Hammerling v. Google LLC

Full title: MARIE HAMMERLING, et al., Plaintiffs, v. GOOGLE LLC, Defendant.

Court: United States District Court, Northern District of California

Date published: Jul 18, 2022

615 F. Supp. 3d 1069 (N.D. Cal. 2022)

Opinion

Case No. 21-cv-09004-CRB

2022-07-18

Marie HAMMERLING, et al., Plaintiffs, v. GOOGLE LLC, Defendant.

Willem F. Jonckheer, Amber Love Schubert, Robert C. Schubert, Schubert Jonckheer & Kolbe LLP, San Francisco, CA, Amanda Grace Fiorilla, Pro Hac Vice, Christian Levis, Pro Hac Vice, Margaret C. MacLean, Pro Hac Vice, Lowey Dannenberg, P.C., White Plains, NY, for Plaintiffs. Benjamin Berkowitz, Christina Lee, Ian Asher Kanig, Thomas Edward Gorman, Keker, Van Nest & Peters LLP, San Francisco, CA, for Defendant.

CHARLES R. BREYER, United States District Judge

Willem F. Jonckheer, Amber Love Schubert, Robert C. Schubert, Schubert Jonckheer & Kolbe LLP, San Francisco, CA, Amanda Grace Fiorilla, Pro Hac Vice, Christian Levis, Pro Hac Vice, Margaret C. MacLean, Pro Hac Vice, Lowey Dannenberg, P.C., White Plains, NY, for Plaintiffs.

Benjamin Berkowitz, Christina Lee, Ian Asher Kanig, Thomas Edward Gorman, Keker, Van Nest & Peters LLP, San Francisco, CA, for Defendant.

ORDER GRANTING MOTION TO DISMISS

CHARLES R. BREYER, United States District Judge

Plaintiffs Marie Hammerling and Kay Jackson allege that for years Defendant Google LLC secretly used their Android smartphones to collect data about non-Google app installation metrics, the amount of time spent using non-Google apps, and how often those apps were open. Plaintiffs allege that Google used this data determine Plaintiffs' personal information, such as their religious and political beliefs. In doing so, Google allegedly breached its contract with its customers and violated California's Unfair Competition Law, the California Constitution, and California fraud and privacy laws. Compl. (dkt. 1) ¶¶ 1, 10. Google moves to dismiss Plaintiffs' claims for failure to state a claim under Federal Rules of Civil Procedure 12(b)(6) and 9(b). Mot. (dkt. 33) at 2. The Court GRANTS the motion to dismiss all claims with leave to amend.

I. BACKGROUND

A. Parties

Hammerling and Jackson are Florida residents who bring this putative class action on behalf of themselves, and all others similarly situated. Compl. ¶¶ 15, 19, 86. Since 2014, Plaintiffs have owned several Android smartphones, all made by manufacturers other than Google itself. Id. ¶¶ 15, 19. Android OS is an operating system that powers about 75% of the world's smartphones, including Plaintiffs' smartphones. Id. ¶¶ 28, 31.

Defendant Google is a technology company that has owned the Android OS since 2005. Id. ¶¶ 23, 28. B. The Complaint

Plaintiffs allege the following. Since 2012, Google has collected "sensitive personal data" from Android smartphones through a secret project titled, "Android Lockbox." Id. ¶¶ 35, 38. The public first learned of Google's "Android Lockbox" project in 2020, when the news service, The Information, published an article detailing the project. Id. ¶¶ 44, 83. A congressional report released after The Information's article described Google's "Android Lockbox" as "a covert effort to track real-time data" on Android smartphone users' "usage and engagement" with non-Google apps. Id. ¶ 34. The report detailed that "usage and engagement" data (what Plaintiffs call "sensitive personal data") includes "installation metrics" for non-Google apps, "the average number of days users were active on any particular app," and a users' total time spent on a non-Google app.¹ Id. ¶¶ 34-35, 37-38, 121.

1 Plaintiffs do not define what "installation metrics" are, but presumably they refer to how many times an app is downloaded onto an Android smartphone.

Plaintiffs allege that Google utilized "Android Lockbox" to collect Plaintiffs' personal data without their knowledge or consent. Id. ¶¶ 17, 21, 48. Plaintiffs use several non-Google apps on their smartphones, "including Facebook, Instagram, and TikTok." Id. ¶¶ 16, 20. Google allegedly collected usage and engagement data from these non-Google apps and then used the data to compete with rivals like Facebook. Id. ¶¶ 39, 41. Plaintiffs also allege that from the data Google can learn intimate details about users, such as "their religious and political affiliations, their activity level, their sexual preferences and proclivities, and other habits and preferences." Id. ¶ 69. For example, "Google can learn details of a user's sleep schedule, menstrual cycle, or exercise routine based on when and how often they interact with an alarm clock app, fertility tracker, or fitness app."² Id. ¶ 7.

2 Plaintiffs include in their Opposition specific examples of apps from which Google can infer information about a particular user. See Opp'n at 20. For example, Plaintiffs assert that, from installation metrics as to the app "Pregnancy Tracker: Baby Bump," Google can deduce that a user is pregnant. Id. However, there are no such examples in their Complaint. See Compl.

Plaintiffs allege Google does not seek consent to collect Android user data from non-Google apps. Id. ¶ 46. Further, it does not disclose that it collects this data or that it does so to compete with other companies. Id. ¶¶ 46–47. Rather, when Plaintiffs and class members set up their Android smartphones for the first time, Google states only that it collects user data "to offer a more personalized experience." Id. ¶ 52. Google's Privacy Policy similarly does not disclose Google's data collection practices. Id. ¶ 55. Google's Privacy Policy "only states that it may collect information about ‘activity on third-party sites and apps that use our services,’ " but it does not explain that it monitors the "frequency that non-Google apps are used or the duration of time a user spends on non-Google apps." Id. ¶ 58. Plaintiffs allege that they "would not have purchased, or would have paid significantly less for," their Android Smartphones had they known that Google would collect their personal data from non-Google apps. Id. ¶ 61.

Based on these allegations, Plaintiffs allege the following ten claims: (1) common law intrusion upon seclusion; (2) invasion of privacy under the California Constitution; (3) violation of California Civil Code section 1709 ; (4) violations of the fraud, unlawful, and unfair prongs of California Civil Code section 17200 ("Unfair Competition Law" or "UCL"); (5) violation of California Civil Code section 1750 ("California Consumers Legal Remedies Act" or "CLRA"); (6) breach of contract; (7) breach of implied contract; (8) unjust enrichment; (9) request for relief under the Declaratory Judgment Act; and (10) violation of California Penal Code section 631 ("California's Invasion of Privacy Act" or "CIPA"). Id. ¶¶ 102-201.

C. McCoy v. Alphabet

In their papers, both parties refer to a recent decision by Judge van Keulen that concerned issues nearly identical to those in this case. The McCoy v. Alphabet plaintiffs (represented by the same attorneys as here) sued Google for collecting their personal data from non-Google apps on Android smartphones. 2021 WL 405816, at *1 (N.D. Cal. Feb. 2, 2021). The McCoy plaintiffs alleged the same ten claims present here. Id. at *4. Judge van Keulen granted Google's motion to dismiss plaintiffs' common law intrusion upon seclusion, invasion of privacy under the California Constitution, CIPA, breach of implied contract, and unjust enrichment claims. Id. at *14. She also dismissed the plaintiffs' CLRA claim because plaintiffs did not file an affidavit, as the CLRA requires. Id. at *11. She declined, however, to dismiss the plaintiffs' breach of contract, Declaratory Judgment, and fraud claims ( Section 1709 and UCL). Id. at *8-10, *14. On November 9, 2021, Judge van Keulen compelled the plaintiffs' claims to arbitration after Google discovered that the named plaintiff was subject to a binding arbitration agreement because Google had manufactured his Android smartphone. McCoy v. Google, LLC, 2021 WL 6882419, at *3 (N.D. Cal. Nov. 9, 2021). Plaintiffs' counsel sought to add Hammerling and Jackson as named plaintiffs (because Google had not manufactured their Android phones), but Judge van Keulen denied that request, leading them to file this case. Id. at *4.

Where applicable, the Court refers to Judge van Keulen's reasoning in McCoy in this order. Judge van Keulen, however, did not consider (or the parties did not present to her) many of the arguments Plaintiffs assert in this case.

