Opinion
23-cv-00083-SI
08-22-2023
MIKHAIL GERSHZON, Plaintiff, on behalf of himself and all others similarly situated, v. META PLATFORMS, INC., Defendant.
ORDER DENYING DEFENDANT'S MOTION TO DISMISS AND DENYING REQUESTS FOR JUDICIAL NOTICE
Re: Dkt. No. 31
SUSAN ILLSTON UNITED STATES DISTRICT JUDGE
On June 23, 2023, the Court held a hearing on defendant's motion to dismiss the complaint. For the reasons set forth below, the Court concludes that the complaint states a claim and therefore the motion to dismiss is DENIED.
BACKGROUND
On January 6, 2023, plaintiff Mikhail Gershzon filed this class action lawsuit against Meta Platforms, Inc. (“Meta”). Gershzon alleges that Meta violated his privacy rights under federal and state law by knowingly obtaining statutorily protected personal information and communications, including names, disability information, and e-mail addresses, through the use of a “hidden tracking code” created by Meta and installed on the website of the California Department of Motor Vehicles (“DMV”). Gershzon alleges that this software code, known as the “Meta Pixel,” “sends to Meta time-stamped, personally-identifiable records of Plaintiff and Class members' personal information, activities and communications on the [California] DMV website.” Compl. ¶ 2. Gershzon brings claims under the federal Driver's Privacy Protection Act, 18 U.S.C. §§ 2721-2725 (“DPPA”) and the California Invasion of Privacy Act, Cal. Pen. Code § 631 (“CIPA”),
The following facts are taken from the complaint and assumed as true for purposes of the present motion. The DMV operates the website www.dmv.ca.gov, “where users can access and manage their data on file with the DMV, book virtual or in-person appointments, and prepare applications for DMV services such as driver's licenses and disabled parking placards.” Compl. ¶ 27. The DMV “strongly encourages Californians to use its ‘virtual' agents and offices, and usage of DMV services online has climbed steadily in recent years.” Id. ¶ 28. The DMV reported 23 million online transactions in 2020, and that figure grew during the COVID-19 pandemic, “during which time the DMV created and promoted new online options for users, allowing, for example, online driver's testing and license renewals that typically required an office visit.” Id.
Meta is “an advertising company which sells advertising space on the social media platform it operates,” and “Meta's advertising is based on sophisticated user-categorizing and targeting capabilities that are fueled by the personal data or users of the social media platform and other Internet users.” Id. ¶ 15. Meta “surveils users' online activities both on and off Meta's own websites and apps,” which allows Meta to “make highly personal inferences about users, such as about their ‘interests,' ‘behavior,' and ‘connections.'” Id. Meta “compiles information it obtains and infers about Internet users and uses it to identify personalized ‘audiences' likely to respond to particular advertisers' messaging.” Id. In 2021, Meta generated approximately $114.93 billion, nearly 98% of its revenue, through advertising. Id.
The Meta Pixel, originally called the Facebook Pixel, was first introduced in 2015. Id. ¶ 16. “It is now the primary means through which Meta acquires personal information to create customized audiences for its advertising business, although Meta's public-facing descriptions of the Pixel obscure and minimize this fundamental purpose of the tracking code.” Id. Meta characterizes the Pixel as a simple “snippet of JavaScript code” that helps website owners keep track of user activity on their websites, and Meta emphasizes that website managers can easily install Pixel on a website. Id.
The Meta Pixel is “configured to capture a substantial amount of information by default,” and since 2015 the Pixel has transmitted “HTTP header information, including the URL of each page visited on a website.” Id. ¶ 17. In 2017 and 2018, Meta modified the Pixel code to transmit more information:
In 2017, Meta quietly modified the Pixel code to transmit additional information automatically, including “microdata” (details about the website and substance of what it offers), other “contextual information” (including details about the structure of a particular webpage), and “SubscribeButtonClick” information (details about buttons available to click on each page including the text), which fires each time a user clicks on a hyperlink or button on the webpage. Meta made these changes to learn more about website users for advertising purposes. Since 2017, the Pixel has been configured to gather all such data indiscriminately and by default without intervention from the website owner requesting the information be tracked.
In 2018, Meta again modified the default operation of the Pixel to maximize the private information it transmits. Meta introduced a “first-party cookie option” for the Pixel, to circumvent improvements in how web browsers block third-party cookies (a primary means by which Facebook historically tracked people across the web). Being embedded in websites as a first-party cookie, rather than as a third-party cookie, causes users' browsers to treat that Pixel as though it is offered by the website they are visiting, rather than by Meta, a third party. When the Pixel is embedded in a website as a first-party cookie, the third-party cookie blocking functions of modern web browsers do not inhibit the Meta Pixel's collection of data. Operating similarly to, and with the same privacy exemptions applicable to, a first party cookie became another default Pixel setting in or around October 2018.Id. ¶¶ 17-18.
The Meta Pixel operates in the following manner:
In all websites where the Pixel operates, when a user exchanges information with the host of that site, Meta's software script surreptitiously directs the user's browser to send a separate message to Meta's servers. This second, secret transmission contains the original request sent to the host website, (“GET request”), along with additional data that the Pixel is configured to collect (“POST request). GET and POST requests are communications that contain contents from both the user and from servers associated with the website they are visiting. These transmissions are initiated by Meta code and concurrent with the communications to and from the host website.
