Opinion
22-cv-07557-PCP
03-25-2024
IN RE META PIXEL TAX FILING CASES This relates to all actions.
ORDER DENYING IN PART AND GRANTING IN PART MOTION TO DISMISS AND GRANTING REQUESTS FOR JUDICIAL NOTICE
In this consolidated putative class action against Meta Platforms, Inc., plaintiffs bring several state and federal law claims arising from Meta's alleged collection of their personal financial data through tracking tools installed on tax preparation websites including H&R Block, TaxAct, and TaxSlayer. Meta has moved to dismiss these claims and both parties seek judicial notice of certain documents. For the reasons that follow, Meta's motion is granted in part and denied in part, and the requests for judicial notice are granted. Plaintiffs may amend their complaint to attempt to address the shortcomings in the dismissed claims by April 19, 2024.
I. Background
The following facts from the complaint are accepted as true for purposes of this motion.
Meta operates the social network Facebook. It makes money by selling ads. Part of Meta's value proposition is its ability to target users: Meta catalogs users' names, birthdays, genders, locations, contact information, and communications, as well as technical identifiers like IP addresses and device IDs. Meta assembles the information it collects about individual users and draws inferences to uncover attributes like “interests,” “behavior,” and “connections.” Meta then offers advertisers the ability to target ads based on this data.
Meta has developed a tool called the Meta Pixel that third-party web developers can install on their sites. On the back end, the Pixel is a snippet of JavaScript code that loads a library of functions which developers can use to track actions users take on their sites. These user actions are logged and sent to Meta, where developers can use and analyze the data, such as by measuring how effective their ads are or defining custom audiences for ad targeting. Every time the Pixel logs an action on a third-party website, the Pixel sends the data to Meta. Meta then attempts to match the action to one of its own users. If a user is logged into Facebook when visiting a third-party site, web cookies allow Meta to link the data transmitted by the Pixel directly to that specific user's Facebook account. If the Pixel data includes personal information like a name or email, Meta can also use that to perform a match. In addition to the utility offered to third-party developers, the Pixel benefits Meta, which amasses the data collected by the Pixel into detailed “dossiers” that it keeps for registered Facebook users and non-users alike. This data, in turn, is used to target ads based on individuals' interests and activity, including their activity on non-Meta products. Meta offers other tools to developers that work similarly, including the Facebook SDK (which allows advertisers to track user actions on mobile apps) and the Conversion API (which allows developers to track actions taken by users who have opted out of tracking).
Meta has policies that make certain disclosures about its practices, including a Terms of Service, Data Policy, and Cookies Policy. Plaintiffs assert that none of these policies ever specifically indicated that Meta might acquire confidential financial information obtained from users' interactions with third-party tax sites. Meta also has policies that direct developers not to share with Meta data that “includes health, financial or other categories of sensitive information.” Meta claims that it does not use sensitive personal data for ad targeting. Plaintiffs argue that these assertions are false or misleading and inconsistent with Meta's business model.
H&R Block, TaxAct, and TaxSlayer are widely used services for filing taxes online. These services installed the Pixel and other Meta tracking tools on their websites. As a result, the tracking tools transmitted financial information about the tax sites' users to Meta, including names, email addresses, and data about income, filing status, refund amounts, and dependents' college scholarship amounts. In particular, plaintiffs allege that TaxAct sent its users' filing status, adjusted gross income, and refund amount to Meta; that H&R Block transmitted data about health savings accounts and college tuition grants and expenses; and that TaxSlayer transmitted phone numbers and names, including of dependents. Plaintiffs allege that Meta's tracking tools link specific users to the tax-related information sent by TaxAct, H&R Block, and TaxSlayer.
The eight named plaintiffs in this consolidated action are residents of California, Illinois, New York, Washington, and Missouri who used TaxAct, H&R Block, and TaxSlayer to prepare their taxes. Each alleges that their financial information was sent to Meta from the H&R Block, TaxSlayer, or Tax Act website. Plaintiffs seek to represent a nationwide class of everyone in the United States whose tax filing information was obtained by Meta from an online tax preparation provider, as well as corresponding state subclasses limited to residents of California, Illinois, New York, Washington, and Missouri.
Plaintiffs filed the present consolidated complaint against Meta after the Court granted the parties' stipulation to relate and consolidate several pending cases. Plaintiffs assert sixteen claims under a variety of state and federal laws on behalf of the putative nationwide class as well as corresponding state subclasses. Compl., Dkt. No. 71. Meta has now moved to dismiss the consolidated complaint for failure to state a claim under Rule 12(b)(6). Motion, Dkt. No. 107. Meta also requests judicial notice of six documents. Dkt. No. 107-1.
II. Legal Standards
A complaint that does not state a plausible claim upon which relief can be granted can be dismissed under Federal Rule of Civil Procedure 12(b)(6). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). Legal conclusions “can provide the framework of a complaint” but “must be supported by factual allegations.” Id. at 679. The Court must “accept all factual allegations in the complaint as true and construe the pleadings in the light most favorable to the nonmoving party.” Rowe v. Educ. Credit Mgmt. Corp., 559 F.3d 1028, 1029-30 (9th Cir. 2009).
“Generally, district courts may not consider material outside the pleadings when assessing the sufficiency of a complaint.” Khoja v. Orexigen Therapeutics, Inc., 899 F.3d 988, 998 (9th Cir. 2018). There are two exceptions.
First, Federal Rule of Evidence 201 permits judicial notice of “a fact that is not subject to reasonable dispute” because the fact is “generally known” or “can be accurately and readily determined from sources whose accuracy cannot reasonably be questioned.” A court may take notice of “undisputed matters of public record,” but not of “disputed facts stated in public records.” Lee v. City of L.A., 250 F.3d 668, 690 (9th Cir. 2001) (emphasis in original). Thus, “when a court takes judicial notice of another court's opinion, it may do so not for the truth of the facts recited therein, but for the existence of the opinion.” Id. (cleaned up).
Second, the doctrine of incorporation by reference permits a court to treat an extrinsic document as if it were part of the complaint if the pleading “refers extensively to the document” or if “the document forms the basis” of a claim. Khoja, 899 F.3d at 1002. Incorporation can be proper “when assessing the sufficiency of a claim requires that the document at issue be reviewed,” but is not warranted when “the document merely creates a defense to the well-pled allegations.” Id. Incorporation by reference “is designed to prevent artful pleading by plaintiffs” but should not be used as a “tool for defendants to short-circuit the resolution of a well-pleaded claim.” Id. at 1003.
III. Requests for Judicial Notice
Meta requests judicial notice of six documents under Federal Rule of Evidence 201(b) and the doctrine of incorporation by reference.
First, Meta seeks notice of the July 26, 2022 Terms of Service available on its website. Meta argues that this document is judicially noticeable because it is incorporated by reference in the complaint or, alternatively, because it is available on a public website and not subject to reasonable dispute. Although Plaintiffs' complaint refers two times to Meta's “Terms of Service,” Compl. ¶¶ 64, 65, this is not enough for the document to be incorporated by reference into the complaint. The complaint does not refer extensively to Meta's Terms of Service, nor do plaintiffs' claims arise from or depend on that agreement. See Kuhn v. Three Bell Cap., ___ F.Supp.3d ___, 2023 WL 6780524, at *2 (N.D. Cal. 2023). Instead, the portion of the complaint that refers to the Terms of Service appears to anticipate a potential defense.
Nonetheless, the Court takes judicial notice of the July 26, 2022 version of the Terms of Service that Meta has submitted because the document is publicly available from a source whose accuracy cannot reasonably be questioned and its contents can be accurately determined. This notice is limited to the existence and contents of this July 26, 2022 version of Meta's terms of service. The Court cannot conclude from Meta's submission that this was the version in effect during the period relevant to plaintiffs' claims, or that plaintiffs ever assented to the terms therein.
Meta also seeks notice of five other documents: its June 15, 2023 Privacy Policy, also available on its website; its June 16, 2023 Cookies Policy; its April 25, 2023 Business Tools Terms; a Meta Business Help Center article entitled “About restricted Meta Business Tools data”; and a second help article entitled “About sensitive financial information.” As with the first request, the Court will take notice of the existence and contents of these documents but cannot draw other conclusions or inferences.
Plaintiffs request judicial notice of the September 7, 2023 order in Doe v. Meta Platforms, Inc., No. 22-CV-03580-WHO, 2023 WL 5837443 (N.D. Cal.). This request is also granted.
IV. Motion To Dismiss
Meta seeks dismissal of each of plaintiffs' claims. The Court addresses them in turn.
1. Count I: California Invasion of Privacy Act (Cal. Penal Code § 631)
Section 631 of the California Penal Code makes punishable anyone who, “by means of any machine, instrument, or contrivance, or in any other manner,” does any of four things:
(1) “intentionally taps, or makes any unauthorized connection, whether physically, electrically, acoustically, inductively, or otherwise, with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephonic communication system”;
(2) “willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any
message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state”;
(3) “uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained”; or
(4) “aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section.” Section 631 is a criminal statute, but Section 637.2 provides a civil cause of action for damages or an injunction to anyone “injured by a violation of this chapter .. against the person who committed the violation.”
Plaintiffs' complaint does not clearly invoke the fourth prong of Section 631, see Compl. ¶¶ 100-03, and they concede that they are not pursuing a claim under the first prong, Opposition, Dkt. No. 114, at 15-16. Accordingly, any claims under prongs one or four are dismissed with leave to amend.
Meta makes several arguments in support of dismissing the Section 631 claim under prongs two and three. Because none have merit at this stage for the reasons set forth below, Meta's motion to dismiss the remaining portions of the Section 631 claim is denied.
a. Intent
Meta first argues that the Section 631 claim fails because the complaint does not adequately plead intent as required by the statute. Section 631's second prong requires that the unauthorized reading be done “willfully.” The complaint specifically alleges that “Meta willfully . read or attempted to read or learn the contents or meaning of electronic communications of Plaintiff and class members.” Compl. ¶ 102. The complaint acknowledges that Meta has policies in place that prohibit websites that use Meta tracking tools from transmitting confidential or sensitive information, but it contends that these policies are a “sham” because Meta knew that confidential information like tax data was transmitted through its tracking tools and that “Meta usually does not take enforcement action against companies that it knows are sharing potentially sensitive information with it.” Compl. ¶¶ 73-75. Plaintiffs claim that the sensitive financial information transmitted to Meta can serve as a “highly valuable demographic marker[] for advertising purposes,” and was therefore “valuable to Meta.” Compl. ¶ 72.
