Beiles v. Zynga Game Network, Inc. (In re Zynga Privacy Litig.), Nos. 11–18044

• Court: United States Courts of Appeals. United States Court of Appeals (9th Circuit)
• Writing for the Court: IKUTA
• Citation: 750 F.3d 1098
• Parties: In re ZYNGA PRIVACY LITIGATION, Nancy Walther Graf; Richard Beiles; Howard L. Schreiber; John Swanson; Lellaniah Adams; Valerie Gudac; William J. O'Hara; Iris Phee; Zena Carmel–Jessup; Shelley Albani; Christopher Brock; Karen Bryant; Barbara Moskowitz, Plaintiffs–Appellants, v. Zynga Game Network, Inc., a Delaware corporation, Defendant–Appellee. In re Facebook Privacy Litigation, Mike Robertson, as representative of the class, Plaintiff–Appellant, v. Facebook, Inc., a Delaware corporation, Defendant–Appellee.
• Docket Number: Nos. 11–18044,12–15619.
• Decision Date: 08 May 2014

750 F.3d 1098

In re ZYNGA PRIVACY LITIGATION,
Nancy Walther Graf; Richard Beiles; Howard L. Schreiber; John Swanson; Lellaniah Adams; Valerie Gudac; William J. O'Hara; Iris Phee; Zena Carmel–Jessup; Shelley Albani; Christopher Brock; Karen Bryant; Barbara Moskowitz, Plaintiffs–Appellants,
v.
Zynga Game Network, Inc., a Delaware corporation, Defendant–Appellee.
In re Facebook Privacy Litigation,
Mike Robertson, as representative of the class, Plaintiff–Appellant,
v.
Facebook, Inc., a Delaware corporation, Defendant–Appellee.

Nos. 11–18044, 12–15619.

United States Court of Appeals,
Ninth Circuit.

Argued and Submitted Jan. 17, 2014.
Filed May 8, 2014.

[750 F.3d 1099]

Adam J. Levitt (argued), Grant & Eisenhofer P.A., Chicago, IL;

[750 F.3d 1100]

Francis M. Gregorek, Betsy C. Manifold, Rachele R. Rickert, and Patrick H. Moran, Wolf Haldenstein Adler Freeman & Herz LLP, San Diego, CA; Jonathan Shub, Seeger Weiss LLP, Los Angeles, CA; Michael J. Aschenbrener, Aschenbrener Law, PC, San Francisco, CA, for Plaintiffs–Appellants Nancy Walther Graf, John Swanson, Richard Beiles, Howard L. Schreiber, Lellaniah Adams, Valerie Gudac, William J. O'Hara, Iris Phee, Zena Carmel–Jessup, Shelley Albani, Christopher Brock, Karen Bryant, and Barbara Moskowitz.

Kassra Nassiri (argued), Nassiri & Jung LLP, San Francisco, CA; John Joseph Manier, Nassiri & Jung LLP, Los Angeles, CA, for Plaintiff–Appellant Mike Robertson.

Richard L. Seabolt (argued), Suzanne R. Fogarty, Oliver E. Benn, Duane Morris LLP, San Francisco, CA, for Defendant–Appellee Zynga Game Network, Inc.

Aaron Martin Panner (argued), Kellogg, Huber, Hansen, Todd, Evans & Figel, P.L.L.C., Washington, D.C.; Matthew D. Brown, Cooley LLP, San Francisco, CA; James M. Penning, Cooley LLP, Palo Alto, CA, for Defendant–Appellee Facebook, Inc.

Appeals from the United States District Court for the Northern District of California, James Ware, District Judge, Presiding. D.C. Nos. 5:10–cv–04680–JW, 5:10–cv–02389–JW.
Before: ALARCÓN, RICHARD C. TALLMAN, and SANDRA S. IKUTA, Circuit Judges.

OPINION
IKUTA, Circuit Judge:

The plaintiffs in these cases appeal the district court's dismissal with prejudice of their claims for violations of the Wiretap Act and the Stored Communications Act, two chapters within the Electronic Communications Privacy Act of 1986 (ECPA). The plaintiffs allege that Facebook, Inc., a social networking company, and Zynga Game Network, Inc., a social gaming company, disclosed confidential user information to third parties. We have consolidated these cases for this opinion and conclude that the plaintiffs in both cases have failed to state a claim because they did not allege that either Facebook or Zynga disclosed the “contents” of a communication, a necessary element of their ECPA claims. We therefore affirm the district court.¹

I

Facebook operates Facebook.com, a social networking website. Zynga is an independent online game company that designs, develops, and provides social gaming applications that are accessible to users of Facebook. To understand the claims at issue, some background on Facebook and internet communication is necessary.

A

Social networking and gaming websites provide an internet forum where users can interact with each other and share information. Anyone may register to use Facebook's social networking site, but registrants must provide their real names, email addresses, gender, and birth dates. Facebook does not charge any fees to sign

[750 F.3d 1101]

up for its social networking service. Upon registration, Facebook assigns each user a unique Facebook User ID. The User ID is a string of numbers, but a user can modify the ID to be the user's actual name or invented screen name. Facebook considers the IDs to be personally identifiable information.

