rejecting breach of contract as a separate basis for injury in fact because nominal damages are not available in California and plaintiffs did not allege any other injury resulting from breachSummary of this case from In re Facebook Privacy Litigation
Case No. C-12-01382-PSG
ORDER GRANTING MOTION TO
(Re: Docket No. 53, 57, 59)
See Docket No. 45.
Unless otherwise noted, the following allegations are taken from the amended consolidated complaint, see Docket No. 50. For the reasons stated in the court's previous order, the court grants Google's request for judicial notice of the same documents. See Docket No. 45.
By now, most people know who Google is and what Google does. Google serves billions of online users in this country and around the world. What started as simply a search engine has expanded to many other products such as YouTube and Gmail. Google offers these products and most others without charge. With little or no revenue from its users, Google still manages to turn a healthy profit by selling advertisements within its products that rely in substantial part on users' personal identification information ("PII"). As some before have observed, in this model, the users are the real product.
Before March 1, 2012, Google maintained separate privacy policies for each of its products, each of which confirmed that Google used a user's PII to provide that particular product. These policies also confirmed that Google would not use the PII for any other purpose without the user's explicit consent. As Google put it, "[w]hen you sign up for a particular service that requires registration, we ask you to provide personal information. If we use this information in a manner different than the purpose for which it was collected, then we will ask for your consent prior to such use."
For example, in a legal notice issued to Gmail users in 2011, Google stated, "We will not use any of your content [defined to include "text, data, information, images, photographs, music, sound, video, or other material."] for any purpose except to provide you with the service." Docket No. 50 ¶ 84. Google has also pledged that "Gmail stores processes, and maintains your messages, contact lists, and other data related to your account in order to provide the service to you." Id. ¶ 85.
Id. ¶ 83.
• first and last name;
• home or other physical address (including street name and city);
• current, physical location, a user's email address, and other online contact information (such as the identifier or screen name);
• IP address;
• telephone number (both home and mobile numbers);
• list of contacts;
• search history from Google's search engine;
• web surfing history from cookies placed on the computer; and
• posts on Google+.
Id. ¶ 7.
Plaintiffs contend that Google's new policy violates its prior policies because the new policy no longer allows users to keep information gathered from one Google product separate from information gathered from other Google products. Plaintiffs further contend that Google's new policy violates users' privacy rights by allowing Google to take information from a user's Gmail account, for which users may have one expectation of privacy, for use in a different context, such as to personalize Google search engine results, or to personalize advertisements shown while a user is surfing the internet, products for which a user may have an entirely different expectation of privacy. In addition to commingling Plaintiffs' PII across the various Google products, Plaintiff contend Google has shared Plaintiffs' PII with third-party entities who have partnered with Google in order to develop applications for the Google Play app store to help it place targeted advertisements.
See id., ¶¶ 4, 10, 22, 58, 120, 133, 183, 346.
Plaintiffs bring this nationwide class action against Google on behalf of all persons and entities in the United States who acquired a Google account between August 19, 2004, and February 29, 2012, and maintained such an account until, on, or after March 1, 2012. Plaintiffs also bring this action on behalf of a subclass of persons and entities in the United States who acquired a device powered by Android between August 19, 2004 and February 29, 2012, continued to own that device on or after March 1, 2012, and switched to a non-Android device on or after March 1, 2012 (the "Android Device Switch Subclass"). Plaintiffs also seek to represent a second subclass of persons and entities in the U.S. who acquired a device powered by Android between August 19, 2004 and the present, and downloaded at least one Android application through Google Play (the "Android App Disclosure Subclass").
See id. 50, ¶¶ 36-37.
Plaintiffs allege that they each acquired a Gmail account before the March 1, 2012 announcement of the new policy and continued to use it after the new policy took effect. They each further allege they purchased an Android phone before March 1 and that after implementing the new policy Google aggregated their personal information without consent or compensation. Mr. Marti further alleges Google used his likeness in display advertisements without authorization. Mr. Nisenbaum further alleges that after March 1, for privacy reasons, he replaced his Android phone for privacy reasons with an iPhone. The other plaintiffs allege use of various Android-powered phones and that they downloaded various Android Applications ("apps") from the Google Play store. Based on these allegations, Plaintiffs bring claims against Google for statutory and common law misappropriation of likeness, violation of California's Unfair Competition Law ("UCL"), breach of contract, common law intrusion upon seclusion, violation of California's User Legal Remedies Act ("CLRA"), violation of the Wiretap Act, and violation of the Stored Communications Act ("SCA").
II. LEGAL STANDARDS
To satisfy Article III, a plaintiff "must show that (1) it has suffered an 'injury in fact' that is (a) concrete and particularized and (b) actual or imminent, not conjectural or hypothetical; (2) the injury is fairly traceable to the challenged action of the defendant; and (3) it is likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision." A suit brought by a plaintiff without Article III standing is not a "case or controversy," and an Article III court therefore lacks subject matter jurisdiction over the suit. In that event, the suit should be dismissed under Fed. R. Civ. Pro. 12(b)(1). The injury required by Article III may exist by virtue of "statutes creating legal rights, the invasion of which creates standing." In such cases, the "standing question . . . is whether the constitutional or standing provision on which the claim rests properly can be understood as granting persons in the plaintiff s position a right to judicial relief." At all times the threshold question of standing "is distinct from the merits of [a] claim" and does not require "analysis of the merits." The Supreme Court also has instructed that the "standing inquiry requires careful judicial examination of a complaint's allegations to ascertain whether the particular plaintiff is entitled to an adjudication of the particular claims asserted."
See Friends of the Earth, Inc. v. Laidlaw Envtl. Sys. (TOC), Inc., 528 U.S. 167, 180-181 (2000).
See id. (quoting Warth, 422 U.S. at 500).
Maya v. Centex Corp., 658 F.3d 1060, 1068 (9th Cir. 2011).
