Opinion
23-CV-04784-WHO
02-12-2024
E. H. and C.S., Plaintiffs, v. META PLATFORMS, INC., Defendant.
ORDER ON MOTION TO DISMISS RE: DKT. NO. 34
WILLIAM H. ORRICK UNITED STATES DISTRICT JUDGE
This Case is one of many pending in this District and around the Country against defendant Meta Platforms, Inc. (“Meta”) over the use of its “pixel” tracking technology. According to plaintiffs here and in the other Cases, Meta encourages operators of websites and applications (“apps”) to install its pixel technology and then, unbeknownst to users of those websites and apps (here Cerebral, an online mental telehealth provider, Compl. ¶ 36), the users' sensitive healthcare information is transmitted to Meta. Here, named plaintiffs E.H. and C.S. are residents of Oklahoma and Massachusetts respectively and do not have Facebook accounts. Yet they allege their data was intercepted and transmitted to Meta. See Compl. ¶¶ 7, 11, 12.
Meta acknowledges my prior Orders in In Re Meta Healthcare Pixel Litigation: while preserving its arguments, it does not Challenge in the motion to dismiss in this Case plaintiffs' Federal Wiretap Act, CIPA, and unjust enrichment Claims. Instead, it Challenges plaintiffs' claims for: invasion of privacy; violation of California's Unfair Competition Law (“UCL,” Cal. Bus. & Prof. Code § 17200 et seq.); violation of California's Consumers Legal Remedies Act (“CLRA,” Cal. Civ. Code § 1750 et seq.); and conversion. Its motion to dismiss is DENIED.
18 U.S.C. §§ 2510, et seq.
California Invasion of Privacy Act (“CIPA”), Cal. Penal Code §§ 630, et seq.
Meta asks me to take judicial notice of its Business Tools Terms and its Commercial Terms, because these documents are “available on publicly available websites” and under the doctrine of incorporation because “plaintiffs' complaint depends on the contents of the documents.” Dkt. No. 34-1 at 1. The request is DENIED. It is not appropriate to take judicial notice of documents for the purpose Meta seeks (to consider the contents and meaning of those documents) merely because they are available online. The passing reference in one paragraph of the Complaint out of 200 to one of Meta's terms of service, especially where that term does not apply to plaintiffs and their claims do not depend on it, does not justify incorporation by reference.
LEGAL STANDARD
Under FRCP 12(b)(6), a district court must dismiss a complaint if it fails to state a claim upon which relief can be granted. To survive a Rule 12(b)(6) motion to dismiss, the plaintiff must allege “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). A claim is facially plausible when the plaintiff pleads facts that “allow the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (citation omitted). There must be “more than a sheer possibility that a defendant has acted unlawfully.” Id. While courts do not require “heightened fact pleading of specifics,” a plaintiff must allege facts sufficient to “raise a right to relief above the speculative level.” Twombly, 550 U.S. at 555, 570.
In deciding whether the plaintiff has stated a claim upon which relief can be granted, the court accepts the plaintiff's allegations as true and draws all reasonable inferences in favor of the plaintiff. See Usher v. City of Los Angeles, 828 F.2d 556, 561 (9th Cir. 1987). However, the court is not required to accept as true “allegations that are merely conclusory, unwarranted deductions of fact, or unreasonable inferences.” In re Gilead Scis. Sec. Litig., 536 F.3d 1049, 1055 (9th Cir. 2008). If the court dismisses the complaint, it “should grant leave to amend even if no request to amend the pleading was made, unless it determines that the pleading could not possibly be cured by the allegation of other facts.” Lopez v. Smith, 203 F.3d 1122, 1127 (9th Cir. 2000). In making this determination, the court should consider factors such as “the presence or absence of undue delay, bad faith, dilatory motive, repeated failure to cure deficiencies by previous amendments, undue prejudice to the opposing party and futility of the proposed amendment.” Moore v. Kayport Package Express, 885 F.2d 531, 538 (9th Cir. 1989).
DISCUSSION
I. PRIVACY CLAIMS
Meta argues that plaintiffs' invasion of privacy claims based on the California constitution and common law intrusion on seclusion fail because these plaintiffs do not identify any specific, sensitive information that they believe Meta received about them. I accept plaintiffs' allegations in the Complaint as true and disagree with Meta.
