Davis v. Facebook, Inc. (In re Facebook, Inc. Internet Tracking Litig.)

• Decision Date: 09 April 2020
• Docket Number: No. 17-17486,17-17486
• Citation: 956 F.3d 589
• Parties: IN RE FACEBOOK, INC. INTERNET TRACKING LITIGATION, Perrin Aikens Davis; Brian K. Lentz; Cynthia D. Quinn; Matthew J. Vickery, Plaintiffs-Appellants, v. Facebook, Inc., Defendant-Appellee.
• Court: U.S. Court of Appeals — Ninth Circuit

956 F.3d 589

IN RE FACEBOOK, INC. INTERNET TRACKING LITIGATION,

Perrin Aikens Davis; Brian K. Lentz; Cynthia D. Quinn; Matthew J. Vickery, Plaintiffs-Appellants,

v.Facebook, Inc., Defendant-Appellee.

No. 17-17486

United States Court of Appeals, Ninth Circuit.

Argued and Submitted April 16, 2019 San Francisco, California

Filed April 9, 2020

David A. Straite (argued), Frederic S. Fox, and Ralph E. Labaton, Kaplan Fox & Kilsheimer LLP, New York, New York; Laurence D. King, Matthew George, and Mario M. Choi, Kaplan Fox & Kilsheimer LLP, San Francisco, California; Stephen G. Grygiel, Silverman Thompson Slutkin White LLC, Baltimore, Maryland; for Plaintiffs-Appellants.

Lauren R. Goldman (argued) and Michael Rayfield, Mayer Brown LLP, New York, New York; Matthew D. Brown, Cooley LLP, San Francisco, California; for Defendant-Appellee.

Marc Rotenberg, Alan Butler, Natasha Babazadeh, and Sam Lester, Electronic Privacy Information Center, Washington, D.C., for Amicus Curiae Electronic Privacy Information Center (EPIC).

Douglas Laycock, University of Virginia Law School, Charlottesville, Virginia; Steven W. Perlstein, Kobre & Kim LLP, New York, New York; Beau D. Barnes, Kobre & Kim LLP, Washington, D.C.; for Amicus Curiae Professor Douglas Laycock.

Before: Sidney R. Thomas, Chief Judge, Milan D. Smith, Jr., Circuit Judge, and Katherine H. Vratil,^* District Judge.

THOMAS, Chief Judge:

In this appeal, we are asked to determine whether: (1) Facebook-users Perrin Davis, Brian Lentz, Cynthia Quinn, and Mathew Vickery ("Plaintiffs") have standing to allege privacy-related claims against Facebook, and (2) Plaintiffs adequately allege claims that Facebook is liable for common law and statutory privacy violations when it tracked their browsing histories after they had logged out of the Facebook application. We have jurisdiction pursuant to 28 U.S.C. § 1291. We affirm in part; reverse in part; and remand for further proceedings.

I

Facebook uses plug-ins¹ to track users’ browsing histories when they visit third-party websites, and then compiles these browsing histories into personal profiles which are sold to advertisers to generate revenue. The parties do not dispute that Facebook engaged in these tracking practices after its users had logged out of Facebook.

Facebook facilitated this practice by embedding third-party plug-ins on third-party web pages. The plug-ins, such as Facebook’s "Like" button, contain bits of Facebook code. When a user visits a page that includes these plug-ins, this code is able to replicate and send the user data to Facebook through a separate, but simultaneous, channel in a manner undetectable by the user.

As relevant to this appeal, the information Facebook allegedly collected included the website’s Uniform Resource Locator ("URL") that was accessed by the user. URLs both identify an internet resource and describe its location or address. "[W]hen users enter URL addresses into their web browser using the ‘http’ web address format, or click on hyperlinks, they are actually telling their web browsers (the client) which resources to request and where to find them. In re Zynga Privacy Litig. , 750 F.3d 1098, 1101 (9th Cir. 2014). Thus, the URL provides significant information regarding the user’s browsing history, including the identity of the individual internet user and the web server, as well as the name of the web page and the search terms that the user used to find it. In technical parlance, this collected URL is called a "referer header" or "referer." Facebook also allegedly collected the third-party website’s Internet Protocol ("IP") address,² which reveals only the owner of the website.

Facebook allegedly compiled the referer headers it collected into personal user profiles using "cookies"—small text files stored on the user’s device. When a user creates a Facebook account, more than ten Facebook cookies are placed on the user’s browser. These cookies store the user’s login ID, and they capture, collect, and compile the referer headers from the web pages visited by the user. As most relevant to this appeal, these cookies allegedly continued to capture information after a user logged out of Facebook and visited other websites.

