Summary
taking judicial notice of transcripts of earnings calls
Summary of this case from Mehedi v. View, Inc.Opinion
Case No. 5:18-cv-01725-EJD
2020-08-07
IN RE FACEBOOK, INC. SECURITIES LITIGATION
ORDER GRANTING DEFENDANTS’ MOTION TO DISMISS WITH LEAVE TO AMEND
Re: Dkt. No. 126
EDWARD J. DAVILA, United States District Judge
Before the Court is Defendants’ motion to dismiss Plaintiffs’ second amended complaint. Plaintiffs are persons who purchased shares of Facebook common stock between February 3, 2017 and July 25, 2018 ("the Class Period"), who believe that Defendant Facebook, Inc. and Executive Defendants Mark Zuckerberg, Sheryl K. Sandberg, and David W. Wehner made materially false and misleading statements and omissions in connection with the purchase and sale of Facebook stock. See Second Amended Complaint ("SAC") ¶ 1, Dkt. 123. Plaintiffs allege that Defendants violated Section 10(b), 20(a), and 20A of the Securities Exchange Act of 1934 (the "Exchange Act") and Rule 10b5 promulgated thereunder because Defendants made guarantees that the Cambridge Analytica, and related data-privacy scandals, would not impact Facebook stock while knowing this to be false. Specifically, Plaintiffs focus on Defendants’ statements and omissions concerning Facebook's "privacy and data protection practices" and their impact on Facebook's stock prices during the Class Period. Id.
Defendants have filed a motion to dismiss arguing that Plaintiffs have failed to (for a second time) meet Federal Rule of Civil Procedure 9(b) ’s heightened pleading requirements for securities fraud. The Court agrees; while Plaintiffs have plead sufficient facts to show actionable misstatements, scienter, and reliance, their SAC fails to plead facts showing causation. Thus, the Court GRANTS Defendants’ motion to dismiss with leave to amend .
Pursuant to N.D. Cal. Civ. L.R. 7-1(b) and General Order 72-5, this Court found this motion suitable for consideration without oral argument. See Dkt. 136.
I. BACKGROUND
A. Factual Background
Defendant Facebook was founded by Defendant Mark Zuckerberg, who is the Chief Executive Office ("CEO") of the company and the Chairman of the Board of Directors. Id. ¶ 32. Defendant Sheryl Sandberg is the Chief Organization Officer ("COO") of the company and serves on the Board of Directors. Id. ¶ 34. Defendant David Wehner is the Chief Financial Officer ("CFO") of the company. Id. ¶ 35.
Facebook is the world's largest social networking company; its products and platforms are designed to facilitate connection and information sharing between users through mobile devices and personal computers. Id. ¶ 41. Plaintiffs allege that Facebook's business model depends on: monetizing user data, attracting new users, and engaging/retaining existing users. Id. ¶¶ 43–48 ("Facebook's main asset is the vast treasure-trove of user personal data that it has amassed since its founding."). The platform formerly allowed third-party app developers’ applications or websites ("apps") access to users’ information and to users’ friends’ information. Id. ¶ 48. Despite Defendants guarantees to the contrary, access to user data (in contravention of user privacy settings) continued through the class period. Allegedly, certain "whitelisted" app developers and corporate giants like Amazon, Google, Samsung, Blackberry, Huawei (a Chinese technology company), and Mail.Ru Group (a Kremlin-connected technology conglomerate) were able to access users’ friends’ data through the class period. Id. ¶¶ 15, 16.
The Court briefly outlines the background of Plaintiffs’ claims. Before April 2014, a user automatically consented to an app developer gaining access to their personal data and the personal data of his or her friends ("third-party consent"). Id. ; see also Ex. 25, Dkt. 126-26. However, in April 2014, Defendant Zuckerberg informed users that this third-party consent would be changed. See Ex. 30, Dkt. 126-31 ("Second, we've heard from people that they're often surprised when a friend shares their information with an app. So we've updated Facebook Login so that each person decides what information they want to share about themselves, including their friend list."). After reading this announcement and considering Facebook's 2014, 2015, and 2016 Privacy Policies, the Court understands this to mean that users could still share their friend list with third-party app developers, but users and users’ friends would have more control over the sharing of that list. This is to say, Facebook represented to consumers that they could control the privacy of their data by using desktop and mobile privacy settings to limit the information that Facebook could share with app-developers. In actuality, users lacked such control. Indeed, Plaintiffs maintain that Facebook's representations were false and/or materially misleading because "whitelisted" app developers could still access users’ data and users’ friends’ data in contravention of user privacy settings. See id. ¶¶ 54–64.
1. Relevant Agreements
Facebook-User Agreements. The use and sharing of data on Facebook are governed by agreements between Facebook and its users, including Facebook's Data Policy (formerly the "Data Use Policy" and the "Privacy Policy") and Facebook's Terms of Service (formerly "Statement of Rights and Responsibilities"). Id. ¶¶ 167, 170, 232, 276, 370, 462–64. These policies explain how users can control whether and how their data is shared with their Facebook friends, other Facebook users, and third parties. Id. ¶¶ 326, 469. For example, the September 2016 Data Policy informed users of the categories of information that third-party apps could access if users allowed (or "authorized") apps to do so. See Ex. 26 at 2, Dkt. 126-27. The policy also informed users how to control access to their data and cautioned users that use of third-party apps, websites, or other services that use, or are integrated with, the Facebook platform may result in the third-parties receiving information about what users post or share. Id. ; see also SAC ¶ 469.
Under the November 2013 Data Use Policy, Facebook's policies allowed users to share information about their friends with third-party app developers. Id. ¶¶ 48, 89. This policy stated that app developers could ask for certain information about users’ friends and alerted users that their friends might choose to share some of their information with app developers. Ex. 25, Dkt. 126-26. For example, the policy advised users that when using a music app, "[y]our friend might ... want to share the music you ‘like’ on Facebook." Id. at 4 ("[I]f you've shared your likes with just your friends, the application could ask your friend for permission to share them."). Thus, under this November 2013 policy, a user's friend could re-share the user's likes with an app that the friend had downloaded, so long as the original user consented to such sharing by their friends. The converse was also true; if a user chose to turn off all Platform apps, that user's friends could not share the user's information with apps (at least, not without running afoul of the stated policy).
In 2014, however, Facebook announced that it would implement changes to its Platform that would "dramatically limit the Facebook information apps could access," and "shut off third parties’ access to collect user friend data" to ensure that "everyone has to choose to share their own data with an app themselves." SAC ¶¶ 81–83, 186, 383, 434; see also Ex. 30, Dkt. 126-31 (disclosing that platform changes would be finalized one year later). The FTC interpreted this to mean that Facebook would stop allowing third-party developers to collect data [about friends]." Id. ¶ 83. The Court does not comment on whether that interpretation is correct. But see Ex. 26, Dkt. 126-27 (2016 data policy warned users that when they use third-party apps, you share your username, user ID, your age range and country/language, and your list of friends , as well as any information that you share with them); accord Ex. 27 at 2, Dkt. 126-28; see also id. ("We transfer information to vendors, service providers, and other partners who globally support our business ....").
Facebook-App Developer Agreements ("Platform Policy"). Third-party app developers must agree to Facebook's Platform Policy before offering apps on the Facebook platform. SAC ¶¶ 275–76 & n. 265, 368–70. The Platform Policy, which was in place at all times relevant to the allegations in the SAC, limits the extent to which developers can collect and use Facebook user data, and requires developers to explain to users the categories of information they will collect and how it will be used. Id. ¶¶ 210, 275–76, 383–70. The Platform Policy prohibits developers from selling or transferring user data, and from using their customers’ friend data outside of customer use of the app. Id. ¶ 468.
2. Alleged Events Relevant to Plaintiffs’ Claims
Aleksandr Kogan and Cambridge Analytica. In 2013, Aleksandr Kogan, a professor and data researcher at Cambridge University, developed a personality quiz app called "This is Your Digital Life." Id. ¶¶ 87–88; see also September 2019 Order at 4 (Plaintiffs admitted in first complaint that Kogan developed app in 2013); Hakopian v. Mukasey , 551 F.3d 843, 846 (9th Cir. 2008) ("Allegations in a complaint are considered judicial admissions."). The app appeared on the Facebook Platform in 2014 and told users that the results of the quiz would be used for academic purposes. Id. ¶¶ 87–88. Approximately 270,000 people installed the app and consented to sharing their data, including some information about their Facebook friends, see id. ¶ 89, which at that time was permitted under Facebook's policies, subject to the friends’ privacy and application settings, see Ex. 25, Dkt. 126-26.
The December 2015 Guardian Article and Facebook's Response . In December 2015, The Guardian reported that Kogan, through his company Global Science Research ("GSR"), sold some of the information collected through the "This Is Your Digital Life" app to Cambridge Analytica, in violation of Facebook's policies. Ex. 17, Dkt. 126-18; SAC ¶¶ 5, 86–89, 98, 468. According to the article, Cambridge Analytica developed psychological profiles of U.S. voters using the data of tens of millions of Facebook users (which had been harvested from Kogan's data) to support Ted Cruz's presidential campaign. Ex. 17, Dkt. 126-18; ¶¶ 5, 86–89. After the article was published, Facebook removed Kogan's app from Facebook, and privately asked GSR and Cambridge Analytica to delete the data and was told by the companies that the data had been deleted. ¶¶ 5, 93, 137–38, 150, 186, 210, 377.
The Cambridge Analytica Story Resurfaces in 2018. On March 17, 2018, three years after the original Cambridge Analytica story broke, The New York Times and The Guardian reported that Defendants (1) delayed in addressing the Cambridge Analytica data breach and that (2) the data had not been deleted (as reported by Defendants), but was used in connection with President Donald Trump's campaign. See id. ¶ 189. Cambridge Analytica had lied when it represented to Facebook in 2016 that it had deleted all user data. Id. ¶¶ 20, 189-190. Facebook then suspended Cambridge Analytica, its parent company, and certain related employees from the Facebook Platform. ¶ 186.
In response to the stories, Facebook's common stock dropped nearly 7% on Monday, March 19, 2018, the first trading day after the news broke, and fell an additional 2.5% the next trading day. Id. ¶ 198.
Facebook's First Quarter 2018 Earnings Report ("1Q18") and the GDPR. On April 25, 2018, Defendants released a favorable first quarter earnings report, 1Q18, with quarterly revenue, earnings, and daily and monthly active user growth exceeding analyst expectations. Id. ¶¶ 25, 219, 221, 223, 427. Although a "handful" of advertisers had "paused spend" with Facebook after the Cambridge Analytica news, Facebook reported that this did not appear to reflect a "meaningful trend." Id. ¶ 429. During the earnings call, Facebook told investors that it anticipated expenses to increase due to its investments in data security programs and the 48% increase in the number of Facebook employees from the prior year. Id. ; see also Ex. 9 at 7–8, Dkt. 126-10. The stock price climbed more than 9% following the release of this report. SAC ¶ 25. By July, Facebook's stock price was trading well above $200 per share. Id.
On this earnings call, Facebook also addressed the possible impact of the General Data Protection Regulation, ("GDPR") which took effect the month after 1Q18 results were released. Id. ¶¶ 430–31; see also Ex. 9 at 8, 11, 15–16, 18, 23, Dkt. 126-10. Facebook claimed that compliance with the GDPR would not be an issue because Facebook was already almost compliant. SAC ¶ 232. However, Facebook did note that it was "early and difficult to know ... in advance" the business implications of Facebook's implementation of the GDPR. Indeed, Facebook anticipated that Facebook's European daily and monthly user base could be "flat to slightly down." Ex. 9 at 8, 23, Dkt. 126-10. Facebook also noted that while they did not anticipate the GDPR to significantly impacting advertising revenue, there was "certainly the potential for some impact." Id. at 8; see also id. at 18 ("[T]he amount of uncertainty [ ] for us and all the other companies in the digital advertising industry is reasonably higher than it's been [ ] because we're in the process of rolling out GDPR. We're going to all know a lot more after we rollout.").
The GDPR is a broad set of privacy regulations governing the collection and use of personal data. It is designed to protect the privacy of European Union ("EU") citizens. The GDPR has a host of disclosure and user-control requirements. For instance, (and notable here) the GDPR requires corporations to make their data collection and sharing policies opt-in, rather than opt-out. SAC ¶ 229.
Facebook's Second Quarter 2018 Earnings Report ("2Q18"). On July 25, 2018, Facebook announced its 2Q18 earnings, which reported lower than expected revenue growth, profitability, and user growth. SAC ¶¶ 243–44, 247–48. On July 26, 2018 the common stock price dropped nearly 19%, resulting in a single-day loss of approximately $120 billion in market capitalization. Id. ¶ 249.
Following the 2Q18 earnings, the Pew Research Center issued a report that it conducted following the aftermath of the 2018 Cambridge Analytica scandal. The report—titled "Americans are changing their relationship with Facebook"—documented changes in Facebook user engagement. Id. ¶ 252. It revealed substantial disengagement by Facebook users during May 29 to July 11, 2018 (the study period). Id. Specifically, it stated that more than half (54%) of Facebook users had changed their privacy settings to share less with Facebook, 42% had taken extended breaks from engaging with Facebook, while more than a quarter (26%) had deleted the Facebook app from their cell phones. Id. Disengagement was particularly pronounced among the younger users, who are more coveted by advertisers. Id.
Facebook attributed the user growth slowdown to the effects of the "GDPR rollout, consistent with the outlook we gave on the Q1 call," but noted that the "vast majority of people [had continued] opting in to ... third-party data use." Ex. 10 at 7, 18, Dkt. 126-11. During the earnings call, one analyst remarked that Facebook had given an "accurate read into the June quarter" on the likely impact of the GDPR. Id. at 15 ("You have—you gave us a—what turned out to be a pretty accurate read into the June quarter ...."); see also id. ("We had indicated ... in the first quarter that we would expect to see a decline [in daily active users and monthly active users in Europe following implementation of the GDPR]."). Facebook also reported that its expenses were up "50%" year-over-year, which accorded with estimates made in the prior quarter. Id. at 8 ("There are several factors contributing to that deceleration. For example, we expect currency to be a slight headwind in the second half vs. the tailwinds we have experienced over the last several quarters. We plan to grow and promote certain engaging experiences like Stories that currently have lower levels of monetization. We are also giving people who use our services more choices around data privacy which may have an impact on our revenue growth.").
Executive Defendants’ Sale of Facebook Stock . During the Class Period, Defendant Zuckerberg sold approximately 30,000 Facebook shares for proceeds of more than $5.2 billion, while Defendant Sandberg sold $389 million in Facebook shares and Defendant Wehner sold $21 million worth in Facebook shares. SAC ¶ 19. Plaintiffs use this to corroborate scienter.
3. Alleged Misstatements/Omissions
Plaintiffs allege that Defendants made a total of 83 materially misleading statements or omissions in press releases, U.S. Securities and Exchange Commission ("SEC") filings, earnings calls, and public remarks at conferences. The Court has arranged these statements by source and bolded/italicized the relevant portions of the statements.
Statements Concerning Facebook Users’ "Control" Over Their Data
Statement 1
"You own all of the content and information you post on Facebook, and you can control how it is shared through your privacy and application settings ."
SAC ¶ 326 (stated in Facebook's Statement of Rights and Responsibilities )
Statement 2
"[W]hen you share on Facebook, you need to know that no one's going to steal our data. No one is going to get your data that shouldn't have it . That we're not going to make money in ways that would make you feel uncomfortable .... And that you're controlling who you share with .... Privacy for us is making sure that you feel secure, sharing on Facebook."
SAC ¶ 327 (stated by Defendant Sandberg during 2017 Axios interview)
Statement 3
"[T]he Facebook family of apps already applies the core principles in the [GDPR] framework because we built our services around transparency and control ."
SAC ¶ 328 (stated by Defendant Sandberg during 3Q17 earnings call) Statement 4
"Our apps have long been focused on giving people transparency and control ...."
SAC ¶ 329 (stated by Defendant Sandberg during Facebook Gather Conference in January 2018)
Statement 5
"[T]he Facebook family of apps already applies the core principles in the GDPR framework, which are transparency and control. "
SAC ¶ 330 (stated by Defendant Sandberg during 4Q17 earnings call)
Statement 6
"So we think with transparency and control , we're set up well to be in a position where we're compliant with GDPR when the regulation goes into effect in May."
SAC ¶ 331 (stated by Defendant Wehner during 2018 Conference Call)
Statement 7
"In 2014, after hearing feedback from the Facebook community, we made an update to ensure that each person decides what information they want to share about themselves, including their friend list. This is just one of the many ways we give people the tools to control their experience . Before you decide to use an app, you can review the permissions the developer is requesting and choose which information to share. You can manage or revoke those permissions at any time."
