holding that the plaintiffs produced sufficient evidence showing they did not consent to the defendants' actionsSummary of this case from In re Google Location History Litig.
Case No. 13-cv-00453-JST
David M. Given, Nicholas A. Carlin, Brian Samuel Clayton Conlon, Conor Hughes Kennedy, Phillips Erlewine Given & Carlin LLP, Frank H. Busch, Ivo Michael Labar, James Matthew Wagstaffe, Michael John Von Loewenfeldt, Daniel Jack Veroff, Kerr & Wagstaffe LLP, San Francisco, CA, Jeffrey Scott Edwards, Edwards Law, Carl F. Schwenker, Dirk M. Jordan, Law Offices of Carl F. Schwenker, Austin, TX, James S. Notis, Jennifer Sarnelli, Gardy & Notis, LLP, Englewood Cliffs, NJ, Orin Kurtz, Gardy and Notis, LLP, New York, NY, Brian Russell Strange, Strange & Butler, John Theodore Ceglia, Strange & Carpenter, Los Angeles, CA, for Plaintiffs. Gregory J. Casas, Greenberg Traurig, LLP, Houston, TX, Jedediah Wakefield, Kathleen Lu, Tyler Griffin Newby, Fenwick & West LLP, Michael Henry Page, Durie Tangri LLP, Michael G. Rhodes, Matthew Dean Brown, Cooley LLP, Claudia Maria Vetesi, Molly A. Smolen, Morrison & Foerster LLP, Harmeet K. Dhillon, Krista Lee Baughman, Micah R. Jacobs, Rachel Kung-Lan Loh, Dhillon Law Group Inc., Jui-Ting Anna Hsia, Katherine Robison, Zwillgen Law LLP, San Francisco, CA, James G. Snell, Lauren Beth Cohen, Julie Erin Schwartz, Perkins Coie LLP, Jessica S. Ou, Gibson Dunn, Lori R. Mason, Cooley LLP, Palo Alto, CA, Timothy L. Alger, Greenberg Traurig LLP, Irvine, CA, John Randall Tyler, Ryan T. Mrazik, Perkins Coie LLP, Christopher Brian Durbin, Cooley LLP, Seattle, WA, Alan D. Albright, Gray Cary Ware & Freidenrich LLP, Peter D. Kennedy, George & Donaldson, L.L.P., Shannon W. Bangle, Beatty, Bangle, Strama P.C., Adam Hugh Sencenbaugh, Hal L. Sanders, Jr., Haynes & Boone LLP, Austin, TX, Clayton Cole James, Jessica Adler Black Livingston, Hogan Lovells US LLP, Denver, CO, Jenny Qian Shen, Electronic Arts Inc., Redwood City, CA, Maren Jessica Clouse, Robert B. Hawk, Hogan Lovells US LLP, Menlo Park, CA, Mazda Kersey Antia, Erin Elisa Goodsell, Cooley LLP, San Diego, CA, David Frank McDowell, Morrison & Foerster LLP, Shelley Gershon Hurwitz, Holland & Knight LLP, Naomi Elana Beckman-Straus, Valentine Antonavich Shalamitski, Mitchell Silberberg & Knupp LLP, Robert N. Klieger, Ellen Carol Kenney, Matthew Zachary Kaiser, Hueston Hennigan LLP, Los Angeles, CA, Judith R. Nemsick, Christopher G. Kelly, Holland & Knight LLP, Christine Lepera, Jeffrey M. Movit, Mitchell Silberberg & Knupp LLP, New York, NY, Jacob Alan Sommer, Marc J. Zwillinger, Zwillgen PLLC, Washington, DC, for Defendants.
David M. Given, Nicholas A. Carlin, Brian Samuel Clayton Conlon, Conor Hughes Kennedy, Phillips Erlewine Given & Carlin LLP, Frank H. Busch, Ivo Michael Labar, James Matthew Wagstaffe, Michael John Von Loewenfeldt, Daniel Jack Veroff, Kerr & Wagstaffe LLP, San Francisco, CA, Jeffrey Scott Edwards, Edwards Law, Carl F. Schwenker, Dirk M. Jordan, Law Offices of Carl F. Schwenker, Austin, TX, James S. Notis, Jennifer Sarnelli, Gardy & Notis, LLP, Englewood Cliffs, NJ, Orin Kurtz, Gardy and Notis, LLP, New York, NY, Brian Russell Strange, Strange & Butler, John Theodore Ceglia, Strange & Carpenter, Los Angeles, CA, for Plaintiffs.
Gregory J. Casas, Greenberg Traurig, LLP, Houston, TX, Jedediah Wakefield, Kathleen Lu, Tyler Griffin Newby, Fenwick & West LLP, Michael Henry Page, Durie Tangri LLP, Michael G. Rhodes, Matthew Dean Brown, Cooley LLP, Claudia Maria Vetesi, Molly A. Smolen, Morrison & Foerster LLP, Harmeet K. Dhillon, Krista Lee Baughman, Micah R. Jacobs, Rachel Kung-Lan Loh, Dhillon Law Group Inc., Jui-Ting Anna Hsia, Katherine Robison, Zwillgen Law LLP, San Francisco, CA, James G. Snell, Lauren Beth Cohen, Julie Erin Schwartz, Perkins Coie LLP, Jessica S. Ou, Gibson Dunn, Lori R. Mason, Cooley LLP, Palo Alto, CA, Timothy L. Alger, Greenberg Traurig LLP, Irvine, CA, John Randall Tyler, Ryan T. Mrazik, Perkins Coie LLP, Christopher Brian Durbin, Cooley LLP, Seattle, WA, Alan D. Albright, Gray Cary Ware & Freidenrich LLP, Peter D. Kennedy, George & Donaldson, L.L.P., Shannon W. Bangle, Beatty, Bangle, Strama P.C., Adam Hugh Sencenbaugh, Hal L. Sanders, Jr., Haynes & Boone LLP, Austin, TX, Clayton Cole James, Jessica Adler Black Livingston, Hogan Lovells US LLP, Denver, CO, Jenny Qian Shen, Electronic Arts Inc., Redwood City, CA, Maren Jessica Clouse, Robert B. Hawk, Hogan Lovells US LLP, Menlo Park, CA, Mazda Kersey Antia, Erin Elisa Goodsell, Cooley LLP, San Diego, CA, David Frank McDowell, Morrison & Foerster LLP, Shelley Gershon Hurwitz, Holland & Knight LLP, Naomi Elana Beckman-Straus, Valentine Antonavich Shalamitski, Mitchell Silberberg & Knupp LLP, Robert N. Klieger, Ellen Carol Kenney, Matthew Zachary Kaiser, Hueston Hennigan LLP, Los Angeles, CA, Judith R. Nemsick, Christopher G. Kelly, Holland & Knight LLP, Christine Lepera, Jeffrey M. Movit, Mitchell Silberberg & Knupp LLP, New York, NY, Jacob Alan Sommer, Marc J. Zwillinger, Zwillgen PLLC, Washington, DC, for Defendants.
