May 9, 2014 – Yesterday, the 9th Cir. Court of Appeals dismissed federal wiretap claims against Zynga and Facebook. At issue was whether the gaming giant and FB were improperly disclosing user information to advertisers.
In the class action suit, FB users were understandably unhappy to discover that when they clicked on an ad or icon, FB sent a “referrer header” that included the user’s Facebook ID and the address of the FB page the user was viewing when they clicked the link.Apparently, Zynga had specifically programed its games to collect the “referrer information” and then send the valuable information to third-parties.So what’s the big deal about a “referrer header” being sent to third party advertisers and why does this matter to the domain and Internet community?
For starters, FB and Zynga were not required to send or transmit “referrer headers” they could have easily omitted the “referrer header” and still completed the HTTP transactions.
Additionally, the Plaintiffs are alleging that these disclosures also violated the FB Privacy Polices. It does not take much imagination to think of scenarios where you would not want your user info and site info sent to third-parties.
Unfortunately, for the consumers, the wiretap claims could not stand under the Federal statutes. Under the Stored Communications and the Wiretap Acts of the ECPA the information disclosed to advertisers did not qualify as the “contents of a communication.” The case turned on whether or not the “referrer header” (the FB User Identification and site address) were the “contents” of the communication. Under ECPA, while prohibited from disclosing “contents,” a provider is permitted to disclose “record information.” The Court concluded that the user’s Facebook ID and the address of the webpage from which the user’s HTTP request to view another page was sent “does not meet the definition of ‘contents,’ because these pieces of information are not the ‘substance, purport, or meaning’ of a communication.”
So while the Federal Wiretap claims are out, the Plaintiffs can pursue Facebook under claims that FB violated its own privacy policies and can also proceed with their state law claims. You can find a copy of the full decision In Re Zynga Privacy Litigation here.
In sum, website owners need to be careful what information they collect from users and what they disclose to third-parties.
We’ll see soon, but I’m betting that there’s going to be a big fight over the language of those “Privacy Polices.” Make sure your Privacy Polices are clear and updated.