SAC ¶ 332 (stated by Defendant Facebook in 2018 post after 2018 Cambridge Analytica scandal)
Statement 8
"[T]he main principles are, you have control over everything you put on the service , and most of the content Facebook knows about you it [sic] because you chose to share that content with your friends and put it on your profile."
SAC ¶ 333 (stated by Defendant Zuckerberg during 2018 phone conference)
Statement 9
"You've been hearing a lot about Facebook lately and how your data is being used. While this information can sometimes be confusing and technical, it's important to know that you are in control of your Facebook , what you see, what you share, and what people see about you ."
SAC ¶ 334 (stated by Defendant Facebook in April 2018 post)
Statement 10
"We already show people what apps their accounts are connected to and allow them to control what data they've permitted those apps to use ."
SAC ¶ 335 (stated by Defendant Facebook in June 2018 to U.S. House of Representatives)
Statement 11
"Privacy is at the core of everything we do, and our approach to privacy starts with our commitment to transparency and control . [...] Our approach to control is based on the belief that people should be able to choose who can see what they share and how their data shapes their experience on Facebook. People can control the audience for their posts and the apps that can receive their data. "
SAC ¶ 336 (stated by Defendant Facebook in June 2018 to U.S. House of Representatives) Statement 12
"This is the most important principle for Facebook: Every piece of content that you share on Facebook, you own and you have complete control over who sees it and — and how you share it, and you can remove it at any time. That's why every day, about 100 billion times a day, people come to one of our services and either post a photo or send a message to someone, because they know that they have that control and that who they say it's going to go to is going to be who sees the content . And I think that that control is something that's important that I think should apply to — to every service."
SAC ¶ 337(a) (stated by Defendant Zuckerberg in April 2018 to Joint Commerce & Judiciary Committees of U.S. Senate)
Statement 13
"That's what the [Facebook] service is, right? It's that you can connect with the people that you want, and you can share whatever content matters to you, whether that's photos or links or posts, and you get control over it ."
SAC ¶ 337(b) (stated by Defendant Zuckerberg in April 2018 to Joint Commerce & Judiciary Committees of U.S. Senate)
Statement 14
"The two broad categories that I think about are content that a person is [sic] chosen to share and that they have complete control over, they get to control when they put into the service, when they take it down, who sees it. And then the other category are data that are connected to making the ads relevant. You have complete control over both ."
SAC ¶ 337(c) (stated by Defendant Zuckerberg in April 2018 to Joint Commerce & Judiciary Committees of U.S. Senate)
Statement 15
"Every person gets to control who gets to see their content ."
SAC ¶ 337(d) (stated by Defendant Zuckerberg in April 2018 to Joint Commerce & Judiciary Committees of U.S. Senate)
Statement 16
"But, Senator, the — your point about surveillance, I think that there's a very important distinction to draw here, which is that when — when organizations do surveillance[,] people don't have control over that. But on Facebook, everything that you share there[,] you have control over ."
SAC ¶ 337(e) (stated by Defendant Zuckerberg in April 2018 to Joint Commerce & Judiciary Committees of U.S. Senate)
Statement 17
"[O]n Facebook, you have control over your information."
SAC ¶ 338(a) (stated by Defendant Zuckerberg in April 2018 to U.S. House of Representatives’ Energy and Commerce Committee)
Statement 18
"[E]very single time that you share something on Facebook or one of our services, right there is a control in line, where you control who — who you want to share with ."
SAC ¶ 338(b) (stated by Defendant Zuckerberg in April 2018 to U.S. House of Representatives’ Energy and Commerce Committee)
Statement 19
"Congresswoman, giving people control of their information and how they want to set their privacy is foundational to the whole service [on Facebook]. It's not just a — kind of an add-on feature, something we have to ... comply with.... all the data that you put in, all the content that you share on Facebook is yours. You control how it's used. "
SAC ¶ 338(c) (stated by Defendant Zuckerberg in April 2018 to U.S. House of Representatives’ Energy and Commerce Committee)
Statement 20
"Privacy is at the core of everything we do, and our approach to privacy starts with our commitment to transparency and control. [...] Our approach to control is based on the belief that people should be able to choose who can see what they share and how their data shapes their experience on Facebook. People can control the audience for their posts and the apps that can receive their data ."
SAC ¶ 339 (stated by Defendant Facebook in response to questions from the U.S. Senate)
Statement Concerning Users’ Privacy Settings
Statement 21
" We respected the privacy settings that people had in place . Privacy and data protections are fundamental to every decision we make."
SAC ¶ 344 (stated by Defendant Facebook in March 2018 to The Washington Post )
Statements Concerning Risks to Facebook's Business
Statement 22
"Security breaches and improper access to or disclosure of our data or user data, or other hacking and phishing attacks on our systems, could harm our reputation and adversely affect our business."
SAC ¶ 350(a) (stated by Defendant Facebook in 2016 Form 10-K)
Statement 23
"Any failure to prevent or mitigate security breaches and improper access to or disclosure of our data or user data could result in the loss or misuse of such data, which could harm our business and reputation and diminish our competitive position."
SAC ¶ 350(b) (stated by Defendant Facebook in 2016 Form 10-K)
Statement 24
"We provide limited information to ... third parties based on the scope of services provided to us. However, if these third parties or developers fail to adopt or adhere to adequate data security practices ... our data or our users’ data may be improperly accessed, used, or disclosed."
SAC ¶ 350(c) (stated by Defendant Facebook in 2016 Form 10-K)
Statement 25
"Although we have developed systems and processes that are designed to protect our data and user data, to prevent data loss and to prevent or detect security breaches , we cannot assure you that such measures will provide absolute security."
SAC ¶ 355 (stated by Defendant Facebook in 2016 Form 10-K)
Statement 26
"If we fail to retain existing users or add new users, or if our users decrease their level of engagement with our products, our revenue, financial results, and business may be significantly harmed.
The size of our user base and our users’ level of engagement are critical to our success. Our financial performance has been and will continue to be significantly determined by our success in adding, retaining, and engaging active users of our products, particularly for Facebook and Instagram. We anticipate that our active user growth rate will continue to decline over time as the size of our active user base increases, and as we achieve higher market penetration rates. If people do not perceive our products to be useful, reliable, and trustworthy, we may not be able to attract or retain users or otherwise maintain or increase the frequency and duration of their engagement ....
Any number of factors could potentially negatively affect user retention, growth, and engagement, including if:
there are decreases in user sentiment about the quality or usefulness of our products or concerns related to privacy and sharing, safety, security , or other factors
SAC ¶ 358 (stated by Defendant Facebook in 2016 Form 10-K)
Statements Concerning the Results of Facebook's Investigation into Cambridge Analytica
Statement 27
"Our investigation to date has not uncovered anything that suggests wrongdoing with respect to Cambridge Analytica's work on the [Brexit] and Trump campaigns."
SAC ¶ 362 (stated by Defendant Facebook to The Guardian in March 2017)
Statement 28
"Our investigation to date has not uncovered anything that suggests wrongdoing [with respect to Cambridge Analytica]."
SAC ¶ 363 (stated by Defendant Facebook to The Intercept in March 2017)
Statement 29
"Our investigation to date has not uncovered anything that suggests wrongdoing [with respect to Cambridge Analytica]."
SAC ¶ 363 (stated by Defendant Facebook to The Intercept in March 2017)
Statements Concerning Facebook's Response to Instances of Data Misuse
Statement 30
" Misleading people or misusing their information is a direct violation of our policies and we will take swift action against companies that do, including banning those companies from Facebook and requiring them to destroy all improperly collected data ."
SAC ¶ 368 (stated by Defendant Facebook to BuzzFeed News in February 2017)
Statement 31
" Misleading people or misusing their information is a direct violation of our policies and we will take swift action against companies that do , including banning those companies from Facebook and requiring them to destroy all improperly collected data. "
SAC ¶ 369 (stated by Defendant Facebook to Newsweek in June 2017)
Statement 32
"Enforcement is both automated and manual, and can include disabling your app, restricting you and your app's access to platform functionality, requiring that you delete data , terminating our agreements with you or any other action that we deem appropriate."
SAC ¶ 370 (stated by Defendant Facebook in Data Policy) Statement 33
" We are committed to vigorously enforcing our policies to protect people's information. We will take whatever steps are required to see that this happens. We will take legal action if necessary to hold them responsible and accountable for any unlawful behavior.
* * *
On an ongoing basis, we also do a variety of manual and automated checks to ensure compliance with our policies and a positive experience for users . These include steps such as random audits of existing apps along with the regular and proactive monitoring of the fastest growing apps.
We enforce our policies in a variety of ways — from working with developers to fix the problem, to suspending developers from our platform, to pursuing litigation. "
SAC ¶ 376 (stated by Defendant Facebook in March 2018 in group entitled "Suspending Cambridge Analytica and SCL Group from Facebook")
Statements About Facebook Users Consenting to/Knowingly Giving Information to Kogan
Statement 34
" The claim that this is a data breach is completely false . Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app , and everyone involved gave their consent. People knowingly provided their information , no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked."
SAC ¶ 380 (stated by Defendant Facebook in March 2018 Facebook post)
Statement 35
" The good news is that the most important actions to prevent this from happening again today we have already taken years ago .... In 2014, to prevent abusive apps, we announced that we were changing the entire platform to dramatically limit the data apps could access .... In this case, we already took the most important steps a few years ago in 2014 to prevent bad actors from accessing people's information in this way."
SAC ¶ 383 (stated by Defendant Zuckerberg on March 2018 on personal Facebook page)
Statements About Facebook's Compliance with 2012 FTC Consent Decree
Statement 36
"Violation of existing or future regulatory orders or consent decrees could subject us to substantial monetary fines and other penalties that could negatively affect our financial condition and results of operations."
SAC ¶ 389 (stated by Defendant Facebook in 2016 Form 10-K)
Statement 37
" [W]e respect local laws and regulations ... Certainly, regulation is always an area of focus that we work hard to make sure that we are explaining our business clearly and making sure regulators know the steps we take to protect privacy as well as making sure that we're in compliance ."
SAC ¶ 391 (stated by Defendant Sandberg during 2Q17 Earnings Call)
Statement 38
" We reject any suggestion of violation of the consent decree. "
SAC ¶ 392 (stated by Defendant Facebook to The Washington Post in March 2018) Statement 39
"You asked about the FTC consent order . We've worked hard to make sure that we comply with it ."
SAC ¶ 393 (stated by Defendant Zuckerberg in April 2018)
Statement 40
"We're in constant conversation with the FTC, and that consent decree was important , and we've taken every step we know how to make sure we're in accordance with it ."
SAC ¶ 394 (stated by Defendant Sandberg in April 2018 interview)
Statement 41
"Our view is that — is that we believe that we are in compliance with the consent order , but I think we have a broader responsibility to protect people's privacy even beyond that."
SAC ¶ 395 (stated by Defendant Zuckerberg in April 2018 to U.S. Senate)
Statement 42
"Affected users or government authorities could initiate legal or regulatory actions against us in connection with any security breaches or improper disclosure of data , which could cause us to incur significant expense and liability or result in orders or consent decrees forcing us to modify our business practices. Any of these events could have a material and adverse effect on our business, reputation, or financial results.
SAC ¶ 401 (stated by Defendant Facebook in 2016 Form 10-K)
Statements About Facebook Users Whose Accounts Were Compromised
Statement 43
" We notify our users with context around the status of their account and actionable recommendations if we assess they are at increased risk of future account compromise by sophisticated actors or when we have confirmed their accounts have been compromised ."
SAC ¶ 405 (stated by Defendant Facebook in April 2017 on its corporate website)
Statement 44
Facebook stated that it would provide:
• " Notifications to specific people if they have been targeted by sophisticated attackers, with custom recommendations depending on the threat models"; and
• " Proactive notifications to people who have yet to be targeted, but whom we believe may be at risk based on the behavior of particular malicious actors."
SAC ¶ 405 (stated by Defendant Facebook in April 2017 on its corporate website)
Statement About Facebook Compliance with GDPR
Statement 45
"Europe[ ] has passed a single privacy law [i.e. , the GDPR] and we are adhering to that . But privacy is something we take really seriously."
SAC ¶ 411 (stated by Defendant Sandberg in October 2017)
Statements About Use of Platform to Influence Elections
Statement 46
"Though the volume of these posts was a tiny fraction of the overall content on Facebook, any amount is too much. Those accounts and Pages violated Facebook's policies — which is why we removed them, as we do with all fake or malicious activity we find."
SAC ¶ 414 (stated by Facebook's General Counsel [Mr. Strech] to U.S. Senate/U.S. House of Representatives)
Statement 47
SWALWELL: Can each of you assure the American people that you have fully searched your platforms and disclosed to this committee every Russian effort to influence the 2016 election? Mr. Edgett?
EDGETT: We've provided everything we have to date , and we're continuing to look at this. So there will be more information that we share.
SWALWELL: Mr. Stretch?
STRETCH: The same is true , particularly in connection with, as I mentioned earlier, some of the threat sharing that the companies are now engaged in.
SAC ¶ 415 (stated by Facebook's General Counsel [Mr. Stretch] to House subcommittee)
Statement 48
Feinstein QFR #4: Facebook confirmed in the House Intelligence committee hearing that they found no overlap in the groups targeted by the Trump campaign's advertisements, and the advertisements tied to the Russia-linked accounts identified thus far.... Does this assessment extend to both the content used and groups targeted by the companies associated with the campaign — like Cambridge Analytica — and Russian accounts ?
Stretch: We have seen only what appears to be insignificant overlap between the targeting and content used by the IRA and that used by the Trump campaign (including its third-party vendors). We are happy to schedule a meeting with your staff to discuss our findings in more detail.
SAC ¶ 416 (stated by Facebook's General Counsel [Mr. Stretch] to Senator Feinstein)
Statements About Daily Active Users ("DAU") and Monthly Active Users ("MAU") Metrics
Statement 49
May 3, 2017: "Daily active users (DAUs) — DAUs were 1.28 billion on average for March 2017, an increase of 18% year-over-year. Monthly active users (MAUs) — MAUs were 1.94 billion as of March 31, 2017, an increase of 17% year-over- year."
SAC ¶ 420(a) (stated by Defendant Facebook in press release)
Statement 50
"Our community now has more than 1.9 billion people, including almost 1.3 billion people active every day."
SAC ¶ 420(a) (stated by Defendant Zuckerberg in May 2017)
Statement 51
July 26, 2017: "Daily active users (DAUs) — DAUs were 1.32 billion on average for June 2017, an increase of 17% year-over-year. Monthly active users (MAUs) — MAUs were 2.01 billion as of June 30, 2017, an increase of 17% year-over- year."
SAC ¶ 420(b) (stated by Defendant Facebook in press release)
Statement 52
"Our community is now more than 2 billion people, including more than 1.3 billion people who use Facebook every day."
SAC ¶ 420(b) (stated by Defendant Zuckerberg in June 2017) Statement 53
November 1, 2017: "Daily active users (DAUs) — DAUs were 1.37 billion on average for September 2017, an increase of 16% year-over- year. Monthly active users (MAUs) — MAUs were 2.07 billion as of September 30, 2017, an increase of 16% year-over-year."
SAC ¶ 420(c) (stated by Defendant Facebook in press release)
Statement 54
"Our community continues to grow, now with nearly 2.1 billion people using Facebook every month, and nearly 1.4 billion people using it daily. Instagram also hit a big milestone this quarter, now with 500 million daily actives."
SAC ¶ 420(c) (stated by Defendant Zuckerberg in November 2017)
Statement 55
January 31, 2018: "Daily active users (DAUs) — DAUs were 1.40 billion on average for December 2017, an increase of 14% year-over-year. Monthly active users (MAUs) — MAUs were 2.13 billion as of December 31, 2017, an increase of 14% year-over-year."
SAC ¶ 420(d) (stated by Defendant Facebook in press release)
Statement 56
"Our community continues to grow with more than 2.1 billion people now using Facebook every month and 1.4 billion people using it daily. Our business grew 47% year-over-year to $40 billion."
SAC ¶ 420(d) (stated by Defendant Zuckerberg in January 2018)
Statement 57
" We monitor the sentiment and engagement of people engaging in News Feed . We're really pleased with the strength of sentiment and engagement as we've ramped up News Feed ads."
SAC ¶ 421(a) (stated by Defendant Wehner)
Statement 58
"Because your experience on Facebook or Instagram is about the quality of what you see ... what we do is we monitor it carefully. We ramp slowly. We monitor engagement sentiment, quality of ads. We get a lot of feedback directly from people who use Facebook.... And we just continue to monitor the metrics ."
SAC ¶ 421(b) (stated by Defendant Sandberg)
Statement 59
"Improving the quality and the relevance of the ads has enabled us to show more of them, without harming the experience. And, our focus really remains on the experience. So, we'll continue to monitor engagement and sentiment very carefully. "
SAC ¶ 421(c) (stated by Defendant Wehner)
Statement 60
"When we introduce ads into feed and continue to increase the ad load, we monitor really carefully . We're looking at user engagement on the platform . We also look at the quality of ads."
