Summary
denying leave to amend only after three rounds of dismissal motions and after discovery had closed
Summary of this case from Autotek Inc. v. Cnty. of SacramentoOpinion
Case No. 5:12-cv-001382-PSG
07-15-2015
IN RE GOOGLE, INC. PRIVACY POLICY LITIGATION
ORDER GRANTING DEFENDANT'S MOTION TO DISMISS
(Re: Docket No. 105)
You might think that after three years of complaints, motions to dismiss, orders on motions to dismiss, leave to amend, amended complaints and more, at least the fundamental question of Plaintiffs' Article III standing to pursue this suit would be settled. You might think that, but you would be wrong.
Google also moves for summary judgment based on the absence of factual dispute as to the use of bandwidth or electricity for transmission or payments. See Docket No. 105 at 13. The court need not reach the parties' summary judgment arguments to resolve the issue of Plaintiffs' standing. But even if that were not the case, because Plaintiffs offer no evidence that any personal information was ever transmitted from any Android device to any third-party developer, summary judgment in Google's favor would be required.
For no less than the fourth time, Defendant Google, Inc. moves to dismiss Plaintiffs' complaint. In the wake of the court's orders on Google's previous motions to dismiss, only two claims remain: breach of contract and fraudulent unfair competition. Plaintiffs bring both claims on behalf of an "app disclosure" subclass. In granting Google's third motion to dismiss, the court previously held that Plaintiffs' only alleged injury-in-fact was the depletion of battery and bandwidth resulting from systemic, repeated transmission of personal information from Android devices to third-party developers. But in taking the leave the court granted to amend their claims, Plaintiffs managed something somewhat unusual: they pled themselves out of a case. Because injury-in-fact is now insufficiently alleged, especially as Plaintiffs claim injury without alleging any actual disclosure to third parties from Plaintiffs' own devices, the court GRANTS Google's motion to dismiss, without further leave to amend.
See Docket Nos. 45, 67, 85.
See Docket No. 85 at 13-14.
I.
"To establish Article III standing, an injury must be 'concrete, particularized, and actual or imminent; fairly traceable to the challenged action; and redressable by a favorable ruling.'" The injury required by Article III may exist by virtue of "statutes creating legal rights, the invasion of which creates standing." In such cases, the "standing question . . . is whether the constitutional or statutory provision on which the claim rests properly can be understood as granting persons in the plaintiff's position a right to judicial relief." At all times the threshold question of standing "is distinct from the merits of [a] claim" and does not require "analysis of the merits." The "standing inquiry requires careful judicial examination of a complaint's allegations to ascertain whether the particular plaintiff is entitled to an adjudication of the particular claims asserted."
Clapper v. Amnesty Int'l USA, 133 S. Ct. 1138, 1147 (2013) (quoting Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139, 149 (2010)).
Edwards v. First Am. Corp., 610 F.3d 514, 517 (9th Cir. 2010) (quoting Warth v. Seldin, 422 U.S. 490, 500 (1975)); see also Robins v. Spokeo, Inc., 742 F.3d 409, 412 (9th Cir. 2014) cert. granted, 135 S. Ct. 1892 (2015).
Id.
Maya v. Centex Corp., 658 F.3d 1060, 1068 (9th Cir. 2011).
DaimlerChrysler Corp. v. Cuno, 547 U.S. 332, 352 (2006) (emphasis removed) (quoting Allen v. Wright, 468 U.S. 737, 752 (1984)); see also Chandler v. State Farm Mut. Auto. Ins. Co., 598 F.3d 1115, 1121-22 (9th Cir. 2010).
This is a putative nationwide class action brought by Plaintiffs Michael Goldberg, Robert DeMars and Scott McCullough against Google on behalf of all persons and entities in the United States that purchased at least one paid Android application through the Android Market and/or Google Play Store between February 1, 2009 and May 31, 2014.
See Docket No. 103 at ¶ 1. Unless otherwise stated, facts cited come from Plaintiffs' consolidated third amended complaint.
