Case Information
UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA SAN JOSE DIVISION PATRICK CALHOUN, et al., Case No. 20-CV-05146-LHK Plaintiffs, ORDER GRANTING IN PART AND DENYING IN PART MOTION TO v. DISMISS WITH LEAVE TO AMEND Re: Dkt. No. 57 GOOGLE LLC, Defendant.
Plaintiffs Patrick Calhoun, Elaine Crespo, Hadiyah Jackson, and Claudia Kindler (collectively, “Plaintiffs”), individually and on behalf of all others similarly situated, sue Defendant Google LLC (“Google”). Before the Court is Google’s motion to dismiss Plaintiffs’ complaint. ECF No. 57. Having considered the parties’ submissions and oral arguments, the relevant law, and the record in this case, the Court GRANTS IN PART AND DENIES IN PART Google’s motion to dismiss with leave to amend.
I. BACKGROUND
A. Factual Background 1. Google’s Alleged Collection of Plaintiffs’ Data
26 Plaintiffs are users of Google’s Chrome browser who allege that they “chose not to ‘Sync’ 27 their [Chrome] browsers with their Google accounts while browsing the web . . . from July 27, 2016 to the present.” ECF No. 1 (“Compl.”) ¶ 1. Chrome’s Sync feature enables users to store their personal information by logging into Chrome with their Google account. Id . ¶ 39. [1]
Plaintiffs allege that “Chrome sends . . . personal information to Google when a user exchanges communications with any website that includes Google surveillance source code . . . regardless of whether a user is logged-in to Google Sync or not.” Id . ¶ 134 (emphasis omitted). According to Plaintiffs, Google’s code “is found on websites accounting for more than half of all internet tracking” and “Chrome is . . . used on a majority [59%] of desktop computers in the United States, giving Google unprecedented power to surveil the lives of more than half of the online country in real time.” Id . ¶¶ 9, 194.
Plaintiffs allege Google collects five different types of personal information: (1) “The user’s unique, persistent cookie identifiers”; (2) “The user’s browsing history in the form of the contents of the users’ GET requests and information relating to the substance, purport, or meaning of the website’s portion of the communication with the user”; (3) “In many cases, the contents of the users’ POST communications”; (4) “The user’s IP address and User-Agent information about their device”; and (5) The user’s X-Client Data Header. Id . ¶ 134. First, according to Plaintiffs, Google collects “[t]he user’s unique, persistent cookie identifiers.” Id . ¶ 134. “A cookie is a small text file that a web-server can place on a person’s web browser and computing device when that person’s web browser interacts with the website server.” Id . ¶ 55. According to Plaintiffs, “[c]ookies are designed to and, in fact, do operate as a means of identification for Internet users.” Id . ¶ 57. Plaintiffs allege that “Google uses several cookies to identify specific Internet users and their devices.” . ¶ 61. Plaintiffs further allege that “Google also engages in a controversial practice known as ‘cookie synching’ which further allows Google to associate cookies with specific individuals.” Id . ¶ 62.
Second, Plaintiffs allege that Google collects “[t]he user’s browsing history in the form of the contents of the users’ GET requests and information relating to the substance, purport, or meaning of the website’s portion of the communication with the user.” Id . ¶ 134. A GET request is one of “[t]he basic commands that Chrome uses to send the users’ side of a communication.” Id . ¶ 114. When a user types a website address or clicks a link to a website, “Chrome contacts the website . . . and sends a [GET request].” Id . ¶ 115. According to Plaintiffs, Chrome “[p]laces the contents of [a] GET . . . request in storage in the browser’s web-browsing history and short-term memory.” Id . ¶ 117. Chrome allegedly stores the contents of the communication “so that, if the user’s web-browser crashes unexpectedly, when the user re-starts their browser, the browser will be able to offer the user the ability to return to their last communications prior to the browser’s crash.” Id . ¶ 118. Third, Plaintiffs allege that Google collects “[i]n many cases, the contents of the users’ POST communications.” Id . ¶ 134. Like a GET request, a POST request is one of “[t]he basic commands that Chrome uses to send the users’ side of a communication.” Id . ¶ 114. “If . . . [a] user were filling out a form on [a] website and clicks a button to submit the information in the form, Chrome . . . makes [a] connection with the website server [and] . . . sends a ‘POST’ request that includes the specific content that the user placed in the form.” Id . ¶ 116. According to Plaintiffs, Chrome “[p]laces the contents of [a] . . . POST request in storage in the browser’s web- browsing history and short-term memory.” Id . ¶ 117. Chrome allegedly stores the contents of the communication “so that, if the user’s web-browser crashes unexpectedly, when the user re-starts their browser, the browser will be able to offer the user the ability to return to their last communications prior to the browser’s crash.” . ¶ 118.