Facebook users upload information to the site to share with others. Users frequently share a wide range of personal information, including their birth date, relationship status, place of residence, religion, and interests, as well as pictures, videos, and news articles. Facebook arranges this information into a profile page for each user. Users can make their profiles available to the public generally, or limit access to specified categories of family, friends, and acquaintances.

To generate revenue, Facebook sells advertising to third parties who want to market their products to Facebook users. Facebook helps advertisers target their advertising to a specific demographic group by providing them with users' demographic information. For example, a purveyor of spring training baseball memorabilia can choose to display its ads to males between the ages of 18 and 49 who like baseball and live in Phoenix, Arizona, on the theory that the members of that particular demographic group will be more likely to click on the ad and view the offer. Nevertheless, Facebook's privacy policy states that it will not reveal a user's specific identity and that only anonymous information is provided to advertisers.

In addition to its social networking and advertising services, Facebook offers a platform service that allows developers to design applications that run on the Facebook webpage. Zynga is one such developer. It offers free social gaming applications through Facebook's platform that are used by millions of Facebook users. Until November 30, 2010, Zynga's privacy policy stated that it did “not sell or rent your ‘Personally Identifiable Information’ to any third party.”

B

A brief review of how computers communicate on the internet is helpful to understand what happens when a Facebook user clicks on a link or icon. The hypertext transfer protocol, or HTTP, is the language of data transfer on the internet and facilitates the exchange of information between computers. R. Fielding, et al., Hypertext Transfer Protocol—HTTP/ 1. 1, § 1.1 (1999), http:// www. w 3. org/ Protocols/ HTTP/ 1. 1/ rfc 2616. pdf. ² The protocol governs how communications occur between “clients” and “servers.” A “client” is often a software application, such as a web browser, that sends requests to connect with a server. A server responds to the requests by, for instance, providing a “resource,” which is the requested information or content. Id. §§ 1.3, 1.4. Uniform Resource Locators, or URLs, both identify a resource and describe its location or address. Id. §§ 3.2, 3.2.2. And so when users enter URL addresses into their web browser using the “http” web address format, or click on hyperlinks, they are actually telling their web browsers (the client) which resources to request and where to find them. Id. § 3.2.2.

The “basic unit of HTTP communication” is the message, which can be either a request from a client to a server or a response from a server to a client. Id.

[750 F.3d 1102]

§§ 1.3, 4.1. A request message has several components, including a request line, the resource identified by the request, and request header fields. Id. § 5. The request line specifies the action to be performed on the identified resource. Id. § 5.1. Often, the request line includes “GET,” which means “retrieve whatever information ... is identified by the” indicated resource, or “POST,” which requests that the server accept a body of information enclosed in the request, such as an email message. Id. §§ 9.3, 9.5. For example, if a web user clicked a link on the Ninth Circuit website to access recently published opinions (URL: http:// www. ca 9. uscourts. gov/ opinions/), the client request line would state “GET/ opinions/ HTTP/ 1. 1,” which is the resource, followed by “Host: www. ca 9. uscourts. gov,” a location header that specifies the website that hosts the resource. Id. § 5.1.2.

Other request headers follow the request line and “allow the client to pass additional information about the request, and about the client itself, to the server.” Id. § 5.3. A request header known as the “referer” ³ provides the address of the webpage from which the request was sent. Id. § 14.36. For example, if a web user accessed the Ninth Circuit's website from the Northern District of California's webpage, the GET request would include the following header: “Referer: http:// www. cand. uscourts. gov/ home.” A client can be programmed to avoid sending a referer header. Id. § 15.1.2.

During the period at issue in this case, when a user clicked on an ad or icon that appeared on a Facebook webpage, the web browser sent an HTTP request to access the resource identified by the link. The HTTP request included a referer header that provided both the user's Facebook ID and the address of the Facebook webpage the user was viewing when the user clicked the link. Accordingly, if the Facebook user clicked on an ad, the web browser would send the referer header information to the third party advertiser.

To play a Zynga game through Facebook, a registered Facebook user would log into the user's Facebook account and then click on the Zynga game icon within the Facebook interface. For example, if a user wanted to access Zynga's popular FarmVille game, the user would click the FarmVille icon, and the user's web browser would send an HTTP request to retrieve the resource located at http:// apps. facebook. com/ onthefarm. Like the HTTP request to view an ad on Facebook, the HTTP request to launch a Zynga game contained a referer header that displayed the user's Facebook ID and the address of the Facebook webpage the user was viewing before clicking on the game icon. In response to the user's HTTP request, the Zynga server would load the game in an inline frame ⁴ on the Facebook website. The inline frame allows a user to view one webpage embedded within another; consequently, a user who is playing a Zynga game is viewing both the Facebook page from which the user launched the game and, within that page, the Zynga game.

According to the relevant complaint, Zynga programmed its gaming applications to collect the information contained in the referer header, and then transmit this information to advertisers and other third...