Doe v. Microsoft Corporation
2:23-cv-00718
W.D. Wash.Dec 19, 2023Background
- Jane Doe, a Kaiser Permanente patient, alleges that Microsoft and Qualtrics collected and used her confidential health data via software on the Kaiser website without proper disclosure or consent.
- The data allegedly collected included sensitive health details and browsing behaviors, tied to user identifiers.
- Plaintiff asserted both statutory and common law claims, including violations of the California Invasion of Privacy Act (CIPA), California Constitution, Computer Fraud and Abuse Act (CFAA), unjust enrichment, UCL, statutory larceny, and conversion.
- The case comes before the U.S. District Court (W.D. Wash.) on motions to dismiss filed by Microsoft and Qualtrics.
- The court also considered judicial notice of various online documents and privacy policies proffered by both defendants.
- The court ruled on both the sufficiency of the pleadings and the applicability of various legal theories at the motion to dismiss stage.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Standing | Data is personal, non-anonymized, and valuable; loss of value | No personal loss alleged; data not specific to plaintiff | Plaintiff has standing under Ninth Circuit precedent |
| Sufficiency of Pleading (Rule 8) | Used Kaiser site for years, sharing the described information | Did not specify dates/instances; lack of personal/traceable impact | Complaint sufficient under Rule 8 |
| Consent to Data Collection | No actual, explicit, or unambiguous consent given | Kaiser’s privacy policies put users on notice; consent is implied | Consent defense denied—no clear, specific consent |
| CIPA (Wiretapping/Recording & Party Exception) | Qualtrics/Microsoft acted as 3rd parties, intercepted data | Only acted as Kaiser’s agent/extension; no actual wiretapping or device | Some CIPA claims survive, some dismissed in part |
| CFAA (Computer Fraud/Abuse) | Loss of data value is actionable; threat to safety alleged | No cognizable CFAA “loss” pled; data value diminution not covered | CFAA claims dismissed with prejudice |
| Unjust Enrichment | Defendants profited from personal data without compensation | No unjust enrichment; legal remedies available | Claim survives, may proceed as independent claim |
| UCL (Unlawful/Unfair Practices & Standing) | Loss of economically valuable data suffices for standing | Release of information not "money or property" under UCL | Plaintiff has UCL standing; claim survives |
| Statutory Larceny/Conversion | Data taken without consent, using misrepresentation | No theft or exclusive property interest, no misrepresentation alleged | Both claims dismissed |
Key Cases Cited
- Lee v. City of Los Angeles, 250 F.3d 668 (9th Cir. 2001) (consideration of materials outside pleadings at 12(b)(6) stage)
- Facebook, Inc. Internet Tracking Litig., 956 F.3d 589 (9th Cir. 2020) (standing for loss of value of personal data)
- Ashcroft v. Iqbal, 556 U.S. 662 (2009) (pleading standard for Rule 12(b)(6))
- Bell Atl. Corp. v. Twombly, 550 U.S. 544 (2007) (plausibility standard for pleadings)
- Warth v. Seldin, 422 U.S. 490 (1975) (liberal construction of standing at pleading stage)
- In re Zynga Privacy Litigation, 750 F.3d 1098 (9th Cir. 2014) (defining "contents" under the Wiretap Act/CIPA)
- Kremen v. Cohen, 337 F.3d 1024 (9th Cir. 2003) (conversion and property rights in intangible objects)
- Kwikset Corp. v. Superior Court, 246 P.3d 877 (Cal. 2011) (UCL injury-in-fact and lost money or property)