In the Complaint, plaintiffs allege that they provided specific categories of information to Cerebral, a mental telehealth provider. As part of creating an account on Cerebral to receive mental health services, plaintiffs disclosed personally identifying information, as well as responses to questions regarding their mental health in the past few weeks. See Compl. ¶ 37 (the information received by Meta included that each plaintiff “had created an account, first name, last name, phone number, email, and zip code. This type of account creation data is in and of itself identifiable health information, as accounts were only created by people seeking treatment from Cerebral (rather than casually browsing its site)”); id. ¶ 38 (“But the Pixel also intercepted answers to intake questionnaires that Cerebral patients had to complete as part of the sign-up process, such as how often in the previous two weeks they had felt ‘down, depressed, or hopeless.' Like the account creation data, the questionnaire responses showed that Plaintiffs were actively using Cerebral's services, while also broadcasting Plaintiffs' specific symptoms directly to Meta.”).
Meta contends that these allegations are deficient, pointing in part to my September 2023 Order in the In re Meta Healthcare Pixel Litigation case. There, I dismissed the privacy-based claims and required plaintiffs to “amend to describe the types or categories of sensitive health information that they provided through their devices to their healthcare providers. That basic amendment (which can be general enough to protect plaintiffs' specific privacy interests) will allow these privacy claims to go forward.” Doe v. Meta Platforms, Inc., No. 22-CV-03580-WHO, 2023 WL 5837443, at *8 (N.D. Cal. Sept. 7, 2023). In that case, plaintiffs had alleged that both unprotected and protected healthcare information had been intercepted, but had not identified the type of sensitive healthcare information they provided to their healthcare provider that they believed was intercepted by Meta.
This case is different. Cerebral is not simply a healthcare provider; it is a mental health services provider. Plaintiffs affirmatively allege that they were not simply surfing the web seeking information about routine or general healthcare topics. Instead, the information (including otherwise somewhat innocuous information like name and zip code) was secured by Meta from Cerebral in the process of accounts being created “by people seeking treatment from Cerebral (rather than casually browsing its site).” Compl. ¶ 37.
Plaintiffs have identified the specific types of information required by Cerebral in order to open their accounts. That information, some of which would ordinarily not be protected, plausibly becomes sensitive or private considering that plaintiffs were seeking mental health services. Meta provides no caselaw regarding disclosure of personally identifying information from individuals seeking mental health services or other caselaw that would preclude this type of invasion of privacy claim as a matter of law at the motion to dismiss stage.
The cases Meta cites in its reply are unhelpful. In I.C. v. Zynga, Inc., 600 F.Supp.3d 1034, 1049 (N.D. Cal. 2022), a data breach case against a social gaming company, the court explained that it was “hard pressed to conclude that basic contact information, including one's email address, phone number, or Facebook or Zynga username, is private information. All of this information is designed to be exchanged to facilitate communication and is thus available through ordinary inquiry and observation.” The context of that data breach case, and users' reasonable expectations and conduct when engaging with the social games the defendant offered, made the lack of a plausible invasion of privacy claim related to disclosure of “basic” information apparent. See also id. at 1049 (further noting privacy claim not plausible where “there is no allegation that the gaming accounts for which plain text passwords were taken contain confidential information,” “plaintiffs do not allege that any of their actual first or last names were exposed in the data breach, suggesting that their anonymity is preserved,” and “with the exception of a date of birth, which is immutable, all of this information can be changed”); see also Ji v. Naver Corp., No. 21-CV-05143-HSG, 2022 WL 4624898, at *1 (N.D. Cal. Sept. 30, 2022) (considering app that allowed users to take and edit photos and videos and concluding that “user and device identifiers” were not the type of information that could give rise to a privacy injury, although collection and storage of biometric information was sufficient to support standing). The nature of the invasion of privacy alleged here is markedly different.
The motion to dismiss the privacy claims is DENIED.
II. UCL & CLRA
Meta moves to dismiss plaintiffs' UCL and CLRA claims, arguing that plaintiffs fail to: (1) plead that they saw and relied on particular misrepresentations, as required under Rule 9(b) because both claims sound in fraud; (2) allege cognizable harm under the CLRA and UCL; (3) plead that they are consumers within the CLRA; and (4) satisfy the required “balancing” or “tethering” tests for plaintiffs' unfair claim under the UCL.
See Davis v. HSBC Bank Nevada, N.A., 691 F.3d 1152, 1170 (9th Cir. 2012) (explaining balancing and tethering tests for unfair conduct under the UCL).
