In re Facebook, Inc., Consumer Privacy User Profile Litigation

United States District Court, N.D. California

September 9, 2019




         This lawsuit, which stems from the Cambridge Analytica scandal, is about Facebook's practice of sharing its users' personal information with third parties. The plaintiffs are current and former Facebook users who believe that their information was compromised by the company. Their principal allegations are that Facebook: (i) made sensitive user information available to countless companies and individuals without the consent of the users; and (ii) failed to prevent those same companies and individuals from selling or otherwise misusing the information. The plaintiffs do not merely allege that Facebook shared what we often describe as “data” - basic facts such as gender, age, address, and the like. They allege that Facebook shared far more substantive and revealing content that users intended only for a limited audience, such as their photographs, videos they made, videos they watched, their religious and political views, their relationship information, and the actual words contained in their messages.

         Facebook has filed a motion to dismiss the lawsuit. Although the company makes many different arguments, there are three main ones. First, Facebook argues that people have no legitimate privacy interest in any information they make available to their friends on social media. This means, according to Facebook, that if people use social media to communicate sensitive information with a limited number of friends, they have no right to complain of a privacy violation if the social media company turns around and shares that information with a virtually unlimited audience. As explained in Section II of this ruling, Facebook's argument could not be more wrong. When you share sensitive information with a limited audience (especially when you've made clear that you intend your audience to be limited), you retain privacy rights and can sue someone for violating them.

         Second, Facebook argues that even if its users had a privacy interest in the information they made available only to friends, there is no standing to sue in federal court because there were no tangible negative consequences from the dissemination of this information. That too is wrong. As explained in Section III, the law has long recognized that a privacy invasion is itself the kind of injury that can be redressed in federal court, even if the invasion does not lead to some secondary economic injury like identity theft.

         Facebook's third main argument is that even if users retained a privacy interest in the information that was disclosed, and even if a “bare” privacy invasion confers standing to sue in federal court, this lawsuit must be dismissed because Facebook users consented, in fine print, to the wide dissemination of their sensitive information. As discussed in Section IV, this question is more difficult than the first two. California law requires the Court to assume as a legal matter (even if it's not true as a factual matter) that users reviewed, understood, and agreed to all of Facebook's contractual terms when they signed up for their accounts. These terms included a description of at least some of Facebook's information-sharing practices, for at least a portion of the time period covered by this lawsuit. In particular, from roughly 2009 to 2015, Facebook disclosed its practice of allowing app developers to obtain, through a user's Facebook friends, any information about the user that the friends had access to.

         That single disclosure, however, is relatively inconsequential for this motion to dismiss. The complaint adequately alleges that users who established their Facebook accounts prior to roughly 2009 never consented to this practice. Plaintiffs in this category may pursue claims based on information-sharing with app developers. Moreover, the complaint adequately alleges that no users ever consented to Facebook's other information-sharing practices - specifically, sharing with certain “whitelisted apps” starting in 2015, and sharing with certain “business partners” during much of the relevant time period. Finally, the complaint adequately alleges that users never consented to Facebook's widespread practice of allowing companies to sell and otherwise misuse sensitive user information, as opposed to restricting the use of this information as Facebook promised it would. Therefore, even though Facebook's arguments regarding user consent have some legal force and will somewhat limit the scope of the lawsuit, they cannot defeat the lawsuit entirely, at least at the pleading stage.

         Accordingly, as set forth in Section V (which discusses the specific legal claims asserted by the plaintiffs), although Facebook's motion to dismiss will be granted for a few of the claims, most claims survive.

         I. BACKGROUND

         Cambridge Analytica, a British political consulting firm, used personal information from millions of Facebook accounts to send targeted political messages during the 2016 presidential campaign. The firm obtained this information from Aleksandr Kogan, a researcher who had acquired it through his app, which Facebook had allowed him to deploy on its platform. The Cambridge Analytica incident began receiving significant press coverage in 2018, which in turn generated increased scrutiny of Facebook's information-sharing practices. In the months that followed, reports emerged suggesting that the ability of people like Kogan and entities like Cambridge Analytica to obtain sensitive Facebook user information was the norm rather than the exception. Broadly speaking, this case is about whether Facebook acted unlawfully in making user information widely available to third parties. It's also about whether Facebook acted unlawfully in failing to do anything meaningful to prevent third parties from misusing the information they obtained.