II. LEGAL STANDARD

Under Federal Rule of Civil Procedure 12(b)(6), the Court may dismiss a complaint for failure to state a claim upon which relief may be granted. Dismissal may be based on either "the lack of a cognizable legal theory or the absence of sufficient facts alleged under a cognizable legal theory." Godecke v. Kinetic Concepts, Inc., 937 F.3d 1201, 1208 (9th Cir. 2019) (cleaned up). A complaint must plead "sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face." Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (cleaned up). A claim is plausible "when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Id. When evaluating a motion to dismiss, the Court "must presume all factual allegations of the complaint to be true and draw all reasonable inferences in favor of the nonmoving party." Usher v. City of Los Angeles, 828 F.2d 556, 561 (9th Cir. 1987). "Courts must consider the complaint in its entirety, as well as other sources courts ordinarily examine when ruling on Rule 12(b)(6) motions to dismiss, in particular, documents incorporated into the complaint by reference, and matters of which a court may take judicial notice." Tellabs, Inc. v. Makor Issues & Rights, Ltd., 551 U.S. 308, 322, 127 S.Ct. 2499, 168 L.Ed.2d 179 (2007).

Claims for fraud must meet the pleading standard of Federal Rule of Civil Procedure 9(b), which requires a party "alleging fraud or mistake [to] state with particularity the circumstances constituting fraud or mistake." Rule 9(b) "requires ... an account of the time, place, and specific content of the false representations as well as the identities of the parties to the misrepresentations." Swartz v. KPMG LLP, 476 F.3d 756, 764 (9th Cir. 2007) (cleaned up). "This means that averments of fraud must be accompanied by the who, what, when, where, and how of the misconduct charged." In re Google Assistant Priv. Litig., 546 F. Supp. 3d 945, 955 (N.D. Cal. 2021) (internal quotations omitted).

If a court dismisses a complaint for failure to state a claim, it should "freely give leave" to amend "when justice so requires." Fed. R. Civ. P. 15(a)(2). A court has discretion to deny leave to amend due to "undue delay, bad faith or dilatory motive on the part of the movant, repeated failure to cure deficiencies by amendment previously allowed, undue prejudice to the opposing party by virtue of allowance of the amendment, [and] futility of amendment." Leadsinger, Inc. v. BMG Music Pub., 512 F.3d 522, 532 (9th Cir. 2008).

III. DISCUSSION

This order first considers whether Google's Privacy Policy is incorporated by reference into the complaint. It then addresses Google's motion to dismiss in the following order: (1) fraud claims ( Section 1709, UCL's fraud prong, and CLRA); (2) privacy claims (common law intrusion upon seclusion, invasion of privacy under the California Constitution, and CIPA); (3) UCL's unlawful and unfair prongs; (4) contract claims (breach of contract, implied contract, and unjust enrichment); and (5) declaratory judgment claim.

A. Incorporation by Reference

Google requests that the Court take judicial notice or incorporate by reference two versions of its Privacy Policy ("Policy"). RJN at 2; Kanig Decl. (dkt. 33-1) at 1, Ex. A, Ex. B. Exhibit A is the Policy that was effective on December 19, 2019, and Exhibit B is the Policy that was effective on July 1, 2020. Kanig Decl. at 1.

The incorporation-by-reference doctrine "treats certain documents as though they are part of the complaint itself." Khoja v. Orexigen Therapeutics, Inc., 899 F.3d 988, 1002 (9th Cir. 2018). Documents are subject to incorporation by reference if a plaintiff refers to them "extensively" or they form the basis of the complaint. Id. Courts may properly assume the truth of documents incorporated by reference. Id. at 1003. But "it is improper to assume the truth of an incorporated document if such assumptions only serve to dispute facts stated in a well-pleaded complaint." Id.

The complaint incorporates by reference both versions of Google's Privacy Policy. Plaintiffs cite extensively to the Policy, and it forms the basis of their fraud and contract claims. See Compl. ¶¶ 129-31, 163; Khoja, 899 F.3d at 1002. Plaintiffs refer to the two versions of Google's Privacy Policy nearly twenty times in their Complaint. See Compl. ¶¶ 55-60, 80, 129-130, 131, 160, 162-163, 165, 170, 173-74, 177-78, & nn. 2, 9, 10, 12; Khoja, 899 F.3d at 1003-04 (incorporating by reference a blog post cited and quoted once in a complaint). Because these documents are incorporated by reference, the Court need not consider whether it may also take judicial notice of them.

B. Fraud Claims (claims 3, 4, and 5)

Plaintiffs allege violations of the CLRA, UCL's fraud prong, and California Civil Code section 1709 (" Section 1709" or "deceit"). Compl. ¶¶ 126-156. All three statutes prohibit fraudulent misrepresentations and omissions. See In re Seagate Tech. LLC Litig., 233 F. Supp. 3d 776, 788 (N.D. Cal. 2017) (CLRA and UCL); Lazar v. Superior Ct., 12 Cal. 4th 631, 638, 49 Cal.Rptr.2d 377, 909 P.2d 981 (1996) ( Section 1709 ). Courts often evaluate these three claims together because they contain similar elements. E.g., Elias v. Hewlett-Packard Co., 2014 WL 493034, at *4 (N.D. Cal. Feb. 5, 2014).

To allege a violation of the three statutes based on a fraudulent misrepresentation or omission, a plaintiff must plead (1) misrepresentation or omission, (2) reliance, and (3) damages. Kwikset Corp. v. Superior Ct., 51 Cal. 4th 310, 326, 120 Cal.Rptr.3d 741, 246 P.3d 877 (2011) (CLRA and UCL); Mirkin v. Wasserman, 5 Cal. 4th 1082, 1091, 23 Cal.Rptr.2d 101, 858 P.2d 568 (1993) (deceit).³ Additionally, a plaintiff must plead all three claims with particularity as required by Federal Rule of Civil Procedure 9(b). Vess v. Ciba-Geigy Corp. USA, 317 F.3d 1097, 1103-04 (9th Cir. 2003) (stating that when a plaintiff alleges "a unified course of fraudulent conduct" and relies "entirely on that course of conduct as the basis of a claim," "the pleading of that claim as a whole must satisfy the particularity requirement of Rule 9(b)").

3 A Section 1709 claim also requires (1) scienter and (2) intent to defraud. See Lazar, 12 Cal. 4th at 638, 49 Cal.Rptr.2d 377, 909 P.2d 981. Google does not challenge these elements of Plaintiffs' section 1709 claim.

Plaintiffs allege that Google committed both fraudulent misrepresentation and omission. See Compl. ¶¶ 51-54 (fraudulent misrepresentation), 55-61 (fraudulent omission); Mot. at 7; Opp'n at 6. As to misrepresentation, Plaintiffs allege that when they set up their Android smartphones, Google falsely told Plaintiffs that it would collect their personal data "to offer a more personalized experience." Id. ¶¶ 51-52, 54, 129-130. But Google's actual reason for collecting such data is "to gain an unfair competitive edge over its competitors." Id. ¶¶ 54, 129. As for their fraudulent omission theory, Plaintiffs allege that Google fails to disclose (1) that it collects personal data when Android users interact with non-Google apps and (2) uses such data to compete with other companies. Id. ¶ 55. Had Plaintiffs known that Google would collect their personal data from non-Google apps, they would not have purchased, or would have paid significantly less for, their Android smartphones. Compl. ¶¶ 18, 22, 49, 61, 135, 146, 152.

As explained below, the Court dismisses the fraud claims. As a preliminary matter, the Court agrees that Plaintiffs have plausibly pleaded that the Privacy Policy failed to disclose material information regarding Google's data collection practices. However, the fraudulent misrepresentation claims fail because Plaintiffs do not plausibly plead reliance on any misrepresentation. The fraudulent omission claims fail because Google lacked a duty to disclose its data collection practices. Further, the CLRA claim fails for the independent reason that Plaintiffs did not purchase a Google-manufactured smartphone.

1. Disclosure

First, the Court disagrees with Google that its Policy discloses what Plaintiffs allege it misrepresents and omits: that it collects data from non-Google apps and uses that data to compete with other companies. See Mot. at 8.

To state a fraudulent omission or misrepresentation claim under Section 1709, a plaintiff must plead either a false representation, concealment, or nondisclosure. Lazar, 12 Cal. 4th at 638, 49 Cal.Rptr.2d 377, 909 P.2d 981. Nondisclosure and concealment mean the "suppression of a fact, by one ... who gives information of other facts which are likely to mislead for want of communication of that fact."⁴ Cal. Civ. Code section 1710. Under the CLRA and UCL, the omission or misrepresentation must be likely to mislead or deceive a reasonable consumer.⁵ See Eidmann v. Walgreen Co., 522 F. Supp. 3d 634, 643 (N.D. Cal. 2021). "Because what a reasonable consumer would believe is generally a question of fact, it is a rare situation in which a motion to dismiss will be granted for failure to satisfy this test." Dinan v. Sandisk LLC, 2019 WL 2327923, at *2 (N.D. Cal. May 31, 2019) (cleaned up).