SAC ¶ 421(d) (stated by Defendant Sandberg)
Statement 61
Analyst: "Can you just talk about some of the biggest trends you're monitoring?
Wehner: "Yes, I can start with the stats. So on — yes, Mark, on the engagement front, we're seeing time spent growth per DAU across the Facebook family of apps and that includes Facebook itself."
SAC ¶ 421(e)
Statement 62
"We have also increased our estimate for inauthentic accounts to approximately 2% to 3% of worldwide MAUs.... We continuously monitor and aggressively take down those accounts. These accounts tend to be less active and thus, we believe, impact DAU less than MAU."
SAC ¶ 421(f) (stated by Defendant Wehner)
Statements About 1Q18 Financial Results
Statement 63
Facebook Reports First Quarter 2018 Results: "Daily active users (DAUs) — DAUs were 1.45 billion on average for March 2018, an increase of 13% year-over-year. Monthly active users (MAUs) — MAUs were 2.20 billion as of March 31, 2018, an increase of 13% year-over- year."
SAC ¶ 427.
Statement 64
"Despite facing important challenges, our community continues to grow. More than 2.2 billion people now use Facebook every month and more than 1.4 billion people use it daily."
SAC ¶ 428 (stated by Defendant Zuckerberg)
Statement 65
"Before going through our results, I want to take a minute to talk about ads and privacy. [...]
We also believe that people should control their advertising experience. For every ad we show, there's an option to find out why you're seeing that ad and to turn off ads from that advertiser entirely. And you can opt out of being targeted based on certain information like the websites you visit or your relationship status.
Advertising and protecting people's information are not at odds. We do both. Targeted ads that respect people's privacy are better ads. They show people things that they're more likely to be interested in. We regularly hear from people who use Facebook that they prefer to see ads that are relevant to them and their lives.
Effective advertising is also critical to helping businesses grow.
* * *
In the coming months, GDPR will give us another opportunity to make sure people fully understand how their information is used by our services. It's an EU regulation, but as Mark said a few weeks ago, we're going to extend these controls to everyone who uses Facebook, regardless of where in the world they live. Our commitment to you is that we will continue to improve our ads model by strengthening privacy and choice while giving businesses of all sizes new and better tools to help them grow.
* * *
Going forward, we will continue to focus on these 3 priorities and ensure that people's privacy is protected on Facebook ."
SAC ¶ 430 (stated by Defendant Sandberg on 1Q18 earnings call)
Statement 66
" The changes that Mark and Sheryl described will, we believe, benefit our community and our business and will serve to strengthen Facebook overall. At the highest level, we believe that we can continue to build a great ads business while protecting people's privacy. * * *
So on GDPR, I think fundamentally, we believe we can continue to build a great ads business while protecting the privacy of the people that use Facebook. As part of the rollout of GDPR, we're providing a lot of control to people around their ad settings. And we're committed, as Sheryl and Mark mentioned, to providing the same controls worldwide. And while we don't expect these changes will significantly impact advertising revenue, there's certainly potential for some impact. Any change of our — of the ability for us and our advertisers to use data can impact our optimizational potential at the margin, which could impact our ability to drive price improvements in the long run. So we'll just have to watch how that plays out over time. I think it's important to note that GDPR is affecting the entire online advertising industry. And so what's really most important in winning budgets is our relative performance versus other opportunities presented to marketers, and that's why it will be important to watch kind of how this plays out at the industry level.
* * *
I don't know that we really see a doomsday scenario here. I think what we think is that depending on how people react to the controls and the ad settings, there could be some limitations to data usage. We believe that those will be relatively minor. But depending on how broadly the controls are adopted and set, there is a potential to impact targeting for our advertisers. Obviously, if they are less able to target effectively, they'll get a lower ROI on their advertising campaigns. They'll then bid differently into the auction. That ultimately will flow through into how we can realize price on the impressions that we're selling. So I think that's the mitigating issue that we could see, depending on how GDPR and our broader commitment to providing these same controls worldwide could play out. We think that there is a great case for not just our business but also for the user experience on Facebook to have targeting because we think it's a better experience for the people who use Facebook to have targeted ads. We think we can do that in a privacy-protected way, and it's just a better experience. You get more relevant ads, and it's — and I think overall benefits that only the advertisers but also the people who use Facebook. So I don't think see a real doomsday scenario here. We see an opportunity to really make the case."
SAC ¶ 431 (stated by Defendant Wehner on 1Q18 Earnings Call)
Statement 67
" I also want to talk about data privacy . And what happened with Cambridge Analytica was a major breach of trust. An app developer took data that people had shared with them and sold it. So we need to make sure that this never happens again, so we're taking a number of steps here.
First, as you all know we're restricting the data that developers will be able to request from people. Now the good news here is that back in 2014, we already made a major change to how the platform works to prevent people from sharing a lot of their friends’ information. So this specific situation could not happen again today. "
SAC ¶ 434 (stated by Defendant Zuckerberg)
Statement 68
"So we recently went through this process of rolling out our flows and settings for GDPR compliance, first, in Europe, and we're going to do it around the world. And one of the settings that we ask people proactively to make a decision on is, do you want your ads, for how we do ad targeting, to be informed by the other apps and websites that you use? People have to proactively make a decision. Yes or no. Do they want that data used? And the majority, I think we can even say vast majority of people say, yes, they want that data used. Because if they're going to see ads, you want to see good ads, right? So I think that this is one of the core questions that society faces and individuals face across the different services that we use, are how do we want our data to be used and where? ... This is going to be a core thing that we need to think about going forward, but we think about it very deeply as this is a — just a core part of the value that we're trying to provide."
SAC ¶ 437 (stated by Defendant Zuckerberg)
Statement 69
" Privacy is at the core of everything we do, and our approach to privacy starts with our commitment to transparency and control. Our threefold approach to transparency includes, first, whenever possible, providing information on the data we collect and use and how people can control it in context and in our products. Second, we provide information about how we collect and use data in our user agreements and related educational materials. And third, we enable people to learn more about the specific data we have about them through interactive tools such as Download Your Information, which lets people download a file containing data that they may want to take to another service, and Access Your Information, a tool we are launching that will let people more easily access and manage their data on Facebook.
Our approach to control is based on the belief that people should be able to choose who can see what they share and how their data shapes their experience on Facebook. People can control the audience for their posts and the apps that can receive their data. They can see and delete the history of their activities on Facebook, and, if they no longer want to use Facebook, they can delete their account and the data associated with it. Of course, we recognize that controls are only useful if people know how to find and use them. That is why we continuously deliver in-product educational videos in people's News Feeds on important privacy topics. We are also inviting people to take our Privacy Checkup — which prompts people to review key data controls — and we are sharing privacy tips in education campaigns off of Facebook, including through ads on other websites. To make our privacy controls easier to find, we are launching a new settings menu that features core privacy settings in a single place. We are always working to help people understand and control how their data shapes their experience on Facebook.
* * *
Like many other free online services, we sell advertising space to third parties. Doing so enables us to offer our services to consumers for free. This is part of our mission to give people the power to build community and bring the world closer together.
* * *
We maintain our commitment to privacy by not telling advertisers who users are or selling people's information to anyone. That has always been true. We think relevant advertising and privacy are not in conflict, and we're committed to doing both well. We believe targeted advertising creates value for people and advertisers who use Facebook. Being able to target ads to the people most likely to be interested in the products, service or causes being advertised enables businesses and other organizations to run effective campaigns at reasonable prices.
* * *
We do not have a "business reason" to compromise the personal data of users; we have a business reason to protect that information.
* * *
We believe that everyone has the right to expect strong protections for their information , and that we also need to do our part to help keep our community safe, in a way that's consistent with people's privacy expectations."
SAC ¶ 440 (stated by Defendant Facebook in June 2018 in response to questions from the U.S. Senate)
Statements About Selling User Data
Statement 70
" We don't sell your data. We don't sell personal information like your name, Facebook posts, email address, or phone number to anyone. Protecting people's privacy is central to how we've designed our ad system."
SAC ¶ 445 (stated by Defendant Facebook in November 27)
Statement 71
"These principles are our commitment to the people who use our services. They are: We build for people first. We don't sell your data ."
SAC ¶ 446 (stated by Defendant Facebook in January 2018)
Statement 72
"We provide a free service that's an ad-based business model, and in order to do that, we do not sell your data. "
SAC ¶ 447 (stated by Defendant Sandberg in March 2018)
Statement 73
"There are other internet companies or data brokers or folks that might try to track and sell data, but we don't buy and sell . [...] The second point, which I touched on briefly there: for some reason we haven't been able to kick this notion for years that people think we will sell data to advertisers. We don't. That's not been a thing that we do. Actually it just goes counter to our own incentives ... And we're going to use data to make those services better ... but we're never going to sell your information ."
SAC ¶ 448 (stated by Defendant Zuckerberg in April 2018)
Statement 74
"What we share : We will never sell your information to anyone. We have a responsibility to keep people's information safe and secure, and we impose strict restrictions on how our partners can use and disclose data ."
SAC ¶ 449 (stated by Defendant Facebook)
Statement 75
"It's a good opportunity to remind everyone what we say all the time, but we need to keep saying so people understand it — which is that we don't sell data, period , ... And again, we do not sell data, ever."
SAC ¶ 450 (stated by Defendant Sandberg during April 2018 NPR interview) Statement 76
" We do not sell data or give your personal data to advertisers, period ." SAC ¶ 451 (stated by Defendant Sandberg during April 2018 NPR interview)
Statement 77
"I want to be clear. We don't sell information. So regardless of whether we could get permission to do that, that's just not a thing we're going to go do ." 418 Zuckerberg further stated, "Well, Senator, once again, we don't sell any data to anyone. We don't sell it to advertisers, and we don't sell it to developers ."
SAC ¶ 452 (stated by Defendant Zuckerberg before U.S. Senate Committees)
Statement 78
"Mr. Chairman, you're right that we don't sell any data .... There is a common misperception, as you say, that is just reported — often keeps on being reported, that, for some reason, we sell data. I can't be clearer on this topic. We don't sell data .... Congressman, we don't sell people's data . So I think that's an important thing to clarify up front."
SAC ¶ 453 (stated by Defendant Zuckerberg before U.S. House of Representatives Committee)
Statement 79
"We use the information you provide and that we receive from websites to target ads for advertisers, but we don't tell them who you are. We don't sell your information to advertisers or anyone else . "
SAC ¶ 454(a) (stated by Defendant Zuckerberg during 1Q18 Earnings Call)
Statement 80
" At Facebook, we have always built privacy protection into our ads system . [...] We don't sell your information to advertisers or anyone else. "
SAC ¶ 454(b) (stated by Defendant Sandberg during 1Q18 Earnings Call)
Statement 81
"We don't tell advertisers who you are; and we don't sell your data ."
SAC ¶ 455 (stated by Defendant Facebook in May 2018)
Statement 82
"Facebook does not sell people's information to anyone, and we never will. When the individual is a Facebook user, we are also able to use this information to personalize their experiences on Facebook, whether or not they are logged out, but we will not target ads to users relying on this information unless the user allows this in their privacy settings. We don't sell or share this information with third parties ."
SAC ¶ 456 (stated by Defendant Facebook in June 2018 to U.S. House of Representatives)
Statement 83
" We don't sell data .... So while it may seem like a small difference to you, this distinction on ‘selling data,’ I actually think to people it's like the whole game, right? So we don't sell data, we don't give the data to anyone else , but overwhelmingly people do tell us that if they're going to see ads on Facebook, they want the ads to be relevant; they don't want bad ads."
SAC ¶ 457 (stated by Defendant Zuckerberg in a July 2018 interview with Recode)
B. Procedural History
On October 15, 2018, Plaintiffs filed their Consolidated Class Action Complaint. See Dkt. 86. On September 25, 2019, this Court granted Defendants’ motion to dismiss the consolidated complaint after finding that Plaintiffs had failed to carry their burden to plead with particularity falsity and scienter—the Court did not address reliance or loss causation in that order. Order Granting Defendants’ Motion to Dismiss ("September 2019 Order"), Dkt. 118.
Plaintiffs filed their second amended consolidated complaint on November 15, 2019. See Dkt. 123. Thereafter, Defendants filed a motion to dismiss the second amended consolidated class action complaint. Motion to Dismiss Second Amended Consolidated Class Action Complaint ("Mot."), Dkt. 126. Plaintiffs filed an opposition. Lead Plaintiffs’ Memorandum of Points and Authorities in Opposition to Defendants’ Motion to Dismiss ("Opp."), Dkt. 130. Defendants then filed a reply. Reply in Support of Defendants’ Motion to Dismiss ("Reply"), Dkt. 132.
II. JUDICIAL NOTICE
Defendants ask this Court to take judicial notice of Exhibits 1 through 30, which are attached to the Declaration of Brian M. Lutz in Support of Defendant's Motion to Dismiss. See Request for Judicial Notice in Support of Defendants’ Motion to Dismiss Second Amended Consolidated Class Action Complaint ("RJN re MTD"), Dkt. 127. Defendants also ask this Court to take judicial notice of Exhibit 31, which is attached to the Declaration of Brian M. Lutz in Support of Defendants’ Reply ("RJN Reply"), Dkt. 133. Plaintiffs do not oppose this request and also ask the Court to take judicial notice of Exhibits A-K. Plaintiffs’ Request for Judicial Notice and Response to Defendants’ Request for Judicial Notice ("P RJN"), Dkt. 131.
Generally, district courts may not consider material outside the pleadings when assessing the sufficiency of a complaint under Federal Rule of Civil Procedure 12(b)(6). Lee v. City of L.A. , 250 F.3d 668, 688 (9th Cir. 2001). When matters outside the pleadings are considered, the 12(b)(6) motion typically must convert into a motion for summary judgment. Khoja v. Orexigen Therapeutics, Inc. , 899 F.3d 988, 998 (9th Cir. 2018) ; see also Fed. R. Civ. P. 12(d). This rule, however, does not apply to the incorporation by reference doctrine or judicial notice. Khoja , 899 F.3d at 998.
Federal Rule of Evidence 201 permits a court to take judicial notice of an adjudicative fact "not subject to reasonable dispute," that is "generally known" or "can be accurately and readily determined from sources whose accuracy cannot reasonably be questioned." Fed. R. Evid. 201(b). Specifically, a court may take judicial notice: (1) of matters of public record, Khoja , 899 F.3d at 999, (2) that the market was aware of information contained in news articles, Heliotrope Gen., Inc. v. Ford Motor Co. , 189 F.3d 971, 981 n.18 (9th Cir. 1999), and (3) publicly accessible websites whose accuracy and authenticity are not subject to dispute, Daniels-Hall v. Nat'l Educ. Ass'n , 629 F.3d 992, 998–99 (9th Cir. 2010). A court may consider the facts contained in the noticed materials. Barron v. Reich , 13 F.3d 1370, 1377 (9th Cir. 1994).
Incorporation by reference treats certain documents as though they are part of the complaint itself. Daniels-Hall , 629 F.3d at 998. These are situations where the complaint "necessarily relies" upon a document or where the complaint alleges the contents of the document and the document's authenticity and relevance is not disputed. Coto Settlement v. Eisenberg , 593 F.3d 1031, 1038 (9th Cir. 2010).
For the following reasons, Defendants’ Exhibits 1–31 are subject to judicial notice.
• Exhibits 1–5 and 7–8 are SEC filings and Exhibit 6 is a table Defendants created that summarizes the forms
contained in Exhibit 5. Judicial notice of these exhibits is appropriate because they are public filings made by Facebook with the SEC (or summaries of such public filings), and are therefore matters of public record not subject to reasonable dispute. See Fed. R. Evid. 201(b) ; see also Weller v. Scout Analytics, Inc. , 230 F. Supp. 3d 1085, 1094 n.5 (N.D. Cal. 2017) (taking judicial notice of SEC filings).
• Exhibits 9–11 are transcripts of Defendants’ earnings calls and shareholder meetings. Judicial notice of Exhibits 9 through 11 is appropriate—these exhibits are publicly available documents and are thus matters of public record not subject to reasonable dispute. See Fed. R. Evid. 201(b) ; see also In re Energy Recovery Inc. Sec. Litig. , 2016 WL 324150, at *3 (N.D. Cal. Jan. 27, 2016).
• Exhibit 12 is a transcript of a November 27, 2018 witness examination before the Digital, Culture, Media, and Sport Committee of the House of Commons of the United Kingdom. Exhibit 13 is a February 2019 report from the Information Commissioner's Office of the Parliament of the United Kingdom. Judicial notice of Exhibits 12 and 13 is appropriate because they are matters of public record not subject to reasonable dispute. See Fed. R. Evid. 201(b) ; Khoja , 899 F.3d at 999.