Meta associates the information it obtains via the Meta Pixel with other information regarding the user, using personal identifiers that are transmitted concurrently with other personal information the Pixel is configured to collect. For Facebook accountholders, these identifiers include the “cuser” IDs, which allow Meta to link data to a particular Facebook account, and “xs” cookies associated with a browsing session. For both Facebook accountholders and users who do not have a Facebook account, these identifiers also include cookies that Meta ties to their browser, such as “datr” and “fr” cookies.Id. ¶¶ 20-21 (internal footnotes omitted). Meta then “feeds the vast quantities of information obtained from Meta Pixels into its advertising systems, using it to identify users and their personal characteristics, categorize them for Meta's business purposes, and target them with marketing messages from its advertising clients.” Id. ¶ 22.
The Meta Pixel is “embedded on and throughout the DMV website, and transmits extensive information from the DMV to Meta in accordance with the Meta Pixel's default configuration.” Id. ¶ 29. This information includes the first name of each person who accesses their online account, id. ¶¶ 32-35; information that a person has applied for or sought to renew a disabled person parking placard or a disabled person license plate, id. ¶¶ 36-43; e-mail addresses, id. ¶¶ 45-50; and other identifying information “concerning users' interests, phone and address status, health and disability status, immigration status, and concerns, all of which are personally identifying in themselves and in combination . . .” Id. ¶ 51.
Meta learns, for example, when someone takes the DMV's self-assessment for driving with impaired vision, or researches the DMV's procedures for licensing people suffering from dementia. Meta also learns when someone accesses MyDMV to update their physical address or phone number, transfer a title, or renew their vehicle registration.
To illustrate one of innumerable examples in detail, if a user asks the DMV to show the page for updating a phone number on the DMV site, Meta intercepts a time-stamped record of the request while it is in transit to the DMV, including unique identifiers for the user, and intercepts the URL transmitted back to the user by the DMV. When a user logs into their MyDMV account, as they must to update their phone number, Meta intercepts a record that the user logs in and successfully completes two-factor authentication, then is presented with hyperlinks or buttons including one to “Change Phone Number.” When a user tells the DMV what they would like to do by clicking that hyperlink, Meta learns that the link “Change Phone Number” is clicked, and obtains the descriptive URL that the DMV presents next, namely https://www.dmv.ca.gov/portal/update-your-phone-number/. This page explains the process for updating one's phone number with the DMV, and a presents button to “Start” the process. When a user clicks the “Start” button, Meta learns that the button “Start” was clicked on that page, and obtains the URL that the DMV presents next, for account verification, and so on. In short, Meta secretly watches every step of the process, and intercepts any and all communications between users and the DMV for its own purposes and its own use.Id. ¶¶ 51-52. The Pixel also transmits communications MyDMV users send the DMV through the search bar on the DMV website as part of the URL returning search results and answers. Id. ¶ 53. For example, a “user who asks the DMV ‘How do I renew a disabled parking placard?' has their disability information transmitted to Meta within the URL ‘https://www.dmv.ca.gov/portal/?s= how+do+I+renew+disabled+parking+placard,' in addition to the transmission that occurs upon starting the renewal application.” Id.
Meta “assigns a unique numerical identifier to each Meta Pixel and maintains records associating each Pixel with the data it transmits and the website where it is embedded.” Id. ¶ 30. Meta has assigned numerical identifiers to the two Meta Pixels that currently operate on the DMV website, and thus “Meta knows that the Meta Pixel operates on the DMV site and knows that information and communication exchanged between users and the DMV are transmitted to Meta by the Pixel.” Id.
Gershzon is a California resident who has had an online account with the DMV since 2019. Id. ¶ 61. Gershzon provided his full name, e-mail address, and telephone number to the DMV in order to open the account. Id. Gershzon has used the DMV website approximately twice a year since 2019, including to apply for a disabled parking placard in 2020. Id. ¶ 62. Gershzon also has a Facebook and/or Meta account since 2010. Id. ¶ 61. Gershzon alleges that the Meta Pixel tracked his activities on the DMV website and the Pixel transmitted his personal information, including his first name, e-mail address, and disability information, from the DMV to Meta without his consent. Id. ¶ 63. Gershzon claims that he did not authorize Meta to obtain his personal information from the DMV for any purpose, and that the DMV website explicitly states that the DMV does not collect personal information for marketing, advertising or similar purposes. Id. ¶¶ 54-55. Gershzon brings this lawsuit on behalf of “all persons who accessed their MyDMV account on the California DMV website or viewed the status of a pending application to the California DMV by clicking on the ‘status checker' link in electronic correspondence from the California DMV.” Id. ¶ 64.
