- 1 2 3 4 UNITED STATES DISTRICT COURT 5 NORTHERN DISTRICT OF CALIFORNIA 6 7 JOHN DOE, et al., Case No. 22-cv-03580-WHO 8 Plaintiffs, ORDER ON MOTION TO DISMISS v. 9 10 META PLATFORMS, INC., et al., Defendants. 11 12 Plaintiffs challenge defendant Meta Platform, Inc.’s alleged use of proprietary computer 13 code to obtain certain healthcare-related information of Facebook users: according to plaintiffs, 14 the Meta Pixel allows Meta to intercept personally identifiable medical information and the 15 content of patient communications from Facebook users, which Meta then monetizes for its own 16 financial gain. Plaintiffs have brought several federal and state law claims, some of which they 17 have plausibly alleged and others which need more specificity. As explained below, Meta’s 18 motion is GRANTED in part and DENIED in part. 19 BACKGROUND 20 Plaintiffs are five Facebook users who are proceeding anonymously due to the sensitive 21 nature of this litigation. Consolidated Class Action Complaint (“CCAC,” Dkt. 185) ¶¶ 24-28. 22 They allege that Meta improperly acquires their confidential health information in violation of 23 state and federal law and in contravention of Meta’s own policies regarding use and collection of 24 Facebook users’ data. Id. ¶¶ 1–2, 5, 7. 25 Each of plaintiffs’ healthcare providers—MedStar Health System, Rush University System 26 for Health, WakeMed Health & Hospitals, Ohio State University Wexner Medical Center, and 27 North Kansas City Hospital—allegedly installed the Meta Pixel on its patient portals. See id. ¶¶ 1 website, the Pixel transmitted information to Meta. Id. ¶¶ 6, 8-13, 22. They contend that this 2 information, contemporaneously redirected to Meta, revealed their status as patients and was 3 monetized by Meta for use in targeted advertising. Id. ¶¶ 9, 13. 4 Plaintiffs initially moved for a preliminary injunction. Dkt. No. 46. I denied that motion, 5 finding that while plaintiffs presented sufficient evidence of a “weighty injury,” the scope of their 6 injury and technical feasibility of plaintiffs’ proposed solutions were not clear and the balance of 7 equities and public interest factors did not support injunctive relief based on the record at that 8 juncture. Dkt. No. 159 (“PI Order”). 9 In February 2023, Interim Class Counsel filed their Consolidated Class Action Complaint. 10 Dkt. No. 185. In the CCAC, plaintiffs expand the scope of their suit and bring 13 claims: (1) 11 breach of contract; (2) breach of the duty of good faith and fair dealing; (3) violation of the 12 Electronic Communications Privacy Act (“ECPA” or “Wiretap Act”); (4) violation of the 13 California Invasion of Privacy Act (“CIPA”); (5) intrusion upon seclusion; (6) California 14 constitutional invasion of privacy; (7) negligence per se; (8) trespass to chattels; (9) violation of 15 California’s Unfair Competition Law (“UCL”); (10) violation of California’s Consumer Legal 16 Remedies Act (“CAFA”); (11) larceny; (12) violation of California’s Comprehensive Computer 17 Data Access and Fraud Act (“CDAFA”); and (13) unjust enrichment. 18 Defendant has moved to dismiss each of the claims asserted in the CCAC.1 19 LEGAL STANDARD 20 Under FRCP 12(b)(6), a district court must dismiss a complaint if it fails to state a claim 21 upon which relief can be granted. To survive a Rule 12(b)(6) motion to dismiss, the plaintiff must 22 allege “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. 23 Twombly, 550 U.S. 544, 570 (2007). A claim is facially plausible when the plaintiff pleads facts 24 that “allow the court to draw the reasonable inference that the defendant is liable for the 25 misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citation omitted). There must 26 be “more than a sheer possibility that a defendant has acted unlawfully.” Id. While courts do not 27 1 require “heightened fact pleading of specifics,” a plaintiff must allege facts sufficient to “raise a 2 right to relief above the speculative level.” Twombly, 550 U.S. at 555, 570. 3 In deciding whether the plaintiff has stated a claim upon which relief can be granted, the 4 Court accepts the plaintiff’s allegations as true and draws all reasonable inferences in favor of the 5 plaintiff. See Usher v. City of Los Angeles, 828 F.2d 556, 561 (9th Cir. 1987). However, 6 the court is not required to accept as true “allegations that are merely conclusory, unwarranted 7 deductions of fact, or unreasonable inferences.” In re Gilead Scis. Sec. Litig., 536 F.3d 1049, 8 1055 (9th Cir. 2008). If the court dismisses the complaint, it “should grant leave to amend even if 9 no request to amend the pleading was made, unless it determines that the pleading could not 10 possibly be cured by the allegation of other facts.” Lopez v. Smith, 203 F.3d 1122, 1127 (9th Cir. 11 2000). In making this determination, the court should consider factors such as “the presence or 12 absence of undue delay, bad faith, dilatory motive, repeated failure to cure deficiencies by 13 previous amendments, undue prejudice to the opposing party and futility of the proposed 14 amendment.” Moore v. Kayport Package Express, 885 F.2d 531, 538 (9th Cir. 1989). 15 DISCUSSION 16 I. ELECTRONIC COMMUNICATIONS PRIVACY ACT – CLAIM 3 17 “The Wiretap Act prohibits the unauthorized ‘interception’ of an ‘electronic 18 communication.’” In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 606–07 (9th Cir. 19 2020), cert. denied sub nom. Facebook, Inc. v. Davis, 141 S. Ct. 1684 (2021) (quoting 18 U.S.C. § 20 2511(1)(a)–(e)). To state this claim, plaintiffs must plausibly allege that Meta (1) intentionally (2) 21 intercepted (3) the contents of (4) plaintiffs’ electronic communications (5) using a device. See In 22 re Pharmatrak, Inc., 329 F.3d 9, 18 (1st Cir. 2003) (listing ECPA elements). 23 A. Intent 24 Addressing the intent and intercept elements of the ECPA claim in the PI Order, I wrote: 25 “Intercept” is defined under the Wiretap Act as “the aural or other acquisition of the contents of any wire, electronic, or oral 26 communication through the use of any electronic, mechanical, or other device.” 18 U.S.C. § 2510(4). Although the statute does not 27 define “acquisition,” the Ninth Circuit has construed the term n.7 (9th Cir. 1998). “Such acquisition occurs when the contents of a 1 wire communication are captured or redirected in any way.” Noel v. Hall, 568 F.3d 743, 749 (9th Cir. 2009) (internal citation and 2 quotation marks omitted). 3 According to plaintiffs, the Pixel is “designed for the very purpose of intercepting communications on third-party websites by 4 surreptitiously and contemporaneously redirecting these communications to Meta.” Mot. at 11 (citing Smith Decl. ¶¶ 7–14). 5 Plaintiffs have put forward evidence that Meta receives information through the Pixel. See, e.g., Smith Decl. ¶¶ 4–5, 32–33. Meta does 6 not dispute that the intentional or interception elements are met. See Opp. at 20–21. Plaintiffs appear likely to succeed on these two 7 elements of their claim. 8 PI Order at 18. 9 Meta points out that it did not dispute the intent element at the preliminary injunction 10 stage. It disputes it now, arguing that plaintiffs have failed to plausibly allege that Meta 11 intentionally – meaning “purposefully and deliberately and not as a result of accident or mistake,” 12 United States v. Christensen, 828 F.3d 763, 790 (9th Cir. 2015) – intended to intercept their 13 sensitive health information. It asserts that plaintiffs cannot meet this burden because the CCAC 14 acknowledges that third-party web developers, not Meta, choose whether to install Pixel and also 15 set parameters on what information to send to Meta. It also argues that intent cannot be alleged 16 because, as plaintiffs acknowledge, Meta seeks to avoid receiving sensitive information by 17 contractually forbidding developers from sending it and filtering out any potentially sensitive data 18 it detects on the back end. Mot at 5-6 (citing CCAC ¶¶ 39, 44-46 (Pixel is customizable per 19 instructions provided by Meta), 118, 125, 148-149 (Meta has systems in place to filter sensitive 20 information and, has publicly stated it does not want sensitive health information)). 