A. Fraud/Rule 9(b)
To start, plaintiffs do not need to meet Rule 9(b) or identify misrepresentations based on their claims that Meta's conduct is unfair or illegal under the UCL. See Compl. ¶ 182 (identifying bases for illegal prong claim); see also In re Zoom Video Commc'ns Inc. Priv. Litig., 525 F.Supp.3d 1017, 1045 (N.D. Cal. 2021) (plaintiffs' “UCL claims of unlawful or unfair conduct are not subject to Rule 9(b). . . . Only claims sounding in fraud are subject to the heightened pleading requirements of Rule 9(b).”); Torres v. Botanic Tonics, LLC, No. 23-CV-01460-VC, 2023 WL 8852754, at *4-5 (N.D. Cal. Dec. 21, 2023) (“Moreover, it's worth recalling that there are three ways to violate the UCL: fraudulent practices, unlawful practices, and unfair practices. If [plaintiff] were asserting a claim under the fraudulent-practices prong, it would make sense to require him to satisfy the legal standards for pleading a fraudulent omission claim. But there is no reason to think that the only way a defendant can incur liability under the UCL for the failure to disclose information is through the fraudulent-practices prong. If the withholding of information is part of an unfair business practice that falls short of outright fraud, it could still give rise to liability (assuming the tests developed for establishing liability under the unfair-practices prong are met).”).
The UCL prohibits any “unlawful, unfair or fraudulent business act or practice.” Cal. Prof. & Bus. Code § 17200. Each prong provides a separate and distinct theory of liability. Rubio v. Cap. One Bank, 613 F.3d 1195, 1203 (9th Cir. 2010) (citations omitted).
Because plaintiffs plead the interception of their healthcare data alleged would be illegal and unfair under the UCL, regardless of what disclosures or representations Meta made, plaintiffs' claims are not based on a “unified course of fraudulent conduct” as in Kearns v. Ford Motor Co., 567 F.3d 1120, 1127 (9th Cir. 2009).
Considering the fraud prong of the UCL, which invokes Rule 9(b), plaintiffs explain that they do not need to disclose or identify any particular representations Meta made or to satisfy the 9(b) standard because their fraud-based claim is that “Meta fraudulently omitted information about its collection of non-users' protected healthcare information.” Oppo. at 8. See MacDonald v. Ford Motor Co., 37 F.Supp.3d 1087, 1096 (N.D. Cal. 2014) (recognizing a less stringent pleading standard for omissions-based fraud claims). Under this type of claim, especially considering that plaintiffs are not Facebook users and would have no reason to review Meta's terms and conditions or other disclosures to users, it is enough for plaintiffs to allege what they have: had Meta revealed its collection and use of non-users' protected healthcare information, they would have been aware of it through media coverage, in light of extensive media coverage of Facebook and prior “scandals,” and would have behaved differently. Compl. ¶¶ 200-201. Those specific allegations are sufficient. See In re Carrier IQ, Inc., 78 F.Supp.3d 1051, 1114 (N.D. Cal. 2015) (finding “the SCAC contains sufficient allegations from which it can be inferred that had Defendants reasonably disclosed the existence and functionality of the Carrier IQ Software-a material fact exclusively in Defendants' knowledge-Plaintiffs would have been aware of it” and acted differently, sufficient to plead fraud-based UCL claim); but see In re Apple Processor Litig., No. 22-16164, 2023 WL 5950622, at *2 (9th Cir. Sept. 13, 2023 (affirming dismissal where the complaint, unlike here, did not “contain allegations that Plaintiffs themselves were likely to encounter the news reports or to read Apple's press releases”).
Considering the CLRA, Meta notes that I dismissed plaintiffs' CLRA claim in the In re Meta Pixel Healthcare Litigation case. There, the CLRA claim was based on representations Meta affirmatively made, invoking three separate CLRA subsections, Cal. Civ. Code § 1770(2), (5), and (14). None of the plaintiffs there alleged that they saw and relied on particular misrepresentations. See Doe v. Meta Platforms, Inc., 2023 WL 5837443, at *17. Here, the CLRA claim is based on “concealments and omissions,” specifically that:
1) [Meta] continued to invite the disclosure of sensitive health information in violation of numerous state and federal laws, and 2) it was actually receiving such information because 3) its system was configured to accept health information regardless of whether patients have given the statutorily required permissions, thereby violating § 1770(a)(2), (3), and (14) of the CLRA.Compl. ¶ 198. For the same reasons that the UCL claim survives, the CLRA claim survives as well.
