Facebook made international news recently when it was revealed that Cambridge Analytica, a political consulting firm, used the personal data of tens of millions of people it got from Facebook to assist Donald Trump’s presidential campaign. A recent lawsuit against Facebook alleges that Facebook violated California law in culling and selling the data to Cambridge Analytica. Now, a new development in the case could fundamentally change how we think about the viability of such data-related lawsuits.
For those unfamiliar with Cambridge Analytica, the alleged story, in a nutshell, is the following: a Russian professor named Aleksandr Kogan released a personality test app called This Is Your Digital Life. However, TIYDL did more than store the survey results. The app reached into the Facebook profiles of the more than 300,000 users who granted Kogan consent, as well as the profiles of all of those users’ Facebook friends (who did not grant consent, obviously). According to Mark Zuckerberg, TIYDL might have accessed as many as 87 million accounts, though even Facebook is not quite sure how many or whose information was taken. Kogan then sold the data to Cambridge Analytica’s parent company, who used the data to assist the Trump campaign.
This lawsuit, filed in San Mateo Superior Court, titled Leah Ballejos, et al. v. Facebook, Inc., Case No. 18-CIV-03607, alleges just two causes of action: violations of California’s Unfair Competition Law (“UCL”) and California’s False Advertising Law (“FAL”). UCL prohibits any “unlawful, unfair or fraudulent business act or practice,” while the FAL prohibits “untrue or misleading” disclosures related to a sale of a good or service.
The Complaint’s UCL cause of action alleges that Facebook committed unlawful, unfair, and fraudulent acts, by advertising terms of service and other policies purporting to protect its members, but failing to actually abide by these promises. The Complaint also alleges Facebook failed to abide by a consent decree (a settlement with the government to cease certain activities) reached with the FTC to implement stronger privacy safeguards.
The Complaint’s FAL cause of action similarly alleges that Facebook publicly advertised itself as safe and that it would abide by users’ preferences as to sharing their data, but failed to do so.
Most importantly, both causes of action allege:
Plaintiffs have a property interest in the data collected by Facebook. Facebook’s data use policy stated that users “always own all of your information.” CEO Mark Zuckerberg recently affirmed that “[e]very piece of content that you share on Facebook, you own, and you have complete control over who sees it, and how to share it.”
Facebook’s pending demurrer (California’s word for a motion to dismiss) brings up a number of issues. While I highly suggest you read the full pleadings, most importantly here, Facebook argued that the plaintiffs lacked standing. Specifically, California’s Proposition 64 from 2004 added the requirement that a plaintiff must have lost money or property and suffered an “injury in fact” as a result of the alleged action to have standing under the UCL and FAL to bring a lawsuit. Facebook argued that the users had not been injured because the loss of personal information is not an actual or economic injury.
For those less familiar with law and motion issues, a motion to dismiss/demurrer is not challenging the veracity of the facts pled in the complaint. Rather, the motion is simply saying that even if everything you’re saying is true, you don’t have a leg to stand on because the events described in the complaint don’t constitute a violation on my part. In other words, even if Facebook actually flouted the rules and allowed Kogan to give Cambridge Analytica 87 million accounts’ worth of data, this doesn’t amount to any violation of California law (because loss of data is not an injury-in-fact).
Facebook also argued that the plaintiffs’ injury is “too speculative and conjectural” because no users actually know whether they were included in the user data Cambridge Analytica accessed. Facebook also argued that the user data that was taken did not include “sensitive” information.
In opposition, the plaintiffs argued that the complaint had, in fact, alleged lost money or property. The plaintiffs argued that such a loss can be proven in a number of ways, including “if a property interest was diminished; deprivation of property to which he or she has a cognizable claim; and/or plaintiff will be required to enter into a transaction, costing money or property, that would otherwise have been unnecessary,” quoting the California Supreme Court. According to the plaintiffs, the complaint adequately pled such a loss to a property interest that even Facebook acknowledges in its “always own all of your information” policy. This property interest was diminished by Cambridge Analytica’s unauthorized access to the data, causing an injury. The plaintiffs also pointed to a number of previous case decisions that have found standing and/or loss or property solely based on data breaches alone.
The judge heard oral argument on July 9, 2019, and the opinion is expected on July 22, 2019. If the judge holds that the plaintiffs have standing, or that Prop 64 does not apply to data breach cases, this will be a big deal for this and future data breach cases. On the other hand, if the judge rules that the Class does not have standing, it could make such cases much harder to bring in the future. Regardless of the outcome, the losing side is likely to appeal, so this won’t be the last we hear from this case.
The relevant pleadings, downloaded from San Mateo Superior Court’s website, are attached here: the Complaint, Facebook’s Demurrer, the plaintiffs’ Opposition to the Demurrer, Facebook’s Reply, and Facebook’s Supplemental Briefing.
While we wait for the judge’s decision, why not read more about the California Consumer Privacy Act?
Disclaimer: This information is given for legal education only. This post is not legal advice and does not create an attorney-client relationship. Please contact an attorney for legal advice.
Daniel Zarchy is a civil litigator and privacy attorney in San Francisco, California. Daniel is also a Certified Information Privacy Professional (CIPP/US). The views and opinions expressed herein are solely those of the author and do not necessarily reflect the views or opinions of any other party or law firm.
Latest posts by Daniel J. Zarchy
(see all)Like this:
Like Loading...