LEGAL STANDARD
A complaint must contain “a short and plain statement of the claim showing that the pleader is entitled to relief,” and a complaint that fails to do so is subject to dismissal pursuant to Rule 12(b)(6). Fed.R.Civ.P. 8(a)(2). To survive a Rule 12(b)(6) motion to dismiss, the plaintiff must allege “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). This “facial plausibility” standard requires the plaintiff to allege facts that add up to “more than a sheer possibility that a defendant has acted unlawfully.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). While courts do not require “heightened fact pleading of specifics,” a plaintiff must allege facts sufficient to “raise a right to relief above the speculative level.” Twombly, 550 U.S. at 555, 570. Although “a well-pleaded complaint may proceed even if it strikes a savvy judge that actual proof is improbable,” Id. at 556, a plaintiff must include sufficient “factual enhancement” to cross “the line between possibility and plausibility.” Id. at 557. “A pleading that offers ‘labels and conclusions' or ‘a formulaic recitation of the elements of a cause of action will not do.'” Iqbal, 556 U.S. at 678 (quoting Twombly, 550 U.S. at 555). “Nor does a complaint suffice if it tenders ‘naked assertion[s]' devoid of ‘further factual enhancement.'” Id. (quoting Twombly, 550 U.S. at 557). “While legal conclusions can provide the framework of a complaint, they must be supported by factual allegations.” Id. at 679.
DISCUSSION
I. DPPA
The first cause of action is brought under the Driver's Privacy Protection Act. Compl. ¶¶ 73-81. Gershzon alleges that Meta has violated the DPPA by obtaining personal information, such as e-mail addresses and disability information, via the Meta Pixel on the DMV website, and that Meta uses that information for prohibited purposes without the consent of the individuals to whom the information pertains. Id.
“Congress enacted the DPPA in 1994, in response to a troubling phenomenon that occurred throughout the 1980s and early 1990s-state DMVs' practice of selling or freely disclosing drivers' personal information, which led to unfortunate consequences ranging from the trivial (onslaughts of random solicitations) to the tragic (the murders of several people by stalkers or ex-spouses).” Andrews v. Sirius XM Radio Inc., 932 F.3d 1253, 1257 (9th Cir. 2019). “At that time, ‘[u]nder the law in over 30 States, it [was] permissible to give out to any person the name, telephone number, and address of any other person if a drivers' license or vehicle plate number [was] provided to a State agency.'” Id. at 1258 (quoting 139 Cong. Rec. at ¶ 15,765 (statement of then-Sen. Biden)). “Accordingly, ‘[c]oncerned that personal information collected by States in the licensing of motor vehicle drivers was being released-even sold-with resulting loss of privacy for many persons, Congress provided federal statutory protection' through the DPPA.” Id. (quoting Maracich v. Spears, 570 U.S. 48, 51-52 (2013)).
The first part of the DPPA focuses on a state's own records and prohibits “[a] State department of motor vehicles” from “knowingly disclos[ing] or otherwise mak[ing] available . . . personal information . . . about any individual obtained by the department in connection with a motor vehicle record.” 18 U.S.C. § 2721(a). The second part of the DPPA “concerns not DMVs themselves, but instead those who illicitly seek information from motor vehicle records.” Andrews, 932 F.3d at 1258. Section 2722 makes it unlawful “for any person knowingly to obtain or disclose personal information, from a motor vehicle record, for any use not permitted under section 2721(b),” and “for any person to make false representation to obtain any personal information from an individual's motor vehicle record.” 18 U.S.C. § 2722. Section 2724 provides a private cause of action for violations of the DPPA.
Permitted uses include “use in connection with matters of motor vehicle or driver safety and theft, motor vehicle emissions, motor vehicle product alterations, recalls, or advisories, performance monitoring of motor vehicles and dealers by motor vehicle manufacturers, and removal of non-owner records from the original owner records of motor vehicle manufacturers.” 18 U.S.C. § 2721(b). The statute also allows disclosure of an individual's personal information “[f]or use in the normal course of business by a legitimate business,” but only “to verify the accuracy of personal information submitted by the individual” and, “if such information as so submitted is not correct or is no longer correct, to obtain the correct information” in limited circumstances. Id. § 2721(b)(3).
To state a claim against Meta under the DPPA, Gershzon must allege that Meta “(1) knowingly obtained his personal information (2) from a motor vehicle record (3) for a nonpermissible use.” Andrews, 932 F.3d at 1259.
A. “Personal Information”
The complaint alleges that Meta obtains “personal information” such as e-mail addresses, names, disability information, and other personal information via the Meta Pixel. Compl. ¶ 77.
The DPPA defines “personal information” as “information that identifies an individual, including an individual's photograph, social security number, driver identification number, name, address (but not the 5-digit zip code), telephone number, and medical or disability information, but does not include information on vehicular accidents, driving violations, and driver's status.” 18 U.S.C. § 2725(3). The statute further provides that “'highly restricted personal information' means an individual's photograph or image, social security number, medical or disability information.” Id. § 2725(4).
Meta argues that Gershzon's first name, e-mail address, and information that Gershzon began an application for a disabled parking placard and later checked the status of that application do not “identify an individual” and therefore do not constitute “personal information” under the DPPA. Meta argues that a first name alone “sweeps in so many people that it is comparable to a ‘5digit zip code,'” and that an e-mail address “does not always qualify as ‘personal information'- whether it does turns on the ‘content' of the e-mail address.” Mtn. at 9 (Dkt. No. 31). Meta also argues that information that a person has applied for a disability parking placard is not “disability information” because, according to Meta, “disability information” means information about the specific nature of a person's disability.