Google is a technology and advertising company that provides free web-based products to billions of consumers around the world. Free products are not, however, truly free. Google requires massive amounts of revenue to sustain itself. To generate revenue from advertising, Google logs personal identifying information, browsing habits, search queries, responsiveness to ads, demographic information, declared preferences and other information about each consumer that uses its products. Google then uses this information to place advertisements tailored to each consumer while the consumer is using any Google product or browsing third-party sites that have partnered with Google to serve targeted ads.
See id. at ¶ 2.
See id. at ¶ 4.
Google always has maintained a general or default privacy policy purporting to permit Google to "combine the information you submit under your account with information from other services." This would allow Google, for example, to associate a consumer's Gmail account (and therefore his or her name and identity, his or her private contact list or the contents of his or her communications) with the consumer's Google search queries or the consumer's use of other Google products like Android, YouTube, Picasa, Voice, Google+, Maps, Docs and Reader. But before March 1, 2012, this general policy was qualified, limited and alleged to be contradicted in privacy policies associated with specific Google products, including both Gmail and Android-powered devices. The privacy policies associated with Android-powered devices, for example, specified that, although the default terms would generally apply, "[c]ertain applications or features of your Android-powered phone may cause other information [that is, other than certain delimited "usage statistics"] to be sent to Google but in a fashion that cannot be identified with you personally" and that "[y]our device may send us location information (for example, Cell ID or GPS information) that is not associated with your [Google] Account." These categories of information, and certain other discrete categories of Android user information identified by the terms of the Android-powered device policy in effect prior to March 1, 2012, could not be "combine[d] . . . with information from other services." On March 1, 2012, Google replaced these various policies with a single, unified policy that unequivocally allows Google to comingle user data across accounts and disclose it to third-parties for advertising purposes.
See id. at ¶ 6.
See id. at ¶ 5.
Id.
Id.
See id. at ¶¶ 7-12.
This brings us to the activity now in dispute. Google Play, formerly known as the Android Market, is the primary gateway for Android users to acquire, purchase and download apps and other digital media for their Android devices. The process of purchasing an app requires multiple components, including the creation of a Wallet account, the request for the app and the creation of a record of the purchase for the Developer Console. To create a Wallet account, a user must have a Google account and provide his or her name, usename, country and zip code. The request of an app consumes resources including electric power, CPU cycles, main memory and network capacity or bandwidth. In the Checkout Merchant Center, operative from February 2009 to early 2013, and the Play Developer Console, operative from 2012 to May 2014, a purchase of a paid application through the Android Market/Google Play Store allowed the app developer to access the purchaser's name, email address and course address, or "the physical or geographical location associated with the Play account and/or the Android device used to download the application." Google stopped making available purchaser details (including name and email address) to app developers in May 2014. But Google has continued to process app purchase transactions, to maintain user accounts and otherwise operate normally since May 2014.
See Docket No. 103 at ¶ 64.
See id. at ¶ 136. See also Docket No. 108-6, Ex. D at 80-93; id. at 83 ("The device calls the DFE [Device Frontend] CommitPurchaseAction. The DFE sends a DeliveryInfoRequest to the Mixer, which sends it via the VCA to IMAS, which returns the AndroidAppDeliveryData including the secure URL for the actual download. In parallel the DFE sends a CompletePurchaseRequest to the Blixer. This inserts an Order into Checkout and then waits for status to indicate that the purchase has succeeded (or failed). It then sends a PNR [PurchaseNotificationRequest] via the VCA to IMAS, which updates the purchase record in the user profile.") (emphasis added); id. at 85 (/commitPurchase also "[c]opies purchase context data (the details of the order to be created) into a CompletePurchaseRequest and sends it to the Blixer, with skip delivery set true. The data sent includes the 'risk hashed device info,' an obfuscated device identifier (e.g. IMEI) sent by the device, and information about any challenges the user has passed (e.g., providing their Gaia password).").
See Docket No. 105-10 at ¶¶ 6-8.
See Docket No. 103 at ¶ 68; Docket No. 108-6, Ex. B at 3, 5-6; ("The process of completing a purchase in the store now branded as Google Play consumes limited resources local to or used by the purchaser's device.").
