The Stored Communications Act, another chapter of ECPA, contains similar provisions, but differentiates between “contents” and “record” information. In essence, where “contents” is the substance of a communication, “record” information describes characteristics of the communication such as “the name, address, or client ID number” of a customer. This record information may be disclosed to anyone aside from a governmental entity.
Claims under ECPA
Facebook generates revenue by selling advertising to third parties. Through Facebook, Zynga provides gaming applications to Facebook users from within Facebook’s platform. The plaintiffs alleged that when a user clicked on an advertisement from Facebook, the user’s Facebook ID, which could include the user’s real name, and the address of the last Facebook page visited by that user would be sent to a third-party advertiser through a “referer header.” The plaintiffs alleged that Zynga also collected this information and disclosed it to third parties.
In two separate suits consolidated on appeal, the plaintiffs alleged Facebook and Zynga’s disclosure of such information violated the Stored Communications Act and the Wiretap Act. The U.S. District Court for the Northern District of California dismissed both cases for failure to state a claim. The district court concluded that Facebook, Zynga, and others were intended recipients of the plaintiffs’ communications. Thus, the disclosures were expressly permitted under both acts.
No Violation of ECPA
Unlike the district court, the Ninth Circuit focused its analysis on whether the disclosed information constituted “contents” of a communication under ECPA. The court first clarified that “the term ‘contents’ refers to the intended message conveyed by the communication, and does not include record information regarding the characteristics of the message.” The court then concluded the referer header information was record information, and not contents, because a Facebook ID is similar to a name or ID number, and the last webpage visited is similar to an address.
While the plaintiffs argued the referer headers disclosed contents because they could reveal personally identifiable information, the court disagreed, explaining that contents and personally identifiable information are not synonymous. Moreover, the court determined referer headers could not be considered communications because they were “automatically generated by the web browser.”
Lastly, while the court acknowledged that in some instances disclosure of a URL containing a “search term to a third party could amount to disclosure of the contents of a communication,” it rejected that analysis here because the referer header information only included basic identification, and not search terms or other information that could be considered user communications. Accordingly, the court dismissed the plaintiff’s ECPA allegations for failure to state a claim.
Calls to Revise ECPA
The Ninth Circuit could have persuasively concluded that the referer header information was “contents” by determining that the last-visited website “reflects the mental impression of the user just like typing in a Google search term might,” contends Mark Romance, Miami, FL, cochair of the Internet Litigation Subcommittee of the ABA Section of Litigation’s Commercial & Business Litigation Committee. Nonetheless, ECPA does not ask “whether information is personal information or private information, but whether it fits the specific definition of content,” notes Susan Lyon-Hintze, Seattle, WA, cochair of the Privacy and Information Security Subcommittee of the Section of Litigation’s Consumer Litigation Committee.
The “court’s conclusion is not surprising given the case law and statutory context,” suggests Romance. But “in reality, header information does have some privacy implications, which illustrates one of the ways that ECPA has fallen behind in terms of the types of technology and the real privacy issues of technology today,” adds Lyon-Hintze. This lack of protection of personal information may be “contrary to what most users of the Internet and particularly users of Facebook would expect in terms of what information is being shared,” notes Romance.
While services like Facebook and Zynga do have privacy policies in place that alert users as to how their information will be used, revisions to ECPA may be warranted because “the market is not protecting the consumer,” argues Romance. Indeed, given the technological changes that have occurred since its enactment, “ECPA needs to be updated to address new privacy concerns that exist today, or be replaced or supplemented with other laws that will protect consumers,” concludes Lyon-Hintze.
Robert T. Denny is a contributing editor for Litigation News.