Summary
considering app that allowed users to take and edit photos and videos and concluding that “user and device identifiers” were not the type of information that could give rise to a privacy injury, although collection and storage of biometric information was sufficient to support standing
Summary of this case from E. H. v. Meta Platforms, Inc.Opinion
21-cv-05143-HSG
09-30-2022
SYDNEY JI, et al., Plaintiffs, v. NAVER CORPORATION, et al., Defendants.
ORDER GRANTING MOTIONS TO DISMISS WITH LEAVE TO AMEND RE: DKT. NOS. 47, 52, AND 53
HAYWOOD S. GILLIAM, JR. UNITED STATES DISTRICT JUDGE
Pending before the Court are Defendants' motions to dismiss. See Dkt. Nos. 47 (“Naver Mot.”), 52 (“Foreign LINE Mot.”), and 53 (“LINE E-A Mot.”). The motions are fully briefed. See Dkt. Nos. 67 (“Naver Opp.”), 68 (“LINE Opp.”), 71 (“Naver Reply”), and 79 (“LINE Reply”).The Court held a hearing on May 12, 2022. See Dkt. No. 96. For the reasons detailed below, the Court GRANTS the motions to dismiss WITH LEAVE TO AMEND.
The Naver Defendants and LINE E-A each submitted Requests for Judicial Notice (Dkt. Nos. 51 and 54, respectively). Plaintiffs did not file an opposition, so the Court grants the Requests, but only to the extent of simply recognizing the existence of the documents. None of the materials submitted as part of the Requests for Judicial Notice are the basis for the ruling on the motions to dismiss. Plaintiffs also filed objections under Local Rule 7-3(d)(1) to the declarations submitted with the Naver Reply (Dkt. No. 74) and the LINE Reply (Dkt. No. 75). The objections are sustained because submitting this new information with the reply brief is improper when it could have been submitted earlier. Plaintiffs also filed a supplemental submission regarding SenseTime (Dkt. No. 69), to which the Naver Defendants objected (Dkt. No. 72). This objection is also sustained.
I. BACKGROUND
Plaintiffs Sydney Ji, June Abe, Lee Shubert, Kira Tomlinson, Ranela Sunga, and Stefanie Bonner (“Plaintiffs”) bring this putative class action against Defendants Naver Corporation (“Naver”), Naver Cloud Corporation (“Naver Cloud”), Naver Cloud America Inc. f/k/a/ Naver Business Platform America Inc. (“Naver Cloud America”), Snow Corporation (“Snow Corp.”), Snow Inc., Z Holdings Corporation (“Z Holdings”), LINE Corporation (“Line Corp.”), LINE Plus Corporation (“LINE Plus”), and LINE Euro-Americas Corporation (“LINE E-A”). See Dkt. No. 1 (“Complaint”) ¶¶ 5-19.
According to the Complaint, Defendants used two apps-LINE Messenger and B612-to “surreptitiously collect vast troves of private and/or personally identifiable user data without user consent-including unique biometric information and private message content.” Id. ¶¶ 1-3. LINE Messenger is a messenger app which Plaintiffs allege “collects users' biometric information such as face geometry scans” through an embedded SenseTime software development kit (“SDK”). Id. ¶ 2. Plaintiffs further allege that even though LINE “claims to provide ‘end-to-end' encryption for user chats,” “material portions of user messages . . . are intercepted and taken in unencrypted form.” Id. According to Plaintiffs, the app's users “have not consented to these activities.” Id.
B612 is an app that allows users to take and edit photos and videos. Id. ¶ 43. The app also contains augmented reality (“AR”) features that “allow users to utilize filters to alter their image, including, for example, making their skin appear smoother or changing their image into an animated display like a stuffed animal.” Id. ¶ 44. Plaintiffs allege that B612 collects users' biometric information through the SenseTime SDK and then “transmits [] face geometry scans from user devices to at least one of Defendants' servers.” Id. ¶ 3. Plaintiffs further allege that the app transmits user data “to non-secure servers in China and Hong Kong where, on information and belief, it is available to the Chinese Communist Party for retention in a database used for intelligence gathering and other purposes.” Id. According to Plaintiffs, the app's users “have not consented to these activities.” Id.
Plaintiffs bring ten causes of action, on behalf of themselves and a putative class, against the Defendants: (1) “Negligence-All Plaintiffs”; (2) “Intrusion Upon Seclusion-Plaintiffs Ji, Abe, Tomlinson, Sunga, and Bonner”; (3) “Violation of the Right to Privacy - California Constitution-Plaintiffs Ji, Abe, Tomlinson, Sunga, and Bonner”; (4) “Violation of the California Unfair Competition Law, Bus. & Prof. Code §§ 17200, et seq.-Plaintiffs Ji, Abe, Tomlinson, Sunga, and Bonner”; (5) “Violation of the California False Advertising Law, Bus. & Prof. Code §§ 17500, et seq.-Plaintiffs Ji, Abe, Tomlinson, Sunga, and Bonner”; (6) “Violation of the California Invasion of Privacy Act, California Penal Code §§ 630, et seq.-Plaintiffs Ji, Abe, Tomlinson, Sunga, and Bonner”; (7) “Violation of the Electronic Communications Privacy Act, 18 U.S.C. §§ 2510, et seq.-All Plaintiffs; (8) “Violation of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030-All Plaintiffs”; (9) “Violation of the Illinois Biometric Information Privacy Act, 740 ILCS 14/1, et seq.-Plaintiff Shubert”; and (10) “Restitution / Unjust Enrichment-All Plaintiffs.” See generally id.