Fourth, according to Plaintiffs, Google collects “[t]he user’s IP address and User-Agent information about their device.” Id . ¶ 134. “An IP address is a number that identifies a computer connected to the Internet.” . ¶ 47. “IP addresses of individual Internet users are used by Internet service providers, websites, and tracking companies to facilitate and track Internet communications.” Id . ¶ 50. Plaintiffs allege that “Google tracks IP addresses associated with specific Internet users” and “associate[s] specific users with IP addresses.” Id . ¶¶ 51–52. Plaintiffs further allege that “[b]ecause Google collects the IP Address and user agent information together, Google can identify a user’s individual device even if more than one device shares the same IP address.” Id . ¶ 54.
Finally, Plaintiffs allege that Google collects the user’s X-Client Data Header. Id . ¶ 134. The X-Client Data Header “is an identifier that when combined with IP address and user-agent, uniquely identifies every individual download version of the Chrome browser.” Id . ¶ 69. Plaintiffs allege that, as of March 6, 2018, the X-Client Data Header “is sent from Chrome to Google every time users exchange an Internet communication, including when users log-in to their specific Google accounts, use Google services such as Google search or Google maps, and when Chrome users are neither signed-in to their Google accounts nor using any Google service.” Id . ¶ 70. 2. Google’s Representations to Plaintiffs According to Plaintiffs, “Google expressly promises Chrome users that they ‘don’t need to provide any personal information to use Chrome,’ and that ‘[t]he personal information that Chrome stores won’t be sent to Google unless you choose to store that data in your Google Account by turning on sync[.]’” . ¶ 2. Conversely, Google contends that it explicitly disclosed
the alleged data collection. Mot. at 3–5. Four documents are of particular relevance regarding Google’s representations to users: (1) Google’s Terms of Service; (2) Google’s Privacy Policy; (3) Chrome’s Terms of Service; and (4) Chrome’s Privacy Notice. The Court discusses each document in turn.
First, as of March 31, 2020, Google’s Terms of Service stated that the “Terms of Service help define Google’s relationship with you as you interact with our services.” Compl. Exh. 4. Google’s Terms of Service state that “[u]understanding these terms is important because, by using our services, you’re agreeing to these terms.” . Prior versions of Google’s Terms of Service made similar statements.
From April 14, 2014 until March 31, 2020, Google’s Terms of Service invoked Google’s Privacy Policy as follows: “You can find more information about how Google uses and stores content in the privacy policy or additional terms for particular services.” Compl. Exh. 2, 3. As of March 31, 2020, Google’s Terms of Service explicitly excluded Google’s Privacy Policy: “Besides these terms, we also publish a Privacy Policy. Although it’s not part of these terms, we encourage you to read it to better understand how you can update, manage, export, and delete your information” Compl. Exh. 4.
Google’s Terms of Service also invoke Google’s service-specific terms and policies: “Next to each service, we also list additional terms and policies that apply to that particular service. The Terms of Service, additional terms, and policies define our relationship and mutual expectations as you use these services.” Id . Finally, Google’s Terms of Service state that “California law will govern all disputes arising out of or relating to these terms, service-specific additional terms, or any related services, regardless of conflict of laws rules.” Compl. Exh. 4. Second, Google’s Privacy Policy states: “[A]s you use our services, we want you to be clear how we’re using information and the ways in which you can protect your privacy.” Compl. Exh. 7. Google’s Privacy Policy states:
Our Privacy Policy explains:
• What information we collect and why we collect it.
• How we use that information.
• The choices we offer, including how to access and update information. .
Google’s Privacy Policy in effect from June 28, 2016 to August 29, 2016 made the following disclosures regarding Google’s collection of data from users: We collect information about the services that you use and how you use them, like when you . . . visit a website that uses our advertising services, or view and interact with our ads and content.
This information includes: . . . device-specific information (such as your hardware model, operating system version, unique device identifiers, and mobile network information including phone number). When you use our services or view content provided by Google, we automatically collect and store certain information in server logs, [including] details of how you used our service, such as your search queries . . . Internet protocol address . . . device event information such as . . . the date and time of your request and referral URL [and] cookies that may uniquely identify your browser or your Google Account. Cookies and similar technologies.
We and our partners use various technologies to collect and store information when you visit a Google service, and this may include using cookies or similar technologies to identify your browser or device. We also use these technologies to collect and store information when you interact with services we offer to our partners, such as advertising services or Google features that may appear on other sites. Our Google Analytics product helps businesses and site owners analyze the traffic to their websites and apps. When used in conjunction with our advertising services, such as those using the DoubleClick cookies, Google Analytics information is linked, by the Google Analytics customer or by Google, using Google technology, with information about visits to multiple sites. . (emphasis omitted). Subsequent versions of Google’s Privacy Policy made similar disclosures. Third, Chrome’s Terms of Service state the following: “By using Chrome or Chrome OS, you agree to the Google Terms of Service . . . and these Google Chrome and Chrome OS Additional Terms of Service.” Compl. Exh. 6.