21 While plaintiffs acknowledge that Meta may tell third parties and Facebook users that it 22 intends to prevent receipt of sensitive health information, plaintiffs contend that is not what Meta 23 really intends. See, e.g., CCAC ¶¶ 122-123, 144-146, 150, 161 (plaintiffs allege Meta’s tools and 24 filters are not effective, not fully implemented, and call into question Meta’s true intent). What 25 Meta’s true intent is, what steps it actually took to prevent receipt of health information, the 26 efficacy of its filtering tools, and the technological feasibility of implementing other measures to 27 prevent the transfer of health information, all turn on disputed questions of fact that need 1 (N.D. Cal. 2021) (“At the pleading stage, however, interception may be considered intentional 2 ‘where a defendant is aware of the defect causing the interception but takes no remedial action.’”) 3 (quoting In re Google Assistant Priv. Litig., 457 F. Supp. 3d 797, 815 (N.D. Cal. 2020)). At this 4 stage, intent has been adequately alleged. 5 B. Content 6 Meta also argues that plaintiffs have not and cannot plausibly plead interception of covered 7 “content.” The statute broadly defines “content” to include “any information concerning the 8 substance, purport, or meaning of [a] communication.” 18 U.S.C. § 2510(8). “Contents” refers to 9 the “intended message conveyed by the communication”—it does not include record information 10 regarding the characteristics of the message that is generated in the course of the communication. 11 See In re Zynga Priv. Litig., 750 F.3d 1098, 1106 (9th Cir. 2014). For instance, contact 12 information provided as part of a sign-up process constitutes “content” because this information is 13 the subject of the communication. Id. at 1107 (“Because the users had communicated with the 14 website by entering their personal medical information into a form provided by the website, the 15 First Circuit correctly concluded that the defendant was disclosing the contents of a 16 communication.”). And while a URL that includes “basic identification and address information” 17 is not “content,” a URL disclosing a “search term or similar communication made by the user” 18 “could constitute a communication” under the statute. Id. at 1108–09. 19 In the PI Order, I found that plaintiffs had made a strong showing on this element: 20 In my view, the log-in buttons and the kinds of descriptive URLs identified in the Smith Decl. are “contents” within the meaning of the 21 statute. Unlike in Zynga, the URLs at issue here would not merely reveal the name of a Facebook user or group—as Smith explained, 22 the transmitted URLs include both the “path” and the “query string.” Smith Decl. ¶¶ 50–51; see also id. ¶ 189 (showing 23 hardfordhospital.org/services/digestive-health/conditions-we- treat/colorectal-small-bowel-disorders/ulcerative-colitis URL). 24 These items are content because they concern the substance of a communication. See Zynga, 750 F.3d at 1107; In re Google Inc. 25 Cookie Placement Consumer Priv. Litig., 806 F.3d 125, 137 (3d Cir. 2015) (“If an address, phone number, or URL is . . . part of the 26 substantive information conveyed to the recipient, then by definition it is ‘content.’”); see also In re Google RTB Consumer Priv. Litig., 27 No. 21-cv-2155-YGR, 2022 WL 2165489, at *10 (N.D. Cal. June 13, navigation to the current page constituted “content”). 1 PI Order at 19. Meta acknowledges this prior conclusion, but argues that unspecified “remaining 2 items” that are transferred “mostly” do not qualify as content and claims based on “those 3 communications” should be dismissed. Mot. at 9-10; Reply at 4. 4 At this juncture, plaintiffs have adequately alleged covered content is transferred. The 5 boundaries of what transferred information is content under the Act is better determined on a full 6 evidentiary record. 7 C. Consent 8 Finally, Meta argues that the ECPA’s one-party consent exemption (exempting liability for 9 intercepted information resulting from one party’s consent) bars the claim as a matter of law. 10 Meta points out, again, that it is the third-party web developers who make their Pixel-enhanced 11 websites available to plaintiffs and their other healthcare customers, and by doing so those 12 healthcare entities have necessarily consented to the transmission of data to Meta. 13 In the PI Order, I explained: 14 [T]he Wiretap Act exempts liability in certain circumstances. The 15 statute provides that: 16 It shall not be unlawful under this chapter for a person not acting under color of law to intercept a wire, oral, 17 or electronic communication where such person is a party to the communication or where one of the parties to the 18 communication has given prior consent to such interception unless such communication is intercepted for the purpose of 19 committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State. 20 18 U.S.C. § 2511(2)(d). In other words, the Wiretap Act allows 21 interception where the interception is made by a “party” to the communication or where a “party” has consented to the interception. 22 Id. This exception does not apply, however, where the interceptor acts “for the purpose of” committing any crime or tort in violation of 23 state or federal law. Id. 24 PI Order at 20.2 25 2 In the PI Order, I “put aside” the issue of consent and considered whether the “crime or tort” 26 “exception to the exception” applied. I concluded there was a “not-insignificant chance, then, that plaintiffs may be able to show that the crime-tort exception applies,” but “in light of the authority 27 in this district finding that liability does not lie where a defendant’s primary motivator was to 1 On this motion to dismiss, the issue of consent is front and center and the burden of proof 2 to show this exemption applies is on Meta. See In re Google RTB Consumer Priv. Litig., 606 F. 3 Supp. 3d 935, 949 (N.D. Cal. 2022). In support of dismissal, Meta relies on Katz-Lacabe v. 4 Oracle Am., Inc., No. 22-CV-04792-RS, 2023 WL 2838118, at *10 (N.D. Cal. Apr. 6, 2023). 5 There, plaintiffs challenged Oracle’s collection of “personal information from internet users” by 6 “synchroniz[ing] that data to create individual profiles, and ultimately sell[ing] that data— 7 bolstered by data made available by its partners—on its Data Marketplace.” The court dismissed 8 the ECPA claim because, “[a]s Defendant's customers must have chosen to deploy Oracle’s tools 9 on their websites, it necessarily follows that ‘one of the parties to the communication’—the 10 websites themselves—gave ‘prior consent to such interception.’” Id. at *210 (relying on 11 Rodriguez v. Google LLC, No. 20-cv-04688-RS, 2021 WL 2026726, at *6 (N.D. Cal. May 21, 12 2021). 