These allegations are sufficient to plead willfulness for the purposes of Rule 12(b)(6).
Meta argues that it could not have intended to receive the information at issue because its Business Tools Terms forbid developers from sending sensitive information to Meta and require that developers have all necessary rights and permissions to lawfully share whatever information they send. But the only version of Meta's Business Tools Terms before the Court was issued in 2023, after this lawsuit was filed. And even for the period those Terms were in effect, the Court cannot conclude from their mere existence that Meta and developers intended to or did comply with the terms rather than deviating from them to their mutual benefit.
Meta's argument presents a question of fact that the Court cannot resolve at this stage. Whatever agreements may have been in place, those agreements do not establish as a matter of law that Meta did not intend to receive the information plaintiffs claim was transmitted. “What Meta's true intent is, what steps it actually took to prevent receipt of [sensitive] information, the efficacy of its filtering tools, and the technological feasibility of implementing other measures to prevent the transfer of [that] information, all turn on disputed questions of fact that need development on a full evidentiary record.” Doe, 2023 WL 5837443, at *3.
b. Consent
The second and third prongs of Section 631 are only violated by actions taken “without the consent of all parties to the communication.” Here, the relevant parties are the tax preparation sites and their users (the plaintiffs in this case).
Users. Plaintiffs assert that Meta did not have users' consent to collect their confidential tax information because even if Meta's agreements with users disclosed that some data would be collected, the agreements “never specifically indicated that Meta may acquire confidential tax information obtained from Facebook users' interactions on third-party online tax preparation sites.” Compl. ¶¶ 63-67. They further allege that the tax preparation sites did not disclose that such information would be sent to Meta or request plaintiffs' consent to do so. Compl. ¶ 68.
Meta counters that “Facebook's policies (which every user must agree to when they sign up for an account) contain clear, broad, and explicit disclosures about Meta's collection of information about activity on third-party websites,” and that because plaintiffs used Facebook, their “knowing authorization” of Facebook's practices “constitutes ... consent.” Motion at 23-24 (cleaned up). Meta is correct that plaintiffs could have consented to having their data collected if they agreed to terms disclosing the practices. But nothing before the Court permits it to conclude at this stage that plaintiffs in fact agreed to this collection. Indeed, Meta does not contend that its Terms of Service specifically disclosed that it would receive sensitive financial information. To the contrary, Meta asserts that it publicly stated that such information would not be collected.
As with intent, whether plaintiffs consented to having their data collected is a question of fact. Drawing all inferences in plaintiffs' favor, the Court cannot determine at the 12(b)(6) stage that plaintiffs consented to Facebook collecting sensitive financial data simply because the complaint mentions that Meta has certain agreements in place (without conceding assent) and because Meta believes that these agreements adequately disclose the collection practices at issue.
Tax preparation sites. Plaintiffs argue that Meta also has not met its burden of establishing that it obtained tax preparation sites' consent to collect confidential tax information. See Opposition at 17. The complaint alleges that tax preparation sites including H&R Block, TaxAct, and TaxSlayer “had the tracking pixel deployed on their websites.” Compl. ¶ 55. It also states that the Meta pixel is a tool “that website owners can install on their websites.” Compl. ¶ 27. Meta argues that “[b]ecause those websites must have chosen to deploy Meta's tools on their websites, it necessarily follows that one of the parties to the communication-the websites themselves- gave prior consent to . interception.” Reply, Dkt. No. 121, at 15 (cleaned up). But this conclusion draws a pivotal inference in Meta's favor-that by merely installing Meta's tracking tools, website operators understood how and what data would be transmitted to Meta and consented to that transmission. The Court cannot draw this inference against the plaintiffs at this stage. See Doe, 2023 WL 5837443, at *5 (“Meta has not pointed to anything I can judicially notice on this motion to dismiss to show as a matter of law that the healthcare providers did not just presumably but actually consented to the sending of sensitive healthcare information of its customers. Determination of whether actual consent was given depends on what Meta disclosed to healthcare providers, how it described and trained healthcare providers on the Pixel, and how the healthcare providers understood the Pixel worked and the information that then could or would be collected by Meta. These evidence-bound determinations are inappropriate to reach on this motion.”).
Because the facts alleged in the complaint do not establish that Facebook users or tax preparation sites consented to Meta's collection of sensitive financial information, the Court cannot dismiss the Section 631 claims on the basis of the parties' purported consent.
c. Contents
Section 631 covers reading or learning the “contents or meaning” of a communication. Meta argues that plaintiffs have not adequately alleged that Meta intercepted the actual contents of communications because the complaint does not identify any “specific communications” between plaintiffs and the tax sites that were allegedly intercepted. Motion at 22. The complaint alleges:
The financial information that was transmitted to Meta from the tax filing websites included form field information and/or information affirmatively provided by the website user to the website. Website users intended to convey information to the tax filing websites about their contact information, filing status, gross income, dependents, social security numbers, and other tax filing and financial information, and that information was surreptitiously shared with Meta in realtime as the information was provided. ... Each of the Plaintiffs had their tax and financial information unlawfully transmitted from the websites of either H&R Block, TaxSlayer, or TaxAct, depending on which website they used to prepare and file their taxes.Compl. ¶¶ 60, 62. This description of the information at issue satisfies Rule 12. Plaintiffs do not need to plead the specific and presumably highlight sensitive contents of the communications they say were intercepted in order to plausibly allege that interception occurred.
d. Extraterritoriality
Meta argues that the plaintiffs who do not live in California cannot bring a claim under Section 631, a California statue. Motion at 24. Meta separately argues, with some apparent contradiction, that under the choice-of-law provision the non-California plaintiffs allegedly agreed to, they can only bring claims under California law.
Whether out-of-state plaintiffs can pursue claims under California law and whether the out-of-state plaintiffs here are required to pursue claims solely under California law present complicated choice-of-law issues that are seldom properly resolved on a motion to dismiss. See, e.g., Urban v. Tesla, Inc., --- F.Supp.3d -, 2023 WL 6796021, at *3-4 (N.D. Cal. 2023). Particularly given the alleged choice-of-law provision, the record before the Court on Meta's 12(b)(6) motion does not permit the Court to conclude that the non-California plaintiffs cannot pursue claims under California law.
In any case, because Meta does not dispute that the named plaintiffs who are California citizens can bring California claims, the Court need not resolve these choice-of-law issues to permit plaintiffs' Section 631 claim to move forward.
e. Shotgun Pleading
Finally, Meta argues that plaintiffs have failed to identify the specific facts in their complaint that support each part of their Section 631 claim, resulting in an impermissible “shotgun” pleading. Motion at 23. While it is true that the complaint includes a single statement of facts section and plaintiffs do not reallege in full detail the particular facts that support each of their sixteen individual claims, the allegations are not so indecipherable as to violate Rule 8. Meta can, of course, seek elaboration through contention interrogatories or other forms of discovery.
* * *
In sum, plaintiffs' Section 631 claims are dismissed to the extent they allege violations of the first or fourth prong of the statute. Meta's motion to dismiss Count I is otherwise denied.
2. Count II: California Invasion of Privacy Act (Cal. Penal Code § 632)
Section 632 of the California Penal Code makes punishable anyone who “intentionally and without the consent of all parties to a confidential communication, uses an electronic amplifying or recording device to eavesdrop upon or record the confidential communication, whether the communication is carried on among the parties in the presence of one another or by means of a telegraph, telephone, or other device, except a radio.”
Meta argues that this claim should be dismissed for many of the same reasons as the Section 631 claim: because all parties consented to having their sensitive financial information disclosed to Meta, because plaintiffs have not adequately alleged intent, and because this statute does not apply to the non-California plaintiffs. Motion at 24-25. Meta raises no arguments for dismissal specific to the Section 632 claim. Because the Court rejects each of Meta's arguments for the reasons discussed with respect to Count I, Meta's motion to dismiss Count II is also denied.
3. Count III: Illinois Eavesdropping Statute (720 Ill. Comp. Stat. 5/14)
The Illinois eavesdropping statute provides, in relevant part, that “[a] person commits eavesdropping when he or she knowingly and intentionally . [i]ntercepts, records, or transcribes, in a surreptitious manner, any private electronic communication to which he or she is not a party unless he or she does so with the consent of all parties to the private electronic communication.” 720 Ill. Comp. Stat. 5/14-2(a).
Meta first argues that any claims under the laws of states other than California, including this one, are foreclosed by the choice-of-law provisions in Meta's Terms of Service. But Meta has not established what terms were purportedly in effect during the relevant period, let alone that any of the plaintiffs ever agreed to those terms. All that is currently before the Court is the fact that on July 26, 2022, Meta had posted on its website a document entitled “Terms of Service.” The Court has taken judicial notice of the existence and contents of this document, which states that users “agree . that the laws of the State of California will govern these Terms and any claim, cause of action, or dispute without regard to conflict of law provisions.” Dkt. No. 107-3, at 8. But this apparent choice of law provision can only apply to plaintiffs' claims if they assented to the Terms of Service, which is a question of fact not now before the Court. On a Rule 12(b)(6) motion where the Court is limited to plaintiffs' pleadings and must draw all reasonable inferences in their favor, the Court cannot hold plaintiffs to this purported agreement.
