Disclosing Unique User IDs in URLs Doesn’t Violate ECPA - In re Zynga/Facebook

In separate lawsuits, plaintiffs alleged Facebook and Zynga violated the Stored Communications Act (in Zynga’s case, also the Wiretap Act). The crux of plaintiffs’ allegations was that when a Facebook user clicked on an ad or a link, the HTTP request sent by the browser included the user’s Facebook ID and the address of the webpage the user was viewing when he or she clicked the link. An end user’s request to play Farmville would result in the transmission of similar information to third parties.

The district court dismissed the claims on the basis that anyone who received the information was an “intended recipient” and thus these disclosures were excluded from the reach of the statute. (Previous post on the case here: “Facebook and Zynga Privacy Litigation Dismissed With Prejudice”.)

On appeal, the court tackles a foundational issue: is the information disclosed by Facebook or Zynga the “content”—the “substance, meaning, or purport”—of the communication? The ECPA distinguishes between a message’s content and “record” information, which includes the name, address, and “subscriber number or identity” of a subscriber (what we usually call metadata). According to the court, this distinction indicates that the statutory concept of “content” doesn’t encompass a user ID or the page from which the end user initiated the request. The court says this conclusion is bolstered by the fact that ECPA’s amendments to the Wiretap Act expressly excluded the identity of the parties or the existence of a communication (these previously could be considered content).

Plaintiffs argued that the Facebook IDs can be used to uncover personal information, but the court says this doesn’t change the analysis. Plaintiffs also argued that the record information and content information may overlap in some instances (citing In re Pharmatrak). The court distinguishes Pharmatrak because, in that case, the users communicated with a website by entering their personal information into a form, and this information was then accessed by third parties. Finally, plaintiffs tried to rely on Fourth Amendment cases where disclosure of a URL would result in disclosure of contents of a communication. The court says that its job is to construe the relatively clear statutory language, and that the scope of privacy under the Fourth Amendment does not illuminate that question.

* * *

The real bombshell is that in a memorandum disposition, the court reverses the breach of contract and fraud claims against Facebook! So what the court taketh away in a detailed opinion, it gives back in a breezy memo.

As tortuous as the ECPA analysis usually is, the court’s conclusion that Facebook’s IDs and the web pages or links in question are not “content” is commonsensical. LinkedIn was able to defeat a similar lawsuit. (See Low v. LinkedIn.) Although I don’t recall if the court delved into it in Gaos, contrast this result with the one in Gaos v. Google, where Google lost a motion to dismiss, and (recently) settled a search referral case for $8.5 million.

Plaintiffs’ argument that knowing the identity of the Facebook user plus the identity of the web page in question could divulge contents has a superficial appeal. Undoubtedly, the URL often provides some clue into the substance of a webpage in question, and the thought of anyone having access to the full list of URLs we’ve accessed is not comforting. However, even if this somehow amounts to an argument that it could result in disclosure of the “content” under the ECPA, it would be a tough sell to make this argument work on a class-wide basis in this context.

Including user IDs in URLs was a short-lived practice that Facebook (and others) fixed when they were advised of it. Presumably, plaintiffs won’t continue to try to litigate their breach of contract claims, which would be comical from a damages standpoint. In any event, as with the cookie lawsuits of the early 2000s, the court makes quick work of this genre of claims.

Case citation: In re: Zynga & Facebook Privacy Litigation, Nos. 11-18044; 12-15619 (9th Cir. May 8, 2014)

By Venkat Balasubramani, Tech-Internet Lawyer at Focal PLLC