         Following the Cambridge Analytica outcry, dozens of lawsuits were filed against Facebook in various courts around the country. The lawsuits were mostly in federal court, and they were mostly proposed class actions by individual Facebook users who contended that Facebook disseminated their sensitive personal information to Kogan without their consent and failed to prevent him from transferring it to Cambridge Analytica. One of the first of these lawsuits was filed in the Northern District of California and randomly assigned to this Court.

         When multiple, similar federal lawsuits are filed around the country, there is a process within the federal judiciary for handling them. Congress has created the Judicial Panel on Multidistrict Litigation, which considers whether to transfer similar cases to a single federal judge for pretrial proceedings. The purpose is to promote the orderly adjudication of multiple similar cases, avoiding conflicting rulings from different judges and alleviating the strain on the system that would result from many judges adjudicating the same complicated pretrial issues. The multidistrict litigation process contemplates that once the assigned judge adjudicates those issues, the individual cases are sent back for trial to the courts where they originated. In these cases against Facebook, the panel concluded that assignment to a single judge was warranted, and assigned the lawsuits to this Court.

         This Court subsequently appointed two attorneys to serve as lead plaintiffs' counsel. Thereafter, lead counsel, representing roughly three dozen individual Facebook users, filed a consolidated class action complaint. The plaintiffs propose to represent a class consisting of all Facebook users in the United States and the United Kingdom whose personal information was improperly disseminated and/or inadequately protected by Facebook from 2007 to the present. The practical effect of the proposed class action is that this one consolidated complaint could potentially resolve all claims by private parties against Facebook arising from the company's practices of disseminating user information during this period. In other words, this proceeding has effectively become one large proposed class action, as opposed to a group of several dozen separate lawsuits.[1]

         Facebook filed a motion to dismiss, and a lengthy hearing took place during which the parties and the Court discussed many potential deficiencies in the complaint. The hearing ended with the Court giving the plaintiffs permission to file an amended complaint to address any such deficiencies.

         The amended complaint, which is the subject of the current motion to dismiss, runs 414 pages and includes 1,442 paragraphs. It appears to include all the claims that were asserted in the cases that were transferred here by the multidistrict litigation panel, and more. But for manageability purposes, the complaint is divided into “prioritized claims” and “nonprioritized claims.” The idea is that the prioritized claims (which presumably reflect lead counsel's judgment about their relative strength or importance) will be adjudicated first, and the nonprioritized claims should be stayed and addressed later if necessary. The complaint names multiple defendants (for example, CEO Mark Zuckerberg, in addition to Facebook itself), but again divides those defendants into the “prioritized” and “non-prioritized” categories. Facebook is the only prioritized defendant.

         It's worth noting that the case has expanded in scope. While the initial lawsuits focused largely on Facebook's conduct that was the subject of the Cambridge Analytica scandal, the case now includes allegations stemming from the subsequent revelations about Facebook's wider information-sharing practices. Moreover, although the complaint purports to assert 12 prioritized “claims,” most of those purported claims actually consist of multiple distinct legal claims, based on distinct factual allegations. For example, the section entitled “Breach of Contract” appears to contain roughly half a dozen distinct claims for breach of contract, based on distinct acts of alleged wrongdoing. Indeed, at times it seems the plaintiffs sought to identify anything Facebook has ever been reported to have done wrong and then made sure to sprinkle in at least a few allegations about it.

         This strategy interferes significantly with the clarity and effectiveness of the plaintiffs' presentation. Some of the allegations are quite vague. For example, the plaintiffs make an allegation, the significance of which the Court has not been able to understand, about Facebook stripping metadata from users' photos before allowing third parties to access them. Also scattered throughout the complaint are allegations about something the plaintiffs call “psychographic marketing,” without any meaningful explanation of the legal or factual difference between psychographic marketing and targeted advertising (the latter of which the plaintiffs appear to concede is perfectly legitimate).

