Cookie Monster: Facebook Sued Under Wiretap Act

Photo by Kon Karampelas on Unsplash

Brianna Vollman, Blog Editor, University of Cincinnati Law Review

Facebook has occupied news headlines for years due to the site’s less-than-perfect protection of user privacy. As recently as a month ago, Facebook’s new “Messenger Rooms,” a video chat app, were criticized for lack of privacy protection.[1] Years before, in 2014, Cambridge Analytica, a British political consulting firm, acquired the data tens of thousands of Facebook users with intent to sell acquired data.[2] Privacy expert Rowenna Fielding went so far as to say, “Data mining and profiling are the core of their business model–governance and ethics have been notably absent from the start and continue to be so.”[3] The constant scrutiny prompted Facebook leaders to recently appoint a privacy committee to prevent misappropriation of user data.[4]

The mentioned privacy scandals and many others have landed Facebook in federal court. The most recent court decision impacting Facebook came from the Ninth Circuit in April 2020.[5] In a punitive class action, a group of Facebook users filed a consolidated complaint, alleging primarily a violation of the Wiretap Act.[6] The complaint alleged that Facebook “cookies,” small text files stored on the user’s device, continued to capture information even after a user logged out of Facebook and visited other websites.[7] Specifically, the lawsuit involved Facebook plugins that are embedded on third party websites and contain a small portion of Facebook code.[8] When a user visits a third party website, the user’s browser sends a “GET request” to the web page’s server, which then sends back the requested information to the user.[9] When the third party website contains a Facebook plugin, the code sends a separate but identical request to Facebook’s servers.[10] Facebook allegedly tracks users across the internet in this way, collecting the data into personal user profiles, which Facebook allegedly intended to sell.[11] The district court granted Facebook’s motion to dismiss.[12] The appeal followed.[13]

The Wiretap Act (“the Act”) prohibits the unauthorized “interception” of an “electronic communication.”[14] Case law has interpreted the meaning of “interception.”[15] The Ninth Circuit has held that an interception is an “acquisition contemporaneous with transmission.”[16] The statute contains an exemption for a person who is a “party” to the communication or the interception has been consented to, which is where the crux of the litigation lies for the Ninth Circuit and where an implied circuit split is revealed.[17] The Act does not solely apply to social media platforms but to any situation where a GET request is duplicated and contemporaneously sent to an entity other than the website being accessed by the user. The question faced by the Ninth Circuit is whether the entity other than the website being accessed is considered a “party” to the communication and is thus not liable due to the exemption contained in the Act. The First, Seventh, and Third Circuit faced related questions previously.

The First Circuit implicitly dealt with the party exemption in 2003.[18] Pharmatrak, an enterprising company, sold a service to pharmaceutical companies that collected user information from the companies’ websites and created intra-industry comparisons of website traffic.[19] Buyers of the service were assured that no personal information would be collected in this process.[20] Despite this assurance, Pharmatrak collected personally identifiable information from some users, which prompted a class action to be filed under the Electronic Communications Privacy Act (an amendment to the Wiretap Act).[21] The lower court held that since the pharmaceutical companies were in a contractual relationship with Pharmatrak, they had consented to the collection of their personal data and thus was a party to the communication.[22] The First Circuit disagreed.[23] The court held that the information acquisition committed by Pharmatrak constituted an interception and “was contemporaneous with the transmission by the internet users to the pharmaceutical companies.”[24] For these reasons, the Ninth Circuit explained that the First Circuit implicitly rejected the argument that Pharmatrak was a party to the communication.[25]

The Seventh Circuit faced different facts but reached a similar conclusion.[26] The defendant was being accused of violating the Wiretap Act by using software that duplicated his employer’s emails and sent them to the defendant’s own email address.[27] The court focused on whether the duplicated emails were sent off contemporaneously to determine whether these actions constituted an interception.[28] The court determined that because the duplicate emails indeed were sent contemporaneously, the case was reversed and remanded.[29] For similar reasons to the First Circuit, the Ninth Circuit opinion in In re Facebook explained  that the Seventh Circuit does not believe the defendant was a party to the communication and did not receive protection of the enumerated exemption.[30]

The Third Circuit reached the opposite conclusion.[31] In In Re Google Cookie, the court determined that defendants, internet advertising companies, that placed cookie blockers on users’ browsers to facilitate online advertising were parties to the communication and thus were not liable under the Act.[32] This case dealt with duplicate GET requests being sent to advertising companies.[33] The court opined that because a communication necessarily has two parties, here the user’s browser and the defendants, the defendants were the intended recipients of the communication.[34] Thus, the case was vacated and remanded in part to the lower court. [35]

