The 9th U.S. Circuit Court of Appeals in San Francisco on Thursday revived U.S. litigation accusing Facebook of violating users’ privacy rights by tracking their internet activity even after they logged out of the social media website.

The court said Facebook users could pursue several claims under federal and California privacy laws.

Facebook said the proposed class action was without merit, and the Menlo Park, California-based company will continue defending itself.

Facebook uses plug-ins to track users’ browsing histories when they visit third-party websites, and then complies these browsing histories into personal profiles which are sold to advertisers to generate revenue.

Plaintiffs filed an amended complaint on behalf of themselves and a putative class of people who had active Facebook accounts between May27,2010 and September 26, 2011. They alleged that Facebook executives were aware of the tracking of logged-out users and recognized that these practices posed various user-privacy issues.

U.S. District Judge Edward Davila in San Jose, California had dismissed the lawsuit in 2017, including claims under the federal Wiretap Act, and said the users lacked legal standing to pursue economic damages claims.

In Thursday’s decision, Chief Judge Sidney Thomas wrote:

"The panel affirmed the district court’s dismissal of the Stored Communications Act (“SCA”), breach of contract, and breach of implied covenant claims; reversed the dismissal of the remaining claims; and remanded for further consideration, in an action alleging privacy-related claims against Facebook, Inc.

As an initial matter, the panel held that plaintiffs had standing to bring their claims. Specifically, the panel held that plaintiffs adequately alleged an invasion of a legally protected interest that was concrete and particularized. As to the statutory claims, the panel held that the legislative history and statutory text demonstrated that Congress and the California legislature intended to protect these historical privacy rights when theypassed the WiretapAct, SCA, and the California Invasion of PrivacyAct (“CIPA”). In addition, plaintiffs adequately alleged that Facebook’s tracking and collection practices would cause harm or a material risk to the irinterest in controlling their personal information. Accordingly, plaintiffs sufficiently alleged a clear invasion of their right to privacy, and plaintiffs had standing to pursue their privacy claimsunder these statutes.

Facebook’s user profiles would allegedly reveal an individual’s likes, dislikes, interests, and habits over a significant amount of time, without affording users meaningful opportunity to control or prevent the unauthorized exploration of their private lives,"

Citing Facebook’s data use policy, Judge Thomas also said the plaintiffs “plausibly alleged that Facebook set an expectation that logged-out user data would not be collected, but then collected it anyway.”