This article was originally published on July 2, 2013, and remains one of the most popular articles in this blog’s history. It principally authored by Adrean S. Taylor, a student at the University of Michigan Law School and a 2013 summer associate at Honigman Miller Schwartz and Cohn LLP.
The overall issue for courts addressing common law privacy claims is to determine if and when there is a reasonable expectation of privacy for the online communications at issue. Invasion of privacy claims may arise from a variety of Internet and social media activities. Facebook posts are the most common matter of dispute, but claims may also arise from Google searches, LinkedIn profile usage, or MySpace posts.
1. The Reasonable Expectation Spectrum
In Ehling v. Monmouth-Ocean Hospital Service Corp., a case decided in 2012, the District Court of New Jersey acknowledged the need for a consistent approach to the undefined legal boundary between public and private online communications. Deborah Ehling worked as a paramedic, employed by the Monmouth-Ocean Hospital Service Corporation (“MONOC”). Ehling alleged that only individuals invited to be her Facebook “friend” could view postings on her wall, but that a supervisor coerced one of the invitees into accessing Ehling’s page from a work computer. There was a comment posted by Ehling after a museum guard was killed in a shooting and the shooter survived, “I blame the DC paramedics…This was your opportunity to really make a difference! And to the other guards…go to target practice.” The supervisor allegedly copied the postings as a screenshot, sent them on behalf of MONOC to various health organization boards, and Ehling was later terminated. Ehling sued MONOC for invasion of privacy by intrusion upon seclusion or private affairs. MONOC argued that Ehling did not have a reasonable expectation of privacy because the posting was disclosed to dozens, if not hundreds, of people.
The court refused to dismiss the privacy claim in light of two extremes established by courts. On one end of the spectrum, courts have held that there is no reasonable expectation of privacy for material posted to an unprotected website that anyone can view. On the other end, courts have found there to be a reasonable expectation of privacy for individual, password-protected online communications such as email messages. Although most courts hold that a communication is not necessarily public just because it is accessible to a number of people, courts differ dramatically in how far this theory extends. The court cited comparable cases that showed a reasonable expectation of privacy granted for facts revealed to sixty people, but rejected a privacy interest alleged in a separate case for facts disclosed to two people.
The open-ended nature of the case law proved Ehling’s claim to be a highly fact-sensitive inquiry. Due to the lack of a coherent, middle approach, it was held plausible for Ehling to have a reasonable expectation that her posts would remain private. The court placed emphasis on the active steps Ehling took to protect her posts and the lack of information regarding the number of friends she had at the time the post was made. Ehling failed to state a claim under the New Jersey Wiretap Act because she did not allege that her Facebook posting was in transmission when viewed by the supervisor, a statutory requirement. The Wiretap Act aims to prohibit intentional unauthorized access, but only protects electronic communications which are in the course of transmission, or backup to a transmission. Ehling’s posting was instead in post-transmission storage when accessed.
2. Intrusion upon Seclusion
Two main common law causes of action for invasion of privacy are “intrusion upon seclusion” and “public disclosure of private facts.” The Court of Appeals of Texas defines intrusion upon seclusion as an intentional intrusion upon one’s solitude, seclusion, or private affairs or concerns that would be highly offensive to a reasonable person. In Roberts v. Careflite, a 2012 case, Janis Roberts sued her employer, CareFlite, for invasion of privacy by intrusion upon seclusion after she was terminated for “unprofessional and insubordinate” Facebook activity. Janis Roberts worked as a paramedic and was friends on Facebook with coworkers Sumien and Schoenhardt. Roberts posted a comment on Schoenhardt’s page saying that she “wanted to slap” a patient who needed restraining.
Upon notice of the post, a CareFlite compliance officer sent Roberts a lengthy, constructive message through Facebook regarding the personal and professional harm such posts can cause due to the public nature of Facebook posts. The officer also encouraged Roberts to remove the post. Roberts removed the post after responding to the officer’s message in an aggressive, resistant tone. Roberts was terminated soon after the CareFlite CEO received an email from a non-employee about Roberts’ “slap” comment, along with a comment Sumien posted on Roberts’ page referencing a “boot to the head” of a patient. Roberts argued that CareFlite’s use of her Facebook messaging response was an invasion of privacy because the messages were only accessible to the person whom they were sent. She also argued that the National Labor Relations Board (“NLRB”) has held that an employee cannot be fired for “engaging in concerted workplace related discussions on Facebook” by posting about working conditions. The court affirmed summary judgment in favor of CareFlite, finding that Roberts did not direct the court to evidence that review of the messages or posts constituted an intrusion upon seclusion. The NLRB termination argument was held to be irrelevant to the question of whether Roberts produced sufficient evidence to support the elements of her invasion of privacy claim.