         Overall, the presence of so many disparate and vague allegations makes it nearly impossible for Facebook to meaningfully respond to all of them, much less for the Court to effectively address them. The conventional approach in a situation like this might be to sift through the complaint to try to identify each distinct claim, then dismiss with leave to amend all claims that are not adequately articulated. But that approach would likely result in many more rounds of motions to dismiss, bogging the case down at the pleading stage for years. In the interest of preventing that from happening to this multidistrict litigation, this ruling focuses on what the Court understands to be the plaintiffs' core allegations about Facebook's handling of sensitive user information. Claims based on these core factual allegations will largely survive the motion to dismiss. All other prioritized claims not addressed by this ruling will be stayed (effectively, relegated to non-prioritized status) and adjudicated, if necessary, at a later stage in the proceedings with the other non-prioritized claims.

         The core allegations in the complaint describe four categories of wrongdoing by Facebook. In adjudicating Facebook's motion to dismiss, the Court is required to assume the truth of these allegations, so long as they are adequately articulated and not contradicted by any documents that the complaint explicitly relies on.

         1. Giving app developers access to sensitive user information. Since roughly 2007, Facebook users have been able to access applications, or apps, directly from the Facebook platform to do things like play video games, read news content, or stream videos. According to the plaintiffs, this interaction among Facebook, its users, and third-party apps is one of the primary means by which Facebook has disseminated user information to third parties. The complaint alleges that when users accessed apps on the Facebook platform, the app developers were not merely able to obtain information about the users they were interacting with; they were also able to obtain any information about the users' Facebook friends that the users themselves had access to. So, for example, if you decided to use an app on the Facebook platform to play a video game, the video game company would be able to access not only your information but also any information about your friends that you could obtain yourself. This includes a variety of things that your friends might have intended to share only with a limited audience, such as photographs, videos they made, videos they watched, religious preferences, posts, and even sometimes private one-on-one messages sent through Facebook. And since most people have dozens or hundreds of Facebook friends, each interaction with an app represents the disclosure of a great deal of information about dozens or hundreds of people.

         The Cambridge Analytica story is an example of this. In 2013, Aleksandr Kogan created an app called “MyDigitalLife.” Facebook allowed Kogan to market and operate this app on the Facebook platform. The app invited Facebook users to answer a series of questions to help them better understand themselves - a personality test of sorts. But when a user took the test, Kogan was not merely able to collect information about that user; he was able to collect information on the user's Facebook friends. This allowed Kogan to compile a database with information on roughly 87 million Facebook users, even though his app was only downloaded by around 300,000 people.

         The plaintiffs allege that from roughly 2009 to 2015, tens of thousands of app developers like Kogan, operating on the Facebook platform, were able to interact with users to obtain this type of information about users' friends. The plaintiffs further allege that Facebook failed to adequately disclose that even if users adjusted their privacy settings to specify that only their friends would be allowed to see their information, this would not prevent app developers from getting it.

         2. Continued disclosure to whitelisted apps. In 2014, in response to criticism of its information-sharing practices, Facebook announced it would restrict app developers so they would have access only to the information of the users the apps were interacting with (and not to information of the users' friends). But the plaintiffs allege that Facebook, despite its public promises to restrict access, continued to allow a preferred list of app developers to access the information of users' friends. The complaint describes these preferred app developers as “whitelisted apps,” and alleges that Facebook secretly continued to give these apps “special access” to friends' information because of the amount of revenue these apps generated for Facebook. Thousands of companies were allegedly on this list, including Airbnb, Netflix, UPS, Hot or Not, Salesforce, Lyft, Telescope, and Spotify.