13 Plaintiffs counter with Brown v. Google LLC, No. 4:20-CV-3664-YGR, 2023 WL 14 5029899, at *9 (N.D. Cal. Aug. 7, 2023). There, the court rejected summary judgment on the 15 consent issue under the ECPA claim, despite the defendant having “generally disclosed” its data 16 tracking practices, because it also “promote[d] the privacy afforded by Incognito” as a browsing 17 mode. Id. In that situation, Google “itself created a situation where there is a dispute as to whether 18 users’ consent of Google’s data collection generally is ‘substantially the same’ as their consent to 19 the collection of their private browsing data in particular.” Id. 20 The facts alleged here – that while Meta disclosed its purported attempts to prevent third- 21 party developers who incorporated the Pixel from sending sensitive data to Meta, Meta in fact 22 intended to receive and did receive that sensitive data – bring this case closer to Brown. Id., 2023 23 WL 5029899 *7 (“For consent to be actual, the disclosures must ‘explicitly notify’ users of the 24 practice at issue.”). Meta has not pointed to anything I can judicially notice on this motion to 25 dismiss to show as a matter of law that the healthcare providers did not just presumably but 26 27 differently in a motion to dismiss context,” and recognized that the “parties will have the 1 actually consented to the sending of sensitive healthcare information of its customers. 2 Determination of whether actual consent was given depends on what Meta disclosed to healthcare 3 providers, how it described and trained healthcare providers on the Pixel, and how the healthcare 4 providers understood the Pixel worked and the information that then could or would be collected 5 by Meta. These evidence-bound determinations are inappropriate to reach on this motion. 6 Meta’s motion to dismiss the ECPA claim is DENIED. 7 II. CALIFORNIA INVASION OF PRIVACY ACT – CLAIM 4 8 In the PI Order, I concluded that plaintiffs had adequately alleged and supported their 9 CIPA claim under both sections 631(a) and 632, based on Meta’s challenges to “content” under 10 631(a) and “confidential communications” under 632. PI Order at 23-24. Meta now moves to 11 dismiss the California state law analog to the ECPA, raising arguments not addressed in my PI 12 Order. 13 A. Extraterritoriality 14 Meta initially argues that CIPA does not apply “extraterritorially,” because CIPA’s intent 15 is “to protect the right of privacy of the people of this state.” Cal. Penal Code § 630. As none of 16 the named plaintiffs are California residents, Meta contends the CIPA claim must be dismissed. 17 I disagree for three reasons. First, this contention is arguably premature. Kellman v. 18 Spokeo, Inc., 599 F. Supp. 3d 877, 894 (N.D. Cal. 2022), motion to certify appeal denied, No. 19 3:21-CV-08976-WHO, 2022 WL 2965399 (N.D. Cal. July 8, 2022) (deferring choice of law 20 analyses until class certification, after discovery shed light on whether defendants’ acts had a 21 substantial nexus to California). 22 Second, plaintiffs have plausibly alleged that the conduct at issue, in terms of the design 23 and marketing of the Pixel technology and development and implementation of its Terms of 24 Service, occurred in California;. See, e.g., Schmitt v. SN Servicing Corp., No. 21-CV-03355- 25 WHO, 2021 WL 3493754, at *3 (N.D. Cal. Aug. 9, 2021) (data breach allegations regarding 26 defendant who operated out of California “sufficient to allow out-of-state plaintiffs to seek 27 recovery under California law”); Valentine v. NebuAd, Inc., 804 F. Supp. 2d 1022, 1028 (N.D. 1 is not inconsistent with also allowing non-Californians to pursue claims against California 2 residents.”); see also Oman v. Delta Air Lines, Inc., 889 F.3d 1075, 1079 (9th Cir. 2018), certified 3 question accepted sub nom. Oman v. Delta Air Lines, No. S248726, 2018 WL 10809386 (Cal. July 4 11, 2018), and certified question answered, 9 Cal. 5th 762 (2020) (“If the conduct that ‘creates 5 liability’ occurs in California, California law properly governs that conduct.”). 6 Third, Facebook’s Terms of Service specify that California law applies to disputes between 7 Facebook and its users. CCAC ¶ 292. That alone may not be dispositive, but it supports allowing 8 these non-resident plaintiffs to assert a claim against a California resident under CIPA. See 9 Maldonado v. Apple, Inc, No. 3:16-CV-04067-WHO, 2021 WL 1947512, at *6 (N.D. Cal. May 10 14, 2021) (“California Supreme Court held that choice-of-law clauses in contracts are generally 11 enforceable and laid out a multipart test to determine whether to follow the contracted-for 12 jurisdiction’s law or disregard it.”). 13 I am not determining or foreclosing any choice-of-law issues. Choice-of-law has not been 14 squarely raised. I am denying the motion to dismiss the CIPA claim based on Meta’s 15 exterritoriality argument. 16 B. Intent 17 Meta also argues plaintiffs fail to allege plausible facts to support the intent element of 18 CIPA, which requires a showing of Meta’s “affirmative desire” to intercept communications. 19 Intent under CIPA is determined consistently with intent under ECPA, and for the same reasons as 20 discussed above, intent has been adequately alleged. Whether Meta’s affirmative disclosures and 21 back-end filtering process sufficiently negate intent depends on Meta’s knowledge as well as its 22 implementation and the efficacy of its alleged contractual efforts and back-end filtering. Those 23 will be tested on an evidentiary record. Similarly, Meta’s point that Pixel captures some data that 24 healthcare entities may permissibly share with Meta might provide a defense to some portion of 25 plaintiffs’ CIPA claim, but it does not negate the plausible allegations that sensitive healthcare 26 information is intentionally captured and transmitted to Meta. 27 C. Sent or Received 1 sent from, or received at any place within this state,” Cal. Penal Code § 631(a), and argues 2 plaintiffs have not plausibly alleged that plaintiffs’ information was being sent to or received from 3 a place in this state. Plaintiffs plead that Meta is headquartered in California and Meta “designed 4 and effectuated its scheme to track the patient communications at issue here from California.” 5 CCAC ¶ 369 (emphasis added). That is sufficient at this stage. 6 D. Device 7 The last CIPA challenge is whether the Pixel is a “device” under Section 632(a) because it 8 is a piece of software. Meta points out that two judges in this District, when considering 9 “electronic tracking devices” under Penal Code section 637.7(d), have rejected the argument that 10 tracking software are “devices.” See In re Google Location Hist. Litig., 428 F. Supp. 3d 185, 193 11 (N.D. Cal. 2019) (Davila, E.) (Google maps software and related “services are not a ‘device’ 12 within the meaning of Section 637.7(d).”); In Moreno v. San Francisco Bay Area Rapid Transit 13 Dist., 2017 WL 6387764, at *5 (N.D. Cal. Dec. 14, 2017) (Corley, J.) (an “electronic tracking 14 device” does not include “software installed in mobile devices”). 15 Plaintiffs respond that the section 637.7 cases so not apply to this section 632(a) case. 16 They instead discuss decisions construing and interpreting CIPA consistently with the ECPA 17 which hold that servers or software qualify as “devices” under the ECPA. Oppo. at 10 n.2.3 Most 18 on point is In re Carrier IQ, Inc., 78 F. Supp. 3d 1051, 1084 (N.D. Cal. 2015). There, plaintiffs 19 alleged that a software application, once installed on users’ phones, “surreptitiously intercepted 20 personal data and communications and transmitted this data to Carrier IQ and its customers.” Id. 21 The Honorable Edward M. Chen held that “plaintiffs have sufficiently alleged that the Carrier IQ 22 Software is a ‘device’ for purposes of the Wiretap Act.” Id. at 1084. The section 637.7 cases are 23 24 3 A few of the cases plaintiffs rely on are not truly in support. For example, in United States v. Szymuszkiewicz, 622 F.3d 701, 707 (7th Cir. 2010), as amended (Nov. 29, 2010), the court held 25 that the defendant “acquired the emails by using at least three devices: Infusino’s computer (where the rule was set up), the Kansas City server (where the rule caused each message to be duplicated 26 and sent his way), and his own computer (where the messages were received, read, and sometimes stored).” In Lopez v. Apple, Inc., 519 F. Supp. 3d 672, 690 (N.D. Cal. 2021), the court simply 27 found that “Apple used the devices [iPhone] by programming Siri software to intercept 1 distinguishable, and absent contrary authority under section 632(a), I agree that the Pixel software 2 is a device under section 632(a). 