ORDER DENYING YELP'S MOTION FOR SUMMARY JUDGMENT
Re: Dkt. No. 689
JON S. TIGAR, United States District Judge
Before the Court is Defendant Yelp, Inc.'s motion for summary judgment. The Court will deny the motion.
Plaintiffs challenge conduct by Apple and various developers of applications ("apps") for Apple devices. See Second Consolidated Amended Complaint ("SCAC"), ECF No. 478. Plaintiffs allege that Yelp and other app developers improperly uploaded address book data from their phones without their consent. See , e.g. , id. ¶¶ 119-120. Yelp now moves for summary judgment on the ground that Plaintiffs consented to allow this uploading.
A. Contacts Data
The facts of this putative class action have been recited in detail in prior orders and require only a brief summary here. Each Apple device comes pre-loaded with a "Contacts" app that owners may use as an address book to input and store various information about the owner's contacts. Id. ¶ 54, 55. The Plaintiffs allege that this information "is highly personal and private, and "is not shared, is not publicly available, is not publicly accessible, and is not ordinarily obtainable by a third party unless the owner physically relinquishes custody of his or her device to another individual." Id. ¶ 56. Plaintiffs further allege that Yelp and other app developers uploaded their contacts data without their consent.
B. The Yelp App's "Friend Finder" Feature
The Yelp app introduced a Friend Finder" feature on approximately January 16, 2010. ECF No. 689-1 ¶ 4. This feature allowed Yelp users to locate other Yelp users they know by comparing the email addresses in the user's local Contacts app with a database of email addresses of registered Yelp users. Id. ¶ 2.
The Plaintiffs contend that the declaration of Yelp's engineer, Steven Sheldon, is inadmissible. ECF No. 727 at 9. Specifically, they argue that the declaration is inadmissible because (1) Sheldon was not disclosed as a witness in Yelp's initial disclosures, and (2) Sheldon was hired after the class period and therefore lacks personal knowledge. Id. In response, Yelp argues that it intends to use Mr. Sheldon as an expert witness; expert witness identifications are not due until January 2017; and the failure to disclose him as a witness in their initial disclosures was harmless. ECF No. 759 at 6.
A party that "fails to provide information or identify a witness as required by Rule 26(a) or (e)...is not allowed to use that information or witness to supply evidence on a motion, at a hearing, or at a trial, unless the failure was substantially justified or is harmless." Fed. R. Civ. P. 37(c)(1). Under Rule 26(a)(2), Yelp is required to disclose its expert witnesses "at the time and in the sequence that the court orders." Fed. R. Civ. P. 26(a)(2)(D). Here, the Court ordered the parties to identify their expert witnesses by January 2017. ECF No. 712. Therefore, Yelp has not failed to timely identify Sheldon as an expert witness as required by Rule 26(a), and his declaration is not rendered inadmissible by Rule 37(c)(1). The Court also concludes that Sheldon may provide expert testimony based on his knowledge and examination of Yelp's source code as one of Yelp's engineers regardless of whether he was employed at Yelp during the class period. See Fed. R. Evid. 703 ; see also Cree v. Flores , 157 F.3d 762, 773 (9th Cir.1998) ("Mr. Yallup testified as an expert witness; therefore, his testimony was not subject to the strictures of Federal Rules of Evidence 602 [requiring personal knowledge] and 803.").
Although the exact language of this statement has changed slightly over the years, it has remained substantially the same since at least September 15, 2008. Id.
Contacts: You can invite your friends to join the Site by providing their contact information or by allowing us to use your address book from your computer, mobile device, or other sites. If you invite a friend to join and connect with you on the Site, we may use and store your friends' contact information long enough to process your requests.
You may choose to provide us with another person's e-mail address so that person may be invited to create an account on this website and become your friend. We use this information to contact and, if necessary, remind that person about the invitation. By providing us with another person's e-mail address, you represent to us that you have obtained the consent of the person concerned as regards such disclosure to us of their personal information. All invitees are provided with the option not to receive further invitations.
A registered Yelp user who navigated to the "Friend Finder" feature between January 16, 2010 and February 22, 2012 would see the following pop-up dialog box:
Id. Between February 22, 2012 and March 8, 2012, the dialog box was changed to read the following: "Find Friends. We'll need to look at your contacts to find friends. Don't worry, we're not storing them." Id. Underneath that dialog box, the user could select either "No Thanks" or "OK." Id. During either time period, if the user clicked "Yes, Find Friends" or "OK" the Yelp app transmitted the email addresses in the user's Contacts app to Yelp's servers and cross-checked those email addresses against the email addresses of registered Yelp users. Id. ¶ 5.
