• by Wendy Davis  @wendyndavis, June 3, 2010

Facebook has been hit with a second potential class-action lawsuit alleging that the company violated users' privacy by providing marketers with the names of users who clicked on ads.

This lawsuit, filed late last week on behalf of Marin County, Calif. resident Mike Robertson, alleges that Facebook "intentionally and knowingly transmitted personal user information to third party advertisers without member consent." Robertson's complaint, filed in federal district court in San Jose, joins a similar case also filed on Friday by South Lake Tahoe resident David Gould.

The allegations in both cases were sparked by the report, "On the Leakage of Personally Identifiable Information Via Online Social Networks," published last August by two computer scientists from AT&T and Worcester Polytechnic Institute. That paper concluded that many social networking sites "leak" personally identifiable information by including it in the HTTP header information that is automatically sent to ad networks.

At the time, a Facebook spokesperson said that referring URLs only provided information about the profile page a user had been on when he or she clicked on the ad, but did not reveal whether that user was the person featured in the profile or a friend of the member. But Harvard professor Ben Edelman said last month that Facebook automatically embeds a profile tag in referring URLs when users view their own profile pages. Late last month, Facebook said it revised its code and no longer sends marketers information that could be used to identify which member clicked on an ad.

Like Gould, Robertson alleges that Facebook violates its contract with users by allegedly disclosing information about users to marketers when its privacy policy says it doesn't do so.

Robertson also alleges that the alleged leakage violates federal wiretap laws.

Facebook spokesperson Andrew Noyes says: "We believe this complaint is without merit and we will fight it vigorously."

While Facebook continues to confront some high-profile criticism over its privacy practices, the most recent lawsuits might not get very far in court.

One big hurdle for users who allege that Facebook violated its privacy policy is that they also must show they were harmed by the alleged data breach to prevail in a lawsuit. "This complaint shows how tough it is for plaintiffs to frame a viable privacy lawsuit," Santa Clara University professor Eric Goldman tells Online Media Daily in an email. "The complaint (like so many others) does not allege any tangible injury to the plaintiffs."

Seattle cyberlaw attorney Venkat Balasubramani adds that federal wiretap laws, which date back to 1986, don't necessarily fit this situation because those laws tend to address disclosure of "stored communications." He adds that courts might not view referrer URLs as the same type of stored communications as, say, email messages.

"The statutes are old," he says. "They don't track nicely to these new technologies."