McDonald v. Aps
385 F. Supp. 3d 1022
N.D. Cal.2019Background
- Parents filed putative class actions against game developer defendants (Disney, Viacom, Kiloo, Sybo) and SDK/ad-tech vendors (e.g., Flurry, AdColony, Vungle, Kochava), alleging apps for children secretly collected persistent device identifiers and other personal data and monetized it for targeted advertising.
- Complaints allege SDKs embedded in apps exfiltrated identifiers (IDFA, IDFV, AAID, IMEI), IP, device fingerprinting, timestamps, and geolocation; SDKs retained, shared, and used this data for profiling and ad attribution.
- Plaintiffs asserted state-law claims: intrusion upon seclusion (California common law), California constitutional privacy, New York GBL § 349, California UCL, Massachusetts statutory privacy and Chapter 93A consumer claims (depending on plaintiff/state).
- Defendants moved to dismiss under Rule 12(b)(6) and some for lack of personal jurisdiction; plaintiffs amended complaints to avoid COPPA preemption concerns; the Court related but did not consolidate the cases.
- The court denied dismissal of the California intrusion and constitutional privacy claims and most consumer-protection claims (NY GBL, CA UCL) but granted dismissal (with leave to amend) on limited issues: Massachusetts 93A for the Massachusetts plaintiff (lack of alleged injury), deficient pleading as to multiple Flurry/Oath entities, lack of personal jurisdiction over Kochava, and lack of specific-jurisdiction allegations against Sybo for non-California plaintiffs.
Issues
| Issue | Plaintiff's Argument | Defendant's Argument | Held |
|---|---|---|---|
| Intrusion upon seclusion (California tort) | Apps and embedded SDKs secretly collected persistent, user-identifying data from children and used it for targeted ads; this is a highly offensive intrusion | Collecting device/browser data is routine commercial practice and not an egregious privacy invasion | Claim survives 12(b)(6): plaintiffs pleaded specific collection/use, offensiveness alleged; factual development required |
| California constitutional privacy claim | Parallels tort claim; secret tracking of children on phones is a serious invasion of privacy | Same as tort arguments; contend dismissal appropriate | Denied as duplicative/parallel to intrusion claim; survives at pleading stage |
| New York GBL § 349 (Kiloo & Disney) | Data collection/identification is consumer injury and deceptive practice actionable under § 349 | Insufficient allegation of actual harm or ability to link data to individuals (relying on PulsePoint/Mount) | Survives: plaintiffs alleged user-identifiable, persistent tracking and targeted-ad harms |
| California UCL (unlawful/unfair/fraudulent prongs) | Privacy invasions make advertising/monetization practices unlawful/unfair/fraudulent | Conduct is routine commercial behavior not violating UCL | Unlawful and unfair claims survive; fraudulent-omission pleaded with Rule 9(b) particularity |
| Massachusetts Chapter 93A & statutory privacy (Disney case) | Secret collection and monetization harmed Massachusetts plaintiff | Plaintiff Supernault alleged only free downloads (no monetary injury) | 214 §1B claim survives generally; 93A claim dismissed as to Supernault for lack of alleged injury (leave to amend) |
| Personal jurisdiction — Kochava (Idaho) | Plaintiffs argue Kochava knew apps would be used in California and contracts with CA entities suffice | Contacts insufficient: must be defendant-created forum contacts; plaintiff cannot be sole link | Dismissed for lack of specific jurisdiction; leave to amend given once more |
| Personal jurisdiction — Sybo (Denmark) for non-CA plaintiffs | Plaintiffs allege joint venture and data monetization benefiting Sybo in CA | Complaint lacks facts showing Sybo’s California-related conduct; contracting alone insufficient under Bristol-Myers Squibb | NY-resident GBL claim against Sybo dismissed for lack of specific jurisdiction; leave to amend |
| Corporate identification — Flurry/Oath entities | Plaintiffs originally lumped three entities together as "Flurry" | Defendants claim insufficiently pleaded distinct liability for each corporate entity | Complaint dismissed as to those named entities for failure to plead facts separating them; leave to amend |
Key Cases Cited
- Hill v. Nat’l Collegiate Athletic Ass’n, 7 Cal. 4th 1 (Cal. 1994) (elements and "egregious breach of social norms" test for constitutional privacy)
- Shulman v. Group W Prods., Inc., 18 Cal. 4th 200 (Cal. 1998) (intrusion-into-seclusion tort elements and offensiveness analysis)
- Hernandez v. Hillsides, Inc., 47 Cal. 4th 272 (Cal. 2009) (analyzing constitutional and common-law privacy claims together)
- Bell Atl. Corp. v. Twombly, 550 U.S. 544 (U.S. 2007) (plausibility pleading standard)
- Ashcroft v. Iqbal, 556 U.S. 662 (U.S. 2009) (pleading standard and rejection of conclusory allegations)
- Bristol-Myers Squibb Co. v. Superior Court, 137 S. Ct. 1773 (U.S. 2017) (limits on specific personal jurisdiction for nonforum plaintiffs)
- Sheehan v. San Francisco 49ers, Ltd., 45 Cal. 4th 992 (Cal. 2009) (caution about resolving privacy claims on demurrer without factual record)
- In re Nickelodeon Consumer Privacy Litig., 827 F.3d 262 (3d Cir. 2016) (privacy and tracking-cookie context considered; distinguished on facts)
- Carpenter v. United States, 138 S. Ct. 2206 (U.S. 2018) (observations on sensitivity of cell-phone/location data)