In continuing its efforts to enforce its terms and policies against developers that engage in unauthorized scraping of user data, this week Facebook brought suit against two marketing analytics firms, BrandTotal Ltd (“BrandTotal”) and Unimania, Inc. (“Unimania”) (collectively, the “Defendants”) (Facebook, Inc. v. BrandTotal Ltd., No. 20Civ04246 (Cal. Super. Ct., San Mateo Cty Filed Oct. 1, 2020)). Facebook alleges that the defendants developed and distributed malicious Chrome browser extensions that were essentially designed to scrape users’ data from various social media platforms (including Facebook and Instagram), all in contravention of Facebook and Instagram’s terms of service and commercial terms.

According to the Complaint, the defendants coaxed users to install their UpVoice and Ads Feed extensions by, among other things, offering gift cards in exchange for downloading and suggesting that users would become “panelists” impacting marketing strategies of large companies. Facebook further claims that defendant BrandTotal deceived visitors to its website into believing Facebook and other social media services were working with BrandTotal by identifying Facebook and the other companies as “participating sites,” when in fact Facebook never authorized the defendants to scrape user data.  In fact, Facebook alleges that once installed, the browser extensions harvested, without Facebook’s authorization, the users’ profile information, user advertisement interest information and various public and nonpublic ad metrics when the users visited Facebook, Instagram or various other social sites (all despite users’ account privacy settings).  As laid out in the Complaint, the defendants’ extensions were programmed to send commands to Facebook and Instagram servers appearing to originate from the user, not the defendants, and then scrape the data and transmit it back to the user, and then onto the defendants’ own servers. The data collected by defendants was then presumably used to provide “marketing intelligence” services about users and advertisers.

Facebook states that it undertook various technical measures against the defendants in September 2020, including disabling the defendants’ Facebook and Instagram accounts and pages, as well as asking Google to remove the extensions from the Chrome Store. And this week, Facebook filed suit against the defendants, advancing claims for breach of contract and unjust enrichment and requesting monetary damages and injunctive relief barring defendants from accessing and using Facebook’s services or developing browser extensions that access Facebook without authorization. It does not appear that the defendants have filed an answer to the state court action or otherwise responded to the suit by posting a statement on the BrandTotal website.

Beyond the issues discussed above, the instant dispute should also resonate with any entity that acquires anonymized social media analytics from third party vendors.  As we’ve previously stated – and regardless of the outcome of this dispute – it is important for downstream recipients of aggregated web or user data or reports processing such data to understand how such data is collected and whether such collection comports with applicable law or contractual requirements.