Case Information
*1 UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA
SAN JOSE DIVISION JAY BRODSKY, еt al., Case No. 19-CV-00712-LHK Plaintiffs, ORDER GRANTING MOTION TO DISMISS WITH PREJUDICE v. Re: Dkt. No. 46 APPLE INC., Defendant.
Plaintiffs Jay Brodsky, Brian Tracey, Alex Bishop, Brendan Schwartz, William Richardson, and John Kyslowsky (“Plaintiffs”) bring this putative class action against Defendant Apple Inc. (“Apple”) for alleged privacy and property violations based on Apple’s two-factor authentication login tool. The Court previously granted Apple’s motion to dismiss the First Amended Complaint (“FAC”), but granted Plaintiffs leave to amend. ECF No. 40 (“Order”). Currently before the Court is Apple’s motion to dismiss Plaintiffs’ Second Amended Complaint (“SAC”). ECF No. 46 (“Mot.”). [1] Because the SAC fails to cure deficiencies previously identified *2 in the Court’s prior Order, the Court GRANTS Apple’s motion to dismiss with prejudice.
I. BACKGROUND
A. Factual Background
Plaintiffs are residents of New York, California, Ohio, Pennsylvania, Colorado, and Texas. ECF No. 43 ¶ 8 (“SAC”) . Apple is a California corporation that designs and sells products including iPhones, iPads, Macbooks, Apple TVs, and Apple Watches. Id. ¶¶ 9, 17. Once a consumer buys an Apple product, the Apple product is associated with the consumer’s Apple ID, which is an individual’s email address. Id. ¶¶ 20, 34. An Apple ID is required to use Apple services, such as FaceTime and iMessage. Id. ¶ 20.
Plaintiffs allege that Apple’s provision of two-factor authentication (“2FA”) as an Apple ID login process violates Plaintiffs’ right to privacy. Id. ¶ 1. As in the FAC, the SAC identically alleges that 2FA is enabled in three instances: “(i) a software update occurs on one of the Apple devices; (ii) on creаtion of a new Apple ID; or (iii) owner of the Apple device turns on two-factor authentication in the Settings.” Id. ¶ 35; see also FAC ¶ 16. When enabled, 2FA requires a multi-step login process before a user can access Apple services. First, the user must enter his Apple ID password on the Apple device on which the user wishes to use Apple services. SAC ¶ 42. Second, the user must enter his Apple ID password on a second trusted Apple device and wait to receive a six-digit verification code on the second Apple device. Id. Third, the user must enter the six-digit verification code on the first Apple device. Id. According to Plaintiffs, 2FA takes “2-5 or more minutes” than other login processes. ; see also FAC ¶ 17 (pleading identical allegations).
After 2FA is enabled, Apple will sometimes send an email to the user that explains that the user can disable 2FA: “If you didn’t enable two-factor authentication and believe someone else has access to your account, you can return to your previous security settings. This link and your issues to be decided must similarly be included in the motion’s pagination. See Civ. Loc. R. 7- 2(b)(4); 7-4(a)(3). Apple’s motion to dismiss also includes excessively long footnotes. One spans half a page. See Mot. at 10 n.5. *3 Apple ID security questions will expire on October 15, 2018.” SAC ¶ 61; FAC ¶ 18. Plaintiffs allege that the link allowing a user to disable 2FA expires within 14 days after 2FA’s enablement, and that afterwards, Plaintiffs cannot disable 2FA. SAC ¶¶ 2, 3, 61. The email also explains that 2FA “is an additional layer of security designed to ensure that you’re the only person who can access your account, even if someone knows your password” and that 2FA “significantly improves the security of your Apple ID and helps protect the photos, documents, and other data you store with Apple.” Id. ¶ 61.
Plaintiff Brodsky alleges that in September 2015, a software update enabled 2FA for Plaintiff Brodsky’s Apple ID. Id. ¶ 37. As in the FAC, the SAC includes the exact same allegations that “Plaintiff Brodsky’s Apple devices had a software update that enabled 2FA for Apple ID without his knowledge or consent on or around September of 2015.” .; see also FAC ¶ 19. Plaintiff Tracey alleges that “[o]n or around September 2017, 2FA was turned on for Plaintiff Tracey’s Apple ID after a software update on his Apple devices.” SAC ¶ 38. Specifically, Plaintiff Tracey alleges that “[h]e needs access to the latest software updates for his work,” but that “Apple does not provide an option to upgrade software without 2FA.” Id. Plaintiff Tracey, however, does not allege that he did not voluntarily consent to the software update that included enabling 2FA.
The SAC alleges that the remaining four Named Plaintiffs—Plaintiffs Bishop, Schwartz, Richardson, and Kyslowsky—“do not remember when 2FA was enabled for them.” Id. ¶ 39. Instead, the SAC alleges the following as to the remaining four Named Plaintiffs. As to Plaintiff Bishop, the SAC alleges that on or around January 2019, “based on an unforeseen consequence outside of his control,” Plaintiff Bishop “lost access to his trusted device to receive his 2FA passcode.” Id . ¶ 48. Plaintiff Bishop could not access Apple services using Apple ID “for days.” Id.
As to Plaintiff Schwartz, the SAC alleges that Plaintiff Schwartz lost his second trusted Apple device “based on events outside of his control.” ¶ 49. Then, Apple placed Plaintiff *4 Schwartz in its account recovery process and Plaintiff Schwartz could not use his Apple ID “for months.” Id.
As to Plaintiff Richardson, the SAC alleges that Plaintiff Richardson “was locked out of [his devices] when he could not recollect offhand his password on one of the devices on or around April 2019.” Id. ¶ 50. Plaintiff Richardson allegedly lost access to his downloaded and purchased data and spent $219.94 installing new hardware and software. Id.
As to Plaintiff Kyslowsky, the SAC does not include any details about when, how, or why he was locked out of his Apple devices.