4 In its Reply, Google states that for Plaintiffs to plausibly allege their deceit claim they cannot rely on a "misleading statement." Id. Google is wrong; a misleading statement is enough for a deceit claim. Section 1710, which defines deceit, states that deceit includes "suppression of a fact, by one ... who gives information of other facts which are likely to mislead for want of communication of that fact." Cal. Civ. Code section 1710 (emphasis added). California courts have also held that "[m]ere nondisclosure, when combined with statements of fact which are likely to mislead in the absence of such further disclosure, is actionable" deceit. Sanfran Co. v. Rees Blow Pipe Mfg. Co., 168 Cal. App. 2d 191, 204, 335 P.2d 995 (1959) (emphasis added); 5 Witkin, Summary 11th Torts § 919 (2021) (collecting cases stating the same).

5 For the deceit claim, the reasonable consumer test does not appear to apply. See Kearns v. Ford Motor Co., 567 F.3d 1120, 1126 (9th Cir. 2009) (requiring knowledge of falsity for a cause of action for fraud). The real question should be what Plaintiffs themselves actually understood from Google's Privacy Policy. Nonetheless, this does not matter because the allegations suggest that the answer is the same for Plaintiffs as for a reasonable consumer. For ease of reading, the Court refers to the reasonable consumer in the fraud claim section, with the understanding that the same analysis applies as to Plaintiffs themselves for the purpose of the deceit claim.

Under Section 1709, the UCL, or the CLRA, when a defendant truthfully and clearly discloses an alleged misrepresentation or omission, a plaintiff cannot plausibly state a claim for relief. See id. For example, in Davis v. HSBC Bank Nevada, N.A., the Ninth Circuit held that a defendant did not fraudulently omit that a credit card it offered had an annual fee because the card's terms and conditions stated that the card included an annual fee. 691 F.3d 1152, 1158, 1163-64 (9th Cir. 2012). And in Fabozzi v. StubHub, Inc., Judge Chen held that a ticket reseller did not fraudulently omit that it sold its tickets at a "premium" compared to the ticket's face value because the ticket reseller disclosed numerous times on its website that its tickets "may be ... above face value" or different from face value. 2012 WL 506330, at *6 (N.D. Cal. Feb. 15, 2012).

Here, Google argues that six disparate portions of its Privacy Policy together amount to a disclosure that it collects user data from non-Google apps on Android smartphones and uses the data to compete with other companies. See Mot. at 8-10. First, Google states on page one of its Policy that Android OS is a Google service. See Mot. at 9; Kanig Decl. Ex. A at 1 ("Our services include: ... Platforms like the Chrome browser and Android operating system"). Second, page three of the Policy states that Google collects information regarding apps that a user has installed. See Mot. at 8; Kanig Decl. Ex. A at 3 ("We collect information about the apps, browsers, and devices you use to access Google services ..."). Third, also on page three, the Policy states that Google collects information about a user's activity on their services, including "[a]ctivity on third party sites and apps that use our services." See Mot. at 8; Kanig Decl. Ex. A at 3. Fourth, on page five, the Policy states that Google uses the information it collects to improve and develop new services. Reply at 7; Kanig Decl. Ex. A at 6 ("And we use your information to make improvements to our services"); id. ("We use the information we collect in existing services to help us develop new ones."). Fifth, page seventeen of the Policy states that Google "uses information to improve our services and to develop new products, features, and technologies that benefit our users and the public." See Mot. at 9; Kanig Decl. Ex. A at 16, Ex. B at 17. This section appears under the heading "California Requirements" and (in the 2020 version of the Policy) under the subheading "Business purposes for which information may be used or disclosed." Sixth, page eighteen of the Policy states that the Policy "applies to all of the services offered by Google LLC and its affiliates, including YouTube, Android, and services offered on third-party sites." Reply at 5 n.3; Kanig Decl. Ex. A at 18. (It then states that the Policy "doesn't apply to ... Services offered by other companies or individuals, including products or sites that may include Google services, be displayed to you in search results, or be linked from our services." Kanig Decl. Ex. A at 18.)

From these six portions of its Privacy Policy, Google asserts that a reasonable consumer must conclude that because the Policy states that Android OS is a Google service, all apps on an Android smartphone (including non-Google apps) are using a Google service. See Mot. at 8-9. Thus, in stating that it collects data from apps that use Google services, Google argues that it discloses that it collects data from non-Google apps on Android smartphones. See id. By disclosing its collection of user data from non-Google apps, Google argues that it also discloses that it uses such data to develop new products and compete with other companies. See id. at 9. Because Google discloses these facts, Google argues that Plaintiffs cannot allege fraudulent omission or misrepresentation. See id. at 8-10.

But it is at least as plausible that a reasonable consumer would read Google's Privacy Policy and reach a different conclusion. Plaintiffs argue that they could conclude that Google collects user data only from Google apps (i.e., Gmail, Photos, or Google Maps) and not non-Google apps. See Opp'n at 3-4. For example, a consumer could read the statement that Google collects a user's "[a]ctivity on third party sites and apps that use our services" to mean that Google collects data only from apps "that require users to sign into Google services, like YouTube [or Gmail]." See Kanig Decl. Ex. A at 3; Opp'n at 4 (emphasis added). To conclude that "apps that use our services" includes all non-Google apps, a consumer would have to realize that, somewhat counterintuitively, every single app could be construed as an "app[ ] that use[s] our services" because page one of the Policy defines Google's services to include the operating system itself. At the motion to dismiss stage, the Court does not decide the factual question of which interpretation is more likely. See Davis, 691 F.3d at 1162 ("Whether a business practice is deceptive will usually be a question of fact not appropriate for decision on a motion to dismiss." (cleaned up)).

The Court rejects Google's argument and finds it plausible that Google did not adequately disclose its data collection practices. See Dinan, 2019 WL 2327923, at *2.

2. Misrepresentation

However, the Court dismisses the fraudulent misrepresentation claims because Plaintiffs fail to allege that they relied on any misrepresentation.

To plausibly allege a CLRA, UCL, or Section 1709 claim, a plaintiff must allege that they relied on a misrepresentation and suffered injury as a result. See Moore v. Apple, Inc., 73 F. Supp. 3d 1191, 1200 (N.D. Cal. 2014) ; Mirkin, 5 Cal. 4th at 1092, 23 Cal.Rptr.2d 101, 858 P.2d 568. But, here, Plaintiffs only allege that they "relied upon [Google's] statement when setting up their Android Smartphones." Compl. ¶ 52. Critically, they do not allege whether this occurred before or after their purchases. See Davidson v. Apple, Inc., 2017 WL 976048, at *8 (N.D. Cal. Mar. 14, 2017) (holding that the plaintiffs failed to plead actual reliance because their complaint was "devoid of allegations that [they] were exposed to any representation ... prior to purchasing an iPhone 6 or 6 Plus" (emphasis in original)); Donohue v. Apple, Inc., 871 F. Supp. 2d 913, 925 (N.D. Cal. 2012) (holding that the plaintiff failed to plead actual reliance because he did not "allege that he relied on the [misrepresentation] in making his purchase"). Plaintiffs have, therefore, failed to allege that they relied on Google's alleged misrepresentation before purchasing their Android smartphones. See Swartz, 476 F.3d at 764.

Plaintiffs' three arguments in response are unpersuasive. First, Plaintiffs argue that Judge van Keulen rejected the same argument that Google makes here in McCoy. See Opp'n at 11. But it is unclear if Judge van Keulen considered the timing of the plaintiff's purchase in McCoy, and in any case, this Court is not bound by McCoy. Second, Plaintiffs argue that actual reliance can occur after purchase but before a plaintiff uses and sets up their smartphone. But they offer no support for this argument.⁶ Third, Plaintiffs argue that Google's argument only applies to Plaintiffs' CLRA claim because Plaintiffs' Section 1709 and UCL claims do not require a misrepresentation that results in a transaction. See Opp'n at 11. While it is true that Section 1709 and the UCL do not require a misrepresentation that results in a transaction, they do require that the misrepresentation cause an injury. See Kwikset Corp., 51 Cal. 4th at 326, 120 Cal.Rptr.3d 741, 246 P.3d 877 (UCL) ; Mirkin, 5 Cal. 4th at 1088, 1091, 23 Cal.Rptr.2d 101, 858 P.2d 568. And, here, Plaintiffs' only alleged injury derives from the purchase of their Android smartphones. See Compl. ¶¶ 135, 146, 152.