Meta cites Palomino v. Facebook, Inc. for the proposition that “California has a strong policy favoring enforcement of choice-of-law provisions.” No. 16-CV-04230-HSG, 2017 WL 76901, at *3 (N.D. Cal. Jan. 9, 2017). Maybe so. But in that case plaintiffs had “concede[d] that they agreed to Facebook's Terms of Service” and the California choice of law clause included therein. Id. Here, absent such a concession, there is no agreement for the Court to enforce at this stage. Accordingly, the Court must apply California's default choice of law rules in evaluating plaintiffs' claims. See Klaxon Co. v. Stentor Elec. Mfg. Co., 313 U.S. 487, 496 (1941). And under those rules, “when there is no advance agreement on applicable law, but the action involves the claims of residents from outside California, the trial court may analyze the governmental interests of the various jurisdictions involved to select the most appropriate law.” Wash. Mut. Bank, FA v. Super. Ct., 24 Cal.4th 906, 915 (2001). Here, plaintiffs have invoked the Illinois eavesdropping statute and Meta makes no arguments (aside from premature contractual ones) for why this Illinois law should not apply. At the motion to dismiss stage, the Court will therefore infer in plaintiffs' favor that the Illinois statute materially differs from California law and that Illinois has a sufficiently strong interest in having its law applied.
Meta also raises the same consent and intent arguments discussed above with respect to Count I. These arguments fail for the same reasons.
Meta raises one argument specific to the Illinois eavesdropping statute, asserting that plaintiffs have not plausibly alleged that Meta intended to intercept communications in a “surreptitious manner.” The complaint alleges that the Meta pixel is “an invisible 1x1 web element-an invisible pixel.” Compl. ¶ 27. This is enough to plausibly state a claim. Meta counters that its policies require websites “to post prominent notice on each page the Pixel is used.” Motion at 25. But the complaint does not allege that the tax preparation sites at issue actually posted such a notice. Whether plaintiffs had notice that Meta's tracking tools were being used on the tax sites presents a factual dispute the Court cannot resolve at this stage.
Meta's motion to dismiss Count III is therefore denied.
4. Count IV: Washington Privacy Act (Wash. Rev. Code § 9.73.030)
The Washington Privacy Act provides that “it shall be unlawful for any individual, partnership, corporation, association, or the state of Washington, its agencies, and political subdivisions to intercept, or record any .. [p]rivate communication transmitted by telephone, telegraph, radio, or other device between two or more individuals between points within or without the state by any device electronic or otherwise designed to record and/or transmit said communication regardless how such device is powered or actuated, without first obtaining the consent of all the participants in the communication.” Wash. Rev. Code § 9.73.030.
Meta's consent, intent, and choice-of-law arguments with respect to this statute fail for the reasons previously discussed. But Meta also argues that the Washington statute is limited to communications “between two or more individuals” and therefore does not apply to communications to an automated system like the tax filing websites. Motion at 25. The parties do not dispute that users of tax sites are “individuals” for purposes of this statute. The question is whether the tax sites on the other end of those users' communications qualify as individuals such that intercepting communications with the sites violates this statute.
In the briefing on this issue, neither party points to a relevant construction of the Washington Privacy Act by the Washington Supreme Court or any Washington Court of Appeals. The text of the statute, however, appears to support Meta's construction. Section 9.73.030 states that it applies to any “individual, partnership, corporation, [or] association,” and prohibits covered entities from intercepting communications between “individuals.” This suggests that “individual,” as used in the statute, has a meaning distinct from a corporation or other business entity.
For the purposes of this motion and on the basis of the briefing before the Court, the Court concludes that Section 9.73.030 does not apply to communications between an individual and a business entity's automated system. Accordingly, the Court will dismiss Count IV. The dismissal is with leave to amend to identify any individuals who received communications made through the automated systems at issue. Alternatively, the plaintiffs may reassert the claim as stated in the consolidated complaint with the understanding that the parties will brief the proper statutory construction of Section 9.73.030 in more depth in any motion to dismiss the amended complaint.
Although the law of the case doctrine generally precludes reconsideration of “an issue previously decided by the same court, or a higher court in the identical case[,] ... [application of the doctrine is discretionary.” United States v. Lummi Indian Tribe, 235 F.3d 443, 452 (9th Cir. 2000).
5. Count V: Missouri Wiretap Act (Mo. Ann. Stat. § 542.418, et seq. )
Meta argues that the Missouri Wiretap Act claim should be dismissed for the same reasons rejected above with respect to Count I. The only difference between the Missouri statute and the California provision at issue in Count I is that the Missouri Wiretap Act requires consent of only one party. Because Meta cannot at this stage establish that any party consented, Meta's motion to dismiss Count V is also denied.
6. Count VI: Wiretap Act (18 U.S.C. § 2510, et seq. )
Meta's arguments for dismissing the federal Wiretap Act claims are the same as its arguments for dismissing the Missouri Wiretap Act claim. Its motion to dismiss Count VI is therefore also denied.
7. Count VII: Unjust Enrichment
Plaintiffs' seventh claim is for unjust enrichment under California law. As the California Supreme Court has explained:
Meta argues that unjust enrichment is not an independent claim. Motion at 35. Its position is supported by a 2015 Ninth Circuit decision that relied on several California cases to conclude that “in California, there is not a standalone cause of action for ‘unjust enrichment,' which is synonymous with ‘restitution.'” See Astiana v. Hain Celestial Grp., Inc., 783 F.3d 753, 762 (9th Cir. 2015). As plaintiffs point out, however, the California Supreme Court subsequently allowed an independent claim for unjust enrichment to proceed. See Hartford Cas. Ins. Co. v. J.R. Mktg., L.L.C., 61 Cal.4th 988 (2015). And the Ninth Circuit has since then relied on Hartford (albeit nonprecedentially) to allow a standalone claim of unjust enrichment to move forward. See Bruton v. Gerber Products Co., 703 Fed. App'x. 468, 470 (9th Cir. 2017).
An individual who has been unjustly enriched at the expense of another may be required to make restitution. Where the doctrine applies, the law implies a restitutionary obligation, even if no contract between the parties itself expresses or implies such a duty. Though this restitutionary obligation is often described as quasi-contractual, a privity of relationship between the parties is not necessarily required.
Restitution is not mandated merely because one person has realized a gain at another's expense. Rather, the obligation arises when the enrichment obtained lacks any adequate legal basis and thus cannot conscientiously be retained.Hartford Cas. Ins. Co. v. J.R. Mktg., L.L.C., 61 Cal.4th 988, 998 (2015) (cleaned up) (applying Restatement (Third) of Restitution and Unjust Enrichment).
Plaintiffs claim that Meta has “wrongfully and unlawfully received, used, and/or sold Plaintiffs' . confidential tax and financial information without their consent,” and has “benefited financially by doing so.” Compl. ¶ 148. Plaintiffs assert that they lack an adequate legal remedy and are entitled to disgorgement of profits that Meta obtained via this conduct. Compl. ¶ 152.
Meta first argues that plaintiffs fail to establish that they lack an adequate remedy at law. Plaintiffs counter that under the Third Restatement's approach, “[a] claimant otherwise entitled to a remedy for unjust enrichment, including a remedy originating in equity, need not demonstrate the inadequacy of available remedies at law.” Restatement (Third) of Restitution and Unjust Enrichment § 4 (2011). The Court need not resolve this dispute, however, because plaintiffs do allege that legal remedies are inadequate, and no more is required at this stage. Cf., e.g., Weizman v. Talkspace, Inc., ___ F.Supp.3d ___, 2023 WL 8461173, at *4 & n.3 (N.D. Cal. 2023).
Meta next argues that its contracts with its users squarely address its data collection practices, precluding the relief plaintiffs seek. Under California law, “[a]n action based on an implied-in-fact or quasi-contract cannot lie where there exists between the parties a valid express contract covering the same subject matter.” Rutherford Holdings, LLC v. Plaza Del Rey, 223 Cal.App.4th 221, 231 (2014). But Meta's argument is again premature. Meta has not established that the parties had a contract. Cf. Vizcarra v. Michaels Stores, Inc., ___F.Supp.3d ___, 2024 WL 64747, at *9 (N.D. Cal. 2024) (dismissing unjust enrichment/quasi-contract claim where plaintiff had specifically pleaded the existence of an enforceable contract but had not pleaded, in the alternative, that the contract was invalid or unenforceable).
Meta finally argues that pleading a restitution claim based on a fraud or consumer protection claims requires alleging an actionable misrepresentation or omission, and that plaintiffs have failed to do so. Motion at 36 (citing In re Apple Processor Litig., No. 18-CV-00147-EJD, 2022 WL 2064975, at *12 (N.D. Cal. June 8, 2022)). Here, though, plaintiffs' unjust enrichment claims are not necessarily based on fraud or consumer protection claims. Plaintiffs assert that Meta's acquisition of their data was itself wrong and unlawful. Plaintiffs also plead several other state and federal law claims based on the same conduct-claims which are sufficiently pleaded. Meta cites no clear authority establishing the additional requirement they propose for plaintiffs' unjust enrichment claim.
Because plaintiffs have adequately pleaded a claim for unjust enrichment, Meta's motion to dismiss Count VII is denied.
8. Count VIII: California Invasion of Privacy Act (Cal. Penal Code § 635)
Section 635 of the California Penal Code makes punishable anyone who “manufactures, assembles, sells, offers for sale, advertises for sale, possesses, transports, imports, or furnishes to another any device which is primarily or exclusively designed or intended for eavesdropping upon the communication of another.” Plaintiffs assert that the Meta Pixel is a “device” that is “primarily or exclusively designed” for eavesdropping, and that Meta has therefore violated Section 635. They bring a civil claim for violation of this criminal provision pursuant to Section 637.2.
The parties do not dispute that the Pixel is a “device” under this statute even though it is software rather than hardware. Meta contends, however, that Section 637.2 does not allow claims under Section 635, and that the Pixel is not “primarily or exclusively” designed for eavesdropping.
Section 637.2 provides a right of action to “[a]ny person who has been injured by a violation of this chapter .. against the person who committed the violation.” Meta argues that plaintiffs were not injured by Meta's creation of the Pixel, but rather by tax websites' use of the Pixel, and that plaintiffs therefore cannot rely upon Section 637.2 to bring a claim against Meta under Section 635. Motion at 27. It is difficult to see how anyone could ever be injured by the mere manufacture of a prohibited eavesdropping device that was never used. By including Section 635 within the provisions enforceable under Section 637.2, however, the California Legislature clearly intended to permit private enforcement, while Meta's position would render that right of action almost entirely toothless. The better interpretation is that injuries caused by use of an eavesdropping device are traceable to the manufacture, sale, and provision of that device, and that an injured party therefore has a private right of action against the creator of the device.