The Defendants have filed three motions to dismiss, on behalf of the following sub-groups: 1) the “Naver Defendants,” comprised of Naver, Naver Cloud, Naver Cloud America, Snow Corp., and Snow Inc.; 2) the “Foreign LINE Defendants,” comprised of Z Holdings, Line Corp., and Line Plus; and 3) LINE Euro-Americas. The Foreign LINE Defendants and LINE EuroAmericas will be collectively referred to as the “LINE Defendants.”
II. LEGAL STANDARD
Federal Rule of Civil Procedure 8(a) requires that a complaint contain “a short and plain statement of the claim showing that the pleader is entitled to relief.” Fed.R.Civ.P. 8(a)(2). A defendant may move to dismiss a complaint for failing to state a claim upon which relief can be granted under Rule 12(b)(6). “Dismissal under Rule 12(b)(6) is appropriate only where the complaint lacks a cognizable legal theory or sufficient facts to support a cognizable legal theory.” Mendiondo v. Centinela Hosp. Med. Ctr., 521 F.3d 1097, 1104 (9th Cir. 2008).
To survive a Rule 12(b)(6) motion to dismiss, a plaintiff must plead “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). A claim is facially plausible when a plaintiff pleads “factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009). In reviewing the plausibility of a complaint, courts “accept factual allegations in the complaint as true and construe the pleadings in the light most favorable to the nonmoving party.” Manzarek v. St. Paul Fire & Marine Ins. Co., 519 F.3d 1025, 1031 (9th Cir. 2008). Courts do not “accept as true allegations that are merely conclusory, unwarranted deductions of fact, or unreasonable inferences.” In re Gilead Scis. Secs. Litig., 536 F.3d 1049, 1055 (9th Cir. 2008) (quoting Sprewell v. Golden State Warriors, 266 F.3d 979, 988 (9th Cir. 2001)).
III. DISCUSSION
A. Personal Jurisdiction
Naver, Naver Cloud, and the Foreign LINE Defendants move to dismiss the Complaint against them based on lack of personal jurisdiction. See Naver Mot. at 11; Foreign LINE Mot. at 3. “When a defendant moves to dismiss for lack of personal jurisdiction, the plaintiff bears the burden of demonstrating that the court has jurisdiction over the defendant.” Pebble Beach Co. v. Caddy, 453 F.3d 1151, 1154 (9th Cir. 2006). “The general rule is that personal jurisdiction over a defendant is proper if it is permitted by a [state's] long-arm statute and if the exercise of that jurisdiction does not violate federal due process.” Id. In California, the long-arm statute extends jurisdiction to the limits of due process, so the resolution of the Court's jurisdiction turns on the federal due process analysis. See id. at 1155. “For due process to be satisfied, a defendant, if not present in the forum, must have sufficient ‘minimum contacts' with the forum state such that the assertion of jurisdiction ‘does not offend traditional notions of fair play and substantial justice.'” Id. (quoting Int'l Shoe Co. v. Washington, 326 U.S. 310, 315 (1945)).
There are two potential bases for jurisdiction: general and specific. See Bristol-Myers Squibb Co. v. Superior Court, 137 S.Ct. 1773, 1779-80 (2017). Here, the Plaintiffs claim the Court has specific jurisdiction over Naver, Naver Cloud, and the Foreign LINE Defendants. The Ninth Circuit uses the following three-prong test to analyze whether specific jurisdiction exists:
Plaintiffs do not claim that the Court has general jurisdiction over these defendants.
(1) the non-resident defendant must purposefully direct [its] activities or consummate some transaction with the forum or resident thereof; or perform some act by which [it] purposefully avails itself of the privilege of conducting activities in the forum, thereby invoking the benefits and protections of its laws; (2) the claim must be one which arises out of or relates to the defendant's forum-related activities; and (3) the exercise of jurisdiction must comport with fair play and substantial justice, i.e. it must be reasonable.Schwarzenegger v. Fred Martin Motor Co., 374 F.3d 797, 802 (9th Cir. 2004). Plaintiffs bear the burden on the first two prongs. Id. If they succeed in satisfying both, then the burden shifts to the defendants to “present a compelling case” that the exercise of jurisdiction would not be reasonable. Id. (quotation omitted). “If any of the three requirements is not satisfied, jurisdiction in the forum would deprive the defendant of due process of law.” Omeluk v. Langsten Slip & Batbyggeri A/S, 52 F.3d 267, 270 (9th Cir. 1995).
To assess “purposeful direction” under the first prong, courts apply the “effects test” to determine whether the defendant “(1) committed an intentional act, (2) expressly aimed at the forum state, (3) causing harm that the defendant knows is likely to be suffered in the forum state.” Yahoo! Inc. v. La Ligue Contre Le Racisme Et L'Antisemitisme, 433 F.3d 1199, 1206 (9th Cir. 2006) (quotation omitted).
“The parties may submit, and the court may consider, declarations and other evidence outside the pleadings in determining whether it has personal jurisdiction.” Stack v. Progressive Select Ins. Co., No. 20-cv-00338-LB, 2020 WL 5517300, at *4 (N.D. Cal. Sept. 14, 2020) (citing Doe v. Unocal Corp., 248 F.3d 915, 922 (9th Cir. 2001)). “Although the court ‘may not assume the truth of allegations in a pleading which are contradicted by affidavit,' the court resolves factual disputes in the plaintiff's favor.” Toy v. Honeywell Int'l Inc., No. 19-CV-00325-HSG, 2019 WL 1904215, at *3 (N.D. Cal. Apr. 29, 2019) (quoting CollegeSource, Inc. v. AcademyOne, Inc., 653 F.3d 1066, 1073 (9th Cir. 2011)).
i. Naver and Naver Cloud
Naver and Naver Cloud argue that Plaintiffs' claims against them should be dismissed because the two “South Korean companies do not have sufficient contacts with California to establish personal jurisdiction.” Naver Mot. at 11. Plaintiffs claim that “Naver owns and operates, and at all relevant times owned and operated, the B612 app.” Naver Opp. at 3 (quoting Compl. ¶ 23). Naver also has employees in the United States and, according to Plaintiffs, Naver's Chief Business Officer for North America is located in Palo Alto, California. Naver Opp. at 6.
