The members of the Class are so numerous that joinder of all members is impracticable.

135. Common questions of law and fact exist as to all members of the Class and predominate over any questions affecting solely individual members of the Class. The questions of law and fact common to the Class include:

a. whether the SRR is a legally binding contract;
b. whether the SRR incorporates by reference the Privacy Policy;
c. whether the Privacy Policy incorporates by reference the Help Center pages;
d. whether the claims in this action are governed by California law;
e. whether the lu cookie in fact included a User ID;
f. whether Facebook in fact failed to expire the lu cookie upon logout;
g. when Facebook in fact caused the User ID contained in the lu cookie to collapse to a zero value upon logout;
h. the length of time Facebook continued to track logged-out subscribers even after the lu cookie was fixed;
i. whether Facebook in fact wrote presence cookies to the browsers of logged-out subscribers and whether the presence cookie included a User ID;
j. whether Facebook in fact failed to expire the datr cookie upon logout;
k. whether Facebook in fact could link datr cookies to User IDs;
l. whether Facebook’s tracking of the Internet use of logged out subscribers was done in bad faith; and
m. whether Facebook’s tracking of the Internet use of logged out subscribers was unfair dealing.

136. Plaintiffs’ claims are typical of the claims of other Class members, as all members of the Class were similarly affected by Facebook’s wrongful conduct in violation of federal law as complained of herein.

137. Plaintiffs will fairly and adequately protect the interests of the members of the Class and have retained counsel that is competent and experienced in class action litigation.
Plaintiffs have no interest that is in conflict with, or otherwise antagonistic to, the interests of the other Class or Subclass members.

138. A class action is superior to all other available methods for the fair and efficient adjudication of this controversy since joinder of all members is impracticable. Furthermore, as the damages individual Class members have suffered may be relatively small, the expense and burden of individual litigation make it impossible for members of the Class and Subclass to individually redress the wrongs done to them. There will be no difficulty in management of this action as a class action.

VIII. COUNTS

COUNT I

BREACH OF CONTRACT

139. Plaintiffs hereby incorporate all other paragraphs as if fully stated herein.

140. Facebook entered into a contract with each Plaintiff consisting of the SRR, Privacy Policy, and relevant Help Center pages.

141. The contract contains enforceable promises that Facebook made to the Plaintiffs and the Class.

142. Facebook promised that it would not track user’s web browsing after log-out except on an anonymous basis. If a subscriber were logged out and visited a website with Facebook functionality, Facebook promised it would only receive technical information. Instead, Facebook received personally-identifiable information which it directly integrated into Facebook’s database entries of the very User ID that Facebook promised only to track for logged-in users.

143. Under the contract, Plaintiffs and Class members transmitted personally identifiable information to Facebook in exchange for use of Facebook and Facebook’s promise that it would not track users’ communications or access their computing devices or web-browsers while the users were logged-off of Facebook.

144. Plaintiffs did all, or substantially all, of the things that the contract required them to do.

145. By reason of the conduct described herein, Facebook materially and uniformly breached its contract with Plaintiffs and each of the Class members by tracking their personally identifiable Internet communications while they were logged-off of Facebook.

146. Facebook collects revenues in large part because the personal information submitted by its users and the tracking of their Internet communications across a wide variety of websites increases the value of Facebook’s advertising services. As a result of Facebook’s breach of the contract, it was unjustly enriched.

147. Facebook is liable for at least nominal damages as a result of the breach.

148. As a further result of Facebook’s breach, Plaintiffs and the class sustained non-monetary privacy damages in an amount to be proven at trial.

COUNT II

BREACH OF THE COVENANT OF GOOD FAITH AND FAIR DEALING

149. Plaintiffs hereby incorporate all other paragraphs as if fully stated herein.

150. In every contract or agreement there is an implied promise of good faith and fair dealing under California law.

151. In dealings between Facebook and its users, Facebook has power affecting the rights of its users.

152. Facebook entered into a contract with each Plaintiff consisting of the SRR, Privacy Policy, and relevant Help Center pages.

