On May 31, 2019, the District of Columbia Superior Court issued an order rejecting Facebook’s request to dismiss or to stay a data privacy litigation brought under a state consumer protection statute.
The case is interesting because the order deals with the decision of a state court on the applicability of state general consumer protection statutes to data privacy and security issues. The claims is also interesting because it concerns the distribution and maintenance of Facebook users’ personal data.
By way of background. In 2018 the District of Columbia Office of the Attorney General, D.C. OAG, filed a complaint against Facebook, Inc. for failing to honor its promise to protect consumers’ personal data in violation of the District of Columbia Consumer Protection Procedures Act, CPPA. The D.C. OAG alleged that Facebook users “reasonably expect Facebook to maintain and protect their data, but Facebook fails to do so.”
Facebook moved to dismiss the claim for lack of jurisdiction over Facebook and because the D.C. OAG claim could not withstand scrutiny. Alternatively, Facebook argued that the proceeding should be stayed pending the resolution of a related multi-district litigation and an FTC investigation.
Even though the court found that Facebook was not subject to general personal jurisdiction in D.C., it still deemed that the companywas subject to the State’s specific personal jurisdiction due to the federal Due Process Clause. As a matter of fact, the court found that Facebook had sufficient “minimum contacts” in the jurisdiction, it purposefully directed its activities at D.C. residents and the lawsuit resulted from the alleged injuries. Facebook’s website qualified as a “storefront” in D.C. because the company transacted “continuous and systematic business” with D.C. residents through its online platform. D.C. residents transacted businesses by repeatedly exchanging personal information through Facebook online social networking service. Facebook’s conduct “had an effect” in D.C, it filed with D.C. regulatory authorities.
Facebook was also subject to D.C. long arm statute, D.C. Code § 13-423, also because it operates an office with employees in D.C. and acquired an estimated $10 million in revenue from D.C. consumers in the fourth quarter of 2018.
As for the D.C. OAG claims’ viability under Civil Procedure Rule 8(a), the court found that the claims – alleging that Facebook misled consumers by failing to provide them with a clear explanation of how much responsibilities the company undertook to protect consumers’ personal data, by leading them to believe that the information obtained by third-parties from Facebook would be limited to the data users’ opted to share in their privacy settings and by inadequately warning its users that the data was improperly obtained, harvest and used by third parties without their knowledge – satisfies the required pleading standard and are sufficient to set forth a prima facie case against Facebook.
Finally, the court didn’t find a significant overlap with other cases and denied Facebook motion to stay the proceeding.
The order 2018 ca 008715 B District of Columbia vs. Facebook, Inc. is available https://eaccess.dccourts.gov…
For more information on how a privacy statute could impact your business Francesca Giannoni-Crystal Thanks to Federica Romanelli