3 Meta’s motion to dismiss the CIPA claim is DENIED. 4 III. CONSTITUTIONAL PRIVACY (CLAIM 6) AND INTRUSION ON SECLUSION (CLAIM 5) 5 Addressing the invasion of privacy and intrusion on seclusion claim in the PI Order, I 6 explained that plaintiffs had shown enough to demonstrate a reasonable expectation of privacy in 7 their medical communications (despite Meta’s policies generally disclosing its collection of data 8 from users and its disclosures that it would require partners to obtain lawful rights to share 9 protected user data) and that Meta’s conduct was highly offensive. PI Order at 24-27. Meta 10 argues here that the California’s constitutional privacy protections do not apply extraterritorially 11 and plaintiffs have failed to adequately allege their sensitive information was received by Meta. 12 As with CIPA, plaintiffs have plausibly alleged that the conduct causing them harm 13 occurred in and emanated from California. That is sufficient at this juncture. 14 Concerning the protected interest, Meta argues that plaintiffs have failed to plausibly allege 15 a violation of their constitutionally protected privacy interests because the named plaintiffs fail to 16 identify with specificity what, if any, private or particularly sensitive information about them Meta 17 allegedly received. Meta is correct that these named plaintiffs do not identify in the CCAC what 18 specific, personal or private information they conveyed to their healthcare providers that they 19 reasonably believe Meta received. 20 In opposition, plaintiffs do not dispute this or identify any particular categories of 21 information that they shared with their healthcare providers that they reasonably believe was 22 captured by Meta. Instead, they rely on In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 23 589 (9th Cir. 2020) to argue they do not need to disclose the specific information they contend 24 Meta received. But in that case, there was no dispute that Facebook collected “a full-string 25 detailed URL, which contains the name of a website, folder and sub-folders on the web-server, and 26 the name of the precise file requested,” when it operated. Id. at 605. Here, as Meta repeatedly 27 points out and plaintiffs admit, there is information collected by the Pixel software that does not 1 constitute sensitive, personal information. 2 Given the nature of this case – where plaintiffs allege that both unprotected and 3 constitutionally protected information was captured by Meta’s Pixel – plaintiffs are required to 4 amend to describe the types or categories of sensitive health information that they provided 5 through their devices to their healthcare providers. That basic amendment (which can be general 6 enough to protect plaintiffs’ specific privacy interests) will allow these privacy claims to go 7 forward.4 8 Plaintiffs’ invasion of privacy claims are DISMISSED with leave to amend. 9 IV. CALIFORNIA’S COMPREHENSIVE COMPUTER DATA ACCESS AND FRAUD ACT – CLAIM 12 10 CDAFA provides that only an individual who has “suffer[ed] damage or loss by reason of 11 a violation” of the statute may bring a civil action “for compensatory damages and injunctive 12 relief or other equitable relief.” Cal. Penal Code § 502(e)(1). CDAFA permits recovery of 13 “[c]ompensatory damages [that] include any expenditure reasonably and necessarily incurred by 14 the owner or lessee to verify that a computer system, computer network, computer program, or 15 data was or was not altered, damaged, or deleted by the access.” Id. 16 A. Loss or Damage 17 Meta initially seeks dismissal of plaintiffs’ CDAFA claim because plaintiffs have not 18 alleged and cannot allege “damage or loss” in an action like this that is based on privacy violations 19 as opposed to an intrusion that impacts the performance or operation of computer devices. Meta 20 relies on a recent decision from Chief Magistrate Judge Donna M. Ryu, Cottle v. Plaid Inc., 536 F. 21 Supp. 3d 461 (N.D. Cal. 2021), where Judge Ryu rejected a theory of loss or damage under 22 CDAFA based on the “loss of the right to control their own data, the loss of the value of their data, 23 24 4 Related to the “legally protected interest” argument, Meta also contends that the privacy claims fail because plaintiffs have not alleged a “sufficiently serious” invasion of their privacy rights. 25 Once plaintiffs amend to identify the types of protected information they shared with their healthcare providers and was likely captured by Meta, they will have plausibly alleged a 26 sufficiently serious impact on their privacy rights. See PI Order at 26-27. Meta’s remaining arguments, that its filtering efforts and purported use of any received healthcare information are 27 highly relevant to whether its conduct is “highly offensive,” have merit. Mot. at 14-15. But the 1 and the loss of the right to protection of the data,” as that type of loss was not covered by the 2 statute. Id. at 488 (citing Nowak v. Xapo, Inc., No. 5:20-cv-03643-BLF, 2020 WL 6822888, at *4- 3 5 (N.D. Cal. Nov. 20, 2020) (dismissing CDAFA claim based on loss of value of stolen 4 cryptocurrency in part because the nature of the loss was not cognizable under CDAFA)). 5 Plaintiffs respond that they adequately allege actionable “loss or damage” under CDAFA 6 by alleging: (1) the Pixel “has precluded” them from being able to communicate with their 7 healthcare providers through their computers or otherwise and (2) their protected information is 8 diminished in value. Plaintiffs cite a number of cases from this District that they claim support 9 these types of damages under CDAFA. However, each of the cases plaintiffs rely on dealt with 10 different sections of CDAFA or allegations of impaired device performance. Oppo. at 13.5 11 Plaintiffs provide no support for their argument that an “inability” to use their computer 12 devices to communicate with their healthcare providers in the future is a cognizable form of loss 13 or damage actionable under the CDAFA. Their diminished value of information claim is 14 foreclosed by the reasoning in Cottle. 15 Plaintiffs indicated at the hearing that they might be able to plead a different theory of 16 impairment of their computing devices. They may do so. The CDAFA claim is DISMISSED, 17 with leave to amend. 18 B. Other CDAFA Elements 19 Meta also attacks the substance of the CDAFA claim. The CCAC relies on various 20 substantive sections of CDAFA: sections 502(c)(1), (c)(2), (c)(3), (c)(6), (c)(7), and (c)(8). In 21 opposition plaintiffs address only (1) and (8).6 In their further amended CCAC, plaintiffs shall 22 5 See In re Apple Inc. Device Performance Litig., 347 F. Supp. 3d 434, 454 (N.D. Cal. 2018), on 23 reconsideration in part, 386 F. Supp. 3d 1155 (N.D. Cal. 2019) (addressing (c)(4) and (c)(5) and allegations of device impairment); Ubisoft, Inc. v. Kruk, No. CV 20-478-DMG (ASX), 2021 WL 24 3472833, at *4 (C.D. Cal. July 9, 2021) ((c)(5) claim alleging DDoS attacks); In re Carrier IQ, Inc., 78 F. Supp. 3d 1051, 1067 (N.D. Cal. 2015) (alleging impact on battery life and 25 performance); see also In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 599 (9th Cir. 2020) (finding Article III standing to allege CDAFA claim, but not addressing standing under the 26 “loss or damage” requirement of the statute). 