Facebook's Scanning Social Media Messages May Violate Wiretap Act: N.D. Cal. | Practical Law

Facebook's Scanning Social Media Messages May Violate Wiretap Act: N.D. Cal. | Practical Law

In Campbell v. Facebook, Inc., the US District Court for the Northern District of California rejected defendant Facebook's motion to dismiss claims alleging that the company's scanning of users' private messages on its social media website violates the federal Electronic Communications Privacy Act.

Facebook's Scanning Social Media Messages May Violate Wiretap Act: N.D. Cal.

Practical Law Legal Update 3-594-1985 (Approx. 4 pages)

Facebook's Scanning Social Media Messages May Violate Wiretap Act: N.D. Cal.

by Practical Law Intellectual Property & Technology
Published on 31 Dec 2014USA (National/Federal)
In Campbell v. Facebook, Inc., the US District Court for the Northern District of California rejected defendant Facebook's motion to dismiss claims alleging that the company's scanning of users' private messages on its social media website violates the federal Electronic Communications Privacy Act.
On December 23, 2014, in Campbell v. Facebook, Inc., the US District Court for the Northern District of California denied Facebook's motion to dismiss claims that its scanning of Facebook users' messages sent on the company's social media website violates, among other statutes, the Electronic Communications Privacy Act, commonly known as the Wiretap Act (ECPA) (No. C 13-5996, (N.D. Cal. Dec. 23, 2014)).
Facebook allows users to limit their sharing of certain information to just one other Facebook user through private messages. The plaintiffs allege that while this messaging function is designed to allow users to communicate privately with other users, Facebook improperly:
  • Scanned the content of users' private messages to measure the popularity of webpages linked to in users' messages.
  • Uses this data to compile user profiles to deliver targeted advertising to its users.
The plaintiffs filed suit in the Northern District of California alleging that Facebook's scanning of these messages violates:
  • The ECPA.
  • California's Invasion of Privacy Act (CIPA).
  • Section 17200 of California's Business and Professions Code (UCL).
In moving to dismiss the ECPA claims, Facebook argued that:
  • The plaintiffs' claims did not satisfy threshold ECPA requirements, because:
    • Facebook does not "intercept" messages, as required by the ECPA, because it properly accesses the messages to facilitate their delivery; and
    • any actionable interception under the ECPA must involve the communication being acquired during transmission, rather than storage, of the message and the actions plaintiffs complained of concerned content in electronic storage.
  • Its actions were not improper because they fell within the ECPA's "ordinary course of business" exception.
  • The plaintiffs gave express or implied consent to Facebook's scanning their messages.
Facebook also moved to dismiss the plaintiffs' state law claims, arguing that:
  • The plaintiffs' CIPA claims failed because:
    • plaintiffs consented to Facebook's interception of their messages; and
    • Facebook could not intercept any messages "in transit," as required by CIPA, because the messages were contained entirely on Facebook's servers; and
    • plaintiffs did not allege any confidential communications.
  • Plaintiffs, having failed to allege that they lost any money or property as a result of Facebook's conduct, did not state any compensable injury under the UCL.
The court denied Facebook's motion to dismiss the ECPA claims. First, it rejected Facebook's threshold arguments, finding that, without an evidentiary record the court:
  • Could not rule out the possibility that Facebook unlawfully redirected the content of plaintiffs' private messages to inappropriately scan their content.
  • Was compelled to reject Facebook's factual argument that any interception occurred during storage.
The court also rejected Facebook's argument that any alleged interception was excepted from the ECPA because it occurred in the ordinary course of Facebook's business, reasoning that:
  • Contrary to Facebook's argument, not every activity that generates revenue for a company should be considered within the ordinary course of the company's business.
  • Any interception falling within the ordinary course exception must either facilitate or otherwise be related or connected to an electronic communication provider's service.
  • Facebook provided no facts linking Facebook's alleged scanning of users' private messages for advertising purposes and its ability to provide its service, including any technical details needed to support this argument.
  • The plaintiffs' failure to allege that Facebook's scanning of its users' messages violated its internal policies was of no account because proof that a company's activity violated its own internal policy is not required to negate an ordinary course of business exception.
  • There was therefore an insufficient record to find that Facebook's challenged practices were within the ordinary course of its business.
Distinguishing between users' consent to Facebook's processing and sending of private messages and its scanning these messages' contents for targeted advertising, the court further rejected Facebook's arguments that its scanning of these messages did not violate the ECPA because of its users' express or implied consent.
For similar reasons, the court denied Facebook's motion to dismiss the plaintiffs' state law claim under section 631 of the CIPA, a statute that it found analogous to the ECPA. In addition, the court denied Facebook's request to strike the plaintiffs' request for injunctive relief, finding that, even though Facebook no longer scanned private messages, the plaintiffs adequately alleged a sufficient likelihood that it could resume this activity.
However, the court granted Facebook's motion to dismiss the plaintiffs' remaining state law claims under:
  • Section 632 of the CIPA, because the plaintiffs did not allege that Facebook had intercepted any confidential communication.
  • Section 17200 of the UCL, because the plaintiffs did not allege that they had lost any money or property as a result of Facebook's conduct, and the plaintiffs' claim of a property interest in their personal information did not satisfy this statutory requirement.
This decision clarifies the US Court of Appeals for the Ninth Circuit's position that companies that provide e-mail or messaging services cannot rely on the ordinary course of business exception to dismiss ECPA claims against them for scanning messages other than such scanning as is either:
  • Conducted to facilitate the provision of their electronic communication service.
  • Incidental to the provision of that service.
As a result, a properly pled complaint may require the social media service provider to submit to discovery and defend against a Wiretap Act claim at least to summary judgment.