B. Cognizable Harm
A UCL claim may only be brought by “a person who has suffered injury in fact and has lost money or property as a result of the unfair competition.” Cal. Bus. & Prof. Code § 17204. Therefore, plaintiffs must “demonstrate some form of economic injury,” such as surrendering more or acquiring less in a transaction, having a present or future property interest diminished, being deprived of money or property, or entering into a transaction costing money or property that would otherwise have been unnecessary. Kwikset Corp. v. Superior Court, 51 Cal.4th 310, 323, (2011). In Doe v. Meta Platforms, Inc., 2023 WL 5837443 (N.D. Cal. Sept. 7, 2023), the UCL claim was dismissed with leave to amend because of plaintiffs' “failure to separately allege a benefit of the bargain basis for ‘loss of money or property' under the UCL and in light of the inconsistent allegations regarding how plaintiffs could and would participate in a legitimate market for health care information.” Id. at *17.
Under the CLRA, “not only must a consumer be exposed to an unlawful practice, but some kind of damage must result.” Meyer v. Sprint Spectrum L.P., 45 Cal.4th 634, 641, 643 (2009). However, the damage allegations necessary to support CLRA standing are not limited to lost money or property (as under the UCL), as damages under the CLRA can include “ transaction costs to avoid the consequences of a deceptive practice” as well as “opportunity costs.” Id,
Meta argues that the standard is the same under both the UCL and CLRA, but as shown by Meyer, it is not. However, satisfying the UCL standing requirement necessarily satisfies the CLRA standard. See Hinojos v. Kohl's Corp., 718 F.3d 1098, 1108 (9th Cir. 2013), as amended on denial of reh'g andreh'g en banc (July 8, 2013) (“Because the ‘any damage' standard includes even minor pecuniary damage, we conclude that any plaintiff who has standing under the UCL's and FAL's ‘lost money or property' requirement will, a fortiori, have suffered ‘any damage' for purposes of establishing CLRA standing.”).
Here, plaintiffs allege that they paid more for their services for Cerebral than they otherwise would have had they known about Meta's interception of their information and they allege that “they paid the Covered Entity [Cerebral], which used Plaintiffs' payments to fund its purchase of targeted advertising from Meta.” Compl. ¶¶ 13, 66, 163, 189, 190. Contrary to Meta's arguments, the benefit of the bargain theory is not simply a repackaged “lost value of PII” theory rejected in Doe v. Meta Platforms, Inc., 2023 WL 5837443 (N.D. Cal. Sept. 7, 2023). It is a significantly different theory of harm and damage. Plaintiffs identify a number of cases where benefit of the bargain allegations sufficed where the defendant was the entity that plaintiffs paid. See Oppo. at 5. The distinction here, of course, is that plaintiffs are asserting lost money or property and CLRA damage based on their payments to Cerebral, not Meta.
Plaintiffs argue that this distinction does not diminish their injury for standing purposes or their ability to seek restitution from Meta. See, e.g., City & Cnty. of San Francisco v. Purdue Pharma L.P., 491 F.Supp.3d 610, 695 (N.D. Cal. 2020) (collecting cases under the UCL supporting that a “defendant can be liable for restitution under the UCL even if it is not the direct recipient of a plaintiff's misappropriated funds.”); see also Shersher v. Superior Ct., 154 Cal.App.4th 1491, 1500 (2007) (UCL “requires only that the plaintiff must once have had an ownership interest in the money or property acquired by the defendant through unlawful means.”). They contend Wesch v. Yodlee, Inc., No. 20-CV-05991-SK, 2021 WL 1399291, at *6 (N.D. Cal. Feb. 16, 2021), which Meta relies on, is not to the contrary. There, the court rejected standing for a UCL claim against a defendant who allegedly intercepted plaintiffs' sensitive financial data that had been disclosed to PayPal. Id. at *6 (“Plaintiffs have not alleged a transaction or contract with Yodlee, therefore, it is not clear how they alleged such damages.”). Plaintiffs distinguish Wesch because there was no allegation there that plaintiffs paid PayPal for its services. Id. at *6. Plaintiffs assert that their case is closer to In re Anthem, Inc. Data Breach Litig., No. 15-MD-02617-LHK, 2016 WL 3029783 (N.D. Cal. May 27, 2016), where plaintiff “paid money for health insurance premiums, which were used to pay for services offered by Defendants.” Id. at *30.
