Are targeted ads the result of wiretapping? Companies track your browsing history all the time through the use of, inter alia, cookies, and then mine the data they receive for purposes like targeted advertising. Because the cookies make the users computer send electronic communications without the users’ knowledge is this wiretapping?
Put differently, can a defendant “wiretap” a communication that it receives directly from a plaintiff ? This is the question that Facebook is asking the United States Court of Appeals for the Ninth Circuit to consider in its Petition for Panel Rehearing and for Rehearing En Banc in In re Facebook Internet Tracking Litigation, No. 17-17-486.
The Wiretaps laws have an interesting history that begins with listening in on private calls facilitated by the telephone companies but has long also embraced data transmissions across the internet. In 1986, Congress enacted the Electronic Communications Privacy Act (ECPA) to extend restrictions on government wire taps of telephone calls to include transmissions of electronic data by computer (18 U.S.C. § 2510 et seq.) and to add new provisions prohibiting access to stored electronic communications, i.e., the Stored Communications Act (SCA, 18 U.S.C. § 2701 et seq.). The ECPA has been amended by the Communications Assistance for Law Enforcement Act (CALEA) of 1994, the USA PATRIOT Act (2001), the USA PATRIOT reauthorization acts (2006), and the FISA Amendments Act (2008). Despite these amendments, Title I of the ECPA protects wire, oral, and electronic communications while in transit, requiring heightened search warrants that are more stringent than in other settings. Commentators have long wondered whether browsing and similar communications, which are routinely “listened-to” by ad technology, constitute a protected communication.
While both ECPA (commonly referred to as the federal WireTap Act) and the California Invasion of Privacy Act (CIPA) impose civil and criminal penalties on a person who “intercepts” an “electronic communication,” both statutes contain an exemption from liability for a person who is a “party” to the communication. Thus, the question raised by Facebook’s petition is whether a company that installs code on users’ computers, such that the users’ computers automatically send information back to the company regarding the users’ browsing history (to be used for, inter alia, targeted advertising), constitutes a “party” that falls under the Wiretap laws’ exception.
Some of the relevant facts that plaintiffs in the In re Facebook Internet Tracking Litigation allege are as follows:
- During a 16 month period, when plaintiffs visited third-party websites that contained Facebook “plug-ins” (such as its “Like” button), the code would direct plaintiffs’ browsers to send a copy of the URL to the visited page (known as a “referrer header”) to Facebook.
- Facebook used “cookies” to compile these reference headers into personal profiles, and then used that data to improve targeting for advertisements.
- Facebook never promised not to collect this data – but its disclosures suggested that it would not receive referrer headers from logged-out users.
- Facebook tracked logged-out users’ browsing activities and sold that information to advertisers without the users’ knowledge.
The Northern District of California dismissed plaintiffs’ wiretapping claims pursuant to the “party” exception of the federal Wiretap Act and CIPA because Facebook received the data at issue directly from plaintiffs (more precisely, plaintiff’s computers, pursuant to the Facebook “plug-ins”).
The Ninth Circuit, relying on decisions from the First and Seventh Circuits (that “implicitly assumed” the “party” exception is inapplicable when the sender is unaware of the transmission), vacated the district court’s dismissal of the wiretapping claims, holding that “entities that surreptitiously duplicate transmissions between two parties are not parties to communications” under the wiretapping statutes.
Facebook now argues that the Ninth Circuit should grant rehearing because the panel’s April decision conflicts with precedent and purportedly “fundamentally changes the definition of ‘wiretapping’ under the Federal Wiretap Act and the California Invasion of Privacy Act (CIPA), both of which have not just civil but also criminal penalties. Notably, the Ninth Circuit’s decision conflicts not just with precedent of other circuits (i.e., the Second, Third, Fifth, and Sixth Circuits), but it also conflicts with a prior ruling of the Ninth Circuit.
The prior Ninth Circuit ruling on this issue was in Konop v. Hawaiian Airlines, 302 F.3d 868 (9th Cir. 2003). In this case, the Court focused on the “interception” element instead of the “party” exception. The Court held that a defendant “intercept[s]” a communication under the Wiretap Act only if it “stop[s], seize[s], or interrupt[s]” a communication “in progress or course before arrival” at its destination,” and obtaining a communication directly from a sender – even if the sender did not have knowledge of the communication – is not an interception.
Among the other circuit cases that the Ninth Circuit Facebook decision conflicts with is In re Google Cookie Placement, 806 F.3d 125 (3d Cir. 2015), a Third Circuit case based on similar facts. In In re Google Cookie Placement, the plaintiffs alleged that Google violated the Wiretap Act and CIPA by acquiring referrer headers “that the plaintiffs sent directly to the defendants.” There, the court held that a direct “recipient of a communication is necessarily one of its parties,” and when it comes to wiretapping statute, whether the communication was obtained by deceit upon the sender is irrelevant. The Third Circuit relied on opinions of the Second, Fifth, and Sixth Circuits, and concluded, based on the text and history of the federal Wiretap Act, that the applicability of the “party” exception does not turn on the sender’s knowledge or intent.
Any company that tracks browsing histories should be paying close to attention to this issue. This case should also serve as a reminder for companies to revisit their terms and policies to ensure they accurately describe web tracking and data collection activities.