For a short period of time between January 2010 and March 2010, the text was slightly different: The prompt read "Find friends using your Contacts and Facebook friends? You'll be able to see their bookmarks and find out when they are nearby." Id. This minor change in verbiage does not affect the Court's analysis.
C. Apple's Review of the Yelp App
As an app developer, Yelp was bound by several contracts with Apple. Yelp entered into a Program License Agreement ("PLA") in which it appointed Apple as its "worldwide agent for the delivery of [its app]." ECF No. 727-6, Ex. C at 2, 7-8, § 3.1(e). The PLA provides that "applications may not collect user or device data without prior user consent." Id. at 9, § 3.3.9. Yelp was also subject to Apple's App Store Review Guidelines. ECF No. 727-5, Ex. B at 3, § 1.1. Guideline 17.1 provides that "[a]pps cannot transmit data about a user without obtaining the user's prior permission and providing the user with access to information about how and where the data will be used." Id. at 16, § 17.1.
In February 2012, Apple conducted an internal technical investigation to determine whether certain apps, including Yelp, complied with its privacy guidelines. Apple concluded that the "[o]ld version sends contact data up to yelp.com without the user's permission." ECF No 727-7, Ex. D at 16. Even though Yelp had recently changed the dialog box to alert users that the app would "need to look at your contacts to find friends," Apple nonetheless concluded that the "[n]ew version... doesn't inform the user that the date [sic] is uploaded to yelp.com." Id. at 16, 18, 20 ("The alert should clarify to the user that their data is being uploaded to yelp.com.").
In response to this internal investigation, Yelp changed its pop up dialog box to display the following message: "To find friends, we'll need to upload your contacts to Yelp. Don't worry, we're not storing them." ECF No. 689-1 ¶ 4 (emphasis added); ECF No. 727-7, Ex. D at 2; ECF No. 727-4, Ex. A at 3. The Plaintiffs do not challenge Yelp's conduct after these changes were implemented. ECF No. 727 at 16:2.
D. Public Response
Around the same time Apple was conducting its internal investigation, major media sources began reporting about the alleged privacy breach. See Plaintiff's Request for Judicial Notice, ECF No. 749, Exs. A-F; Plaintiff's Request for Judicial Notice, ECF No. 728, Exs. A-F. Congress reacted by opening an inquiry into Apple's privacy practices. See ECF No. 748-11, Ex. J; ECF No. 748-12, Ex. K; see also Protecting Mobile Privacy: Your Smartphones, Tablets, Cell Phones and Your Privacy : Hearing Before the Subcommittee on Privacy, Tech. and the Law of the S. Judiciary Comm., 112th Cong. (2011), available at https://www.judiciary.senate.gov/imo/media/doc/CHRG-112shrg86775.pdf. And the Federal Trade Commission also issued a Civil Investigative Demand to investigate whether apps uploaded user's contacts without their consent. See ECF No. 748-13, Ex. L.
The Plaintiffs ask the Court to take judicial notice of several news articles from sources including the New York Times, Time Magazine, and the British Broadcasting Corporation. See ECF No. 749 at 2; ECF No. 728 at 2. Pursuant to Federal Rule of Evidence 201(b), "[t]he court may judicially notice a fact that is not subject to reasonable dispute because it: (1) is generally known within the trial court's territorial jurisdiction; or (2) can be accurately and readily determined from sources whose accuracy cannot reasonably be questioned." The Court "may take judicial notice of publications introduced to indicate what was in the public realm at the time, not whether the contents of those articles were in fact true." Von Saher v. Norton Simon Museum of Art at Pasadena , 592 F.3d 954, 960 (9th Cir.2010) (internal quotation marks omitted). The Court therefore takes judicial notice of these publications "solely as an indication of what information was in the public realm at the time." Von Saher , 592 F.3d at 960.
E. Procedural History
Plaintiffs brought this suit against Apple and several app developers, including Yelp, as a putative class action. See ECF Nos. 362, 478. The Plaintiffs allege that Yelp uploaded address book data from their Contacts app without their consent. See SCAC, ECF No. 478, ¶¶ 2, 119, 120, 146, 178, 184, 195, 208. Based on these allegations, the Plaintiffs assert a cause of action for invasion of privacy (intrusion upon seclusion) against Yelp. See id. ¶¶ 243-255 (alleging that Yelp and the other App defendants "intentionally intruded on and into each respective Plaintiff's solitude, seclusion or private affairs" by "surreptitiously obtaining, improperly gaining knowledge, reviewing and retaining Plaintiffs' private address books (or substantial portions thereof) as stored in the Contacts App on Plaintiffs' iDevices"). This is the only remaining claim against Yelp. See ECF Nos. 471, 543 (dismissing all other claims).
The Court recently certified a limited class against another app developer defendant, Path, Inc., based on allegations similar to those against Yelp. ECF No. 761 at 28.
The Court has subject matter jurisdiction over this action under the Class Action Fairness Act of 2005. The amount in controversy exceeds the sum or value of $5,000,000, exclusive of interests and costs; there are 100 or more class members; and there is minimal diversity because certain members of the class are citizens of a different state than any Defendant as required by 28 U.S.C. § 1332(d)(2).
III. LEGAL STANDARD
Summary judgment is proper when a "movant shows that there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law." Fed. R. Civ. P. 56(a). "A party asserting that a fact cannot be or is genuinely disputed must support the assertion by" citing to depositions, documents, affidavits, or other materials. Fed. R. Civ. P. 56(c)(1)(A). A party may also show that such materials "do not establish the absence or presence of a genuine dispute, or that an adverse party cannot produce admissible evidence to support the fact." Fed. R. Civ. P. 56(c)(1)(B). An issue is "genuine" only if there is sufficient evidence for a reasonable fact-finder to find for the non-moving party. Anderson v. Liberty Lobby, Inc. , 477 U.S. 242, 248–49, 106 S.Ct. 2505, 91 L.Ed.2d 202 (1986). A fact is "material" if the fact may affect the outcome of the case. Id. at 248, 106 S.Ct. 2505. "In considering a motion for summary judgment, the court may not weigh the evidence or make credibility determinations, and is required to draw all inferences in a light most favorable to the non-moving party." Freeman v. Arpaio , 125 F.3d 732, 735 (9th Cir.1997).
