Facebook Avoids Certification of Privacy Class Action

Photo by Wesley VanDinter/iStock / Getty Images

Facebook users may have no effective recourse for disclosures of their private information because of a recent decision from the Northern District of California.  In an opinion by Judge Ronald Whyte, Facebook was able to defeat class certification in a case styled In Re Facebook Privacy Litigation, 2016 WL 4585817 (N.D. Cal. 9/2/16).  Given the low amount of damages for each individual claim, this decision is a “death knell” for the litigation.  Even beyond killing the litigation, however, the decision gives a roadmap for how a tech company can defeat class certification by showing the a user’s interface with an ad service can be different than other users because of the vagaries of different technological tools.  

The case involves of breach of contract and fraud based on a particular series of actions that may have occurred only when Facebook users were navigating their own page.  The court explained that when an Internet user navigates to a website by clicking a link, the user's browser may send a “referer header” to the destination website's server and this “referer header” typically contains the URL of the website
the user was visiting when he or she clicked the link.   

A Facebook user could navigate the website in a particular way and by clicking on a third-party advertisement linked to an external page, the user could cause the referrer header to include a user’s Facebook username or user ID.  Theoretically, by combining the anonymous data that an advertiser would receive from Facebook as a result of the user’s click on the ad with the referer header information, an advertiser could figure out the specific individual that clicked on an ad.  This was fixed in July 2010.  

In analyzing class certification, the court quickly found that the class had enough members, the named plaintiff’s claims were typical of the class, common questions existed, and class counsel and the named plaintiff were adequate representatives.  The named plaintiff had a felony conviction for embezzlement, would have had trouble traveling to the trial if there was one, and seemingly had little knowledge of what the case was about.  In spite of this, the court ruled she was an adequate representative of the class, thus reinforcing the notion that the bar is extremely low for adequacy of a class representative.  

Like most class actions, the battle joined on the predominance prong of Rule 23(b)(3) of the Federal Rules of Civil Procedure.  Class certification was denied because of several scenarios that could have occurred in which a user’s information would not have been disclosed.  The examples presented were the operation of a tool called Quickling used by Facebook to cut down browser time and would not have changed the URL when reloading a page.  Another set of scenarios involved the use of privacy and security tools and web filtering proxies that would have stripped the problematical information.  Also, when Internet Explorer used a JavaScript redirect that information also would not have been transmitted.  

Although Facebook did not present proof that such scenarios actually occurred, its burden on class certification was only to show that the claims were not subject to common proof, which it did by explaining these potential scenarios.  This decision, therefore, is powerful ammunition to help tech companies avoid class certification by showing that various technological differences in a user’s experience could mean that individual claims would not be subject to common proof.