• Exhibits 14–16 are court filings. Judicial notice is appropriate because these exhibits are matters of public record not subject to reasonable dispute. See Fed. R. Evid. 201(b). "Materials from a proceeding in another tribunal are appropriate for judicial notice." Biggs v. Terhune , 334 F.3d 910, 915 n.3 (9th Cir. 2003) ; Foster Poultry Farms v. Alkar-Rapidpak-MP Equip., Inc. , 868 F. Supp. 2d 983, 990 (E.D. Cal. 2012) ("Courts routinely take judicial notice of publicly available records ... from other court proceedings.").
• Exhibits 17–24 are news articles. Exhibits 17 through 24 are publicly available documents, available on publicly accessible websites, they are capable of accurate and ready determination from sources whose accuracy cannot reasonably be questioned, and are thus subject to judicial notice. Fed. R. Evid. 201(b) ; Daniels-Hall , 629 F.3d at 999.
• Exhibits 25–27 are versions of Facebook's Data Policy, which were in effect during the time period covered by Plaintiffs’ allegations. The exhibits are subject to judicial notice because they are capable of accurate and ready determination from sources whose accuracy cannot reasonably be questioned. Fed. R. Evid. 201(b). It is common for courts to take judicial notice of a company's historical privacy policies. See, e.g. , Matera v. Google Inc. , 2016 WL 8200619, at *5 (N.D. Cal. Aug. 12, 2016) (taking judicial notice of multiple versions of Google's privacy policy, including archived versions); Oracle Am., Inc. v. CedarCrestone, Inc. , 938 F. Supp. 2d 895, 901 (N.D. Cal. 2013) (same).
• Exhibit 28 is Facebook's white paper, which is referenced and relied on in paragraphs 405 through 407 of the SAC. Because it is referenced and relied on in the SAC, the Court may consider it under the incorporation by reference doctrine. See Coto , 593 F.3d at 1038.
• Exhibit 29 is a Bloomberg stock table showing the historical stock prices of Facebook from January 2, 2018 to December 11, 2018. The Court may take judicial notice of Facebook's stock prices. See Lloyd v. CVB Fin. Corp. , 2012 WL 12883522, at *13 (C.D. Cal. Jan 12, 2012) (collecting cases); Metzler Inv. GMBH v. Corinthian Colls., Inc. , 540 F.3d 1049, 1064 n.7 (9th Cir. 2008) ; In re Copper Mountain Sec. Litig. , 311 F. Supp. 2d 857, 864 (N.D. Cal. 2004) ("Information about the stock price of publicly traded companies [is] the prop er subject of judicial notice.").
• Exhibit 30 is an April 30, 2014 Facebook blog post entitled "The New Facebook Login and Graph API 2.0." Because Exhibit 30 is a publicly available document, available on a publicly accessible website, it is capable of accurate and ready determination from sources whose accuracy cannot reasonably be questioned, and it is thus subject to judicial notice. Fed. R. Evid. 201(b) ; see also Daniels-Hall , 629 F.3d at 999 ; Diaz v. Intuit, Inc. , 2018 WL 2215790, at *3 ("Publically accessible websites and news articles are proper subjects of judicial notice.").
• Exhibit 31 is Facebook's February 3, 2017 Annual Report on Form 10-K. Judicial notice is appropriate because it is a public filing made by Facebook with the SEC and is thus a matter of public record, not subject to reasonable dispute. See Weller , 230 F. Supp. 3d at 1094 n.5.
Plaintiffs’ Exhibits A-K are also subject to judicial notice. These exhibits are either news articles, court filings, or other matters of public record. For the same reasons above, the Court finds them suitable for judicial notice. Accordingly, the Court GRANTS both Plaintiffs’ and Defendants’ requests for judicial notice.
III. DISCUSSION
A. Legal Standard
To survive a Rule 12(b)(6) motion to dismiss, a complaint must contain sufficient factual matter to "state a claim to relief that is plausible on its face." Ashcroft v. Iqbal , 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) ; Fed. R. Civ. Pro. 8(a). Threadbare recitals of the elements of a cause of action supported by mere conclusory statements "do not suffice." Ashcroft , 556 U.S. at 678, 129 S.Ct. 1937.
Securities fraud cases, however, must meet Rule 8 ’s plausibility standard, the Private Securities Litigation Reform Act ("PSLRA"), and Rule 9(b) ’s higher pleading standard. See Tellabs, Inc. v. Makor Issues & Rights, Ltd., 551 U.S. 308, 319–22, 127 S.Ct. 2499, 168 L.Ed.2d 179 (2007); Zucco Partners, LLC v. Digimarc, Corp. , 552 F.3d 981, 991 (9th Cir. 2009).
The PSLRA mandates that securities fraud complaints " ‘specify’ " each misleading statement, set forth the facts " ‘on which [a] belief’ " that a statement is misleading was " ‘formed,’ " and " ‘state with particularity facts giving rise to a strong inference that the defendant acted with the required state of mind [scienter].’ " Dura Pharm., Inc. v. Broudo , 544 U.S. 336, 345, 125 S.Ct. 1627, 161 L.Ed.2d 577 (2005) (quoting 15 U.S.C. §§ 78u–4(b)(1)–(2) ); see also Metzler , 540 F.3d at 1070 ("The PSLRA has exacting requirements for pleading ‘falsity.’ "). Plaintiffs bear the burden of proving that the defendant's misrepresentations " ‘caused the loss for which the plaintiff seeks to recover.’ " Dura Pharm. , 544 U.S. at 345–46, 125 S.Ct. 1627 (quoting § 78u-4(b)(4) ). In determining whether a "strong inference" of scienter has been sufficiently alleged, this Court must not only draw "inferences urged by the plaintiff," but also engage in a "comparative evaluation," and examine and consider "competing inferences [in defendants’ favor] drawn from the facts alleged." Tellabs , 551 U.S. at 314, 127 S.Ct. 2499. Hence, scienter must not only be "plausible or reasonable," it must also be "cogent and at least as compelling as any opposing inference of nonfraudulent intent." Id. at 324, 127 S.Ct. 2499.
Federal Rule of Civil Procedure 9(b) further requires a plaintiff pleading securities fraud to state, with particularity, the circumstances constituting fraud or mistake.
B. Defendants’ Motion to Dismiss
To show securities fraud under Section 10(b) and Rule 10b-5, plaintiffs must allege facts sufficient to establish (1) a material misrepresentation or omission; (2) made with scienter, i.e. , a wrongful state of mind; (3) a connection between the misrepresentation and the purchase or sale of a security; (4) reliance upon the misrepresentation; (5) economic loss; and (6) loss causation. Loos v. Immersion Corp. , 762 F.3d 880 (9th. Cir. 2014), amended (Sept. 11, 2014). "To determine whether a private securities fraud complaint can survive a motion to dismiss for failure to state a claim, the court must determine whether particular facts in the complaint, taken as a whole, raise a strong inference that defendants intentionally or with deliberate recklessness made false or misleading statements to investors." In re LeapFrog Enter., Inc. Sec. Litig. , 527 F. Supp. 2d. 1033, 1039–40 (N.D. Cal. 2007).
In their motion to dismiss, Defendants challenge the sufficiency of Plaintiffs’ Section 10b and Rule 10b-5 claim as to (1) misrepresentation, (2) scienter, (3) reliance, and (4) causation. First , Defendants argue that Plaintiffs fail to plead actual misrepresentations—that is, statements by Defendants that are actually false and/or omit material facts. The Court agrees that some of the alleged misrepresentations are not actionable or that Plaintiffs have failed to plead with particularity the circumstances that make the alleged misrepresentations actionable. However, for the below reasons, the Court finds a number of the alleged misrepresentations actionable. Second , Defendants argue that Plaintiffs have failed to plead scienter. The Court disagrees; Plaintiffs have alleged sufficient facts to connect the alleged misrepresentations with a wrongful state of mind. Third , Defendants argue that Plaintiffs have failed to plead reliance. The Court disagrees, Plaintiffs have established the presumption of reliance. Finally , Defendants argue that Plaintiffs have failed to plead loss causation. The Court agrees. Plaintiffs have not connected the alleged loss with alleged misrepresentations. For that reason, the Court must dismiss Plaintiffs’ SAC.
C. Discussion
1. Misrepresentation
For a misstatement to be actionable, the statement must be both false and material. See Basic Inc. v. Levinson , 485 U.S. 224, 238, 108 S.Ct. 978, 99 L.Ed.2d 194 (1988) ("It is not enough that a statement is false or incomplete, if the misrepresented fact is otherwise insignificant."). To survive a motion to dismiss, a complaint must "specify each statement alleged to have been misleading, [and] the reason or reasons why the statement is misleading." Metzler , 540 F. 3d at 1070 (quoting 15 U.S.C. § 78u–4(b)(1) ).
Statements are misleading only if they "affirmatively create an impression of a state of affairs that differs in a material way from the one that actually exists." Brody v. Transitional Hosp. Corp. , 280 F.3d 997, 1006 (9th Cir. 2002). Rule 10b-5 prohibits "only misleading and untrue statements, not statements that are incomplete." Id. Silence, absent a duty to disclose, "is not misleading under Rule 10b-5." Basic , 485 U.S. at 239 n.17, 108 S.Ct. 978. "Often a statement will not mislead even if it is incomplete or does not include all relevant facts." Brody , 280 F.3d at 1006.
Not all material adverse events must be disclosed to investors. See In re Rigel Pharm., Inc. Sec. Litig. , 697 F.3d 869, 880 n.8 (9th Cir. 2012) (discussing Matrixx Initiatives, Inc. v. Siracusano , 563 U.S. 27, 38–45, 131 S.Ct. 1309, 179 L.Ed.2d 398 (2011) ). Information that a reasonable investor might consider material need not always be disclosed; companies can control "what they have to disclose [per § 10(b) ] by controlling what they say to the market." Matrixx , 563 U.S. at 45, 131 S.Ct. 1309. Consequently, omissions are only actionable if a defendant has a duty to disclose information and fails to do so. Basic , 485 U.S. at 239 n.17, 108 S.Ct. 978. Hence, if the omission does not "make the actual statement[ ] misleading," a company need not supplement the statement "even if investors would consider the omitted information significant." Rigel , 697 F.3d at 880 n.8.
Finally, an actionable statement must also "be capable of objective verification." Retail Wholesale & Dep't Store Union Local 338 Ret. Fund v. Hewlett-Packard Co. , 845 F.3d 1268, 1275 (9th Cir. 2017). For example, business puffery or opinion statements—i.e. , vague, optimistic statements—are not actionable because they do not "induce the reliance of a reasonable investor." Or. Pub. Emps. Ret. Fund v. Apollo Grp. Inc. , 774 F.3d 598, 606 (9th Cir. 2014).
In their SAC, Plaintiffs allege thirteen categories of allegedly misleading statements: (1) statements about control; (2) statements about respecting users’ privacy; (3) statements about risk factors; (4) statements about the Cambridge Analytica investigation; (5) statements about data misuse; (6) statements about user consent; (7) statements about compliance with the FTC consent decree; (8) statements about user notification; (8) statements about GDPR compliance; (9) statements about Russian interference in U.S. elections; (10) statements about user metrics; (11) statements about 1Q18 results; and (12) statements about the sale of user data. The Court addresses the alleged misstatements by category.
a. Deletion Certifications
An overarching issue through the alleged misrepresentations is whether or not Facebook knew that Kogan, GSR, and Cambridge Analytica did not delete the misappropriated data in 2015. Plaintiffs’ main theory of securities fraud is that Defendants knew that Cambridge Analytica had sensitive user information and was using that information for improper purposes, which created a significant risk of business, reputational, and/or economic harm to Facebook. And, despite this knowledge, represented the risks posed by Cambridge Analytica as "hypothetical." See, e.g. , SAC ¶¶ 135, 136.
The Parties each agree that Defendants did not know about Kogan's connections with Cambridge Analytica until December 2015—when The Guardian article broke. Id. ¶ 137. Once the article broke, Facebook learned that Kogan had used GSR to collect user data from Facebook and create personality scores for Facebook users. Id. Facebook also discovered that GSR, through Kogan, had transferred these personality scores (and not the underlying data) to Cambridge Analytica. Id. Both Parties also agree that Kogan's transfer of personality scores to a third-party violated Facebook's Platform Policy (Kogan's retention of users’ friends’ data is another matter). Id. ¶ 138. Thereafter, Facebook privately asked GSR and Cambridge Analytica—the entities with illicit access to the data—to delete the personality scores. Id. Both GSR and Cambridge Analytica represented that the scores had been deleted. Id.
Plaintiffs belabor the point that Facebook did "nothing else to confirm that the data had been deleted." Id. ¶ 139. This misses the mark; this is not a tort action. The relevant inquiry is not whether Defendants had a "duty" to do more. That question is already before Judge Chhabria. See In re Facebook, Inc., Consumer Privacy User Profile Litig. , 402 F. Supp. 3d 767, 800 (N.D. Cal. 2019). Rather, the question is whether Facebook misrepresented its efforts to contain the Cambridge Analytica "breach." Thus, that Facebook did nothing else to confirm that the data had been deleted is only relevant if Facebook represented that it would confirm such deletion. Plaintiffs maintain that Facebook made such representations in their data use policy. Yet, nowhere in Facebook's data policy is there any representation that Facebook would confirm deletion. To the contrary, the data policy only represents that it would "require" data to be deleted. See Statement 32. It makes no guarantees about how Facebook would enforce that requirement.
Perhaps recognizing that their "lack of confirmation" argument essentially boils into a duty argument, Plaintiffs argue that "Facebook did not believe the oral statements from GSR and Cambridge Analytica that the data had been deleted." SAC ¶ 140. This is closer; with this theory, Plaintiffs can argue that Facebook knew GSR and Cambridge Analytica still could access the data and that representations to the contrary were false. But, Plaintiffs encounter another problem—they fail to provide the Court with any reason why Facebook's belief would be misplaced. Instead, Plaintiffs use speculation to argue that Facebook should have known that Cambridge Analytica was still involved in data mining. For instance, Plaintiffs highlight February 2016 reports that a group supporting Brexit signed up Cambridge Analytica. Id. ¶ 141. From this, Defendants were supposed to deduce that Cambridge Analytica was using the misappropriated personality scores. Id. ¶ 42. Of course, Plaintiffs do not explain why the equally likely inference—that Cambridge Analytica was using data other than the misappropriated Facebook data—is overcome.
More damning is Plaintiffs’ admission that after the June 2016 Brexit vote, Facebook contacted Cambridge Analytica to confirm deletion. Id. ¶ 142. Plaintiffs argue that this shows a "guilty conscience" by Facebook. The converse is true; it also shows that Defendants wanted to ensure their policies had been followed and that the data had been deleted. Again, Plaintiffs provide no reason as to why this inference is not also possible.
Next, Plaintiffs point the Court toward the "Confidential Settlement Agreement and Mutual Release" agreement Facebook signed with Kogan following the June 2016 Brexit vote. Id. ¶ 143. Two important things occurred in this agreement: first, Kogan certified that he and GSR had deleted the data. Id. ¶ 144. Second, the agreement revealed that the data Kogan transferred to Cambridge Analytica was not just personality scores, but also included highly sensitive user information like name, birthdays, page likes, and locations. Id. Plaintiffs focus on this later revelation and show that it "revealed beyond doubt" that GSR and Cambridge Analytica had lied when initially describing the types of user data they had misappropriated. This is literally true. But, the inference Plaintiffs draw from it is mere speculation. Plaintiffs argue that this second revelation showed Facebook that Cambridge Analytica had not deleted the data and that the company was still misusing the data. Id. ¶ 146. Plaintiffs, however, provide no specific facts to support this inference. Instead, Plaintiffs point the Court toward vague evidence about Cambridge Analytica use of personality profiles—which they could have compiled with non-Facebook data—to target political advertising. Id. The significance of these "red flags" is never explained. The Court, rather, is supposed to draw inferences in Plaintiffs’ favor, on the sole basis that the SEC identified these facts as "red flags." This is not enough. See In re UBS Auction Rate Secs. Litig. , 2010 WL 2541166, at *19 n.11 (S.D.N.Y. June 10, 2010) ; see also Vess v. Ciba-Geigy Corp. USA , 317 F.3d 1097, 1107 (9th Cir. 2003) ("[T]he circumstances constituting the alleged fraud [must] be specific enough to give the defendants notice of the particular misconduct .... Averments of fraud must be accompanied by the who, what, when, where, and how of the misconduct charged." (quotation marks and citations omitted)).
Finally, Plaintiffs focus on Roger McNamee's warnings to Defendants about bad actors using Facebook data to "harm innocent people." Id. ¶¶ 147, 148. These warnings, however, fail to establish that McNamee told Defendants that Cambridge Analytica did not delete the data or that he would even have such personal knowledge about Cambridge Analytica's data use.