Meta also argues that the Pixel is not “primarily or exclusively designed or intended for eavesdropping.” But Plaintiffs allege that the Pixel is “primarily or exclusively designed” for eavesdropping. Compl. ¶ 157. They also allege that the Pixel is “invisible” and that it transmits internet users' communications in real time directly to Meta. Compl. ¶¶ 27-29. Drawing all reasonable inferences in plaintiffs' favor, as required, these nonconclusory allegations are sufficient to plead that the Pixel is primarily designed for eavesdropping. Meta may have a strong argument at summary judgment or at trial, but at the 12(b)(6) stage the question is not whether the Court can imagine any purpose for the Pixel other than eavesdropping but instead whether plaintiffs' allegations are sufficient to plausibly state a claim.
Because plaintiffs have alleged facts that, taken as true, state a Section 635 violation, Meta's motion to dismiss Count VIII is denied.
9. Count IX: Wiretap Act (18 U.S.C. § 2512)
18 U.S.C. § 2512(1)(b) is similar to Section 635. It makes punishable any person who “intentionally . manufactures, assembles, possesses, or sells any electronic, mechanical, or other device, knowing or having reason to know that the design of such device renders it primarily useful for the purpose of the surreptitious interception of wire, oral, or electronic communications, and that such device or any component thereof has been or will be sent through the mail or transported in interstate or foreign commerce.” 18 U.S.C. § 2512(1)(b). Section 2520, in turn, provides that “any person whose wire, oral, or electronic communication is intercepted, disclosed, or intentionally used in violation of this chapter may in a civil action recover from the person or entity, other than the United States, which engaged in that violation.”
Meta again argues that the Pixel's design does not render it primarily useful for surreptitiously intercepting communications. But plaintiffs allege that it does. Compl. ¶ 163. The Court must accept these allegations, and cannot at this stage resolve the parties' factual dispute over whether the Pixel's design renders it primarily useful for electronic eavesdropping.
Meta next points out that Section 2512(1)(b) requires intent and knowledge that the design of the device render it primarily useful for surreptitiously intercepting communications. Meta argues that it cannot have intended the Pixel to be surreptitious because it disclosed to users that third parties send data through Pixel, and because it purportedly required third parties to make similar disclosures to users in their own policies. Motion at 27. But this is again a question of fact that would require evidence of the specific disclosures Meta made throughout the class period- evidence not now before the Court. Further, although disclosures about how the Pixel collects data might support a conclusion that collection was not surreptitious, the fact that additional disclosures not inherent to the device's design are necessary to warn tracked individuals about how it works might also indicate that the Pixel's design does render it useful for surreptitious collection.
Meta finally argues that Section 2520's private right of action does not extend to Section 2512(1)(b). Section 2520's language is narrower than that of the California statute. While the California statute provides a right of action to anyone “injured by a violation of this chapter .. against the person who committed the violation,” Cal. Penal Code § 637.2, the federal provision provides a right of action only to “any person whose . communication is intercepted, disclosed, or intentionally used in violation of this chapter” against “the person or entity . which engaged in that violation,” 18 U.S.C. § 2520. In other words, while the California cause of action is provided to anyone injured as a result of any violation of the chapter, the federal cause of action is limited to only those violations that involve interception, disclosure, or intentional use of a communication.
The Ninth Circuit has not considered whether Section 2520 provides a right of action for Section 2512(1) violations. See Yoon v. Lululemon USA, Inc., 549 F.Supp.3d 1073, 1084 (C.D. Cal. 2021). But “the three circuit courts that have considered the question have all concluded that ‘§ 2520 provides a cause of action against only those defendants whose violation . consists of an intercept, disclosure, or intentional use of a communication.'” Id. (citing Luis v. Zang, 833 F.3d 619, 636 (6th Cir. 2016); DirecTV, Inc. v. Treworgy, 373 F.3d 1124, 1127 (11th Cir. 2004); DIRECTV, Inc. v. Robson, 420 F.3d 532, 539 & n.31 (5th Cir. 2005)). In Luis v. Zang, though, the Sixth Circuit emphasized that its “narrow” holding did not apply to a defendant who “allegedly violates § 2512(1)(b) by manufacturing, marketing, and selling a violative device” and who also “plays an active role in the use of the relevant device to intercept, disclose, or intentionally use a plaintiff's electronic communications.” 833 F.3d at 637.
The Court agrees with the Sixth Circuit that Section 2520 at the very least provides a private cause of action to enforce Section 2512(1)(b) against a defendant who also played an active role in the unlawful interception, disclosure, or use of the plaintiff's communication. This construction gives meaning to both Section 2520's language permitting a private cause of action against a defendant who “engaged in” a violation of Section 2512(1)(b), and Section 2520's language limiting the class of plaintiffs to those whose communications have been intercepted, disclosed, or intentionally used. It also ensures a close causal connection between these two aspects of the private cause of action by requiring that the defendant have been an active participant in both the manufacture or the device and its use to intercept private communications.
Because plaintiffs' claim fails within this narrower construction, the Court need not determine whether Section 2520 also permits a broader set of plaintiffs to pursue claims for violations of Section 2512(1)(b).
The plaintiff in Luis alleged that the defendant “manufactured, marketed, sold, and actively operated the violative device, all while knowing that its device was to be used primarily for the surreptitious interception of electronic communications.” 833 F.3d at 639 (emphasis in original). Plaintiffs' allegations here are similar. Meta did not just develop the Pixel and post its source code online for other parties to use but instead, according to plaintiffs' allegations, continued to play an active role in hosting and operating the Pixel and in receiving and using the data it collected.
Under the Court's construction of Sections 2512(1)(b) and 2520, plaintiffs have therefore stated a valid claim and Meta's motion to dismiss Count IX is denied.
10. Count X: Illinois Consumer Fraud and Deceptive Business Practices Act (815 Ill. Comp. Stat. 505)
The Illinois Consumer Fraud and Deceptive Business Practices Act (ICFA) prohibits “[u]nfair methods of competition and unfair or deceptive acts or practices, including .. the use or employment of any deception, fraud, false pretense, false promise, misrepresentation or the concealment, suppression or omission of any material fact, with intent that others rely upon the concealment, suppression or omission of such material fact, or the use or employment of any practice described in Section 2 of the ‘Uniform Deceptive Trade Practices Act' . in the conduct of any trade or commerce . whether any person has in fact been misled, deceived or damaged thereby.” 815 Ill. Comp. Stat. 505/2. The Illinois Supreme Court has held that a Section 505/2 claim requires: “(1) a deceptive act or practice by the defendant, (2) the defendant's intent that the plaintiff rely on the deception, (3) the occurrence of the deception in the course of conduct involving trade or commerce, and (4) actual damage to the plaintiff (5) proximately caused by the deception.” McIntosh v. Walgreens Boots All., Inc., 2019 IL 123626, ¶ 21.
The Illinois plaintiffs allege in Count X that Meta failed to disclose that the Pixel was being improperly used on tax preparation websites and that it had no reasonable security measures to prevent those sites from sharing confidential tax filing information. They also allege that Meta knowingly deceived them by representing that it did not collect sensitive financial information when it in fact did. The parties agree that Rule 9(b)'s heightened pleading standard applies to Count X.
Claims based on omission are permitted under the ICFA. But under this statute “an ‘omission' is an omission from a communication, rather than a general failure to disclose.” Darne v. Ford Motor Co., No. 13 CV 03594, 2017 WL 3836586, at *10 (N.D. Ill. Sept. 1, 2017) (emphasis added). As the Illinois Supreme Court has explained:
[T]o maintain an action under the Act, the plaintiff must actually be deceived by a statement or omission that is made by the defendant. If a consumer has neither seen nor heard any such statement, then she cannot have relied on the statement and, consequently, cannot prove proximate cause. ... A consumer cannot maintain an action under the Illinois Consumer Fraud Act when the plaintiff does not receive, directly or indirectly, communication or advertising from the defendant.De Bouse v. Bayer, 235 Ill.2d 544, 554-55 (2009).
Meta argues that plaintiffs fail to state a claim because they do not allege that they actually saw and were deceived by any of Meta's statements. Plaintiffs do not contest this. To be certain, the complaint does allege specific communications from Meta. See Opposition at 30; Compl. ¶ 69. But the complaint does not allege that plaintiffs actually reviewed any of these communications.
Plaintiffs also dispute whether the ICFA requires actual reliance. They cite Ash v. PSP Distribution, LLC, in which an Illinois appellate court stated that the ICFA “does not require actual reliance.” 2023 IL App (1st) 220151, ¶ 23. But this phrasing is misleading. The Illinois Supreme Court has explained that “reliance is not an element of statutory consumer fraud, but a valid claim must show that the consumer fraud proximately caused plaintiff's injury.” Connick v. Suzuki Motor Co., 174 Ill.2d 482, 501 (1996) (cleaned up). In other words, while plaintiffs may be correct that reliance is not itself an element of a statutory consumer fraud claim (as opposed to common law fraud where it is an element, see Siegel v. Levy Org. Dev. Co., 153 Ill.2d 534, 54243 (Ill. 1992)), reliance instead folds into the causation analysis. See also Ahern v. Apple Inc., 411 F.Supp.3d 541, 572 (N.D. Cal. 2019) (“Illinois law does in fact require reliance when defendants allegedly commit partial omissions through an affirmative representation.”).
Plaintiffs separately argue that Meta's alleged omission would be material, meaning that “a reasonable consumer would have acted differently had the consumer known the omitted fact.” See Ash v. PSP Distribution, LLC, 2023 IL App (1st) 220151, ¶ 23. But under Illinois law, materiality is distinct from causation: Plaintiffs must establish first that they received a communication from which a fact was omitted, and second that the fact was material.
