Skip to main content

No Violation of Electronic Communications Privacy Act by Facebook

Written by Stu Eaton

The United States District Court for the Northern District of California has dismissed the claims of the plaintiffs against Facebook in the case of In re: Facebook Privacy Litigation.  Plaintiffs’ claims were based on Facebook’s admitted disclosure of their personal information to is advertisers in its “Referrer Headers,” which are created when  a user clicks on an advertisement and then sent to the corresponding advertiser.  Plaintiffs alleged that the Referrer Header, which contained the webpage address the user was viewing prior to clicking on the advertisement, revealed personally identifiable information, such as the user’s  name, gender, picture and other personal information without that user’s knowledge or consent.  Plaintiffs sought damages under the Electronic Communications Privacy Act (“ECPA”), 18 U.S.C. §§ 2510, et seq., and California’s Unfair Competition Law, Business and Professions Code §§ 17200, et seq.

A.         No Violation of the Electronic Communications Privacy Act

The ECPA is composed of two distinct subsections, the Wiretap Act and the Stored Communications Act  (“SCA”), both of which prohibit a communications service from disclosing the contents of any communication to parties who are not the “addressee or intended recipient.”   See 18 U.S.C. §§ 2510(a), 2702(b).  The SCA contains a specific exception allowing disclosure with the “lawful consent of the originator.”  18 U.S.C. § 2702(b).  Plaintiffs alleged that they did not know of or consent to Facebook’s disclosure their personal information to its advertisers, and that such disclosure violated both subsections of the ECPA.

The Northern District noted that when a user clicks on an advertisement, the result is either: (1) a communication between the user and Facebook, which is then passed on to the advertiser; or (2) a communication between the user and the advertiser sent through Facebook.  The Court held that Plaintiffs failed to state a claim under the SCA because, under either interpretation, Facebook was entitled to pass on the information at issue.  If the communication was sent to Facebook, then it was an “addressee or intended recipient” and thus permitted to disclose the communication to advertisers with the “lawful consent” of the  users.  The Court held that the act of clicking on the advertisement amounted to such “lawful consent.”   Alternatively, if the communication was sent to an advertiser, then no violation occurred because the advertiser was the addressee or intended recipient, and “Defendant was permitted to divulge the communications to  it.”  Applying the same analysis, the Court also denied Plaintiffs’ wiretap claims.

B.         Personal Information Is Not The Same As Money

Relying on the theory that a user’s personal information can be equated with money or property,  Plaintiffs also sought damages under California’s Unfair Competition Law  (“UCL”).  The Court held that personally identifiable information does not constitute property under the UCL.   It also went one step further, expressly limiting its prior ruling  in  Does 1 v. AOL, Inc., 719 F. Supp. 2d 1102 (N.D. Cal. 2010), which held that AOL’s disclosure of users’ personal  information was not something users’ bargained for when they “signed up and paid fees” to use AOL’s service.  The Northern District Court held that AOL did not stand for the broad proposition that personal information equals property, but rather that “a plaintiff who is a consumer of certain services  . . . may state a claim under  . . . California Consumer Protection statutes when a company, in violation of its own policies, discloses personal information about its consumers to the public.”   Because Facebook is a free service, the Court held that Plaintiffs cannot state a claim under the UCL.

Editor's Note:  Congratulations to Stu Eaton, author of this post, who just received his CIPP certification!

Subscribe To Viewpoints


Cynthia J. Larose

Member / Co-Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.