Where the party moving for summary judgment would bear the burden of proof at trial, that party bears the initial burden of producing evidence that would entitle it to a directed verdict if uncontroverted at trial. See C.A.R. Transp. Brokerage Co. v. Darden Rests., Inc. , 213 F.3d 474, 480 (9th Cir.2000). Where the party moving for summary judgment would not bear the burden of proof at trial, that party bears the initial burden of either producing evidence that negates an essential element of the non-moving party's claim, or showing that the non-moving party does not have enough evidence of an essential element to carry its ultimate burden of persuasion at trial.
If the moving party satisfies its initial burden of production, then the non-moving party must produce admissible evidence to show that a genuine issue of material fact exists. See Nissan Fire & Marine Ins. Co. v. Fritz Cos. , 210 F.3d 1099, 1102–03 (9th Cir.2000). The non-moving party must "identify with reasonable particularity the evidence that precludes summary judgment." Keenan v. Allan , 91 F.3d 1275, 1279 (9th Cir.1996). Indeed, it is not the duty of the district court to "to scour the record in search of a genuine issue of triable fact." Id. "A mere scintilla of evidence will not be sufficient to defeat a properly supported motion for summary judgment; rather, the nonmoving party must introduce some significant probative evidence tending to support the complaint." Summers v. Teichert & Son, Inc. , 127 F.3d 1150, 1152 (9th Cir.1997) (citation and internal quotation marks omitted). If the non-moving party fails to make this showing, the moving party is entitled to summary judgment. Celotex Corp. v. Catrett , 477 U.S. 317, 323, 106 S.Ct. 2548, 91 L.Ed.2d 265 (1986).
Under California law, a claim for intrusion upon seclusion has two elements: (1) intrusion into a private place, conversation or matter, (2) in a manner highly offensive to a reasonable person. Shulman v. Grp. W Prods., Inc. , 18 Cal.4th 200, 231, 74 Cal.Rptr.2d 843, 955 P.2d 469 (1998), as modified on denial of reh'g (July 29, 1998); see also Restatement (Second) of Torts § 652B (1977) ("One who intentionally intrudes, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns, is subject to liability to the other for invasion of his privacy, if the intrusion would be highly offensive to a reasonable person"). The Court now addresses whether the Plaintiffs have produced evidence of these elements such that they could carry their burden at trial.
Although the laws of several states are potentially implicated because the Plaintiffs reside in different states, Yelp concedes that "for the purposes of this motion, the [state law] standards are congruent." ECF No. 689 at 15, n. 2. Accordingly, the Court applies California law.
Yelp argues that the Plaintiffs' intrusion upon seclusion claim fails as a matter of law because the Plaintiffs consented to allow Yelp to access their local Contacts app to find friends, thereby defeating any reasonable expectation of privacy in their address book data and any potential intrusion upon seclusion claim. See ECF No. 689 at 18-19.
Effective consent negates an intrusion upon seclusion claim. See Restatement (Second) of Torts § 892A (1979) ("One who effectively consents to conduct of another intended to invade his interests cannot recover in an action of tort for the conduct or for harm resulting from it."). To satisfy the first element of an intrusion upon seclusion claim, the plaintiff must have had "an objectively reasonable expectation of seclusion or solitude in the place, conversation or data source." Shulman , 18 Cal.4th at 232, 74 Cal.Rptr.2d 843, 955 P.2d 469 ; see also Varnado v. Midland Funding LLC , 43 F.Supp.3d 985, 992 (N.D.Cal.2014). And a plaintiff cannot have a reasonable expectation of privacy if she consented to the intrusion. Hill v. Nat'l Collegiate Athletic Assn. , 7 Cal.4th 1, 26, 865 P.2d 633, 26 Cal.Rptr.2d 834 (1994) ("The plaintiff in an invasion of privacy case must have conducted himself or herself in a manner consistent with an actual expectation of privacy, i.e., he or she must not have manifested by his or her conduct a voluntary consent to the invasive actions of defendant."). Therefore, if the Plaintiffs effectively consented to Yelp's use of their address book data, they cannot maintain an intrusion upon seclusion claim. In addition, "[i]f voluntary consent is present, a defendant's conduct will rarely be deemed ‘highly offensive to a reasonable person’ so as to justify tort liability." Hill , 7 Cal.4th at 26, 26 Cal.Rptr.2d 834, 865 P.2d 633.
However, consent is only effective if the person alleging harm consented "to the particular conduct, or to substantially the same conduct" and if the alleged tortfeasor did not exceed the scope of that consent. Restatement (Second) of Torts § 892A (1979) §§ 2(b), 4. After all, "privacy, for purposes of the intrusion tort, is not a binary, all-or-nothing characteristic." Sanders v. Am. Broad. Companies, Inc. , 20 Cal.4th 907, 916, 85 Cal.Rptr.2d 909, 978 P.2d 67 (1999). "There are degrees and nuances to societal recognition of our expectations of privacy: the fact that the privacy one expects in a given setting is not complete or absolute does not render the expectation unreasonable as a matter of law."Id.
Yelp argues that the Plaintiffs "allowed... Yelp's access to their Contacts list to perform the precise function they desired: to connect with their friends to improve the Apps' social networking experiences." ECF No. 689 at 19. In response, the Plaintiffs argue that consent to "access" or "look at" their contacts is not the same as consent to "upload" those contacts. ECF No. 727 at 23. In other words, "permission to look at data does not equate with permission to take it." Id. at 7. At the summary judgment stage, the Court agrees with the Plaintiffs.