         3. Sharing sensitive user information with business partners. Meanwhile, Facebook has maintained a separate information-sharing program with companies that the plaintiffs describe as “business partners.” The complaint's allegations about these business partners are somewhat more difficult to pin down than the allegations about app developers. Indeed, there may be some overlap between companies in the “app” category and the “business partner” category. Moreover, the plaintiffs allege that Facebook outsourced to business partners “the time, labor, and money required to build Facebook's Platform on different devices and operating systems,” but that doesn't seem to describe all the “business partners” listed in the complaint. The non-exclusive list of companies that the complaint identifies as business partners includes device manufacturers, such as Blackberry and Samsung. It includes websites such as Yahoo, and the Russian search engine Yandex. And it includes companies such as Amazon, Microsoft, and Sony. This list came from Facebook itself, which asserted that it had “integration partnerships” with these companies in a letter to the Energy and Commerce Committee of the U.S. House of Representatives.

         Although the category is somewhat vague, the alleged misconduct is relatively straightforward. The complaint alleges that Facebook shared information about its users with this non-exclusive list of business partners, and that those companies in turn shared data with Facebook. “These partnerships,” the complaint alleges, “were built in part on ‘data reciprocity.’ Facebook and its partners agreed to exchange information about users' activities with each other.” And as with app developers, Facebook allegedly would give a business partner access not only to information of the user with whom the business partner interacted, but also to information of that user's friends. The plaintiffs allege that, for most of the period covered by the lawsuit, Facebook never disclosed that it was sharing user information with business partners in this fashion.

         4. Failure to restrict the use of sensitive information. In addition to complaining about Facebook's dissemination of private user information to app developers, whitelisted apps, and business partners, the plaintiffs allege that Facebook did nothing to prevent these third parties from misusing the information Facebook allowed them to access. Specifically, the plaintiffs allege that: (i) Facebook purported to have a policy preventing app developers from using information for any purpose other than enhancing the interaction between the app and the person who was using the app on the Facebook platform; but (ii) Facebook did nothing to enforce this policy, thus giving users the impression that their information was protected, while in reality countless app developers were using it for other purposes.

         Again, the Cambridge Analytica story is an example of this. According to the plaintiffs, if Facebook was truly enforcing a policy of limiting the use of user information by app developers, Kogan would have been precluded from extracting all that sensitive information about users' friends to employ for his own research, and he would certainly have been precluded from selling it to Cambridge Analytica. The plaintiffs allege that this was the norm with the tens of thousands of app developers who interacted with users on the Facebook platform - that any policy Facebook purported to have restricting the use of information by third parties was nonexistent in reality, because Facebook was intent solely on generating revenue from the access it was providing.

         Based on the four core categories of misconduct described above, the plaintiffs assert a variety of legal claims. They bring a privacy-based tort claim under California law for the unauthorized disclosure of private facts. They assert another privacy-based tort claim for intrusion into private affairs, along with a similar claim based on the right to privacy enshrined in the California Constitution. They bring two claims based on federal statutes: the Stored Communications Act (which prohibits the unauthorized disclosure of information from computers) and the Video Privacy Protection Act (which prohibits disclosure of a person's video viewing habits). And the plaintiffs bring a variety of other California law claims that don't relate as directly to privacy but are nonetheless based on assertions that Facebook failed to protect their privacy. Such claims include breach of contract (for allowing third parties to obtain sensitive user information despite promising to protect it), deceit (for tricking users about the degree to which their information could be accessed), and negligence (for failing to prevent third parties from misusing sensitive information despite Facebook's duty to protect that information). As mentioned earlier, many of these purported claims actually have multiple distinct claims built into them. Facebook has moved to dismiss all the claims, both for lack of standing and on the merits.


         Facebook's motion to dismiss is littered with assumptions about the degree to which social media users can reasonably expect their personal information and communications to remain private. Because Facebook's view of this issue pervades so many of its individual legal arguments - and because Facebook's view is so wrong - it is addressed at the outset.