Naver's Chief Privacy Officer, Jinkyu Lee, submitted a declaration acknowledging that “NAVER is the parent corporation to SNOW Corporation, the maker of the B612 app,” but asserting that it was “not involved in the development, operation, or marketing of the B612 app, and has never provided customer service to users of that app.” Dkt. 48 (“Lee Decl.”) at ¶ 9. Plaintiffs argue that this declaration does not refute the possibility of Naver's current involvement with the B612 app. While the Court finds this semantic argument less than compelling, “as the court [must] resolve[] factual disputes in the plaintiff's favor,” it will assume for the purposes of this motion that Naver “owns and operates . . . the B612 app.” Compl. ¶ 23.
Naver Cloud is a wholly owned subsidiary of Naver. Compl. ¶ 12. Plaintiffs claim in their opposition that Naver Cloud “supports the Naver IT infrastructure involved in the collection and transmission of LINE Messenger and B612 user data” and that it provides “ISP services for, and uses its own devices to host, certain domains . . . that are directly involved in the unlawful collection and transmission of LINE Messenger and B612 user data.” Naver Opp. at 3. Plaintiffs also now assert that Naver Cloud “acquired, installed, operated, and managed LINE Corp.'s server, data storage, and data management with respect to user data” including “user data from the United States and California.” Naver Opp. at 4. Naver Cloud America (a U.S company based in San Jose, California) is a wholly owned subsidiary of Naver Cloud. Compl. ¶ 37. Plaintiffs also argue that “the contacts of Naver's subsidiaries with California can be imputed to Naver because they are its agents” but it does not identify where in its Complaint it pleads facts to support this argument. Naver Opp. at 7.
The first prong of the specific jurisdiction test requires a party to either purposefully direct its activities toward California or to purposefully avail itself of the privilege of conducting activities in California. See Schwarzenegger, 374 F.3d at 802. Applying the Yahoo! “effects” test, the Court finds that Plaintiffs have not pled sufficient facts to establish that Naver purposefully directed its activities toward California or purposefully availed itself of the privilege of conducting activities in California. See Yahoo, 433 F.3d at 1206. Plaintiffs similarly fail to plead sufficient facts to meet this requirement regarding Naver Cloud. At bottom, Plaintiffs have failed to allege facts that show that Naver or Naver Cloud engaged in intentional acts “expressly aimed” at the forum state. Pebble Beach Co., 453 F.3d at 1156. As Plaintiffs have not met the first prong of the specific jurisdiction test as to Naver or Naver Cloud, the Court finds that the Complaint does not establish personal jurisdiction over these two defendants. See id. at 1155 (holding that, as “Plaintiff's arguments fail under the first prong . . . we need not address whether the claim arose out of or resulted from [Defendant's] forum-related activities or whether an exercise of jurisdiction is reasonable . . .”). The Complaint is DISMISSED WITH LEAVE TO AMEND as to Naver and Naver Cloud.
ii. Foreign LINE Defendants
The Foreign LINE Defendants argue that Plaintiffs' claims against them should be dismissed because the Court lacks personal jurisdiction over them. Foreign LINE Mot. at 4. Plaintiffs claim that the Court has specific personal jurisdiction over the Foreign LINE Defendants because each of the Foreign LINE Defendants “have committed intentional acts, as part of a global enterprise of affiliated companies working together to make the LINE Messenger and B612 apps available to consumers, unlawfully collecting use data through those apps, and generating advertising revenue from the apps and the stolen user data.” Foreign LINE Opp. at 18.
Z Holdings is a subsidiary of a joint venture between Naver and third-party SoftBank located in Tokyo. Compl. ¶ 16. For specific jurisdiction purposes, Plaintiffs contend that Z Holdings's “intentional act” is that it is “charged with operation of LINE Messenger, along with its subsidiaries, including LINE Corp., LINE Plus, and LINE E-A.” LINE Opp. at 19-20. They claim that Z Holdings's operation of LINE Messenger is established by a report of the Special Committee for Global Data Governance, which allegedly “confirm[s] that Z Holdings governs the handling of user data by LINE Messenger and its other portfolio businesses.” Id. at 20. LINE Corporation (“LINE Corp.”) is a wholly owned subsidiary of Z Holdings located in Tokyo. Compl. ¶ 17. Plaintiffs contend that LINE Corp.'s “intentional act” is that it is the “the registrant of key domains . . . that intercept and obtain user data sent from one LINE Messenger user to another.” Id. at 20. Defendant LINE Plus Corporation (“LINE Plus”) is a wholly owned subsidiary of LINE Corp. located in South Korea. Compl. ¶ 18. Plaintiffs contend that LINE Plus's “intentional act” is that it “provide[d] marketing and sales services for the LINE platform outside of Japan.” Id. at 21. Finally, LINE Euro-Americas Corp. (“LINE E-A”), which does not contest personal jurisdiction, is a Delaware corporation located in Palo Alto and Los Angeles and it is a wholly owned subsidiary of LINE Plus. Compl. ¶ 19.