There is a material factual dispute as to whether Yelp's in-app user prompt obtained effective consent to upload the address book data to its servers. The Plaintiffs point to several pieces of evidence that a reasonable fact-finder could rely on to find in their favor. First, the textual in-app display did not explicitly disclose that Yelp would "upload" the address book data to its own servers in order to perform the matching function. Rather, the text of the disclosure during the class period simply told users that the feature would "[f]ind friends on Yelp using your Contacts" or "look at your contacts to find friends." ECF No. 689-1 ¶ 4. And the Plaintiffs have produced evidence suggesting that, based on these disclosures, they expected a matching process that would take place locally on their phone, not on Yelp's servers. See Depo. Tr. of Claire Hodgins, ECF No. 759-3 at 10-22 (testifying that she thought the matching process would take place "on [her] phone"). Second, Yelp's own agent (Apple) concluded that both versions of Yelp's disclosure during the class period "send[ ] contact data up to yelp.com without the user's permission" and "[don't] inform the user that the date [sic] is uploaded to yelp.com." ECF No 727-7, Ex. D at 16, 18, 20. Apple's privacy guidelines suggest that app users had a reasonable expectation of privacy in knowing how their data would be used, and the breach of those guidelines suggests that Yelp exceeded the scope of users' consent when it uploaded Contacts data without explicit permission. See Puerto v. Superior Court , 158 Cal.App.4th 1242, 1252, 70 Cal.Rptr.3d 701 (2008) (holding that employees had a legitimate expectation of privacy in their addresses and telephone numbers "in light of employers' usual confidentiality customs and practices"). Based on this evidence, the Court cannot conclude as a matter of law that the in-app disclosures obtained effective consent to upload the users' Contacts data as opposed to just accessing it locally. This is an issue for the jury.
Throughout its briefing, Yelp argues that the Plaintiffs' intrusion upon seclusion claim only survived the prior motions to dismiss because the Plaintiffs alleged that Yelp "misused" or "misappropriated" the address book data in other, unauthorized ways—such as storing, disseminating, or selling the data. ECF No. 689 at 7-8, 13; ECF No. 759 at 14, 17. Accordingly, Yelp argues that, because the Plaintiffs have not produced evidence of these particular kinds of unauthorized use their claim fails as a matter of law. Id.
Yelp reads the Court's previous orders and the crux of the Plaintiffs' allegations too narrowly. The Court has not said, and the Plaintiffs have not alleged, that these are the only ways that Yelp could have overstepped the bounds of the consent it obtained. Rather, the Plaintiffs also alleged, and the Court found plausible when ruling on multiple motions to dismiss, that "Defendants had exceeded the parameters of that consent by otherwise transmitting, uploading , storing, and using that information for unauthorized purposes or in unauthorized ways." ECF No. 543 at 32 (emphasis added). Although the Court noted that discovery might ultimately prove that allegation to be unfounded, the Court reached no ultimate conclusion on the issue. Id. at 33, n. 17. ("After further factual development, Defendants may succeed in demonstrating that the parameters of Plaintiffs' consent was coterminous with Defendants' use of that data. But that is a matter that cannot be resolved at this stage of the proceedings."). That discovery having now taken place, it is clear that the issue cannot be decided as a matter of law.
Yelp relies on two cases to further support its consent argument: Hill v. Nat'l Collegiate Athletic Assn. , 7 Cal.4th 1, 26, 26 Cal.Rptr.2d 834, 865 P.2d 633 (1994) and Perkins v. LinkedIn Corp. , 53 F.Supp.3d 1190 (N.D.Cal.2014). ECF No. 689 at 18. Both cases are distinguishable.
In Hill , student athletes brought invasion of privacy claims against the NCAA under the California Constitution based on the NCAA's requirement that student athletes undergo drug testing. The California Supreme Court held that the athletes manifested voluntary consent to the testing, thereby defeating their invasion of privacy claim. See Hill , 7 Cal.4th at 42, 26 Cal.Rptr.2d 834, 865 P.2d 633. However, the plaintiffs in that case were "required to sign a three-part statement and consent form," which included the following "Drug-Testing Consent" provision: "By signing this part of the form, you certify that you agree to be tested for drugs." Id. at 11, 26 Cal.Rptr.2d 834, 865 P.2d 633. Based on this explicit consent form, the Court held that the student athletes had a diminished expectation of privacy. Id. at 42, 26 Cal.Rptr.2d 834, 865 P.2d 633. Here, unlike in Hill , Yelp's brief screen prompt did not explicitly disclose that it would upload users' address book data. Hill does not dispose of the present case.
Perkins is also distinguishable. In that case, the court held that LinkedIn remained within the scope of the consent that it obtained from users when it sent an email inviting their contacts to join LinkedIn, but that it exceeded the scope of that consent when it sent subsequent reminder emails. Id. at 1215–17. LinkedIn's disclosures said "Why not invite some people?" and "Stay in touch with your contacts who aren't on LinkedIn yet. Invite them to connect with you." Id. at 1215. If a user agreed to invite people, LinkedIn sent an email to the contact that said "I'd like to add you to my professional network" with the name of the LinkedIn user below. Id. The plaintiffs conceded that they consented to LinkedIn sending an email to their contacts to invite them to connect on LinkedIn; however, they argued that they did not consent to an email in which their own name would be displayed as a personal "endorsement" of LinkedIn. Id. The court was not persuaded by the plaintiffs' distinction between "invitations" and "endorsements," and concluded that those terms were "synonymous" in that instance. Id. The users agreed to a disclosure that said "Invite [contacts] to connect with you ," and "a reasonable user who saw the disclosure" consented to an email that necessarily included his or her own name for the purpose of fostering a connection. Id. (emphasis added). In other words, LinkedIn obtained consent to invite a user's friends to connect with him or her, which necessarily involved mentioning the other user by name. In contrast to Perkins , it is unclear whether a reasonable user who saw Yelp's disclosure message consented to having the email addresses in their local Contacts uploaded to a Yelp server in order to perform the matching function. The disclosure simply said "[f]ind friends on Yelp using your Contacts" or "look at your contacts to find friends." ECF No. 689-1 ¶ 4 (emphasis added). Unlike in Perkins , where consent to the disclosure message necessarily included consent to put the user's name in the invitation email, consent to allow Yelp to "find friends" or "look at" the contacts on your device does not necessarilyinclude consent to upload that data to Yelp's servers; rather, a reasonable user could think that the matching function would take place on their local device. In other words, "upload" and "look at" are not interchangeable.
