DocketNumber: Case No. 18-cv-01881-RS
Citation Numbers: 384 F. Supp. 3d 1043
Judges: Introduction, Seeborg
Filed Date: 12/18/2018
Status: Precedential
Modified Date: 7/25/2022
Defendant Facebook, Inc. ("Facebook") is a global social media and networking company. It owns and operates a website and smartphone applications for Android and iOS such as Facebook Messenger and Facebook Lite. In March 2018, the news website Ars Technica reported Facebook apps for Android were programmed to scrape user call and text data to monetize the information for advertising purposes. Facebook allegedly scraped data by exploiting a software vulnerability in the permission settings of older versions of the Android OS. When users installed older versions of Facebook Messenger or Facebook Lite on their Android smartphones a contact upload prompt to grant Facebook access to contact lists surreptitiously also granted access to user call and text logs. Facebook stopped data scraping once the Android OS eventually closed the vulnerability.
Plaintiffs are consumers from the states of California, Florida, Kansas, New York and Texas who bring claims for violations of California's Consumers Legal Remedies Act ("CLRA"),
Because plaintiffs do not identify in the complaint an omission or a specific misleading *1047contact upload prompt, they fail to state their fraud-based claims with sufficient particularity. The complaint also lacks factual averments supporting an injury in fact to establish standing for the CDAFA and GBL § 349 claims. Furthermore, the GBL claim is barred by Facebook's enforceable choice of law provision. Accordingly, the motion to dismiss is granted and plaintiffs are given 21 days leave to amend.
II. FACTUAL ALLEGATIONS
In March 2018, Ars Technica reported Facebook was discretely collecting call and text data by exploiting a vulnerability in prior versions of the Android OS permission settings. Facebook Messenger and Facebook Lite users would receive a prompt during installation requesting permission to access their contact list. Prior to Android version 4.1, granting Facebook such access also surreptitiously granted the apps access to the user's call and text logs by default. Call logs appear to show years of incoming, outgoing, or missed calls, the date and time of each call, the number dialed, the individual called, and the duration of each call. Text logs contain similar sorts of data.
Plaintiffs aver Facebook failed to disclose its data scraping practices. Rather than granting the access solely for its friend recommendation algorithm, as a Facebook spokesperson represented, plaintiffs aver Facebook incorporated call and text logs into its user profiles to be monetized for advertising purposes. The advertising space on Facebook platforms attracts potential advertisers with the possibility to target specific demographic and interest groups based in part on the user data Facebook collects. Additionally, Facebook has entered agreements to share its user data with 61 different entities including Apple, UPS, Microsoft, Blackberry, and Samsung.
Even as the vulnerability was identified and patched in later Android versions, applications like Facebook Messenger and Facebook Lite could bypass the patch by specifying they were using an older pre-patched version of the Android Software Development Kit. It was not until October 2017 that the Android operating system fully deprecated this function in all its versions, which coincided with Facebook ceasing this means of data scraping. Recently, the Open Handset Alliance, the group responsible for developing the Android OS, also announced plans to change the permission settings in the next Android version so users will need to opt-in to share their call and text logs.
III. LEGAL STANDARD
A complaint must contain "a short and plain statement of the claim showing that the pleader is entitled to relief." FED. R. CIV. P. 8(a)(2). While "detailed factual allegations" are not required, a complaint must have sufficient factual allegations to "state a claim to relief that is plausible on its face." Ashcroft v. Iqbal ,
*1048"A plaintiff must set forth more than the neutral facts necessary to identify the transaction. The plaintiff must set forth what is false or misleading about a statement, and why it is false." Vess v. Ciba-Geigy Corp. USA ,
A motion to dismiss a complaint under Rule 12(b)(6) of the Federal Rules of Civil Procedure tests the legal sufficiency of the claims alleged in the complaint. See Parks Sch. of Bus., Inc. v. Symington ,
To establish Article III standing, a plaintiff must satisfy three requirements: (1) "the plaintiff must have suffered an injury in fact," which is concrete and particularized as well as actual or imminent; (2) "there must be a causal connection between the injury and the conduct complained of," which is fairly traceable to defendant's actions; and (3) "it must be likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision." Lujan v. Defs. of Wildlife ,
IV. DISCUSSION
Facebook seeks to dismiss the first amended consolidated class action complaint (hereafter "FACC" or "complaint") in its entirety without leave to amend. It makes two threshold challenges: (1) there is no injury in fact to confer standing; and (2) the contact upload prompt demonstrates Facebook users allowed it to collect call and text logs. In addition to these threshold challenges, Facebook raises separate arguments for the dismissal of each individual claim.