The Ninth Circuit followed the reasoning of the First and Seventh Circuits.[36] The courtexplained that the First and Seventh Circuit had “implicitly assumed that entities that surreptitiously duplicate transmissions between two parties are not parties to communications within the meaning of the Act.” [37] The Ninth Circuit further delved into the Wiretap Act’s legislative history, which “evidences Congress’s intent to prevent the acquisition of the contents of a message by an unauthorized third-party or ‘an unseen auditor.’”[38] The Ninth Circuit summarized in stating, “Permitting an entity to engage in the unauthorized duplication and forwarding of unknowing users’ information would render permissible the most common methods of intrusion, allowing the exception to swallow the rule.”[39] The case was remanded for further consideration.[40]

The First, Seventh and Ninth Circuits properly held that sending a duplicate GET request to an unseen entity is an interception under the Wiretap Act. To hold any differently would allow sites like Facebook to invisibly track their users around the internet. The Ninth Circuit properly explained that the party exception does not apply in these sorts of electronic interception situations because the user and the third party website are communicating with one another, while the third party merely receives a contemporaneous duplication of that communication.[41] This holding is consistent with the legislative purpose of the Wiretap Act and would further protect internet users from being tracked across the web. This holding is also consistent with the First and Seventh Circuit’s related cases, which although didn’t explicitly focus on the party exemption, still made clear that contemporaneous communication to an unauthorized third party is an interception in violation of federal law.  

In re Facebook has been remanded for further consideration by the district court, but the circuit split remains. Facebook’s privacy scandals are ongoing, which may gain the attention of the Supreme Court. Should the Supreme Court take a case involving liability under the Wiretap Act for tracking site users across the internet, the resolution of the circuit split will have major implications for Facebook, as it has profited from sharing data collected from tracking.[42] The Supreme Court should follow the decisions of the First, Seventh, and Ninth Circuit, which would appropriately hold Facebook accountable for tracking its users across the web.


[1] Kate O’Flaherty, Facebook Users Beware: Here’s Why Messenger Rooms Is Not Actually That Private, Forbes (Apr. 26, 2020, 3:50 AM), https://www.forbes.com/sites/kateoflahertyuk/2020/04/26/facebooks-messenger-rooms-is-not-actually-all-that-private-heres-why/#78020c5bb098

[2] Nicholas Confessore, Cambridge Analytica and Facebook: The Scandal and the Fallout So Far, New York Times, (March 17, 2020), https://www.nytimes.com/2018/04/04/us/politics/cambridge-analytica-scandal-fallout.html

[3] Id.

[4] Rob Price,  Facebook has appointed the ‘privacy committee’ on its board designed to prevent another Cambridge Analytica scandal, Business Insider, (May 13, 2020 8:06 PM), https://www.businessinsider.com/facebook-announces-privacy-committee-board-of-directors-2020-5.

[5] In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 601 (9th Cir. 2020).

[6] 18 U.S.C. § 2511 (West); In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 601 (9th Cir. 2020).

[7] In re Facebook, 956 F.3d at 596.

[8] Id. at 607.

[9] Id.

[10] Id.

[11] Id. at 599.

[12] Id. at 597.

[13] Id.

[14] 18 U.S.C. § 2511(1)(a)–(e) (2020).

[15] While case law interprets the meaning of “interception,” the term “electronic communication” is defined in 18 U.S.C. § 2510(12) (2020), and takes on a plain meaning of “any transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce.”

[16] Konop v. Hawaiian Airlines, Inc., 302 F.3d 868, 878 (9th Cir. 2002).

[17] 18 U.S.C. § 2511(2)(c)-(d) (2020). The statute reads: “It shall not be unlawful under this chapter for a person acting under color of law to intercept a wire, oral, or electronic communication, where such person is a party to the communication or one of the parties to the communication has given prior consent to such interception.”

[18] In re Pharmatrak, Inc., 329 F.3d 9 (1st Cir. 2003).

[19] Id. at 12.

[20] Id. at 15.

[21] Id. at 16.

[22] Id. at 17. Arguing that the plaintiff consented to the communication is another way to avoid liability under the Wiretap Act. See 18 U.S.C. § 2511(2)(c)-(d) (2020).

[23] Id. at 22.

[24] Id.

[25] In re Facebook, 956 F.3d at 607.

[26] United States v. Szymuszkiewicz, 622 F.3d 701 (7th Cir. 2010).

[27] Id. at 703.

[28] Id. at 706.

[29] Id.

[30] In re Facebook, 956 F.3d at 607.

[31] In re Google Inc. Cookie Placement Consumer Priv. Litig., 806 F.3d 125, 142-43 (3d Cir. 2015)

[32] Id. at 132, 142-43.

[33] Id. at 130-31.

[34] Id. at 142-43.

[35] Id.

[36] In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 608 (9th Cir. 2020).

[37] Id. at 607.

[38] Id. at 608; See S. Rep. No. 90-1097.

[39] In re Facebook, 956 F.3d at 608.

[40] Id. at 611.

[41] Id. at 607.

[42] Gabriel J.X. Dance, Michael LaForgia and Nicholas Confessore, As Facebook Raised a Privacy Wall, It Carved an Opening for Tech Giants, New York Times, (Dec. 18, 2018) https://www.nytimes.com/2018/12/18/technology/facebook-privacy.html.