See Docket No. 103 at ¶ 67. Although the complaint makes passing reference to "transmission" of this information rather than mere access, Plaintiffs' opposition confirms that the gravamen of its complaint is about access alone. See Docket No. 108-4 at 2-4.
See Docket No. 108-6, Ex. C at 81:13-19.
See Docket No. 108-4 at 5.
Plaintiffs' original complaint alleged that Google violated both its prior policies and consumers' privacy rights, but the court held that Plaintiffs lacked standing because they did not plead facts sufficient to show concrete economic harm or prima facie statutory or common law violations. "[N]othing in the precedent of the Ninth Circuit or other appellate courts confers standing on a party that has brought statutory or common law claims based on nothing more than the unauthorized disclosure of personal information." Plaintiffs' first consolidated amended complaint expanded the bounds of the alleged class and the explanations of Plaintiffs' injuries, but the court dismissed for failure to plead sufficient facts to support any of their claims. Plaintiffs' second consolidated amended complaint added allegations of Google's Emerald Sea plan, but effectively alleged the same harms as before.
See Docket No. 45 at 8-10.
In re Google, Inc. Privacy Policy Litig., Case No. 12-cv-01382-PSG, 2012 WL 6738343, at *5 (N.D. Cal. Dec. 28, 2012).
See Docket No. 67 at 18-30.
See Docket No. 68.
After Google's third motion to dismiss, two claims remained: an "app disclosure subclass" breach of contract claim and the subclass's fraudulent unfair competition claim. The court ruled that Plaintiffs could proceed on those two causes of action alone, although it later granted Plaintiffs' motion to file a consolidated third amended complaint to "trim" their allegations. In addition to adding Goldberg as a plaintiff, the CTAC (i) dropped any allegations relating to Google's use of the personal information of Android users that obtained free applications, as distinguished from paid applications, from Google; and (ii) revised the class period. The class now is limited to Android users that purchased paid apps through the Android Market/Google Play Store between February 1, 2009 and May 31, 2014. This class period represents the period of time during which Google allegedly and knowingly disclosed to third parties the names, email addresses and account location information belonging to each Android user that purchased a paid app through the Android Market/Google Play Store, in direct contravention of its express promises that it would not do so.
See Docket No. 85 at 27-28; Docket No. 97 at 1; Docket No. 101.
See Docket No. 97 at 1.
See id.
See id.
II.
This court has subject matter jurisdiction under the Class Action Fairness Act, 28 U.S.C. § 1332(d), in part because the aggregated claims of the individual class members exceed the sum or value of $5,000,000. The parties further consented to the jurisdiction of the undersigned magistrate judge under 28 U.S.C. § 636(c) and Fed. R. Civ. P. 72(a).
See Docket No. 103 at ¶ 20.
See Docket Nos. 10, 12.
The plaintiff always bears the burden of establishing standing. Where the plaintiff lacks standing, a complaint must be dismissed for lack of subject matter jurisdiction under Fed. R. Civ. P. 12(b)(1). In reviewing such a motion, the court "is not restricted to the face of the pleadings, but may review any evidence, such as affidavits and testimony, to resolve factual disputes concerning the existence of jurisdiction." To successfully oppose a Rule 12(b)(1) motion, the nonmovant must put forth "the manner and degree of evidence required" by the particular "stage[] of the litigation." "At the pleading stage, general factual allegations of injury resulting from the defendant's conduct may suffice, for on a motion to dismiss," the court "'presumes that general allegations embrace those specific facts that are necessary to support the claim.'" "At all times the threshold question of standing 'is distinct from the merits of a claim' and does not require 'analysis of the merits.'" All disputes of fact are resolved in favor of the nonmovant.
See Chandler, 598 F.3d at 1122.
See Lujan v. Defenders of Wildlife, 504 U.S. 555, 559-60 (1992); Steel Co. v. Citizens for a Better Env't, 523 U.S. 83, 109-10 (1998); White v. Lee, 227 F.3d 1214, 1242-43 (9th Cir. 2000).
McCarthy v. U.S., 850 F.2d 558, 560 (9th Cir. 1988).