*1049A. Standing
Facebook contests the sufficiency of plaintiffs' injury in fact. First, it asserts plaintiffs lack a particularized injury because the FACC offers only conclusory claims of a deprivation of income and an invasion of privacy without identifying injury to the plaintiffs themselves. See In re Google, Inc. Priv. Policy Litig. , No. 12-cv-01382-PSG,
Plaintiffs assert a deprivation of income theory, relying on paragraphs sixteen to eighteen of their complaint, which they assert is sufficient to confer standing. These averments include Facebook's duopoly with Google in the online advertising space, FACC ¶ 16, its "over $ 10 billion of annual advertising sales," id. ¶ 17, and the monetization of "User Data by selling advertising space on its platforms and services," id. ¶ 18. Although the complaint suggests Facebook profits off the advertisements targeting its users, which use the information Facebook collects, none of its averments offer a particularized or concrete harm related to the individual plaintiffs' deprivation of any income.
Plaintiffs also aver an invasion of privacy theory conferring standing, which is particularized. Plaintiffs Olin, Nyamjom, Smith-Jackson, and Vega-Latker, were able to download the scraped data and confirm Facebook was in possession of their private call and text logs without their consent. FACC ¶¶ 5, 6, 7, 8. This is sufficient for the class claims. See In re iPhone Application Litig. , No. 11-MD-02250-LHK,
As for concreteness, plaintiffs again rest on the theory of an intangible harm arising from Facebook monetizing their user data and disseminating their private information to third parties. See FACC ¶¶ 18, 25; see also Spokeo, Inc. v. Robins , --- U.S. ----,
1. CDAFA and GBL § 349 Claims
In claims under the CDAFA and GBL § 349, before and after the Supreme Court's decision in Spokeo , courts have required plaintiffs to aver economic harm or actual injury. Standing to bring a CDAFA claim requires "a showing of economic harm or loss." In re Facebook Internet Tracking Litig. ,
Plaintiffs rely on an earlier case, Bose v. Interclick, Inc. , No. 10CV9183,
2. Intrusion Upon Seclusion, Invasion of Privacy, and Unjust Enrichment Claims
Unlike the CDAFA and GBL claims, plaintiffs' failure to plead actual individualized deprivation of income is not fatal to the remaining common law claims. The complaint need not include economic injury to establish standing for the intrusion upon seclusion, invasion of privacy, or unjust enrichment claims. See In re Facebook Internet Tracking Litig. ,
As both parties recognize, courts in the Ninth Circuit "have routinely denied motions to dismiss based on Article III standing where a plaintiff alleges that his personal information was collected and then wrongfully disclosed, as opposed to alleging that his personal information was collected without his consent." In re Sony Gaming Networks & Customer Data Sec. Breach Litig. ,
Here, plaintiffs have averred their own call and text log user data, and those of the putative class, was disclosed by Facebook to third parties. FACC ¶ 25 ("On *1051June 29, 2018, Facebook produced 747 pages of documents to Congress, which show that Facebook has agreements in place to share its user data with 61 different entities."). The complaint states Facebook collects information termed "user data" comprised of a broad range of information, such as a user's name, country, browsing habits, interests, age, gender, marital status, telephone number, email address, IP address, and "other categories." FACC ¶ 15. Facebook incorporated the call and text logs into its "user data" for all users who had the apps on Android OS, FACC ¶ 19, and Facebook shared the same "user data" pursuant to agreements it has with other entities, FACC ¶ 25.