This is all to say, the SAC does not have sufficient allegations from which the Court can infer that Defendants knew that GSR and Cambridge Analytica did not delete the relevant data. This undercuts many of Plaintiffs’ theories of falsity because it demonstrates that Defendants’ representations about the Cambridge Analytica scandal were not false and/or made with scienter. The Court will not re-analyze this in each below section, but it should be noted, that this is in the background of the below analysis.
b. Statements About Control
Statements 1–20 concern Facebook users’ ability to control their data and information. See SAC ¶ 325. Importantly, this Court held in its September 2019 Order that Statement 2 was plead with adequate falsity. Plaintiffs have now presented the Court with every statement by Defendants using the word "control" and have attempted to lump together any statement that references control. This is incorrect. Metzler , 540 F. 3d at 1070 (noting that plaintiff must allege why each statement is false). Simply stating that users have control over their experience does not render the statement inaccurate. Rather, the relevant inquiry is whether Plaintiffs have alleged particular facts showing that the alleged misstatements were false when made. See Ronconi v. Larkin , 253 F.3d 423, 430 (9th Cir. 2001).
Three sub-categories emerge. There are statements like Statements 2, 8, and 12–19 , where an Executive Defendant pledges that users "control what they share" and how the data is used. These statements are of the type that the Court previously found actionable. There are statements like Statements 1, 7, 9–11, and 20 , where Defendant Facebook pledges that users can control the audience for their posts and the apps that receive their data via the privacy settings. These statements are of the type previously found inactionable. And then, there are statements like Statements 3–6 , which focus on "transparency and control." These statements have not been previously analyzed. Plaintiffs argue the statements (irrespective of the sub-category) are false by their literal terms and because they omit material facts necessary to make them not misleading. But see supra III.C.1.a. (finding that Plaintiffs have not alleged sufficient facts to show Defendants omitted information about the Cambridge Analytica data deletion, or mislead investors about deletion and access to data). Specifically, Plaintiffs argue that the statements are false because users did not have control over their data since (i) Facebook continued to give whitelisted parties users’ friend's data (and overrode user privacy settings to do so), (ii) bad actors (like Cambridge Analytica) could still access Facebook data, and (iii) Facebook could not control the data once it was given to third-parties. SAC ¶¶ 340, 343.
Specifically, the Court previously held Statements 1 & 7 inactionable. In their Consolidated Class Action Complaint, Plaintiffs alleged that these statements were false because (1) Defendants’ privacy policies were deliberately confusing to users and (2) they were meant to cast doubt on new reports about Facebook's failure to address data breaches. See September 2019 Order at 33, 41. Plaintiffs’ theory of falsity has changed in this action and the Court finds this new theory, coupled with the factual background, sufficient to show falsity. See infra III.C.1.b.
In Statements 2, 8, and 12–19 , an Executive Defendant (either Defendant Sandberg or Defendant Zuckerberg) made assurances like "you have complete control over who sees your content," "no one is going to get your data that shouldn't have it," "you are controlling who you share with," and "you have control over everything you put on the service." Plaintiffs have alleged that the contrary was true—that is, that users did not control their data as whitelisted developers could override privacy controls. See, e.g. , id. ¶ 3. More concerning, once data was in the hands of app developers, developers could share the data with "bad actors" or other third-parties without Facebook's knowledge. As demonstrated by the Cambridge Analytica data scandal, Facebook had limited control over the data once it "left" Facebook's servers. Id. ¶ 9 (noting that the data Kogan misappropriated was not deleted despite certifications to the contrary). This is to say, users did not have control over their data; whitelisted developers could still access, use, and potentially abuse user data, much like Kogan did in 2015.
Plaintiffs have plead sufficient, particular facts which show that Statements 2, 8, and 12–19 were false when made. In April 2014, Facebook issued a press release promising to shut-off third party access to user-friend data to ensure that "everyone has to choose to share their own data with an app themselves." Id. ¶ 82; see also Ex. 30, Dkt. 126-31. This announcement established two timelines: new apps would be immediately confined to the new privacy terms, while existing apps would have a full year to upgrade. Ex. 30, Dkt. 126-31. This "transition period" ended April 30, 2015. During this transition period, existing developers could continue to access friends’ data, subject to a users’ privacy and application setting. Ex. 30, Dkt. 126-31.
Plaintiffs allege that new-whitelisted app developers were able to access user data and users’ friends’ data in contravention of the April 2014 announcement. More concerning, Statements 2, 8, and 12–19 were made in 2018, which is long after the "transition period" discussed in the April 2014 announcement. Thus, at the time Statements 2, 8, and 12–19 were made, there was no notification to users that their data or their friends’ data could still be accessed by whitelisted developers (whether such developers were using new or existing apps). It was thus false for Defendants to say users "controlled" their data since whitelisted app-developers could access user-data in contravention of user privacy settings. See SAC ¶¶ 111–25 (alleging the specifics of whitelisting, including that whitelisted apps could override privacy settings through to nearly the end of the Class Period); see also ¶ 116 (investigation by The New York Times revealed that during the Class Period, Facebook allowed at least 60 phone and other device makers continued access to users’ friends’ data without consent). Two such third-party developers were Huawei, a Chinese telecom company, with ties to the Chinese government and Mail.Ru Group, a Kremlin-connected technology conglomerate. Id. ¶¶ 16, 125. After Cambridge Analytica, and especially after the 2018 The Guardian story, Defendants knew or should have known that once data is released to third-party app developers, it is near-impossible for Facebook to control the sharing or deletion of that data. See id. ¶¶ 86–106, 171–72. Hence, it was false for Defendants to state that users had "complete control" over their data when they knew that user data was released to whitelisted developers with little to no oversight. For these reasons, the Court holds that Plaintiffs have adequately plead falsity as required by the PSLRA for Statements 2, 8, and 12–19.
Statements 1, 7, 9–11, and 20 pertain to statements made by Defendant Facebook about user control on the platform. For instance, Statement 1 told users that they could control the sharing of their content and information via privacy and application settings. Likewise, Statement 7 told users that they were being given "tools to control their experience." And, Statement 9 stated that users were told they could "control what data ... apps [could] use." Defendants argue that these statements are "indisputably true," see Mot. at 11, because these statements describe how Facebook's platform functions, see Reply at 4. But, these statements do not fully describe how Facebook's platform functions. Take Statement 20 , where Defendant Facebook stated: "People can control the audience for their posts and the apps that can receive their data." Accepting Plaintiffs’ allegations that, despite Defendant Facebook's assurances of control, certain whitelisted developers and phone companies were able to access user data and circumvent user privacy settings, renders Statement 20 false. Indeed, the issue is not what users chose to post, but whether Defendants’ promises of control were true. By default, if a third-party can access a users’ data, without permission and in contravention of Facebook's stated policy, a user does not have control over their content. Hence, Statements 1, 7, 9–11, and 20 are misleading because they indicate that users could control who accessed their data, when whitelisted developers and certain phone companies could still access user information. Users thus did not have "control" over their content and the Court holds that Plaintiffs have adequately plead falsity as to these statements.
In Statements 3–6 , Plaintiffs challenge Defendants’ representations that Facebook "built [its] services around transparency and control." Defendants argue that these statements are too vague to be actionable. Reply at 5. In the alternative, Defendants argue that these statements are true.
To be misleading, a statement must be "capable of objective verification." Hewlett-Packard Co. , 845 F.3d at 1275. For example, "puffing"—expressing an opinion rather than a knowingly false statement of fact—is not misleading. Id. The Court finds that Statements 3–6 are capable of objective verification. These statements are not the "soft statements," "loose predictions," or "aspirational goals" typically found to be puffery. See id. at 1049. Paradigm examples of puffery include "business remained strong," "consolidation would be very positive," or "we want to be a company known for its ethical leadership." An investor cannot quantify terms like "strong," "very positive," or "wants." Such statements are too vague to impact an investors investment decisions and are thus inactionable. In contrast, these statements can be verified—if Plaintiffs’ allegations are true, Facebook was not built around transparency and control. The secret whitelisting practice is antithetical to Defendants’ statements that Facebook is built around "transparency and control." In other words, if Facebook shared user data, as is alleged, then the service is neither transparent nor focused on user control. For these reasons, Plaintiffs have adequately plead falsity as to Statements 3–6 and Defendants’ motion to dismiss Statements 1–20 on falsity grounds is DENIED .
c. Statement About Respecting Users’ Privacy
Plaintiffs claim that Statement 21 —"We respected the privacy settings that people had in place"—was false and misleading because Facebook continued to give whitelisted third-parties and others access to users’ friends’ data after April 2014. SAC ¶ 345. For the reasons detailed above, see III.C.1.b., the Court finds that Plaintiffs have adequately plead falsity as to Statement 21 and DENIES Defendants’ motion to dismiss this statement on falsity grounds.
d. Statements About Risk Factors
Statements 22–26 refer to Defendant Facebook's 10-K SEC risk disclosure statements. Plaintiffs again argue that these statements are materially false and misleading because the risks warned of had already materialized and were not disclosed. Opp. at 9 ("The above statements were materially misleading because they presented the risk of improper access, disclosure, and use of user data as merely hypothetical ...."). Plaintiffs first allege that it was misleading for Facebook to state that, "[a]ny failure to prevent or mitigate security breaches and improper access to or disclosure of our data could result in the loss or misuse of such data, which could harm our business and reputation and diminish our competitive position ." (Statement 23 ). Plaintiffs next allege that it was misleading for Facebook to warn that if "third parties or developers fail to adopt or adhere to adequate data security practices, or in the event of a breach of their networks, our data or our users’ data may be improperly accessed, used, or disclosed ." (Statement 24 ). In Plaintiffs’ view, these statements are misleading because Defendants knew that Kogan had already improperly disclosed the data of tens of millions of Facebook users to Cambridge Analytica and that the data was still in use by Cambridge Analytica. Opp. at 9 ; but see supra III.C.1.a.
Plaintiff relies on the SEC's Complaint, which alleges that Facebook's risk factor statements were misleading. This reliance is misplaced. Defendant Facebook did not admit to this charge. Ex. 16 at ¶ 2, Dkt. 126-17 ("Without admitting or denying the allegations of the complaint ...."). Statements made by the SEC in settlement documents are not law, they are "untested assertions by litigants" and the position articulated by the SEC is "not binding on this Court." In re UBS Auction Rate Secs. Litig. , 2010 WL 2541166, at *19 n.11.
For a risk disclosure to be false or misleading, a plaintiff must allege facts indicating that, when the risk factor was made, the risk warned of was "already affecting" the defendant. Lloyd v. CVB Fin. Corp. , 2012 WL 12883522, at *19 (C.D. Cal. Jan. 12, 2012) ; see also Baker v. Seaworld Entm't, Inc. , 2016 WL 2993481, at *12 (S.D. Cal. Mar. 31, 2016) (holding that risk disclosure statements not materially false or misleading because "[p]laintiffs ... fail to plausibly allege Defendants knew that [warned-of risks] were having any impact on attendance"); Kim v. Advanced Micro Devices, Inc. , 2019 WL 2232545, at *7–8 (N.D. Cal. May 23, 2019) ("An omission is misleading where it ‘affirmatively create[s] an impression of a state of affairs that differs in a material way from the one that actually exists.") (quoting Brody , 280 F.3d at 1006 ).
Williams v. Globus Medical Inc. , 869 F.3d 235 (3d Cir. 2017) is instructive. There, the relevant risk disclosure warned that "if any of our independent distributors were to cease to do business with us, our sales could be adversely affected." Id. at 242. The plaintiffs argued that this statement was misleading because the defendants failed to warn investors that they had in fact lost an independent distributor. Id. at 241. The court disagreed. The risk warned of was the risk of adverse effects on sales, not the loss of independent distributors generally. Id. The risk at issue thus only materialized if sales were adversely affected at the time the risk disclosures were made. Id. Accordingly, because the plaintiffs failed to allege that the company's sales were adversely affected by the decision to terminate the distributor, the risk disclosure was not misleading and the defendants’ duty to disclose was not triggered. Id. at 243 ; see also Kim , 2019 WL 2232545, at *7–8 (finding risk factors statements not misleading because "the potential risks disclosed in the SEC filings had not come to fruition when Defendants filed the challenged risk disclosures").
The same analysis applies here. The relevant risks discussed in Statements 22, 23, 25, and 26 are reputation, business, or competitive harm, not improper access to or the disclosure of user data. Plaintiffs do not allege that, at the time the risk disclosure was made, the Cambridge Analytica scandal was harming Facebook's reputation, business, or competitive position. Nor can they. At the time these risk disclosures were made in February 2017, both Kogan's and Cambridge Analytica's misuse of user data were matters of public knowledge (with no alleged harm to Facebook's business, reputation, or competitive positions). See Ex. 17, Dkt. 126-18 (Guardian story published in December 2015). Accordingly, Statements 22, 23, 25, and 26 were not misleading because the potential risks presented therein were not yet "affecting" Facebook.
Statement 24 presents a different scenario. There, the risk identified is the improper use or disclosure of user data. This is what Plaintiffs allege occurred (see supra for more discussion on whitelisting). However, Plaintiffs have a chronology problem. When Defendants identified data misuse and disclosure as relevant risks in 2016, Kogan's and Cambridge Analytica's misuse of Facebook user data was already public knowledge, and had been so for more than a year. See SAC ¶ 5 n.3 (citing Harry Davies, Ted Cruz Using Firm that Harvested Data on Millions of Unwitting Facebook Users , The Guardian (Dec. 11, 2015), https://www.theguardian.com/us-news/2015/dec/11/senator-ted-cruz-president-campaign-facebook-user-data). Thus, as of December 2015, investors knew that Kogan had collected user data through his app and then sold that data to Cambridge Analytica in violation of Facebook's policies, and that Cambridge Analytica in turn used Kogan's data to create psychological profiles of voters for the purpose of assisting political campaigns. SAC ¶¶ 5, 86–92, 232, 280. Investors therefore had all of the information they needed to evaluate Statement 24 —because the risk of data misuse and loss had already been realized, investors would not have been misled as to this risk. See Paskowitz v. Arnall , 2019 WL 3841999, at *9 (W.D.N.C. Aug. 15, 2019) ("At the same time the Company disclosed the ‘risks’ of attracting and retaining key personnel[,] the Company also disclosed the identities of the key personnel and the numbers of investment professionals working in the business. Therefore, investors would not have been misled concerning the degree to which the ‘risk’ of employee departures had been realized ...."); cf. Sgarlata v. PayPal Holdings, Inc. , 2018 WL 6592771, at *2 (N.D. Cal. Dec. 13, 2018) (finding material misstatement where statement failed to fully disclose an unknown-risk because that created a false impression of reality); see also Brody , 280 F.3d at 1006 ("[An omission] must affirmatively create an impression of a state of affairs that differs in a material way from the one that actually exists.").
The Court also notes that Plaintiffs have not overcome Defendants’ argument that Facebook reasonably believed that the data had been deleted and thus that there was no risk of improper access.
For this reason, Plaintiffs reliance on Berson v. Applied Signal Technology, Inc. , 527 F.3d 982 (9th Cir. 2008) is misplaced. There, the company failed to disclose information that rendered its risk disclosures misleading. Id. at 987. In contrast, the events that Plaintiffs claim render Facebook's risk disclosures misleading were fully disclosed in 2015 (i.e. , before Defendant Facebook's risk disclosure statements were submitted to the SEC).
For these reasons, the Court holds that Plaintiffs have failed to plead falsity as required by the PSLRA for Statements 22–26 and the Court GRANTS Defendants’ motion to dismiss as to those statements.
e. Statements About Cambridge Analytica Investigation
Plaintiffs next argue that Defendants’ statements about "the results of Facebook's investigation into Cambridge Analytica's data misuse" were false and/or misleading. SAC ¶¶ 361–66 (Statements 27–29 ). Plaintiffs claim it was misleading for Defendant Facebook to state in March 2017 that its "investigation to date ha[d] not uncovered anything that suggests wrongdoing with respect to Cambridge Analytica's work on the [Brexit] and Trump campaigns" because Facebook had found evidence of wrongdoing by Cambridge Analytica in or before December 2015—namely, that Cambridge Analytica had improperly accessed the data of Facebook users, had misused it during campaigns, and that Kogan had violated Facebook policies by transferring user data to Cambridge Analytica. Id. ¶¶ 97–100, 136–38, 141–49, 152, 365–66.
Importantly, these statements focus on Cambridge Analytica's use of misappropriated Facebook user-data on political campaigns only.