The Court is not persuaded by Meta's arguments. As an initial matter, the statute expressly lists “name” and “medical or disability information” as types of “personal information” (and indeed specifies that “medical or disability information” is “highly restricted personal information”). A first name is a name, and information that someone has applied for a disability placard is “disability information” because it indicates that the applicant has a disability. Meta does not cite any authority for its assertion that “personal information” under the DPPA must be sufficient, on its own, to identify an individual, and courts have rejected that argument in favor of a broader reading of “personal information.” “The term ‘personal information' should be read naturally to include facts that can identify an individual, as opposed to facts that in every instance must identify an individual.” United States v. Hastie, 854 F.3d 1298, 1304 (11th Cir. 2017). In Hastie, the Eleventh Circuit held that “[e]mail addresses fall within the ordinary meaning of ‘information that identifies an individual'” because “[t]hey can ‘prove' or ‘establish the identity of' an individual” and “[e]mail addresses often expressly include the account holder's name, affiliated organization, or other identifying information.” Id. at 1303. The court explained,
This interpretation is strengthened by the material similarity between email addresses and the examples in the statute. Because “[a]ssociated words bear on one another's meaning,” Scalia & Garner, supra, at 195, the examples give meaning to the term “personal information.” Email addresses are much like an online version of a physical address or a telephone number: they serve both as a way to find an individual in an online space and as a way to contact a person.... And the examples listed in the statute reveal that “information that identifies an individual” does not require that a single piece of information on its own be sufficient to locate a particular individual. An individual might have multiple phone numbers or one, and an address might be associated with one person or many-the ratio does not need to be 1:1.Id. at 1303-04.
Similarly, in Dahlstrom v. Sun-Times Media, LLC, 777 F.3d 937, 940, 942 (7th Cir. 2015), the Seventh Circuit held that the definition of “personal information” under the DPPA included an individual's approximate birth date (month and year), height, weight, hair color and eye color, even though that information does not uniquely identify an individual. The Seventh Circuit noted that “the term ‘including'-which introduces the itemized list of characteristics that constitute ‘personal information' under the DPPA, see § 2725(3)-is typically ‘illustrative and not limitative.'” Id. at 943 (quoting Campbell v. Acuff-Rose Music, Inc., 510 U.S. 569, 577 (1994)). The court stated that an “expansive reading” of “personal information” was supported by the text of the statute, noting that “even though medical and disability information do not uniquely pertain to a single individual, they are included in a subcategory of ‘highly restricted personal information,' which receives even greater protection under the DPPA.” Id. at 944 (citing 18 U.S.C. § 2724(4)). An expansive interpretation of “personal information” also served the public safety purpose of the DPPA because “[a]lthough a potential stalker would likely require information beyond hair and eye color to positively identify his victim, details regarding any pertinent physical feature would make such identification easier.” Id. In addition, the court found that “[m]uch of the information at issue here, particularly details regarding an individual's age, height, and weight, could conceivably be of great interest to businesses . . . seeking to market their products or services to targeted audiences. While protection against commercial solicitation may not be as fundamental as the Act's public safety objectives, excluding these categories of information from the DPPA's definition of ‘personal information' would likely contravene legislative intent.” Id. at 944-45.
Meta argues that Dancel v. Groupon, Inc., 949 F.3d 999 (7th Cir. 2019), holds that an e-mail address does not always qualify as “personal information” and that whether it does or not depends on the content of the e-mail address. However, Dancel involved the Illinois Right of Privacy Act (“IRPA”), not the DPPA, and arose in the context of class certification. The IRPA prohibits the “(1) appropriation of one's identity, (2) without consent, (3) for another's commercial benefit.” Id. at 1008. In Dancel, the Seventh Circuit affirmed the district court's denial of class certification in a case alleging that the defendant's commercial use of the plaintiff's Instagram username violated the IRPA, holding that the question of “whether any given username identifies that specific individual who is behind that username” and thus is part of “an individual's identity” under the IRPA could not be established with common proof on a classwide basis. Id. at 1009. In reaching that holding, the Seventh Circuit distinguished Hastie by stating that “the [Hastie] court did not hold that e-mail addresses categorically identify an individual, only that they often did, and they often did so only because of their content, not their inherent nature as e-mail addresses.” Id. at 1008. Dancel did not hold that e-mail addresses are not “personal information” under the DPPA, and as discussed above, courts have held that “personal information” under the DPPA need only be “facts that can identify an individual, as opposed to facts that in every instance must identify an individual.” Hastie, 854 F.3d at 1304.
The reasoning of Hastie and Dahlstrom apply here. A first name, e-mail address, and information that someone has applied for a disability parking placard are “facts that can identify an individual,” Hastie, 854 F.3d at 1304, and as such the Court finds that Gershzon has alleged that Meta obtained “personal information” within the meaning of the DPPA.
To the extent Meta asserts that Gershzon does not have standing to challenge Meta's alleged improper acquisition of other types of “personal information” from the DMV website, the Court disagrees. Gershzon brings this case as a class action and he alleges, inter alia, that “[a]ctive at all times on nearly every page of the DMV website, the Meta Pixel also broadly transmits to Meta other information from the DMV that identifies website users,” including “information concerning users' interests, phone and address status, health and disability status, immigration status, and concerns, all of which are personally identifying in themselves ....” Compl. ¶ 51. Because Gershzon has alleged that Meta has improperly obtained his “personal information” from the DMV website via the Meta Pixel, he may pursue those claims. Pichler v. UNITE, 542 F.3d 380, 391-92 (3d Cir. 2008), cited by Meta, is inapposite. In Pichler, two women and their husbands alleged DPPA violations based upon a union searching the husbands' motor vehicle records; the search revealed the couples' shared addresses. The Third Circuit affirmed the dismissal of the wives' claims, holding that “individuals . . . who are not specifically identified in a motor vehicle record, have no legally protected privacy interest under the DPPA.” Id. at 391. Here, Gershzon has alleged that Meta obtained his personal information from the DMV, and thus he has standing to assert a claim about the improper acquisition of “personal information” from the DMV website.