Facebook contends the call and text logs are not sensitive information and cannot form the basis of a concrete injury in fact. Yet plaintiffs aver the call and text logs are "necessarily of a highly sensitive and private nature." FACC ¶ 69; see also FACC ¶¶ 74, 75. Whether someone has a reasonable expectation of privacy in their call and text logs would appear to involve a question of fact under California law. See Hill v. Nat'l Collegiate Athletic Assn. ,
Accordingly, plaintiffs lack standing to pursue their CDAFA and GBL § 349 claims without a showing of an actual and individualized injury. Their privacy-based injury premised on the disclosure of their private information satisfies standing for the remaining intrusion upon seclusion, invasion of privacy, and unjust enrichment claims.
B. Facebook's Contact Upload Prompt
Facebook contends the case must be dismissed because the complete language of its contact upload prompt, which was omitted from the complaint, shows plaintiffs expressly allowed Facebook to collect their call and text history. Alternatively, Facebook asserts plaintiffs cannot satisfy notice pleading or the heightened pleading required of fraud cases without including the language of the prompt in the complaint.
1. Incorporation by Reference and Judicial Notice
Facebook relies on the language of a contact upload prompt that appears in the March 2018 Ars Technica article in support of its motion to dismiss. See Request for Judicial Notice (Dkt. No. 66). Incorporation by reference and judicial notice are both grossly overused and regularly confused in motions to dismiss as this case reflects.
Incorporation by reference is "a judicially created doctrine that treats certain documents as though they are part of the complaint itself." Khoja v. Orexigen Therapeutics, Inc. ,
Similarly, courts may take judicial notice "without converting a motion to dismiss into a motion for summary judgment."
*1052See Opperman v. Path, Inc. ,
Here, there is no dispute the Ars Technica article is relied upon in the complaint, but it is not the basis of the claim. Facebook's conduct is. There is also a significant dispute about the relevance of the prompt shown in the article and the meaning of the article's content. Facebook contends the prompt in the article shows it disclosed its practices to users, while plaintiffs believe the article suggests the prompt was only an addition to the Facebook apps after October 2017. See Oppo. at 7 (Dkt. No. 74). In short, reference to the article in the complaint cannot be transformed into a finding that the prompt therein is indisputably the operative version for purposes of plaintiffs' claims. In other words, Facebook cannot advance defenses premised on the disputed prompt shown in the article through either incorporation by reference or judicial notice on a motion to dismiss.
2. Claims Based on Misrepresentations or Fraudulent Omissions
The more difficult issue is whether plaintiffs have adequately pleaded facts establishing specific misrepresentations or fraudulent omissions arising from a prompt which does not appear in the complaint. The nature of the averred misrepresentation sounds in fraud, and therefore Rule 9(b) applies to all such claims. See Concha v. London ,
Facebook asserts it lacks any notice of a prompt containing a specific misrepresentation, or notice of an "account of the time, place, and specific content of the false representations" if the prompt in the Ars Technica article is not judicially noticed or incorporated by way of the complaint. Swartz v. KPMG LLP ,
Without any prompt identified, plaintiffs do not provide adequate notice of the misrepresentation or omission. Cooper ,
*1053The complaint quotes the Ars Technica article as reporting "Facebook never explicitly revealed that the data was being collected," yet it provides no contact upload prompt against which to assess that assertion. FACC ¶ 23. As pleaded, the complaint appears to be based on selective information from the article without any suggestion plaintiffs know what the specific prompt or prompts were at the time they installed the apps. More needs to be averred to satisfy the applicable rules of pleading.
C. California Computer Data Access and Fraud Act Claim
Plaintiffs' California subclass brings a claim for a violation of CDAFA § 502(c)(1)-(3) and (7). The CDAFA prohibits knowingly accessing, and without permission, using any data, computer, computer system, or computer network in certain prohibited ways. Cal. Pen. Code, § 502. A party acts "without permission" under the CDAFA when it "circumvents technical or code-based barriers in place to restrict or bar a user's access." NovelPoster v. Javitch Canfield Grp. ,
Setting aside the Rule 9(b) deficiencies in the complaint, plaintiffs adequately aver Facebook used and accessed their call and text logs without their permission, and specifically with the intention to "obtain money" at the expense of unwitting users. CDAFA § 502(c)(1) ; see FACC ¶¶ 1, 24, 91. Only Section 502(c)(1) requires plaintiffs to aver Facebook "altered, damaged, destroyed, or otherwise used any data...," while Sections 502(c)(2),(3), and (7) focus on access and use. Plaintiffs aver Facebook scraped call and text data from the Android device such as the type of call, the time of each call, the number dialed, the individual called, and the duration of each call. FACC ¶ 1. The lack of a disclosure, combined with Facebook's averred exploitation of the permission setting on older Android OS devices, is enough to plead Facebook circumvented technical barriers in violation of the CDAFA.