Defendants argue that the SAC lacks contemporaneous facts from which the Court can infer that, as of March 2017, Facebook had determined that the misappropriated data was still being used in connection with the Brexit and Trump campaigns. Id. ; see also Reply at 13. The Court agrees. In their Opposition, for the first time , Plaintiffs allege that top management knew about Cambridge Analytica's involvement with the Trump campaign because around June 2016, Facebook embedded three employees in the Trump campaign, where the employees worked side-by-side with Cambridge Analytica people on a gigantic dataset that "was obviously the same one that had been misappropriated by Cambridge Analytica two years earlier." Opp. at 15. Yet, the SAC mentions Trump's campaign and Brexit only in passing. See SAC ¶ 164 ("Facebook [had] repeatedly lied to journalists about the severity of the Cambridge Analytica scandal as part of an alleged coverup of a privacy breach that gave up to 87 million users’ personal data to the Trump-linked political firm."); Id. ¶¶ 140–43 (stating only that Facebook knew of Cambridge Analytica's involvement in Brexit, but failing to plead specific factual allegations to that effect).
The Court cautions Plaintiffs about misrepresenting the context of an alleged misrepresentation. In their opposition, Plaintiffs contend that Statement 28 was not limited to the Trump/Brexit campaign. Opp. at 21. By the statement's terms, this might be true. However, in context of the article in which it is quoted, it is obvious from the title of that article alone that Statement 28 relates to Facebook's investigation into wrongdoing during the Trump campaign. See Mattathias Schwartz, Facebook Failed to Protect 30 Million Users from Having Their Data Harvested by Trump Campaign Affiliate , Intercept (Mar. 30, 2017), https://theintercept.com/2017/03/30/facebook-failed-to-protect-30-million-users-from-having-their-data-harvested-by-trump-campaign-affiliate/ (discussing the models or algorithms used by the Trump campaign and stating that Facebook "continues to maintain that whatever happened during the run-up to the election was business as usual" (emphasis added)). This is to say, Statements 27–29 are all confined to Facebook's investigation of data misuse by Cambridge Analytica during the Trump and Brexit campaigns.
It is well established that a complaint may not be amended by briefs in opposition to a motion to dismiss. See Diamond S.J. Enter. v. City of San Jose , 395 F. Supp. 3d 1202, 1231 (N.D. Cal. 2019). Given the dearth of allegations in the SAC linking Cambridge Analytica's privacy violations to the Brexit and Trump campaigns, there is no factual basis for this Court to conclude that Defendant Facebook made a material misrepresentation when it stated that its investigation "had not uncovered anything that suggests wrongdoing with respect to Cambridge Analytica's work on the [Brexit] and Trump campaigns." See Metzler , 540 F.3d at 1070 ("The PSLRA has exacting requirements for pleading ‘falsity.’ ... A litany of alleged false statements, unaccompanied by the pleading of specific facts indicating why those statements were false, does not meet this standard."). Although the SAC includes voluminous allegations which tend to show that Facebook's investigation revealed wrongdoing by Kogan and Cambridge Analytica, the SAC fails to connect that wrongdoing to either the Brexit or Trump campaign. For that reason, the Court cannot conclude that Statements 27–29 are actionable and the Court GRANTS Defendants’ motion to dismiss as to these statements. f. Statements About Response to Data Misuse
Plaintiffs again rely on the SEC Complaint to show falsity as to Statements 27–29 . A closer look at the SEC Complaint, however, reveals that the SEC's complaint contains no allegations linking Cambridge Analytica's policy violation to the Brexit or Trump campaign; in fact, the complaint omits that portion of the challenged statement all together. Ex. 15, Dkt. 126-16.
Secondly, the SAC includes a footnote, see ¶ 152 n.131, which references an article in which Roger McNamee, a Facebook investor and mentor of Defendant Zuckerberg, discusses how Facebook had three employees infiltrate President Trump's campaign. Pursuant to the incorporation by reference doctrine, the Court can consider this article. However, Plaintiffs do not argue that this footnote alone meets the PSLRA's specificity requirements and the Court cannot find any precedent stating that the PSLRA's requirements can be met through the incorporation by reference doctrine. For that reason, the Court finds that this footnote does not show "specific facts" demonstrating falsity. See Irving Firemen's Relief & Ret. Fund v. Uber Techs. , 2018 WL 4181954, at *6 (N.D. Cal. Aug. 31, 2018) (noting that, in this district, courts have rejected the "laborious deconstruction and reconstruction of a great web of ... allegations").
Statements 30–33 concern statements about Facebook's "responses to instances of data misuse." In January, February and June 2017, Defendants stated that they would take "swift action" against companies that mislead people or misuse their information and would require such companies to destroy improperly collected data. SAC ¶¶ 368–70 (Statements 30–32 ). In March 2018, Defendants stated that they were "committed to vigorously enforcing their policies to protect people's information" and would take necessary steps against third-parties who had misused data. Id. ¶ 376 (Statement 33 ). Plaintiffs argue that these statements were misleading because Facebook did not: (1) take swift action against third parties who had misused information; (2) require data misusers to destroy or delete improperly collected data; or (3) vigorously enforce its policies. Id. ¶¶ 375, 379.
The Court previously dismissed these statements. The analysis underlying that dismissal has not changed. When Statements 30–32 were made in 2017, Facebook "[had ] investigate[d] the alleged data misuse, [had ] remove[d] Kogan's app from Facebook, and [had ] obtain[ed] certifications and confirmations that all user data had been destroyed." September 2019 Order at 30; see also SAC ¶¶ 137–38; supra III.C.1.a. Likewise, Facebook never made a promise that it would "automatically" require improperly collected data to be destroyed. Facebook only promised that it would require the data to be destroyed; it did not specify the means it would use to ensure such deletion. Thus, relying on certifications of deletion—however unverified and self-serving those certifications may have been—was permissible. See SAC ¶¶ 138, 144; 171–80. This Court thus cannot say that Statement 33 was false when made because it is not clear that Facebook was neither committed "to vigorously enforcing [its] policies to protect people's information" nor taking "whatever steps [were] required" (whatever those might be) against third parties who had misused user information. For these reasons, the Court holds that Plaintiffs have failed to plead falsity as required by the PSLRA for Statements 30–33 and the Court GRANTS Defendants’ motion to dismiss as to these statements.
Moreover, Statement 33 is seemingly inactionable puffery. "[S]tatements projecting ‘excellent results,’ a ‘blowout winner’ product, ‘significant sales gains,’ and ‘10% to 30% growth rate over the next several years’ " have been held not actionable as mere puffery. In re Fusion-io , 2015 WL 661869, at *14 (citing In re Cornerstone Propane Partners, L.P. Sec. Litig. , 355 F. Supp. 2d 1069, 1087 (N.D. Cal. 2005) ). A promise to "vigorously enforce" privacy policies or "take whatever steps necessary" is comparable to the vague, generalized statements of corporate optimism discussed in In re Fusion-io .
g. Statements About User Consent
Statement 34 pertains to the issue of consent, specifically whether users knowingly provided Kogan with their data. This Court previously held that these statements were not actionable. Plaintiffs allege three main theories of misconduct regarding consent: (i) third-party consent (i.e. , allowing a user to give share information about their friends with third-party app developers), (ii) whitelisting, and (iii) sharing of data with third-parties contrary to stated policy. At issue here is (i) and (ii). See id. ¶ 89 (admitting that specific users who took Kogan's quiz consented to Kogan's app's use of their personal data, but arguing that the app's access of the personal data of users’ friends’ violated the then-existing privacy policy).
Under the first consolidated complaint Statement 34 was not "false," because the operative privacy policy in 2014 (which is when users allegedly took the quiz) allowed for third-party consent. See September 2019 Order at 43. In their SAC, Plaintiffs allege that the user data obtained by Cambridge Analytica was taken after the April 2014 announcement in which Defendant Zuckerberg pledged to shut off third-party access. SAC ¶¶ 89, 101. Allegedly, in the summer and early fall of 2014—after the April 2014 announcement—GSR (controlled by Kogan) retained a surveying firm to recruit and pay approximately 270,000 Facebook users to download Kogan's app and take his personality quiz. From this, Kogan collected the Facebook data of the 270,000 takers and many app users’ friends. Id. ¶ 104. This is how Kogan was able to harvest the data from 50 million people. Id. ¶ 106. And, this is the data that was later sold to Cambridge Analytica.
Plaintiffs maintain that the above timeline resolves the issue of third-party consent. In their view, because Facebook announced in April 2014 that it would change its policy of allowing third-party consent, Defendant Zuckerberg falsely stated in 2018 that "everyone gave their consent." A closer look at the April 2014 announcement reveals a different story. According to the April 2014 announcement, "existing apps [had] a full year to upgrade." Ex. 30, Dkt. 126-31. Importantly, GSR's collection method relied on a "pre-existing application functioning under Facebook's old terms of service." SAC ¶ 103. The "This Is Your Digital Life" app thus predated the April 2014 announcement; indeed, as Plaintiffs admitted in their earlier complaint, the app was developed in 2013. September 2019 Order at 4. So, when GSR collected user data in June 2014, pursuant to the privacy policy in place, everyone did give their "consent." Accordingly, it is irrelevant that GSR harvested the data after the April 2014 announcement. The dispositive inquiry is when was the application that allowed such data harvesting authorized. Pursuant to Plaintiffs’ own pleadings, the app was authorized before the April 2014 announcement and thus third-party consent was permissible until April 30, 2015. Ex. 30, Dkt. 126-31. For these reasons, Plaintiffs still have not shown that Statement 34 was false when made and the Court GRANTS Defendants’ motion to dismiss as to this statement.
Statement 35 discusses actions allegedly taken by Facebook to make the platform "safer." Specifically, in 2014, the platform was changed to "dramatically limit the data apps could access." SAC ¶ 383. Plaintiffs have plead falsity as to this statement. When Statement 35 was made, Facebook allegedly continued to provide user data to "whitelisted" app developers, mobile device makers, and others, often in contravention of users’ privacy settings. Id. ¶¶ 384, 387. Accordingly, in light of the alleged secret whitelisting, it was not the case that Facebook had "limit[ed] the data apps could access" or that a Cambridge Analytica-type event would not occur again, see supra III.C.1.b. For this reason, the Court DENIES Defendants’ motion to dismiss as to this statement.
h. Statements About Compliance with FTC Consent Decree
Statements 36–42 pertain to statements made by Defendants about Facebook's compliance with the 2012 FTC consent decree. See id. ¶¶ 388–403.
In the Ninth Circuit, "vague, generalized assertions of corporate optimism or statements of ‘mere puffing’ are not actionable material misrepresentations under federal securities laws" because no reasonable investor would rely on such statements. In re Fusion-io , 2015 WL 661869, at *14 (collecting cases). When valuing corporations, investors do not "rely on vague statements of optimism like ‘good,’ ‘well-regarded,’ or other feel good monikers." In re Cutera , 610 F.3d at 1111. Statements like "[w]e are very pleased with the learning from our pilot launch," "so far we're getting really great feedback," and "we are very pleased with our progress to date," are inactionable puffery. Wozniak v. Align Tech., Inc. , 850 F.Supp.2d 1029, 1036 (N.D. Cal. Feb. 3, 2012). Likewise, "statements projecting ‘excellent results,’ a ‘blowout winner’ product, ‘significant sales gains,’ and ‘10% to 30% growth rate over the next several years’ " have been held not actionable as mere puffery. In re Fusion-io , 2015 WL 661869, at *14 (citing In re Cornerstone Propane Partners , 355 F. Supp. 2d at 1087 ).
In Statement 39 Defendant Zuckerberg stated that Facebook "worked hard to make sure that" it was in compliance with the FTC consent decree. SAC ¶ 39. Plaintiffs argue that this statement was misleading because Defendants were violating the FTC consent decree by allowing third-parties to access user data, in contravention of user privacy settings. Id. ¶ 396. Defendants argue that this statement is too vague to be actionable. The Court previously held that this statement was too vague to be actionable. That opinion has not changed.
First, courts often hold that statements regarding general compliance are too vague to be actionable misrepresentations or omissions. See, e.g., Lomingkit v. Apollo Educ. Grp. Inc. , 2017 WL 633148, at *23 (D. Ariz. Feb. 16, 2017). Plaintiffs argue that Statement 39 was not a "general" statement of corporate compliance, but rather was a specific representation about a specific consent decree. As support, Plaintiffs rely on Hefler v. Wells Fargo & Co. , 2018 WL 1070116, at *8 (N.D. Cal. Feb. 27, 2018). There, the defendant (Wells Fargo) was under investigation following improper sales activities. An executive stated that the company was having a "terrific reaction from our regulators from a compliance standpoint." Id. The court determined that this was an actionable misrepresentation because a reasonable investor would not consider a regulatory investigation a "terrific reaction." Plaintiffs argue that like Hefler , Statement 39 is actionable because it creates a contrary impression of the existing state of affairs. The Court disagrees. First, unlike in Hefler , there was no ongoing regulatory investigation. Second, Defendant Zuckerberg did not value Facebook's compliance efforts—that is, he did not state that Facebook was doing a "terrific" job complying. He only stated that Facebook was working "very hard" to ensure that they were compliant. This is the exact type of vague, unverifiable statement that courts routinely hold inactionable. See Wozniak , 850 F.Supp.2d at 1035–37. For this reason, the Court GRANTS Defendants’ motion to dismiss as to Statement 39.
In Statements 37–38 and 40–41, Defendants made representations about following and/or trying to follow the 2012 FTC consent decree. In Statements 36 and 42 , Defendants discuss the risks of non-compliance. Plaintiffs maintain that Statements 36–38 and 40–42 are material misrepresentations because, at the time the statements were made, Defendants knew that they were violating aspects of the FTC consent decree and failed to disclose such violations and/or presented violations as hypothetical risks. SAC ¶¶ 400, 402–03. Defendants, however, had no obligation to tell investors that they might not be in compliance with the FTC consent decree. Indeed, companies are not required to engage in "self-flagellation" by disclosing unproven allegations. Haberland v. Bulkeley , 896 F. Supp. 2d 410, 426 (E.D.N.C. 2012) ; In re Paypal Holdings, Inc. , 2018 WL 466527, at *3 (N.D. Cal. Jan. 18, 2018) ("Federal securities laws do not impose upon companies a ‘duty to disclose uncharged, unadjudicated wrongdoing.’ ") (citing City of Pontiac Policemen & Firemen's Ret. Sys. v. UBS AG , 752 F.3d 173, 184 (2d Cir. 2014) ). Defendants thus had no duty to disclose unproven allegations.
Despite recognizing the absence of a duty to disclose alleged FTC-violations, Plaintiffs argue that because Defendants "chose to speak on [the FTC consent decree]," they had an obligation not to make material misrepresentations about it. This is of course true. See Hefler , 2018 WL 1070116, at *8. But, Plaintiffs invert this obligation and predicate the material misrepresentations on Defendants’ failure to discuss the alleged FTC violations. This is perplexing—the law is clear that Defendants had no duty to disclose unproven violations.
At the time Statements 36–38 and 40–42 were made, the FTC only stated an intent to investigate Facebook, but had not made any formal findings that Facebook violated the 2012 decree order. September 2019 Order at 27. Defendants had no obligation or requirement to elaborate on any alleged non-compliance because they had not yet been found to be non-compliant. Hence, at the time of these statements (specifically, at the time of the risk disclosures) the risk of being found non-compliant was hypothetical. See In re Teledyne Defense Contracting Deriv. Litig. , 849 F. Supp. 1369, 1382 (C.D. Cal. 1993) (dismissing securities violation claim because directors need not disclose alleged wrongdoing "when such charges have not yet been brought, let alone proven"). For these reasons, the Court GRANTS Defendants’ motion to dismiss as to Statements 36–38 and 40–42.
i. Statements About User Notification
Statements 43 & 44 refer to statements made by Defendant Facebook in an April 2017 white paper. SAC ¶¶ 405–06. In the white paper, Defendants stated they would "notify specific people" targeted by sophisticated attackers and "proactively" notify people they believed would be targeted. Id. Plaintiffs argue that these statements are materially false and misleading because Defendants did not "notify" Facebook users whose accounts were compromised or at risk of being compromised; did not provide "notifications to specific people" whose accounts or data had been targeted or compromised; and did not provide "proactive notifications to people" whose data may be at risk. Id. ¶ 407. As support, Plaintiffs point to Defendant Zuckerberg's Senate testimony, in which he confirms that "there was a decision made" not to notify the tens of millions of users whose data was compromised pursuant to the Cambridge Analytica data-scandal, see id. ¶ 408, and to Defendant Sandberg's admission that Facebook has "the responsibility to disclose to people when problems occur, see id. ¶ 409.