Lujan v. Defenders of Wildlife, 504 U.S. at 561.
See id. (citing Lujan v. National Wildlife Federation, 497 U.S. 871, 888 (1990)).
In re Google, Inc. Privacy Policy Litig., Case No. 12-cv-01382-PSG, 2014 WL 3707508, at *3 (N.D. Cal. July 21, 2014) (quoting Maya, 658 F.3d at 1068).
Dreier v. United States, 106 F.3d 844, 847 (9th Cir. 1996).
III.
To establish Article III standing, it is the plaintiff's burden to "show (1) it has suffered an 'injury in fact' that is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision." Because Plaintiffs fail to satisfy all three prongs, they lack standing to pursue their claims.
See Chandler, 598 F.3d at 1122.
Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc., 528 U.S. 167, 180-81 (2000).
First , Plaintiffs have no evidence of concrete, particularized and actual or imminent "injury-in-fact" because they no longer allege that the battery-and-bandwidth -using transmission containing personal information ever occurs from Plaintiffs' phones. Plaintiffs also do not allege that any battery-and-bandwidth-using transmission ever went to a third party. The app purchase process involves transmissions only to or from Google. While Plaintiffs allege that for a period of time it was possible for developers to look up the record of a particular transaction on a Google server and also access the user's email and rough address, mere risk of future disclosure is not an Article III injury-in-fact. In Low v. LinkedIn Corp., the court specifically rejected allegations of the risk of future disclosures as "insufficient to establish an injury-in-fact that is concrete and particularized, as well as actual and imminent." With no allegation of dissemination or improper receipt of information, any profit or loss made from any alleged disclosure, let alone a potential disclosure, is "conjectural." With no allegation of "appreciable and actual" harm, Plaintiffs allege no injury-in-fact.
See Docket No. 108-4 at 16; Docket No. 108-6, Ex. D at 83, 85; Docket No. 108-6, Ex. B at 4 (affirming that no personal information is transmitted to Google or anyone else in the purchase process).
See Docket No. 103 at ¶¶ 136, 147; 170-171; see also Docket No. 105-10 at ¶ 10.
See Docket No. 103 at ¶¶ 136, 147; 170-171; see also Docket No. 105-10 at ¶ 10.
See Docket No. 103 at ¶¶ 136, 141, 144, 166, 168, 172.
See Low v. LinkedIn Corp., Case No. 11-cv-01468-LHK, 2011 WL 5509848, at *4 (N.D. Cal. Nov. 11, 2011) (citing Birdsong v. Apple, Inc., 590 F. 3d 955, 960-61 (9th Cir. 2009)) (finding lack of standing because of the "conjectural and hypothetical nature" of the alleged injury).
Lujan v. Defenders of Wildlife, 504 U.S. at 560.
Ruiz v. Gap, Inc., 380 F. App'x 689, 691-92 (9th Cir. 2010).
Pointing to the Ninth Circuit's recent unpublished opinion in In re Facebook Privacy Litigation, Plaintiffs argue they have standing under two theories of injury-in-fact in addition to battery and bandwidth use: economic injury resulting from Google's providing access to Plaintiffs' personal information to third parties, and the non-economic harm associated with the very fact of this access. In Facebook, the complaint alleged that Facebook transmitted to advertisers both the user's Facebook user id and the page the user was viewing at the time, which advertisers could then combine with the information on the user's Facebook page to assemble a comprehensive dossier. The plaintiffs affirmatively pled both that there was a "robust" market for that information and that plaintiffs had been financially harmed by Facebook usurping their ability to sell that information themselves. Judge Ware dismissed the claim on a Rule 12(b)(6) motion based on Facebook's argument that it had in fact not interfered with the plaintiffs' ability to sell their own personal information. The Ninth Circuit reversed because the plaintiffs had indeed alleged that they were harmed "by the dissemination of their personal information and by losing the sales value of that information."