Finally, the Chrome Privacy Notice invites users to “[l]earn how to control the information that’s collected, stored, and shared when you use the Google Chrome browser on your computer or mobile device.” Compl. ¶ 37, Exhs. 17–33. The Chrome Privacy Notice states: “You don’t need to provide any personal information to use Chrome, but Chrome has different modes you can use to change or improve your browsing experience. Privacy practices are different depending on the mode you’re using.” . The Chrome Privacy Notice then states that “Basic browser mode . . . stores information locally on your system. This information might include:” “Browsing history information”; “Personal information and passwords”; and “Cookies or data from websites you visit.” . The Chrome Privacy Notice later states: “The personal information that Chrome stores won’t be sent to Google unless you choose to store that data in your Google account by turning on sync.” Compl. ¶ 38, Exhs. 28–33. [2]
B. Procedural History
On July 27, 2020, Plaintiffs filed the instant case against Google. Compl. Plaintiffs sought to represent a class of “all persons residing in the United States who used Google’s Chrome browser on or after July 27, 2016 without choosing to Sync with any Google account and whose personal information was collected by Google.” . ¶ 259.
Plaintiffs brought 16 claims: (1) unauthorized interception of electronic communications under the Wiretap Act; (2) unauthorized electronic communication service (“ECS”) disclosure under the Wiretap Act, 18 U.S.C. § 2510; (3) unauthorized access to stored ECS communications under the Stored Communications Act (“SCA”), 18 U.S.C. § 2701; (4) unauthorized disclosures of stored communications under the SCA,18 U.S.C. § 2701; (5) violation of the California Invasion of Privacy Act (“CIPA”), Cal. Penal Code § 631; (6) invasion of privacy; (7) intrusion upon seclusion; (8) breach of contract; (9) breach of the implied covenant of good faith and fair dealing; (10) quasi-contract (restitution and unjust enrichment); (11) violation of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030(g); (12) violation of the California Computer Data Access and Fraud Act, Cal. Penal Code § 502; (13) statutory larceny, Cal. Penal Code §§ 484 and 496; (14) violation of the California Unfair Competition Law (“UCL”), Cal. Bus. & Prof. Code § 17200, et seq. ; (15) punitive damages under Cal. Civil Code § 3294; and (16) declaratory relief under 28 U.S.C. § 2201(a). Id . ¶¶ 266–426.
On September 18, 2020, the Court directed the parties to select 10 claims to litigate. ECF No. 51. On September 25, 2020, the parties selected the following 10 claims: (1) unauthorized disclosure under the Wiretap Act; (2) unauthorized access under the SCA; (3) unauthorized disclosures of stored communications under the SCA; (4) violation of the CIPA; (5) intrusion upon seclusion; (6) breach of contract; (7) breach of the implied covenant of good faith and fair dealing; (8) violation of the CFAA; (9) statutory larceny; and (10) violation of the UCL. ECF No. 54.
On October 5, 2020, Google filed the instant motion to dismiss, ECF No. 57 (Mot.),
and a request for judicial notice, ECF No. 58. On November 9, 2020, Plaintiffs filed an opposition
to Google’s motion, ECF No. 67 (“Opp’n”), and their own request for judicial notice, ECF No. 66.
On December 3, 2020, Google filed a reply in support of their motion to dismiss, ECF No. 81
(“Reply”), and a response to Plaintiffs’ request for judicial notice, ECF No. 82.
The Court may take judicial notice of matters that are either “generally known within the
trial court’s territorial jurisdiction” or “can be accurately and readily determined from sources
whose accuracy cannot reasonably be questioned.” Fed. R. Evid. 201(b). However, to the extent
any facts in documents subject to judicial notice are subject to reasonable dispute, the Court will
not take judicial notice of those facts.
See Lee v. City of Los Angeles
,
Plaintiffs request that the Court take judicial notice of an October 6, 2020 House Report;
an October 13, 2011 Federal Trade Commission (“FTC”) Order; and an August 8, 2012 FTC
Complaint. ECF No. 66. The Court will take judicial notice of these documents as public records,
which are proper subjects of judicial notice.
See, e.g.
,
United States v. Black
,
Plaintiffs request that the Court take judicial notice of three publicly available Google
webpages. ECF No. 66. Google requests that the Court take judicial notice of four versions of
Google’s Privacy Policy. ECF No. 58. These documents appear on publicly available websites and
are thus proper subjects for judicial notice.
See, e.g.