Plaintiffs, however, do assert that they paid for third-party apps in “monthly, yearly, or one-time subscription[s]” and that 2FA “intercepts access to Third-Party Apps” and Apple services. Id. ¶¶ 21, 46, 51. According to Plaintiffs, 2FA thereby “virtually dispossesse[s]” Plaintiffs of their access to these third-party apps and Apple services for the duration of time necessary to login through 2FA. Id. ¶¶ 44, 46. B. Procedural History On February 8, 2019, Plaintiff Brodsky filed the instant case against Apple. ECF No. 1. On March 29, 2019, Plaintiffs filed the FAC, which added Tracey, Bishop, and Schwartz as named Plaintiffs. The FAC alleged five causes of action: (1) trespass to chattels, FAC ¶¶ 47-52; (2) violation of the California Invasion of Privacy Act (“CIPA”), California Penal Code § 631, id. ¶¶ 53-56; (3) violation of the California Computer Crime Law (“CCCL”), California Penal Code § 502, id. ¶¶ 57-69; (4) violation of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, id. ¶¶ 70-78; and (5) unjust enrichment, id. ¶¶ 79-81. Plaintiffs brought suit on behalf of the following putative class:
All persons or entities in the United States who own or owned an Apple Watch, iPhone, iPad, MacBook, or iMac or use Apple Services that have enabled two-factor authentication (“2FA”), subsequently want to disable 2FA, and are not allowed to disable 2FA. ¶ 29. The class period began “when Apple introduced 2FA in 2015.” Id. ¶ 28.
26
On May 1, 2019, Apple filed a motion to dismiss Plaintiffs’ FAC. ECF No. 32. On May 27 4
*5 15, 2019, Plaintiffs filed an opposition. On May 22, 2019, Apple filed a reply in support of its motion to dismiss. ECF No. 37.
On May 15, 2019, the parties filed a joint case management statement. ECF No. 35. In the joint case management statement, Apple asked the Court to stay discovery until after the Court determines whether Plaintiffs can state a claim. Id. at 6. On May 16, 2019, the Court stayed discovery “until the Court orders otherwise.” ECF No. 36.
On August 30, 2019, the Court granted Apple’s motion to dismiss all five of Plaintiffs’ causes of action. ECF No. 40 (“Order”). First, the Court dismissed Plaintiffs’ claim for trespass to chattels for two reasons. Id . at 5-8. Plaintiffs did not adequately allege a claim for trespass to chattels because “Plaintiff [did] not allege facts to indicate that Plaintiffs failed to authorize the enablement of 2FA.” . at 6. Specificаlly, the Court concluded that the FAC “allege[d] that 2FA is enabled when an Apple ID user voluntarily turn[ed] on 2FA, install[ed] a software update, or create[d] a new Apple ID,” but that “[n]one of those means to enable 2FA permit[ted] Apple to enable 2FA unilaterally and without Plaintiffs’ authorization.” Id. Plaintiff Brodsky did not allege whether he read or reviewed the software update or “whether the message disclosed that the update would enable 2FA.” Id. at 7. Additionally, the Court held that Plaintiffs had not alleged that any trespass harmed Plaintiffs as required under binding California Supreme Court precedent. Id. Rather, Plaintiffs only pleaded that “each login process [took] an additional estimated 2-5 more minutes with 2FA,” and such allegations were “plainly insufficient to allege the requisite showing of harm.” Id. In situations where Plaintiffs argued that they “suffer[ed] longer dispossessions,” the Court nonetheless concluded that Apple did not proximately cause Plaintiffs’ dispossession from their Apple devices or services because the FAC “d[id] not allege that Apple or 2FA led Plaintiffs to lose access to their trusted devices.” Id. at 8. Rather, the FAC simply alleged that Plaintiffs lost access based on events “outside of [their] control.” Id. Accordingly, the Court granted Apple’s motion to dismiss Plaintiffs’ trespass to chattels claim under California law.
Second, the Court dismissed Plaintiffs’ claim for violating the CIPA, again for two *6 reasons. The Court noted that “[t]he CIPA is an anti-wiretapping statute that is violated when a person, without authorization, ‘reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable.’” Id. at 9 (quoting Cal. Penal Code § 631(a)). The CIPA, however, “prohibit[s] only third party access to ongoing communications,” and “the only communications that Plaintiffs allege Apple ‘intercepted’ are Plaintiff’s communications to Apple.” Id. at 9-10 (quotation marks omitted). Furthermore, the Court concluded that Plaintiffs “also failed to identify the contents of any communication that Apple allegedly intercepted, as required to state a claim under the CIPA” because Plaintiffs’ “login activities,” such as usernames and passwords, did not qualify as “contents” under prevailing law. Id. at 10-11. As a result, the Court granted Apple’s motion to dismiss Plaintiffs’ CIPA claim. Third, the Court addressed Plaintiffs’ claims under the federal CFAA. Id. at 11-14.
Relying on binding Ninth Circuit precedent, the Court concluded that “the plain language of the CFAA target[s] the unauthorized procurement or alteration of information not its misuse or misappropriation,” and that under the CFAA, “Plaintiffs must also plead that Apple’s actions caused loss of more than $5,000 during any one-year period.” Id. at 12 (quotation marks omitted). On this basis, the Court dismissed Plaintiffs’ CFAA claims because Plaintiffs authorized 2FA through voluntary software updates. Id. at 13. Insofar as Plaintiffs “attеmpt[ed] to allege that Apple exceeded Plaintiffs’ authorization,” this argument also failed because Plaintiffs had not alleged that they “revoked any consent for Apple’s servers to receive Plaintiffs’ login activities.” Id. at 13. Importantly, the Court noted that “Plaintiffs also d[id] not explain how Apple’s access to Plaintiffs’ ‘login activities’ via 2FA [was] at all different from Apple’s access to such login activities when Plaintiffs employ a different Apple ID login method.” Id. Finally, the Court also disposed of Plaintiffs’ CFAA claims because Plaintiffs failed to plead $5,000 in damages over a one-year period. at 14. Therefore, the Court granted Apple’s motion to dismiss Plaintiffs’ CFAA claims.
Fourth, the Court dismissed Plaintiffs’ claims under the CCCL. . at 14-16. The Court *7 held that “the CCCL prohibits only access or disruptions to a computer system that are ‘without permission,’” and that “a defendant acted without permission . . . [when] the offending software was designed in such a way to render ineffective any barriers the Plaintiffs must wish to use to prevent access to their information.” Id. at 15 (quotation marks omitted). Because Plaintiffs did not offer any allegations about how Plaintiffs attempted to prevent 2FA’s access to their information, Plaintiffs’ CCCL claims failed. Id. Additionally, Plaintiffs’ CCCL claims failed because the FAC “merely parrot[ed] the language of the CCCL,” and such “boilerplate allegations also provide[d] a reason to dismiss Plaintiffs’ CCCL claims.” Id. at 15-16. As a result, the Court granted Aрple’s motion to dismiss Plaintiffs’ CCCL claims.
