We have all gone to a website and, in accessing the website’s services, have agreed to terms and conditions that include a litany of policies, including privacy policies governing how the company maintaining the website will use our information obtained while accessing the website. One such specific website that most, if not all, of us have used is Facebook. While we may not pay very close attention to privacy policies such as data and cookie policies, those policies explain that Facebook uses cookies or browser fingerprinting to identify users and track what third-party websites users browse. Such privacy policies serve an important function for any company, including Facebook, to help protect against potential liability for use of a consumer’s information. Indeed, Facebook’s privacy policy just carried the day in getting a case dismissed against it in which the Plaintiffs alleged a litany of causes of action against Facebook, including violation of the Computer Fraud and Abuse Act, California Invasion of Privacy Act, Health Insurance Portability and Accountability Act, and other common law claims.

In Smith v. Facebook, Inc., Case no. 16-cv-1282, the Northern District of California dismissed the claims against Facebook, with prejudice, based upon Facebook’s user agreement. There, the Plaintiffs argued that Facebook violated numerous federal and state statutes, as well as common law, by tracking and collecting its users’ web browsing activity, including sensitive information from various healthcare websites. In dismissing the case, the Court found that Plaintiffs had consented to Facebook’s tracking and marketing activity when they agreed to Facebook’s “data policy” and “cookie policy” when opening a Facebook account. The Court further found that while the applicable policy provisions were broad, they were not vague and provided adequate notice of the tracking activity in which Facebook engaged. For example, a portion of Facebook’s “cookie policy” explained that “[t]hings like Cookies and similar technologies (such as information about your device or a pixel on a website) are used to understand and deliver ads, make them more relevant to you, and analyze products and services and the use of those products and services . . . we use cookies so we, or our affiliates and partners, can serve you ads that may be interesting to you on Facebook Services or other websites and mobile applications.” Simply put, Facebook’s privacy policy, which Plaintiffs had agreed to when they signed up for Facebook, was adequately clear to permit Facebook to track and collect Plaintiffs’ web browsing activity, including browsing of healthcare related information. In so finding, the Court rejected Plaintiff’s arguments that the policies were buried and overbroad.

Facebook’s recent victory is a good reminder of the importance of having a thorough and clear privacy policy. Any company that collects or uses consumers’ information should aim to have a transparent and broad privacy policy to help guard against liability.