6 The two cases that Plaintiffs rely on are Moore v. Apple, Inc., 73 F. Supp. 3d 1191 (N.D. Cal. 2014), and Phillips v. Apple Inc., 2016 WL 1579693 (N.D. Cal. Apr. 19, 2016). Plaintiffs argue that the plaintiffs in both cases failed to plead actual reliance because they saw the alleged misrepresentation (1) after purchase and (2) after having used their smartphones for the first time. See Opp'n at 11. Because Plaintiffs, here, allege that they saw Google's alleged misrepresentation before first using their Android smartphones, they argue that they have plausibly alleged actual reliance. See id. But Plaintiffs are incorrect. Both Moore and Phillips held that the plaintiffs there failed to plead actual reliance only because they saw the alleged misrepresentation after purchase, not because they also happened to see it after using their phones for the first time. See Moore, 73 F. Supp. 3d at 1200-02 ; Phillips, 2016 WL 1579693, at *7.

Therefore, by not alleging that they relied on Google's misrepresentation before purchasing their Android Smartphones, Plaintiffs fail to plausibly allege actual reliance with particularity. See Swartz, 476 F.3d at 764. Accordingly, the Court dismisses Plaintiffs' fraud claims to the extent that they rely on a misrepresentation theory.

3. Omission

The fraudulent omission claims fail because Plaintiffs do not allege that Google had a duty to disclose the omitted information.

To plausibly allege a fraudulent omission, the omission must either (1) "be contrary to a representation actually made by the defendant," or (2) "an omission of a fact the defendant was obliged to disclose."⁷ Anderson v. Apple Inc., 500 F. Supp. 3d 993, 1012 (N.D. Cal. 2020) (quoting Hodsdon v. Mars, Inc., 891 F.3d 857, 861 (9th Cir. 2018) ).

7 The phrase "contrary to a representation actually made by the defendant" describes the legal theory also known as "partial omission." See Anderson, 500 F. Supp. 3d at 1013. Thus, when a defendant makes an incomplete representation, a partial omission occurs. See id. Plaintiffs argue that they need not show that Google had a duty to disclose its alleged omissions because Google's representations in its Privacy Policy are partial omissions. See Opp'n at 7; Anderson, 500 F. Supp. 3d at 1012 (stating that a fraudulent omission is actionable either under a partial omission theory or when a defendant had a duty to disclose). But Plaintiffs cannot rely on a partial omission argument because Plaintiffs do not allege that they ever read the Policy before (or after) purchasing their Android smartphones, without which they could not have relied on this "partial omission." See Anderson, 500 F. Supp. 3d at 1018 (holding that a defendant's omission was contrary to a web page and press release, but nonetheless dismissing that claim because none of the plaintiffs alleged that they viewed the web page or press release).

Courts have noted that the law concerning a defendant's duty to disclose in a fraudulent omissions case is "marked by general disarray." In re Toyota RAV4 Hybrid Fuel Tank Litig., 534 F. Supp. 3d 1067, 1101 (N.D. Cal. 2021). The disarray stems in part from the fact that there are (at least) two different tests to determine whether a defendant has a duty to disclose. See id. at 1102 (noting the confusion). Under one approach, a defendant only has a duty to disclose when either (1) the defect at issue relates to an unreasonable safety hazard or (2) the defect is material, "central to the product's function," and the plaintiff alleges one of the four LiMandri factors. Id. at 1102. The LiMandri factors are: (1) the defendant is in a fiduciary relationship with the plaintiff; (2) the defendant had exclusive knowledge of material facts not known to the plaintiff; (3) the defendant actively conceals a material fact from the plaintiff; or (4) the defendant makes partial representations but also suppresses some material facts. LiMandri v. Judkins, 52 Cal. App. 4th 326, 336, 60 Cal.Rptr.2d 539 (1997). Under a separate approach, a defendant has a duty to disclose any time that a plaintiff alleges one of the following: (1) the defect relates to an unreasonable safety hazard; (2) the defect is material and related to the product's central function; or (3) the presence of one of the four LiMandri factors. In re Toyota, 534 F. Supp. 3d at 1102.

Google argues for the first approach, see Mot. at 14-16, while Plaintiffs argue for the second, see Opp'n at 7-8. Plaintiffs point to In re Toyota RAV4 Hybrid Fuel Tank Litig., 534 F. Supp. 3d at 1101 and this Court's decision in City & County of San Francisco v. Purdue Pharma L.P., 491 F. Supp. 3d 610, 690 (N.D. Cal. 2020). These two cases seemingly applied only the LiMandri factors to determine that the defendants there had a duty to disclose. See Purdue Pharma, 491 F. Supp. 3d at 690 ; In re Toyota, 534 F. Supp. 3d at 1101.

This Court will apply the first approach (i.e., that in addition to alleging a LiMandri factor, the plaintiff must allege materiality and that the defect was central to the product's function). First, it appears that the Ninth Circuit adopted this approach in Hodsdon v. Mars, Inc., 891 F.3d 857 (9th Cir. 2018). Id. at 863 (stating that the defendant lacked a duty to disclose because the plaintiffs failed to plead "a crucial element ... that the defect must relate to the central functionality of the product"). Second, post- Hodsdon, the Ninth Circuit and a majority of district courts have applied the first approach. See, e.g., Sud v. Costco Wholesale Corp., 731 F. App'x 719, 720 (9th Cir. 2018) ; In re Apple Inc. Device Performance Litig., 386 F. Supp. 3d 1155, 1176 (N.D. Cal. 2019) ; Beyer v. Symantec Corp., 333 F. Supp. 3d 966, 979-80 (N.D. Cal. 2018) ; Anderson, 500 F. Supp. 3d at 1014 ; Ahern v. Apple, 411 F. Supp. 3d 541, 567 (N.D. Cal. 2019).⁸ Applying the first approach, Plaintiffs must allege that Google's collection of user data from non-Google apps on Android smartphones either (1) relates to an unreasonable safety hazard or (2) is material, "central to the product's function," and meets one of the four LiMandri factors. Hodsdon, 891 F.3d at 863. Plaintiffs do not argue, under the first prong, that Google's alleged omission relates to an unreasonable safety hazard. Thus, they must plausibly allege the second prong. They have failed to do so because Google's data collection practices are not central to the function of their Android smartphones. Plaintiffs argue that "[u]sing apps is at the heart of the smartphone experience" and thus affect a central function of the Android phone. Opp'n at 8-9 n.6. But that is not the test courts apply. The question is not whether a defect "affects" the product, rather the question is: does the alleged defect prevent the product from "performing a critical or integral function," or render the product "incapable of use" for all users? See Knowles v. ARRIS Int'l PLC, 847 F. App'x 512, 513-14 (9th Cir. 2021) (critical and integral function); Ahern, 411 F. Supp. 3d at 567 (incapable of use); see also Hodsdon, 891 F.3d at 864 (stating that a "computer chip that corrupts the hard drive, or a laptop screen that goes dark, renders those products incapable of use by any consumer," but "the alleged lack of disclosure about the existence of slave labor in the supply chain is not ... related to the chocolate's function as chocolate").

8 This Court apparently applied the second approach (the LiMandri factors alone) to determine that opioid manufacturers had a duty to disclose that opioids were addictive and frequently abused. Purdue Pharma L.P., 491 F. Supp. 3d at 690. However, the split of authority was not squarely raised there. Moreover, a duty to disclose existed under any theory. The omitted facts related to an unreasonable safety hazard and were material and went to opioids' central function.

Plaintiffs have not alleged that Google's collection of data from non-Google apps renders their smartphones "incapable of use" or prevents their phones from "performing a critical or integral function." See Knowles, 847 F. App'x at 513-14 ; Ahern, 411 F. Supp. 3d at 567. Therefore, the Court dismisses Plaintiffs' fraud claims to the extent Plaintiffs predicate them on a fraudulent omission theory because Plaintiffs fail to plausibly allege that Google had a duty to disclose.⁹

9 Because the Court finds that Google lacked a duty to disclose its alleged omissions, the Court need not address Google's additional arguments that (1) Plaintiffs did not actually rely on the alleged omissions, or (2) the fraudulent omission claims are also barred by California's economic loss rule. (Moreover, the Ninth Circuit recently certified to the California Supreme Court the question of whether "claims for fraudulent concealment [are] exempted from the economic loss rule," Rattagan v. Uber Techs., Inc., 19 F.4th 1188, 1191, 1193 (9th Cir. 2021). The fact that the California Supreme Court has not yet spoken is another reason the Court does not engage with this argument at this time.)

4. CLRA

Although the Court has already found that Plaintiffs have not stated any of their fraud claims, the Court also concludes that the CLRA claim also fails for another reason.