Fifth, the Court analyzed Plaintiffs’ unjust enrichment claim under California law. Id. at 16-17. California law, however, “does not recognize a separate cause of action for unjust enrichment.” Id. at 16 (citation omitted). Though “courts have [sometimes] construed purported claims for unjust enrichment as quasi-contract claims seeking restitution,” “Plaintiffs’ FAC include[d] no allegation that Apple is liable in quasi-contract.” Id. at 16-17. Therefore, the Court granted Apple’s motion to dismiss Plaintiff’s unjust enrichment claims. Sixth, in the alternative, the Court found that Plaintiffs’ claims under the CIPA, CFAA, and CCCL were time-barred. Id. at 17-19. “The longest applicable statute of limitations [was] three years,” but Plaintiffs only brought suit “approximately three and a half years after Plaintiff Brodsky alleges that he enabled 2FA on his Apple devices.” Id. at 17. Additionally, the continuous accrual doctrine, the continuing violation doctrine, and the delayed discovery rule did not apply and thus did not save Plaintiffs’ CIPA, CFAA, and CCCL claims. . at 18-19.
Finally, as to Plaintiffs’ common law claims—namely the trespass to chattels and unjust enrichment claims—the Court found that the FAC failed to satisfy Rule 8. Id. at 20. Specifically, Plaintiffs had not alleged their states of residence or which state’s law applied to each of Plaintiffs’ common law claims such that “Apple [could not] adequately defend itself, nor [could] the Court assess the sufficiency of Plaintiffs’ claims.” The Court directed Plaintiffs to “amend their pleading to specify their states of residence and clarify under which state’s common law Plaintiffs *8 bring their trespass to chattels and unjust enrichment claims.” Id. The Court also noted that “[f]ailure to cure the deficiencies identified herein or in Apple’s motion to dismiss will result in dismissal with prejudice. Id.
On September 26, 2019, Plaintiffs filed the SAC. ECF No. 43. The SAC adds two new Named Plaintiffs, William Richardson and John Kyslowsky, who are residents of Colorado and Texas respectively. Id . ¶ 8. The SAC also alleges that Plaintiff Brodsky is a New York resident, Plaintiff Tracey is a California resident, Plaintiff Bishop is an Ohio resident, and Plaintiff Schwartz is a Pennsylvania resident. Id . Additionally, the SAC alleges that California law applies to all of Plaintiffs’ claims based on a choice of law provision in Apple’s terms and use agreements. Id. ¶ 15; see also id . ¶ 76 (“California’s substantive laws including common law apply to every member of the Class, regardless of where in the United States the Class Member resides based on Apple’s ‘Controlling Law’ provisions in its Terms and Conditions agreements for all of its products and services.”). The SAC also alleges that Plaintiffs’ states of residence “have the substantively same laws for common law claims at issue here, i.e. , trespass of [sic] chattels and unjust enrichment claims,” such that “applying California law for common law claims is appropriate here because the differences of application will not be substantive.” . ¶ 77. Additionally, the SAC now pleads that Plaintiffs pay for third-party apps in “monthly, yearly, or one-time subscription[s].” Id. ¶ 21. Plaintiffs also assert that 2FA “intercepts access to Third-Party Apps” and Apple services, id. ¶¶ 46, 51, just as Plaintiffs previously argued that “Apple has ‘intercepted’ the user’s communication with the Apple service,” Order at 11; see id . (“However, if a user cannot access an Apple service like FaceTime due to 2FA, as Plaintiffs allege, the user cannot create any communication over FaceTime for Apple to ‘intercept.’”). The SAC also adds a new allegation that “[b]y filing . . . this lawsuit, Plaintiffs hereby revoke any authorization Apple may have to continue to operate 2FA on Apple Devices.” ¶ 65.
Based on these allegations, the SAC realleges the same five causes of action as the FAC: (1) trespass to chattels, id . ¶¶ 94-100; (2) violation of the California Invasion of Privacy Act (“CIPA”), California Penal Code § 631, id. ¶¶ 101-05; (3) violation of the California Computer *9 Crime Law (“CCCL”), California Penal Code § 502, id. ¶¶ 106-18; (4) violation of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, id. ¶¶ 119-128; and (5) unjust enrichment, id. ¶¶ 129-33. Plaintiffs again bring suit on behalf of the following putative class:
All persons or entities in the United States who own or owned an Apple Watch, iPhone, iPad, MacBook, or iMac or use Apple Services that have enabled two-factor authentication (“2FA”), subsequently want to disable 2FA, and are not allowed to disable 2FA.
Id. ¶ 71. The class period began “when Apple introduced 2FA in 2015.” Id. ¶ 70. In the SAC, Plaintiffs again seek to represent subclasses as in the FAC. Id . ¶¶ 72-73. The SAC, however, includes a new subclass whereby Plaintiffs Richardson and Kyslowsky seek to represent an analogous subclass of “senior persons in the United States.” ¶ 74.
On October 22, 2019, Apple filed the instant motion to dismiss Plaintiff’s SAC. ECF No. 46 (“Mot.”). On November 5, 2019, Plaintiffs filed an opposition. ECF No. 47 (“Opp.”). On November 19, 2019, Apple filed a reply. ECF No. 50 (“Reply”). II. LEGAL STANDARD A. Motion to Dismiss Under Federal Rule of Civil Procedure 12(b)(6) Rule 8(a)(2) of the Federal Rules of Civil Procedure requires a complaint to include “a short and plain statement of the claim showing that the pleader is entitled to relief.” A complaint that fails to meet this standard may be dismissed pursuant to Federal Rule of Civil Procedure
12(b)(6). The United States Supreme Court has held that Rule 8(a) requires a plaintiff to plead
“enough facts to state a claim to relief that is plausible on its face.”
Bell Atlantic Corp. v.