B. “From a Motor Vehicle Record”
The complaint alleges that Meta obtains personal information from the DMV via the Meta Pixel, and that the information comes “from a motor vehicle record” because the information “derives from the DMV database.” Compl. ¶ 78.
Meta contends that Gershzon has not plausibly alleged that Meta obtained any of his information “from a motor vehicle record.” The DPPA defines a “motor vehicle record” as a “record that pertains to a motor vehicle operator's permit, motor vehicle title, motor vehicle registration, or identification card issued by a department of motor vehicles.” 18 U.S.C. § 2725(1). Meta argues that a disabled person placard (or application for a placard) does not fit within this definition because “[d]isabled person placards provide people with disabilities certain parking privileges” and “these privileges are distinct from the person's permit, the title or registration for that person's car, and that person's ID card.” Mtn. at 10-11. As support, Meta relies on Lake v. Neal, 585 F.3d 1059 (7th Cir. 2009), in which the Seventh Circuit held that a voter registration form filled out at a state DMV was not a “motor vehicle record” because a voter form does not pertain to any of the DMV documents listed in § 2725(1) of the DPPA. Id. at 1061 (“Other than the fact that it is filled out simultaneously with a driver's license application, the voter form has nothing to do with, nor does it ‘pertain' to, a motor vehicle operator's permit.”)
Lake does not aid Meta. Unlike a voter registration form, a disability parking placard (and an application for such a placard) does pertain to a motor vehicle operator's permit. If a person with a disability is licensed to drive in California and requires an accommodation in the form of a disabled parking placard, the person must apply for such a placard. Disability parking placards are only used in connection with driving, unlike a voter registration form which has no connection to driving. Thus, a disabled parking placard “pertains to a motor vehicle operator's permit.”
Meta also argues that the information that Meta allegedly received cannot be described as having come from a “record.” Meta argues that Gershzon has not alleged that Meta obtains preexisting information maintained by the DMV, and instead that his only allegations are that the DMV allegedly sends Meta information about Gershzon's interactions with the DMV's website using GET and POST requests. Meta argues that GET and POST requests are not motor vehicle “records” because they are HTTP requests generated when an online user clicks on a link or button, and they exist completely independent from the DMV's records. Meta argues that these GET and POST requests are not “information about [plaintiff] that is maintained by [the DMV],” Andrews, 932 F.3d at 1260, and thus they are not a “record” under the DPPA. Similarly, Meta argues that the pieces of code that the DMV allegedly sends Meta-i.e., “unique identifiers like the cuser ID, datr, xs, and fr cookies,” Compl. ¶ 43-exist independently of any “motor vehicle records.” Finally, Meta argues that Gershzon does not allege that Meta received information “from” a motor vehicle record because “the information Meta allegedly received when plaintiff began a placard application was received before the creation of a motor vehicle record, and all the information Meta allegedly received (both when plaintiff began his application and later checked its status) was allegedly derived from plaintiff's own online interactions with the DMV website - not from any particular record.” Mtn. at 11-12 (emphasis in original).
The Court is not persuaded by Meta's arguments and finds that at most they raise factual questions that are not amenable to resolution at the pleadings stage. Andrews, upon which Meta relies, is factually distinguishable. In Andrews, the Ninth Circuit held that Sirius XM Radio did not violate the DPPA by obtaining information from an individual's driver's license and a form provided in connection with the purchase of vehicle because that information did not come from the DMV. Andrews, 932 F.3d at 1260 (“[W]e conclude that where, as here, the initial source of personal information is a record in the possession of an individual, rather than a state DMV, then use or disclosure of that information does not violate the DPPA.”). The court held that this interpretation was consistent with the purpose of the DPPA, which was “concern[ed] with the release of personal information by States.” Id. (emphasis in original). Unlike Andrews, where the defendant obtained personal information from sources other than a DMV, here Gershzon alleges that Meta obtained his personal information from the DMV website and that the DMV maintained this information after Gershzon provided it to the DMV through his “MyDMV” online account. These allegations are sufficient to show that Meta obtained Gershzon's information “from a motor vehicle record.”
C. Improper Purpose
The complaint alleges,
Meta obtains Plaintiff's and Class members' personal information from the DMV in a manner that is not consistent with any permissible purpose under 18 U.S.C. § 2721(b). On information and belief, Meta uses the personal information it obtains from the DMV for purposes that are prohibited, including for purposes of profiling, categorizing, and deriving “insights” about consumers, including through “Core
Audiences,” “Lookalike audiences,” and “Custom Audiences”; targeting and serving advertisements to Meta platform users and non-users; improving Meta's profiling and categorizing algorithms; improving Meta platforms; and competing with other advertising companies, without express consent of the individuals to whom the information pertains.Compl. ¶ 79.