In summary, Plaintiffs contend that the Foreign LINE Defendants expressly aimed their intentional acts at California in three ways. They first contend that the foreign LINE Defendants collectively “promote the expansion of LINE Messenger's user base in California” through LINE Friends Inc., a non-party U.S. subsidiary of LINE Corp., that sells LINE Messenger merchandise online and at a brick-and-mortar store in Los Angeles. Id. at 22. Second, Plaintiffs argue that LINE E-A-a wholly owned subsidiary of LINE Plus headquartered in California-also previously “promoted LINE Messenger in North and South America” and currently “supports business-to-business activities and partnerships for LINE Plus and LINE Corp.” Id. (quotations omitted). Third, Plaintiffs contend that LINE Plus was established “to more effectively pursue global expansion [of LINE Messenger] outside of Japan” and “provide marketing and sales service for the LINE platform outside of Japan.” Id. (quotations omitted). LINE Plus has had seven employees in the United States, with at least two in California at some point. Id. Fourth, Plaintiffs argue that “hardware used to intercept and obtain LINE Messenger user data is located in California” because Naver Cloud and Naver Cloud America provide ISP services for “one of the offending domains that Defendants have used to unlawfully intercept and obtain LINE Messenger user data.” Id. at 23.
Plaintiffs fail to meet the requirements of the specific jurisdiction test as to the Foreign LINE Defendants. See Schwarzenegger, 374 F.3d at 802. Applying the Yahoo! “effects” test, the Court finds that Plaintiffs have not plead sufficient facts to establish that the Foreign LINE Defendants purposefully directed their activities toward California or purposefully availed themselves of the privilege of conducting activities in California. To begin with, LINE Messenger itself has weak ties to California. Plaintiffs do not meaningfully dispute that (1) LINE Messenger is a global communications app that has no particular focus on California; and (2) over 99.2% of daily active LINE Messenger users are located outside of the United States. See Dkt. 52-5 (“Irie Decl.”) at ¶ 3, 8-9. Plaintiffs also do not allege that any of the foreign LINE Defendants advertise directly to California or target California consumers with third-party advertisements. As a result, to the extent any of the foreign LINE Defendants operate LINE Messenger, that is not an intentional act “expressly aimed” at California. See Voodoo SAS v. SayGames LLC, No. 19-cv-07480-BLF, 2020 WL 3791657, at *4-6, 8 (N.D. Cal. July 7, 2020) (finding no personal jurisdiction over the maker of an app in part because it was downloaded from outside the United States 80% of the time).
Plaintiffs' allegations about the foreign LINE Defendants' relationships with other entities like LINE-EA and LINE Friends are also unpersuasive. Plaintiffs' allegations about LINE E-A and LINE Plus fail to show that either of those entities has expressly aimed any action at California. Claims that LINE E-A previously promoted LINE Messenger in two entire continents-North and South America-do not equate to LINE E-A specifically targeting California. And likewise, allegations that LINE Plus provides marketing and sales services for LINE Messenger “outside of Japan” do not mean that LINE Plus directed any marketing or sales services at California. Moreover, Plaintiffs do not allege any alter-ego or agency relationship between those entities (LINE Opp. at 23) and the “unilateral activity of another party or a third person is not an appropriate consideration when determining whether a defendant has sufficient contacts with a forum State.” Walden v. Fiore, 571 U.S. 277, 284 (2014) (quotation omitted). Finally, to the extent Plaintiffs justify jurisdiction based on the foreign entities' ties to LINE Friends Inc.-a non-party U.S. subsidiary of LINE Corp. that sells LINE Messenger merchandise online and at a brick-and-mortar store in Los Angeles-none of the claims here “arise out of or relate to” those activities, as required by the second prong of the specific jurisdiction test. Schwarzenegger, 374 F.3d at 802.
As to LINE Plus, Plaintiffs additionally argue that it was established in 2013 to pursue global expansion of the app and “provide marketing and sales services for the LINE platform outside of Japan.” LINE Opp. at 22. Plaintiffs also argue that LINE Plus had at least two employees in California as of April 2021. These asserted bases for jurisdiction are also unpersuasive. First, promoting LINE Messenger “outside of Japan” generally is not the same as promoting it in California specifically. And second, the presence of one or two employees in California, without more, is not enough to establish specific jurisdiction here because there is no indication that Plaintiffs' claims “arise out of or relate to” the alleged presence of these employees. Schwarzenegger, 374 F.3d at 802. All claims against the Foreign LINE Defendants are DISMISSED WITH LEAVE TO AMEND.
iii. Jurisdictional Discovery
In the alternative, Plaintiffs ask the Court to order jurisdictional discovery. Jurisdictional “discovery should ordinarily be granted where pertinent facts bearing on the question of jurisdiction are controverted or where a more satisfactory showing of the facts is necessary.” Laub v. U.S. Dep't of Interior, 342 F.3d 1080, 1093 (9th Cir. 2003). But “where a plaintiff's claim of personal jurisdiction appears to be both attenuated and based on bare allegations in the face of specific denials made by the defendants, the Court need not permit even limited discovery....” Pebble Beach Co., 453 F.3d at 1160 (quotation omitted). Here, the Court finds that Plaintiffs' claim of personal jurisdiction is both attenuated and based on bare allegations. The Court thus finds that Plaintiffs fail to make the threshold showing that jurisdictional discovery is warranted. Accordingly, the Court DENIES Plaintiffs' request for jurisdictional discovery, without prejudice to renewal if Plaintiffs can adequately address the numerous pleading shortcomings identified in this order, including the improper group pleading discussed below.
B. Group Pleading
One of the recurring problems with Plaintiffs' complaint is that their claims repeatedly raise allegations against undifferentiated groups of defendants, without specifying what entity or entities supposedly took what particular actions. The Naver Defendants argue that “[p]leading ten causes of action, without specifying which defendants they pertain to, or why each defendant's actions constitutes a legal violation, is plainly insufficient.” Naver Mot. at 16. The Court agrees that Plaintiffs fail to plead the claims with enough specificity for Defendants to determine which claims apply to which Defendants. This group pleading is not sufficient to put Defendants on notice of the claims against them. The Complaint is DISMISSED WITH LEAVE TO AMEND as to the Naver Defendants.