Plaintiffs claim that internal Facebook communications revealed that company executives were aware of the tracking of logged-out users and recognized that these practices posed various user-privacy issues. According to the Plaintiffs, Facebook stopped tracking logged-out users only after Australian blogger Nik Cubrilovic published a blog detailing Facebook’s tracking practices.³

Plaintiffs filed a consolidated complaint on behalf of themselves and a putative class of people who had active Facebook accounts between May 27, 2010 and September 26, 2011. After the district court dismissed their first complaint with leave to amend, Plaintiffs filed an amended complaint. In the amended complaint, they alleged a number of claims. The claims relevant to this appeal consist of: (1) violation of the Wiretap Act, 18 U.S.C. § 2510, et seq. ; (2) violation of the Stored Communications Act ("SCA"), 18 U.S.C. § 2701 ; (3) violation of the California Invasion of Privacy Act ("CIPA"), Cal. Pen. Code §§ 631, 632 ; (4) invasion of privacy; (5) intrusion upon seclusion; (6) breach of contract; (7) breach of the duty of good faith and fair dealing; (8) civil fraud; (9) trespass to chattels; (10) violations of California Penal Code § 502 Computer Data Access and Fraud Act ("CDAFA"); and (11) statutory larceny under California Penal Code §§ 484 and 496.

The district court granted Facebook’s motion to dismiss the amended complaint. First, the district court determined that Plaintiffs had failed to show they had standing to pursue claims that included economic damages as an element, thus disposing of the claims for trespass to chattels, violations of the CDAFA, fraud, and statutory larceny. It dismissed these claims without leave to amend.

The district court also dismissed for failure to state a claim, without leave to amend, Plaintiffs’ claims for violations of the Wiretap Act, CIPA, and the SCA, as well as their common law claims for invasion of privacy and intrusion upon seclusion. The district court dismissed the claims for breach of contract and the breach of the implied covenant of good faith and fair dealing, but granted leave to amend these claims. In response, Plaintiffs amended their complaint as to the breach of contract and implied covenant claims. The district court subsequently granted Facebook’s motion to dismiss the amended claims. This timely appeal followed.

We review de novo a district court’s determination of whether a party has standing. San Luis & Delta-Mendota Water Auth. v. United States , 672 F.3d 676, 699 (9th Cir. 2012). We review de novo dismissals for failure to state a claim under Rule 12(b)(6). Dougherty v. City of Covina , 654 F.3d 892, 897 (9th Cir. 2011).

II

The Plaintiffs have standing to bring their claims. "Where standing is raised in connection with a motion to dismiss, the court is to ‘accept as true all material allegations of the complaint, and ... construe the complaint in favor of the complaining party.’ " Levine v. Vilsack , 587 F.3d 986, 991 (9th Cir. 2009) (quoting Thomas v. Mundell , 572 F.3d 756, 760 (9th Cir. 2009) ).

To establish standing, a "[p]laintiff must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision." Spokeo v. Robins , ––– U.S. ––––, 136 S. Ct. 1540, 1547, 194 L.Ed.2d 635 (2016). To establish an injury in fact, a plaintiff must show that he or she suffered "an invasion of a legally protected interest" that is "concrete and particularized." Id . at 1548 (quoting Lujan v. Defs. of Wildlife , 504 U.S. 555, 560, 112 S.Ct. 2130, 119 L.Ed.2d 351 (1992) ). A particularized injury is one that affects the plaintiff in a "personal and individual way." Id . ; see also Dutta v. State Farm Mutual Auto. Ins. Co. , 895 F.3d 1166, 1173 (9th Cir. 2018).

A concrete injury is one that is "real and not abstract." Spokeo , 136 S.Ct. at 1548 (internal quotation marks omitted). Although an injury "must be ‘real’ and ‘not abstract’ or purely ‘procedural’ ... it need not be ‘tangible.’ " Dutta , 895 F.3d at 1173. Indeed, though a bare procedural violation of a statute is insufficient to establish an injury in fact, Congress may "elevat[e] to the status of legally cognizable injuries concrete, de facto injuries that were previously inadequate" to confer standing. Spokeo , 136 S. Ct. at 1549 (quoting Lujan , 504 U.S. at 578, 112 S.Ct. 2130 ).

To determine whether Congress has done so, we ask whether: (1) "Congress enacted the statute at issue to protect a concrete interest that is akin to a historical, common law interest[,]" and (2) the alleged procedural violation caused real harm or a material risk of harm to these interests. Dutta , 895 F.3d at 1174.

A

The district court properly concluded that Plaintiffs had established standing to bring claims for invasion of privacy, intrusion upon seclusion, breach of contract, breach of the implied covenant of good faith and fair dealing, as well as claims under the Wiretap Act and CIPA, because they adequately alleged privacy harms.

Plaintiffs have adequately alleged an invasion of a legally protected interest that is concrete and particularized. "[V]iolations of the right to privacy have long been actionable at common law." Patel v. Facebook , 932 F.3d 1264, 1272 (9th Cir. 2019) (quoting Eichenberger v. ESPN, Inc. , 876 F.3d 979, 983 (9th Cir. 2017) ). A right to privacy "encompass[es] the individual’s control of information concerning his or her person." Eichenberger , 876 F.3d at 983 (quoting U.S. Dep’t of Justice v. Reporters Comm. for Freedom of the Press , 489 U.S. 749, 763, 109 S.Ct. 1468, 103 L.Ed.2d 774 (1989) ).

As to the statutory claims, the legislative history and statutory text demonstrate that Co...