August 13, 2014 Top Story

Online Privacy at Risk under Federal Statute

Disclosure of name and web history does not violate the Electronic Communications Privacy Act

Robert T. Denny

Disclosure of a Facebook user’s allegedly confidential information to third-party advertisers does not violate the Electronic Communications Privacy Act (ECPA), according to the U.S. Court of Appeals for the Ninth CircuitIn re Zynga Privacy Litigation. While social media users might be surprised that their name along with their browsing history could be revealed to third parties, the Ninth Circuit held that such disclosure does not violate ECPA because that information is not the “contents” of a communication—a required element of an ECPA claim. Although website privacy policies may provide some protection to users, ABA leaders suggest revisions to ECPA may be warranted to keep pace with changes in technology.

The Electronic Communications Privacy Act

In 1986, ECPA was enacted to provide increased statutory privacy protections in response to technological changes that occurred in the 17 years after the Wiretap Act took effect in 1968. As amended by ECPA, the Wiretap Act prohibits entities “providing an electronic communication service to the public” from “intentionally divulg[ing] the contents of any communication” to anyone other than the “intended recipient.” The act defines “contents” as “any information concerning the substance, purport, or meaning of that communication.”

The Stored Communications Act, another chapter of ECPA, contains similar provisions, but differentiates between “contents” and “record” information. In essence, where “contents” is the substance of a communication, “record” information describes characteristics of the communication such as “the name, address, or client ID number” of a customer. This record information may be disclosed to anyone aside from a governmental entity.

Claims under ECPA

Facebook generates revenue by selling advertising to third parties. Through Facebook, Zynga provides gaming applications to Facebook users from within Facebook’s platform. The plaintiffs alleged that when a user clicked on an advertisement from Facebook, the user’s Facebook ID, which could include the user’s real name, and the address of the last Facebook page visited by that user would be sent to a third-party advertiser through a “referer header.” The plaintiffs alleged that Zynga also collected this information and disclosed it to third parties.

In two separate suits consolidated on appeal, the plaintiffs alleged Facebook and Zynga’s disclosure of such information violated the Stored Communications Act and the Wiretap Act. The U.S. District Court for the Northern District of California dismissed both cases for failure to state a claim. The district court concluded that Facebook, Zynga, and others were intended recipients of the plaintiffs’ communications. Thus, the disclosures were expressly permitted under both acts.

No Violation of ECPA

Unlike the district court, the Ninth Circuit focused its analysis on whether the disclosed information constituted “contents” of a communication under ECPA. The court first clarified that “the term ‘contents’ refers to the intended message conveyed by the communication, and does not include record information regarding the characteristics of the message.” The court then concluded the referer header information was record information, and not contents, because a Facebook ID is similar to a name or ID number, and the last webpage visited is similar to an address.

While the plaintiffs argued the referer headers disclosed contents because they could reveal personally identifiable information, the court disagreed, explaining that contents and personally identifiable information are not synonymous. Moreover, the court determined referer headers could not be considered communications because they were “automatically generated by the web browser.”

Lastly, while the court acknowledged that in some instances disclosure of a URL containing a “search term to a third party could amount to disclosure of the contents of a communication,” it rejected that analysis here because the referer header information only included basic identification, and not search terms or other information that could be considered user communications. Accordingly, the court dismissed the plaintiff’s ECPA allegations for failure to state a claim.

Calls to Revise ECPA

The Ninth Circuit could have persuasively concluded that the referer header information was “contents” by determining that the last-visited website “reflects the mental impression of the user just like typing in a Google search term might,” contends Mark Romance, Miami, FL, cochair of the Internet Litigation Subcommittee of the ABA Section of Litigation’s Commercial & Business Litigation Committee. Nonetheless, ECPA does not ask “whether information is personal information or private information, but whether it fits the specific definition of content,” notes Susan Lyon-Hintze, Seattle, WA, cochair of the Privacy and Information Security Subcommittee of the Section of Litigation’s Consumer Litigation Committee.

The “court’s conclusion is not surprising given the case law and statutory context,” suggests Romance. But “in reality, header information does have some privacy implications, which illustrates one of the ways that ECPA has fallen behind in terms of the types of technology and the real privacy issues of technology today,” adds Lyon-Hintze. This lack of protection of personal information may be “contrary to what most users of the Internet and particularly users of Facebook would expect in terms of what information is being shared,” notes Romance.

While services like Facebook and Zynga do have privacy policies in place that alert users as to how their information will be used, revisions to ECPA may be warranted because “the market is not protecting the consumer,” argues Romance. Indeed, given the technological changes that have occurred since its enactment, “ECPA needs to be updated to address new privacy concerns that exist today, or be replaced or supplemented with other laws that will protect consumers,” concludes Lyon-Hintze.

Robert T. Denny is a contributing editor for Litigation News.

Keywords: privacy, Facebook, technology, personally identifiable information, wiretap, electronic

Related Resources

Copyright © 2014, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).