The intent element of the intrusion upon seclusion rule appears to create a heavier burden of proof for plaintiffs than other privacy rules. In addition to proving a reasonable expectation of privacy or seclusion, there must also be support for the generally subjective intent element. The additional termination of Roberts’ coworker, Sumien, led to a similar lawsuit. In Sumien v. Careflite, Robert Sumien presented evidence showing that he misunderstood Roberts’ Facebook settings and did not know how CareFlite was able to view his comment. The Court of Appeals of Texas held that the evidence of Sumien’s personal misunderstanding failed to show that CareFlite intentionally intruded upon his seclusion.
3. Public Facts Versus Private Facts
The key to a common law privacy claim is the existence of factual online information that triggers a privacy interest. Certain cases present courts with a clear line between public and private facts. In Moreno v. Hanford Sentinel, Inc., the California Court of Appeal in 2009 considered privacy interests in MySpace postings. Cynthia Moreno posted an article to her MySpace page which railed against her hometown. When the article was published in the hometown’s local newspaper along with Moreno’s first name, she claimed to be “severely harassed” and sued the newspaper for invasion of privacy by publication of private facts. The allegedly private facts included the article and her first name. The court rejected Moreno’s claim, finding that she opened the article to the public at large by voluntarily posting it to her MySpace page, a public social networking site. Thus, the republication of information readily ascertainable from a MySpace page was not an invasion of privacy because the facts were not actually private.
Active steps taken to secure information may provide support for a party seeking privilege or privacy protection. Many social media providers allow users to implement privacy settings as a way to control their accessibility and exposure. The Virginia Circuit Court of Richmond held in 2009 that public information “posted on a public medium, and available to anyone with access to the Internet” is not private information. In Womack v. Yeoman, a case involving a motor vehicle accident, defendant’s counsel researched the extent of the alleged injuries by conducting searches on MySpace, Facebook, and Google. The searches revealed photographs, postings and other information that Womack wished to be excluded as evidence. The court noted that there are ways to secure “non-public” data and information on social networking sites by adjustment of account settings. Because protective measures were not taken at the time of the defense counsel’s searches, the pages and their information were public. Womack’s counsel suffered sanctions for signing objections to exhibits without making a reasonable inquiry because, “Social media and Internet searches are becoming a normal step in an attorney’s matter of public information.”
If a party does not indicate whether protective privacy settings were in place at the time of the alleged privacy invasion, the court may use such an omission to show a lack of privacy interest. The District Court for the Northern District of California in Pryor v. City of Clearlake, denied a request to seal a section of a reply brief that concerned a peace officer’s Facebook posts and profile information. The section referred to Facebook material, but did not quote or describe specific postings. The court held that a generalized assertion that the information delved into the officer’s private life could not justify a seal without evidence of protective privacy settings, or applicable legal authority.
4. Public Disclosure of Private Facts
The public disclosure of private facts rule has been defined by the District Court of the Northern District of California. There must be a public disclosure of one or more private facts which would be offensive and objectionable to the reasonable person, and which is not of legitimate public concern. The court adopts the meaning of public disclosure provided in the California Jury Instructions, “Communicating it to the public at large, or to so many persons that the matter must be regarded as substantially certain to become one of public knowledge.” There is an important distinction made between public disclosure, and the access or storage of private facts. In Hernandez v. Path, Inc., a class action was brought by users of a Path application (“Path App”) downloaded to mobile devices. Path operates a social networking-enabled photo sharing and messaging service for mobile devices. The class alleged that Path uploaded and stored to its servers personally identifiable information, including users’ address books. Allegedly, the Path App also installed GPS tracking software onto users’ mobile devices that enabled Path to track user social media interactions. The court dismissed the public disclosure claim with leave to amend because the class only alleged that Path stored private information on its servers.