See In re Facebook Privacy Litig., 572 F. App'x, 494 (9th Cir. 2014) (unpublished). Under 9th Cir. R. 36-3, this decision is not binding precedent. See also In re Google Android Consumer Privacy Litig., Case No. 11-md-02264-JSW, 2013 WL 1283236, at *4 (N.D. Cal. March 26, 2013) (finding no Article III standing, notwithstanding allegations of improper access to and use of personal information, where plaintiffs "do not allege they attempted to sell their personal information, that they would do so in the future, or that they were foreclosed from entering into a value for value transaction relating to their [personally identifying information], as a result of the Google Defendants' conduct.").
See Docket No. 108-4 at 9.
See In re Facebook Privacy Litig., 791 F. Supp. 2d 705, 708 (N.D. Cal. 2011).
Id. at 708-09.
See id. at 718.
In re Facebook Litig., 572 F. App'x at 494.
Plaintiffs cite their expert Fernando Torres's report to show an analysis of what third parties would pay for a consumer database containing identifying information for mass marketing purposes. Torres analyzed the value of the information made available by Google to app developers from several perspectives. First, Torres concludes that the information disclosed by Google has economic value, which class members have lost. To estimate this, he analyzed and quantified what third parties would pay for a consumer data base containing this information, for mass marketing purposes. He also analyzed and quantified the amount of revenue that third parties could realize from the use of this information. Torres further explained that "[b]ecause Google has disclosed this information to the application developers, the members of the Subclass have lost the sales value of that information that they otherwise would have had." In addition, Torres concludes that the class members are injured because they have a quantifiable interest in protecting the privacy of the information that Google discloses to app developers.
See Docket No. 108-4 at 13; Docket No. 108-6, Ex. A at ¶¶ 16(a), 17, 29(b)(i).
See Docket No. 108-6, Ex. A at ¶¶12, 16(a), 17, 29(b)(i).
See id. at ¶¶ 16(a), 17, 29(b)(i).
See id. at ¶¶ 22-24, 29(b)(iii).
Id. at ¶ 14.
See id. at ¶¶19-21, 29(b)(ii).
There is just one problem with Torres's various conclusions: they are not reflected anywhere in the CTAC. Plaintiffs do not allege economic injury from any dissemination—or any dissemination at all—or any injury in the form of loss of the Plaintiffs' ability to sell their own information or its market value. Plaintiffs plead neither the existence of a market for their email addresses and names nor any impairment of their ability to participate in that market. Indeed, the named Plaintiffs freely publish their names and email addresses through their work websites. If disclosure did occur, then, it would not constitute injury. Even if Plaintiffs' complaint need not show any proof of deprivation of the opportunity to sell their personal information to anyone, Plaintiffs still need to make a pleading, and they do not.
See, e.g., Docket No. 103 at ¶¶ 148; 173-174; 318.
See, e.g., id. at ¶¶ 146-151. The mere misappropriation of personal information, without a resultant economic harm—for example in the form of being deprived of the ability to monetize that information—is neither damage nor injury-in-fact. See LaCourt v. Specific Media, Inc., Case No. 10-cv-1256-GW, 2011 WL 1661532, at *5 (C.D. Cal. Apr. 28, 2011) ("[T]he Complaint does not identify a single individual who was foreclosed from entering into a 'value-for-value exchange' . . . . Plaintiffs do not explain how they were 'deprived' of the economic value of their personal information"); In re JetBlue Airways Corp. Privacy Litig., 379 F. Supp. 2d 299, 328-29 (E.D.N.Y. 2005) ("[E]ven if [plaintiffs'] privacy interests were indeed infringed by the data transfer, such a harm does not amount to a diminishment of the quality or value of a materially valuable interest in their personal information."); In re DoubleClick Inc. Privacy Litig., 154 F. Supp. 2d 497, 525 (S.D.N.Y. 2001) ("Demographic information is constantly collected on all consumers . . . . [W]e are unaware of any court that has held the value of this collected information constitutes damage to consumers"); Dwyer v. Am. Express Co., 652 N.E.2d 1351, 1356 (Ill. App. Ct. 1995) ("[D]efendants' practices do not deprive any of the [plaintiffs] of any value their individual names may possess.").
See Docket No. 108-4 at 110-111.