27 6 These provisions hold persons liable for “(1) Knowingly accesses and without permission alters, 1 limit the CDAFA claim to these two subsections only. 2 Meta argues that plaintiffs have not alleged a claim under (1) because intent has not been 3 sufficiently alleged. Consistent with the ECPA and CIPA discussions above, however, plaintiffs 4 have adequately alleged intent. Meta next contends that plaintiffs cannot plausibly allege a claim 5 under (8), as it was the healthcare entities’ web developers who introduced Pixel onto their own 6 websites, not Meta. Plaintiffs’ allegations regarding how Meta induced or encouraged those 7 entities to adopt and install the Pixel suffice at this juncture. 8 Meta also asserts that even if it could be vicariously liable, plaintiffs have not alleged and 9 cannot plausibly allege that the Pixel is a prohibited “contaminant.”7 In In re iPhone Application 10 Litig., No. 11-MD-02250-LHK, 2011 WL 4403963 (N.D. Cal. Sept. 20, 2011) the court explained: 11 Section 502(c)(1[2]) defines “computer contaminant” as “any set of computer instructions that are designed to modify, damage, destroy, 12 record, or transmit information within a computer, computer system, or computer network without the intent or permission of the owner of 13 the information. They include, but are not limited to, a group of computer instructions commonly called viruses or worms. . . to 14 contaminate other computer programs or computer data, consume computer resources, modify, destroy, record, or transmit data, or in 15 some other fashion usurp the normal operation of the computer, computer system, or computer network.” See Cal.Penal Code § 502(b) 16 (10) (emphasis added). Thus, the very definition of a “computer contaminant” limits liability to conduct that occurs “without the intent 17 or permission of the owner of the information.” Moreover, the section on “computer contaminants” appears to be aimed at “viruses or 18 worms,” and other malware that usurps the normal operation of the computer or computer system. Although Plaintiffs[] are given leave 19 to amend to clarify their allegations in an amended complaint, it is not clear to the Court how Section 502(c)(8) applies to the case at hand.” 20 Id. at *13. 21 22 extort, or (B) wrongfully control or obtain money, property, or data” and (8) “Knowingly 23 introduces any computer contaminant into any computer, computer system, or computer network.” Cal. Penal Code § 502(c). 24 7 Cal. Penal Code § 502(12) “‘Computer contaminant’ means any set of computer instructions 25 that are designed to modify, damage, destroy, record, or transmit information within a computer, computer system, or computer network without the intent or permission of the owner of the 26 information. They include, but are not limited to, a group of computer instructions commonly called viruses or worms, that are self-replicating or self-propagating and are designed to 27 contaminate other computer programs or computer data, consume computer resources, modify, 1 Whether plaintiffs can, on amendment, plausibly allege facts establishing recognized “loss 2 or damage” sufficient to state a claim under CDAFA will also inform whether the Pixel is a 3 contaminant that “usurps” the normal operation of plaintiffs’ devices. See also Flextronics Int'l, 4 Ltd. v. Parametric Tech. Corp., No. 5:13-CV-00034-PSG, 2014 WL 2213910, at *5 (N.D. Cal. 5 May 28, 2014) (“a plaintiff need only allege that the actions of the contaminant 6 (modify/damage/destroy/record/ transmit) were undertaken by overcoming a technical barrier 7 without the permission of the owner; the introduction of the contaminant to the system need not 8 surmount the same hurdle.”). 9 The motion to dismiss the CDAFA claim is GRANTED with leave to amend. 10 V. BREACH OF CONTRACT – CLAIMS 1 & 2 11 A. Limitation of Liability in Meta’s Terms of Service 12 Meta argues initially that a “limitation of liability” clause in its TOS bars the breach of 13 contract claims. That clause provides: “[Meta]’s liability shall be limited to the fullest extent 14 permitted by applicable law, and under no circumstance will we be liable to you for any lost 15 profits, revenues, information, or data, or consequential, special, indirect, exemplary, punitive, or 16 incidental damages arising out of or related to these Terms or the Meta Products.” Meta RJN Ex. 17 1 at 7.8 18 Meta notes that at least one court in this District has applied Meta’s limitation provision to 19 defeat express and implied contract claims, rejecting the argument that the limitation provision 20 was unconscionable. See Bass v. Facebook, Inc., 394 F. Supp. 3d 1024, 1037 (N.D. Cal. 2019) 21 (“Perhaps regrettably, ‘[w]ith respect to claims for breach of contract, limitation of liability 22 clauses are enforceable unless they are unconscionable, that is, the improper result of unequal 23 bargaining power or contrary to public policy.’ Food Safety Net Servs. v. Eco Safe Sys. USA, Inc., 24 209 Cal. App. 4th 1118, 1126, 147 Cal.Rptr.3d 634 (2012).”). The Bass court then determined 25 that the limitations provision was not unconscionable as applied to the contract and quasi-contract 26 27 8 Meta seeks judicial notice of various documents, including its TOS, Business Tools Terms, 1 causes of action. Id. at 1038; see also Darnaa, LLC v. Google LLC, 756 F. App'x 674, 676–77 2 (9th Cir. 2018) (rejecting unconscionability argument, “[a]s interpreted by California courts, 3 Section 1668 generally does not prohibit parties from limiting liability for breach of contract, 4 including breach of the implied covenant. [citations omitted]. We see no reason to depart from this 5 principle here.”). 6 Plaintiffs respond that Meta’s attempt to limit its liability for the breach claim runs afoul of 7 California Civil Code section 1668. It provides: “All contracts which have for their object, 8 directly or indirectly, to exempt anyone from responsibility for his own fraud, or willful injury to 9 the person or property of another, or violation of law, whether willful or negligent, are against the 10 policy of the law.” Here, because defendants acted intentionally by refusing to stop the data 11 transfer or employ a stronger filter mechanism, plaintiffs assert that section 1668 comes into play 12 even for a breach of contract claim. On that basis, they distinguish Bass from this case as Bass 13 concerned a negligent data breach case caused by an obscure flaw in Meta’s code and Meta took 14 immediate action to fix it. 15 In addition to the substantive differences between the allegations in Bass and this case, 16 plaintiffs also note that other courts in this district have allowed breach of contract claims to 17 continue against Facebook despite the limitation of liability clause. See, e.g., Lundy v. Facebook 18 Inc., No. 18-CV-06793-JD, 2021 WL 4503071, at *2 (N.D. Cal. Sept. 30, 2021) (“For the 19 damages element of plaintiffs’ contract and quasi-contract claims, plaintiffs have adequately 20 pleaded claims for disgorgement and nominal damages. [] These types of damages are not 21 covered by the limitation of liability provision Facebook points to in its motion to dismiss. [] 22 Nominal damages may be recovered for a breach of contract under California law.” (internal 23 citations omitted)); Shared.com v. Meta Platforms, Inc., No. 22-CV-02366-RS, 2022 WL 24 4372349, at *4 (N.D. Cal. Sept. 21, 2022) (allowing breach of contract and other claims to 25 proceed past motion to dismiss stage despite limitation of liability clause because the “discovery 26 process would aid in determining more concretely whether each claim avers direct or indirect 27 damages. The limitations provision will therefore not mandate dismissal of any of Plaintiff’s 1 for summary judgment”). 2 Here, plaintiffs have pleaded entitlement to nominal damages and restitution. CCAC ¶ 3 317. Given the differences between the damages sought as well as the intentional conduct alleged 4 (distinguishing this case from Bass), the breach of contract claims will not be dismissed based on 5 the limitation of liability clause. Meta may, however, move to limit the types of damages 6 available (e.g., anything beyond nominal damages) on summary judgment or at another 7 appropriate juncture. 