153. Facebook promised to respect and protect its users’ privacy.

154. Facebook promised to abide by the terms of its Privacy Policy and the promises in any relevant Help Center pages.

155. In assurances given outside of the contractual context—for example in the Facebook Pages blog and in comments made the press—Facebook assured its customers that it would not track the Internet use of users who were not logged into their Facebook accounts.

156. Plaintiffs did all, or substantially all, of the things that the contract required them to do.

157. Despite its contractual privacy promises not to track users while they were logged-off, Facebook took actions in breach of those contractual promises, tracking users while they were logged-off thereby depriving Plaintiffs and the Class of the privacy benefits agreed to in their contract with Facebook.

158. Facebook’s tracking of the Internet communications of logged-off users was objectively unreasonable given Facebook’s privacy promises.

159. Facebook’s conduct in tracking the Internet communications of logged-off users evaded the spirit of the bargain made between Facebook and the Plaintiffs.

160. Facebook’s conduct in this case abused its power to specify terms—in particular, Facebook failed to accurately disclose its tracking of users while they were logged-off Facebook.

161. As a result of Facebook’s misconduct and breach of its duty of good faith and fair dealing, Plaintiffs and the Class suffered damages. Plaintiffs and the Class members did not receive the benefit of the bargain for which they contracted and for which they paid valuable consideration in the form of their personal information and privacy, which, as alleged above, has ascertainable value to be proven at trial.

IX. PRAYER FOR RELIEF

WHEREFORE, Plaintiffs respectfully request that this Court:

A. Certify this action as a class action pursuant to Rule 23 of the Federal Rules of Civil Procedure;

B. Award compensatory and nominal damages to Plaintiffs and the Class against Defendant for all damages sustained as a result of Defendant’s wrongdoing, in an amount to be proven at trial, including interest thereon;

C. Permanently restrain Defendant, and its officers, agents, servants, employees, and attorneys, from installing cookies on its users’ computers that could track the users’ computer usage after logging out of Facebook or otherwise breaching its contracts with subscribers;

D. Award Plaintiffs and the Class their reasonable costs and expenses incurred in this action, including counsel fees and expert fees; and

E. Grant Plaintiffs such further relief as the Court deems appropriate.

X. JURY TRIAL DEMAND

The Plaintiffs demand a trial by jury of all issues so triable.

Dated: August 25, 2017

Respectfully submitted,

KAPLAN, FOX & KILSHEIMER LLP
By: /s/ David A. Straite
Frederic S. Fox (admitted pro hac vice)
David A. Straite (admitted pro hac vice)
850 Third Avenue
New York, NY 10022
Telephone: (212) 687-1980
Facsimile: (212) 687-7714
dstraite@kaplanfox.com

Laurence D. King (206423)
Mario Choi (243409)
350 Sansome Street, 4th Floor
San Francisco, CA 94104
Tel.: (415) 772-4700
Fax: (415) 772-4707
lking@kaplanfox.com

Interim Co-Lead Counsel

SILVERMAN, THOMPSON, SLUTKIN & WHITE LLC
By: /s/ Stephen G. Grygiel
Stephen G. Grygiel (admitted pro hac vice)
201 N. Charles St., #2600
Baltimore, MD 21201
Telephone (410) 385-2225
Facsimile: (410) 547-2432
sgrygiel@mdattorney.com

Interim Co-Lead Counsel

ATTESTATION PURSUANT TO CIVIL LOCAL RULE 5-1(i)(3)

I, David A. Straite, attest that concurrence in the filing of this document has been obtained from the other signatory. I declare under penalty of perjury under the laws of the United States of America that the foregoing is true and correct.

Executed this 25th day of August, 2017, at New York, New York.

/s/ David A. Straite
DAVID A. STRAITE