The complaint also adequately avers how Facebook used "computer services" under Section 502(c)(3). Facebook allegedly exploited "a software vulnerability in the permission settings of older versions of the Android OS," particularly prior to Android version 4.1. FACC ¶¶ 20-21. In the opposition, plaintiffs argue their general accusation of data scraping Android smartphones necessarily implies the use of "storage functions" and "Internet services" such as CPU and RAM, storage space on the device, and Wi-Fi and 4G to transmit data to Facebook. See Oppo. at 15:20-24. Facebook points out none of these averments are included in the complaint. Nonetheless, assuming it is true that Facebook exploited a vulnerability in Android OS smartphones, it is plausible Facebook did so using a computer service as defined in the CDAFA. Accordingly, if plaintiffs establish their standing and plead a fraud with sufficient particularity, the CDAFA claim could move forward.
D. Intrusion Upon Seclusion Claim
Common law intrusion upon seclusion requires: "(1) an intrusion into a private place, conversation, or matter (2) in a manner highly offensive to a reasonable person." Varnado v. Midland Funding LLC ,
First, Facebook relies again on the contact upload prompt to show plaintiffs agreed to the disclosure of their information and had no reasonable expectation of privacy. See Shulman v. Group W Prods., Inc. ,
Second, Facebook's more substantial challenge is levied against the "highly offensive" factor, which courts determine by "the degree of intrusion, the context, conduct and circumstances surrounding the intrusion as well as the intruder's motives and objectives, the setting into which he intrudes, and the expectations of those whose privacy is invaded." Med. Lab. Mgmt. Consultants v. ABC, Inc. ,
Here, plaintiffs aver surreptitious collection, use, and dissemination of their call and text logs for Facebook's monetary gain. Facebook argues the disclosure of this type of data is not considered highly offensive as a matter of law. See In re Google, Inc. Privacy Policy Litig. ,
In response, plaintiffs in part rely on Opperman , which found unpersuasive Facebook's two primary cases owing to their lack of consideration for California's privacy norms. See Opperman v. Path, Inc. ,
E. California Privacy Claim
Invasion of privacy in violation of the California Constitution requires: "(1) a legally protected privacy interest; (2) a reasonable expectation of privacy under the circumstances; and (3) conduct by the defendant that amounts to a serious invasion of the protected privacy interest." Low v. LinkedIn Corp. ,
For the first and second factors, Facebook asserts user call and text logs are not content considered a legally protected privacy interest and do not create any reasonable expectation of privacy. According to Facebook, the FACC only contains conclusory averments the user data is protected by the CDAFA. FACC ¶ 68. In response, plaintiffs invoke the California Constitution's protection of an interest in "conducting personal activities without observation."
*1055In re Google Inc. Cookie Placement Consumer Privacy Litig. ,
In re Google Inc. Cookie Placement and similar cases turned on a defendant's express promise not to collect information. The Court found whether plaintiffs voluntarily sent information to Google while using the internet was not the issue; rather, "[w]hat is notable about this case is how Google accomplished its tracking."
As for the final factor, Facebook relies on the same line of cases in the intrusion upon seclusion context to contend there is a lack of any serious invasion of privacy. It asserts more serious disclosures have not been considered invasions of privacy. See e.g. , In re iPhone Application Litig. ,
F. New York GBL § 349 Claim
Plaintiff's New York subclass brings a claim for violation of the GBL § 349. The GBL prohibits "[d]eceptive acts or practices in the conduct of any business, trade or commerce or in the furnishing of any service."