DaimlerChrysler, 547 U.S. at 352 (quoting Allen v. Wright, 468 U.S. 737, 752 (1984)); see Chandler v. State Farm Mut. Auto. Ins. Co., 598 F. 3d 1115, 1121-22 (9th Cir. 2010).
A complaint must state a "short plain statement of the claim showing that the pleader is entitled to relief." While "detailed factual allegations" are not required, a complaint must include more than an unadorned, the defendant-unlawfully-harmed-me accusation." In other words, a complaint must have sufficient factual allegations to "state a claim to relief that is plausible on its face." A claim is facially plausible "when the pleaded factual content allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Accordingly, under Fed. R. Civ. P. 12(b)(6), which tests the legal sufficiency of the claims alleged in the complaint, "[d]ismissal can be based on the lack of cognizable legal theory or the absence of sufficient facts alleged under a cognizable legal theory."
Ashcroft v. Iqbal, 129 S.Ct. 1937, 1949 (2009).
Id. at 1940 (quoting Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 570 (2007)).
Balistreri v. Pacifica Police Dep't., 901 F.2d 696, 699 (9th Cir. 1990).
When evaluating a Rule 12(b)(6) motion, the court must accept all material allegations in the complaint as true and construe them in the light most favorable to the non-moving party. Review of a motion to dismiss is limited to the face of the complaint, materials incorporated into the complaint by reference, and matters of which the court may take judicial notice. The court is not required to accept "legal conclusions cast in the form of factual allegations if those conclusions cannot reasonably be drawn from the facts alleged." Further, the court need not accept as true allegations that contradict matters that are either subject to judicial notice or attached as exhibits to the complaint.
See Metzler Inv. GMBH v. Corinthian Colls., Inc., 540 F.3d 1049, 1061 (9th Cir. 2008).
See id. at 1061.
Clegg v. Cult Awareness Network, 18 F.3d 752, 754-55 (9th Cir. 1994).
See In re Gilead Sciences Securities Litigation, 536 F.3d 1049, 1055 (9th Cir. 2008).
Claims sounding in fraud or mistake must comply with the heightened pleading requirements of Fed. R. Civ. P. 9(b) by pleading with particularity the circumstances surrounding the fraud or mistake. Rule 9(b) applies to the state claims at issue here as they involve allegations that users were misled. The allegations must be "specific enough to give defendants notice of the particular misconduct which is alleged to constitute the fraud charged so that they can defend against the charge." This includes "the who, what, when, where, and how of the misconduct charged."
Semegen v. Weidner, 780 F.2d 727, 731 (9th Cir. 1985).
Vess v. Ciba-Geigy Corp. USA, 317 F.3d 1097, 1106 (9th Cir. 2003).
"Dismissal with prejudice and without leave to amend is not appropriate unless it is clear that the complaint could not be saved by amendment." A dismissal with prejudice, except one for lack of jurisdiction, improper venue, or failure to join a party operates as an adjudication on the merits. Dismissal without leave to amend, however, may be granted for reasons of undue delay, bad faith, repeated failure to cure deficiencies by previous amendments, futility of the amendment, and prejudice.
Eminence Capital, LLC. v. Aspeon, Inc., 316 F.3d 1048, 1052 (9th Cir. 2003).
A. Article III Standing
Once again, the issues of standing and in particular injury-in-fact are front-and-center in Google's Rule 12 challenge to the operative complaint. And so once again, standing is where the court begins. Before considering the standing question, however, the court cannot help but make a few observations. First, despite generating little or no discussion in most other cases, the issue of injury-in-fact has become standard fare in cases involving data privacy. In fact, the court is hard-pressed to find even one recent data privacy case, at least in this district, in which injury-in-fact has not been challenged. Second, in this district's recent case law on data privacy claims, injury-in-fact has proven to be a significant barrier to entry. And so even though injury-in-fact may not generally be Mount Everest, as then-Judge Alito observed, in data privacy cases in the Northern District of California, the doctrine might still reasonably be described as Kilimanjaro.
See White v. Lee, 227 F.3d 1214, 1242 (9th Cir. 2000) ("A challenge to standing under Article III 'pertain[s] to a federal court's subject matter jurisdiction' and is therefore 'properly raised in a motion under Federal Rule of Civil Procedure 12(b)(1).'").
See, e.g., In re iPhone Application Litig., Case No. 5:11-md-02250-LHK, 2013 WL 6212591 (N.D. Cal. Nov. 25, 2013); Pirozzi v. Apple Inc., 913 F. Supp. 2d 840, 847 (N.D. Cal. 2012).
See Danvers Motor Co., Inc. v. Ford Motor Co., 432 F.3d 286, 294 (3d Cir. 2005).
In any event, this time around, Plaintiffs aim to establish their standing with six theories of injury that can fairly be grouped into three categories: (1) commingling of Plaintiffs' PII, (2) direct economic injury, and (3) violations of statutorily created rights. The court considers each category in turn.
See Docket No. 57 at 4-9; Docket No. 50 ¶ 129-135.
1. Personal Identification Information
Plaintiffs claim that when Google combined information that Plaintiffs provided to discrete Google products, without Plaintiffs' consent, Google injured them in two different ways. First, Google did not compensate them for the substantial economic value of the combined information. Second, Google's unauthorized co,mingling of their information, especially their likeness, was a breach of contract. Neither alleged harm, however, is sufficient to establish an injury-in-fact.
See Docket No. 50 ¶¶ 132, 169-178.
In 2011, Google's revenues were $37.91 billion, approximately 95% of which ($36.53 billion) came from advertising. In 2012, Google's revenues increased to $46.04 billion, approximately 95% of which ($43.69 billion) came from advertising. See Docket No. 50 ¶ 3.
As the court previously explained, injury-in-fact in this context requires more than an allegation that a defendant profited from a plaintiff's personal identification information. Rather, a plaintiff must allege how the defendant's use of the information deprived the plaintiff of the information's economic value. Put another way, a plaintiff must do more than point to the dollars in a defendant's pocket; he must sufficient allege that in the process he lost dollars of his own. Plaintiffs' allegations certainly plead that Google made money using information about them for which they were provided no compensation beyond free access to Google's services. But an allegation that Google profited is not enough equivalent to an allegation that such profiteering deprived Plaintiffs' of economic value from that same information.