The CLRA prohibits "unfair or deceptive acts or practices ... undertaken by any person in a transaction ... that results in the sale or lease of goods to any consumer." Cal. Civ. Code § 1770. The term "person" means an individual or business. Cal. Civ. Code. § 1761. A "consumer" is "an individual who seeks or acquires, by purchase or lease, any goods or services for personal, family, or household purposes." Id. "Goods" are "tangible chattels." Id. A "transaction" is "an agreement between a consumer and another person, whether or not the agreement is a contract enforceable by action, and includes the making of, and the performance to, that agreement." Id. Google argues that Plaintiffs cannot state a claim under the CLRA because (1) Android OS is a free software (and thus not a good under the CLRA), and (2) Plaintiffs purchased their smartphones from third-party manufacturers, not Google. Mot. at 17; Reply at 14.

Google's first argument is unpersuasive because Plaintiffs premise their CLRA claim on their purchase of Android smartphones, which are "goods" under the CLRA. The court in In re iPhone Application Litigation came to a similar conclusion. 844 F. Supp. 2d 1040, 1070-71 (N.D. Cal. 2012). There, plaintiffs sued Apple, asserting a CLRA claim premised on their purchase of "iDevices" (iPhones, iPods, iPads). Id. at 1048-49. The plaintiffs alleged Apple represented that it took "precautions" to protect consumers' personal information. Id. at 1049-50. But contrary to Apple's representations, plaintiffs alleged that when they downloaded free apps from Apple's app store, app creators could access their personal information. Id. Apple argued that plaintiffs could not allege a CLRA claim based on downloading free apps. Id. at 1070. The court disagreed. Id. at 1070-71. It reasoned that the plaintiffs asserted a CLRA claim based on the purchase of their iDevices (and not the free apps) because they alleged that they overpaid for their iDevices due to Apple's alleged false representations. Id. Plaintiffs here similarly allege that they overpaid for their Android smartphones because of Google's failure to disclose its data collection practices. See Compl. ¶ 61. Thus, Plaintiffs sufficiently premise their CLRA claim on the sale of a good.

Nonetheless, Google is correct that Plaintiffs fail to allege a "transaction" under the CLRA. Although courts have held that the CLRA does not require a direct transaction between a plaintiff and a defendant, in cases where there was no direct sale, the plaintiff sued either (1) the manufacturer of the product or (2) a party that received some portion of the product's sale. See, e.g., Philips v. Ford Motor Co., 2015 WL 4111448, at *14 (N.D. Cal. July 7, 2015) (holding that plaintiffs plausibly alleged a CLRA claim against the manufacturer of their cars despite not purchasing the car directly from the manufacturer); Decarlo v. Costco Wholesale Corp., 2020 WL 1332539, at *9 (S.D. Cal. Mar. 23, 2020) (holding that a plaintiff plausibly alleged a CLRA claim against Costco despite not purchasing his eye exam directly from Costco because "Costco entered into an agreement with [a third-party] whereby [the third-party] would lease ... office space to optometrists which required the optometrist to pay a portion of their exam fees to [the third-party] who provided a portion to Costco"). Plaintiffs claim in their brief that Google receives a portion of the sale of the smartphones, see Opp'n at 13, but they do not do so anywhere in their complaint. Thus, Plaintiffs fail to allege a "transaction" under the CLRA.

***

In sum, the fraud claims fail because (1) Plaintiffs did not actually rely on any alleged misrepresentation, and (2) Google lacked a duty to disclose any alleged omission. The CLRA claim fails for the additional reason that Plaintiffs fail to allege a "transaction." The Court GRANTS the motion to dismiss the CLRA, UCL fraud prong, and Section 1709 claims.

C. Privacy Claims (claims 1, 2, and 10)

Plaintiffs allege three privacy claims: intrusion upon seclusion under California common law (claim 1), invasion of privacy under the California Constitution (claim 2), and violation of the CIPA (claim 10). Compl. ¶¶ 102-25, 196-201. The Court will address claims 1 and 2 together, and then address claim 10. 1. Privacy Under the Common Law and State Constitution

A claim for intrusion upon seclusion under California common law requires (1) intrusion into a private place, conversation, or matter to which Plaintiffs have a reasonable expectation of privacy (2) in a manner highly offensive to a reasonable person. In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 601 (9th Cir. 2020) (citing Hernandez v. Hillsides, 47 Cal.4th 272, 97 Cal.Rptr.3d 274, 211 P.3d 1063, 1072 (2009) ). This District sets a high bar when assessing the "highly offensive" requirement. In re Google, Inc. Priv. Pol'y Litig., 58 F. Supp. 3d 968, 988 (N.D. Cal. 2014) (internal citation omitted). To state a claim for invasion of privacy under the California Constitution, Plaintiffs must show that (1) a legally protected privacy interest, (2) a reasonable expectation for privacy, and (3) the intrusion is so serious as to amount to an egregious breach of the social norms. Facebook Tracking, 956 F.3d at 601 (citing Hernandez, 211 P.3d at 1073 ).

Given the similarity of the two tests, courts consider them together and ask (1) whether there is a reasonable expectation of privacy, and (2) whether the intrusion was highly offensive. See id. (citing Hernandez, 211 P.3d at 1072-73 ). The Court concludes that these two privacy claims fail because, although Plaintiffs have pleaded a reasonable expectation of privacy, they have not pleaded that the intrusion was highly offensive.¹⁰

10 Google also argues that Plaintiffs fail even to allege a legally protected privacy interest. Mot. At 3. But courts tend to find this satisfied easily, and the Court finds that users have a legally protected privacy interest in at least some information regarding their sexual preferences, religion, political affiliations, and menstrual cycle. Compl. ¶¶ 6-7, 69; see In re Vizio, Inc., Consumer Priv. Litig., 238 F. Supp. 3d 1204, 1232 (C.D. Cal. 2017) (holding that there is a cognizable privacy interest in discrete types of information such as a user's video viewing history).

a. Reasonable Expectation of Privacy

Plaintiffs have plausibly pleaded that customers would reasonably expect Google not to track their usage data as to non-Google apps. A reasonable expectation of privacy can exist where a defendant gains "unwanted access to data by electronic or other covert means, in violation of the law or social norms." See Facebook Tracking, 956 F.3d at 601-02 (quoting Hernandez, 211 P.3d at 1072-73 ). Courts consider the customs, practices, and circumstances surrounding the data collection, including the amount of data collected, the sensitivity of data collected, the manner of data collection, and the defendant's representations to its customers. See Hill v. National Collegiate Athletic Association, 7 Cal.4th 1, 26 Cal.Rptr.2d 834, 865 P.2d 633, 655 (1994).

In Facebook Tracking, the Ninth Circuit applied these factors to find that there was a reasonable expectation of privacy. 956 F.3d at 602-04. There, the plaintiffs alleged that Facebook obtained "an enormous amount of individualized data" by collecting URLs of third-party websites that could disclose the "search term" inputted by users which could potentially "divulge a user's personal interests, queries, and habits on third-party websites operating outside of Facebook's platform." Id. at 603, 605. After noting the large amount and high sensitivity of the data collected, the court considered whether the manner of the data collection "violate[d] social norms." Id. at 603. The court emphasized that the data collection occurred after users had logged out of their Facebook accounts, which contravened its affirmative statements to users that it would not receive information from third-party websites after users had logged out. Id. at 603-04 ; see also Calhoun v. Google LLC, 526 F. Supp. 3d 605, 630 (N.D. Cal. 2021) (holding that a reasonable expectation of privacy existed when Google's data collection defied Google's representation such that reasonable users might expect that their personal information would not be disclosed).

Conversely, there is no reasonable expectation of privacy when the data collection is within users' common-sense expectation or when the information is not sensitive. For example, in United States v. Forrester, the Ninth Circuit held that internet users lacked a reasonable expectation of privacy in the IP addresses of the websites they visited because "they should know that this information is provided to and used by Internet service providers for the specific purpose of directing the routing of information." 512 F.3d 500, 510 (9th Cir. 2008). Likewise, in In re Zynga Privacy Litigation, the Ninth Circuit held that a user did not have a reasonable expectation of privacy in URLs that revealed only basic identification and address information. 750 F.3d 1098, 1108-09 (9th Cir. 2014). While both Zynga and Facebook Tracking concerned data collection of URLs, Zynga distinguished Facebook Tracking in two ways: first, where the URLs in Facebook Tracking disclosed the unique "search term" inputted by a user in a third-party search engine and the "particular document within a website that a person views," the URLs in Zynga only revealed a user's Facebook ID and the address of the Facebook webpage the user was viewing before the user clicked on a link to play a game. See 956 F.3d at 605 (citing Zynga, 750 F.3d at 1102 ). Second, the data collection in Zynga was less egregious because users there were still logged into their Facebook accounts, whereas the data collection in Facebook Tracking occurred after users logged out. See id. (citing Zynga, 750 F.3d at 1102 ).