The Court previously considered these statements and found them not to be false. Again, "Plaintiffs seem to ignore that these statements refer to ‘targeted data collection and theft.’ " September 2019 Order at 38; see also Ex. 28, Dkt. 126-29 (emphasis added). Specifically, this page advised users about protecting their accounts from data collection by methods like "phishing with malware to infect a person's computer and credential theft to gain access to ... online accounts." Ex. 28, Dkt. 126-29. The portion of the white paper that Plaintiffs cite expressly focuses on bad actors who "steal" user data using methods like phishing. Moreover, notification is limited to persons targeted by "sophisticated attackers," or persons "suspected of working on behalf of a nation-state." Id. at n.5. The SAC does not allege that Cambridge Analytica or any of the whitelisted developers used methodologies like phishing to gain access to user data or that such actors were suspected of working on behalf of a nation-state (the closest allegation is about Huawei and Mail.Ru Group, but Plaintiffs only allege that Huawei has "deep ties" to the Chinese government and that Mail.Ru is connected to the Kremlin). See SAC ¶ 16. Thus, the factual background of this action does not render Statements 43 & 44 false because Plaintiffs’ SAC focuses on situations where app developers had valid access to the Facebook platform. See Hong v. Extreme Networks, Inc. , 2017 WL 1508991, at *15 (N.D. Cal. Apr. 27, 2017) (holding that the plaintiffs’ allegations of falsity were insufficient because "the reasons Plaintiffs offer as to why the statements are false or misleading bear no connection to the substance of the statements themselves").
As noted in the Court's earlier order, phishing is "a cybercrime in which a target or targets are contacted by email, telephone, or text message by someone posing as a legitimate institution to lure individuals into providing sensitive data such as personally identifiable information, banking and credit card details, and passwords." What Is Phishing? , Phishing.org , https://www.phishing.org/what-is-phishing (last visited July 27, 2020).
Defendant Sandberg and Zuckerberg's 2018 statements do not change this analysis. Even while Executive Defendants expressed that they "should have" informed users and that they "got [it] wrong" by withholding notice from Cambridge Analytica victims, Defendants statements of regret over how the Cambridge Analytica scandal was handled do not render unrelated statements false. For these reasons, the Court GRANTS Defendants’ motion to dismiss as to Statements 43 and 44.
j. Statement About GDPR Compliance
Statement 45 is about Defendant Facebook's compliance with the GDPR. SAC ¶¶ 411–13. During an October 2017 interview, Defendant Sandberg stated that "Europe[ ] has passed a single privacy law [i.e. , the GDPR] and we are adhering to that . But privacy is something we take really seriously." Id. ¶ 411. Plaintiffs maintain that this statement was materially false and misleading because at the time of the statement Defendant Facebook was not "adhering to" the GDPR, as demonstrated by Facebook overriding users’ privacy settings to allow whitelisted developers access to user data. Id. ¶ 412.
The Court previously considered this statement and found that Plaintiffs failed to allege falsity. That analysis has not changed. September 2019 Order at 43–44. As the Court previously held, Statement 45 expressed an intention to adhere to the GDPR; it is not a profession of being fully compliant. Indeed, GDPR did not become effective until May 25, 2018. SAC ¶ 229. Thus, Statement 45 cannot be rendered false by Facebook's alleged failure to fully comply with the GDPR, which was not even in effect at the time the statement was made. For this reason, the Court holds that Plaintiffs failed to plead falsity as required by the PSLRA for Statement 45 and the Court thus GRANTS Defendants’ motion to dismiss as to this statement.
k. Statements About Use of Platform to Influence Elections
Statements 46–48 pertain to statements made by Defendants about Russian interference in the U.S. elections. Id. ¶¶ 414–19. Plaintiffs allege that it was false for Facebook's then-general counsel (Mr. Stretch) to state that the Company had provided "everything we have to date" regarding Russian efforts to influence the 2016 election, and that it was false for Mr. Stretch to say that Facebook had seen "only what appear[ed] to be insignificant overlap between the targeting and content used by the [Russian Internet Research Agency] and that used by the Trump campaign." Id. ¶¶ 414–15. Plaintiffs argue that these statements were materially false and misleading when made because the statements do not to include information about the results of Facebook's Cambridge Analytica investigation, which should have revealed that user data had repeatedly been used to design effective political advertising for the 2016 Trump campaign. Id. ¶¶ 416–18.
Plaintiffs, however, have failed to allege facts that show that Statements 46–48 were false when made. That is, Plaintiffs have not plead specific facts from which the Court can infer that Facebook had not provided complete information about Russian efforts to influence the 2016 election or that Facebook had seen significant overlap between the targeting and content used by the Russian IRA and the Trump campaign. See Brody , 280 F.3d at 1006 (statements are only misleading if they "affirmatively create an impression of a state of affairs that differs in a material way from the one that actually exists").
Plaintiffs further argue that Statement 48 was misleading because there was a significant risk that Kogan's data (and thus Cambridge Analytica's data) was similar to the Russian IRA's data since "Kogan had worked closely with Russian operatives in the past, giving rise to a heightened risk that data provided to Cambridge Analytica had been obtained by Russian agents either before or after the [Cambridge Analytica data scandal] was originally reported." Id. ¶ 419. But, this is mere speculation—the Court cannot infer that Facebook had seen "significant overlap" between the user data used by Russian IRA and the Trump campaign based on Plaintiffs’ bare allegation that "Kogan worked closely with Russian operatives." See In re Stratosphere Corp. Sec. Litig. , 1997 WL 581032, at *13 (D. Nev. May 20, 1997) (circumstantial evidence to show falsity must be plead with particularity). Accordingly, the Court cannot conclude that Statements 46–48 are false because Plaintiffs have not met their burden of showing particular facts from which this Court can infer falsity. The Court thus GRANTS Defendants’ motion to dismiss as to these statements.
l. Statements About User Metrics
Statements 49–62 pertain to statements by Defendants about Facebook's Daily Active User ("DAU") and Monthly Active User ("MAU") metrics. SAC ¶¶ 420–21. Plaintiffs argue that these statements were misleading because at the time the DAU and MAU figures were collected in 2017, Facebook was using an "incorrect methodology to calculate duplicate accounts," which caused Facebook to overstate its user-figures. Id. ¶ 423 ("Facebook admitted to this reality on November 1, 2017, when it implemented a ‘new methodology for duplicate accounts that included improvements to the data signals we rely on to help identify such accounts.’ "). Plaintiffs further argue that the statements are materially false and misleading because Defendants failed to account for the number of fake accounts on Facebook. Id. ¶ 424 ("In May 15, 2018, Facebook announced for the first time that it had deleted a total of 1.277 billion fake accounts during the period from Q4 2017 to Q2 2018."). Lastly, Plaintiffs argue that the statements are materially false and misleading because Defendants omitted to include information about (1) their whitelisting privacy practices and (2) how the active user engagement metrics were not reliable indicators of the health or strength of Facebooks business. Id. ¶ 425.
As this Court noted in its earlier order, simply using a new methodology to count accounts is not misleading. See Ironworkers Local 580—Joint Funds v. Linn Energy, LLC , 29 F. Supp. 3d 400, 426 (S.D.N.Y. 2014) (rejecting claim that changed formula for calculating financial metrics amounted to "some sort of admission that statements made in prior reporting periods were false or materially misleading"). There is no requirement that companies like Facebook use specific methods to calculate user engagement (or at least Plaintiffs have not identified such a requirement). Plaintiffs’ effort to transform Defendants’ business decision to change its methodologies into some sort of admission that its prior statements were false and materially misleading is misguided and rejected.
Likewise, Plaintiffs’ omission arguments are rejected. The necessary predicate to any action under the securities laws is either (1) making a "misstatement" or (2) omitting to say something that is needed in order for the full truth to be told. Id. at 426. Thus, in order for Statements 49–62 to contain omissions, Plaintiffs must plead specific facts that tend to show that the statement only told "half" the truth or that a defendant had a "duty to disclose" information but failed to do so. Basic , 485 U.S. at 239 n.17, 108 S.Ct. 978 ; see also supra III.C.1.a. Plaintiffs have not met this burden. First, Plaintiffs argue that Defendants omitted information about their whitelisting practices. Yet, nowhere in Statements 49–62 do Defendants make any qualitative comment about user growth. Rather, each statement is quantitative—Defendants thus cannot be said to have told a "half-truth" by not discussing their whitelist policy because they never promised any results. Perhaps if Defendants had made guarantees about continued user growth, this Court could find that they made a material omission by failing to include information about whitelisting (which, as Plaintiffs note, would be likely to affect user engagement). But, that is not the case—simply stating the relevant data and promising to "continue to monitor" user engagement makes no promise about future results.
Second, Plaintiffs argue that Defendants omitted information about the reliability of their user metrics. Again, nowhere in Statements 49–62 do Defendants make any promises about the reliability of their metrics, nor is there any identifiable requirement for Defendants to do so. See Basic , 485 U.S. at 239 n.17, 108 S.Ct. 978. It thus cannot be said that Defendants presented a "half" truth by presenting their data.
For these reasons, the Court holds that Plaintiffs have failed to plead falsity as required by the PSLRA for Statements 49–62 and the Court GRANTS Defendants’ motion to dismiss as to those statements.
m. Statements About 1Q18 Results
Statements 65 and 66 relate to statements made by Defendants during Facebook's 1Q18 Earnings Call. SAC ¶¶ 427–43. In these statements, Defendants discussed Facebook's 1Q18 financial results and the anticipated impact of GDPR on Facebook. Plaintiffs claim that these statements were false or misleading because they were meant to "assure investors that the Cambridge Analytica data scandal had not, and would not, have a meaningful financial impact on the business" and that "data breaches like Cambridge Analytica scandal were behind the company." Id. ¶ 432.
For the reasons discussed in III.C.1.k, Statements 63 & 64 are not plead with sufficient falsity. These statements pertain to statements about DAU and MAU data. The Court GRANTS Defendants’ motion to dismiss as to those statements.
Under the PSLRA "Safe Harbor" Provision, "forward-looking statements are not actionable as a matter of law if they are identified as such and accompanied by "meaningful cautionary statements identifying important facts that could cause actual results to differ materially from those in the forward looking statement." 15 U.S.C. § 78u-5(c)(1)(A)(i). A forward-looking statement is "any statement regarding (1) financial projections, (2) plans and objectives of management for future operations, (3) future economic performance, or (4) the assumptions ‘underlying or related to’ any of these issues." No. 84 Emp'r Teamster Joint Council Pension Trust Fund v. Am. W. Holding Corp. , 320 F.3d 920, 936 (9th Cir. 2003) (citing 15 U.S.C. § 78u5 (i)). "[I]f a forward-looking statement is identified as such and accompanied by meaningful cautionary statements, then the state of mind of the individual making the statement is irrelevant, and the statement is not actionable regardless of the plaintiff's showing of scienter." In re Cutera Sec. Litig. , 610 F.3d 1103, 1112 (9th Cir. 2010).
Here, Defendants argue Statements 65 and 66 are forward-looking statements protected by the PSLRA's Safe Harbor. The Court agrees. Statement 65 is a statement about Facebook's intent to use GDPR to strengthen its privacy policies and its commitment to improving its ads model. Management's plans or objectives for future operations and predictions of future economic performance are protected forward-looking statements. 15 U.S.C. § 78u–5(i)(1)(A)–(C). At bottom, Statement 65 concerns Executive Defendants’ objectives for future Facebook operations. See SAC ¶ 430 ("Going forward , we will continue to focus on [GDPR, ad improvement, and choice]." (emphasis added)). Because Statement 65 is an inactionable forward-looking statement accompanied by meaningful cautionary language, see n.11, the Court GRANTS Defendants’ motion to dismiss as to this statement.
Importantly, at the start of the earnings call, Defendants reminded investors that the remarks may "include forward-looking statements" and that "[a]ctual results may differ." Ex. 10, Dkt. 126-11.
Statement 66 is also a forward looking statement; it concerns predictions of the impact of the GDPR on ad revenue. See September 2019 Order at 26 (holding comparable statement inactionable). Specifically, Defendant Wehner stated that he did not "expect [GDPR to] significantly impact advertising revenue" and that Defendants believed any effect to be "relatively minor." SAC ¶ 431. This statement plainly concerns Facebook's future economic performance in light of GDPR. See 15 U.S.C. § 78u–5(i)(1)(A)–(C). The statement is accompanied by meaningful cautionary language. See supra n. 11; see also SAC ¶ 431 (Defendant Wehner acknowledged that there was potential "for some impact"). Because Statement 66 is an inactionable forward-looking statement accompanied by meaningful cautionary language, the Court GRANTS Defendants’ motion to dismiss as to this statement.
In Statement 68, Defendant Zuckerberg stated that he believed the vast majority of people "want their data used." SAC ¶ 437. Plaintiffs claim that this statement was false and/or misleading because it was meant to assure investors that GDPR would not cause (and had not caused) a decline in active use of Facebook's platform and portrayed Facebook as GDPR-compliant. Id. ¶ 438. Plaintiffs further claim that the statement omitted information about Defendants’ privacy misconduct. Plaintiffs have not sufficiently alleged falsity—they do not allege facts tending to show that people did not want their data used. Moreover, the statement says nothing about GDPR compliance or the costs associated with compliance. See Hong , 2017 WL 1508991, at *15. Moreover, Defendants’ alleged privacy misconduct has no bearing on this statement. Plaintiffs allege no reason why users’ decision to opt-in to data sharing would be effected by any alleged privacy misconduct. For these reasons, Plaintiffs have not alleged falsity as to Statement 68 and the Court GRANTS Defendants’ motion to dismiss as to this statement.
Plaintiffs have plead sufficient falsity as to Statements 67 and 69. In Statement 67 , Defendant Zuckerberg stated that situations "like" the Cambridge Analytica scandal would not occur again. Id. ¶ 434. But, accepting Plaintiffs’ whitelisting allegations as true, "Facebook had not been protecting privacy" and so there was a risk that a Cambridge Analytica-type scandal could occur again. Id. ¶ 435. Statement 69 is materially misleading for the same reason—the statement assures users and investors that users’ control their data and that Facebook has "strong protections" in place for user information. Id. ¶ 440. However, Plaintiffs’ whitelisting allegations render this statement misleading. For these reasons, Defendants’ motion to dismiss Statements 67 and 69 on falsity grounds is DENIED .
n. Statements About the Sale of User Data
Statements 70–83 concern comments made by Facebook that it does not "sell data." SAC ¶¶ 444–60. Plaintiffs maintain that these statements were materially misleading because Facebook used user friend data "as consideration for a reciprocal exchange of value with third-party app developers and other companies who were ‘whitelisted’ for secret access to user friend data." Id. However, Plaintiffs (as they admit in their Opposition) do not allege that Facebook did sell data. To the contrary, Plaintiffs maintain that "selling" data includes data-bartering. Opp. at 27. Not so. "Selling" user data contemplates a cash-for-data transaction. Indeed, this is the type of transaction contemplated by Defendants when Statements 70–83 were made. See, e.g. , SAC ¶ 448 ("[W]e don't buy and sell [data]." (emphasis added)). Plaintiffs do not allege any facts from which this Court can plausibly infer that Defendants did sell (i.e. , for cash) user data. The closest Plaintiffs get is by pointing the court to a September 2013 email chain, which shows Facebook Directors discussing the fact that Facebook was requiring third-party app developers to "spend on [advertising at Facebook] at least $250,000 a year to maintain access to the data." Id. ¶ 72. There are no allegations, however, about which advertisers were required to do this, whether all advertisers were required to do this, or if Facebook actually required such spending to maintain data-access. See id. ¶ 459; see also Metzler , 540 F. 3d at 1070. Plaintiffs thus have not plead specific facts showing that Defendants sold data and thus have not alleged falsity for Statements 70–81 . The Court GRANTS Defendants’ motion to dismiss as to these statements.
Parts of Statements 82 & 83 are actionable. For the above reasons, the Court holds that the portions of these statements that refer to selling of information are not actionable. However, the portions of the statements that state Facebook does not "share" or "give" user information to "third parties" are actionable. As discussed above, Plaintiffs have plead sufficient facts to show falsity—Plaintiffs have demonstrated that, despite guarantees to the contrary, Facebook was sharing user data (including user friend data) to third-parties via whitelisting. See SAC ¶¶ 16, 63–80, 444–60. Accordingly, the portions of Statements 82 and 83 that refer to sharing—but not selling—of data are actionable.
2. Scienter
Having determined that Statements 1–21, 35, 67, 69, and parts of Statements 82 and 83 are actionable, the next issue is whether Plaintiffs have adequately pled a strong inference of scienter.