See Docket No. 45 at 9-10 (citing In re iPhone Application Litig., Case No. 5:11-md-02250-LHK, 2011 WL 4403963 (N.D. Cal. Sept. 20. 2011), Low v. LinkedIn Corp., Case No. 5:11-CV-01468-LHK, 2011 WL 5509848 (N.D. Cal. Nov. 11, 2011), and LaCourt v. Specific Media, Inc., Case No. SACV 10-1256-GW (JCGX), 2011 WL 1661532 (C.D. Cal. Apr. 28, 2011)).
See generally, Del Vecchio v. Amazon.com Inc., Case No. 5:11-cv-0366-RSL, 2011 WL 6325910, *3 (W.D. Wash. Dec. 1, 2011) ("While it may be theoretically possible that Plaintiffs' information could lose value as a result of its collection and use by Defendant, Plaintiffs do not plead any facts from which the Court can reasonably infer that such devaluation occurred in this case.").
As before, the court finds the reasoning in LaCourt v. Specific Media instructive. There the plaintiffs alleged that the defendant installed cookies to track users' internet browsing to build behavior profiles to better target advertisements. The court found the tracked users lacked standing because, among other reasons, they did not "explain how they were 'deprived' of the economic value of their personal information simply because their unspecified personal information was purportedly collected by a third party." Other courts have agreed.
See Specific Media, Inc., 2011 WL 1661532, *4-5.
Id. at *5.
See, e.g., Low v. LinkedIn Corp., 2011 WL 5509848 at *4-5; Goodman, 2012 WL 2412070 at *7.
Addressing a set of facts similar to the present case, in In re Google Android User Privacy Litig., the court found no Article III standing where plaintiffs alleged that Google's unauthorized use of PII reduced its value to them because the plaintiffs failed to tie Google's use to their alleged loss, such as being foreclosed from capitalizing on its value. Here, Plaintiffs similarly have not alleged how Google's use of PII in any way deprives them of the ability to profit from the same information.
See In re Google Android User Privacy Litig., Case No. 5:11-md-02264-JSW, 2013 WL 1283236, at *2, 4 ("Plaintiffs also do not allege they attempted to sell their personal information, that they would do so in the future, or that they were foreclosed from entering into a value for value transaction relating to their PII, as a result of the Google Defendants' conduct.").
Plaintiffs rely on Goodman v. HTC to support their argument that Google's commingling of information did inflict an injury-in-fact sufficient for standing. However, in Goodman, the court held that "misappropriation of personally identifiable information does not allege injury in fact, absent a separate statutory or constitutional right." The court thus explicitly rejected Article III standing under the theory Plaintiffs urge here. The court separately addresses the statutory theory below.
See Docket No. 57 at 8.
Goodman, 2012 WL 2412070, at *5 (emphasis added).
See id. at *7-8.
Finally, although Plaintiffs assert that the breach of contract arising from Google's unauthorized commingling activities offers a separate basis for injury-in-fact, they still fail to articulate a sufficient contract injury. Nominal damages are not available in California for breach of contract, and the amended complaint does not allege any other injury based on the breach. In their opposition, Plaintiffs assert that "one of the most egregious ways in which Google breaches its contracts ... is by misusing Plaintiffs' information to misappropriate their likeness." But even if this point in opposition were presented in the complaint itself, which it is not, Plaintiffs still cite no case law holding that a contract breach by itself constitutes an injury in fact. This is insufficient.
See Docket No. 57 at 8.
2. Direct Economic Injuries
The court next considers whether Plaintiffs have alleged direct economic injuries sufficient to establish injury-in-fact. As the Supreme Court has noted, "palpable economic injuries have long been recognized as sufficient to lay the basis for standing." Plaintiffs each allege that they were injured when their Android devices sent their respective names, email addresses, and locations to the developer of each app they purchased or downloaded because they had to pay for the battery and bandwidth consumed by the unauthorized transmissions. Mr. Nisenbaum, representing the Android Device Switch Subclass, claims further injury in that he overpaid for his Android phone in 2010 because he would not have bought the phone had Google disclosed its intention to use his information as alleged in the complaint. Mr. Nisenbaum also claims that he replaced his Android phone with an iPhone in 2012 as a result of Google's policy change, causing him further economic injury.
Sierra Club v. Morton, 405 U.S. 727, 733 (1972).
See Docket No. 50 ¶¶ 131, 156-168.
See id. ¶¶ 130, 146-155.
The Court will consider each of these direct economic injury theories in turn to determine if they articulate "something more" than pure economic harm to support subject-matter jurisdiction under Rule 12(b)(1).
See In re LinkedIn User Privacy Litig., 932 F. Supp. 2d 1089, 1094 (N.D. Cal. 2013).
With respect to Plaintiffs' injury claims based on battery and bandwidth consumption, courts have found that the unauthorized use of system resources can suffice to establish a cognizable injury. For example, in Goodman, the court found standing based upon battery discharge where the application at issue sent fine location data every three hours or whenever the device's screen was refreshed. Similarly, in In re iPhone Application Litigation, the court found standing where the device systematically collected and transmitted location information. In In re Google Android User Privacy Litigation, the plaintiffs did not clearly allege how frequently Google collected geolocation data from a phone, but did allege that collecting relocation data was particularly battery intensive, that "their batteries discharged more quickly[,] and that their services were interrupted." This latter allegation was deemed sufficient to establish standing. At the same time, in Hernandez v. Path, Inc., the court found that any harm from the use of phone resources in an app's uploading a user's address book a single time upon first running the app was de minimis and thus insufficient to establish injury.
Goodman, 2012 WL 2412070.
In re iPhone Application Litigation, 844 F. Supp. 2d 1040, 1054-56 (N.D. Cal. 2012) ("iPhone I").