         Facebook's view is that once you make information available to your friends on social media, you completely relinquish any privacy interest in that information. For this reason, Facebook insists, it does not matter whether Facebook users consented to the company's information-sharing practices. Facebook asserts that even if users didn't consent, and even if users intended to restrict access to friends only, and even if Facebook had explicitly promised not to share their information with anyone else, the users would have no right to complain that their privacy was invaded by the disclosure or misuse of their sensitive information. Although this argument was implicit in Facebook's papers, it became explicit at the hearing on the motion to dismiss. Dkt. No. 287 at 7 (hearing transcript).[2]

         The problem with Facebook's argument is that it treats privacy as an all-or-nothing proposition - either you retain a full privacy interest by not sharing information with anyone, or you have no privacy interest whatsoever by virtue of sharing it even in a limited fashion. In reality, there can be “degrees and nuances to societal recognition of our expectations of privacy: the fact that the privacy one expects in a given setting is not complete or absolute does not render the expectation unreasonable as a matter of law.” Sanders v. American Broadcasting Companies, Inc., 20 Cal.4th 907, 915 (1999); see also Opperman v. Path, Inc., 84 F.Supp.3d 962, 991-93 (N.D. Cal. 2015). Thus, as the U.S. Supreme Court has explained, “information may be classified as private if it is intended for or restricted to the use of a particular person or group or class of persons” rather than being “freely available to the public.” U.S. Department of Justice v. Reporters Committee for Freedom of the Press, 489 U.S. 749, 763-64 (1989) (emphasis added) (quoting Webster's Third New International Dictionary 1804 (1976)); see also Id. at 763 (“Thus the extent of the protection accorded a privacy right at common law rested in part on the degree of dissemination of the allegedly private fact . . . .”). So, for example, if you are diagnosed with a medical condition, you can expect to conceal it completely only if you keep it between you and your doctor. But it does not follow that if you send an email to selected colleagues and friends explaining why you'll be out of commission for a while, you've relinquished any privacy interest in your medical condition, such that the email provider could disseminate your diagnosis to anyone who might be interested in your health status. Similarly, social media users can have their privacy invaded if sensitive information meant only for a few dozen friends is shared more widely.[3]

         Although Facebook refuses in this case to acknowledge its users' privacy interests, it has done so in other court cases. For example, in a brief filed with the California Supreme Court, for a case where Facebook fought against the compelled disclosure of a user's posts, Facebook compared information kept on social media to information kept on a smartphone: “The data on a smartphone - like the data maintained in a social media account - can reveal an individual's private interests and concerns and where a person has been, which in turn reflects a wealth of detail about a person's familial, political, professional, religious, and sexual associations.” Answer Brief on the Merits, Facebook, Inc. v. Superior Court, 2016 WL 684072 (Cal.), at *29 (brackets and internal quotations omitted) (quoting Riley v. California, 573 U.S. 373, 396 (2014)). For this reason, Facebook continued, “communications content of the kind maintained by [social media] providers” carries with it such a significant expectation of privacy that even law enforcement must get a warrant before accessing it from those providers. Id. In a different California Supreme Court brief, Facebook took pains to juxtapose users who share communications with the general public against users who share communications only with friends: “These settings cannot be overridden by others; if a post is set to be viewable only by a certain audience, it may not then be shared or forwarded through the Facebook platform to someone outside that audience.” Answering Brief on the Merits, Facebook, Inc. v. Superior Court, 2018 WL 2060039 (Cal.), at *16. Facebook added that even if users designate their communications to be viewed by the general public, they can later “regain” their expectation of privacy in that information by switching their settings back to a more restricted audience. See Id. at *28 n.4.

         Perhaps Facebook's argument that social media accounts are like smartphones is an exaggeration in the other direction. But it's closer to the truth than the company's assertions in this case. Sharing information with your social media friends does not categorically eliminate your privacy interest in that information, and the plaintiffs' claims in this lawsuit must be analyzed against that backdrop, rather than the backdrop Facebook attempts to paint in its motion to dismiss.