Twombly
,
B. Leave to Amend
If the Court determines that a complaint should be dismissed, it must then decide whether
to grant leave to amend. Under Rule 15(a) of the Federal Rules of Civil Procedure, leave to
amend “shall be freely given when justice so requires,” bearing in mind “the underlying purpose
of Rule 15 to facilitate decisions on the merits, rather than on the pleadings or technicalities.”
Lopez v. Smith
,
III. DISCUSSION
Apple moves to dismiss each of Plaintiffs’ claims for failure to state a claim. Apple also contends that certain claims are fail to satisfy Rule 8’s pleading standard or are barred by the *11 statute of limitations. The Court first addresses the sufficiency of each of Plaintiffs’ individual claims before turning to Apple’s other arguments.
A. Claim for Trespass to Chattels
Plaintiffs allege that Apple committed trespass to chattels because Apple “interfered with Plaintiffs and Class Members’ possessory interest of their one or more Apple devices by requiring an extraneous login process through two-factor authentication that is imposed on Plaintiffs and Class members without authorization or consent.” SAC ¶ 96.
As an initial matter, the Court notes that the SAC alleges that California law applies to all of Plaintiffs’ claims based on a choice of law provision in Apple’s terms and use agreements. ¶ 15; see also id . ¶ 76 (“California’s substantive laws including common law apply to every member of the Class, regardless of where in the United States the Class Member resides based on Apple’s ‘Controlling Law’ provisions in its Terms and Conditions agreements for all of its products and services.”). For Plaintiffs’ common law claims—namely their claims for trespass to chattels and unjust enrichment—Plaintiffs allege that they bring those claims under the common law of New York, Ohio, Pennsylvania, Colorado, and Texas “[i]n the alternative.” Id. ¶¶ 95, 130. However, the SAC also alleges that Plaintiffs’ states of residence “have the substantively same laws for common law claims at issue here, i.e. , trespass of [sic] chattels and unjust enrichment claims,” such that “applying California law for common law claims is appropriate here because the differences of application will not be substantive.” . ¶ 77.
Furthermore, in any event, Apple argues in its motion to dismiss that Plaintiffs’ common law claims must be dismissed insofar as those claims rely on non-California law. See Mot. at 10 n.5, 24 n.7. Plaintiffs do not respond to Apple’s arguments, and as such, Plaintiffs have abandoned their common law claims premised on non-California law. Moore v. Apple, Inc. , 73 F. Supp. 3d 1191, 1205 (N.D. Cal. 2014) (stating that a failure in an opposition to address arguments raised in a motion to dismiss constitutes abandonment of the claim, which results in dismissal with prejudice). Accordingly, the Court proceeds to analyze Plaintiffs’ common law claims under *12 California law.
Under California law, trespass to chattels “lies where an intentional interference with the
possession of personal property has proximately caused injury.”
Intel Corp. v. Hamidi
, 30 Cal.
4th 1342, 1350-51 (2003). To state a trespass to chattels claim, a plaintiff must plead that “(1) the
defendant intentionally and without authorization interfered with plaintiff’s possessory interest in
the computer system; and (2) defendant’s unauthorized use[] proximately caused damage.”
In re
Facebook Internet Tracking Litig.
,
As with the previous motion to dismiss, Apple argues that (1) Apple did not enable 2FA without Plaintiffs’ authorization; and (2) Plaintiffs have not alleged that Apple damaged Plaintiffs. The Court addresses each argument in turn. 1. Plaintiffs Have Not Alleged that 2FA was Enabled Without Plaintiffs’ Authorization First, Apple contends that Plaintiffs consented to 2FA, and thus, that any interference with
possession was authorized. Under
Hamidi
, a trespass only occurs where an interference is
“unauthorized.”
As a result, what the Court is left with are the same allegations that were previously found wanting in the Court’s prior Order. Here, Plaintiffs again do not allege facts that Plaintiffs failed to authorize the enablement of 2FA. Rather, just like the FAC, the SAC identically alleges that 2FA is enabled in three instances: when an Apple ID user voluntarily turns on 2FA, installs a *13 software update, or creates a new Apple ID. SAC ¶ 35; FAC ¶ 16. As the Court previously concluded, “[n]one of those means to enable 2FA permits Apple to enable 2FA unilaterally and without Plaintiffs’ authorization.” . at 6.
Plaintiffs nevertheless persist and argue that they had “no notice оf [the] 2FA feature
upgrade.” Opp. at 6. To be sure, as the Court noted in its prior Order, courts have recognized that
“consent to enter may be limited and that a trespass claim may lie when the scope of consent is
exceeded.”
In re Apple Inc. Device Performance Litig.
(“
In re Apple
”),
update that allegedly enabled 2FA on his phone, nor about whether Plaintiff Brodsky read or
reviewed the message that accompanied the update and whether the message disclosed that the
update would enable 2FA.
Id.
¶ 37. Nor has Plaintiff Tracey alleged any facts related to his
alleged involuntary enablement of 2FA through voluntary software updates.
Id.
¶ 38. Plaintiffs’
bald assertions in the SAC that they did not consent to enabling 2FA is a legal conclusion not
entitled to the presumption of truth.
See In re Gilead Scis. Sec. Litig.
,
2. Plaintiffs Have Not Alleged That Any Trespass Harmed Them
Second, Plaintiffs’ claim for trespass to chattels fails because Plaintiffs have again failed to
allege that Apple harmed Plaintiffs through 2FA. The California Supreme Court has explained
that, “while a harmless use or touching of personal property may be a technical trespass (see Rest.
2d of Torts, § 217), an interference (not amounting to dispossession) is not actionable under
*14
modern California and broader American law without a showing of harm.”
Intel Corp.
, 30 Cal.
4th at 1350-51. In the context of a trespass to a computer system, a plaintiff must allege “that the
purported trespass: (1) caused physical damage to the personal property, (2) impaired the
condition, quality, or value of the personal property, or (3) deprived plaintiff of the use of personal
property for a substantial time.”