In re Google Android User Privacy Litig., 11-MD-02264 JSW, 2013 WL 1283236, at *2, 4 (N.D. Cal. Mar. 26, 2013) ("Android").
See Hernandez v. Path, Inc., Case No. 12-CV-01515 YGR, 2012 WL 5194120 (N.D. Cal. Oct. 19, 2012) (depletion of two to three seconds of battery capacity is de minimis); Caldwell v. Caldwell, 545 F.3d 1126, 1134 (9th Cir. 2008) (concurrence) (de minimis injury does not support standing). See Hernandez, 2012 WL 5194120, *1, 2, n.2 (N.D. Cal. Oct. 19, 2012).
Plaintiffs' allegations here are closer to Goodman, iPhone I and Android than Hernandez. Like Hernandez, Plaintiffs' alleged unauthorized battery consumption only happened infrequently, when a plaintiff first downloaded an app. But in Hernandez the allegedly unauthorized upload only happened once, when a plaintiff downloaded the Path app. Here, it happens each time a user downloads any app. The plaintiff who downloaded the most apps, according to the amended complaint, did so at least 27 times. In addition, like the plaintiffs in Goodman and Android, Plaintiffs here specifically allege a greater discharge of battery power as a result of unauthorized conduct and as in iPhone I the discharge is systemic rather than episodic. This is sufficient to establish more than a de minimis injury.
See Docket No. 60 ¶ 163.
With respect to Mr. Nisenbaum's further allegations of injury, they, too, support standing for purposes of Article III.
First, the allegation that Mr. Nisenbaum bought a new phone after the policy change and that his motivation for choosing an iPhone over the Android device was substantially for privacy reasons, establishes that he was injured by making the purchase. To be sure, users frequently replace old phones for all kinds of reasons beyond privacy. For example, from the complaint, it appears Mr. Nisenbaum had his Android device for approximately two years, the length of most phone contracts that often include a discount for bundled phones, before purchasing a new phone. But Mr. Nisenbaum specifically alleges that but for the policy switch he would not have otherwise have bought a new phone. The alleged injury is fairly traceable to Google based on Mr. Nisenbaum's allegation that he relied on Google's previous policies in purchasing the Android phone in the first place.
See id. at ¶ 130.
See Docket No. 50 ¶ 19 ("Nisenbaum owned and used an Android device before and after March 1, 2012, but subsequently ceased using the device and acquired and Apple device in its place in substantial part because of Google's invasive practices.").
See id. ¶¶ 19, 150-51.
Second, Mr. Nisembaum's allegations regarding overpayment establish injury. In Pirozzi v. Apple, the court explained that Article III standing under an overpayment theory may be supported by "allegations [by plaintiffs] that, when they purchased their  devices, they relied upon representations regarding privacy protection, which caused them to pay more than they would have for their devices." Similarly, in Goodman, the court found standing for overpayment of a smartphone where plaintiffs alleged they would have "paid less for the phones had [d]efendant's not misrepresented the relevant features." The court held that a "general averment of quality, alleged to be false, was sufficient to constitute an alleged injury in the form of overpayment." The allegations here are equally sufficient.
See, e.g., Pirozzi v. Apple Inc., 913 F. Supp. 2d 840, 846-47 (N.D. Cal. 2012) ("Overpaying for goods or purchasing goods a person otherwise would not have purchased based upon alleged misrepresentations by the manufacturer would satisfy the injury-in-fact and causation requirements for Article III standing.").
Goodman, 2012 WL 2412070, at *5.
Id. at *6.
Google highlights that Mr. Nisenbaum has not alleged that he bought his phone from Google or that Google manufactured the phone. But the complaint is clear that Mr. Nisenbaum's phone ran on Android, Google's open-source operating system, and that in order to access the Google Play marketplace included in Android, Mr. Nisenbaum had to create a Google account. Under such circumstances, the alleged harm of overpayment to a third party is fairly traceable to Google.
See Maya v. Centex Corp., 658 F.3d 1060, 1073 (9th Cir. 2011).
3. Violation of Statutory Rights
The final category of Plaintiffs' injury-in-fact theories concerns statutory rights. The Ninth Circuit has made it clear that Article III standing can also be established by virtue of "statutes creating legal rights, the invasion of which creates standing." Courts have found that both state and federal statutes can create these legal rights. To decide if a statute created such a legal right, a court must determine whether the "standing provision on which the claim rests properly can be understood as granting persons in the plaintiff's position a right to judicial relief." Put another way, plaintiffs have standing where they have a "direct stake in the controversy." Although Article III always requires an injury, the alleged violation of a statutory right that does not otherwise require a showing of damages is an injury sufficient to establish Article III standing. For example, in a case where a credit card company failed to make required disclosures and the Truth in Lending Act created a private right of action for such failures without a showing of damages, the Ninth Circuit held that the plaintiff "suffered the loss of a statutory right to disclosure and has therefore suffered injury in fact for purposes of Article III standing." Similarly, in Edwards v. First American Corp., the Ninth Circuit held that a plaintiff had standing for a violation of the Real Estate Settlement Procedures Act even when she could not allege that she was financially harmed.
See Cantrell v. City of Long Beach, 241 F.3d 674, 684 (9th Cir. 2001) ("state law can create interests that support standing in federal courts").
Id. See also Jewel v. Nat'l Sec. Agency, 673 F.3d 902, 908 (9th Cir. 2011) (finding standing for an allegation of violation of the Stored Communication Act without other specific injury).
Goodman, 2012 WL 2412070, at *8 (quoting U.S. v. Students Challenging Regulatory Agency Procedures (SCRAP), 412 U.S. 669, 687 (1973)).
See Edwards v. First Am. Corp., 610 F.3d at 516 (finding standing for violation of the Real Estate Settlement Procedures Act even though plaintiff could not allege that she was overcharged); Jewel, 673 F.3d at 908 (finding Article III injury-in-fact for alleged violations of three surveillance statutes that each "explicitly creates a private right of action for claims of illegal surveillance" without requiring a showing of damages).