8 B. Sufficiently Definite Promises and Breach 9 Next Meta argues that the contractual provisions on which plaintiffs based their breach of 10 contract claim are not “sufficiently definite.” The specific contractual promises made in Meta’s 11 Privacy Policy and TOS and plaintiffs’ allegations regarding breach are identified at paragraph 12 312 in the CCAC: 13 • “We require Partners to have the right to … share your information before giving it to us.” 14 Plaintiffs allege: “Meta does not require Partners to have the right to share health 15 information with Meta before giving it to Meta.” 16 • “We employ dedicated teams around the world … to detect potential misuse of our Products, harmful conduct towards others, and situations where we may be able to help 17 support or protect our community.” 18 Plaintiffs allege: “Meta does not employ dedicated teams to prevent its 19 unauthorized acquisition of health information. To the contrary, Meta employs dedicated teams to encourage health entities to share health information with Meta 20 that the health entities lack rights to share.” 21 • “We … develop advanced technical systems to detect potential misuse of our Products, 22 harmful conduct towards others, and situations where we may be able to help support or protect our community. If we learn of content or conduct like this, we will take appropriate 23 action – for example … removing content, blocking access to certain features, disabling an account, or contacting law enforcement.” 24 25 Plaintiffs allege: “Meta has developed advanced technical systems to detect potential misuse of certain products and is fully capable of using those systems to 26 detect Pixel Partners from which it is acquiring health information without authorization. However, Meta has not used those systems to stop acquiring such 27 information and has not taken appropriate action to prevent health entities from 1 • “We work with external service providers, partners, and other relevant entities … to detect 2 potential misuse of our Products, harmful conduct towards others, and situations where we may be able to help support or protect our community, including to respond to user reports 3 of potentially violating content.” 4 Plaintiffs allege: “Meta does not work with external service providers, Partners, or other relevant entities to detect potential misuse of sending health information to 5 Meta through the Pixel without the right to do so. To the contrary, Meta works with 6 Partners to help those Partners avoid the meaningless restrictions Meta places on ads that are targeted to health. As shown above, Meta teaches health entities how to 7 avoid its “restrictions” on personalized health targeted ads by removing certain words that would give users the idea that the ad was specifically targeted to them, 8 all the while continuing to target ads to specific users based on personal attributes, including health.” 9 CCAC ¶ 312; see also ¶¶ 96-97 (noting Meta “requires” some information including sensitive and 10 protected information from users for services to work), 117 (same).9 Plaintiffs’ specific references 11 to identified provisions in Meta’s TOS and Privacy Policy are sufficiently definite to “determine 12 the scope of the duty and the limits of performance must be sufficiently defined to provide a 13 rational basis for the assessment of damages.” Ladas v. California State Auto. Assn., 19 Cal. App. 14 4th 761, 770 (1993). 15 Plaintiffs have also plausibly alleged that Meta breached the promises. Meta overreads the 16 impact of plaintiffs’ “admissions” that Meta may have “discouraged” partners from sending 17 sensitive or protected information and Meta employed a filter to reduce the transfer of sensitive or 18 protected information. Meta ignores plaintiffs’ detailed and plausible allegations regarding how 19 and why the transfer of sensitive or protected information is necessary for Meta’s advertising 20 services to function in the way Meta advertised those services, as well as allegations that Meta 21 knew its filter was not effective and could have improved its filter or taken other steps to block the 22 transfer of the sensitive or protected information. That is sufficient at this juncture. 23 The motion to dismiss the breach of contract and related breach of the duty of good faith 24 and fair dealing claims is DENIED.10 25 26 99 In addressing consent at the preliminary injunction stage, as both sides here note, I expressed that Meta’s use of the term “require” was susceptible to multiple meanings. PI Order at 16. 27 VI. UNJUST ENRICHMENT – CLAIM 13 1 Meta moves to dismiss the unjust enrichment claim, which California law construes as a 2 quasi-contract claim, in light of plaintiffs’ express contract claim. But plaintiffs may plead this 3 claim as an alternative at this juncture, even if the contract claim can be read to cover plaintiffs’ 4 allegation that Meta sold their data without consent and unjustly retained the proceeds. See 5 Astiana v. Hain Celestial Grp., Inc., 783 F.3d 753, 762 (9th Cir. 2015). Meta also argues that the 6 claim cannot stand as plaintiffs have failed to plead that they lack adequate remedies at law under 7 Sonner v. Premier Nutrition Corp., 971 F.3d 834, 844 (9th Cir. 2020). But plaintiffs do allege that 8 their remedies at law are inadequate. See CCAC ¶¶ 448, 489. 9 The motion to dismiss the unjust enrichment claim is DENIED. 10 VII. NEGLIGENCE PER SE – CLAIM 7 11 Under California law, negligence per se is not a separate cause of action, but a negligence 12 claim analyzed under the per se doctrine. See Dent v. Nat'l Football League, 902 F.3d 1109, 1118 13 (9th Cir. 2018). Under that doctrine, the standard of care can be established by a statute, and a 14 defendant’s violation of that statue can “give rise to a presumption that it failed to exercise due 15 care” where that violation “proximately caused an injury,” the injury resulted from something the 16 statute was designed to prevent, and the person who was injured was “one of the class of persons 17 for whose protection the statute, ordinance, or regulation was adopted.” Id. (internal citations 18 omitted). However, the basic elements of a negligence claim, including duty of care and 19 causation, must still be alleged. See Quiroz v. Seventh Ave. Ctr., 140 Cal. App. 4th 1256, 1285 20 (2006). 21 Meta attacks plaintiffs’ attempt to plead a breach of the duty of care required to state a 22 negligence-based claim. Plaintiffs’ only identified source of duty is HIPAA, and at least one court 23 this District and another within the Ninth Circuit have rejected HIPAA as a basis of a negligence 24 per se claim. See, e.g., Austin v. Atlina, No. 20-CV-6363-YGR, 2021 WL 6200679, at *3 (N.D. 25 26 Oppo. at 17. As construed, the claim is not merely duplicative of or exceeding the obligations imposed by the contractual provisions plaintiffs rely on for their express breach claim. Plaintiffs 27 have also adequately Meta’s intent – conscious and deliberative acts – given the breach allegations 1 Cal. Dec. 22, 2021) (“Because there is no private right of action under HIPAA, plaintiff’s HIPAA 2 claim is not cognizable under common law”); Teeter v. Easterseals-Goodwill N. Rocky Mountain, 3 Inc., No. CV-22-96-GF-BMM, 2023 WL 2330241, at *4 (D. Mont. Mar. 2, 2023) (dismissing 4 negligence per se cause of action based on HIPAA); see also Delta Sav. Bank v. United States, 265 5 F.3d 1017, 1026 (9th Cir. 2001) (“[t]o bring suit under the FTCA based on negligence per se, a 6 duty must be identified, and this duty cannot spring from a federal law. The duty must arise from 7 