Scienter is required under the PSLRA and plaintiffs must plead "with particularity facts giving rise to a strong inference that the defendant acted with the requisite state of mind" regarding "each act or omission alleged." 15 U.S.C. § 78u-4(b)(2)(A). It can be established by intent, knowledge, or certain levels of recklessness. In re Verifone Holdings, Inc. Sec. Litig. , 704 F.3d 694, 702 (9th Cir. 2012). Recklessness must be deliberate. Schueneman v. Arena Pharma., Inc. , 840 F.3d 698, 705 (9th Cir. 2016) ("[S]cienter—a mental state that not only covers ‘intent to deceive, manipulate, or defraud,’ but also ‘deliberate recklessness.’ " (citations omitted)). Deliberate recklessness is an "extreme departure from the standards of ordinary care ... which presents a danger of misleading buyers or sellers that is either known to the defendant or is so obvious that the actor must have been aware of it." Id. Thus, recklessness only satisfies scienter under § 10(b) to the extent it reflects some degree of intentional or conscious misconduct. In re NVIDIA Corp. Sec. Litig. , 768 F.3d 1046, 1053 (9th Cir. 2014).
A "strong inference" of scienter exists "only if a reasonable person would deem the inference of scienter cogent and at least as compelling as any opposing inference one could draw from the facts alleged." Tellabs , 551 U.S. at 324, 127 S.Ct. 2499. In reviewing a complaint under this standard, the court must consider "all reasonable inferences to be drawn from the allegations, including inferences unfavorable to the plaintiffs." Metzler , 540 F.3d at 1061. To plead a strong inference of scienter, plaintiffs must plead particularized facts demonstrating that the individual defendants knew the supposedly false statements challenged by the plaintiffs were false or misleading when made or had access to information demonstrating that the individual defendants were deliberately reckless in allowing the false statements to be made. See id. at 1068.
In Statements 1–21 , Defendants claimed that users could "completely control" their data, that users could use "privacy and application setting" to control their data, that the platform was focused on "transparency and control," and that Facebook "respected the privacy settings that people had in place." The Court found above that Plaintiffs adequately alleged falsity as to these statements because of Defendants’ "whitelisting" practices.
To establish scienter for Executive Defendants Zuckerberg and Sandberg, Plaintiffs rely on Facebook's internal documents, which show that Defendants knowingly supplied user friend data to whitelisted developers. SAC ¶ 70. An internal memo, from 2013/2014 states that "during app review, we examine the APIs [Application Programming Interfaces] that the app uses in order to determine what [is] the appropriate level of reciprocity." Id. The guideline for review is "take data, give data." Id. Facebook emails dating from September 2013 note that "the capability will remain to give access features which are publicly deprecated [i.e. , discontinued] but available to whitelisted apps." Id. ¶ 71 (emphasis added) (alteration in original).
Defendants do not argue that Plaintiffs have failed to plead scienter as to Defendant Facebook. The Court finds that Plaintiffs have pled sufficient information to support a strong inference of scienter. A corporation can only act through its employees and agents, and can thus only have scienter through them. In re ChinaCast Educ. Corp. Sec. Litig. , 809 F.3d 471, 475 (9th Cir. 2015). Thus, to show Defendant Facebook's scienter, Plaintiffs must show scienter as to any of Facebook's senior executives. See Cheung v. Keyuan Petrochemicals, Inc. , 2012 WL 5834894, at *3 (C.D. Cal. Nov. 1, 2012). Plaintiffs have met that burden. See III.C.2.
Defendants Zuckerberg and Sandberg were involved in the decision to exchange user friends’ data for reciprocal value from third parties. Id. ¶ 73. Internal Facebook documents show that Defendants Zuckerberg and Sandberg were actively involved in discussions about whitelist access. See id. ¶¶ 74–79. Indeed, these documents demonstrate that Defendants Zuckerberg and Sandberg were the original architects of Facebook's "full reciprocity" business model, in which Facebook gave access to user data and user friend data to certain whitelisted parties who, in a reciprocal exchange, would give Facebook data, ad revenues, or access to new users. Id. ¶¶70–80 ("Facebook employees pointed to Zuckerberg as being intimately involved in the discussions and decision-making around [whitelisting]."). These allegations show that Defendants Zuckerberg and Sandberg were actively involved in the whitelisting process and thus support an inference that Defendants Zuckerberg and Sandberg knew of Facebook's illicit whitelisting practices. Cf. Fleming v. Impax Labs. Inc. , 2018 WL 4616291, at *4 (N.D. Cal. Sept. 7, 2018) ("Even when viewed as a whole, the factual allegations in the amended complaint do not plausibly suggest that individual Defendants directly engaged in unlawful pricefixing ...." (emphasis added)).
Likewise, Plaintiffs have plead sufficient facts showing that Defendants knew that Facebook had little control over the deletion of misappropriated data and that the risk of a Cambridge Analytica type scandal could again occur due to its whitelisting practices. See Metzler , 540 F.3d at 1061. Because Statements 35, 67, 69, and the relevant portions of 82 and 83 rely on the same theory of falsity, Plaintiffs have shown scienter as to these statements also.
For these reasons, the Court holds that Plaintiffs have plead scienter as to Statements 1–5, 7–21, 35, 67, 69, and the relevant portions of 82 and 83. The Court thus DENIES Defendants’ motion to dismiss these statements on scienter grounds.
Statement 6 was made by Defendant Wehner. Plaintiffs do not allege that he knew of the above emails or was involved in whitelisting. Instead, Plaintiffs argue that the Court can infer scienter through Defendant Wehner's stock sales. The Court disagrees. "Insider stock sales are not inherently suspicious; they become so only when the level of trading is dramatically out of line with prior trading practices at times calculated to maximize the personal benefit from undisclosed information." In re Vantive Corp. Sec. Litig. , 283 F.3d 1079, 1093 (9th Cir. 2002), abrogated on other grounds by Gebhart v. SEC , 595 F.3d 1034 (9th Cir. 2010) (quotation marks and citation omitted). Absent from the SAC are allegations regarding Executive Defendants’ holdings of Facebook stock before the sale. SAC ¶¶ 490–91, 496, 502–03; see also In re Vantive Corp. Sec. Litig. , 283 F.3d at 1093 ("[B]y themselves, large numbers do not necessarily create a strong inference of fraud."). Hence, Plaintiffs have not provided "sufficient context of insider trading" to support an inference of fraud. Ronconi , 253 F.3d at 436. And, the Court cannot say that Defendant Wehner's sales are suspicious in light of his trading history. This is the only other grounds for scienter alleged as to Defendant Wehner. Because Plaintiffs have provided no particularized facts from which this Court can infer that Defendant Wehner consciously lied, the Court finds that Plaintiffs fail to plead scienter as to Statement 6 as required by the PSLRA and so this Court GRANTS Defendants’ motion to dismiss as to this statement.
3. Reliance
Plaintiffs must plead facts showing that they relied on the allegedly false or misleading statements in purchasing Facebook stock. See ScripsAmerica, Inc. v. Ironridge Glob. LLC , 119 F. Supp. 3d 1213, 1252–53 (C.D. Cal. 2015) ; Matrixx Initiatives, Inc. , 563 U.S. at 37–38, 131 S.Ct. 1309. The reliance element "ensures that there is a proper connection between a defendant's misrepresentation and a plaintiff's injury." Halliburton Co. v. Erica P. John Fund, Inc. , 573 U.S. 258, 268, 134 S.Ct. 2398, 189 L.Ed.2d 339 (2014) (citation and quotation marks omitted). "The traditional (and most direct) way a plaintiff can demonstrate reliance is by showing that he was aware of a company's statement and engaged in a relevant transaction—e.g. , purchasing common stock—based on that specific misrepresentation." Id. (citation and quotation marks omitted).
In Basic , the Supreme Court recognized that requiring such direct proof of reliance "would place an unnecessarily unrealistic evidentiary burden on the Rule 10b-5 plaintiff who has traded on an impersonal market." 485 U.S. at 245, 108 S.Ct. 978. To address this concern, Basic held that securities fraud plaintiffs can, in certain circumstances, satisfy the reliance element of a Rule 10b-5 action by invoking a rebuttable presumption of reliance, rather than proving direct reliance. Halliburton , 573 U.S. at 268, 134 S.Ct. 2398. This "fraud-on-the-market" theory of reliance holds that "the market price of shares traded on well-developed markets reflects all publicly available information, and, hence, any material misrepresentations." Basic , 485 U.S. at 246, 108 S.Ct. 978. Indeed, rather than scrutinize every piece of public information about a company for himself, the typical "investor who buys or sells stock at the price set by the market does so in reliance on the integrity of that price." Id. at 247, 108 S.Ct. 978. Thus, whenever the investor buys or sells stock at the market price, his "reliance on any public material misrepresentations ... may be presumed for purposes of a Rule 10b-5 action." Id. ; see also In re Apple Computer Sec. Litig. , 886 F.2d 1109, 1114 (9th Cir. 1989) ("In a fraud on the market case, the plaintiff claims that he was induced to trade stock not by particular representations made by corporate insiders, but by the artificial stock price set by the market in light of statements made by the insiders as well as all other material public information.").
A plaintiff relying on the fraud-on-the-market theory must make the following showings to demonstrate that the presumption of reliance applies: (1) that the alleged misrepresentations were publicly known; (2) that they were material; (3) that the stock traded in an efficient market; and (4) that the plaintiff traded the stock between the time the misrepresentations were made and when the truth was revealed. Halliburton , 573 U.S. at 268, 134 S.Ct. 2398. This showing establishes a presumptive—not conclusive—showing of reliance. Hence, "[a]ny showing that severs the link between the alleged misrepresentation and either the price received (or paid) by the plaintiff, or his decision to trade at a fair market price, will be sufficient to rebut the presumption of reliance." Basic , 485 U.S. at 248, 108 S.Ct. 978. So, for example, if a defendant could show that the alleged misrepresentation did not, for whatever reason, actually affect the market price, or that a plaintiff would have bought or sold the stock even had he been aware that the stock's price was tainted by fraud, then the presumption of reliance would not apply. Id. at 248–49, 108 S.Ct. 978 ; see also id. at 284, 134 S.Ct. 2398 ("[D]efendants must be afforded an opportunity before class certification to defeat the presumption through evidence that an alleged misrepresentation did not actually affect the market price of the stock."); In re Kalobios Pharm., Inc. Sec. Litig. , 258 F. Supp. 3d 999, 1008 (N.D. Cal. 2017) ("[T]he presumption may be rebutted where a defendant can show that the truth had actually been made available to the market through a different source." (emphasis added)); In re Convergent Techs. Sec. Litig. , 948 F.2d 507, 513 (9th Cir. 1991) ("[A]n omission is materially misleading only if the information has not already entered the market.").
Plaintiffs rely on the fraud-on-the-market theory to establish reliance. SAC ¶¶ 533–34. Defendants argue that Plaintiffs cannot rely on the fraud-on-the-market's presumption of reliance because the market was already aware of the core information that Plaintiffs claim was omitted—namely, that Facebook "knowingly and recklessly allowed third-party app developers to harvest and misuse user data without their knowledge and consent, including, for example, Cambridge Analytica and its affiliated companies." Mot. at 34 (citing SAC ¶ 471). Defendants are correct; as the Court noted, in December 2015, The Guardian article disclosed that Kogan collected and sold data to Cambridge Analytica and that Cambridge Analytica had used that data to create psychological profiles of voters for the purpose of assisting political campaigns. SAC ¶¶ 5, 86–92, 232, 280. Mainstream news sources reported additional details about Cambridge Analytica's misuse of Facebook user data. Id. ¶¶ 141, 146 (describing The Wall Street Journal and The Washington Post articles). Based on the content of these articles, and the credibility and wide circulation of the respective sources, the Court agrees that the market was aware of Cambridge Analytica's data misuse. See Kalobios , 258 F. Supp. 3d at 1009.
Of course, the market was not aware of Cambridge Analytica's continued misuse until the March 2018 The Guardian article. In March 2018, the market learned that Cambridge Analytica had not deleted the misappropriated data and had used the data in connection with President Donald Trump's campaign. Importantly, Defendants had received assurances to the contrary from Cambridge Analytica, and Plaintiffs have failed to plead facts showing that Defendants knew or should have known that these assurances were false. Thus, this theory of reliance is not viable. See supra III.C.1.a.
An alternative theory of reliance exists. On June 3, 2018, The New York Times revealed that Facebook allowed whitelisted developers to access user data. See Gabriel J.X. Dance et al., Facebook's Device Partnerships Explained , The New York Times (June 4, 2018), https://www.nytimes.com/2018/06/04/technology/facebook-device-partnerships.html ("Facebook continued to allow that kind of access to dozens of the world's biggest tech and hardware companies—and only began shutting down the data-sharing partnerships after the Cambridge Analytica scandal erupted in March [2018]."). Plaintiffs have shown that Defendants’ statements about users "controlling" their data were false and made with scienter. See supra. Because these alleged misrepresentations were publicly known; material; Facebook stock traded in an efficient market; and Plaintiffs’ traded the stock between the time the misrepresentations were made and when the truth was revealed, see Halliburton , 573 U.S. at 268, 134 S.Ct. 2398, Plaintiffs have established a presumption of reliance. Defendants have not presented evidence rebutting this presumption and so the Court presumes investors relied on Statements 1–5, 7–21, 35, 67, 69, and the relevant portions of 82 and 83.
4. Causation
Even when deceptive conduct is properly plead, a securities fraud complaint must also adequately allege "loss causation." Lloyd v. Fin. Corp. , 811 F.3d 1200, 1210 (9th Cir. 2016). Loss causation is shorthand for the requirement that "investors must demonstrate that the defendant's deceptive conduct caused their claimed economic loss." Id. Thus, like a plaintiff claiming deceit at common law, the plaintiff in a securities fraud action must demonstrate that an economic loss was caused by the defendant's misrepresentations, rather than some intervening event. Dura Pharm. , 544 U.S. at 343–44, 125 S.Ct. 1627. Loss causation is a "context-dependent" inquiry. Miller v. Thane Int’, Inc. , 615 F.3d 1095, 1102 (9th Cir. 2010). It is a variant of proximate cause; and so, the ultimate issue is whether the defendant's misstatement, as opposed to some other fact, foreseeably caused the plaintiff's loss. Lloyd , 811 F.3d at 1210.
Plaintiffs have not adequately plead loss causation. Having determined that the only viable theory of falsity plead in the SAC is that Defendants mislead investors as to their privacy policies based on their alleged whitelisting practices, the relevant timeframe is stock sales from February 3, 2017 to June 3, 2018 (which is when the whitelisting was revealed). Plaintiffs allege no facts from which the Court can infer the stock price fell in June 2018. See SAC ¶ 512. The only point that Plaintiffs’ identify after the June 2018 revelations is July 26, 2018 (i.e. , following Defendants 2Q18 Earnings Release). While the Court could find that the whitelisting practices affected the stock prices following the 2Q18 Earnings Release, it is unclear if this is the ultimate reason for the drop. See, e.g. , SAC ¶¶ 520, 522, 526–27 (noting that stock-drop was attributed to Cambridge Analytica scandal, decline in user engagement, advertising revenues, and "related privacy concerns," including GDPR); see also supra I.A.2 (discussing 2Q18 earnings call). The Court thus cannot conclude that information about whitelisting was the "ultimate reason" for a stock decline. For this reason, the Court GRANTS Defendant's motion to dismiss.
5. Plaintiffs’ Section 20(a) and 20(A) Claims
Plaintiffs also bring claims for violations of Sections 20(a) and (A) of the Exchange Act. Both these claims, however, depend on a primary violation of Section 10(b) or Rule 10b-5. Lipton v. Pathogenesis Corp. , 284 F.3d 1027, 1035 n.15 (9th Cir. 2002) ("[T]o prevail on their claims for violations of § 20(a) and § 20A, plaintiffs must first allege a violation of § 10(b) or Rule 10b 5."). Because the Court determines Plaintiffs’ claim under Section 10(b) and Rule 10b-5 fail, Defendants motion to dismiss these claims is also GRANTED .
6. Leave to Amend
When dismissing a complaint for failure to state a claim, a court should grant leave to amend "unless it determines that the pleading could not possibly be cured by the allegation of other facts." Lopez v. Smith , 203 F.3d 1122, 1127 (9th Cir. 2000). Although the Court has determined that Plaintiffs fail to state a claim, it is possible Plaintiffs can cure their allegations by alleging, among other things, that Facebook embedded employees in the 2016 Trump campaign and thus knew that the deletion certifications were false and by alleging more facts about the stock price following the June 3, 2018 whitelisting revelation. Accordingly, because Plaintiffs may salvage their Complaint, the Court finds amendment would not be futile. Plaintiffs’ claims are therefore dismissed with leave to amend. Plaintiffs are advised that this will be their final opportunity to amend.
IV. CONCLUSION
Defendants’ motion to dismiss Plaintiffs’ SAC in its entirety is GRANTED with leave to amend. Should Plaintiffs choose to file an amended complaint, they must do so by September 23, 2020 . Failure to do so, or failure to cure the deficiencies addressed in this Order, will result in dismissal of Plaintiffs’ claims with prejudice. Plaintiffs may not add new claims or parties without leave of the Court or stipulation by the parties pursuant to Federal Rule of Civil Procedure 15.