Fields v. Wise Media, LLC
,
Plaintiffs argue that the SAC adequately alleges harm because Plaintiffs are “blocked 100%” for “ongoing short periods of time when 2FA is triggered” or “when not connected to the internet” and because they are “lock[ed] out for days . . . when access to a trusted device to receive 2FA is lost.” Opp. at 8. However, as in the FAC, the SAC only alleges that 2FA takes “2-5 or more minutes” than other login processes. SAC ¶ 42. Plaintiffs’ allegations are insufficient to allege the requisite showing of harm. In In re
iPhone Application Litigation , this Court concluded thаt Apple programs that consumed the devices’ memory and “shortened the[ir] battery life” were insufficient to state a claim. 844 F. Supp. 2d 1040, 1069 (N.D. Cal. 2012). The allegations did not suggest that Apple’s trespass “caused an interference with the intended functioning” of the devices. ; see also Hamidi , 30 Cal. 4th at 1347 (holding that trespass to chattels “does not encompass, and should not be extended to encompass, an electronic communication that neither damages the recipient computer system nor impairs its functioning”).
In the instant case, as the Court previously held, a delay of 2-5 minutes does not impair the
functioning of Plaintiffs’ Apple devices or Apple IDs. Order at 7;
In re iPhone Application Litig.
,
Furthermore, as recognized in the Court’s earlier Order, insofar as Plaintiffs contend that
*15
Plaintiffs suffer longer dispossessions, any such allegations fail to adequately allege proximate
causation. Order at 8. Plaintiffs offer no new argument as to how their pleading adequately
alleges proximate causation. Instead, the SAC includes the same or nearly identical allegations as
the FAC, and Plaintiffs fail to allege that Apple or 2FA led Plaintiffs to lose acсess to their trusted
devices. Rather, Plaintiff Bishop lost access to his trusted device “based on an unforeseen
consequence outside of his control,” and Plaintiff Schwartz lost access to his trusted device “based
on events outside of his control.” SAC ¶¶ 48-49. As to Plaintiff Richardson, the SAC alleges that
he “was locked out of [his devices] when he could not recollect offhand his password on one of
the devices on or around April 2019.” ¶ 50. In none of these instances did Apple or 2FA cause
Plaintiffs’ dispossession from their Apple devices and Apple services.
See Thrifty-Tel, Inc. v.
Bezenek
,
B. Claim for Violation of the California Information Privacy Act (“CIPA”) The Court next addresses Plaintiffs’ CIPA claim. Plaintiffs allege that Apple violated the CIPA because via 2FA, “Apple, by injecting itself in the process by requiring extra logging [sic] steps, has acquired without authorization confidential electronic communication owned by *16 Plaintiffs and Class Members.” SAC ¶ 102.
The CIPA is an anti-wiretapping statute that is violated when a person, without
authorization, “reads, or attempts to read, or to learn the contents or meaning of any message,
report, or communication while the same is in transit or passing over any wire, line, or cable.”
Cal. Penal Code § 631(a). The CIPA was “passed to protect against the invasion of privacy,”
Matera v. Google Inc.
,
In the instant case, Plaintiffs contend that 2FA violates Plaintiffs’ privacy rights under the
CIPA. Apple responds that (1) the CIPA prohibits only a third party’s interceptions and that
Apple is not a third party; and (2) Plaintiffs fail to allege the contents of any communications that
Apple intercepted. The Court addresses each argument in turn.
1. Plaintiffs Have Failed To Allege That Apple Was Not A Party To The
Communications
Courts have interpreted the CIPA to prohibit only “third party access to ongoing
communications.”
In re Facebook Internet Tracking Litig.
,
Servs. Ltd. P’Ship
,
Plaintiffs disagree and argue that CIPA liability attaches “irrespective of whether Apple is
a party.” Opp. at 11. Plaintiffs again rely on
Ramos v. Capitol One, N.A.
,
27 16
*17 communications that Plaintiffs send to Apple’s servers.
In the alternative, Plaintiffs contend that Apple is not a party to Plaintiffs’ communications. . Plaintiffs, however, do not cite to any allegations in the SAC for this argument. Instead, Plaintiffs simply point to two tables that appear only in their opposition brief. Opp. at 11-12. Plaintiffs assert that these two tables allegedly demonstrate that Apple is not a party to Plaintiffs’ communications. The tables are reproduced below: *18 Even if the Court considers Tables 2 and 3, which are not pleaded in the SAC, the Court nonetheless concludes that Plaintiffs fail to allege that Apple was a third party to Plaintiffs’ communications. Table 2 allegedly shows what happens when users attempt to access a third- party app with 2FA enabled. Table 3 purportedly shows what happens when users attempt to access a third-party app with 2FA disabled. However, regardless of whether 2FA is enabled or disabled, users must still communicate with Apple, who “passes through the [user’s] request” to the third-party app. Opp. at 12 (Table 3). Nothing in Tables 2 or 3 suggest that Apple is a third party to communications. Instead, Tables 2 and 3 confirm that the only communications that Plaintiffs argue Apple “intercepted” are Plaintiffs’ communications to Apple. As in In re Facebook , Apple cannot intercept communications to which Apple is already a party. Thus, Plaintiffs have not alleged a violation of the CIPA. 2. Plaintiffs Have Failed To Allege The Contents Of Any Intercepted Communication Second, Plaintiffs have also failed to identify the contents of any communication that
Apple allegedly intercepted, as required to state a claim under the CIPA.
See
Cal. Penal Code
§ 631(a) (prohibiting unauthorized access of the “contents” of any communication). “The analysis
for a violation of CIPA is the same as that under the federal Wiretap Act.”
Cline v. Reetz-Laiolo
,
Under the Wiretap Act, the term “contents” is defined as “any information concerning the
substance, purport, or meaning of that communication.” 18 U.S.C. § 2510. The Ninth Circuit has
held that “record information regarding the characteristics of the message that is generated in the
course of the communication” does not qualify as “contents.”
In re Zynga Privacy Litig.
, 750 F.3d
1098, 1106 (9th Cir. 2014). Record information, the Ninth Circuit explained, “includes the name,
address, and subscriber number or identity of a subscriber or customer.” . (quotation marks
omitted). Accordingly, text messages qualify as contents under the Wiretap Act.
In re Carrier
IQ, Inc.
,
*19
In the instant case, Plaintiffs allege that Apple intercepted Plaintiffs’ “requests” to “access
to Third-Party Apps” or presumably Plaintiffs’ user names and passwords. SAC ¶¶ 51-52.
However, as the Ninth Circuit has concluded, a CIPA claim cannot be predicated on such record
information.