state statutory or decisional law, and must impose on the defendants a duty to refrain from 8 committing the sort of wrong alleged here,” and citing authority explaining “[t]he pertinent inquiry 9 is whether the duties set forth in the federal law are analogous to those imposed under local tort 10 law”) (quotations omitted); In re: Netgain Tech., LLC, No. 21-CV-1210 (SRN/LIB), 2022 WL 11 1810606, at *16 (D. Minn. June 2, 2022) (“Here, Plaintiffs have not cited any precedent in 12 California, Minnesota, Nevada, South Carolina, or Wisconsin that permits a state-law negligence 13 per se claim to proceed based on the theory that there is a violation of Section 5 of the FTC Act.”); 14 but see In re Ambry Genetics Data Breach Litig., 567 F. Supp. 3d 1130, 1143 (C.D. Cal. 2021) 15 (allowing negligence/negligence per se claim based on violations of FTCA and HIPAA to 16 proceed).11 17 Following the majority of the cases that have considered the issue, the negligence per se 18 claim based on a duty created by HIPAA is DISMISSED with leave to amend so that plaintiffs 19 may attempt to identify a state law source of the duty of care. 20 VIII. TRESPASS TO CHATTELS – CLAIM 8 21 Under California law, trespass to chattels “lies where an intentional interference with the 22 possession of personal property has proximately caused injury.” Intel Corp. v. Hamidi, 30 Cal.4th 23 1342, 1350–51, 1 Cal.Rptr.3d 32, 71 P.3d 296 (2003). This claim does not lie where injuries are 24 to privacy and confidentiality. See Casillas v. Berkshire Hathaway Homestate Ins. Co., 79 Cal. 25 26 11 Meta also challenges plaintiffs’ ability to plausibly please causation for a negligence claim, given plaintiffs’ admission that the healthcare providers’ web developers, not Meta, choose what 27 information the Pixel sends to Meta. Mot. at 21. Given plaintiffs’ plausible allegations that Meta 1 App. 5th 755, 765 (2022). In cases of interference with possession of personal property not 2 amounting to conversion “‘the owner has a cause of action for trespass or case, and may recover 3 only the actual damages suffered by reason of the impairment of the property or the loss of its 4 use.’” Hamidi, at 1351 (emphasis in original, quoting Zaslow v. Kroenert, 29 Cal. 2d 541, 551 5 (1946)); see also id. 1353 (where there was “no actual or threatened damage to [plaintiff's] 6 computer hardware or software and no interference with its ordinary and intended operation,” the 7 defendant's trespass was not actionable); In re iPhone Application Litig., No. 11-MD-02250-LHK, 8 2011 WL 4403963, at *13–14 (N.D. Cal. Sept. 20, 2011 (following Hamidi and dismissing a 9 privacy-based action where plaintiffs failed to connect the trespass to a harm in the functioning of 10 the phone). 11 Plaintiffs’ trespass claim is based on their assertions that Meta places the _fbp cookie on 12 their devices via their health-care providers’ websites. They do not allege that the presence of that 13 cookie “impairs” the operation of their devices in terms of diminished storage, decreased battery 14 life, or otherwise. Instead, they assert that Meta’s tracking diminishes the value of plaintiffs’ 15 computing devices because plaintiffs no longer want to use their devices to communicate with 16 their healthcare providers. CCAC ¶¶ 415-28, 423-25. They analogize their inability to use their 17 phones and computers to communicate with their healthcare providers (lest they disclose personal 18 healthcare information) to the situation in Grace v. Apple Inc., No. 17-CV-00551, 2017 WL 19 3232464, at *11 (N.D. Cal. July 28, 2017). There, based on allegations that Apple heavily 20 advertised the presence and ability to use Facetime in its iPhones and allegations that use of 21 Facetime was integral to the plaintiffs’ use of their iPhones, the court allowed the trespass claim to 22 continue because the removal of Facetime from plaintiffs’ phones due to Apple’s software update 23 significantly impaired the value of plaintiffs’ phones. 24 Here, unlike in Grace, there are no allegations that any functionality inherent in their 25 computing devices has been impacted by Meta’s conduct. Nor are there allegations that plaintiffs 26 purchased any specific computing device with the purpose in whole or part of using that device to 27 communicate with their healthcare providers. That these plaintiffs may have valued using their 1 value of those devices to allow the plaintiffs to state a trespass to chattels claim. 2 The trespass claim is DISMISSED with leave to amend. 3 IX. LARCENY – CLAIM 11 4 Plaintiffs’ larceny claim is brought under California Penal Code sections 484 and 496(a),12 5 based on the theory that Meta “knowingly obtained” plaintiffs’ information “by false pretenses.” 6 CCAC ¶¶ 455-464; Oppo. at 20-21; see also Bell v. Feibush, 212 Cal. App. 4th 1041, 1047-48 7 (2013) (discussing theft by false pretenses). To plausibly state a theft by false pretenses claim, 8 plaintiffs must allege not only that Meta made specific false representations to them, but also that 9 plaintiffs transferred their property to Meta “in reliance on the representation.” See People v. 10 Miller, 81 Cal. App. 4th 1427, 1440 (2000), as modified on denial of reh'g (July 6, 2000). 11 Plaintiffs have not clearly identified the specific representations that Meta made to them that 12 support their larceny claim or the facts showing that their reliance on those representations 13 issufficient to state this claim. 14 The larceny claim is DISMISSED with leave to amend. 15 X. UNFAIR COMPETITION LAW (CLAIM 9) AND CONSUMERS LEGAL RREMEDIES ACT (CLAIM 10) 16 A UCL claim may only be brought by “a person who has suffered injury in fact and has 17 lost money or property as a result of the unfair competition.” Cal. Bus. & Prof. Code § 17204. 18 Plaintiffs, therefore, must “demonstrate some form of economic injury,” such as surrendering 19 more or acquiring less in a transaction, having a present or future property interest diminished, 20 being deprived of money or property, or entering into a transaction costing money or property that 21 would otherwise have been unnecessary. Kwikset Corp. v. Superior Court, 51 Cal. 4th 310, 323 22 (2011). 23 Courts in this district have dismissed cases where, like here, the injury is based on “the loss 24 of the inherent value of their personal data,” see Cottle v. Plaid Inc., 536 F. Supp. 3d 461, 484 25 (N.D. Cal. 2021), as well as where it was undisputed that plaintiffs paid no money to the 26 27 12 California Penal Code section 484 forbids theft, which includes obtaining property “by ... false 1 defendant. See In re Facebook, Inc., Consumer Privacy, 402 F. Supp. 3d at 804 (noting “the 2 plaintiffs here do not allege that they paid any premiums (or any money at all) to Facebook to 3 potentially give rise to standing under California law” for purposes of UCL claim and dismissing 4 claim for failure to allege “lost money or property”); Wesch v. Yodlee, Inc., No. 20-cv-05991-SK, 5 2021 WL 1399291, at *6 (N.D. Cal. Feb. 16, 2021) (holding that the plaintiffs had not alleged that 6 they “surrender[ed] more or acquir[ed] less in a transaction than they otherwise would have” for 7 purposes of UCL standing where they had not paid money to the defendant). 