This case is closer to In re Anthem and is unlike cases where plaintiffs asserted a benefit of the bargain theory to satisfy UCL and CLRA standing but did not allege tht they paid anyone for the services or products provided. Plaintiffs have plausibly alleged lost money or property and CLRA damage to state claims against Meta based on their payments to Cerebral and Cerebral paying Meta for its services. Whether, of course, they will be entitled to restitution from Meta under the UCL or damages from Meta under the CLRA will be matters determined at the appropriate time and tested on an evidentiary record. But plaintiffs have adequately alleged lost money or property and harm with respect to Meta.
C. CLRA Consumers
Meta separately moves to dismiss the CLRA claim because plaintiffs were not “consumers” of Meta's product and did not engage in a transaction with Meta. See Cal. Civ. Code § 1761(d) (“‘Consumer' means an individual who seeks or acquires, by purchase or lease, any goods or services for personal, family, or household purposes”); Civ. Code § 1770 (“(a) The unfair methods of competition and unfair or deceptive acts or practices listed in this subdivision undertaken by any person in a transaction intended to result or that results in the sale or lease of goods or services to any consumer are unlawful” (emphasis added)). Plaintiffs have clearly alleged that they are consumers who engaged in a transaction with Cerebral; the question is whether they can assert their CLRA claim against Meta, with whom they did not knowingly transact anything.
Meta relies on cases where the CLRA claim failed because the plaintiff did not pay a defendant for goods and services. Mot. at 6; Reply at 6; see, e.g., In re FacebookPriv. Litig., 791 F.Supp.2d 705, 717 (N.D. Cal. 2011), affd, 572 Fed.Appx. 494 (9th Cir. 2014) (dismissing of CLRA claim based on plaintiffs' allegations that “Defendant ‘allows anyone ... to register for its services free of charge.'”); Claridge v. RockYou, Inc., 785 F.Supp.2d 855, 864 (N.D. Cal. 2011) (where defendant provided free social medial application, plaintiff was not a consumer under the CLRA “since he did not ‘purchase or lease' any goods or services from defendant-a strict requirement under the statute.”). These cases are not on point. Absent persuasive authority interpreting California law governing this consumer protection statute, I will not dismiss the claim at this juncture. How far the CLRA transaction requirement stretches, and whether the allegedly “unfair or deceptive acts or practices” of Meta were adequately “undertaken” by Meta through “a transaction intended to result or that results in the sale or lease of goods or services” - here the creation of accounts for mental telehealth services - is better considered on an evidentiary record.
D. Unfair Conduct
Finally, Meta moves to dismiss the unfair prong UCL claim for failure to plead facts to plausibly support the required “balancing” or “tethering” tests for consumer claims under the UCL. See Lozano v. AT & T Wireless Servs., Inc., 504 F.3d 718, 735 (9th Cir. 2007) (the balancing test “involves balancing the harm to the consumer against the utility of the defendant's practice” and the tethering test requires “that the unfairness be tied to a ‘legislatively declared' policy”). Plaintiffs allege that Meta's conduct:
violated California's strong public policy in favor of protecting consumers' privacy interests, which is reflected in the state's broad constitutional and statutory privacy protections, as well as the federal policy of ensuring that health information remains private. Additionally, Meta's interception of users' deeply private information, in violation of its own policies, was unethical, immoral, and unscrupulous.Compl. ¶ 187. These plausible allegations satisfy plaintiffs' pleading burden under the tethering test. I need not separately consider the balancing test.
See, e.g., In re Anthem, Inc. Data Breach Litig., 162 F.Supp.3d 953, 990 (N.D. Cal. 2016) (“Thus, based on the balancing test alone, the Court DENIES Defendants' motion to dismiss Plaintiffs' UCL claim under the unfair prong.”).
The motion to dismiss plaintiffs' UCL claim is DENIED. The motion to dismiss plaintiffs' CLRA claim is DENIED.
III. CONVERSION
To state a claim for conversion, plaintiffs must show “‘ownership or right to possession of property, wrongful disposition of the property right and damages.'” Kremen v. Cohen, 337 F.3d 1024, 1029 (9th Cir. 2003) (quoting G.S. Rasmussen & Assocs., Inc. v. Kalitta Flying Serv., Inc., 958 F.2d 896, 906 (9th Cir.1992)).
A. Ownership or Right of Possession
Ownership or right of possession is determined by a three-part test: “First, there must be an interest capable of precise definition; second, it must be capable of exclusive possession or control; and third, the putative owner must have established a legitimate claim to exclusivity.” G.S. Rasmussen, 958 F.2d at 903 (footnote omitted); see also Kremen, 337 F.3d at 1030 (applying three part test).