In re Zynga Privacy Litig.
,
Additionally, in the Court’s prior Order, the Court rejected Plaintiffs’ argument that when 2FA prevents a user from accessing his Apple ID or services (such as when the user has lost his trusted device), Apple has “intercepted” the user’s communication with the Apple service. Order at 11. The Court explained that “if a user cannot access an Apple service like FaceTimе due to 2FA, as Plaintiffs allege, the user cannot create any communication over FaceTime for Apple to ‘intercept.’” Order at 11. Plaintiffs recycle that same argument in the SAC, but also allege that “[o]n information and belief, Apple also uses its 2FA to intercept content, such as photos, music and other files on Apple devices stored locally” and on third-party apps. SAC ¶ 51. This allegation, however, contradicts the other allegations in the SAC. First, the SAC’s allegation that Apple “uses its 2FA to intercept content, such as photos, music and other files on Apple devices stored locally” is incorrect. The SAC alleges that 2FA is simply a process for logging into an Apple ID, which is a separate process from accessing “files on Apple devices stored locally.” . ¶¶ 3, 51.
Second, in any event, Plaintiffs clarify in their opposition brief that the “photos, music[,] and other files . . . stored locally” are not in fact stored locally. Instead, Plaintiffs clarify that “photos, music[,] and other files . . . stored locally” actually refers to content in Apple Services and third-party apps. See Opp. at 12 (“SAC lists out and gives examples of different Apple Services and Third-Party Apps used by Plaintiffs. Undisputedly, these Apps and Services include Content. For example, Google drive includes files, photos with content hosted by third party, Google Servers.” (citations omitted)). However, as thе SAC alleges elsewhere, Apple’s *20 “intercepts access to Third-Party Apps” and Apple Services and “intercepts such requests and communications by interjecting 2FA in the process . . . when opening a Third-Party App” or Apple Services. Id . ¶¶ 51-52. As the Court previously held, “if a user cannot access a [service] like FaceTime [or other third-party apps] due to 2FA, as Plaintiffs allege, the user cannot create any communication . . . for Apple to ‘intercept.’” Order at 11. Therefore, just as in the FAC, the SAC fails to allege the contents of any communication that Apple intercepted.
Accordingly, the Court GRANTS Apple’s motion to dismiss Plaintiffs’ CIPA claim.
Plaintiffs failed to cure the same deficiencies the Court previously identified in its prior Order, and
any new allegations fail to justify a different conclusion. Order at 9-11. As the Court previously
warned, “failure to cure the deficiencies identified herein or in Apple’s motion to dismiss will
result in dismissal with prejudice.” . at 20. Furthermore, courts are justified in denying leave to
amend when a plaintiff “repeated[ly] fail[s] to cure deficiencies by amendments previously
allowed.”
Carvalho
,
The CFAA is an anti-hacking statute that creates liability where a defendant “intentionally
accesses a computer without authorization or exceeds authorized access,” and thus obtains
“information from any protected computer” or financial records. 18 U.S.C. § 1030(a)(2). The
CFAA also creates liability for “knowingly caus[ing] the transmission of a program, information,
code, or command, and as a result of such conduct, intentionally caus[ing] damage without
*21
authorization, to a protected computer.” § 1030(a)(5)(A)(i). Thus, “the plain language of the
CFAA target[s] the unauthorized procurement or alteration of information, not its misuse or
misappropriation.”
United States v. Nosal
,
Finally, the CFAA was enacted “primarily to address the growing problem of computer
hacking,” such that the en banc Ninth Circuit has favored an interpretation of the statute that
“maintаins the CFAA’s focus on hacking rather than turning it into a sweeping Internet-policing
mandate.”
Nosal
,
1. Plaintiffs Have Not Alleged That Any Access Was Unauthorized
First, both CFAA provisions under which Plaintiffs bring their claims apply only where a
defendant accesses or transmits a program to a computer “without authorization” or by “exceeding
authorized access.” “‘[A]uthorization,’” however, in the CFAA context, “is most naturally read in
reference to the
identity
of the person accessing the computer or website, not
how
access occurs.”
*22
hiQ Labs, Inc. v. LinkedIn Corp.
,
2. Plaintiffs Have Also Failed to Plead $5,000 in Damages Second, Plaintiffs have again failed to plead the requisite damages under the CFAA.
Plaintiffs contend that the SAC adequately alleges damages to satisfy the CFAA’s $5,000 requirement by “list[ing] the number of [A]pple devices owned, [A]pple services subscriptions[,] and access to third-party apps that are constructively disp[ossessed].” Opp. at 14. However, Plaintiffs cannot rely on these allegations regarding the full cost of their devices and services subscriptions because the gravamen of the SAC is that 2FA adds only an “additional estimated 2-5 or more minutes” to log in with Apple ID. SAC ¶ 42. Insofar as the SAC alleges that some Plaintiffs could not accеss Apple services or third-party apps for longer periods of time, Plaintiffs acknowledge that they either forgot their passwords or that they were locked out based on “events outside [their] control,” which cannot be attributed to Apple. Id. ¶¶ 48-50. Without more, the SAC does not adequately plead how Plaintiffs’ damages based on their devices, Apple services subscriptions, or third-party apps for 2-5 minutes satisfy the CFAA’s $5,000 loss during a one- year period requirement.
Plaintiffs’ only remaining damages allegation is that “Apple has collected personal information that has economic value to the Plaintiffs and Class Members, the unauthorized collection of which resulted in the deprivation or diminution of such economic value, causing Plaintiffs and Class Members to sustain . . . economic loss with an aggregated value of at least $5,000 during a one-year period.” . ¶ 126. Plaintiffs, however, do not rely on this allegation in their opposition, and for good reason. See Opp. at 13-14.
Recently, the Ninth Circuit decided a CFAA case where Plaintiffs’ “theory of loss [was]
that he and his fellow class members were denied the profits they might have received from
*24
commodifying the personal information that [the defendant] allegedly obtained through unlawful
means.”
Andrews v. Sirius XM Radio Inc.
,
Accordingly, the Court GRANTS Apple’s motion to dismiss Plaintiffs’ CFAA claims.