8 Plaintiffs rely on In re Solara Med. Supplies, LLC Customer Data Sec. Breach Litig., 613 9 F. Supp. 3d 1284, 1301 (S.D. Cal. 2020). But the injury in that case was based on a “benefit-of- 10 the-bargain” theory that plaintiffs “acquired less” in their transactions with the defendant (who 11 sold medical devices to plaintiffs). See also Cappello v. Walmart Inc., 394 F. Supp. 3d 1015, 12 1019 (N.D. Cal. 2019) (benefit-of-the-bargain theory asserted by customers of defendant). There 13 is no benefit of the bargain basis alleged in the CCAC with respect to the UCL claim, although 14 benefit of the bargain allegations are made in support of the contract claim. See CCAC ¶ 316 15 (seeking benefit of the bargain contract damages). Given the different requirements to state a 16 plausible remedy under a breach of contract claim and “loss of money or property” under the 17 UCL, a cognizable “benefit of the bargain” theory has not adequately been alleged as a remedy for 18 the UCL claim.13 19 With respect to diminished value of their data, in the most recent Northern District case to 20 address the issue the Hon. Richard S. Seeborg reviewed recent cases and held: 21 Plaintiffs fail to show they have an economic injury. Plaintiffs do identify some support for the idea that personal information without 22 consent constitutes economic injury. See Calhoun v. Google LLC, 526 F. Supp. 3d 605, 636 (N.D. Cal. 2021) (“[T]he Ninth Circuit and a 23 number of district courts, including this Court, have concluded that plaintiffs who suffered a loss of their personal information suffered 24 economic injury and had standing.”) (citing cases, including In re Facebook Privacy Litig. (“Facebook Privacy”), 572 F. App'x 494, 25 494 (9th Cir. 2014); and In re Yahoo! Inc. Cust. Data Sec. Breach 26 13 Plaintiffs also rely on Callahan v. PeopleConnect, Inc., No. 20-CV-09203-EMC, 2021 WL 27 5050079, at *19 (N.D. Cal. Nov. 1, 2021), motion to certify appeal denied, No. 20-CV-09203- Litig., No. 16-MD-02752-LHK, 2017 WL 3727318, at *13 (N.D. Cal. 1 Aug. 30, 2017)). The weight of the authority in the district and the state, however, point in the opposite direction: that “the ‘mere 2 misappropriation of personal information’ does not establish compensable damages.” Pruchnicki v. Envision Healthcare Corp., 3 845 F. App'x 613, 615 (9th Cir. 2021) [citations omitted]. Because Plaintiffs have not alleged a specific monetary or economic loss, 4 Plaintiffs lack standing to maintain their UCL claims. 5 Katz-Lacabe v. Oracle Am., Inc., No. 22-CV-04792-RS, 2023 WL 2838118, at *8 (N.D. Cal. Apr. 6 6, 2023). 7 Judge Seeborg relied in part on Moore v. Centrelake Med. Grp., Inc., 83 Cal. App. 5th 515, 8 538 (2022), review denied (Dec. 14, 2022). There, the California Court of Appeal held that 9 plaintiffs’ “lost-value-of-PII theory, as pled, is insufficient to support UCL standing,” because 10 “[a]ppellants properly pled only that their PII was stolen and disseminated, and that a market for it 11 existed. They did not allege they ever attempted or intended to participate in this market, or 12 otherwise to derive economic value from their PII. Nor did they allege that any prospective 13 purchaser of their PII might learn that their PII had been stolen in this data breach and, as a result, 14 refuse to enter into a transaction with them, or insist on less favorable terms. In the absence of any 15 such allegation, appellants failed to adequately plead that they lost money or property in the form 16 of the value of their PII.” Id. at 538. 17 Plaintiffs rely on Brown v. Google LLC, No. 20-CV-03664-LHK, 2021 WL 6064009 (N.D. 18 Cal. Dec. 22, 2021). There, the Honorable Lucy H. Koh found that plaintiffs adequately alleged 19 lost money or property sufficient to state their UCL claim where they alleged that “because 20 Google previously has paid individuals for browsing histories, it is plausible that, had Plaintiffs 21 been aware of Google’s data collection, they would have demanded payment for their data. Thus, 22 by inducing Plaintiffs to give Google their data without payment, Google caused Plaintiffs to 23 ‘acquire in a transaction less[ ] than [they] otherwise would have.’ [] Second, because there are 24 several browsers and platforms willing to pay individuals for data, it is plausible that Plaintiffs 25 will decide to sell their data at some point. Indeed, each named Plaintiff has alleged that he or she 26 is aware of these browsers and platforms. [] Accordingly, by obtaining Plaintiffs’ data and selling 27 it to advertisers, Google ‘diminished’ Plaintiffs’ ‘future property interest.’ Kwikset, 51 Cal. 4th at 1 Here, plaintiffs contend their allegations bring them closer to Brown and satisfy the 2 deficiencies identified in Moore. See CCAC ¶¶ 22 (alleging Meta “takes patients’ property and 3 property rights without compensation and ignores their right to control the dissemination of their 4 health information to third parties”), 215 (“Meta itself has paid users for their digital 5 information”). But the crux of this case concerns Meta’s receipt of “individually identifiable 6 health information,” that plaintiffs apparently do not want Meta or anyone other than their 7 healthcare providers to have. Id., ¶¶ 1, 216 (“Americans typically do not want to see their 8 individually identifiable health information for any purpose”). That brings it closer to Moore and 9 Katz-Lacabe. 10 In light of the failure to separately allege a benefit of the bargain basis for “loss of money 11 or property” under the UCL and in light of the inconsistent allegations regarding how plaintiffs 12 could and would participate in a legitimate market for health care information, the UCL claim is 13 DISMISSED with leave to amend. 14 There is a different deficiency with plaintiffs’ claim under the CLRA. The CLRA claim is 15 based on Meta’s representation “that it required its Partners to have the right to collect, use and 16 share Plaintiffs’ and Class members’ information but doing nothing to ensure their rights were 17 protected.” CCAC ¶¶ 451-453. As a result, plaintiffs allege that Meta violated section 1770(2) of 18 the CLRA by “[m]isrepresenting the source, sponsorship, approval, or certification of goods or 19 services”; section 1770(5) of the CLRA by “[r]epresenting that goods or services have 20 sponsorship, approval, characteristics, ingredients, uses, benefits, or quantities which they do not 21 have”; and section 1770(14) of the CLRA by “[r]epresenting that a transaction confers or involves 22 rights, remedies, or obligations which it does not have or involve, or which are prohibited by law.” 23 Meta moves to dismiss these misrepresentations claims under Rule 9(b) because none of 24 the plaintiffs allege that they saw and relied on those alleged misrepresentations. See, e.g., In re 25 Zoom Video Commc'ns Inc. Priv. Litig., 525 F. Supp. 3d 1017, 1046 (N.D. Cal. 2021) (dismissing 26 CLRA claims where “[n]o Plaintiff alleges reading those allegedly misleading statements, let 27 alone reading them at a specific time or place.”). Plaintiffs did not address this issue in their 1 DISMISSED with leave to amend so that plaintiffs can plead facts regarding reliance on the 2 || alleged misrepresentations.'4 3 CONCLUSION 4 For the foregoing reasons Meta’s motion is DENIED regarding the ECPA, CIPA, breach 5 || of contract, and unjust enrichment claims. The motion is GRANTED with leave to amend on the 6 || privacy, CDAFA, negligence per se, trespass, larceny, UCL, and CLRA claims. Plaintiffs shall 7 file their amended complaint within twenty (20) days of the date of this Order. 8 9 Dated: September 7, 2023 10 : \f 11 ® Wilfiam H. Orrick 12 United States District Judge 15 16 = 17 Z 18 19 20 21 22 23 24 25 26 4 Th my Tentative Order issued in advance of the hearing, I indicated I was inclined to follow Judge Koh’s decision in Calhoun v. Google LLC, 526 F. Supp. 3d 605, 635 (N.D. Cal. 2021). 07 Dkt. No. 298. However, the defendant in Calhoun moved to dismiss arguing only that there was no property interest in browsing data and that copying data did not amount theft. Jd. Meta’s 2g || argument here rests on plaintiffs’ failure to satisfy the false statement and reliance elements of that claim.
Document Info
Docket Number: 3:22-cv-03580
Filed Date: 9/7/2023
Precedential Status: Precedential
Modified Date: 6/20/2024