In support of the conversion claim, plaintiffs allege:
Plaintiffs and Class Members have a property interest in the identifiable health care data they provide to Covered Entities. They have exclusive possession of this data, as demonstrated by the legally protectable right and interest in the data conferred by the web of state
and federal regulations that strictly governs the dissemination of this information and generally requires patients' explicit, specific authorization for it to be shared and used outside narrow, strictly defined circumstances. This data can only be acquired by covered entities with patients' assent, and they alone can, without restriction, permit this data to be shared with third parties and sanction its use outside of specific statutorily defined functions. Furthermore, without Plaintiffs' and Class Members' experiences and efforts to describe and seek treatment for their health conditions, this data would not exist in the first place (nor could it be aggregated into records for use by medical professionals.Compl. ¶ 169.
Meta argues that plaintiffs fail to allege sufficient exclusive use because Meta received only copies of plaintiffs' information and the information at issue remains in plaintiffs' possession for their continued use, e.g., to communicate with their medical or mental health providers. See, e.g., FMC Corp. v. Cap. Cities/ABC, Inc., 915 F.2d 300, 303-04 (7th Cir. 1990) (noting “receipt of copies of documents, rather than the documents themselves, should not ordinarily give rise to a claim for conversion” and explaining the “reason for this rule is that the possession of copies of documents-as opposed to the documents themselves-does not amount to an interference with the owner's property sufficient to constitute conversion. [] In cases where the alleged converter has only a copy of the owner's property and the owner still possesses the property itself, the owner is in no way being deprived of the use of his property. The only rub is that someone else is using it as well.” (internal quotations omitted)); see also Karls v. Wachovia Tr. Co. of California, No. A126669, 2010 WL 4233047, at *4 (Cal.Ct.App. Oct. 27, 2010) (addressing allegations that defendant converted the “idea” of his tax strategy and holding, “[e]ven if plaintiff had identified a form of ‘property' susceptible to conversion . . . the FAC's contain no allegations as to how defendants substantially interfered with his own use or possession of the property in issue. His complaints essentially relate that his corporate tax strategy was utilized by defendants, but nothing more. He never alleges how any of the defendants substantially interfered with his own use or possession of this corporate tax-reduction concept. Failure to allege substantial interference with possession or right to possession permits rejection of the conversion claim.”); Jurisearch Holdings, LLC v. Lawriter, LLC, No. CV0803068MMMVBKX, 2009 WL 10670588, at *7 (C.D. Cal. Apr. 13, 2009 (“ Jurisearch cannot maintain a claim for conversion of the compact discs. Where property is capable of being copied, wrongful possession of copies does not typically give rise to a conversion claim if the rightful owner retains possession of the original or retains access to other copies. See FMC Corp. v. Capital Cities/ABC, Inc., 915 F.2d 300, 304 (7th Cir. 1990).”); McGowan v. Weinstein, 505 F.Supp.3d 1000, 1022 (C.D. Cal. 2020) (claim either preempted by copyright act or failed to state conversion because “Defendants did not deprive McGowan of possession over her own copy of Brave” manuscripts, relying on Jurisearch and FMC).
Plaintiffs respond that the passage from FMC regarding copies not normally creating an interference with property rights is dicta and otherwise inapposite. They rely on cases where despite the fact that an owner retained copies of the information at issue, defendants could be liable for use of the copied or otherwise intercepted information. See, e.g., G.S. Rasmussen & Assocs., Inc. v. Kalitta Flying Serv., Inc., 958 F.2d 896, 906 (9th Cir. 1992) (addressing use of a copied FAA certification, court found conversion adequately alleged where defendant, “photocopied the certificate, presented it to the FAA, and thereby obtained a valuable benefit as a consequence of using Rasmussen's STC without authorization or permission”); Planned Parenthood Los Angeles v. Gonzalez, No. B190490, 2007 WL 1087292, at *11 (Cal.Ct.App. Apr. 12, 2007) (“We have not been provided nor have we found any published decision in California that applies the rule in FMC, and we decline to do so. To the contrary, California courts have recognized conversion claims based on the taking of copies of intangible personal property even when the owner retains an original or copy.”); A & MRecords, Inc. v. Heilman, 75 Cal.App.3d 554 (1977) (cause of action for conversion against defendant who duplicated plaintiff's recordings and sold them); Thrifty-Tel, Inc. v. Bezenek, 46 Cal.App.4th 1559, 1565 (1996) (recognizing in dicta conversion of information recorded on floppy disk).
