How private is the funny URL you share via Facebook Messenger?
While the primary purpose of Campbell v. Facebook, Inc., 951 F.3d 1106 (9th Cir. 2020), might not have been about privacy, there are some points to consider.
The Cause of Action- Your Facebook messages are being shared
In 2013, Facebook users alleged that Facebook used the website links included in users’ private messages without consent. They claimed such practices violated federal and California privacy laws. Facebook acknowledged in the settlement that it already made several changes to these practices. On Facebook.com it explains that these messages are “private” as their contents and history are viewable only by the sender and their recipients.
Plaintiffs alleged that if a message contained a URL, Facebook would collect that information and use it ways that the user consent. These URLs were shared into a feature that enabled third parties to show on their sites how many Facebook users “Liked” their pages regardless of what the message said about the URL. Moreover, Facebook used the URL data to build profiles of users for advertising. Last, Facebook’s handling of their messages amounted to interception and use of electronic communications.
In response, Facebook represented that these uses had relied on “anonymous, aggregate” information. Facebook separately confirmed that, as of the date of the settlement, it was not using any URL data for targeted advertising and not sharing PI associated with URL.
Facebook agreed to display for one year a new disclosure in the Help Center, stating: “We use tools to identify and store links shared in messages, including…the number of times links are shared.” In exchange, class members were required to release their injunctive claims. Only the named Plaintiffs released their damages claims. ECPA includes a private right of action, 18 U.S.C. § 2520, against one who “intentionally intercepts….any wire, oral, or electronic communication,” 2511(1)(a).
The question whether such practices are actionable are relatively simple. Privacy torts that form the backdrop for these modern statutes, “[t]he intrusion itself makes the defendant subject to liability.” Restatement 2nd Torts § 652B cmt. b. “In other words, `privacy torts do not always require additional consequences to be actionable.'” So, historical practice provides support for the conclusion that a wiretapping plaintiff “need not allege any further harm to have standing.”
The settlement includes declaratory relief, confirming that Facebook no longer (1) uses private message URL-shares to tally likes “likes”; (2) proffers URL-share data to third-parties via “Insights;” and (3) uses URL-shares for Facebook feed recommendations. The settlement also requires Facebook to update its Data Policy to disclose its collection of data from messages or other communications and to display for one year in its Help Center a message disclosing its practice of collecting information about shared links.
The win in this case pertains to basic accountability but unless you are doing a deep dive through their policies or closely follow such litigation, you are likely still being taken advantage of unbeknownst to you.