Facebook is facing renewed scrutiny following efforts to explain its data collection practices, which include tracking where and when members and nonmembers are browsing after they visit a Facebook page.
At the end of 2011, USA Today reported on how Facebook tracks user browsing habits, following in-depth interviews with senior Facebook engineers and spokespersons. According to those interviewed, any Facebook user who visits a Facebook page receives a “browser cookie” with a unique alphanumeric identifier; this cookie is then used by Facebook to track and create a time-stamped record of every visit by that user to any other website that utilizes a Facebook plug-in (such as “like” buttons), even if the user is logged out or not a member of Facebook. When a user is logged in to Facebook, an additional “session cookie” is activated, allowing Facebook to collect specific profile and system information (such as the user’s email address and list of friends), user preferences and a time-stamped record of websites visited by the user that contain Facebook plugins. While Facebook only receives a user’s personal information alongside his or her browsing history when the user is logged in to the Facebook service, users frequently remain logged in for long periods of time (merely closing a browser window or tab often is insufficient to end a session—rather, a user must affirmatively select the “log out” option made available by Facebook).
According to Facebook, this tracking information is used to boost security and to “enhance user experience” but not to target ads to Facebook users. Additionally, Facebook claims that it deletes tracking information that is more than 90 days old. However, with Facebook reportedly gearing up for an IPO in 2012, users and critics are concerned that the pressures of the public market will result in more aggressive leveraging of users’ browsing habits and associated data in an effort to maximize profits.
Meanwhile, courts have been actively adjudicating claims against online service providers that may be using (or abusing) user information. In November 2011, a LinkedIn user’s class action lawsuit against LinkedIn for allegedly disclosing the user’s browsing history to third parties was dismissed for lack of constitutional standing to sue. The plaintiff in the Northern District of California case, Low v. LinkedIn Corp., claimed that he was “embarrassed and humiliated” by LinkedIn’s alleged disclosures of “valuable personal property” (his browsing history and related personal information). The court found that the plaintiff’s allegations lacked particularity in failing to explain what personal information was disclosed to third parties, how it was disclosed, and to what extent it actually resulted in economic injury. Failure to allege “injury-in-fact” resulted in a successful motion to dismiss for LinkedIn; however, the court has provided the plaintiff with an opportunity to amend his complaint to allege “particularized” examples of his actual injury.
In the past, plaintiffs in the Northern District of California have been able to survive standing challenges when pursuing online service providers for unauthorized disclosure of their personal information. In April 2011, the plaintiff in Claridge v. RockYou, Inc. survived a motion to dismiss on standing grounds on the theory that personal information is personal property having monetary value. However, just three days following the successful motion to dismiss in Low, Claridge and RockYou settled the dispute (subject to court approval), with RockYou consenting to an injunction requiring two privacy/security audits over the next three years. Moreover, in similar litigation in the Northern District of California, In re Facebook Privacy Litigation, the court was less amenable to treating users’ personal information stored on Facebook as valuable personal property (for an in-depth discussion of these two cases, see our June 2011 issue of Socially Aware).
While courts wrestle with users’ attempts to challenge how online service providers use their personal information, both Congress and the World Wide Web Consortium (W3C) are independently moving forward with efforts to create new standards to govern online tracking. In May 2011, Sen. John D. Rockefeller introduced the Do-Not-Track Online Act of 2011, a bill that, if enacted, would direct the FTC to adopt rules regarding website compliance with Internet users’ activation of a “do not track” preference online. In November 2011, W3C published two “first drafts” for Web standards relating to “tracking preference expression” and how websites may engage with users who have opted into the newly conceived “do not track” user preference. The W3C, which develops standards and guidelines for the Web, is building these new privacy standards with the expectation that industry stakeholders such as “browser vendors, content providers, advertisers, search engines” among others will adopt the new standards by mid-2012.