Cf. Hoffman v. 162 N. Wolfe LLC, 228 Cal.App.4th 1178, 1193-94 (2014) (“Reliance can be proved in a fraudulent omission case by establishing that had the omitted information been disclosed, the plaintiff would have been aware of it and behaved differently.” (cleaned up))
The ICFA also requires actual damages. 815 Ill. Comp. Stat. 505/10a. “Only a person who suffers actual damages as a result of a violation of the Consumer Fraud Act may bring a private action.” Morris v. Harvey Cycle & Camper, Inc., 392 Ill.App.3d 399, 402 (2009). “The Consumer Fraud Act provides remedies for purely economic injuries. Actual damages must be calculable and measured by the plaintiffs loss.” Id. (cleaned up).
Plaintiffs' theory of actual damages is simple: They provided valuable data to Meta without being paid its fair value in return. Opposition at 27. Meta points to several nonprecedential decisions that have in varying contexts concluded that certain privacy harms are not economic. See Motion at 31-32. Many of these situations are clearly distinguishable. In a data breach, for example, the harm is that permissibly obtained user data was lost, not that it was taken without permission in the first place. See, e.g., Pruchnicki v. Envision Healthcare Corp., 845 Fed. App'x. 613, 614 (9th Cir. 2021). So to with allegations that data collectors have improperly used data to which they rightly had access. See, e.g., Hart v. TWC Prod. & Tech. LLC, 526 F.Supp.3d 592 (N.D. Cal. 2021); Campbell v. Facebook Inc., 77 F.Supp.3d 836 (N.D. Cal. 2014). Meta fails to grapple with the substance of plaintiffs' theory in this case that they provided something of value to Meta and received nothing in return. This can constitute an economic injury. “[A] party who has provided goods or services in a transaction and has not been paid the fair value of those goods or services has suffered an economic injury ... The same logic would apply to parties ... who have provided valuable data . and have received no money in return.” Brown v. Google LLC, No. 20 CV-03664-LHK, 2021 WL 6064009, at *17 (N.D. Cal. Dec. 22, 2021). Calculating that economic damage is a factual question not before the Court at this time.
Nonetheless, because plaintiffs have not adequately pleaded causation, Count X is dismissed with leave to amend.
11. Count XI: Illinois Uniform Deceptive Trade Practices Act (815 Ill. Comp. Stat. 510/2, et seq. )
The Illinois Uniform Deceptive Trade Practices Act (DTPA) identifies several kinds of practices as deceptive. Plaintiffs assert that Meta's representation that it does not collect sensitive financial information from its users when it in fact does and its failure to disclose that the Pixel is being used improperly on tax preparation sites violate several provisions of this statute because these practices are “a mechanism for:
(a) Representing that goods or services have characteristics that they do not have;
(b) Representing that goods or services are of a particular standard, quality, or grade if they are of another;
(c) advertising goods or services with intent not to sell them as advertised; and
(d) Engaging in other conduct that creates a likelihood of confusion or misunderstanding.”Compl. ¶ 188 (citations omitted).
Meta argues that this claim fails because the statute only provides for injunctive relief. See 815 Ill. Comp. Stat. 510/3 (“A person likely to be damaged by a deceptive trade practice of another may be granted injunctive relief.”). As the Appellate Court of Illinois has explained:
Notwithstanding the DTPA's primary focus on acts between competitors, a consumer action is possible under the DTPA. In order to maintain such an act, the consumer must allege facts which would indicate that he is likely to be damaged in the future. The problem in most consumer actions under the DTPA is the inability to allege facts indicating the likelihood of damage in the future.Popp v. Cash Station, Inc., 244 Ill.App.3d 87, 98-99 (1992) (cleaned up).
Here, plaintiffs' DTPA claim suffers from the same shortcoming as the one in Popp. The claim centers on Meta's alleged misrepresentations and failures to disclose. See Compl. ¶ 187. While it is certainly plausible that plaintiffs could continue to be harmed by Meta's receipt of sensitive financial information if the alleged conduct continues, plaintiffs' DTPA claim is based on deception about that conduct not the conduct itself. Because Plaintiffs are now aware of Meta's alleged receipt of financial data, it is difficult to see how they will continue to be harmed in the future by any misrepresentations about or failures to disclose those practices.
Plaintiffs point to paragraph 226, which states (as part of the California Consumers Legal Remedies Act claim) that “Plaintiffs and Class Members have been harmed, and that harm will continue unless Meta is enjoined from continuing its conduct as described herein.” But this does not sufficiently allege “more than [a] speculative claim” that plaintiffs are likely to be harmed in the future by misrepresentations about Meta's data collection practices. See Camasta v. Jos. A. Bank Clothiers, Inc., 761 F.3d 732, 741 (7th Cir. 2014) (DTPA claim) (“Camasta's claim is based solely on the conjecture that because JAB harmed him in the past, they are likely to harm him in the future.. Since Camasta is now aware of JAB's sales practices, he is not likely to be harmed by the practices in the future.”).
Of course, plaintiffs' awareness of Meta's alleged receipt of financial data does not mean they cannot possibly allege future harm. “[T]he Camasta court merely repeated the well-accepted rule that the standing inquiry for the purpose of injunctive relief is probabilistic, i.e., is there ‘likelihood' that some harm will be suffered by the plaintiff in the future? Interpreting .. Camasta ... to instead announce a broad rule that strips a prospective plaintiff of standing to seek an injunction solely because they are aware of a past wrong overreads that court's language and leads to anomalous results.” Le v. Kohls Dep't Stores, Inc., 160 F.Supp.3d 1096, 1111 (E.D. Wis. 2016); see also, e.g., Davidson v. Kimberly-Clark Corp., 889 F.3d 956, 969 (9th Cir. 2018) (describing circumstances in which “a previously deceived consumer may have standing to seek an injunction against false advertising or labeling, even though the consumer now knows or suspects that the advertising was false at the time of the original purchase”).
Because plaintiffs have not sufficiently alleged any entitlement to injunctive relief under the DTPA, Count XI is dismissed with leave to amend.
Because the Court dismisses Count XI for failure to plead an entitlement to injunctive relief, the Court need not address Meta's other challenges to the sufficiency of that Count.
12. Count XII: New York Deceptive Practices Act (N.Y. Gen. Bus. Law § 349)
Section 349 of the New York General Business Law (GBL) provides: “Deceptive acts or practices in the conduct of any business, trade or commerce or in the furnishing of any service in this state are hereby declared unlawful.” “A plaintiff bringing a claim under the GBL must allege (1) that the defendant's deceptive acts were directed at consumers, (2) the acts are misleading in a material way, and (3) the plaintiff has been injured as a result. An act is materially misleading if it is likely to mislead a reasonable consumer acting reasonably under the circumstances.” Martin v. Meredith Corp., 657 F.Supp.3d 277, 287 (S.D.N.Y. 2023). “[T]o qualify as a prohibited act under the statute, the deception of a consumer must occur in New York.” Goshen v. Mut. Life Ins. Co. of N.Y., 98 N.Y.2d 314, 325 (2002).
Meta first argues that plaintiffs have failed to allege that any deception occurred in New York. But the New York plaintiffs each assert that they were New York residents domiciled in the state, and that they used the tax preparation websites to file their taxes. Although the complaint does not specifically plead that these plaintiffs prepared their taxes in New York, the Court will draw the obvious and reasonable inference that they did.
Section 349 is similar to the Illinois Consumer Fraud and Deceptive Business Practices Act. In particular, the New York statute does not require actual reliance but does require causation. As the New York Court of Appeals has explained:
[R]eliance is not an element of a section 349 claim. The plaintiff, however, must show that the defendant's material deceptive act caused the injury.... Reliance and causation are twin concepts, but they are not identical.Stutman v. Chem. Bank, 95 N.Y.2d 24, 29 (2000). Thus while plaintiffs need not establish reliance on Meta's allegedly deceptive statements or misrepresentations, they must show causation.
Plaintiffs point to Meta's Business Tool Terms, which direct web developers not to share date that they “know [or] reasonably should know . includes health, financial, or other categories of sensitive information,” as the source of the alleged deception. Compl. ¶ 69(A); see also id. ¶ 75; Opposition at 31. But as with their Illinois Consumer Fraud and Deceptive Business Practices Act claim, plaintiffs do not assert that any of them ever actually saw or read Meta's statements. Plaintiffs also allege that Meta “surreptitiously obtaining and disclosing [users'] tax filing and other financial information” was itself a deceptive act or practice that violated Section 349. Compl. ¶ 197. But Meta's alleged data collection practices, on their own, are not inherently misleading-a requirement needed to state a Section 349 claim-even if they might be impermissible for other reasons. Instead, what might make “surreptitious” practices like those alleged here misleading is whether Meta misrepresented or failed to disclose them. Misrepresentation requires that there actually be a representation, and causation, in turn, requires that plaintiffs have been aware of that representation. Thus “to plead a § 349 .. claim successfully, Plaintiffs must allege that they saw the misleading statements of which they complain.” Lugones v. Pete & Gerry's Organic, LLC, 440 F.Supp.3d 226, 240 (S.D.N.Y. 2020).
Here, as with the Illinois claims, plaintiffs focus on Meta's alleged failure to make sufficient disclosures. Meta does not argue or point to authority holding that under New York law, an omission must be one from a particular communication rather than a general failure to disclose (as Illinois requires). At a minimum, though, plaintiffs must plausibly allege that they would have seen the disclosures they fault Meta for omitting to establish causation. Because plaintiffs do not allege that they actually read the various agreements where Meta makes other relevant disclosures about its data collection practices, plaintiffs must offer some other theory for how they would have seen Meta's disclosure if Meta had made one. Cf. Hoffman v. 162 N. Wolfe LLC, 228 Cal.App.4th 1178, 1193-94 (2014) (“Reliance can be proved in a fraudulent omission case by establishing that had the omitted information been disclosed, the plaintiff would have been aware of it and behaved differently.” (cleaned up)). Without such allegations, plaintiffs have not adequately pleaded causation as required to state a Section 349 claim.
Count XII is therefore dismissed with leave to amend.
