In continuing its push to enforce its terms and policies against developers that engage in unauthorized collection or scraping of user data, Facebook brought suit last month against mobile marketing and data analytics firm OneAudience LLC. (Facebook, Inc. v. OneAudience LLC, No. 20-01461 (N.D. Cal. Complaint filed Feb. 27, 2020)). Facebook alleges that OneAudience harvested Facebook users’ profile data and device data in contravention of Facebook’s terms and developer policies. OneAudience purportedly gathered this data by paying app developers to bundle OneAudience’s software development kit (SDK) into their apps and then harvesting data for those users that logged into those apps via Facebook credentials.

Facebook users, including developers and page administrators, are required to assent to Facebook’s terms and various platform policies when a Facebook account is created. According to Facebook’s Complaint, OneAudience created two public Facebook pages and a business account, and its employees/agents operated at least two apps on OneAudience’s behalf on the Facebook platform – actions, which Facebook asserts, bound OneAudience to its terms and platform policies for developers. Since 2019, Facebook has filed multiple suits against various app developers, software makers and social media analytics firms that Facebook has determined to have violated some or all of these terms. These cases generally assert that the defendants have engaged in off-limits scraping or collection of user data for marketing and other purposes (Facebook’s website details its approach in these actions, see “Taking Action against Platform Abuse”).

The instant dispute involves claims for breach of contract and violations of the Computer Fraud and Abuse Act (CFAA), and are particularly important as they may shed clarity on the availability of these claims in other types of scraping suits as well. In all, it appears Facebook is asserting what it has previously called “platform enforcement authority” or the right of an online service to combat unauthorized data scraping and misuse that violates its terms.

In its Complaint, Facebook alleged that around September 2019, OneAudience offered to pay app developers to bundle its SDK into their apps. The SDK allegedly allowed OneAudience to collect data about users’ devices and their Facebook (and some other social media) accounts in instances where the user logged into the particular app using their Facebook credentials (e.g., the “Sign in with Facebook” option). The data included user names, email addresses, country, time zone, Facebook ID, and, in limited instances, gender, all of which were allegedly used by OneAudience for targeted marketing services. OneAudience also allegedly collected device data such as call logs, cell tower and other geolocation data, contacts, browser information, email, and information about installed apps.

In bringing this suit, Facebook advanced breach of contract and Computer Fraud and Abuse Act (CFAA) claims (including claims under the California state law computer trespass law).

With regard to the CFAA “unauthorized access” claims, Facebook asserted that OneAudience directed software commands to Facebook’s network to obtain user data without authorization and “used the malicious SDK to infect the app users’ devices and obtain a digital key, without Facebook’s authorization, to make API calls to Facebook protected computers…” Concerning the breach of contract claims, Facebook pointed to several provisions from the Facebook terms of service and its developer platform policies, which, among other things, grant Facebook certain audits rights and generally place certain restrictions on automated data scraping and developers’ data use outside the app.

While OneAudience has not filed an Answer, it posted a statement on its website in November 2019, stating that its SDK may have inadvertently collected personal information, but that it had initially disabled such functionality and then shut down the SDK.

Beyond the instant litigation, the OneAudience dispute has an additional wrinkle for any company that acquires anonymized market data or social media analytics from third party vendors. In its Complaint, Facebook alleged that OneAudience falsely represented that it was partners with Facebook and had also stated that it was “committed to the transparency of [their] mobile driven audiences and relationships” and sourced “data responsibly.” In one of the Exhibits to the Complaint, Facebook also appended screenshots of OneAudience’s explanation of its data collection practices, which indicated that: “All of our data is permission based and fully-compliant, meaning it’s been confirmed by the user to access and collect his or her personal data.” As we’ve previously stated – and regardless of the outcome of this litigation – it is important for downstream recipients of anonymized web or user data or analytic reports crunching such data to understand how such data is collected and processed and whether such data collection is done according to applicable law or contractual requirements.