In fact, Yelp's argument ignores Perkins ' implicit holding that consent is defined by the scope of its terms. Yelp argues that "[o]nce Plaintiffs consented to Yelp's access to that information, the alleged tort evaporates; there is no invasion to begin with, and subsequent transmission cannot change that." ECF No. 689 at 13:9-10. In contrast, the California Supreme Court has said that "privacy, for purposes of the intrusion tort, is not a binary, all-or-nothing characteristic." Sanders , 20 Cal.4th at 916, 85 Cal.Rptr.2d 909, 978 P.2d 67. Rather, "[t]here are degrees and nuances to societal recognition of our expectations of privacy," and "the fact that the privacy one expects in a given setting is not complete or absolute does not render the expectation unreasonable as a matter of law." Id. ; see also e.g. , Sheehan v. San Francisco 49ers, Ltd. , 45 Cal.4th 992, 89 Cal.Rptr.3d 594, 201 P.3d 472 (2009) ("Hill does not stand for the proposition that a person who chooses to attend an entertainment event consents to any security measures the promoters may choose to impose no matter how intrusive or unnecessary....a person can be deemed to consent only to intrusions that are reasonable under the circumstances."). Like the California Supreme Court in Sanders , the court in Perkins made clear that users can consent to some aspects of a defendant's conduct while not consenting to other aspects of a defendant's conduct. For example, the court in Perkins held that, although the plaintiffs consented to LinkedIn's initial endorsement email, they had "plausibly alleged that they did not consent to the second and third reminder endorsement emails." 53 F.Supp.3d at 1216. Because "[n]othing in LinkedIn's disclosures alerts users to the possibility that their contacts will receive not just one invitation, but three," the court held that "Plaintiffs have adequately pleaded lack of consent to the sending of the second and third endorsement emails." Id. at 1217. In sum, Perkins reaffirms that consent is not absolute, but rather a matter of degree. And, like the court in Perkins , a reasonable jury could find that nothing in Yelp's disclosures alerted users to the possibility that their contacts' email addresses would be uploaded to Yelp's servers in order to perform the matching function.
In response, Yelp argues that "the operation of the Friend Finder function... inevitably requires that data be transmitted from the users' phone to Yelp's servers for processing." ECF No. 759 at 14:8-10. This statement misses the point. The question is not whether Yelp's engineers establish during litigation that the only feasible way to compare the users' contacts to registered Yelp users is to upload the contacts to Yelp's server. The question is whether, and to what extent, the Plaintiffs effectively consented to allow Yelp to use their contact data at the time of the challenged invasion. Cf . Hill , 7 Cal.4th at 26, 26 Cal.Rptr.2d 834, 865 P.2d 633 ("The plaintiff in an invasion of privacy case must have conducted himself or herself in a manner consistent with an actual expectation of privacy, i.e., he or she must not have manifested by his or her conduct a voluntary consent to the invasive actions of defendant."). This inquiry hinges on the "objectively reasonable expectation [s]" of the Plaintiffs. Shulman , 18 Cal.4th at 232, 74 Cal.Rptr.2d 843, 955 P.2d 469.
Yelp mentions throughout its Reply brief that "all of the Plaintiffs now know that the Apps at issue (and others) have to upload data to analyze it, and yet all of them continue to consent to multiple applications using their Contacts." ECF No. 759 at 15:5-7; id. at 13:6-8. The Plaintiffs' current knowledge that Yelp uploads their address book data is irrelevant to whether they effectively consented to Yelp's uploading of their data at the time of the challenged conduct.
Perhaps recognizing that the consent inquiry hinges on whether the Plaintiffs' expectations were objectively reasonable, Yelp next argues that the Plaintiffs did not have to understand that their contacts data would be uploaded to Yelp's servers in order to effectively consent to the Friend Finder function. ECF No. 759 at 14-15. In other words, Yelp argues that "consent to [the Friend Finder] process does not require the user to understand how the process works." Id. After all, Yelp argues, "[w]e consent to all sorts of things every day without the slightest idea how they are accomplished." Id.
But the details about how the process works matter to the consent analysis if those details involve conduct that transcends what was consented to and interferes with the Plaintiffs' objectively reasonable expectations of privacy. Shulman , 18 Cal.4th at 232, 74 Cal.Rptr.2d 843, 955 P.2d 469. Here, the Plaintiffs have presented evidence that the act of uploading their contacts' email addresses without their permission changed the nature of Yelp's intrusion. For example, one of the Plaintiffs testified that she "gave Yelp permission to access [her] contacts," but not to "upload [her] contacts on to their servers." Depo. Tr. of Claire Hodgins, ECF No. 759-3 at 106:23-107:5. She further testified that uploading the data was qualitatively different than accessing it because "uploading means that you can then use that information how you please." ECF No. 777-3 at 5:7-12. Other Plaintiffs testified that the act of uploading the contacts data to a server was "egregious," and that they didn't consent to Yelp "taking" their information by moving it from their phone to somewhere else. Depo. Tr. of Nirali Mandalaywala, ECF No. 777-2 at 7:5-18; Depo. Tr. of Giuliana Biondi, ECF No. 777-4 at 3:18-4:4. It remains to be seen whether these expectations were objectively reasonable, but that is a question for the jury, not this Court. See Shulman , 18 Cal.4th at 233-34, 74 Cal.Rptr.2d 843, 955 P.2d 469 (reversing the lower court's grant of summary judgment as to the plaintiff's intrusion upon seclusion claim because the determination as to whether the plaintiff's expectation of privacy was reasonable was a "question[ ] for the jury").
