Brodsky v. Apple Inc.
445 F.Supp.3d 110
N.D. Cal. 2020
Background
- Plaintiffs (six named individuals from various states) sued Apple claiming its two-factor authentication (2FA) login process was enabled without authorization and interfered with access to devices, Apple services, and third‑party apps.
- Plaintiffs asserted five causes of action: trespass to chattels, violation of the California Invasion of Privacy Act (CIPA), California Computer Crime Law (CCCL), the federal Computer Fraud and Abuse Act (CFAA), and unjust enrichment; they sought to represent a nationwide class (class period from 2015).
- The Second Amended Complaint (SAC) largely repeated the First Amended Complaint’s allegations (2FA enabled by software updates, new Apple IDs, or user settings; delays of ~2–5 minutes; occasional lockouts when a trusted device was unavailable) and added two plaintiffs and a revocation-by-filing allegation.
- The Court previously dismissed the FAC with leave to amend and, after reviewing Apple’s motion to dismiss the SAC, found Plaintiffs failed to cure defects identified earlier.
- The Court dismissed all claims with prejudice for recurring deficiencies: lack of allegations that 2FA was enabled without authorization, no actionable harm or $5,000 CFAA loss, failure to plead contents/interception for CIPA, boilerplate CCCL allegations, an unjust‑enrichment claim barred by an existing contract, and Rule 8/statute‑of‑limitations problems for several plaintiffs.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Trespass to chattels — authorization | Apple enabled 2FA without consent (some via software updates) | 2FA enabled by voluntary updates, new IDs, or user action; thus authorized | Dismissed — plaintiffs failed to allege lack of authorization and failed to plead required harm; dismissed with prejudice |
| Trespass to chattels — harm/proximate causation | 2FA delays and occasional lockouts dispossessed users or deprived use | 2–5 minute delay does not impair device; alleged longer lockouts caused by events outside Apple’s control | Dismissed — delay not actionable; plaintiffs did not plausibly tie longer lockouts to Apple |
| CIPA — interception / third‑party | Apple intercepted communications (login requests, access to services/content) via 2FA | CIPA prohibits third‑party interception; Apple is party to user‑to‑Apple communications; plaintiffs didn’t plead intercepted "contents" | Dismissed — Apple not shown to be a third party to alleged communications; plaintiffs failed to plead contents |
| CFAA — unauthorized access | 2FA constituted unauthorized access/exceeding authorized access | Authorization relates to identity, not method; plaintiffs authorized Apple access via other login methods; no revocation of access | Dismissed — plaintiffs challenged method not identity; abandoned arguments; no allegation revoking access |
| CFAA — damages ($5,000) | Alleged economic loss from denied access, device/subscription value, and alleged data value | Alleged delays do not produce $5,000 loss; Ninth Circuit rejects theory that loss equals lost ability to monetize personal data | Dismissed — plaintiffs failed to plead $5,000 loss within one year |
| CCCL (Cal. Penal Code §502) | Apple knowingly and without permission accessed/used plaintiffs’ devices/services via 2FA | CCCL, like CFAA, requires access without permission; pleadings are boilerplate and do not show differing access via 2FA | Dismissed — plaintiffs failed to allege lack of authorization or factual detail; boilerplate allegations insufficient |
| Unjust enrichment / quasi‑contract | Plaintiffs seek restitution for alleged benefits Apple received | Plaintiffs have express contract (Terms of Use); no allegations that contract is unenforceable | Dismissed — California does not recognize stand‑alone unjust enrichment; quasi‑contract barred by existing contract absent facts showing unenforceability |
| Rule 8 / Statute of limitations | Tolling doctrines apply; class claims timely | Several named plaintiffs did not plead when 2FA was enabled; Brodsky and Tracey’s claims time‑barred | Dismissed — four plaintiffs’ claims dismissed for failing to plead dates (Rule 8); Brodsky and Tracey’s claims time‑barred; tolling doctrines inapplicable |
Key Cases Cited
- Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (2007) (pleading must be plausible under Rule 8)
- Ashcroft v. Iqbal, 556 U.S. 662 (2009) (court need not accept conclusory legal allegations)
- Intel Corp. v. Hamidi, 30 Cal.4th 1342 (2003) (California trespass to chattels requires unauthorized interference that causes harm)
- In re Zynga Privacy Litig., 750 F.3d 1098 (9th Cir. 2014) ("contents" excludes metadata/record information under wiretap analogues)
- United States v. Nosal, 676 F.3d 854 (9th Cir. 2012) (CFAA targets unauthorized procurement/alteration of information; courts avoid overbroad CFAA readings)
- LVRC Holdings LLC v. Brekka, 581 F.3d 1127 (9th Cir. 2009) (CFAA §1030 civil suit requires proof of loss/damages)
- Andrews v. Sirius XM Radio Inc., 932 F.3d 1253 (9th Cir. 2019) (rejected CFAA loss theory based on alleged loss of value of personal data)
- Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058 (9th Cir. 2016) (CFAA liability where service explicitly revoked authorization)
- Oracle USA, Inc. v. Rimini St., Inc., 879 F.3d 948 (9th Cir. 2018) (CCCL/CDAFA requires lack of authorization in initial access)
- In re iPhone Application Litig., 844 F. Supp. 2d 1040 (N.D. Cal. 2012) (minor performance impacts without device impairment insufficient for trespass claim)