         III. STANDING

         To bring their claims in federal court, the plaintiffs must adequately allege (and eventually prove) that they have “standing” under Article III of the United States Constitution. This means, among other things, that the plaintiffs must allege they suffered an actual injury from Facebook's conduct that is both “concrete” and “particularized.” See Spokeo, Inc. v. Robins, 136 S.Ct. 1540, 1545 (2016).

         The plaintiffs allege three kinds of injury. First, they allege a simple “privacy injury” - that is, injury from Facebook's widespread disclosure of their sensitive information, including their photographs, videos they made, videos they watched, religious preferences, posts, and even private one-on-one messages sent through Facebook. Second, the plaintiffs allege they were injured because Facebook's dissemination of their personal information increased the risk that they would become victims of identity theft. Third, the plaintiffs allege they were deprived of the economic value of their personal information as a result of its dissemination, the theory apparently being that if their information had remained private, they could have sold that information to advertisers or data brokers themselves.

         The second and third alleged injuries do not confer Article III standing. Regarding the risk of identity theft, this is not a case involving, say, hackers, and it is not a case about the theft of, say, social security or credit card numbers. Although the risk of identity theft is admittedly greater than if Facebook had not made the plaintiffs' personal information available, the risk is too speculative to confer standing. Compare In re, Inc., 888 F.3d 1020, 1024-29 (9th Cir. 2018). Regarding loss of value, although it's true that each user's information is worth a certain amount of money to Facebook and the companies Facebook gave it to, it does not follow that the same information, when not disclosed, has independent economic value to an individual user. The plaintiffs do not plausibly allege that they intended to sell their non-disclosed personal information to someone else. Nor, in any event, do they plausibly allege that someone else would have bought it as a stand-alone product. The plaintiffs' economic-loss theory is therefore purely hypothetical and does not give rise to standing. See In re Facebook Internet Tracking Litigation, 140 F.Supp.3d 922, 931-32 (N.D. Cal. 2015); Opperman v. Path, Inc., 87 F.Supp.3d 1018, 1057 (N.D. Cal. 2014); Yunker v. Pandora Media, Inc., 2013 WL 1282980, at *4 (N.D. Cal. Mar. 26, 2013); Low v. LinkedIn Corp., 2011 WL 5509848, at *4-5 (N.D. Cal. Nov. 11, 2011).[4]

         But the first alleged injury - that the plaintiffs' sensitive information was disseminated to third parties in violation of their privacy - is sufficient to confer standing. Facebook argues that a “bare” privacy violation, without “credible risk of real-world harm” such as identity theft or other economic consequences, cannot rise to the level of an Article III injury. But it's black-letter law that an injury need not be “tangible” to be cognizable in federal court. Spokeo, Inc. v. Robins, 136 S.Ct. 1540, 1549 (2016) (“Although tangible injuries are perhaps easier to recognize, we have confirmed in many of our previous cases that intangible injuries can nevertheless be concrete.”). And courts have often held that this particular type of intangible injury - disclosure of sensitive private information, even without further consequence - gives rise to Article III standing.

         Indeed, the Ninth Circuit has repeatedly explained that intangible privacy injuries can be redressed in the federal courts. This issue has tended to come up recently in cases where a plaintiff alleges standing based on the violation of a statute whose purpose is to protect privacy. In such cases, the alleged violation of the statute does not automatically give rise to standing. For a statutory violation to create standing, the statute must protect against a concrete and particularized injury that's cognizable within the meaning of Article III.

         Most recently on this issue, the Ninth Circuit handed down an opinion in a different case against Facebook - a case involving Facebook's use of facial recognition technology in alleged violation of an Illinois statute. The Court held that “the development of a face template using facial recognition technology without consent (as alleged here) invades an individual's private affairs and concrete interests.” Patel v. Facebook, Inc., 2019 WL 3727424, at *5 (9th Cir. Aug. 8, 2019). Earlier, in Eichenberger v. ESPN, the Ninth Circuit held that an alleged violation of the Video Privacy Protection Act creates standing, explaining that the statute “protects privacy interests . . . generally by ensuring that consumers retain control over their personal information,” and emphasizing that “privacy torts do not always require additional consequences to be actionable.” 876 F.3d 979, 983 (9th Cir. 2017). And in Van Patten v. Vertical Fitness Group, LLC, the Ninth Circuit concluded that alleged violations of the Telephone Consumer Protection Act, which creates a cause of action to remedy the injury of receiving annoying telemarketing text messages, give rise to standing because such messages, “by their nature, invade the privacy and disturb the solitude of their recipients.” 847 F.3d 1037, 1043 (9th Cir. 2017). The Van Patten court emphasized that a lawsuit alleging this type of intrusion under the statute may proceed in federal court even if no additional, tangible harm is alleged. Id.