DeMando v. Morris, 206 F.3d 1300, 1303 (9th Cir. 2000).
See Edwards, 610 F.3d at 516. The case was briefed and argued before the Supreme Court, but the Court ultimately decided that the writ of certiorari was "improvidently granted" and dismissed. 132 S. Ct. 2536 (2012).
Plaintiffs have alleged unauthorized access and wrongful disclosure of communications, including disclosure to third parties. Plaintiffs also have alleged the interception of communications. Courts have recognized that such alleged violations of the Wiretap Act or the Stored Communications Act are sufficient to establish Article III injury. These statutes grant persons in Plaintiffs' position a right to relief and thus Plaintiffs have standing for these claims. The complaint also alleges that Mr. Marti was injured when Google used his name or likeness in connection with its function without authorization. California Civil Code Section 3344 prohibits the commercial use another's name or likeness. The statute thus creates a right of action for "persons injured as a result thereof." Where a plaintiff alleges an unauthorized commercial use of a person's name or likeness, "courts generally presume that [injury] has been established" for a Section 3344 claim. In Fraley v. Facebook, the court found standing for allegations nearly identical to Mr. Marti's . The court agrees with Fraley that Section 3344 provides a right whose alleged violation creates standing.
See Docket No. 50 ¶ 133.
See Docket No. 50 ¶ 134.
See Docket No. 50 ¶¶ 129, 136-145.
Del Amo v. Baccash, CV 07-663-PSG, 2008 WL 4414514 (C.D. Cal. Sept. 16, 2008) (citing Miller v. Collectors Universe, Inc., 159 Cal. App. 4th 988, 1005 (2008)); see also Motschenbacher v. R. J. Reynolds Tobacco Co., 498 F.2d 821, 825 (9th Cir. 1974) (suggesting that the appropriation itself may create injury, the court noted that "the appropriation of the identity of a relatively unknown person may result in economic injury or may itself create economic value in what was previously valueless.").
See Fraley v. Facebook, Inc., 830 F. Supp. 2d 785, 797 (N.D. Cal. 2011).
Google disputes any injury-in-fact from the +1 feature because Plaintiffs have not alleged an unauthorized use. However, the amended complaint states that Google did not compensate Mr. Marti for the commercial use of his personal endorsement and that he "did not authorize Google's use of that endorsement." As explained above, whatever the merits of the parties' competing views of consent, a merits analysis is not appropriate when considering standing.
See Docket No. 50 ¶ 143.
See Catholic League for Religious & Civil Rights v. City & Cnty. of San Francisco, 624 F.3d 1043, 1049 (9th Cir. 2010) ("Nor can standing analysis, which prevents a claim from being adjudicated for lack of jurisdiction, be used to disguise merits analysis, which determines whether a claim is one for which relief can be granted if factually true.").
In sum, while the Plaintiffs' allegations regarding the loss of PII is insufficient to establish the required injury-in-fact, their economic and certain statutory injuries are sufficient to support standing for each of their Plaintiffs' stated claims. The court therefore will next turn to whether these claims are those upon which relief may be granted.
See Lujan, 504 U.S. at 578 ("injury required by Art. III may exist solely by virtue of 'statutes creating legal rights, the invasion of which creates standing..'"); Jewel, 673 F.3d at 908 (finding Article III injury-in-fact for claims asserted under federal surveillance statutes because the statutes created a private right of action for failure to comply with the statutory procedures).
B. ADEQUACY OF CLAIMS
1. Wiretap Act
The Wiretap Act, as amended by the Electronic Communication Privacy Act ("ECPA"), generally prohibits the intentional interception of "wire, oral, or electronic communications." The purpose of the Wiretap Act is to protect the privacy of communications. The Wiretap Act provides a private right of action against any person who "intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication."
18 U.S.C. § 2511(1); see also Joffe v. Google, Inc., Case No. 11-7483, 2013 WL 4793247, at *3 (9th Cir. Sept. 10, 2013).
See Gelbrand v. United States, 408 U.S. 41, 48 (1972).
The Act defines "intercept" as "the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device." However, the definition of "electronic, mechanical, or other device" excludes:
Id. § 2510(4).
any telephone or telegraph instrument, equipment or facility, or any component thereof,Thus, as a provider of electronic communication services, Google is immune from claims alleging interception by a "device" based on equipment used "by a provider of wire and electronic communication service in the ordinary course of business."
(i) furnished to the subscriber or user by a provider of wire or electronic communication service in the ordinary course of its business and being used by the subscriber or user in the ordinary course of its business or furnished by such subscriber or user for connection to the facilities of such service and used in the ordinary course of its business; or
(ii) being used by a provider of wire or electronic communication service in the ordinary course of its business, or by an investigative or law enforcement officer in the ordinary course of his duties.
Id. § 2510(5)(a) .
Similarly, each Google agent enjoys broad immunity in his handling of communications "in the normal course of his employment while engaged in any activity which is a necessary incident to the rendition of his service or to the protection of the rights or property of the provider of that service." 18 U.S.C. § 2511(2)(a)(i).
The amended complaint fails to allege any interception by Google that falls outside the scope of this broad immunity. While Plaintiffs point to their allegations that Google's use of the accused devices to intercept Gmail communications and co-mingle the contents and distribute those contents without consent was not necessary to the delivery of Gmail, this narrow read of the exemption, as being limited to only action taken to deliver the electronic communication, does not square with the plain meaning of the statutory text at issue. The text exempts from the definition of "intercept" any use of a device by a provider "in the ordinary course of its business." Rather than narrowing the exemption to only the provision of electronic communications services itself, or some such narrower scope, Congress specifically chose the broader term "business" that covers more far-ranging activity. For good measure, Congress also teamed the term "business" with the terms "ordinary course," suggesting an interest in protecting a provider's customary and routine business practices.