Meta attempts to distinguish the Rasmussen case by noting that the Court of Appeal recognized there were no “conceptual or practical difficulties in restricting the right to the holder of the” certification required by the FAA, thereby satisfying the second prong of the test. See Rasmussen, 958 F.2d at 903. Meta argues here that because there are many users of plaintiffs' healthcare information - presumably because plaintiffs provide their information to various healthcare providers to receive services - as a result “plaintiffs' healthcare information can exist on multiple devices, websites, and forms, and multiple people can access and use the information without excluding plaintiffs.” Mot. at 8. But assuming this is the right standard to apply to the facts of this case - surreptitiously securing sensitive healthcare information - discovery may or may not show that there are too many “conceptual or practical difficulties in restricting the right” of plaintiffs' to control their healthcare information. That is not determinable on a motion to dismiss.
Plaintiffs also rely on a series of cases where recordings or licensed broadcasts were subject to conversion claims. See, e.g., G & G Closed Cir. Events, LLC v. Velasquez, 2021 WL 3164096, at *8 (E.D. Cal. July 27, 2021), report and recommendation adopted, 2021 WL 4846985 (E.D. Cal. Oct. 18, 2021) (finding conversion where defendant broadcast sporting event without a license and collecting similar cases from District Courts throughout California); Flo & Eddie, Inc. v. Sirius XMRadio, Inc., 9 F.4th 1167, 1176 (9th Cir. 2021) (discussing concept of “exclusive use” and recognizing that “when a defendant's reproduction of the content violates recognized property rights, such as first publication or reproduction, then courts recognize a misappropriation or conversion”).
A recent Ninth Circuit case, Best Carpet Values, Inc. v. Google, LLC, No. 22-15899, 2024 WL 119670 (9th Cir. Jan. 11, 2024), applied Kremen to determine whether copies of a website could form the basis of a trespass to chattels claim (requiring the same three part ownership or right of possession test). The court explained why the plaintiff failed parts two and three of that test:
Second, a website copy is not “capable of exclusive possession or control.” Id. Plaintiffs have not alleged, nor could they allege, that they retain control over the copies of their websites that are generated and sent to users' devices. Unlike a domain name, where the registrant “decides where on the Internet those who invoke that particular name-whether by typing it into their web browsers, by following a hyperlink, or by other means-are sent[,]” id., once the website copy is generated and sent to the user's device, users have control over what to do with it-whether to click on a link on Plaintiffs' sites, resize the page, navigate away from the page themselves, or click on one of the links provided in the results. ...
Third and finally, there is no “legitimate claim to exclusivity” over website copies. Kremen, 337 F.3d at 1030. Plaintiffs themselves recognize that they do not control how their websites are displayed on different devices or web browsers. This lack of exclusivity renders website copies fundamentally different from other types of intangible property recognized as being subject to California state-law property claims.Id. at *4-5; see also Spy Dialer, Inc. v. Reya LLC, No. EDCV181178FMOSHKX, 2019 WL 1873296, at *8 (C.D. Cal. Mar. 18, 2019) (“unlike domain names, which are capable of exclusive possession or control by virtue of their registration, [] web traffic is distinctively ephemeral. . . . Additionally, plaintiff has cited to no case holding that a property interest capable of conversion exists in web traffic, and the court is aware of none.”).
Looking to the Ninth Circuit's analysis in Best Carpet, plaintiffs' allegations state a plausible conversion claim despite the fact that plaintiffs obviously retain access to that information and may have granted others access to their sensitive healthcare data. Meta does not dispute that plaintiffs' healthcare data is “capable” of their exclusive control; it is eminently plausible that individuals do not want their sensitive health care data shared beyond the medical and related professionals with whom they must share it to secure healthcare. Nor can Meta dispute that plaintiffs have a legitimate claim to exclusivity for sensitive healthcare information; at least, exclusivity to make the decision to whom to provide that information. That plaintiffs shared their sensitive healthcare information over the internet - where it was surreptitiously copied by Meta -does not by itself diminish the plausible inferences that plaintiffs want to keep the use of that information within their exclusive control and share it only with healthcare providers of their choosing for the purpose of securing treatment.