B. Highly Offensive
Next, Yelp argues that the Plaintiffs cannot succeed on their intrusion upon seclusion claim as a matter of law because "identifying social connections to users is far from a ‘highly offensive’ practice." ECF No. 689 at 17:14-15.
To prevail on an invasion of privacy claim, the intrusion must also be "highly offensive to a reasonable person and sufficiently serious and unwarranted as to constitute an egregious breach of the social norms." Hernandez v. Hillsides, Inc. , 47 Cal.4th 272, 295, 97 Cal.Rptr.3d 274, 211 P.3d 1063 (2009) (internal citations and quotation marks omitted). "A court determining the existence of ‘offensiveness' would consider the degree of intrusion, the context, conduct and circumstances surrounding the intrusion as well as the intruder's motives and objectives, the setting into which he intrudes, and the expectations of those whose privacy is invaded." Miller v. Nat'l Broad. Co. , 187 Cal.App.3d 1463, 1483–84, 232 Cal.Rptr. 668 (Ct.App.1986). "California tort law provides no bright line on [offensiveness]; each case must be taken on its facts." Hernandez , 47 Cal.4th at 287, 97 Cal.Rptr.3d 274, 211 P.3d 1063 (quoting Shulman , 18 Cal.4th at 237, 74 Cal.Rptr.2d 843, 955 P.2d 469 ) (internal quotation marks omitted). "[W]hat is ‘highly offensive to a reasonable person’ suggests a standard upon which a jury would properly be instructed." Deteresa v. Am. Broad. Companies, Inc. , 121 F.3d 460, 465 (9th Cir.1997) (quoting Miller , 187 Cal.App.3d at 1483, 232 Cal.Rptr. 668 ). However, "there is a preliminary determination of ‘offensiveness' which must be made by the court in discerning the existence of a cause of action for intrusion." Id. "If the undisputed material facts show no reasonable expectation of privacy or an insubstantial impact on privacy interests, the question of invasion may be adjudicated as a matter of law." Id. (internal citations and quotation marks omitted).
Yelp argues that "mechanical access to a list of email addresses in order to perform a commonplace social media function is far short of conduct that shocks the conscience, or so transgresses social norms that it can be deemed outrageous" and that "such commercial uses of address information are not ‘highly offensive.’ " ECF No. 689. In other words, Yelp argues that uploading address book data without users' consent is not highly offensive because it is "commonplace" and "commercial" in nature. Id. at 17:17-18.
Yelp relies heavily on Folgelstrom v. Lamps Plus, Inc. , 195 Cal.App.4th 986, 125 Cal.Rptr.3d 260 (2011), as modified (June 7, 2011), to support its argument. In Folgelstrom , a California appellate court held that the retailer's practice of asking for a customer's zip code and then trading the customer's information with a third party credit reporting agency in exchange for the customer's full mailing address so that it could send the customer promotional materials was not highly offensive. Folgelstrom , 195 Cal.App.4th at 989, 993, 125 Cal.Rptr.3d 260 ("However questionable the means employed to obtain plaintiff's address, there is no allegation that Lamps Plus used the address once obtained for an offensive or improper purpose."). In reaching this conclusion, the court explained that it had "found no case which imposes liability based on the defendant obtaining unwanted access to the plaintiff's private information which did not also allege that the use of plaintiff's information was highly offensive." Id. at 993, 125 Cal.Rptr.3d 260. Yelp relies on Folgelstrom to argue that the subsequent use of any private information obtained—and not just the initial intrusion itself—must be highly offensive to succeed on an intrusion upon seclusion claim, and that "commercial uses of address information are not highly offensive." Id. at 16-18.
In re iPhone Application Litig. involved the disclosure to third parties of an iDevice user's unique device identifier number, personal data, and geolocation information. 844 F.Supp.2d at 1063. That court held without explanation that "[e]ven assuming this information was transmitted without Plaintiffs' knowledge and consent, a fact disputed by Defendants, such disclosure does not constitute an egregious breach of social norms," citing Folgelstrom . Id. As noted above, however, Folgelstrom addressed different facts than those in iPhone Application Litigation , and the latter court did not explain how expansion of Folgelstrom 's holding, counter to the privacy interests of iDevice users, was consistent with California's community privacy norms.
Yelp also cites Puerto v. Super. Ct. , 158 Cal.App.4th 1242, 1253–54, 70 Cal.Rptr.3d 701 (2008) for the proposition that "contact information is not ‘particularly sensitive’ and is not the type of information deemed ‘private.’ " ECF No. 689 at 12. Puerto concerned the discovery of absent class member contact information and has nothing to do with intrusion on seclusion claims.
Fundamentally, this case is about whether Apple's conduct and that of application developers violated community norms of privacy. "A ‘reasonable’ expectation of privacy is an objective entitlement founded on broadly based and widely accepted community norms." Hill , 7 Cal.4th at 37, 26 Cal.Rptr.2d 834, 865 P.2d 633. The "community norms" aspect of the "reasonable expectation of privacy" element means that " ‘[t]he protection afforded to the plaintiff's interest in his privacy must be relative to the customs of the time and place, to the occupation of the plaintiff and to the habits of his neighbors and fellow citizens.’ " In re Yahoo Mail Litig. , 7 F.Supp.3d 1016, 1038 (N.D.Cal.2014) (quoting TBG Ins. Servs. Corp. v. Superior Court , 96 Cal.App.4th 443, 450, 117 Cal.Rptr.2d 155, (2002) ).
