Facebook hit with $15 billion class action user tracking lawsuit

Facebook is once again being sued for tracking its users even after they logout of the service. The latest class action lawsuit demands $15 billion from Facebook for violating federal wiretap laws.
Written by Emil Protalinski, Contributor

Facebook is being sued for $15 billion for tracking users, even after they have logged out of the social network, and violating federal wiretap laws. If that sounds familiar, that's because it is: Facebook faces nationwide class action tracking cookie lawsuit.

Today's lawsuit, filed in Federal Court in San Jose, California, combines 21 separate cases across the U.S. in 2011 and early 2012. It's an amended consolidated class-action complaint that claims the company is invading the privacy of its users by tracking them across the Internet. If the claimants are successful in their case against Facebook, they could prevent Menlo Park from collecting the huge amount of data it collects about its users to serve ads back to them.

Like the previous lawsuits, Facebook is once again being accused of violating the Federal Wiretap Act, which provides statutory damages per user of $100 per day per violation, up to a maximum per user of $10,000. The complaint also asserts claims under the Computer Fraud and Abuse Act, the Stored Communications Act, various California Statutes, and California common law. It's worth noting that similar cases against Facebook and others filed under the wiretap law have been thrown out because browser cookies are simply not considered wiretaps and plaintiffs have difficulty proving any harm.

Stewarts Law is one of the firms leading the claim. "This is not just a damages action, but a groundbreaking digital-privacy rights case that could have wide and significant legal and business implications," David Straite, a partner at Stewarts Law, said in a statement.

Facebook has been accused multiple times of using cookies to track users even after they log out of the service. Menlo Park has since twice denied the allegations, and has also twice fixed the issue. Nevertheless, the lawsuits just keep coming. In additional to national lawsuits, there have been several lawsuits filed in multiple states, including Kansas, Kentucky, Louisiana, and Mississippi.

In September 2011, self-proclaimed hacker Nik Cubrilovic accused Facebook of tracking its users even if they log out of the social network. He explained that even after logging out of the service, whenever he visited a website that had a Facebook plugin, information including his account ID was still being sent to Palo Alto.

The company responded by denying the claims and offering an explanation as to why its cookies behave the way they do. Menlo Park explained that it does not track users across the Web and its cookies are used to personalize content. As for the logged-out cookies, Facebook said they are used for safety and protection.

After a long technical discussion, Cubrilovic confirmed Facebook made changes to the logout process, and that the cookies in question behave as they should. They still exist, but they no longer send back personally-identifiable information after you log out. The company also took the time to explain what each cookie is responsible for.

Later that month, 10 privacy groups and US congressmen sent letters asking the Federal Trade Commission (FTC) to investigate Facebook for these and other practices. Note that the FTC settlement from November 2011 was over charges that date back to December 2009, meaning the tracking cookie issue was never discussed.

In October 2011, the issue came back. It was discovered that the datr cookie, which can be used for tracking users, was once again being set on third-party websites with a Facebook social plugin – whether you are logged in or logged out of the service. Facebook confirmed the bug, said only some third-party websites were affected, and fixed it.

Also in September, Ireland's Data Protection Commissioner (DPC) agreed to conduct a privacy audit of Facebook. Since the social network giant's international headquarters is in Dublin, the larger majority of the site's users are affected by any of the DPC's decisions (see Europe versus Facebook). Thankfully for Facebook, when the DPC completed his three-month privacy audit of Facebook's activities in December 2011, he said Facebook makes "innovative use of cookies to identify unusual or suspicious activity" on an account.

All that being said, Facebook still needs to worry about this lawsuit and all the previous ones related to cookie tracking. I have contacted Facebook and will update you if I hear back.

See also:

Editorial standards