Raising a similar argument premised on the traceability requirement for Article III standing, the LINE Defendants allege that Plaintiffs make no “specific allegations” as to the LINE Defendants' role in the purported injuries and argue that any causal relationship to any injury Plaintiffs could have suffered could only exist between Plaintiffs and the various third parties alleged to have collected data from the apps. LINE E-A Mot. at 3-4; Foreign LINE Defendants Mot. at 24. As the Court found that it does not have personal jurisdiction over the Foreign LINE Defendants, the Court only analyzes traceability as to LINE E-A. LINE E-A argues that the Complaint should be dismissed because it was not the cause of Plaintiffs' alleged harm. LINE E A Mot. at 4. Plaintiffs argue that this argument amounts to “one tortfeasor blaming another, which is insufficient.” LINE Opp. at 32. But Plaintiffs allege that the LINE Defendants (as a group, not LINE E-A specifically) intercepted users' private messages. Compl. at ¶¶ 77-88, 221, 235. This is not sufficient to fulfill the Spokeo traceability requirement as it is not clear what role Plaintiffs allege LINE E-A played in any of the claimed transgressions. Spokeo v. Robins, 578 U.S. 330, 338 (2016). The Complaint is DISMISSED WITH LEAVE TO AMEND as to the LINE E-A.
In any amended complaint, Plaintiffs must specify with particularity which entity took which alleged actions, and may not evade this requirement by making allegations against groups of “defendants” generically.
Even though the Complaint has been dismissed against all Defendants over which the Court has jurisdiction, in the interest of streamlining any further pleading litigation, the Court addresses certain key arguments below regarding Article III standing and failure to state a claim. The Court does not address all of the arguments made by Defendants.
The Court does not address the LINE Defendants' forum non conveniens argument (as it applies to LINE E-A, the only LINE defendant over which the Court has personal jurisdiction) because it was abandoned by the LINE Defendants. See Line Reply at 1, n.1.
C. Article III Standing
“As the party invoking federal jurisdiction, the plaintiffs bear the burden of demonstrating that they have standing.” TransUnion LLC v. Ramirez, 141 S.Ct. 2190, 2207 (2021). To establish standing, a “[p]laintiff must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, 578 U.S. at 338. Further, “in a suit for damages, the mere risk of future harm, standing alone, cannot qualify as a concrete harm.” See TransUnion, 141 S.Ct. at 2210-11. Defendants first argue that “Plaintiffs' claims fail because they do not plausibly allege a cognizable injury.” Naver Mot. at 5; see also Foreign LINE Defendants Mot. at 24; LINE EA Mot. at 3.
“[U]nder Article III, an injury in law is not an injury in fact. Only those plaintiffs who have been concretely harmed by a defendant's statutory violation may sue that private defendant over that violation in federal court.” TransUnion, 141 S.Ct. at 2205 (emphasis in original). TransUnion also requires that “the asserted harm [have] a close relationship to a harm traditionally recognized as providing a basis for a lawsuit in American courts-such as physical harm, monetary harm, or various intangible harms. . .” Id. at 2200 (internal quotations omitted). This test, however, “does not require an exact duplicate in American history and tradition.” Id. at 2204.
Plaintiffs' Complaint identifies four theories of harm-invasion of privacy; harm to their mobile devices as well as data usage and electricity costs; risk of identity theft and surveillance; and diminution of value.
i. Invasion of Privacy
Plaintiffs make three main types of invasion of privacy claims: 1) Defendants took Plaintiffs' “User/Device Identifiers,” 2) Defendants took Plaintiffs' “Biometric Identifiers” (ostensibly through facial scans of user-submitted photos and videos), and 3) the LINE Defendants intercepted Plaintiffs' videos, URLs, and keywords. See Compl. ¶¶ 65, 77-88, 99, 135. Plaintiffs argue that they have met the TransUnion “close analogue test” because they have identified “disclosure of private information and intrusion upon seclusion” as the historical analogues. See Naver Opp. at 11.
The LINE Defendants' objections to Plaintiffs' claims regarding the alleged interception of videos, URLs, and keywords are discussed below.
a. User/Device Identifiers
Defendants argue that the “User/Device Identifiers” Plaintiffs mention in the Complaint “are not the kind of sensitive information that can confer standing for a privacy claim” because “Courts reject the idea that collection of this sort of information gives rise to privacy injury.” Naver Mot. at 6. Plaintiffs argue that unlike “general location and contact information” which may not be protectable, “Plaintiffs allege Defendants collected and disclosed highly sensitive information, including Plaintiffs' face geometry scans, video viewing histories, user and device identifiers, and contents of their non-public messages.” Naver Opp. at 18, n.15. Defendants' argument in that section of the motion was limited to the proposition that the collection of “user and device identifiers” cannot give rise to a privacy injury. As to those identifiers, the Court agrees that Plaintiffs have not alleged enough facts to show that the “user and device identifiers” are the type of information that could give rise to a privacy injury. See, e.g., In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 604 (9th Cir. 2020), cert. denied sub nom. Facebook, Inc. v. Davis, 141 S.Ct. 1684 (2021) (quotations omitted) (explaining that users do “not maintain a reasonable expectation of privacy” in the “the to/from addresses of their messages or the IP addresses of the websites they visit”; Heeger v. Facebook, Inc., 509 F.Supp.3d 1182, 1189 (N.D. Cal. 2020) (holding that “there is no legally protected privacy interest in IP addresses”); cf. In re Zynga Priv. Litig., 750 F.3d 1098, 1107-08 (finding that “information about a user's communication, not the communication itself” does not qualify as protected “content” under ECPA). The Court addresses below other categories of information alleged.
b. Biometric Identifiers
Defendants next argue that “having one's face scanned by a photo editing app is not a privacy injury that would be traditionally recognized by American courts.” Naver Mot. at 6 (quotations omitted). For a claim based on the disclosure of private information and intrusion upon seclusion, 1) there must be a reasonable expectation of privacy, and 2) the publicity or intrusion must be “highly offensive.” See Facebook., 956 F.3d at 601.