13. Count XIII: Negligence/Negligence Per Se
“To state a claim for negligence in California, a plaintiff must establish the following elements: (1) the defendant had a duty, or an obligation to conform to a certain standard of conduct for the protection of others against unreasonable risks, (2) the defendant breached that duty, (3) that breach proximately caused the plaintiff's injuries, and (4) damages.” Dent v. Nat'l Football League, 902 F.3d 1109, 1117 (9th Cir. 2018). “[U]nder California law, negligence per se is a doctrine, not an independent cause of action.” Id.
a. Duty and Breach
Plaintiffs assert that in creating the Pixel and offering it to third-party website, Meta owed them a duty to exercise reasonable care to protect their confidential financial information from unauthorized disclosure to Meta, Compl. ¶ 205, and that Meta also had statutory obligations establishing a duty under the negligence per se doctrine, id. ¶ 211. Plaintiffs argue that Meta breached its duty by allowing unauthorized disclosures of plaintiffs' financial information and failing to comply with its own stated standards. Compl. ¶¶ 206-10. Plaintiffs claim that Meta knew the nature of the data that was being transmitted from its tracking tools yet took no action, and that it knew (or should have known) that it was receiving confidential tax information and that its safeguards were not working. Id.
There is a “statutory presumption of duty” in California. Modisette v. Apple Inc., 30 Cal.App. 5th 136, 144 (2018). “The general rule in California is that everyone is responsible for an injury occasioned to another by his or her want of ordinary care or skill in the management of his or her property or person. In other words, each person has a duty to use ordinary care and is liable for injuries caused by his failure to exercise reasonable care in the circumstances.” Cabral v. Ralphs Grocery Co., 51 Cal.4th 764, 771 (2011) (cleaned up). The rule is codified in Section 1714 of the Civil Code, which provides: “Everyone is responsible, not only for the result of his or her willful acts, but also for an injury occasioned to another by his or her want of ordinary care or skill in the management of his or her property or person.”
“The court may depart from the general rule of duty if other policy considerations clearly require an exception.” Regents of Univ. of Cal. v. Super. Ct., 4 Cal. 5th 607, 628 (2018). Factors that can “justify excusing or limiting a defendant's duty of care” include “the foreseeability of harm to the plaintiff, the degree of certainty that the plaintiff suffered injury, the closeness of the connection between the defendant's conduct and the injury suffered, the moral blame attached to the defendant's conduct, the policy of preventing future harm, the extent of the burden to the defendant and consequences to the community of imposing a duty to exercise care with resulting liability for breach, and the availability, cost, and prevalence of insurance for the risk involved.” Id. (quoting Rowland v. Christian, 69 Cal. 2d 108, 113 (Cal. 1968)). “The Rowland factors fall into two categories. The first group involves foreseeability and the related concepts of certainty and the connection between plaintiff and defendant. The second embraces the public policy concerns of moral blame, preventing future harm, burden, and insurance availability. The policy analysis evaluates whether certain kinds of plaintiffs or injuries should be excluded from relief.” Id. at 629. “These factors must be evaluated at a relatively broad level of factual generality,” and a Court must “determine not whether they support an exception to the general duty of reasonable care on the facts of the particular case .. but whether carving out an entire category of cases from that general duty rule is justified by clear considerations of policy.” Id. at 628-29 (cleaned up).
Accordingly, to determine whether Meta is entitled to an exception to the general duty of care with respect to plaintiffs' negligence claims, the Court must abstract beyond the facts alleged in this case and consider whether there are clear policy justifications to carve out services that provide tracking and analytics tools to third party websites that could improperly disclose their users' sensitive personal information (and themselves directly benefit from providing those tools).
The foreseeability factors do not support creating any exception to the general rule of duty. That Meta not only instructs website developers not to share sensitive data, Compl. ¶ 69, but also has systems in place to monitor and filter out potentially sensitive information, Motion at 14, suggests that it is foreseeable to creators of tracking tools configurable by third-party developers that those developers will use the tools to transmit sensitive information. There is also a sufficiently close connection between the type of conduct at issue here and the injuries that could result: Meta is alleged to have set up a tool by which websites could send users' sensitive personal data to Meta, to Meta's benefit and to the detriment of those users (with injuries including loss of privacy, the time and resources required to respond, diminution in value, and loss of the benefit of the bargain).
“The second Rowland factor, the degree of certainty that the plaintiff suffered injury, has been noted primarily, if not exclusively, when the only claimed injury is an intangible harm such as emotional distress.” Kesner v. Super. Ct., 1 Cal. 5th 1132, 1148 (2016). Here, the connection between the alleged injuries (primarily intangible privacy harms) and the alleged conduct (offering a tool for sharing all sorts of identifiable data) is close and straightforward. Moreover, that such injuries could occur when website developers foreseeably use tools made available by platforms like Meta to share their users' data is fairly certain.
The closeness factor “is strongly related to the question of foreseeability itself.” Cabral, 51 Cal.4th at 779. This factor is also closely related to proximate cause, a separate element of a negligence claim. See Modisette, 30 Cal.App. 5th at 154 n. 15. The difference is that closeness, as part of the duty analysis, must be analyzed at a higher level of generality than the facts of a particular case, while causation is case-specific. Here, at least at a general level, there is a “logical cause and effect relationship between [the alleged] negligence and the harm suffered.” See Cabral, 51 Cal.4th at 780.
In sum, none of the foreseeability factors support finding an exception from the general presumption of duty for the category of cases at issue here.
The public policy factors also do not support exempting creators of tracking tools from the generally applicable duty principles. Start with moral blame. “Courts have relied on moral blame to find a duty in instances where the plaintiffs are particularly powerless or unsophisticated compared to the defendants or where the defendants exercised greater control over the risks at issue.” Modisette, 30 Cal.App. 5th at 145. Here Meta clearly has greater control and sophistication than the users of websites that deploy the Pixel. Indeed, while particularly savvy users might attempt to opt-out of tracking, plaintiffs allege that Meta specifically developed tools that would “ignore[] users' decision to opt out of tracking, collecting the same data it would otherwise.” Compl. ¶ 52.
Policy considerations of preventing future harm also support maintaining a duty. “From a policy standpoint, to hold that Facebook has no duty of care here would create perverse incentives for businesses who profit off the use of consumers' personal data to turn a blind eye and ignore .. risks.” Bass v. Facebook, Inc., 394 F.Supp.3d 1024, 1039 (N.D. Cal. 2019) (cleaned up).
Finally, Meta has not shown that any outsize burden justifies an exception from the general duty of care in situations like this.
The insurance factor is not relevant here. See Modisette, 30 Cal.App. 5th at 145 (“Neither party discusses the prevalence of insurance in this context nor is insurance referenced in the first amended complaint. For this reason, we do not incorporate this consideration in our analysis.”).
Having establish that creators of tracking tools like Meta's owe a duty of care to users like plaintiffs, the next question is the standard of care. See Rosales v. City of L.A., 82 Cal.App.4th 419, 430 (2000). This is a question of law:
The formulation of the standard of care is a question of law for the court. Once the court has formulated the standard, its application to the facts of the case is a task for the trier of fact if reasonable minds might differ as to whether the defendant's conduct has conformed to the standard. In most cases, courts have fixed no standard of care for tort liability more precise than that of a reasonably prudent person under like circumstances. But the proper conduct of a reasonable person under particular situations may become settled by judicial decision or be prescribed by statute or ordinance.Ramirez v. Plough, Inc., 6 Cal.4th 539, 546-47 (1993).
Under the doctrine of negligence per se, the standard of care can be created by statute. See Rosales, 82 Cal.App.4th at 430. Plaintiffs point to two federal statutes as the source of the relevant standard of care and argue that Meta's actions in violation of these provisions constitute per se negligence.
The first provision is Section 7213A(a)(2) of the Internal Revenue Code, which provides:
“It shall be unlawful for any person .. willfully to inspect .. any return or return information acquired by such person or another person under a provision of section 6103 referred to in section 7213(a)(2) or under section 6104(c).” Plaintiffs, however, fail to identify how any of the referenced statutory provisions apply to either the tax preparation sites or Meta.
Second, plaintiffs cite Section 7216 of the Internal Revenue Code, which governs persons “engaged in the business of preparing, or providing services in connection with the preparation of,
returns of the tax imposed by chapter 1, or any person who for compensation prepares any such return for any other person.” This may establish a standard of care for tax preparation sites, but on its face it does not appear to apply to services like Meta.
The “subsections of Section 6103 referred to in Section 7213(a)(2)” are subsections “(d), (i)(1)(C), (3)(B)(i), or (7)(A)(ii), (k)(10), (13), (14), or (15), (1)(6), (7), (8), (9), (10), (12), (15), (16), (19), (20), or (21) or (m)(2), (4), (5), (6), [and] (7)”. 26 U.S.C. § 7213(a)(2). Section 6103(d) governs disclosure of returns to state officials and agencies; subsection (i) governs disclosure to federal employees; the relevant portions of subsection (k) govern disclosures to prison officials, to whistleblowers, for cybersecurity and anti-fraud purposes, and to the Social Security Administration; the relevant portions of subsection (1) govern disclosures to certain other government agencies and government contractors; and the relevant portions of subsection (m) govern disclosures to other federal agencies. Section 6104(c) governs disclosures related to certain tax-exempt organizations.
Accordingly, there appears to be no basis to find that any of these statutory provisions establishes a per se standard of care applicable to Meta.
Absent a standard of care imposed by statute, the default is that of a reasonably prudent person under like circumstances, and plaintiffs allege that Meta failed to exercise reasonable care in handling their confidential information. Compl. ¶¶ 207-10. Meta asserts that it should not have a duty to avoid receipt of sensitive information. See Reply at 13. But Meta does not cite any on point California decisions that establish a differing standard of care in situations like this one, nor does it specifically argue that the default standard should not apply here. For purposes of Meta's 12(b)(6) motion, the Court will therefore assume that the default duty rules and standard of care apply.
