United States: Judge Hits Ctrl+Alt+Delete On Facebook User Tracking MDL

Judge Edward J. Davila of the Northern District of California recently administered the coup de grâce to an expansive multidistrict litigation over Facebook's data use policy filed in 2012. The plaintiffs alleged that Facebook's data use and privacy policy violated the federal Wiretap Act, the Stored Communications Act, California's Invasion of Privacy Act, California consumer protection statutes, and common law, seeking over $15 billion in damages and injunctive relief.  The scope of the suit was first narrowed in 2015, then again in July 2017, cutting all causes of action with leave to amend granted only for the plaintiffs' claims for breach of contract and breach of the implied covenant of good faith and fair dealing

The plaintiffs alleged that they entered into a contract with Facebook that consisted of its statements of rights and responsibilities (SRR), its privacy policy, and relevant pages from its help center. The policy at issue was Facebook's collection of data—including user IDs—that the company receives when users visit a third-party site with a Facebook feature such as a plugin "if [the user] is logged into Facebook."  The plaintiffs claimed that this statement "implicitly promises to the average user that Facebook will not receive [a user-identifying] cookie when the user is not logged in," and was incorporated by reference into the SRR from Facebook's privacy policy and help center pages.

However, this argument had little support. Judge Davila found that the version of Facebook's data use policy containing the language about not collecting logged-out users' IDs was published in September 2011, four months after the publication of the version of the SRR upon which the plaintiffs rested their arguments.  He found that the privacy policy and help center pages were not incorporated into the SRR and therefore could not form the basis of the plaintiffs' claims for breaches of contract and good faith, and dismissed them without leave to amend.

Takeaway: This decision indicates that statements of rights and responsibilities and separate privacy policies or help center pages may not be viewed as one incorporated contract for purposes of contract litigation.  Drafters of such policies should consider this when writing and updating their companies' terms of use.

This article is presented for informational purposes only and is not intended to constitute legal advice.