Defendants argue that “an individual has no privacy interest in their own face.” Naver Mot. at 6. The Ninth Circuit, however, has held that “that an invasion of an individual's biometric privacy rights has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts.” Patel v. Facebook, Inc., 932 F.3d 1264, 1273 (9th Cir. 2019) (internal quotations omitted). In Patel, the Ninth Circuit found that the plaintiffs had alleged a “concrete and particularized harm, sufficient to confer Article III standing” when they claimed the defendant had violated the Illinois Biometric Information Privacy Act (BIPA) “by collecting, using, and storing biometric identifiers (a “scan” of “face geometry”) from their photos without obtaining a written release and without establishing a compliant retention schedule.” Id. at 1268, 1275 (citations omitted). Defendants argue that “Plaintiffs' unprecedented claim that their privacy was violated when they willingly scanned their own faces with an app they chose to use for that purpose does not pass muster . . .” Naver Mot. at 6 (emphasis in original). The Court, however, finds Defendants' argument irreconcilable with Patel, which held that plaintiffs suffered a concrete injury when the defendant there collected and stored a scan of their “face geometry” from pictures posted on its website. Plaintiffs have alleged enough facts to support Article III standing as to their invasion of privacy claims based on collection and storage of biometric information.
Defendants argue that Patel is irreconcilable with TransUnion and that the Court should therefore disregard Patel. See, e.g., Dkt. 97 (“Hearing Transcript”) at 9:15-17. The Court rejects Defendants' argument because it fails to meet the Ninth Circuit's controlling standard, which requires TransUnion to “have undercut the theory or reasoning underlying [Patel] in such a way that the cases are clearly irreconcilable.” Miller v. Gammie, 335 F.3d 889, 900 (9th Cir. 2003) (en banc). This is a high bar to clear and Defendants fail to do so. See Apache Stronghold v. United States, 38 F.4th 742, 763 (9th Cir. 2022) (quotations and citations omitted) (explaining that the “clearly irreconcilable” condition “is a high standard” and concluding that “[i]f, as a panel, we can apply our precedent consistently with that of the higher authority, we must do so”).
ii. Harm to Mobile Devices
Defendants argue that Plaintiffs' claim of “unspecified depletion of mobile resources is insufficient to support standing.” Naver Mot. at 7 (citations omitted). Plaintiffs respond that “battery depletion . . . is economic harm that confers Article III standing.” Naver Opp. At 13. Defendants have the better argument.
In analyzing this issue, district courts within this circuit have distinguished between conduct that draws upon the user's cell phone battery frequently or systemically-and which is therefore more likely to reduce battery life-and infrequent or episodic cell phone use that is likely to result only in a de minimis effect on the battery. The former is enough to allege injury under the UCL: the latter is not.Holt v. Facebook, Inc., 240 F.Supp.3d 1021, 1035 (N.D. Cal. 2017). Plaintiffs do not allege facts sufficient to show that their cell phone batteries were drained “frequently or systematically.” Plaintiffs likewise make no allegations that support that Defendants' alleged actions had anything other than a de minimis effect on their data and electricity costs. Even if Plaintiffs' UCL (claim 4) and CIPA (claim 6) claims had not been dismissed based on improper group pleading, as pled they would be subject to dismissal for lack of standing, and any amended complaint should address this problem.
iii. Risk of Identity Theft and Surveillance
TransUnion held that in a suit for damages “pre-existing risk” of future harm cannot “constitute a basis for the person's injury and for damages” TransUnion, 141 S.Ct. at 2211 (2021). Plaintiffs claim that their information has been “transmitted to domains that are accessible to the Chinese government, exposing [them] to a heightened, imminent risk of misuse, fraud, identity theft, Chinese government surveillance and financial harm.” Compl. ¶ 179. Plaintiffs do not allege, however, that the information actually has been taken by the Chinese government or other entities. Defendants argue that these allegations of possible future injury and risk of harm fail as a matter of law. Naver Mot. 7-8. The Court finds that Plaintiffs' allegations amount to no more than a conjectural and hypothetical risk of access or misuse, which is not sufficient under TransUnion. See Krottner v. Starbucks Corp., 628 F.3d 1139, 1143 (9th Cir. 2010) (finding standing to sue where a laptop with sensitive employee data was stolen thereby creating an increased risk of identity theft but explaining that had the allegations been “more conjectural or hypothetical-for example, if no laptop had been stolen, and Plaintiffs had sued based on the risk that it would be stolen at some point in the future-we would find the threat far less credible”). Even if Plaintiffs' negligence claim (claim 1) had not been dismissed based on improper group pleading, as pled it would be subject to dismissal for lack of standing, and any amended complaint should address this problem.