         There are many similar cases involving common law claims. For example, Judge Seeborg recently held that a lawsuit asserting common law privacy claims against Facebook based on the collection and disclosure of users' Android data could proceed in federal court despite the absence of any alleged economic injury. Williams v. Facebook, Inc., 384 F.Supp.3d 1043, 1050 (N.D. Cal. 2018) (“The complaint need not include economic injury to establish standing for the intrusion upon seclusion, invasion of privacy, or unjust enrichment claims.”). In reaching this conclusion, Judge Seeborg quoted another decision involving Facebook - this one by Judge Davila - which held: “a plaintiff need not show actual loss to establish standing for common-law claims of invasion of privacy and intrusion upon seclusion.” In re Facebook Internet Tracking Litigation, 263 F.Supp.3d 836, 843 (N.D. Cal. 2017); see also In re Google Inc. Cookie Placement Consumer Privacy Litigation, 806 F.3d 125, 134-35 (3d Cir. 2015) (holding that the plaintiffs had standing to assert federal statutory and California common law privacy claims based on allegations that the defendants implanted tracking cookies on their personal computers); id. at 134 (“For purposes of injury in fact, the defendants' emphasis on economic loss is misplaced.”); Opperman v. Path, Inc., 87 F.Supp.3d 1018, 1057 (N.D. Cal. 2014).

         To be sure, Facebook cites a few cases that lean in the other direction. For example, in a 2012 case, Judge Grewal rejected the argument that the “loss of personal information, even in the absence of any cognizable economic harm, was sufficient to confer Article III standing.” In re Google, Inc. Privacy Policy Litigation, 2012 WL 6738343, at *5 (N.D. Cal. Dec. 28, 2012). But Judge Grewal's ruling seems to assume that economic harm is required rather than examining whether it's required. This appears equally true of the earlier district court cases on which he relied. See LaCourt v. Specific Media, Inc., 2011 WL 1661532, at *4 (C.D. Cal. Apr. 28, 2011); In re iPhone Application Litigation, 2011 WL 4403963, at *5 (N.D. Cal. Sept. 20, 2011). Ultimately, the only reason Judge Grewal gave for his ruling was that “nothing in the precedent of the Ninth Circuit or other appellate courts confers standing on a party that has brought statutory or common law claims based on nothing more than the unauthorized disclosure of personal information . . . .” In re Google, Inc. Privacy Policy Litigation, 2012 WL 6738343, at *5. Whether or not he was right about precedent at the time, the cases cited above provide ample support for the conclusion that this type of privacy invasion alone creates standing.

         And those cases are right. To say that a “mere” privacy invasion is not capable of inflicting an “actual injury” serious enough to warrant the attention of the federal courts is to disregard the importance of privacy in our society, not to mention the historic role of the federal judiciary in protecting it. “In a democratic society privacy of communication is essential if citizens are to think and act creatively and constructively.” Bartnicki v. Vopper, 532 U.S. 514, 533 (2001) (quoting President's Commission on Law Enforcement and Administration of Justice, The Challenge of Crime in a Free Society 202 (1967)). For this reason, our country has countless federal laws on the books designed to protect our privacy - laws that the federal courts are charged with enforcing.[5] Perhaps the most prominent of these is the Wiretap Act, colloquially known as “Title III,” a bedrock privacy protection which makes it unlawful for either the government or a private party to intercept someone's “wire, oral, or electronic communication” ...
