Last Thursday, the United States Court of Appeals for the Ninth Circuit affirmed dismissal of claims for violations of the Electronic Communications Privacy Act (“ECPA”), holding that the plaintiffs had failed to allege Facebook and Zynga disclosed the “contents” of a communication, a necessary element under the Act.
The court’s ruling applies to the consolidated cases In re Zynga Privacy Litig. and In re Facebook Privacy Litig., in which plaintiffs alleged that the social network and popular gaming company disclosed personally identifiable information to third parties.
According to plaintiffs, when a Facebook user clicked on an advertisement on Facebook, the user’s web browser sent the Facebook User ID and the URL of the page the user was viewing as part of the HTTP request to the advertiser. Similarly, the complaint alleged that when a Facebook user clicked on a Zynga game icon on Facebook, the user’s browser sent the same information to Zynga. Plaintiffs claimed the transmission of this information violated provisions in ECPA that generally prohibit certain entities’ from disclosing the contents of users’ electronic communications. The Zynga plaintiffs further claimed that Zynga collected this information and, in turn, shared the information with advertisers and other third parties, also in violation of the Act.
ECPA generally prohibits companies providing an electronic communications service or remote computing service from intentionally or knowingly divulging “the contents of any communication” unless a statutory exception or defense otherwise applies. 18 U.S.C. §§ 2511(3)(a), 2702(a)(2). In determining whether the information disclosed was “content,” the court looked to the language and structure of the statute. The court noted that ECPA’s §§ 2702(c) and 2703(c)(1) explicitly excluded from the definition of “contents” the communication’s “record” information. Thus, the court held that record information under sections 2702(c) and 2703(c)(1), including the “name,” “address,” and “subscriber number or identity,” may be divulged under the statute.
The court held that the information at issue was, in effect, nothing more than “record” information: A user’s Facebook ID is akin to a “name” or “subscriber number or identity” and the address of the webpage from which the request was sent is like a physical “address.” Because Congress explicitly excluded these types of record information from its definition of content, the court held that plaintiffs failed to allege the disclosure of communication “contents,” and that the claims were properly dismissed.
Also on Thursday, the Ninth Circuit affirmed the district court’s dismissal of In re Facebook Privacy Litig. plaintiffs’ California Unfair Competition Law claim, holding plaintiffs failed to allege that they had lost money or property as a result of unfair competition, where plaintiffs claimed they were harmed by the dissemination of their personal information and by losing the sales value of that information. The court also dismissed the plaintiffs’ Consumer Legal Remedies Act claim, holding that plaintiffs failed to allege that they obtained anything from Facebook by purchase or a consumer transaction.
The allegations were, however, held sufficient to show the element of damages for breach of contract and fraud. Plaintiffs’ claims on those theories were remanded to district court for further proceedings.