Here, Plaintiffs have plausibly alleged a reasonable expectation of privacy because Google allegedly collected potentially sensitive data while users might not expect that Google was tracking them. Plaintiffs allege that Google collected usage data, including duration and frequency of usage of various applications, from "millions of individuals." Compl. ¶ 65. Plaintiffs also allege that usage data of non-Google apps allows Google to infer about a user's pregnancy, sleep cycle, religion, political affiliation, and menstrual cycle. Compl. ¶¶ 7-8, 69. While it may be a close question as to whether it is plausible that Google really did collect such information, viewing the allegations in the light most favorable to Plaintiffs, there is at least a question of fact as to whether the information would be sensitive to a reasonable individual. See Facebook Tracking, 956 F.3d at 603-04 (finding a reasonable expectation of privacy where there remained a material question of fact as to whether the data would be deemed "sensitive and confidential").

Moreover, the manner of Google's alleged data collection plausibly defies social norms. Plaintiffs allege that users were unaware of the data collection because Google used an "internal secret program" to collect data while users were not in Google apps. Compl. ¶ 4; Opp'n at 17. While Google never made affirmative promises not to collect the data as in Facebook Tracking, Google's Privacy Policy is (at best) ambiguous. Calhoun reasoned that a reasonable expectation of privacy exists when the plaintiffs "could have reasonably assumed" the company's policy prohibited data collection. 526 F. Supp. 3d at 630. So too here, because a reasonable consumer could have understood from the Terms of Service and Privacy Policy that Google collects data only from Google apps. See id.; see also McCoy, 2021 WL 405816, at *6 (finding that a reasonable user might understand the Privacy Policy to mean that Google would collect data from non-Google apps only to enhance the user's personal experience). Because the collection of this large amount of personal information from users' smartphones likely contravenes Plaintiffs' reasonable understanding of the Privacy Policy, users had a reasonable expectation of privacy.

b. Highly Offensive

Nonetheless, these two privacy claims fail because Plaintiffs do not allege that Google's intrusion was highly offensive. Determining whether a defendant's actions were "highly offensive to a reasonable person" requires a "holistic consideration of factors such as the likelihood of serious harm to the victim, the degree and setting of the intrusion, the intruder's motives and objectives, and whether countervailing interests or social norms render the intrusion inoffensive." Facebook Tracking, 956 F.3d at 606 (quoting Hernandez, 211 P.3d at 1073 ). The analysis also "focuses on the degree to which the intrusion is unacceptable as a matter of public policy." Id.

Courts in this district have held that data collection and disclosure to third parties that is "routine commercial behavior" is not a "highly offensive" intrusion of privacy. See Low v. LinkedIn Corp., 900 F. Supp. 2d 1010, 1025 (N.D. Cal. 2012) (LinkedIn's disclosure of users' browser history to third parties was not highly offensive); Google Priv. Pol'y, 58 F. Supp. 3d at 988 (Google's collection and disclosure of users' browsing histories was not highly offensive); iPhone Application Litig., 844 F. Supp. 2d at 1063 (disclosures of unique device identification number, personal data, and geolocation information without consent were not an egregious breach of social norms). Even disclosure of highly personal information such as social security numbers is not "highly offensive." Low, 900 F. Supp. 2d at 1025. But conduct is more likely to be "highly offensive" where the defendant "surreptitious[ly]" collects sensitive information even while the plaintiff has logged off and is not even using the defendant's services. See Facebook Tracking, 956 F.3d at 606 & n.8.

In McCoy, Judge van Keulen held that information of how long and how often users used non-Google apps "alone" could not rise to the standard of being "highly offensive." 2021 WL 405816, at *8, *14. Google argues that Plaintiffs' allegations in this case are "materially identical to" those dismissed in McCoy. Reply at 1. Plaintiffs insist that their allegations differ in two ways: (1) they allege details regarding the types of intimate personal information that Google can discern based on an individual's use of a certain apps, such as a user's sleep cycle, menstrual cycle, sexual preferences, religion, and political affiliations; (2) they plead information about the Congressional inquiry into Google's data collection practices and quote a House Subcommittee's conclusion that Google "collects specific usage data" that yields "near-perfect market intelligence." Compl. ¶¶ 37-39; Opp'n at 18-19.

But Plaintiffs still fail to plead a "highly offensive" intrusion of privacy. First, though Google's representation in its Privacy Policy is ambiguous, its data collection is not blatantly deceitful. It is thus a different case than Facebook Tracking, where Facebook's surreptitious data collection contravened its affirmative promises to its users that it would never track them after they logged out. See 956 F.3d at 603. It is also unlike In re Google Inc. Cookie Placement Consumer Privacy Litigation, where Google overrode users' cookie blockers and contravened statements in its Privacy Policy that explained how users refuse cookies. See 806 F.3d 125, 150 (3rd Cir. 2015). But perhaps more importantly, Plaintiffs do not allege that the data allegedly collected by Google is sufficiently specific or personal, and its collection sufficiently harmful, to be highly offensive. Factors like "the likelihood of serious harm to the victim, the degree and setting of the intrusion, [or] the intruder's motives and objectives" do not plausibly suggest that Google's behavior was that egregious. See Facebook Tracking, 956 F.3d at 606. To be sure, information about a user's menstrual cycle is extremely intimate. But, without more, it is not plausible that Google can deduce a user's menstrual cycle just from knowing how long the user uses a fertility tracker app. Plaintiffs do not allege that Google collects specific menstrual cycle information inputted in the fertility tracker app.¹¹ The lack of details as to how Google could attain the intimate information renders implausible what might otherwise be the strongest allegation of highly offensive conduct.

11 Plaintiffs currently do not clearly plead that the personal information collected by Google is non-aggregate or de-anonymized. Despite Plaintiffs' implication in the complaint, quoted words and phrases from the Congressional report that the data collection was "specific" and provided "near-perfect market intelligence" do not indicate that the information was de-anonymized. Compl. ¶¶ 37-38. And even if the data collection by Google is assumed to reveal information specific to each individual user, it still fails to amount to be a highly offensive intrusion of privacy.

Nor is the other personal information allegedly collected by Google sufficiently intrusive to satisfy this element. Courts have found egregious intrusions of privacy in cases involving surreptitious recording of people's voices and conversations. See In re Google Assistant Privacy Litigation, 457 F. Supp. 3d 797, 830 (N.D. Cal. 2020) (finding the unconsented recording and reviewing of users' conversations by Google's voice-activated software highly offensive); see also Shulman v. Grp. W Prods., Inc., 18 Cal.4th 200, 74 Cal.Rptr.2d 843, 955 P.2d 469, 494 (1998) (disclosure on a public television channel of a nonconsensual recording of a survivor's words at the accident scene could be highly offensive). A conclusory claim that Google collects general information about a user's religion, political affiliation, or sexual preference does not suffice, particularly because Plaintiffs do not plausibly allege the specific apps from which Google inferred this information.¹² See Compl. Although the Court concluded above that consumers plausibly have a reasonable expectation of privacy in general app usage data, that does not mean that a reasonable consumer would be particularly shocked or offended to discover that Google is in fact collecting this sort of data.

12 For example, Plaintiffs do not allege that Google infers the sexual identity of closeted queer users from those users' usage of a given dating app.

Because Plaintiffs have not alleged that Google's conduct is plausibly "highly offensive" or "egregious," the common-law and constitutional privacy claims fail.

2. California Invasion of Privacy Act

The Court also concludes that the CIPA claim is insufficiently pleaded. CIPA prohibits any person from using electronic means to "learn the contents or meaning of any message, report, or communication" "without the consent of all parties to the communication." Cal. Pen. Code § 631(a). The provision protects against three types of harm: "intentional wiretapping, willfully attempting to learn the contents or meaning of a communication in transit over a wire, and attempting to use or communicate information obtained as a result of engaging in either of the two previous activities." Tavernetti v. Superior Ct., 22 Cal.3d 187, 148 Cal.Rptr. 883, 583 P.2d 737, 741 (1978).

As noted above, Google plausibly lacked consent from Plaintiffs as to its data collection. The questions are whether Plaintiffs adequately allege that Google intercepted "communication[s] ... in transit" and learned their "contents."

a. Communications In Transit

CIPA § 631 applies to "communications" "in transit." Tavernetti, 583 P.2d at 741. Plaintiffs contend that the communications are the interactions Android owners have with non-Google apps. Opp'n at 19. Google argues that this is not a "communication," much less one "in transit." Reply at 4.

