Social media users may have a reasonable expectation of privacy in their internet browsing data, according to a recent decision of the United States Court of Appeals for the Ninth Circuit Court.

Users of a social media platform brought a class action against its owner, alleging that the company tracked users’ browsing histories when they visited third-party websites, and then compiled those browsing histories into personal profiles which were sold to advertisers to generate revenue. The company did not dispute that it engaged in these tracking practices even after its users had logged out of the site. Plaintiffs complaint alleged, among other claims, violation of the California Invasion of Privacy Act (“CIPA”), and common law invasion of privacy.

The district court dismissed plaintiffs’ privacy claims for lack of standing after determining they failed to allege that they suffered a concrete harm as a result of the company invading a legally protected interest. Because the case was dismissed for lack of standing at the pleading stage, the Ninth Circuit assumed all material allegations as true for the purpose of the appeal. Under that standard, the Ninth Circuit reversed, finding that Plaintiffs had indeed adequately alleged harm to protectable privacy interests. Specifically, Plaintiffs properly alleged they suffered harm by the company continuously collecting user-data after they had logged off the social media platform. This tracking occurred “no matter how sensitive” or personal users’ browsing histories were. The company constantly compiled and updated its database with its users’ browsing activities, including what they did when they were not using the social media website. According to Plaintiffs, by correlating users’ browsing history with users’ personal profiles—profiles that could include a user’s employment history and political and religious affiliations—the company “gained a cradle-to-grave profile without users’ consent.” This data collection, according to the Ninth Circuit, caused harm or a material risk of harm to plaintiffs’ interest in controlling their personal information by not affording users a meaningful opportunity to control or prevent the unauthorized exploration of their private lives. This amounted to an invasion of user privacy.

In an era when more and more companies interact with and collect user data, potential misuse of that data has heightened personal privacy concerns. Although the Ninth Circuit did not decide on the merits whether the defendant’s actions were unlawful, its decision demonstrates the willingness of courts to define individual “harm” broadly, which may serve to rein in practices which allegedly run afoul of privacy laws, particularly in states with robust (and often constitutionally protected) privacy rights.