Facebook relies on its Statement of Rights and Responsibilities for a choice of law clause barring the GBL § 349 claim even if plaintiffs have standing. This argument depends on judicial notice of the Statement of Rights and Responsibilities which was in effect from January 30, 2015 through October 2017. Req. Jud. Not. at 1 (Dkt. No. 66). The existence of the publicly available Statement of Rights and Responsibilities is suitable for judicial notice because its existence cannot reasonably be questioned. See Letizia v. Facebook Inc. ,
Plaintiffs do not dispute the authenticity of the document or its contents, but they disagree on whether this choice of law *1056clause is enforceable based on In re Facebook Biometric Info. Privacy Litig. ("Biometric"),
Courts apply a two-pronged choice of law test: "(1) whether the chosen state has a substantial relationship to the parties or their transaction, or (2) whether there is any other reasonable basis for the parties' choice of law." Washington Mut. Bank, FA v. Superior Court ,
Both prongs of the test are indisputably met here. California has an obvious substantial relationship to the parties and a reasonable basis to enforce its choice of law considering Facebook is "a California corporation with its principal place of business located at Menlo Park, California." FACC ¶ 9. Rather than dispute these initial portions of the analysis, however, plaintiffs focus entirely on the "fundamental policy" of New York and contend it has a greater interest in this case than California.
Considering both cases presented by plaintiffs and Facebook, Palomino is more applicable here. In Biometric , the court inquired into "which state, in the circumstances presented, will suffer greater impairment of its policies if the other state's law is applied." Biometric ,
Here, plaintiffs only argue there is a "fundamental policy" difference because the GBL § 349 was enacted "as a broad consumer protection measure." Bose v. Interclick, Inc. ,
G. Unjust Enrichment Claim
Plaintiffs final claim for relief requests restitution for Facebook's "retention of the non-gratuitous benefits conferred on it." FACC ¶ 92. The Ninth Circuit has attempted to clarify a long-standing inconsistency in California law, now "allowing an independent claim for unjust enrichment to proceed." Bruton v. Gerber Prod. Co. ,
Facebook argues in its reply that an unjust enrichment claim is not viable where there is an express agreement. Whether the quasi-contract claim is "nonsensical because it was duplicative of or superfluous" to other claims or legal remedies, however, is no longer a ground for dismissal.
Finally, Facebook's reliance on several opinions before the Ninth Circuit's holdings in Astiana is not persuasive, as these cases did not have the benefit of the Ninth Circuit's interpretation of California law on this subject. See Bruton ,
Facebook asserts the plaintiffs fail to allege the elements of unjust enrichment in any event. An unjust enrichment claim requires the "receipt of a benefit and [the] unjust retention of the benefit at the expense of another." Lectrodryer v. SeoulBank ,
The unjust enrichment claim could proceed, assuming plaintiffs can satisfy the pleading requirements of Rule 9(b). Plaintiffs charge Facebook with monetizing their user call and text logs. FACC ¶¶ 18, 19, 91. The benefit conferred to Facebook was based on a misrepresentation in the contact upload prompt for Facebook Messenger and Facebook Lite on Android smartphones. FACC ¶¶ 40,41. Plaintiffs also aver the benefit to Facebook occurred at the expense of its users' data privacy, including the privacy of the named plaintiffs. FACC ¶ 63.
V. CONCLUSION
For the foregoing reasons, the motion to dismiss is granted. The complaint does not include the allegedly fraudulent contact upload prompt or contain particularized averments of fraud to satisfy the heightened pleading requirements of Rule 9(b). Additionally, plaintiffs lack standing to pursue CDAFA and GBL § 349 claims without pleading an actual injury. The *1058GBL § 349 claim must be dismissed without leave to amend on choice of law grounds. As they are unopposed, the trespass to chattel, UCL, and CLRA claims are also dismissed without leave to amend. All other claims are dismissed with leave to amend within 21 days from the date of this Order.
IT IS SO ORDERED.
The factual background is based on the averments in the first amended consolidated class action complaint, which are taken as true for purposes of a motion to dismiss, as well as on documents incorporated by reference and judicially noticed.
Plaintiffs consented to dismissal of their trespass to chattel, UCL, and CLRA claims, but requested leave to amend "California-only claims" if their New York GBL claim is unsuccessful. See Oppo. at 3 n.1, 23 n.9. Because plaintiffs consented to dismissal and have not stated any basis for repleading these claims, they are dismissed without leave to amend.