Gershzon v. Meta Platforms, Inc.

• Docket Number: 23-cv-00083-SI
• Decision Date: 22 August 2023
• Parties: MIKHAIL GERSHZON, Plaintiff, on behalf of himself and all others similarly situated, v. META PLATFORMS, INC., Defendant.
• Court: U.S. District Court — Northern District of California

1

MIKHAIL GERSHZON, Plaintiff, on behalf of himself and all others similarly situated, v. META PLATFORMS, INC., Defendant.

No. 23-cv-00083-SI

United States District Court, N.D. California

August 22, 2023

ORDER DENYING DEFENDANT'S MOTION TO DISMISS AND DENYING REQUESTS FOR JUDICIAL NOTICE

Re: Dkt. No. 31

SUSAN ILLSTON UNITED STATES DISTRICT JUDGE

On June 23, 2023, the Court held a hearing on defendant's motion to dismiss the complaint. For the reasons set forth below the Court concludes that the complaint states a claim and therefore the motion to dismiss is DENIED.

BACKGROUND

On January 6, 2023, plaintiff Mikhail Gershzon filed this class action lawsuit against Meta Platforms, Inc. (“Meta”). Gershzon alleges that Meta violated his privacy rights under federal and state law by knowingly obtaining statutorily protected personal information and communications, including names, disability information, and e-mail addresses, through the use of a “hidden tracking code” created by Meta and installed on the website of the California Department of Motor Vehicles (“DMV”). Gershzon alleges that this software code, known as the “Meta Pixel,” “sends to Meta time-stamped, personally-identifiable records of Plaintiff and Class members' personal information activities and communications on the [California] DMV website.” Compl. ¶ 2. Gershzon brings claims under the federal Driver's Privacy Protection Act, 18 U.S.C §§ 2721-2725 (“DPPA”) and the California Invasion of Privacy Act, Cal. Pen. Code § 631 (“CIPA”) The following facts are taken from the complaint and assumed as true for purposes of the present motion. The DMV operates the website www.dmv.ca.gov, “where users can access and manage their data on file with the DMV, book virtual or in-person appointments, and prepare applications for DMV services such as driver's licenses and disabled parking placards.” Compl. ¶ 27. The DMV “strongly encourages Californians to use its ‘virtual' agents and offices, and usage of DMV services online has climbed steadily in recent years.” Id. ¶ 28. The DMV reported 23 million online transactions in 2020, and that figure grew during the COVID-19 pandemic, “during which time the DMV created and promoted new online options for users, allowing, for example, online driver's testing and license renewals that typically required an office visit.” Id.

Meta is “an advertising company which sells advertising space on the social media platform it operates,” and “Meta's advertising is based on sophisticated user-categorizing and targeting capabilities that are fueled by the personal data or users of the social media platform and other Internet users.” Id. ¶ 15. Meta “surveils users' online activities both on and off Meta's own websites and apps,” which allows Meta to “make highly personal inferences about users, such as about their ‘interests,' ‘behavior,' and ‘connections.'” Id. Meta “compiles information it obtains and infers about Internet users and uses it to identify personalized ‘audiences' likely to respond to particular advertisers' messaging.” Id. In 2021, Meta generated approximately $114.93 billion, nearly 98% of its revenue, through advertising. Id.

The Meta Pixel, originally called the Facebook Pixel, was first introduced in 2015. Id. ¶ 16. “It is now the primary means through which Meta acquires personal information to create customized audiences for its advertising business, although Meta's public-facing descriptions of the Pixel obscure and minimize this fundamental purpose of the tracking code.” Id. Meta characterizes the Pixel as a simple “snippet of JavaScript code” that helps website owners keep track of user activity on their websites, and Meta emphasizes that website managers can easily install Pixel on a website. Id.

The Meta Pixel is “configured to capture a substantial amount of information by default,” and since 2015 the Pixel has transmitted “HTTP header information, including the URL of each page visited on a website.” Id. ¶ 17. In 2017 and 2018, Meta modified the Pixel code to transmit more information:

In 2017, Meta quietly modified the Pixel code to transmit additional information automatically, including “microdata” (details about the website and substance of what it offers), other “contextual information” (including details about the structure of a particular webpage), and “SubscribeButtonClick” information (details about buttons available to click on each page including the text), which fires each time a user clicks on a hyperlink or button on the webpage. Meta made these changes to learn more about website users for advertising purposes. Since 2017, the Pixel has been configured to gather all such data indiscriminately and by default without intervention from the website owner requesting the information be tracked.