iv. Diminution of Value
Plaintiffs claim a “diminution of the value of their private and personally-identifiable information” as part of the basis for their FAL claim (claim 5). Compl. ¶ 224. Defendants argue that Plaintiffs “do not allege they actually wanted or attempted to sell, or in fact sold, their information on any sort of market as required to plead this kind of injury.” Naver Mot. at 8. Plaintiffs respond that “deprivation of a property interest in one's personal information” is “sufficient economic injury.” Naver Opp. at 13. Courts in this District have held that to proceed on an economic injury theory, data privacy plaintiffs must allege the existence of a market for their data and the impairment of the ability to participate in that market. See, e.g., Bass v. Facebook, Inc., 394 F.Supp.3d 1024, 1040 (N.D. Cal. 2019) (“It is not enough to merely say the information was taken and therefore it has lost value ....That the information has external value, but no economic value to plaintiff, cannot serve to establish that plaintiff has personally lost money or property.”). Even if Plaintiffs' FAL claim (claim 5) had not been dismissed based on improper group pleading, as pled it would be subject to dismissal for lack of standing, and any amended complaint should address this problem.
v. CFAA
Defendants argue that Plaintiffs' CFAA claim “must also be dismissed for lack of standing, because Plaintiffs do not allege any damage or loss to support their claim, as required by the statute.” Naver Mot. at 8. The statute provides that “Any person who suffers damage or loss by reason of a violation of this section may maintain a civil action against the violator to obtain compensatory damages and injunctive relief or other equitable relief.” 18 U.S.C. § 1030(g). It is not clear to the Court whether Plaintiffs disagree with Defendants' position because the Court was unable to follow their purported cross-reference. Even if Plaintiffs' CFAA claim (claim 8) had not been dismissed based on improper group pleading, as pled it would be subject to dismissal for lack of standing, and any amended complaint should address this problem.
At several points in the briefing, the parties cross-referenced and incorporated by reference arguments made in other briefs in the case. This is improper and at times made it exceedingly difficult to identify which arguments the parties were making or refuting. The parties are directed not to do this in future filings: all arguments should be addressed on the merits, in self-contained sections of the briefs, without cross-referencing.
vi. Traceability
In addition to pleading an injury-in-fact, Plaintiffs must show that the injury “is fairly traceable to the challenged conduct of the defendant.” Spokeo, 578 U.S. at 338. The Naver Defendants argue that, in the context of the CIPA and ECPA claims, Plaintiffs have failed to allege that Defendants 1) “engaged in any ‘conduct' that could have brought about harm,” and that 2) Plaintiffs' allegations are insufficient to show a “causal connection” between any alleged conduct and injury or that any alleged injury is fairly traceable to the alleged conduct of the Naver Defendants. Naver Mot. at 10-11. In light of its earlier finding that it lacks jurisdiction over Naver and Naver Cloud, the Court will only analyze the traceability of the claims as to Naver Cloud America, Snow Corp, and Snow Inc. Plaintiffs allege that Naver Cloud America 1) supported the operation of the apps, 2) support the “Information Technology infrastructure for the Naver Defendants,” and 3) serve as the Internet Service Provider (ISP) for “and use their own devices to host domains that are directly involved in the mishandling of U.S. user data.” Compl. ¶ 25, Naver Opp. at 14. Plaintiffs allege that Snow Corp. and Snow Inc. directly operate the B12 app, which “unlawfully collects users' face geometry scans.” Compl. ¶¶ 3, 26, 27; see also Naver Opp. at 14.
Plaintiffs miss the point. The root of the Naver Defendants' argument is that the CIPA and ECPA claims are based on messaging interception tied to the LINE Messenger app. Plaintiffs' allegations regarding the Naver Defendants' control or support of the B612 app are irrelevant in this context. In the CIPA and ECPA claims, Plaintiffs do not identify conduct on the part of Snow Corp. or Snow Inc. that is fairly traceable to any injuries Plaintiffs may have suffered under CIPA and ECPA. Even if Plaintiffs' CIPA (claim 6) and ECPA (claim 7) claims had not been dismissed based on improper group pleading, as pled against Snow Corp. and Snow Inc. they would be subject to dismissal for lack of standing, and any amended complaint should address this problem.
As to Naver Cloud America, in the context of the CIPA and ECPA claims, Plaintiffs only allege that it is one of the ISPs for a particular domain. Compl. ¶ 230. Plaintiffs allege that “Defendants use devices linked to [this domain] to intercept videos contained in . . . chat messages.” Id. This allegation of passive conduct is not sufficient for this Court to determine that Plaintiffs' alleged injuries are “fairly traceable to the challenged conduct of the defendant.” Spokeo, 578 U.S. at 338. Even if Plaintiffs' CIPA (claim 6) and ECPA (claim 7) claims had not been dismissed based on improper group pleading, as pled against Naver Cloud America they would be subject to dismissal for lack of standing, and any amended complaint should address this problem.
For purposes of ruling on this issue, the Court assumes that Plaintiffs made a typo in writing out the domain names and that “obs-us.line-apps.com” (the domain to which Defendants allegedly link devices to intercept messages) is the same as “ovs-us.line-apps.com” (the domain for which Naver Cloud America is allegedly an ISP).
D. Failure to State a Claim
i. Intrusion Upon Seclusion / California Constitutional Privacy Claim
When both intrusion upon seclusion and invasion of privacy claims are present, courts conduct a combined inquiry that considers (1) the nature of any intrusion upon reasonable expectations of privacy, and (2) the offensiveness or seriousness of the intrusion. Facebook., 956 F.3d at 601.
a. Facial Biometric Information
The Naver Defendants argue that Plaintiffs' intrusion upon seclusion and California Constitutional Privacy claims (claims 2 and 3) should be dismissed because “Plaintiffs had no reasonable expectation of privacy in their facial image when using a selfie app to modify their image.” Naver Mot. at 18. LINE E-A argues that claims 2 and 3 should be dismissed because Plaintiffs “do not allege a reasonable expectation of privacy in a legally protected privacy interest.” LINE E-A Mot. at 8. Plaintiffs have alleged that both the LINE and Naver defendants have taken users' “face geometry” information. Compl. ¶¶ 65. As explained above, in Patel the Ninth Circuit recognized a cognizable privacy interest in one's facial biometric information, even in photos that have been uploaded to a photo-sharing site. See Patel, 932 F.3d at 1267, 1275. Analogizing from Patel, this Court finds that Plaintiffs have plausibly alleged a cognizable privacy interest in their facial biometric information.
