Farmville is a game that celebrates the digital harvest: players earn Farm Coins by diligently and systematically harvesting their virtual crops. Yet a different kind of digital harvest – the harvest of user data – was at the heart of two unsuccessful class action suits users filed against Facebook and Zynga. While the Ninth Circuit ultimately dismissed both claims with prejudice in a consolidated opinion, this case is another important battle in an ongoing war between consumers and social media sites over user data.
Marking a victory for Facebook and Zynga, the Ninth Circuit held that sharing information about users’ identity and the last Facebook page they visited with third party advertisers did not violate the Electronic Communications Privacy Act (“ECPA”). But consumer unrest over data use remains. A Canadian woman recently brought a class action suit against Facebook in Ontario for profiting from users’ private messages. In the United States, the FTC recently signaled its intent to police Facebook’s use of data in light of a proposed merger with WhatsApp.
This battle, recently waged on the fields of FarmVille, may influence the struggles to come.
Class plaintiffs alleged that Facebook and Zynga violated two provisions of the ECPA by divulging the “contents” of their communications to third party advertisers without permission. Indeed, the federal statute prohibits knowing or intentional disclosure of “the contents of any communication” to unauthorized third parties.
The putative classes premised their argument on two pieces of information a third party advertiser automatically receives as a result of the protocol initiated whenever users click on that third party’s link: the user’s Facebook ID and the address of the Facebook page the user accessed their link from.
The Ninth Circuit rejected this argument, without touching on the question of whether either service violated its respective terms of use. The Court held that the user IDs and URLs are not “contents” under the ECPA, but are actually “records,” which parties can divulge without consent. This distinction rests in part on the fact that “Facebook and Zynga divulged identification and address information contained in a referer header automatically generated by the web browser,” as opposed to content that users generate themselves, such as a wall post, a private message or a picture of lunch.
This case signals that courts may be reluctant to hold social media sites like Facebook liable for the transmission of the user metadata that these sites generate automatically as they function. But information that users affirmatively enter themselves may compel a different response.
In any case, this is unlikely to be the last time consumers accuse Facebook and other social media outlets of reaping data where they did not sow.