Plaintiffs failed to cure the same or similar deficiencies the Court previously identified in its prior
Order, and the SAC offers no new facts to justify a different conclusion. Order at 11-14. As the
Court previously warned, “failure to cure the deficiencies identified herein or in Apple’s motion to
dismiss will result in dismissal with prejudice.” . at 20. Furthermore, courts are justified in
denying leave to amend when a plaintiff “repeated[ly] fail[s] to cure deficiencies by amendments
previously allowed.”
Carvalho
,
D. Claims for Violation of the California Computer Crime Law (“CCCL”)
Next, the Court discusses Plaintiffs’ claims under the CCCL, Cal. Penal Code § 502. The
CCCL is also sometimes referred to as the California Comprehensive Computer Data Access and
Fraud Act and abbreviated as “CDAFA.”
Facebook, Inc. v. Grunin
,
Plaintiffs bring claims under five provisions of the CCCL, Cal. Penal Code §§ 502(c)(1),
(3)-(5), and (7). SAC ¶¶ 109-13. For each claim, Plaintiff alleges that Apple “knowingly and
*25
without permission” accessed, altered, or otherwise disrupted Plaintiffs’ Apple devices.
Id
. Case
law suggests that Plaintiffs’ CCCL claims rise or fall with Plaintiffs’ CFAA claims because “the
necessary elements of Section 502 do not differ materially from the necessary elements of the
CFAA,” except in terms of damages.
Multiven, Inc. v. Cisco Sys., Inc.
,
Like the CFAA, the CCCL prohibits only access or disruptions to a computer system that
are “without permission.” This means that, like a CFAA claim, a CCCL claim cannot be based
simply on the method by which a defendant accesses a computer if the defendant otherwise has
authorization to access the computer. As the Ninth Circuit held, “taking data using a
method
prohibited by the applicable terms of use, when the taking itself generally is permitted, does not
violate the [CCCL].”
Oracle USA
,
*26
Furthermore, Plaintiffs’ CCCL claims fail for an additional reason. As the Court
previously held, “Plaintiffs’ specific CCCL claims all merely parrot the language of the CCCL.”
Order at 15. As before, the SAC includes the same exact allegations that the Court previously
found insufficient in the FAC. Plaintiffs allege that “Apple knowingly and without permission has
used and caused to be used Plaintiffs’ and Class Members’ Apple Services and Third-Party Apps
configured on their Apple devices.” SAC ¶ 110; FAC ¶ 61. This allegation mirrors the language
of California Penal Code § 502(c)(5), which renders liable a defendant who “[k]nowingly and
without permission uses or causes to be used computer services.” Cal. Penal Code § 502(c)(5).
Plaintiffs have simply inserted their Apple services and third-party apps in place of “computer
services.” For example, the SAC includes no factual allegations about how it is even possible for
Apple to “use” a third-party app on Plaintiffs’ devices—particularly if Plaintiffs’ are “locked” out
of their devices. These boilerplate allegations also provide a reason to dismiss Plaintiffs’ CCCL
claims.
See Gonzales v. Uber Techs., Inc.
,
E. Claim for Unjust Enrichment
Plaintiffs’ fifth and final claim is for unjust enrichment. SAC ¶¶ 129-33. However,
California does not recognize a separate cause of action for unjust enrichment.
See Hill v. Roll
*27
Int’l Corp.
,
In some circumstances, courts have construed purported claims for unjust enrichment as
quasi-contract claims seeking restitution.
Astiana v. Hain Celestial Grp., Inc.
,
Here, the SAC alleges that “Plaintiffs have a contract with Apple pursuant to the Terms of Use of Apple Devices and Services that is breached by Apple’s interference as alleged,” SAC ¶ 131, but the SAC does not plead any allegations suggesting that this contract is unenforceable or invalid. Plaintiffs, however, contend that they are entitled to plead alternative or inconsistent theories of recovery under Federal Rule of Civil Procedure 8(d)(2). Opp. at 15.
To be sure, Rule 8 allows a party to set out two or more claims hypothetically and
regardless of consistency. Fed. R. Civ. P. 8(e)(2)-(3). However, “[e]ven though [Rule 8] of the
Federal Rules of Civil Procedure allows a party to state multiple, even inconsistent claims, it does
not alter a substantive right between the parties and accordingly does not allow a plaintiff invoking
state law to an unjust enrichment claim while also alleging an express contract.”
Deras
, 2018 WL
2267448, at *3 (quoting
Gerlinger v. Amazon.com, Inc.
,
Accordingly, the Court GRANTS Apple’s motion to dismiss Plaintiffs’ unjust enrichment
claim. Plaintiffs failed to cure similar deficiencies the Court previously identified in its prior
Order, and the SAC offers no new facts to justify a different conclusion. Order at 16-17. As the
Court previously warned, “failure to cure the deficiencies identified herein or in Apple’s motion to
dismiss will result in dismissal with prejudice.” . at 20. Furthermore, courts are justified in
denying leave to amend when a plaintiff “repeated[ly] fail[s] to cure deficiencies by amendments
previously allowed.”
Carvalho
,
F. Rule 8 and Statutes of Limitations
Finally, the Court addresses Apple’s Rule 8 and statute of limitations argument. Apple notes that “[n]otwithstanding the opportunity to amend their Complaint, the SAC is silent as to when the Plaintiffs [Bishop, Schwartz, Richardson, and Kyslowsky] first enabled 2FA.” Mot. at 8, n.4. Additionally, Apple contends that Plaintiff Brodsky’s CIPA, CFAA, and CCCL claims are time-barred and that Plaintiff Tracey’s CIPA claim is time-barred. Mot. at 8-9.
Plaintiff Brodsky alleges that he enabled 2FA on his Apple devices in September 2015.
SAC ¶ 37. Plaintiff Tracey now alleges that he enabled 2FA on his Apple devices in September
2017. ¶ 38. Plaintiff Brodsky did not file the instant putative class action until February 8,
2019, approximately three and a half years after Plaintiff Brodsky alleges that he enabled 2FA on
his Apple devices and more than sixteen months after Plaintiff Tracey alleges that he enabled 2FA
on his Apple devices. ECF No. 1. As before, the remaining Named Plaintiffs—Plaintiffs Bishop,
Schwartz, Richardson, and Kyslowsky—do not allege when 2FA was enabled on their devices.