Although there is some oddity in construing the collection of data related to app usage as involving "communications," it is at least plausible that it does. When an Android user opens a non-Google app such as Instagram, the user begins communicating with Instagram that lasts for the period throughout the user's usage of the app. Therefore, at least at this stage, the Court finds that there is a communication involved. Cf. Revitch v. New Moosejaw, LLC, 2019 WL 5485330, at *1 (N.D. Cal. Oct. 23, 2019) (holding that a user's interactions with a shopping website was a communication under CIPA because the user requested information from the website and the website responded to the requests). Viewing the allegations in the light most favorable to Plaintiffs, Google's data collection could involve communications.

For similar reasons, at least for now, Plaintiffs adequately allege that the intercepted communications were in transit. Citing Bradley v. Google, Inc., Google contends that the communications here were in storage. Mot. at 6. But in Bradley, Google allegedly deleted and removed the plaintiff's emails the day after the plaintiff saved the emails to her Google account. 2006 WL 3798134, at *5-6 (N.D. Cal. Dec. 22, 2006). Accordingly, Bradley held that Google's practice was not an interception of electronic communications in transit but rather deletion of electronic communications in storage. Id. Here, Plaintiffs allege that the collection process occurred "when [users] interact with non-Google applications on their smartphones." Compl. ¶ 4. While it is unclear whether Google's interception occurs solely when a user opens and exits Instagram, or occurs while the user uses Instagram, it is at least plausible that Google collects data during users' usage of non-Google apps.

b. Contents

The CIPA claim nonetheless fails because Plaintiffs do not plead that Google learned the "contents" of the communications.

"The analysis for a violation of CIPA is the same as that under the federal Wiretap Act." Cline v. Reetz-Laiolo, 329 F. Supp. 3d 1000, 1051 (N.D. Cal. 2018) (internal citation omitted). The Wiretap Act defines the term "contents" as "any information concerning the substance, purport, or meaning of that communication." 18 U.S.C. § 2510. The Ninth Circuit has held that "contents" means "the intended message conveyed by the communication" as opposed to "record information regarding the characteristics of the message that is generated in the course of the communication." Zynga, 750 F.3d at 1106.

Courts employ a contextual "case-specific" analysis hinging on "how much information would be revealed" by the information's tracking and disclosure. Google Cookie Placement, 806 F.3d at 137-38. Generally, customer information such as a person's name, address, and subscriber number or identity is record information, but it may be contents when it is part of the substance of the message conveyed to the recipient. See id. at 137 ; Zynga, 750 F.3d at 1104, 1108-09. Similarly, URLs are record information when they only reveal a general webpage address and basic identification information, but when they reproduce a person's personal search engine queries, they are contents. See id. at 1108 ; Forrester, 512 F.3d at 510 n.6.

As noted above, the sensitivity of information collected by Google—and the plausibility of the collection of each sort of data—remains unclear. But at least as currently alleged, information about personal habits and identities that Google "infers" from the types of apps a user uses is not "content" of a communication. See Reply at 4. In Forrester, IP addresses that revealed the news websites ("nytimes.com")—but not the particular articles—that users viewed were not "contents" because they could only allow "educated guess about what [users viewed] on the websites." 512 F.3d at 510 n.6. Forrester noted that URLs that could reveal the particular articles users read would likely be "more [ ] problematic." Id. Indeed, in Facebook Tracking, the Ninth Circuit concluded that URLs that could disclose the search terms users typed into the search engines were "contents" because they could provide "significant information regarding the user's browsing history" and divulge "a user's personal interests, queries, and habits on third-party websites operating outside of Facebook's platform." 956 F.3d at 596, 605.

This case is more analogous to Forrester than to Facebook Tracking. While Google might infer a user's traits and habits from the fact that this user uses non-Google apps designed for a specific purpose, the extent of that inference is limited because Plaintiffs do not allege Google can read the specific information (i.e., content) that a user inputs. Consider again Plaintiffs' allegation that Google can learn about a user's menstrual cycle. From the activity data regarding the duration and frequency a user's use of a fertility tracker app, Google may infer that the user is a female and has the ability to get pregnant. However, it is implausible that Google can infer anything beyond that. And Google can extract even less information when the non-Google apps are not designed to serve specific purposes or specific groups of users. Google cannot infer anything from the fact that a person uses Instagram or Facebook. To constitute contents, the information intercepted by Google needs to identify the specific videos or document that the user views within Instagram or Facebook. See Reply at 4. As alleged, Google's data collection only allows Google to make "educated guesses" about a user's traits and habits, much like the IP addresses in Forrester. See 512 F.3d at 510 n.6.

None of Plaintiffs' other cases are apposite. See Opp'n at 20. In Google Cookie Placement, the Third Circuit suggested that a general scheme by Google of tracking the plaintiffs' internet usage would likely involve collecting "at least some ‘content’ within the meaning of the Wiretap Act." 806 F.3d at 139. But Plaintiffs fail to identify any content here. In Wesch v. Yodlee, Inc., another court in this district held that individuals' bank transaction histories constituted "contents" because they revealed personal details of the plaintiffs' lives and expenditures. 2021 WL 1399291, at *4 (N.D. Cal. Jul. 19, 2021). Similarly, In re Vizio, Inc., Consumer Privacy Litigation ruled that individuals' television program viewing records constituted contents. 2017 WL 11420284, at *6 (C.D. Cal. Jul. 25, 2017). The inferences available to Google in the instant case are far less personal, concrete, and detailed than the information in these two cases. See id.; Wesch, 2021 WL 1399291 at *4. Because Plaintiffs fail to allege that Google intercepted "contents" of any communication, the CIPA claim fails. Accordingly, the Court GRANTS the motion to dismiss the three privacy claims.

D. UCL Claim (claim 4)

The UCL is violated where a business practice is (1) unlawful, (2) unfair, or (3) fraudulent. Cal. Bus. & Profs. Code § 17200. Each prong involves a distinct theory of liability and provides an independent basis for relief. Lozano v. AT&T Wireless Servs., Inc., 504 F.3d 718, 731 (9th Cir. 2007). Plaintiffs allege that Google violated all three prongs. Compl. ¶ 138. The Court has already concluded that Plaintiffs have not pleaded a claim under the fraud prong. For the reasons below, the Court concludes that Plaintiffs also fail to plead a claim under the unlawful and unfair prongs.

1. Unlawful Prong

Under the unlawful prong, injured customers base their claims on violations of other causes of actions. S. Bay Chevrolet v. Gen. Motors Acceptance Corp., 72 Cal. App. 4th 861, 880, 85 Cal.Rptr.2d 301 (1999) (internal citation omitted). If the predicate claims fail, the UCL claim also fails. Davis, 691 F.3d at 1168. Plaintiffs base their unfair competition claim on the common-law intrusion upon seclusion claim (claim 1), California Constitution claim (claim 2), California Civil Code § 1709 (claim 3), and CIPA § 631 claim (claim 10). Compl. ¶ 139. Since those claims fail, Plaintiffs do not allege a claim under UCL's unlawful prong.

2. Unfair Prong

The UCL also prohibits business practices that are "unfair." Cal. Bus. & Profs. Code § 17200. However, the UCL does not define "unfair," and the definition in consumer cases is in flux. Hodsdon, 891 F.3d at 866 (internal citation omitted). Google argues that the unfair prong cannot stand because "[i]n this district, when [a plaintiff's] claim under the unfair prong overlaps entirely with the conduct alleged in the fraudulent and unlawful prongs of the UCL, ‘the unfair prong of the UCL cannot survive if the claims under the other two prongs ... do not survive.’ " Reply at 15 (quoting Eidmann, 522 F. Supp. 3d at 647 (internal citation omitted)).

The Court agrees. Plaintiffs argue that their claim under the unfair prong does not overlap entirely with their claims under the other two prongs because the fraud prong requires reliance. See Opp'n at 14. However, the "conduct" on which Plaintiffs base their claims under all three UCL prongs is the same: that Google collected sensitive personal data without proper disclosure to gain unfair advantage over its rival companies. See Compl. ¶¶ 139, 141, 145. Because the Court dismisses Plaintiffs' claims under the fraud and unlawful prongs, the unfair prong cannot survive either. See Eidmann, 522 F. Supp. 3d at 647. The Court therefore GRANTS the motion to dismiss the UCL claim.

E. Contract Claims (claims 6, 7, and 8)

1. Breach of Contract

To state a claim for breach of contract, Plaintiffs must allege four elements: (1) the existence of a contract, (2) plaintiffs' performance under the contract, (3) defendant's breach, and (4) damage to plaintiff. Facebook Tracking, 956 F.3d at 610. The main element in dispute is whether Google breached the contract. Plaintiffs argue that Google breached the Terms of Service and the incorporated Privacy Policy in two ways: (1) violating its specific promise to collect data from third-party apps only if those apps use Google services; and (2) failing to disclose the true purpose of its data collection in claiming in its Privacy Policy that it collects data only to "provide better services." Compl. ¶¶ 162-63.