Meta argues that Gershzon has failed to plausibly allege that Meta obtained his personal information for an improper purpose, and that several of the DPPA's exceptions for permissible uses “plainly apply here.” Mtn. at 13. According to Meta, it is obvious from Gershzon's allegations that Meta used or obtained personal information for the permissible purpose of assisting the DMV in carrying out its functions, such as market research activities. See 18 U.S.C. § 2721(b)(2) (personal information may be disclosed “[f]or use in connection with . . . motor vehicle research activities, including survey research ....”). Meta also argues that Gershzon consented to the use of his personal information by agreeing to Meta's Privacy Policy, thus rendering Meta's use of any data it received about Gershzon permissible under 18 U.S.C. § 2721(b)(13).
Meta seeks judicial notice of Meta's Privacy Policy and Cookies Policy, and argues that a reasonable person viewing these disclosures would understand that Meta collects information about user activities on third-party websites and uses that information for advertising purposes. Meta also seeks judicial notice of the DMV's Conditions of Use, and argues that a reasonable person reading these disclosures would understand that the DMV collects personal information and uses it for “customer service” and “statistical analysis,” and thus would understand that his information would be shared by the DMV with third parties for these purposes. Gershzon opposes Meta's request for judicial notice. The Court DENIES Meta's request for judicial notice. The Court will not consider documents beyond the pleadings and draw inferences from those documents in Meta's favor. See Khoja v. Orexigen Therapeutics, Inc., 899 F.3d 988, 999 (9th Cir. 2018) (“If defendants are permitted to present their own version of the facts at the pleading stage-and district courts accept those facts as uncontroverted and true-it becomes near impossible for even the most aggrieved plaintiff to demonstrate a sufficiently ‘plausible' claim for relief.”). Meta may renew its arguments about consent and permissible purposes on a fuller factual record.
The Court is not persuaded by Meta's arguments. The complaint expressly alleges that Meta obtains individuals' personal information via the Meta Pixel for the improper purpose of creating customized audiences for its advertising business. Compl. ¶¶ 15-17, 21-26, 79. Whether Meta in fact had a permissible purpose in obtaining and using personal information from the DMV website raises factual questions to be resolved on summary judgment or at trial. The complaint also alleges that Gershzon did not consent to Meta obtaining his information from the DMV website. Id. ¶ 62. These allegations are plausible and sufficient at this stage of litigation.
D. “Knowingly”
Meta contends that Gershzon has failed to satisfy the “knowingly” requirement because the complaint does not allege that Meta knew the DMV was sending it “personal information” from a “motor vehicle record” for an improper purpose. Meta argues that “knowingly” “requires knowledge that the defendant's conduct satisfied all elements of the offense,” and thus that Gershzon must allege that Meta essentially knew it was violating the DPPA by collecting and using personal information from the DMV website. Reply at 10.
The DPPA provides, “A person who knowingly obtains, discloses or uses personal information, from a motor vehicle record, for a purpose not permitted under this chapter shall be liable to the individual to whom the information pertains, who may bring a civil action in a United States district court.” 18 U.S.C. § 2724(a). District courts have held that as a matter of statutory construction, the “knowingly” requirement applies to the first element of a DPPA claim - “obtains, discloses or uses personal information.” See Wilcox v. Swapp, 330 F.R.D. 584, 594 (E.D. Wash. 2019) (“Because the rest of the statute is offset by commas, the ‘knowingly' requirement in section 2724(a) only applies to the portion before the commas, which is the first element of the statute.”); Wiles v. Worldwide Info., Inc., 809 F.Supp.2d 1059, 1081 (W.D. Mo. 2011) (“The only reason to use commas to isolate the clause ‘from a motor vehicle record' is to confine the adverb ‘knowingly' to modifying the act of obtainment, disclosure, or use.”); Rios v. Direct Mail Express, 435 F.Supp.2d 1199, 1205 (S.D. Fla. 2006) (“Thus, under the express language of the DPPA the term ‘knowingly' only modifies the phrase ‘obtains, discloses, or uses personal information.'”). Further, although the Ninth Circuit has not expressly addressed the question, when the court has described the elements of a DPPA claim, it has applied “knowingly” to the first element. See Andrews, 932 F.3d at 1259 (“To prevail on his DPPA claim, Andrews must satisfy § 2722(a) and prove that (1) Sirius XM knowingly obtained his personal information (2) from a motor vehicle record (3) for a nonpermissible use.”); Howard v. Criminal Info. Servs., Inc., 654 F.3d 887, 890 (9th Cir. 2011) (“Section 2724(a) sets forth the three elements giving rise to liability, i.e., that a defendant (1) knowingly obtained, disclosed or used personal information, (2) from a motor vehicle record, (3) for a purpose not permitted.”) (internal citation and quotation marks omitted).
Meta does not cite any cases interpreting the DPPA which hold that “knowingly” applies to all three elements of the statute. Meta cites Enslin v. The Coca-Cola Co., 136 F.Supp.3d 654 (E.D. Pa. 2015), but that case does not support Meta's position and actually undercuts it. In Enslin, a former employee sued Coca-Cola under the DPPA, alleging that he provided Coca-Cola with authorization to obtain his personal information from the DMV, and that this personal information was stored on company laptops that were subsequently stolen, thus constituting a “knowing disclosure” of personal information under the DPPA. The court dismissed the plaintiff's DPPA claim, holding that a “'knowing disclosure' of PDI requires the defendant to take some ‘voluntary action' to disclose the information,” and that “[t]he theft of Plaintiff's PDI cannot be characterized as a ‘voluntary action' taken by the Coke Defendants to disclose that information.” Id. at 670-71. In reaching that holding, the court stated that the “knowing” requirement “does not mean, however, that the disclosing party knows that the disclosure is potentially illegal.” Id. at 670. The other cases cited by Meta do not interpret the DPPA. In the absence of any contrary authority, the Court agrees with the other courts which have held that “knowingly” applies to the first element of the DPPA.