FMC, upon which all of Meta's cases rely, addressed a news organization's possession of originals or copies of a federal contractor's documents as part of the news organization's reporting on the contractor's work for the federal government. The court mentioned in passing that “ordinarily” conversion will not lie to require return of copies of documents. FMC, 915 F.2d at 303 (relying on Harper & Row Publishers, Inc. v. Nation Enterprises, 723 F.2d 195 (2d Cir. 1983), rev'd, 471 U.S. 539 (1985) (holding that “merely removing one of number of copies of manuscript for short time, copying parts of it, and returning it undamaged constituted far too insubstantial interference with property right to demonstrate conversion.”)). In addition to having totally inapposite facts, Meta ignores how the results of cases in this area turn on their context. It is never that possession of “copies” of information ends the analysis; the analysis also considers the nature of the information at issue, the relationships between the parties, how the defendants came into possession of the information, and defendants' use of the information.
Surreptitious interception of personal healthcare information that is then used or sold by Meta to third parties, depriving plaintiffs of their ability to control who has access to their sensitive information and how that information is used, is wholly different than possession by news organizations of public contractor documents, the possession of manuscripts that were intentionally shared with defendants, the idea of tax strategies, or attempted control over ephemeral web traffic. See FMC, McGowan, Harper & Row, Karls, and Spy Dialer, Inc., supra. It is more similar to dispossession of a domain name, commercial use of a copy of a FAA certificate, unlicensed broadcast of a performance, and wrongful possession of internal operating documents. See Kremen, Rasmussen, G & G Closed Cir. Events, LLC, and Planned Parenthood supra.
At summary judgment or trial, Meta may argue that the way plaintiffs used or disseminated their sensitive healthcare information undercuts their ability to show ownership or exclusive right of possession (as that term is broadly construed under California law). For now, plaintiffs have plausibly stated those exclusive rights.
B. Wrongful Act
Meta also contends that plaintiffs fail to allege a wrongful act by Meta - the conversion “by a wrongful act or disposition of property” - because Meta employs a filter designed to prevent use of potentially sensitive data and even if that filter is ineffective (as plaintiffs allege) that is insufficient to show wrongful intent. I rejected a similar intent argument by Meta in Doe v. Meta Platforms, Inc., No. 22-CV-03580-WHO, 2023 WL 5837443, at *3 (N.D. Cal. Sept. 7, 2023), in connection with the federal Wiretap Act and privacy claims (“What Meta's true intent is, what steps it actually took to prevent receipt of health information, the efficacy of its filtering tools, and the technological feasibility of implementing other measures to prevent the transfer of health information, all turn on disputed questions of fact that need development on a full evidentiary record.”); see also id. *7 (privacy claims). In addition, plaintiffs here allege that “Meta actively urged Covered Entities to use the Pixel and aggressively targeted health care companies as advertising clients-businesses whose placement of a Pixel on their sites would by definition involve the transmission of protected health care information.” Compl. ¶ 175. That is sufficient to rebut Meta's assertion it was only a “passive” recipient of information at this stage.
Farmers Ins. Exch. v. Zerin, 53 Cal.App.4th 445, 451 (1997).
C. Damages
Finally, Meta argues - similar to arguments raised repeatedly in In re Meta Pixel Healthcare Litigation cases - that plaintiffs have failed to plead facts showing that they suffered damage as a result of the alleged conversion of their personally identifying information.
Plaintiffs respond that the discussions of trespass to chattels, as in In re Metal Pixel opinions, and what impact Meta's trespass had on the devices of the plaintiffs here, is irrelevant to conversion, a claim that concerns injury from loss of exclusive use or control of property (here healthcare data). Plaintiffs note that, by statute, California sets damages for conversion at the value of the property. See Lueter v. State of California, 94 Cal.App.4th 1285, 1302 (2002) (“As a general rule, the value of the converted property is the appropriate measure of damages, and resort to the alternative occurs only where a determination of damages on the basis of value would be manifestly unjust.”); Cal. Civ. Code § 3336 (“The detriment caused by the wrongful conversion of personal property is presumed to be: First - The value of the property at the time of the conversion”). Plaintiffs allege that the value of the converted healthcare data is determinable “by the fair market value of their health data at the time of the conversion, which is readily ascertainable in light of the robust market for health care data described earlier in the complaint.” Compl. ¶ 177.
Defendants rely on Intel Corp. v. Hamidi, 30 Cal. 4th 1342, 1350 (2003), but Hamidi concerned the inapposite question of what impact the trespass to chattels had on the plaintiff's email system. And in In re Meta Pixel Healthcare Litigation, the trespass to chattels question is what impact Meta's conduct had on the users' devices. The focus here is whether plaintiffs have adequately alleged damages for the conversion of their converted healthcare information. Given the available statutory damages, Meta's argument fails.
CONCLUSION
Meta's motion to dismiss is DENIED in full.
IT IS SO ORDERED.