See Svenson v. Google Inc., Case No. 13-cv-04080-BLF, Docket. No. 118, at 2, 8-9 (N.D. Cal. Apr. 1, 2015) (alleging a market for personal information she alleged to be transmitted, and alleging loss of the opportunity to participate in that market. Concerning Google Wallet and Google Play, Svenson alleged that each App purchase involves the transmission of "Packets Contents" that are transmitted "in packets sent by Plaintiff and the class to Defendants," and contain "personal information about Buyers, including credit card information, purchase authorization, addresses, zip codes, names, phone numbers, email addresses, and/or other information.") (quoting complaint).
Second , Plaintiffs' claim of battery and bandwidth depletion has no nexus to Google's alleged breach or unfair competition. It is certainly alleged that each time a user purchases an app from Google Play, there are transmissions back and forth between the user's device and Google's servers. Those transmissions may include the process of browsing the Play catalog to select an App, sending a request to purchase an App and downloading the App once purchased. But Plaintiffs do not allege those transmissions contain any personal information. And while the parties do not dispute that a record of sale is logged in the user's Google Wallet records, the identifying information at issue is already a part of Google Wallet, provided by the user in the process of opening the account. Plaintiffs concede that the transmission of data "consists not of the user's actual name and email address in human-readable form but, instead, [application program interface] calls or messages providing certain computer-readable device- and user-specific data." Put another way, the loss of battery life or use of bandwidth is not "fairly traceable to the challenged action" as the downloading of the app occurs before any record of the transaction or making available of information for look-up.
See Docket No. 115 at 7.
See id.
See Docket No. 103 at ¶ 136.
See, e.g., Docket No. 108-6, Ex. B at 4.
See Docket No. 108-4 at 16; See Docket No. 108-6, Ex. D at 85, 83; Docket No. 108-6, Ex. B. at 4.
Third , any injury is not redressable by a favorable decision. No past or future change to merchant queries or receipt of information would alter the battery or bandwidth consumed in purchasing an app. Google no longer makes names and email addresses visible in response to Wallet or Play merchant queries, nor could there be any claim that the amount of battery power used in purchasing an App changed one iota as a result. Even if tomorrow this court ordered Google to cease making any transaction data whatsoever available to the developers from whom users purchase apps, it would not change the battery and bandwidth use of the purchase process at all.
To the extent that Plaintiffs' most recent complaint also seeks tort damages for invasion of privacy in relation to their contract damages, the court has already dismissed Plaintiffs' intrusion upon seclusion claim with prejudice. See Docket No. 85. This district sets a high bar for the requisite intrusion that is highly offensive to a reasonable person. See In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1054 (N.D. Cal. 2012). Intrusion upon seclusion, just like any other invasion of privacy tort, requires conduct that would be "highly offensive to a reasonable person." Hernandez v. Hillsides, Inc., 48 Cal. Rptr. 3d 780, 786 (2006), rev'd on other grounds, 47 Cal. 4th 272 (2009); see also Hill v. Nat'l Collegiate Athletic Ass'n, 7 Cal. 4th 1, 36-37 (1994) (holding invasion of privacy rights must be "sufficiently serious in their nature, scope, and actual or potential impact to constitute an egregious breach of the social norms underlying the privacy right."). Plaintiffs have pled no such conduct, and in any event, their claims are based on the allegedly improper sharing of basic address information that each of them freely shared with Google in the first place.
IV.
Google's fourth motion to dismiss is GRANTED, without further leave to amend. Plaintiffs have amended their complaint no less than four times, and given that discovery is now closed, any further amendment introducing yet another theory of injury at this late date would be unfairly prejudicial to Google.
See Docket Nos. 45, 67, 85, 101.
See Docket No. 92; Eminence Capital, LLC v. Aspeon, Inc., 316 F.3d 1048, 1052 (9th Cir. 2003) (quoting Foman v. Davis, 371 U.S. 178, 182 (1962)) (listing grounds for dismissing with prejudice). --------
SO ORDERED.
Dated: July 15, 2015
/s/_________
PAUL S. GREWAL
United States Magistrate Judge