On September 9, the U.S. District Court for the Northern District of California granted in part and denied in part a social media company’s motion to dismiss a multidistrict class action alleging the company failed to prevent third parties from accessing and misusing private data of its users, in violation of the Stored Communications Act (SCA), the Video Privacy Protection Act (VPPA), and various state laws. In the consolidated action, the plaintiffs allege that the company (i) made sensitive user information—including basic facts such as gender, age, and address; and substantive content such as photos, videos, and religious and political views—available to third parties without user consent; and (ii) failed to prevent those same third parties from selling or otherwise misusing the information. The company moved to dismiss the action, arguing, among other things, that “people have no legitimate privacy interest in any information they make available to their friends on social media.”

The district court disagreed, concluding that most of the plaintiffs’ claims should survive, and that the company “could not be more wrong” in its argument that its users lose all privacy interest in the information they share with their friends on social media. The court asserted that when a user shares information with a limited audience, they “retain privacy rights and can sue someone for violating them.” The court also rejected the company’s argument that the plaintiffs did not have standing to sue in federal court because they could not show “tangible negative consequences from the dissemination of [the] information.” The court noted that privacy invasion is a redressable injury in itself and does not need a secondary economic injury to confer standing. Additionally, while the court recognized that the company’s argument that the users consented to this practice has “some legal force,” it concluded that the argument cannot “defeat the lawsuit entirely, at least at the pleading stage.” Therefore, the court denied the motion as to the VPPA and narrowed certain claims under the SCA and California state laws, mostly with regard to claims on behalf of users who signed up for the service after 2009, who purportedly authorized the company to share information through their friends with app developers.