Whether plaintiffs' pleaded facts establish a breach of that duty and standard is a question for the jury. Indeed, several of Meta's arguments are best understood as asserting that its actions are not unreasonable and therefore do not constitute breach of the duty, as opposed to asserting that reasonable care is not the appropriate standard. Accordingly, plaintiffs have sufficiently pleaded duty and breach.
b. Proximate Cause
Plaintiffs plead that they were injured as a result of Meta's negligence. Compl. ¶ 212. And they specifically assert that “Meta encouraged the transmission of financial information by providing tax-filing websites with technology that Meta knew would result in the transmission of confidential information, and took no action against websites when Meta began obtaining and using that information.” Compl. ¶ 214. Whether Meta's conduct is the proximate cause of the alleged harm to plaintiffs is a question of fact for the jury. See Ramirez, 6 Cal.4th at 546; see also Restatement (Second) of Torts § 328C (1965) (cited by Ramirez) (“In an action for negligence the jury determines, in any case in which different conclusions may be reached on the issue .. whether the defendant's conduct is a legal cause of the harm to the plaintiff.”).
c. Damages
Plaintiffs have pleaded several forms of injury and seek damages on that basis. Compl. ¶¶ 213, 216. Their claimed injuries include: “(1) the loss of privacy of Plaintiff's protected financial information; (2) time and resources expended to investigate and respond to Meta's violations; (3) diminution in value of their protected financial information; and (4) loss of the benefit of their bargain with Meta.” Compl. ¶ 213.
Meta argues that plaintiffs' damages claims are barred by the economic loss rule. “Economic” loss in this context means an injury to “a plaintiff's interest in prospective economic advantage.” J'Aire Corp. v. Gregory, 24 Cal.3d 799, 803 (1979) (emphasis added). A quintessential example is “consequent loss of profits.” Robinson Helicopter Co. v. Dana Corp., 34 Cal.4th 979, 988 (2004). Economic loss can also include “damages for inadequate value” or “costs of repair and replacement of [a] defective product.” Id. In short, economic loss captures the harm from expectations about the future being “frustrated” or “disappointed.” Id.
California courts apply the economic loss rule in several circumstances. First, “when courts are concerned about imposing liability in an indeterminate amount for an indeterminate time to an indeterminate class.” Sheen v. Wells Fargo Bank, N.A., 12 Cal. 5th 905, 922 (2022). Second, “the rule functions to bar claims in negligence for pure economic losses in deference to a contract between litigating parties.” Id. This “contractual economic loss rule” applies only when parties “are in contractual privity,” and bars only claims that “arise from-or are not independent of-the ... underlying contracts.” Id. at 923.
There is no reason to conclude at this stage that plaintiffs' negligence claims are entirely foreclosed as a matter of law by the economic loss rule. Meta argues that “the economic loss rule bars negligence claims where plaintiffs allege only losses related to the disclosure of their personal data.” Motion at 34. But the cases it cites do not support this argument. Further, Meta fails to demonstrate that plaintiffs' alleged injuries are in fact economic losses. Indeed, Meta itself argues elsewhere that plaintiffs' injuries do not constitute the “loss of money or property.” Motion at 28, 31-32. In addition, plaintiffs' allegations are retrospective rather than prospective. They focus on “loss of privacy,” “diminution in value,” and a “loss of the benefit of their bargain” that has already occurred. As discussed in greater detail with respect to Count XVI below, plaintiffs have a proprietary interest in their personal data, so harms to that interest may extend beyond disappointed future expectations. Plaintiffs also allege other injuries, including loss of time and resources. See, e.g., Bass, 394 F.Supp.3d at 1039 (concluding that loss of time is not a purely economic loss).
In In re iPhone Application Litigation, for example, the Court briefly summarized California's economic loss rule and concluded that “the allegations of harm identified in the . Complaint are either too speculative to support a claim for negligence under California law, or they stem from disappointed expectations from a commercial transaction and thus do not form the basis of a negligence claim.” 844 F.Supp.2d 1040, 1064 (N.D. Cal. 2012). The Court did not squarely hold that privacy harms are always economic losses; instead, it simply concluded that plaintiffs who had transacted directly with defendant had not alleged nonspeculative injury beyond disappointed expectations. See also In re Google Android Consumer Privacy Litig., No. 11-MD-02264-JSW, 2013 WL 1283236, at *13 (N.D. Cal. Mar. 26, 2013) (dismissing negligence claims that were “nearly identical” to the ones in In re iPhone Application Litigation without further analysis).
For these reasons, Meta fails to show that plaintiffs' alleged injuries are solely economic.
This also is not the kind of case where courts are concerned about indeterminate liability. Cf. S. Cal. Gas Leak Cases, 7 Cal. 5th 391, 412 (2019) (allowing recovery to “people who experience slight physical injury” but not those “who suffer .. purely economic losses” after a massive gas leak because “drawing arbitrary lines is unavoidable” and “the ripple effects of industrial catastrophe on this scale in an interconnected economy defy judicial creation of more finely tuned rules”). Here, the harm, time, and class can all be readily determined.
As explained earlier, the Court also has no basis to conclude at this stage that the parties are in contractual privity, let alone that plaintiffs' negligence claims arise from any purported contract. The “contractual economic loss rule” is therefore inapplicable.
Finally, even where the economic loss rule applies there is an exception if there is a “special relationship” between the parties, as plaintiffs allegations suggest may be the case here. This exception applies to claims where a plaintiff who is not in contractual privity with a defendant seeks to recover purely economic losses for negligent performance of services under a contract. The factors California courts weigh to determine whether there is a special relationship are essentially the same as the factors used to consider whether a duty exists in the first place. Compare Rowland, 69 Cal. 2d at (1968) (duty factors) with J'Aire, 24 Cal.3d at 804 (special relationship factors). The special relationship factors “are (1) the extent to which the transaction was intended to affect the plaintiff, (2) the foreseeability of harm to the plaintiff, (3) the degree of certainty that the plaintiff suffered injury, (4) the closeness of the connection between the defendant's conduct and the injury suffered, (5) the moral blame attached to the defendant's conduct and (6) the policy of preventing future harm.” J'Aire, 24 Cal.3d at 804.
Here, Facebook's provision of tracking tools to web developers like the tax preparation sites was clearly intended to affect users, like plaintiffs, who were the targets of the tracking. “[T]he first factor is met when plaintiffs share personal data with a company with the understanding that the company will protect that data.” Huynh v. Quora, Inc., 508 F.Supp.3d 633, 655 (N.D. Cal. 2020) (collecting cases). The other factors overlap with the foreseeability and public policy Rowland factors discussed above with respect to duty. For the same reasons, they weigh in favor of finding a sufficiently special relationship between Meta and plaintiffs to preclude application of the economic loss rule. See also, e.g., Huynh, 508 F.Supp.3d at 654-59 (weighing all six J'Aire factors to find a special relationship between users and a social media platform in the context of a data breach).
In sum, drawing all factual inferences in plaintiffs' favor, plaintiffs have adequately alleged a negligence claim. Meta's motion to dismiss Count XIII is therefore denied.
14. Count XIV: Cal. Consumer Legal Remedies Act (Cal. Civ. Code § 1780 et seq. )
Section 1780 of the California Civil Code allows “[a]ny consumer who suffers any damage as a result of the use or employment by any person of a method, act, or practice declared to be unlawful by Section 1770” to “bring an action against that person to recover or obtain” any of several forms of relief, including actual damages, injunctive relief, restitution, or punitive damages. Section 1770, in turn, proscribes several forms of conduct. Plaintiffs allege that Meta violated Section 1770 in three ways.
First, they allege that “[b]y failing to disclose that Meta was secretly collecting and using tax filing and other financial data for its own advertising and other business purposes, Meta violated section 1770(2) of the CLRA by ‘[m]isrepresenting the source, sponsorship, approval, or certification of goods or services.'” Compl. ¶ 222.
Second, they allege that “[b]y making the same omissions, Meta violated section 1770(5) of the CLRA by ‘[r]epresenting that goods or services have sponsorship, approval, characteristics, ingredients, uses, benefits, or quantities which they do not have.'” Compl. ¶ 223.
Third, they allege that “[b]y making the same omissions, Meta violated section 1770(14) of the CLRA by ‘[r]epresenting that a transaction confers or involves rights, remedies, or obligations which it does not have or involve, or which are prohibited by law.'” Compl. ¶ 224.
For these three alleged violations plaintiffs seek all relief available under the CLRA except for actual damages. Compl. ¶ 227.
Meta argues that plaintiffs are not “consumers” entitled to bring a claim under Section 1780. Section 1761 of the Civil Code defines a “consumer” as “an individual who seeks or acquires, by purchase or lease, any goods or services for personal, family, or household purposes.” While the complaint asserts in a conclusory fashion that plaintiffs are consumers for the purposes of Section 1761, the complaint fails to identify any specific purchase or lease of goods or services by plaintiffs. Instead, it merely alleges that plaintiffs each “used” the tax websites at issue to e-file their taxes. In the absence of any factual allegations establishing plaintiffs' status as consumers under Section 1761, the Court must grant, with leave to amend, Meta's motion to dismiss Count XIV.
15. Count XV: California Penal Code § 496
Section 496 of the California Penal Code makes it a crime to “receive[] any property that has been stolen or that has been obtained in any manner constituting theft or extortion, knowing the property to be so stolen or obtained.” Section 484 defines “theft” as meaning to “steal, take, carry, lead, or drive away the personal property of another,” or “by any false or fraudulent representation or pretense, defraud any other person of .. real or personal property.”
Plaintiffs allege that Meta's conduct was “theft,” either directly or by false pretense. They allege that “Meta stole, took, and fraudulently appropriated [their] individually identifiable tax and other financial information without their consent.” Compl. ¶ 233. They also allege that “Meta concealed, aided in the concealing, sold and/or utilized the information at issue here for Meta's commercial purposes and financial benefit.” Compl. ¶ 234.
“To plausibly state a theft by false pretenses claim, plaintiffs must allege not only that Meta made specific false representations to them, but also that plaintiffs transferred their property to Meta in reliance on the representation.” Doe, 2023 WL 5837443, at *15 (cleaned up). As discussed above, plaintiffs do not currently plead that they actually saw (or relied on) any of the statements by Meta discussed in the complaint. Absent a misrepresentation and reliance, the theft by false pretense theory fails. Count XV is therefore dismissed with leave to amend to the extent it is premised on that theory.