See Docket No. 50 ¶ 185.
Courts generally defer to the results of such a textual analysis. The "first step in interpreting a statute is to determine whether the language at issue has a plain and unambiguous meaning." In so doing, the court "must begin with ... the assumption that the ordinary meaning of that language accurately express the legislative purpose." "If the statutory language is unambiguous and the statutory scheme is coherent and consistent, judicial inquiry must cease." Plaintiffs' own allegations make clear that the activities at issue here, concerning Google's core targeted advertising, is within its business' ordinary course.
Wilson v. C.I.R., 705 F.3d 980, 987-88 (9th Cir. 2013) (citation omitted).
Although the Ninth Circuit has yet to rule on the subject, other appellate courts that have agreed that the "ordinary course of business" exception is not limited to actions necessary to providing the electronic communication services ("ECS") at issue. For example, in Hall v. Earthlink, the Second Circuit relied on the "ordinary course of its business" exception to affirm the dismissal of a claim brought against an ISP where the plaintiff alleged that the ISP continued processing his emails after he terminated his account. Nothing in processing a closed account's emails facilitates was necessary to the provision of ECS, suggesting that the processing was performed for other business reasons, and still the Second Circuit held that such processing was not an "interception."
396 F.3d 500, 505 (2nd Cir. 2005).
In Kirch v. Embarq Management Co., the Tenth Circuit held that the defendant was protected by the exception when it conducted a test using third-party advertising technology and its customers' communications, because the defendant had "no more of its users' electronic communications than it had in the ordinary course of its business as an ISP." The trial court's decision affirmed by Kirch noted that the "ordinary course of its business" defense "appears to have merit, as plaintiffs have admitted that Embarq conducted the NebuAd test to further legitimate business purposes and that behavioral advertising is a widespread business and is commonplace on the Internet." Kirch thus supports the application of Section 2510(5)(a)(ii) where the provider is furthering its "legitimate business purposes"—including advertising—and is not limited to only those acts that are technically necessary to processing email.
702 F.3d 1245, 1250 (10th Cir. 2012).
Kirch, 2011 WL 3651359, at *9 n.42 (D. Kan. Aug. 19, 2011) (emphasis added).
The more fundamental problem with Plaintiffs' narrow construction of Section 2510(5)(a)(ii) is that in defining "ordinary course of business" as "necessary" it begs the question of what exactly its means for a given action to be "necessary" to the delivery of Gmail. For example, in delivering Gmail is it really "necessary" do more than just the comply with email protocols such as POP, IMAP and MAPI? What about spam-filtering or indexing? None of these activities have anything specifically to do with transmitting email. And yet not even Plaintiffs suggest that these activities are unnecessary and thus lie outside of the "ordinary course business."
Plaintiffs separately argue that the "ordinary course of business" exception cannot apply because of their allegations that Google exceeded the scope of the consent secured by their agreements with Plaintiffs. But the two cases Plaintiffs cite for this proposition, George v. Carusone and United States v. Harpel, are inapposite. Both George and Harpel addressed the surreptitious recording of telephone calls. Here, Plaintiffs claim is not that Google did anything in secret, but rather that it publicly announced a new practice in conflict with it prior representations. In fact, in a case cited by George, United States v. Sababu, the Seventh Circuit specifically held that an interception was excepted as being in the "ordinary course of business" because the practice at issue was announced to the prisoners affected.
891 F.2d 1308, 1329 (7th Cir. 1989).
The undersigned is mindful that only recently, in In re Google Inc. Gmail Litigation, this court held that the "ordinary course of business" exception applies "only where an electronic communication service provider's interception facilitates the transmission of the communication at issue or is incidental to the transmission of such communication," and only if the alleged interceptions were an instrumental part of the transmission of email." Id. But among other things, the court's thorough analysis addressed allegations that Google's practices violated its own internal policies, further establishing that its actions are outside the course of its business. In this case, Plaintiffs allege no such violation of any internal policy, rendering Plaintiffs claim insufficiently stated to overcome the hurdle that Rule 12(b)(6) imposes.
C. Stored Communications Act
"The SCA was enacted because the advent of the Internet presented a host of potential privacy breaches that the Fourth Amendment does not address." Despite this purpose, the SCA has a narrow scope: "[t]he SCA is not a catch-all statute designed to protect the privacy of stored Internet communications."
Orin S. Kerr, A User's Guide to the Stored Communications Act, and a Legislator's Guide to Amending It, 72 GEO. WASH. L. REV. 1208, 1214 (2004).
Plaintiffs claim that Google violated the SCA in two ways. First, they claim that in aggregating users' information between Google services without their consent, Google exceeded the scope of Google's authorized access in violation of 18 U.S.C. § 2701(a). This claim borders on frivolous, considering the plain language of subsection (c) of Section 2701(a) that exempts conduct authorized "by the person or entity providing a wire or electronic communications service." Whatever the propriety of Google's actions, it plainly authorized actions that it took itself.
It is an offense under 18 U.S.C. § 2701(a) to "intentionally exceed an authorization to access" a facility through which an electronic communication service is provided.
Second, Plaintiffs claim that Google shared stored communications with third parties in violation of Section 2702(a). Section 2702(a) prohibits providers of electronic communication services from "knowingly divulg[ing] to any person or entity the contents of a communication . . . ." Plaintiffs' only allegation supporting its second theory is that:
See Docket No. 57 at 21.
insofar as Google engages independent, unidentified third-party entities to process and distribute user information across its product platforms, including the contents of Plaintiffs' Gmail communications, Google intentionally discloses the contents of those communications outside of Google.But "insofar" is not a concrete allegation; it is theoretical and does not support a claim. Even if this were a concrete allegation, it is too conclusory to support a claim. Plaintiffs simply fail to state any claim under the SCA.
Docket 50 at ¶ 183.
See Bruns v. Nat'l Credit Union Admin., 122 F.3d 1251, 1257 (9th Cir. 1997).
