In order to maintain a California common law privacy action, plaintiffs must show more than an intrusion upon reasonable privacy expectations. Actionable invasions of privacy also must be highly offensive to a reasonable person, and sufficiently serious and unwarranted so as to constitute an egregious breach of the social norms. Determining whether a defendant's actions were highly offensive to a reasonable person requires a holistic consideration of factors such as the likelihood of serious harm to the victim, the degree and setting of the intrusion, the intruder's motives and objectives, and whether countervailing interests or social norms render the intrusion inoffensive. While analysis of a reasonable expectation of privacy primarily focuses on the nature of the intrusion, the highly offensive analysis focuses on the degree to which the intrusion is unacceptable as a matter of public policy.
Facebook uses plug-ins to track users' browsing histories when they visit third-party websites, and then compiles these browsing histories into personal profiles which are sold to advertisers to generate revenue. The parties do not dispute that Facebook engaged in these tracking practices after its users had logged out of Facebook. Facebook allegedly compiled the referer headers it collected into personal user profiles using "cookies"—small text files stored on the user's device. When a user creates a Facebook account, more than ten Facebook cookies are placed on the user's browser. These cookies store the user's login ID, and they capture, collect, and compile the referer headers from the web pages visited by the user. As most relevant to this appeal, these cookies allegedly continued to capture information after a user logged out of Facebook and visited other websites. Plaintiffs claim that internal Facebook communications revealed that company executives were aware of the tracking of logged-out users and recognized that these practices posed various user-privacy issues. According to the Plaintiffs, Facebook stopped tracking logged-out users only after Australian blogger Nik Cubrilovic published a blog detailing Facebook's tracking practices. Plaintiffs filed a consolidated complaint on behalf of themselves and a putative class of people who had active Facebook accounts between May 27, 2010 and September 26, 2011. After the district court dismissed their first complaint with leave to amend, Plaintiffs filed an amended complaint. In the amended complaint, they alleged a number of claims. The claims relevant to this appeal consist of: (1) violation of the Wiretap Act, 18 U.S.C. § 2510, et seq.; (2) violation of the Stored Communications Act ("SCA"), 18 U.S.C. § 2701; (3) violation of the California Invasion of Privacy Act ("CIPA"), Cal. Pen. Code §§ 631, 632; (4) invasion of privacy; (5) intrusion upon seclusion; (6) breach of contract; (7) breach of the duty of good faith and fair dealing; (8) civil fraud; (9) trespass to chattels; (10) violations of California Penal Code § 502 Computer Data Access and Fraud Act ("CDAFA"); and (11) statutory larceny under California Penal Code §§ 484 and 496. The district court granted Facebook's motion to dismiss the amended complaint. First, the district court determined that Plaintiffs had failed to show they had standing to pursue claims that included economic damages as an element, thus disposing of the claims for trespass to chattels, violations of the CDAFA, fraud, and statutory larceny. It dismissed these claims without leave to amend. The district court also dismissed for failure to state a claim, without leave to amend, Plaintiffs' claims for violations of the Wiretap Act, CIPA, and the SCA, as well as their common law claims for invasion of privacy and intrusion upon seclusion. The district court dismissed the claims for breach of contract and the breach of the implied covenant of good faith and fair dealing, but granted leave to amend these claims. In response, Plaintiffs amended their complaint as to the breach of contract and implied covenant claims. The district court subsequently granted Facebook's motion to dismiss the amended claims. This appeal followed.
Did the Plaintiffs sufficiently plead the "reasonable expectation of privacy" and "highly offensive" elements necessary to state a claim for intrusion upon seclusion and invasion of privacy to survive a 12(b)(6) motion to dismiss?
The court found that the district court properly concluded that plaintiffs had established standing to bring claims for invasion of privacy, intrusion upon seclusion, breach of contract, breach of the implied covenant of good faith and fair dealing, as well as claims under the Wiretap Act and California Invasion of Privacy Act, because they adequately alleged privacy harms. The court, however, found that the district court erred in dismissing plaintiffs' claims for California common law trespass to chattels and fraud, statutory larceny, and violations of the Computer Data Access and Fraud Act for lack of standing because California law recognized a legal interest in unjustly earned profits, and plaintiffs adequately pleaded an entitlement to defendant's profits from users' personal data sufficient to confer standing.