In McCoy, Judge Van Keulen held that Google lacked consent to collect usage data from non-Google apps to gain a competitive edge in the market against its rivals, and treated this as the basis for denying Google's motion to dismiss with regard to the breach of contract claim. 2021 WL 405816, at *6, *12. Although the Court agrees with McCoy that Google plausibly lacked consent, the Court respectfully disagrees that this means Google plausibly breached a contract. The question is whether Google breached anything that it promised, not whether Google did anything it did not promise. See Facebook Tracking, 956 F.3d at 610 (dismissing the breach of contract claim because Facebook's contract with the plaintiffs did not contain an explicit promise not to collect the data).

It follows that both of Plaintiffs' theories of breach fail. First, Plaintiffs are incorrect that Google made a specific promise to collect data only from apps that use Google's services like YouTube and Gmail. Plaintiffs argue that Google "expressly promised to disclose all the data it collected and for what purposes." Opp'n at 15; see Privacy Policy at 1 ("When you use our services, you're trusting us with your information ... This Privacy Policy is meant to help you understand what information we collect and why we collect it."); id. (purporting to "explain things as clearly as possible"). However, the Privacy Policy states only that "the activity information we collect may include" "Activity on third-party sites and apps that use our services." Kanig Decl. Ex. A at 3 (emphasis added). Although a reasonable consumer might understand that Google does not collect information from non-Google apps, these statements do not plausibly amount to a promise to collect data only from Google apps or third-party apps that use Google services. And Plaintiffs cannot state a claim for breach of contract without alleging a promise that is breached. See Facebook Tracking, 956 F.3d at 610 ("For a contract to exist, there must be an exchange of promise.").

Plaintiffs' second theory of breach fails too. Google never promised not to compete with rival companies. Instead, the Privacy Policy states that Google will collect data to provide better services—a promise that Plaintiffs do not allege that Google breached. See Kanig Decl. Ex. A at 16, Ex. B at 17.

The breach of contract claim therefore fails.

2. Implied Contract

Plaintiffs also raise a breach of implied contract claim. Compl. ¶ 167. An implied contract is one the existence and terms of the promise are "manifested by conduct." Cal. Civ. Code § 1621 ; see Cal. Spine & Neurosurgery Inst. v. United Healthcare Ins. Co., 2019 WL 4450842, at *3 (N.D. Cal. 2019). Like an express contract, an implied contract requires a meeting of minds or an ascertained agreement. Pac. Bay Recovery, Inc. v. Cal. Physicians' Servs., Inc., 12 Cal. App. 5th 200, 215, 218 Cal.Rptr.3d 562 (2017).

As Google correctly argues, "an action based on an implied-in-fact [contract] ... cannot lie where there exists between the parties a valid express contract covering the same subject matter." Be In, Inc. v. Google Inc., 2013 WL 5568706, at *5 (N.D. Cal. Oct. 9, 2013). Here, Plaintiffs clearly allege that they had an enforceable contract with Google; indeed, they cite and quote from the Terms of Service and Privacy Policy throughout their Complaint. See, e.g., Compl. ¶¶ 161-62. Moreover, these documents also govern the subject matter of Plaintiffs' implied contract claim—scope and purpose of data collection. Therefore, the express contract governs, and any implied contract claim fails.¹³

13 Plaintiffs rely on Putnam v. Putnam Lovell Group NBF Securities, Inc. and argue that they can plead an implied contract claim in the alternative to their express contract claim. See Opp'n at 14. However, Putnam allowed an implied contract claim to proceed because the plaintiff amended the pleading to allege that the portions of the express contract covering the dispute were replaced or superseded. 2006 WL 1821207, at *6 (N.D. Cal. June 30, 2006).

3. Unjust Enrichment

Plaintiffs plead in the alternative that Google received benefits from Plaintiffs in the form of the sensitive personal data that Google collected and unjustly retained those benefits. Compl. ¶¶ 179, 182-83. Google argues that (1) unjust enrichment is not an independent cause of action; (2) even if it were, the claim would fail because an enforceable agreement defines the parties' rights; and (3) even if the claim were not precluded by an express agreement, Plaintiffs failed to allege that Google committed an actionable wrong and benefited at Plaintiffs' expense. Mot. at 20.

California law on unjust enrichment remains somewhat unclear. In Astiana v. Hain Celestial Group., Inc., the Ninth Circuit held that unjust enrichment is not an independent cause of action but "describe[s] the theory underlying a claim that a defendant has been unjustly conferred a benefit through mistake, fraud, coercion, or request." 783 F.3d 753, 762 (9th Cir. 2015). When a plaintiff alleges unjust enrichment, a court may "construe the cause of action as a quasi-contract claim seeking restitution," but this quasi-contract claim "does not lie when an enforceable, binding agreement exists defining the rights of the parties." Id. at 762 (quoting Rutherford Holdings, LLC v. Plaza Del Rey, 223 Cal.App.4th 221, 166 Cal. Rptr. 3d 864, 872 (2014) ); Paracor Fin., Inc. v. Gen. Elec. Capital Corp., 96 F.3d 1151, 1167 (9th Cir. 1996).

More recently, the Ninth Circuit followed the California Supreme Court in allowing an independent claim for unjust enrichment to proceed. Bruton v. Gerber Products Co., 703 Fed. Appx. 468, 470 (9th Cir. 2017) (citing Hartford Cas. Ins. Co. v. J.R. Mktg., L.L.C., 61 Cal.4th 988, 190 Cal.Rptr.3d 599, 353 P.3d 319, 322 (2015) (allowing unjust enrichment to proceed as an independent claim in an insurance case)). Following Bruton, Judge Chhabria permitted the plaintiffs in a data disclosure dispute to plead unjust enrichment alongside valid breach of contract and fraud claims, holding that unjust enrichment provided another avenue for the plaintiffs to claim damages. See In re Facebook, Inc., Consumer Priv. User Profile Litigation, 402 F. Supp. 3d 767, 803 (N.D. Cal. 2019).

But even if unjust enrichment is an independent cause of action, Plaintiffs still have not plausibly pleaded an actionable wrong. As noted above, Plaintiffs fail to plead with particularity that Google committed an actionable misrepresentation or omission. And "when a plaintiff fails ‘to sufficiently plead an actionable misrepresentation or omission, his [or her] restitution claim must be dismissed.’ " Rojas-Lozano v. Google, Inc., 159 F. Supp. 3d 1101, 1120 (N.D. Cal. 2016) (internal citation omitted); Swearingen v. Healthy Beverage, LLC, 2017 WL 1650552, at *5 (N.D. Cal. May 2, 2017) (finding that the unjust enrichment claim failed because the plaintiffs failed to allege that they relied to their detriment on the defendants' misrepresentations); Dinosaur Development, Inc. v. White, 216 Cal. App. 3d 1310, 1316, 265 Cal.Rptr. 525 (1989) (for restitution, it "must ordinarily appear that the benefits were conferred by mistake, fraud, coercion or request; otherwise, though there is enrichment, it is not unjust."). Accordingly, the unjust enrichment claim cannot stand.

The Court therefore GRANTS the motion to dismiss all three of the contract claims.

F. Declaratory Judgment (claim 9)

Finally, Plaintiffs seek relief under the Declaratory Judgment Act. Compl. ¶¶ 186-95. The Act provides that "[i]n a case of actual controversy within its jurisdiction ... any court of the United States ... may declare the rights and other legal relations of any interested party seeking such declaration, whether or not further relief is or could be sought." 28 U.S.C. § 2201(a). However, "[t]he Declaratory Judgment Act does not provide an independent theory for recovery; if the underlying claims are dismissed, ... then there is no basis for any declaratory relief." Muhammad v. Conner, 2012 WL 2428937, at *3 (N.D. Cal. Jun. 26, 2012) (citing Hoeck v. City of Portland, 57 F.3d 781, 787 (9th Cir. 1995) and 28 U.S.C. § 2201 ). Because the Court dismisses all of Plaintiffs' underlying claims, the Court GRANTS the motion to dismiss the declaratory relief claim.

IV. CONCLUSION

For the foregoing reasons, the Court GRANTS Google's Motion to Dismiss as to all claims. Although many of the problems noted above will be difficult to cure, the Court provides leave to amend. See Leadsinger, 512 F.3d at 532. Plaintiffs may file an amended complaint within 21 days of the date of this order.

IT IS SO ORDERED.