In 2018, Meta again modified the default operation of the Pixel to maximize the private information it transmits. Meta introduced a “first-party cookie option” for the Pixel, to circumvent improvements in how web browsers block third-party cookies (a primary means by which Facebook historically tracked people across the web). Being embedded in websites as a first-party cookie, rather than as a third-party cookie, causes users' browsers to treat that Pixel as though it is offered by the website they are visiting, rather than by Meta, a third party. When the Pixel is embedded in a website as a first-party cookie, the third-party cookie blocking functions of modern web browsers do not inhibit the Meta Pixel's collection of data. Operating similarly to, and with the same privacy exemptions applicable to, a first party cookie became another default Pixel setting in or around October 2018.

Id. ¶¶ 17-18.

The Meta Pixel operates in the following manner:

In all websites where the Pixel operates, when a user exchanges information with the host of that site, Meta's software script surreptitiously directs the user's browser to send a separate message to Meta's servers. This second, secret transmission contains the original request sent to the host website, (“GET request”), along with additional data that the Pixel is configured to collect (“POST request). GET and POST requests are communications that contain contents from both the user and from servers associated with the website they are visiting. These transmissions are initiated by Meta code and concurrent with the communications to and from the host website.

Meta associates the information it obtains via the Meta Pixel with other information regarding the user, using personal identifiers that are transmitted concurrently with other personal information the Pixel is configured to collect. For Facebook accountholders, these identifiers include the “cuser” IDs, which allow Meta to link data to a particular Facebook account, and “xs” cookies associated with a browsing session. For both Facebook accountholders and users who do not have a Facebook account, these identifiers also include cookies that Meta ties to their browser, such as “datr” and “fr” cookies.

Id. ¶¶ 20-21 (internal footnotes omitted). Meta then “feeds the vast quantities of information obtained from Meta Pixels into its advertising systems, using it to identify users and their personal characteristics, categorize them for Meta's business purposes, and target them with marketing messages from its advertising clients.” Id. ¶ 22.

The Meta Pixel is “embedded on and throughout the DMV website, and transmits extensive information from the DMV to Meta in accordance with the Meta Pixel's default configuration.” Id. ¶ 29. This information includes the first name of each person who accesses their online account, id. ¶¶ 32-35; information that a person has applied for or sought to renew a disabled person parking placard or a disabled person license plate, id. ¶¶ 36-43; e-mail addresses, id. ¶¶ 45-50; and other identifying information “concerning users' interests, phone and address status, health and disability status, immigration status, and concerns, all of which are personally identifying in themselves and in combination . . .” Id. ¶ 51.

Meta learns, for example, when someone takes the DMV's self-assessment for driving with impaired vision, or researches the DMV's procedures for licensing people suffering from dementia. Meta also learns when someone accesses MyDMV to update their physical address or phone number, transfer a title, or renew their vehicle registration.

To illustrate one of innumerable examples in detail, if a user asks the DMV to show the page for updating a phone number on the DMV site, Meta intercepts a time-stamped record of the request while it is in transit to the DMV, including unique identifiers for the user, and intercepts the URL transmitted back to the user by the DMV. When a user logs into their MyDMV account, as they must to update their phone number, Meta intercepts a record that the user logs in and successfully completes two-factor authentication, then is presented with hyperlinks or buttons including one to “Change Phone Number.” When a user tells the DMV what they would like to do by clicking that hyperlink, Meta learns that the link “Change Phone Number” is clicked, and obtains the descriptive URL that the DMV presents next, namely https://www.dmv.ca.gov/portal/update-your-phone-number/. This page explains the process for updating one's phone number with the DMV, and a presents button to “Start” the process. When a user clicks the “Start” button, Meta learns that the button “Start” was clicked on that page, and obtains the URL that the DMV presents next, for account verification, and so on. In short, Meta secretly watches every step of the process, and intercepts any and all communications between users and the DMV for its own purposes and its own use.

Id. ¶¶...