D. Misappropriation of Likeness
California Civil Code Section 3344 prohibits the use of another's name or likeness without the person's consent. The cause of action requires a plaintiff to prove: "(1) the defendant's use of the plaintiff's identity; (2) the appropriation of plaintiff's name or likeness to defendant's advantage, commercially or otherwise; (3) lack of consent;  (4) resulting injury;" (5) "a knowing use by the defendant;" and (6) "a direct connection between the alleged use and the commercial purpose. Here, Plaintiffs fail to adequately allege lack of consent.
A statutory claim under Section 3344 requires that the plaintiff make all the allegations required for a common law misappropriation claim, and two additional allegations: "1) knowing use; and 2) a "direct connection ... between the use and the commercial purpose." Abdul-Jabbar v. Gen. Motors Corp., 85 F.3d 407, 414 (9th Cir. 1996).
See Fraley, 830 F. Supp. 2d at 805-06.
Plaintiffs in this case only make a threadbare allegation that Google did not obtain their consent to use their name or likeness in advertisements associated with its "+1" feature, and the claim is not supported by other allegations. To the contrary, the complaint alleges that Ms. Marti voluntarily clicked on the feature, that Google clearly disclosed how the feature worked as part of the feature's launch, and that the feature worked as Google said it would when Marti used it. In particular, the amended complaint quotes Google as: describing the feature as "the digital shorthand for 'this is pretty cool'" and a way "to share recommendations with the world;" explaining that to "[t]o recommend something, all you have to do is click +1 on a webpage or ad you find useful;" and giving the example of a person planning a winter trip to Tahoe, California who, when doing a search, "may now see a +1 from [his] slalom-skiing aunt next to the result for a lodge in the area."
See Docket No. 50 ¶ 248.
See Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) ("Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice.").
Docket No. 50 ¶ 107.
Id. at ¶ 108.
Without some contradictory allegations, this is a clear disclosure of how the feature worked such that the voluntary use of it constituted consent. Plaintiffs therefore have not stated any claim for statutory or common law misappropriation of likeness.
For example, Plaintiffs might have a claim if they could allege that the feature did not work as Google explained, that Google did not adequately disclose how the feature worked, a theory of how clicking on the "+1" feature did not demonstrate consent, or an allegation that his name or likeness was associated with brands, products, or websites he did not "+1."
See Iqbal, 556 U.S. at 678 ("To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to 'state a claim to relief that is plausible on its face.'").
E. Breach of Contract
"Under California law, the elements of a breach of contract claim are: (1) the existence of a contract, (2) plaintiff's performance or excuse for nonperformance, (3) defendant's breach, and (4) resulting damage to plaintiff." Here, Google does not appear to contest the first or second elements, and instead focuses on the third and fourth arguments. Google argues that it has not breached its contact with Plaintiffs because the original contract included provisions for it to make the types of very changes that Plaintiffs allege breached the contract. Plaintiffs have a different interpretation of the provisions in question and urge the court not to engage in contract interpretation at this time.
The Ninth Circuit has explicitly noted that the court need not accept as true allegations that are plainly contradicted by the documents at hand on a motion to dismiss. The policy plainly includes a provision for the commingling of PII across Google products. That provision states: "We may combine the information you submit under your account with information from other services." In light of this express provision, it is not plausible to say that Google could be considered to have breached the contract. Plaintiffs again have failed to state a claim.
See Manzarek v. St. Paul Fire & Marine Ins. Co., 519 F.3d 1025, 1031 (9th Cir. 2008).
See Docket No. 54, Ex. B, at 2.
F. California's Unfair Competition Law ("UCL")
California's UCL provides a private cause of action for users who are harmed by unfair, unlawful, or fraudulent business practices. Plaintiffs here plead their UCL claim under all three prongs. To sustain a claim under the unlawful prong, Plaintiffs must allege facts that, if proven, would demonstrate that Defendant's conduct violated another, underlying law. If the unlawful conduct is part of a uniform course of fraudulent conduct, it must meet Fed R. Civ. Pro. 9(b)'s heightened pleading standards, but if it does not, then the ordinary pleading standards will suffice. Under the fraudulent prong, Plaintiffs must allege specific facts to show that the members of the public are likely to be deceived by the actions of the defendant. The Ninth Circuit has established that this prong is subject to Fed. Rule Civ. P. 9(b)'s heightened pleading requirements. With respect to Plaintiffs' final claim under the UCL's unfair prong, "[t]he standard for determining what business acts or practices are "unfair" in user actions under the UCL is currently unsettled." Generally speaking, "[a]n unfair business practice under the UCL is "one that either offends an established public policy or is immoral, unethical, oppressive, unscrupulous, or substantially injurious to users." To determine whether a business practice is unfair, a court should consider "the impact of the practice or act on its victim, balanced against the reasons, justifications and motives of the alleged wrongdoer;" this prong of the UCL should be used to enjoin deceptive or sharp practices."
See Lozano v. AT & T Wireless Servs., Inc., 504 F.3d 718, 731 (9th Cir. 2007).
See Trazo v. Nestle USA, Inc., Case No. 5:12-CV-2272-PSG, 2013 WL 4083218, at *9 (N.D. Cal. Aug. 9, 2013).
See Finuliar v. BAC Home Loans Servicing, L.P., Case No. 3:11-cv-02629-JCS, 2011 WL 4405659 (N.D. Cal. Sept. 21, 2011) (" 'Fraudulent,' as used in the statute, does not refer to the common law tort of fraud but only requires a showing members of the public 'are likely to be deceived.'").
See Kearns v. Ford Motor Co., 567 F.3d 1120, 1125 (9th Cir. 2009).