Gershzon alleges that Meta “assigns a unique numerical identifier to each Meta Pixel and maintains records associating each Pixel with the data it transmits and the website where it is embedded,” that Meta has assigned numerical identifiers to the two Meta Pixels that currently operate on the DMV website, and thus that “Meta knows that the Meta Pixel operates on the DMV site and knows that information and communication exchanged between users and the DMV are transmitted to Meta by the Pixel.” Compl. ¶¶ 30, 76. This is sufficient to show that Meta “knowingly obtains, discloses or uses personal information” under the DPPA.
II. CIPA
The second cause of action is brought under the California Invasion of Privacy Act (“CIPA”), Cal. Penal Code § 630 et seq. Penal Code Section 631(a) provides,
Any person who, by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection, whether physically, electrically, acoustically, inductively, or otherwise, with any telegraph or
telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephonic communication system, or who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state; or who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, or who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section, is punishable by a fine not exceeding two thousand five hundred dollars ($2,500), . . .
“Subdivision (a) of section 631 prescribes . . . three distinct and mutually independent patterns of conduct: intentional wiretapping, wilfully attempting to learn the contents or meaning of a communication in transit over a wire, and attempting to use or communicate information obtained as a result of engaging in either of the previous two activities.” Tavernetti v. Superior Ct., 22 Cal.3d 187, 192 (1978). “In enacting this statute, the Legislature declared in broad terms its intent ‘to protect the right of privacy of the people of this state' from what it perceived as ‘a serious threat to the free exercise of personal liberties [that] cannot be tolerated in a free and civilized society.'” Ribas v. Clark, 38 Cal.3d 355, 359, 696 P.2d 637 (1985) (quoting (Cal. Penal Code § 630)).
The complaint alleges that Meta “tracked and intercepted Plaintiff's and Class members' internet communications exchanged with the DMV through the DMV website,” that Meta did so without consent from all parties to the communications, that Meta “intended to learn, and did learn, some meaning of the content in the communications including without limitation in the URLs, search queries, and other content exchanged between Class members and the DMV on the DMV website,” and that Meta used the Meta Pixel and other “machines, instruments and contrivances” to track and intercept the communications. Compl. ¶¶ 82-92.
A. Intent
Meta argues that Gershzon does not allege that Meta intended to wiretap a conversation without his consent. In addition, relying on documents outside the pleadings, Meta asserts that it did not intentionally or willfully intercept Gershzon's information because third parties decide whether to install the Meta Pixel, and Meta tells third parties not to send it any information unless it has the legal right to do so.
As stated earlier, the Court finds it inappropriate to consider these extrinsic documents on this motion to dismiss.
Gershzon responds that Meta's intent argument improperly focuses on the “wiretapping” provision of CIPA (prong one of § 631(a)), while the complaint alleges violations of the second and third prongs of CIPA - that Meta willfully read communications between Gershzon and the DMV (second prong) and that Meta used the information it obtained (third prong). Gershzon also argues that the complaint does allege that Meta read Gershzon's communications by design, not accidentally, and that willfulness and intent are fact questions.
Because Gershzon is not alleging a wiretapping claim, Meta's arguments about what is needed to plead such a claim are moot. Further, contrary to Meta's assertions, the complaint alleges far more than inadvertent receipt of information because Gershzon alleges that that Meta designed the Meta Pixel “to maximize the private information it transmits,” that the Pixel is installed on the DMV website, that personal information and communications are transmitted to Meta via the Pixel on the DMV website, that Meta is aware that this information is being transmitted, and that “Meta intended to learn, and did learn, some meaning of the content in the communications . . .” Compl. ¶¶ 18, 88. These allegations, along with the other detailed allegations in the complaint, are sufficient and non-conclusory, and whether Meta in fact acted willfully is a question of fact to be resolved on a factual record.
B. Consent
Meta contends that Gershzon does not plausibly allege that he did not consent to Meta's receipt of his data from the DMV. For the reasons stated earlier, the Court finds that Gershzon's allegations are sufficient and that Meta's arguments raise factual questions that cannot be resolved on the pleadings.
C. “Contents” of communications
Section 631(a) prohibits “wilfully attempting to learn the contents or meaning of a communication over a wire.” Tavernetti, 22 Cal.3d at 192. The Ninth Circuit has held that “the term ‘contents' refers to the intended message conveyed by the communication, and does not include record information regarding the characteristics of the message that is generated in the course of the communication.” In re Zynga Priv. Litig., 750 F.3d 1098, 1106 (9th Cir. 2014). “Generally, customer information such as a person's name, address, and subscriber number or identity is record information, but it may be contents when it is part of the substance of the message conveyed to the recipient.” Hammerling v. Google LLC, 615 F.Supp.3d 1069, 1093 (N.D. Cal. 2022) (citing Zynga, 750 F.3d at 1104, 1108-09). “Similarly, URLs are record information when they only reveal a general webpage address and basic identification information, but when they reproduce a person's personal search engine queries, they are contents.” Id.; see also In re Google Inc. Cookie Placement Consumer Litig., 806 F.3d 125, 137 (3d Cir. 2015) (“In essence, addresses, phone numbers, and URLs may be dialing, routing, addressing, or signaling information, but only when they are performing such a function. If an address, phone number, or URL is instead part of the substantive information conveyed to the recipient, then by definition it is ‘content.'”).
