Power.com Learns Too Late That Facebook Must OK Promotion First

(July 12, 2016) Even if you get permission from Facebook users to use their pages to send messages promoting your website, you still need Facebook’s permission. If Facebook doesn’t approve, you may be liable under the Computer Fraud and Abuse Act (CFAA)—at least after receiving a cease and desist notice.

That’s the lesson learned by the now defunct power.com, a DBA of Power Ventures, Inc. The social networking site that let its users see contacts from multiple social networking sites on a single page.

To promote the site, Power placed an icon on its site offering $100 to the first 100 people who brought 100 new users to the site. For those who entered, Power created an event, photo, or status on the user’s Facebook profile, which in turn generated a message to the user’s friends on Facebook that showed Facebook as the sender. When it learned of the activity, Facebook sent Power a cease and desist notice and blocked Power’s IP address. Power then switched to a different IP address.

Facebook sued under the CAN-SPAM Act and the CFAA. The trial court granted summary judgment for Facebook.

The Ninth Circuit reversed the judgment under CAN-SPAM because the headers on the emails were correct. They came from Facebook because they were generated by Facebook users, so the headers were not deceptive, as would be required to find a violation under CAN-SPAM.

As to violations of CFAA, the appellate court reversed any liability for access to the Facebook accounts before the cease and desist letter. “Here, initially, Power users arguably gave Power permission to use Facebook’s computers to disseminate messages,” the opinion explained. “But Facebook expressly rescinded that permission when Facebook issued its written cease and desist letter to Power.”

Because Power was accessing Facebook’s computers, the “consent that Power had received from Facebook users was not sufficient to grant continuing authorization to access Facebook’s computers after Facebook’s express revocation of permission,” the court wrote. “[F]or Power to continue its campaign using Facebook’s computers, it needed authorization both from the individual Facebook users (who controlled their data and personal pages) and from Facebook (which stored this data on its physical servers). Permission from the users alone was not sufficient to constitute authorization after Facebook issued the cease and desist letter.”

The appellate court reversed the award of $3 million in damages and remanded the case to the court to consider appropriate remedies.

Facebook, Inc. v. Power Ventures, Inc., DBA Power.com, Ninth Cir. No. 13-17154 issued July 12, 2016.