SAC ¶ 39;
see
Order at 17 (“However, in line with the overall vagueness of Plaintiffs’ FAC, [some
Named] Plaintiffs . . . do not allege when 2FA was enabled on their Apple devices.”).
The longest applicable statute of limitations is three years. Under the CIPA, the applicable
statute of limitations is one year.
Ion Equip. Corp. v. Nelson
,
1. Plaintiffs Bishop, Schwartz, Richardson, and Kyslowsky Fail to Satisfy Rule 8 For Their CIPA, CFAA, and CCCL Claims
*30 At the outset, the Court acknowledges that Apple has the burden of proof to support its statute of limitations defenses as to Plaintiffs Bishop, Schwartz, Richardson, and Kyslowsky. Opp. at 5. However, the issue with the SAC with regard to Plaintiffs Bishop, Schwartz, Richardson, and Kyslowsky is not a statute of limitations problem, but rather, a Rule 8 problem.
Courts often dismiss claims under Rule 8 when plaintiffs fail to allege approximately when
the actionable misconduct occurred.
See Mir v. City of Torrance
,
This is especially true here because Plaintiffs Bishop, Schwartz, Richardson, and
Kyslowsky do not allege when 2FA was enabled on their devices, and Apple has raised the non-
frivolous possibility of multiple statute of limitations defenses. The Court notes that a failure to
plead when any alleged misconduct occurred will not necessarily be fatal under Rule 8. However,
where, as here, an applicable statute of limitations defense has been raised and is non-frivolous,
Plaintiffs’ repeated failure to plead the approximate date of alleged misconduct fails to satisfy
Rule 8’s requirement to “contain sufficient allegations of underlying facts to give fair notice and to
enable the opposing party to defend itself effectively.”
Starr v. Baca
,
As a result, because the SAC does not plead when 2FA was enabled for Plaintiffs Bishop,
Schwartz, Richardson, and Kyslowsky and therefore fails to satisfy Rule 8’s pleading standard, the
Court dismisses Plaintiffs Bishop’s, Schwartz’s, Richardson’s, and Kyslowsky’s CIPA, CFAA,
and CCCL claims. These Plaintiffs failed to cure similar deficiencies the Court previously
identified in its prior Order, and the SAC offers no new facts to justify a different conclusion.
Order at 17-20. As the Court previously warned, “failure to cure the deficiencies identified herein
or in Apple’s motion to dismiss will result in dismissal with prejudice.” . at 20. Furthermore,
courts are justified in denying leave to amend when a plaintiff “repeated[ly] fail[s] to cure
deficiencies by amendments previously allowed.”
Carvalho
,
2. The Statute of Limitations Bars Plaintiff Brodsky’s CIPA, CFAA, and CCCL Claims and Plaintiff Tracey’s CIPA Claim
As noted previously, the CIPA’s statute of limitations is one year, the CFAA’s statute of limitations is two years, and the CCCL’s statute of limitations is three years. Therefore, because Plaintiff Brodsky enabled 2FA in September 2015, the statute of limitations ran for Plaintiff Brodsky’s CIPA claim in September 2016, his CFAA claims in September 2017, and his CCCL claims in September 2018. Thus, Plaintiff Brodsky’s CIPA, CFAA, and CCCL claims are time- barred. Similarly, because Plaintiff Tracey enabled 2FA in September 2017, the statute of *32 limitations ran for Plaintiff Tracey’s CIPA claim in September 2018 such that Plaintiff Tracey’s CIPA claim is also time-barred.
Acknowledging this, Plaintiffs contend that Plaintiff Brodsky’s CIPA, CFAA, and CCCL claims and Plaintiff Tracey’s CIPA claim are nonetheless timely pursuant to the continuous accrual doctrine, the continuing violation doctrine, and the delayed discovery rule. Opp. at 4-5. However, none of these doctrines apply to toll the relevant statutes of limitations.
a. The Continuous Accrual Doctrine Does Not Apply
Under California law, the continuous accrual doctrine recognizes that “a series of wrongs
or injuries may be viewed as each triggering its own limitations period, such that a suit for relief
may be partially time-barred as to older events . . . but timely as to those within the applicable
limitations period.”
Wolf v. Travolta
,
California courts have largely confined the application of the continuing accrual theory to
“a limited category of cases, including installment contracts, leases with periodic rental payments,
and other types of periodic contracts that involve no fixed or total payment amount.”
Lamont v.
Time Warner, Inc.
,
Plaintiffs made periodic payments for Apple Services and third-party apps. Plaintiffs, however,
do not argue that Apple brеached a continuing duty by unlawfully charging them for payments for
their Apple Services or third-party apps. Order at 18 (“The continuous accrual doctrine applies
where the defendant owes the plaintiff a continuing duty ‘susceptible to recurring breaches.’”
(quoting
Aryeh
,
*34
b. The Continuing Violation Doctrine Does Not Apply
Plaintiffs next argue that the continuing violation doctrine applies and thus tolls the
relevant statutes of limitations. Unlike the continuous accrual doctrine, the continuing violation
doctrine “renders an entire course of conduct actionable,” including wrongful аcts that would
otherwise be untimely.
Aryeh
,
Plaintiffs’ claims because “the continuing violation doctrine applies only where ‘a wrongful
course of conduct [becomes]
apparent
only through the accumulation of a series of harms.’”
Order at 19 (quoting
Aryeh
,
c. The Delayed Discovery Rule Does Not Apply
Finally, as before, Plaintiffs cannot rely on the delayed discovery rule. Under the delayed
discovery rule, “the accrual of the action may be postponed and the running of the limitations
period tolled until the plaintiff discovers, or has reason to discover the cause of action.”
Quarry v.
Doe I
,
IV. CONCLUSION
For the foregoing reasons, the Court GRANTS Apple’s motion to dismiss with prejudice. *36 IT IS SO ORDERED.
Dated: April 7, 2020
______________________________________ LUCY H. KOH United States District Judge
Notes
[1] Apple’s motion to dismiss contains a notice of motion that is separately paginated from the memorandum of points and authorities in support of the motion. Civil Local Rule 7-2(b) provides that the notice of motion and points and authorities should be contained in one document with a combined limit of 25 pages. See Civ. Loc. R. 7-2(b). Additionally, Apple’s statement of the