Zynga interpreted the federal Wiretap Act. “The analysis for a violation of CIPA is the same as that under the federal Wiretap Act.” Cline v. Reetz-Laiolo, 329 F.Supp.3d 1000, 1051 (N.D. Cal. 2018).
A website's “URL” is its Uniform Resource Locator. “URLs both identify an internet resource and describe its location or address.” In re Facebook Inc., Internet Tracking Litig., 956 F.3d 589, 596 (9th Cir. 2020). “[W]hen users enter URL addresses into their web browser using the ‘http' web address format, or click on hyperlinks, they are actually telling their web browsers (the client) which resources to request and where to find them.” In re Zynga Privacy Litig., 750 F.3d at 1101. “Thus, the URL provides significant information regarding the user's browsing history, including the identity of the individual internet user and the web server, as well as the name of the web page and the search terms that the user used to find it. In technical parlance, this collected URL is called a ‘referer header' or ‘referer.'” Facebook Tracking Litig., 956 F.3d at 956.
“Courts employ a contextual ‘case-specific' analysis hinging on ‘how much information would be revealed' by the information's tracking and disclosure.” Id. at 1092 (quoting Google Cookie Placement, 806 F.3d at 137-38). Thus, in In re Facebook, Inc. Internet Tracking Litigation, the Ninth Circuit held that URLs that could disclose a user's search terms were “contents” because they could provide “significant information regarding the user's browsing history” and divulge “a user's personal interests, queries, and habits on third-party websites operating outside of Facebook's platform.” 956 F.3d at 596, 605; see also United States v. Forrester, 512 F.3d 500, 510 n.6 (9th Cir. 2008) (stating that warrantless capture of URLs generally “might be more constitutionally problematic” than warrantless capture of IP addresses because “[a] URL, unlike an IP address, identifies the particular document within a website that a person views and thus reveals much more information about the person's [i]nternet activity.”). Similarly, in Google Cookie Placement the Third Circuit held that the plaintiffs stated a claim under the federal Wiretap Act where they alleged “a broad scheme in which the defendants generally acquired and tracked the plaintiffs' internet usage” because “at a minimum-some queried URLs qualify as content.” Google Cookie Placement, 806 F.3d at 139; see also Wesch v. Yodlee, Inc., Case No. 20-cv-05991-SK, 2021 WL 1399291, at *4 (N.D. Cal. Jul. 19, 2021) (holding individuals' bank transaction histories constituted “contents” because they “reveal personal details of Plaintiffs' lives and their expenditures.”). By contrast, in Hammerling Judge Breyer held that Google's collection of “usage and engagement” data - the average number of days that users were active on certain apps and the user's total time spent on non-Google apps - did not violate CIPA because “[w]hile Google might infer a user's traits and habits from the fact that this user uses non-Google apps designed for a specific purpose, the extent of that inference is limited because Plaintiffs do not allege Google can read the specific information (i.e., content) that a user inputs.” Hammerling, 615 F.Supp.3d at 1093.
Meta argues that none of the information that Meta allegedly received from plaintiff constitutes “contents” because it is “record information” about a user's communication, not contents of the communication.
The Court concludes that Gershzon has sufficiently alleged that the Meta Pixel transmits “contents” of communications to Meta. The complaint alleges that the Meta Pixel is embedded on and throughout the DMV website, that the Pixel transmits to Meta the URL of each page visited on a website, and that, among other things, Meta obtained information showing that Gershzon communicated with the DMV in order to apply for a disability parking placard and later to check on the status of that application. This type of information is substantive and personal, as it shows that Gershzon has a disability (or believes that he has a disability) and that he requires a disability parking placard. Similar to the “broad scheme” in Google Cookie Placement, Gershzon alleges that the Meta Pixel is “[a]ctive at all times on nearly every page of the DMV website,” and that it “broadly transmits to Meta other information from the DMV that identifies website users,” including “information concerning users' interests, phone and address status, health and disability status, immigration status and concerns.” Compl. ¶ 51. At least some of this information - such as information someone is disabled - constitutes “contents” under CIPA, and thus the allegations are sufficient at the pleadings stage.
D. Statute of Limitations
Meta contends that if the Court allows the CIPA claim to proceed, the claim should be limited to conduct occurring within the one year statute of limitations. Gershzon responds that there is no dispute that the complaint is timely, and that whether the statutes of limitation are tolled “as a result of Meta's knowing and active concealment of its conduct” as alleged in the complaint, see Compl ¶¶ 56-60, is a factual question that requires discovery.
The Court agrees with plaintiff that the question of tolling cannot be decided on the pleadings, and that Meta can renew its arguments on a fuller factual record.
CONCLUSION
For the foregoing reasons, the Court concludes that plaintiff has stated claims under the DPPA and CIPA, and therefore Meta's motion to dismiss is DENIED. The Court shall set a pretrial schedule at the September 1, 2023 case management conference.
IT IS SO ORDERED.