b. User Information, Videos, URLs, and Keywords
LINE E-A also claims that the data allegedly collected by the LINE Defendants is not the type of “sensitive and confidential information necessary to state a claim for invasion of privacy.” LINE E-A Mot. at 8-9 (quotations omitted). Plaintiffs argue that the claims at issue here are similar to the claims Plaintiffs made in In re Facebook, Inc. Internet Tracking Litig., where the Ninth Circuit determined that the Plaintiffs had a reasonable expectation of privacy in URLs that “could emanate from search terms inputted into a third-party search engine” and which “could divulge a user's personal interests, queries, and habits on third-party websites operating outside of [the defendant]'s platform.” 956 F.3d at 603; see also LINE Opp. at 38. Putting aside the allegations about face geometry scans addressed above, the Court finds that the claims made here are more analogous to those in In re Zynga Privacy Litigation, 750 F.3d 1098 (9th Cir. 2014). As the Facebook court explained, in Zynga, the tracked URLs “revealed only that a . . . user had clicked on a link to a gaming website” and users “clicked on links to the gaming websites after they had logged into their . . . user accounts” causing the linked material to appear within the defendant's interface. 956 F.3d at 605 (emphasis in original). Here, Plaintiffs allege that LINE Messenger “tracks videos watched, created, liked, and/or commented on by users” . . . “when a LINE Messenger user is operating within the LINE messenger timeline feature . . .” Compl. ¶ 100. These allegations are not sufficient to state a claim for intrusion upon seclusion or invasion of privacy. Cf. Zynga, 750 F.3d at 1108-09 (“[T]he referer header information at issue here includes only basic identification and address information, not a search term or similar communication made by the user, and therefore does not constitute the contents of a communication.”).
ii. CIPA/ECPA
To establish a claim under CIPA, Plaintiffs must show that Defendants “maliciously and without the consent of all parties to the communication, intercept[ed], receive[d], or assist[ed] in intercepting or receiving a communication transmitted between” cellular devices. Cal. Penal Code § 632.5(a). Plaintiffs have not alleged maliciousness, failing to state a claim under the section.
Plaintiffs then claim that their citation to Section 632.5(a) was a “mere scrivener's error” and that they intended to cite Section 632.7(a), which does not require maliciousness. LINE E-A Opp. at 47-48, n.22. Section 632.7(a) requires Plaintiffs to allege that Defendants “without the consent of all parties to a communication, intercept[ed] or receive[d] and intentionally record[ed], or assist[ed] in the interception or reception and intentional recordation of, a communication transmitted between two” devices. Cal. Penal Code § 632.7(a). As Defendants point out, Section 632.7(a) may not require maliciousness but it does require that Defendants recorded (or assisted in recording) the communications. Even if Plaintiffs' CIPA (claim 6) had not been dismissed based on improper group pleading, as pled it would be subject to dismissal for failure state a claim (as it did not allege recording), and any amended complaint should address this problem.
Under the ECPA sections cited by Plaintiffs, they must show: (1) the intentional interception of wire, oral, or electronic communications; or (2) the intentional disclosure of the contents of any intercepted wire, oral, or electronic communication. 18 U.S.C. § 2511(1)(a), (c). Defendants argue that the interception alleged in the complaint is, in fact, the process of a communication app transmitting communications from the originating device to the recipient device. See LINE E-A Mot. at 17. The Court finds that a determination of whether the Defendants actions are covered under the “ordinary course of business exception” to the Wire Tapping Act requires factual determinations that are not appropriate at this stage.
iii. CFAA
Plaintiffs allege that Defendants violated Section 1030(a)(2)(C) which allows punishment of a Defendant who “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains . . . information from any protected computer.” 18 U.S.C. § 1030. Defendants claim that “data collection and device hacking are distinct” and that “only the latter is at issue in a CFAA claim.” LINE Reply at 28. The Court agrees. See hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180, 1196 (9th Cir. 2022) (“The CFAA was enacted to prevent intentional intrusion onto someone else's computer-specifically, computer hacking.”); cf. United States v. Nosal, 676 F.3d 854, 857 (9th Cir. 2012) (declining to accept an interpretation that “would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute”). Even if Plaintiffs' CFAA (claim 8) had not been dismissed based on improper group pleading, as pled it would be subject to dismissal for failure state a claim, and any amended complaint should address this problem.
In the LINE E-A Opposition, Plaintiffs claim that Defendants violated Sections 1030(a)(5)(A) and 1030(a)(5)(C). LINE E-A Opp. at 48. The Court does not evaluate whether Plaintiffs' claims are sufficient under these sections because they are not the basis for the cause of action that Plaintiffs actually pled in the Complaint.
The Court need not address Plaintiffs' BIPA claim, but notes that at least some courts interpreting Illinois law have held that the alleged conduct needs to have taken place in Illinois. See Neals v. PAR Tech. Corp., 419 F.Supp.3d 1088, 1091 (N.D. Ill. 2019); cf. Avery v. State Farm Mutual Automobile Insurance Co., 216 Ill.2d 100, 186-187 (2005). Plaintiffs should carefully assess and meet BIPA's pleading requirements in any amended complaint, and the parties should be prepared to brief this issue in any subsequent pleading litigation.
IV. CONCLUSION
Accordingly, the Court GRANTS the motions to dismiss WITH LEAVE TO AMEND. Plaintiffs shall file any amended complaint no later than 28 days from the date of this order.
IT IS SO ORDERED.