Yanting Zhang v. Superior Court, 57 Cal.4th 364, 380 n. 9 (2013). One test holds that "an 'unfair' business practice occurs when it offends an established public policy or when the practice is immoral, unethical, oppressive, unscrupulous or substantially injurious to users." People v. Casa Blanca Convalescent Homes, Inc., 159 Cal.App.3d 509, 530 (Cal.Ct.App.1984). Another test requires that a plaintiff prove "that the defendant's "conduct is tethered to an ... underlying constitutional, statutory or regulatory provision, or that it threatens an incipient violation of an antitrust law, or violates the policy or spirit of an antitrust law." Byars v. SCME Mortgage Bankers, Inc., 109 Cal.App. 4th 1134, 1147 (Cal.Ct.App.2003). A third test requires that "(1) the user injury must be substantial; (2) the injury must not be outweighed by any countervailing benefits to users or competition; and (3) it must be an injury that users themselves could not reasonably have avoided." Drum v. San Fernando Valley Bar Ass'n, 182 Cal.App. 4th 247, 257, (Cal.Ct.App.2010).
McDonald v. Coldwell Banker, 543 F.3d 498, 506 (9th Cir.2008).
Wilson v. Hynek, 207 Cal.App. 4th 999, 1008 (Cal.Ct.App.2012).
To support their claim under the UCL's unlawful prong, Plaintiffs allege that Google's conduct violates California's Right of Publicity law, the common law principles of commercial misappropriation, the California CLRA, the Federal Wiretap Act, and the Stored Electronic Communications Act. As discussed in other sections, Plaintiffs have failed to set forth sufficient factual allegations to support these underlying charges, and without having plead any underlying unlawful conduct, Plaintiffs unlawful conduct claim under the UCL must be dismissed.
See Docket No. 50 ¶¶ 263-267.
With respect to their claim under the fraudulent prong, Plaintiffs allege that when Google collected their PII before March 1, 2012, it assured them that it would not use the information for any purpose other than delivering the service for which the users provided it. Subsequently, without seeking the consent of individual users (including Plaintiffs), Google compiled all the information it had collected about Plaintiffs from each and every one of its products, and made that information available for use in all products. But even though Plaintiffs provide details to support their allegations under Rule 9(b), as the court has already stated, the documents submitted for judicial notice undermine any notion that Google failed to disclose its data commingling practices before March 1, 2012.
See id. ¶¶ 82-85.
See Docket No. 50 ¶¶ 271-72.
G. Common Law Intrusion Upon Seclusion
In order to put forth a claim for intrusion upon seclusion, a plaintiff must plead facts to support two elements: "1) intrusion into a private place, conversation or matter, and 2) in a manner highly offensive to a reasonable person. . . . To show intrusion, a plaintiff must have 'an objectively reasonable expectation of seclusion or solitude in the place, conversation or data source,' and the defendant must have 'penetrated some zone of physical or sensory privacy surrounding, or obtained unwanted access to data about, the plaintiff.'" The California Supreme Court has clarified that in this context, "the concept of 'seclusion' is relative. The mere fact that a person [or their information] can be seen by someone does not automatically mean that he or she can legally be forced to be subject to being seen by everyone." Courts have recognized facts sufficient to support these elements in the context of repeated phone calls, eavesdropping on workplace conversations, and unauthorized review of email.
Thompson v. Chase Bank N.A., Case No. 4:09-cv-2153-DMS, 2010 WL 1329061 (S.D. Cal. Mar. 30, 2010) (citing Shulman v. Group W Productions, 18 Cal.4th 200, 232 (1998)).
Joseph v. J.J. Mac Intyre Companies, L.L.C., 281 F. Supp. 2d 1156, 1165 (N.D. Cal. 2003).
See Panahiasl v. Gurney, Case No. 5:04-04479-JF, 2007 WL 738642 (N.D. Cal. Mar. 8, 2007).
See Sanders v. Am. Broad. Companies, Inc., 20 Cal. 4th 907, 916 (1999).
See Yee v. Lin, Case No. 5:12-cv-02474 -WHA, 2012 WL 4343778 (N.D. Cal. Sept. 20, 2012).
Plaintiffs here allege that Google's PII commingling intruded upon their email, contact lists, web histories, and other secluded and private spaces. According to Plaintiffs, this expectation was reasonable in light of the previous privacy policies, which assured Plaintiffs of the isolated use of their data. But once again, the court does not find any expectation to be plausible in light of Google's earlier disclosure that it would commingle PII across products to support its advertising model. Without a plausible expectation, Plaintiffs seclusion on intrusion claim cannot stand.
H. California's User Legal Remedies Act ("CLRA")
Plaintiffs' sixth cause of action seeks recovery under Sections (a) (9), (14), and (16) of the CLRA, which ban advertising goods with intent not to sell them in the manner advertised, representing that a transaction conveys rights which it does not, and representing that the subject of a transaction has been conveyed in accordance with terms of a previous transaction, when it has not. In order to recover, Plaintiffs must also allege facts to establish that they relied on the misrepresentations in question, and that in so relying, they suffered damage. These allegations are subject to Rule 9(b)'s heightened pleading standards.
Marolda v. Symantec Corp., 672 F. Supp. 2d 992, 1003 (N.D. Cal. 2009).
Plaintiffs' claims are insufficiently plead because they fail to allege that Google intended to use the PII in a manner other was advertised at the time that the plaintiffs purchased the goods and registered for the services in question. Under the CLRA, the intent to deceive or misuse information must be present at the time of sale in order for a plaintiff to recover. Yet even if its commingling practices were not disclosed in 2010, Plaintiffs offer no factual allegations indicating that Google planned to change its policies as far back as 2010, such that the existing policies were aimed to deceive at the time the business relationship began. They have not put forth any allegations suggesting that Google did not intend to honor its existing privacy policies, at the time they became customers. They certainly do not provide the requisite level of detail under Rule 9(b) to support allegations of intent to deceive.
See Wilson v. Hewlett-Packard Co., 668 F.3d 1136, 1145 (9th Cir. 2012).
Google's motion to dismiss is GRANTED. Plaintiffs must file any further amended complaint by January 16, 2014. Having dismissed two complaints already, Plaintiffs are on notice that any further dismissal will likely be with prejudice.
Paul S. Grewal
United States Magistrate Judge