Those customs and habits are very much in flux. The technology underlying the allegations in this case is still developing. The iPhone was introduced less than ten years ago, Charles Arthur, "The History of Smartphones: Timeline," Guardian UK Jan. 24, 2012 (on-line ed) (https://www.theguardian.com/technology/2012/jan/24/smartphones-timeline ), and the prospect of an application developer taking advantage of a user's contacts data is even newer still. When applying community standards, it is possible that a jury of persons selected from that community might conclude, as Yelp suggests, that Yelp's conduct was "far from "highly offensive." ECF No. 689 at 11. In the alternative, a jury might also find the intrusion highly offensive based on both the degree of intrusion (uploading the email addresses of a user's contacts to the Defendants' servers) and the setting in which the invasion took place (users' personal cellular phones). Miller , 187 Cal.App.3d at 1483–84, 232 Cal.Rptr. 668. Perhaps a democratically elected legislature will embody the community standards in a statute. In any of those events, a jury or legislature will have performed an important function in reflecting the community's standards as they relate to the privacy of information stored on a user's smartphone. A judge should be cautious before substituting his or her judgment for that of the community.
The sheer volume of media attention surrounding the app developers' conduct, and the fact that both Congress and a federal agency initiated investigations, are some evidence of the existence of developing social norms surrounding this technology.
In sum, this is not—or is not yet—a question that can be decided as a matter of law, and there is a triable issue of fact regarding whether Yelp's upload of the Plaintiffs' address book data was highly offensive to a reasonable person.
C. Copyright Act Preemption
Finally, Yelp argues that under the Plaintiffs' theory its "copying of the Plaintiffs' contact information becomes the only act alleged against Yelp" such that the claim is preempted by the Copyright Act. ECF No. 689 at 19-20.
The Copyright Act preempts a state law claim if: (1) the plaintiff asserts "rights that are equivalent" to those protected by the Copyright Act as defined in 17 U.S.C. § 106 ; and (2) the work involved falls within the "subject matter" of the Copyright Act as defined in 17 U.S.C. §§ 102 and 103. Kodadek v. MTV Networks, Inc. , 152 F.3d 1209, 1212 (9th Cir.1998).
Assuming the collection of email addresses falls within the "subject matter" of the Copyright Act, the Plaintiffs' state law privacy rights are nonetheless qualitatively different from the rights protected by the Copyright Act. "A right is ‘equivalent’ to copyright if it ‘is infringed by the mere act of reproduction, performance, distribution or display.’ " Entous v. Viacom Int'l, Inc. , 151 F.Supp.2d 1150, 1159 (C.D.Cal.2001) (quoting Nimmer on Copyright, § 1.10[B] at 1–12 to 1–13 (1989)). However, a state law claim is not "equivalent" to rights within the scope of copyright if it "contains an additional element not required for a copyright claim." Ryan v. Editions Ltd. W., Inc. , 786 F.3d 754, 760 (9th Cir.), cert. denied, ––– U.S. ––––, 136 S.Ct. 267, 193 L.Ed.2d 136 (2015) ; see also Montz v. Pilgrim Films & Television, Inc. , 649 F.3d 975, 981 (9th Cir.2011) (holding that a claim for breach of confidence "protects the duty of trust or confidential relationship between the parties, an extra element that makes it qualitatively different from a copyright claim.")
Yelp argues that the address book data is a "literary work" that falls within the subject matter of copyright. ECF No. 689 at 20. Although Yelp concedes that the collection of email addresses "likely does not qualify for copyright protection," it correctly points out that this does not preclude preemption. Id. ; see also Firoozye v. Earthlink Network , 153 F.Supp.2d 1115, 1124–25 (N.D.Cal.2001) (explaining that "the subject matter of copyright is broader than copyright protection" and, therefore, the relevant question for the purpose of copyright preemption is not whether the work is actually copyrightable, but rather "whether the work involved is a kind of work that comes within the subject matter of the Copyright Act"). Because factual compilations like the address book data at issue here may be copyrightable in some instances, the Court assumes that the data falls within the subject matter of the Copyright Act. See Feist Publications, Inc. v. Rural Tel. Serv. Co. , 499 U.S. 340, 348–49, 111 S.Ct. 1282, 113 L.Ed.2d 358 (1991) (acknowledging "thin" copyright protection for factual compilations—in that case, a telephone directory—to the extent that the author's selection and arrangement of those facts was original and "entail[ed] a minimal degree of creativity"); Firoozye , 153 F.Supp.2d at 1124–25 ("[M]aterial that falls within a category that is eligible for protection in certain instances must come within the Act's subject matter."). Regardless, the Court holds that the other requirement for copyright preemption is not satisfied.
As explained in § 106, the Copyright Act grants exclusive rights to reproduce the copyrighted work, prepare derivative works, distribute copies to the public, and perform or display the copyrighted work publicly. Laws v. Sony Music Entm't, Inc. , 448 F.3d 1134, 1143, n. 3 (9th Cir.2006) (quoting 17 U.S.C. § 106 ). In contrast, the Plaintiffs' state law privacy claim protects the Plaintiffs' rights to be free from highly offensive and unwarranted intrusions into a private sphere. Shulman , 18 Cal.4th at 231, 74 Cal.Rptr.2d 843, 955 P.2d 469. This "extra element"—using the Plaintiffs' data in a highly offensive way that intrudes into an area that they reasonably expect to remain private—changes the nature of the action. In this case, the Plaintiffs do not allege that Yelp violated their privacy rights by simply reproducing or copying the address book data, but rather by uploading their address book data to Yelp's servers to be analyzed against the database of existing Yelp users without their permission. Because this privacy claim alleges conduct that transcends the mere act of copying or reproducing the Plaintiffs' work, the Plaintiffs' claim is simply not "equivalent" to rights protected under copyright law. Therefore, the claim is not preempted by the Copyright Act.
In conclusion, there are genuine issues of material fact as to both the scope of the consent that Yelp obtained and whether uploading the Plaintiff's address book data remained within that scope. Accordingly, the Court denies Yelp's motion for summary judgment.
IT IS SO ORDERED.