An invasion of privacy claim may also be alleged when petitioning for a Harassment Restraining Order (“HRO”). In Olson v. LaBrie, a 2012 case before the Court of Appeals of Minnesota, Aaron Olson petitioned for a HRO against his uncle, Randall LaBrie. Although the two were not Facebook friends, LaBrie posted family photos to Facebook featuring Olson and “tagged” him as identification. Olson alleged that the photos were accompanied by obscene comments. To constitute statutory harassment in Minnesota, words must have a “substantial adverse effect on the safety, security, or privacy of another.” Olson argued that the photos and comments violated his privacy as publication of private facts, and should therefore constitute harassment. However, the court held that mean, disrespectful comments coupled with innocuous family photos cannot substantially affect a person’s privacy.
Discovery disputes present an additional opportunity for assertion of privilege and privacy claims. Facebook login and password information may be compelled during discovery. In Largent v. Reed, a 2011 case before the Pennsylvania Court of Common Pleas, Jessica Reed filed a motion to compel Jennifer Largent’s Facebook login and password to dispute the severity of injures following a car accident. Reed claimed that after the accident, Largent posted photos of her enjoying life with family and posted a status update about going to the gym. Reed also claimed that the profile was public as of January 2011, although private at the time of the motion to compel. Largent asserted general privilege and privacy rights for protection against discovery.
The court held that no general privacy privilege at common law protects Facebook material from discovery because “By definition there can be little privacy on a social networking site. Only the uninitiated or foolish could believe that FB is an online lockbox of secrets.” The court added that making a Facebook page private does not shield it from discovery because, “even ‘private’ Facebook posts are shared with others.” Thus, the court ordered Largent to provide the defense counsel her Facebook login information for a twenty-one day window to look for necessary information. The court also ordered Largent not to delete any information and allowed to change her login information soon after expiration of the window.
5. Third Party Disclosure
Social media providers and users lack clarity regarding appropriate limits for sharing user information with third parties. Facebook’s invasive opt-out “Beacon” program of 2007 was the focus of Lane v. Facebook, a 2012 class action settlement case from the Ninth Circuit. Facebook described the purpose of the Beacon program as allowing its members to share information about what they do elsewhere on the Internet. Beacon operated by updating a member’s personal profile to reflect actions the member had taken on websites belonging to companies that contracted with Facebook to participate in the program. For example, if a member rented a movie through a participating website such as Blockbuster.com, Blockbuster would transmit the rental information to Facebook, and Facebook would broadcast that information to the member’s profile. Although initially designed to give members opportunities to prevent the broadcast of private information, Facebook never required members’ affirmative consent.
Many members complained that Beacon caused publication of otherwise private purchase information to personal profiles without their knowledge or approval. Facebook responded to complaints first by releasing a privacy opt out option, and ultimately eliminated the program altogether. Lead plaintiff, Sean Lane, alleged that he bought a ring from Overstock.com as a surprise for his wife, but Facebook ruined the surprise by spreading the news to approximately 700 friends. The dissenting judge argued, “Of the vast number of people whose purchases were broadcast, no doubt some suffered embarrassment…damages to employment, business, or personal relationships.” The dissent also noted that some people buy things on the Internet precisely because they want more privacy than they would have in a local store. Due to the highly invasive nature of the Beacon program, class members argued that the district court abused its discretion in approving the parties’ $9.5 million settlement agreement. However, the Ninth Circuit affirmed the parties’ settlement as “fair, adequate, and free from collusion.”
In Low v. LinkedIn Corp., a 2012 case from the Northern District of California, a class of LinkedIn users brought many claims including invasion of privacy under the California constitution and common law. The claim failed because there were no alleged facts to establish a “highly offensive disclosure of information” or a serious invasion of a privacy interest. The threshold requirement of lost money or property led to a false advertising claim dismissal, “Personal information does not constitute money or property.” Co-lead plaintiff, Masand, satisfied the loss threshold as holder of a paid LinkedIn subscription, but never alleged reliance on any specific representation or advertising. Under the breach of contract claim, the alleged humiliation and embarrassment damages were held to be implausible and not recoverable under California law. Similarly, the court dismissed the negligence claim finding that even assuming LinkedIn owed an affirmative duty not to disclose the information, an “appreciable, nonspeculative, present injury” was not alleged.
In sum, establishing a reasonable invasion of privacy claim relating to social media activity is no easy task. The voluntary nature of user participation and conduct encourages courts to assume the public nature of online posts. A middle approach is growing, but the extreme ends of the privacy spectrum provide the most helpful guidance. Active steps taken to secure information and specificity of allegations appear to be prerequisites for a successful invasion of privacy claim.