Plaintiffs also assert that in addition to a false pretenses theory, they are also claiming theft based on the “simple stealing or taking of property.” Opposition at 32. But the verbs used in Section 484 are all active-“steal, take, carry, lead, or drive away”-while plaintiffs allege that the Pixel is designed to be passive. It is a tool that Meta “offers” to developers, and that “website owners can install on their websites.” Compl. ¶¶ 26-27. It is developers, rather than Meta, that select what information the Pixel sends; the Pixel is “triggered” only when a user “takes an action that the website developer has chosen to measure on its website.” Compl. ¶ 32 (cleaned up). While this setup, as pleaded, can plausibly serve as the basis for wiretap or privacy claims, the allegations here do not suggest that Meta itself was actively stealing users' data rather than merely creating conditions that allowed (or even incentivized) the tax preparation sites to transmit that data without users' consent.
Because plaintiffs have failed to adequately plead theft under either a direct or false-pretenses theory, Count XV is dismissed with leave to amend.
16. Count XVI: Unfair Competition Law (Cal. Bus. & Prof. Code § 17200, et seq. )
Finally, plaintiffs seek an injunction and restitution under California's Unfair Competition Law (UCL), which proscribes any “unlawful, unfair or fraudulent business act or practice.” Cal. Bus. & Prof. Code § 17200. Plaintiffs allege that Meta has violated all three prongs. Remedies under the UCL are equitable in nature and legal damages cannot be recovered. Korea Supply Co. v. Lockheed Martin Corp., 29 Cal.4th 1134, 1144 (2003). UCL remedies are thus generally limited to restitution and prospective declaratory or injunctive relief, both of which plaintiffs seek here. See In re Vioxx Class Cases, 180 Cal.App.4th 116, 130 (2009).
a. Equitable Jurisdiction
The Ninth Circuit has held that plaintiffs seeking equitable relief under the UCL in a federal court sitting under diversity jurisdiction must establish that they lack an adequate remedy at law. Sonner v. Premier Nutrition Corp., 971 F.3d 834, 844 (9th Cir. 2020). Plaintiffs have done so. Under Sonner, a plaintiff “need not explain in great detail why her legal remedies are insufficient; an allegation to that effect is generally enough.” See Weizman, 2023 WL 8461173, at *4 n.3. Here, plaintiffs explicitly allege that they “lack an adequate remedy at law.” Compl. ¶ 252. They specifically assert that “[l]egal remedies available to Plaintiffs and class members are inadequate because they are not equally prompt and certain and in other ways efficient as equitable relief.” Id. They discuss in detail the distinctions between damages and restitution, asserting that restitution may result in a greater award than damages in this case and that claims for damages are less certain. Compl. ¶ 252; cf. Sonner, 971 F.3d at 844 (“Sonner concedes that she seeks the same sum in equitable .. as she requested in damages to compensate her for the same past harm. Sonner fails to explain how the same amount of money for the exact same harm is inadequate or incomplete, and nothing in the record supports that conclusion.”). These allegations suffice to establish that this Court has equitable jurisdiction to consider plaintiffs' UCL claims.
b. UCL Standing
Meta next challenges whether plaintiffs have suffered an injury that provides standing under the UCL, which provides that only “a person who has suffered injury in fact and has lost money or property as a result of the unfair competition.” Cal. Bus. & Prof. Code § 17204. The California Supreme Court has explained what sorts of injuries qualify:
There are innumerable ways in which economic injury from unfair competition may be shown. A plaintiff may (1) surrender in a
transaction more, or acquire in a transaction less, than he or she otherwise would have; (2) have a present or future property interest diminished; (3) be deprived of money or property to which he or she has a cognizable claim; or (4) be required to enter into a transaction, costing money or property, that would otherwise have been unnecessary.Kwikset Corp. v. Super. Ct., 51 Cal.4th 310, 323 (2011).
Privacy harms involving personal data can constitute an injury to money or property sufficient to provide standing under the UCL. Indeed, there are several ways to conceptualize these kinds of injuries as injuries to money or property.
The first is a “transactional” or “benefit-of-the-bargain” theory. Users may choose to share data with businesses and other entities. When they do so, they have certain expectations about how the data will be used and protected. If a user shares information with the expectation that it will be protected but the recipient does not actually protect it, then the user has surrendered in that transaction more than she otherwise would have. This constitutes an injury to money or property under Kwikset. This is true if the user originally paid for the business's service as part of the transaction, because the user presumably would have demanded a lower price if they knew their data would not be secured. Moore v. Centrelake Med. Grp., Inc., 83 Cal.App. 5th 515, 527 (2022) (“Here, appellants alleged they relied on Centrelake's false representations and promises concerning data security in entering contracts with Centrelake and accepting its pricing terms, paying more than they would have had they known the truth that Centrelake had not implemented and would not maintain adequate data security practices. We conclude these allegations adequately pled UCL standing under Kwikset.”). This logic applies with equal force to free services, because a user willing to provide certain information with expectations of security in exchange for a free service may not have been willing to do so without compensation if they realized what would actually happen to their information. And just as it applies to transactions where a user provides data with an understanding that it will be protected but the data is in fact not protected, it can also apply to transactions a user enters with an understanding that certain data will not be collected or shared but the data is in fact collected or shared. Any time a user transacts with a business or other entity and their expectations regarding their personal data are not met as a result of conduct alleged to violate the UCL, they can establish UCL standing by showing that they had to “surrender .. more, or acquire .. less” than they otherwise would have. See Kwikset, 51 Cal.4th at 323.
The second is a “diminished value” theory. People's personal information has value not only to them but on the marketplace. If that information is stolen or disseminated without their permission, its value may be diminished. The California Court of Appeal in Moore suggested that this could support UCL standing if a plaintiff alleged that they either “attempted or intended to participate” in the market for their data, “or otherwise to derive economic value from their PII.” 83 Cal.App. 5th at 538.
The third is a “right to exclude” theory. “California courts have . acknowledged that users have a property interest in their personal information,” Calhoun v. Google LLC, 526 F.Supp.3d 605, 635 (N.D. Cal. 2021) (collecting cases), so certain kinds of personal data may directly constitute property under the UCL. And “[o]ne of the main rights attaching to property is the right to exclude others.” People v. Stewart, 113 Cal.App.4th 242, 250 (2003); see 2 William Blackstone, Commentaries 2 (1766) (“There is nothing which so generally strikes the imagination, and engages the affections of mankind, as the right of property; or that sole and despotic dominion which one man claims and exercises over the external things of the world, in total exclusion of the right of any other individual in the universe.”). In challenging the unlawful disclosure of their sensitive financial information to Meta, plaintiffs effectively contend that they were deprived of their right to exclude Meta from that intangible property. The Court sees no reason why such a violation of plaintiffs' right to exclude would not constitute the diminishment of a “present or future property interest” for purposes of Kwikset's second prong.
Here, plaintiffs appear to invoke all three theories of injury. They allege:
Plaintiffs and Class Members have suffered an injury in fact, including the loss of money and/or property, as a result of Meta's unfair, unlawful and/or deceptive practices, to wit, the disclosure of their tax filing data which has value as is demonstrated by the use and sale of it by Meta.. Plaintiffs, the Class Members, and the public at large value their tax filing information at more than a trifle. And sale of this confidential and valuable information has now diminished the value of such information to Plaintiffs and the Class.
Meta's actions caused damage to and loss of Plaintiffs', Class Members' and other taxpayers' property right to control the dissemination and use of their personally identifiable financial and tax data and communications.
Each Plaintiff also suffered economic injury by the loss of their personal tax filing information to Meta with no consent or disclosure.
Meta's actions caused damage to and loss of Plaintiffs', Class Members' and other taxpayers' property rights to control the dissemination and use of the personally identifiable communications.Compl. ¶¶ 248-51. Taken together, these allegations are enough to establish an injury in fact resulting in a loss of money or property. That some of these injuries may be amorphous and difficult to quantify does not make them any less real or render them inadequate to establish UCL standing.
a. UCL Claims
Plaintiffs have adequately pleaded claims under at least two of the UCL's three prongs. First, they have plausibly alleged that Meta engaged in unlawful practices because they have adequately pleaded several of their other claims for the reasons discussed above. Second, plaintiffs' allegations are also sufficient to state a claim under the “intentionally broad” “unfair” prong of the UCL. See S. Bay Chevrolet v. Gen. Motors Acceptance Corp., 72 Cal.App.4th 861, 886 (1999); see also Vizcarra, 2024 WL 64747, at *7 (“[W]here the factual allegations are sufficient to plausibly allege violations of .. other prongs of the UCL, those same allegations also sufficiently state an unfairness prong claim under the UCL.”).
Plaintiffs have not adequately stated a claim under the UCL's “fraudulent” prong. Plaintiffs' theory is one of fraudulent omission, so they must plausibly allege that they would have seen the disclosures they fault Meta for omitting for the reasons already discussed above with respect to Count XII. Because plaintiffs do not allege that they read the agreements where Meta makes other disclosures, they must offer some other theory for how they would have seen any disclosure Meta would have made. See Hoffman, 228 Cal.App.4th at 1193-94; In re Anthem, Inc. Data Breach Litig., No. 15-MD-02617-LHK, 2016 WL 3029783, at *35 (N.D. Cal. May 27, 2016). But as noted already, the consolidated complaint contains no such allegations.
Accordingly, Meta's motion to dismiss is granted, with leave to amend, as to plaintiffs' fraudulent conduct UCL claim but otherwise denied.
V. Conclusion
For the reasons set forth above, Meta's motion is granted in part and denied in part and the requests for judicial notice are granted. Plaintiffs are granted leave to file an amended complaint to resolve the shortcomings identified above. An amended complaint, if plaintiffs choose to file one, shall be filed on or before April 19, 2024. If plaintiffs do not file an amended complaint by that date, Meta's response to the existing complaint will be due May 10, 2024.
IT IS SO ORDERED.