,
In re Google Assistant Privacy Litig.
, 457 F.
Supp. 3d 797, 813–14 (N.D. Cal. 2020) (taking judicial notice of Google’s Terms of Service,
Privacy Policy, and a Google blog post);
Matera v. Google, Inc.
,
Google does not contest that the documents of which Plaintiffs request judicial notice are
proper subjects of judicial notice. ECF No. 82. However, Google contends that Plaintiffs seek
judicial notice of these documents for improper purposes.
Id
. Specifically, Google argues that the
Court cannot take judicial notice of the October 6, 2020 House Report for the purpose of
establishing that House investigators had the same understanding of Google’s Privacy Policy as
Plaintiffs did. . at 1. Google further contends that the Court cannot take judicial notice of the
FTC documents to show that Google is acting in bad faith. . at 2. Finally, Google argues that the
Court cannot take judicial notice of the three publicly available webpages to show that Google
knows that Google’s Privacy Policy is not sufficient for blanket consent.
Id
. at 4.
The Court agrees with Google that the Court cannot take judicial notice of any facts in
these documents that are subject to reasonable dispute.
See Lee
,
Finally, Plaintiffs move to file supplementary material, ECF No. 127, in response to
arguments Google made about the Court’s website at the February 25, 2021 motion to dismiss
hearing in a related case,
Brown v. Google
(“
Brown
”).
See
Case No. 20-CV-03664-LHK, Tr. of
Feb. 25, 2021 Hearing at 47:13–16, ECF No. 104. Google never raised these arguments in their
briefs on the motions to dismiss in either case or at the February 18, 2021 hearing on the instant
motion to dismiss. The Court did not consider Google’s untimely arguments in the Court’s order
denying the motion to dismiss in the
Brown
case, ECF No. 113, and will not do so here.
See In re
Apple Inc. Securities Litigation
,
II. LEGAL STANDARD
A. Dismissal Pursuant to Federal Rule of Civil Procedure 12(b)(6)
Rule 8(a) of the Federal Rules of Civil Procedure requires a complaint to include “a short
and plain statement of the claim showing that the pleader is entitled to relief.” Fed. R. Civ. P. 8(a).
A complaint that fails to meet this standard may be dismissed pursuant to Federal Rule of Civil
Procedure 12(b)(6). Rule 8(a) requires a plaintiff to plead “enough facts to state a claim to relief
that is plausible on its face.”
Bell Atlantic Corp. v. Twombly
,
The Court, however, need not accept as true allegations contradicted by judicially
noticeable facts,
see Shwarz v. United States
,
B. Leave to Amend
If the Court determines that a complaint should be dismissed, it must then decide whether
to grant leave to amend. Under Rule 15(a) of the Federal Rules of Civil Procedure, leave to amend
“shall be freely given when justice so requires,” bearing in mind “the underlying purpose of Rule
15 to facilitate decisions on the merits, rather than on the pleadings or technicalities.”
Lopez v.
Smith
,
In its motion to dismiss, Google first contends that Plaintiffs’ claims should be dismissed because Plaintiffs and the websites consented to Google’s receipt of the data. Mot. at 8–11. Google later argues that Plaintiffs’ claims should be dismissed because of the statutes of limitations. Mot. at 25. Google also argues that Plaintiffs have failed to state nine of the ten selected claims for additional reasons. Id . at 11–25. The Court addresses in turn: (1) consent; (2) the statutes of limitations; and (3) Google’s other arguments for dismissal.
A. Consent
Google contends that (1) all claims should be dismissed because Plaintiffs consented to Google’s receipt of the data, and (2) Plaintiffs’ unauthorized disclosure claims under the Wiretap Act and the SCA should be dismissed because the websites consented to Google’s receipt of the data. . at 8–11. The Court addresses each argument in turn.
1. Google has not shown that Plaintiffs consented.
Consent is a defense to Plaintiffs’ claims.
See
18 U.S.C. § 2511(3)(b)(ii) (Wiretap Act)
(stating that a communication may be divulged “with the lawful consent of the originator”); 18
U.S.C. § 2702(b)(3) (SCA unauthorized disclosure) (stating that a communication may be
divulged with the “lawful consent of the originator”);
id
. § 2701(c)(2) (SCA unauthorized access)
(providing an exception from liability for conduct authorized by the user);
Smith v. Facebook, Inc.
,
In the instant motion, Google contends that users expressly consented to Google’s alleged
data collection. Mot. at 9. In
In re Google, Inc.
, this Court rejected a similar argument made by
Google.
In the instant case, Google contends that Plaintiffs “consented to Google’s [Terms of Service], which incorporated Google’s Privacy Policy.” Mot. at 9. Google further argues that Google’s Privacy Policy disclosed the alleged data collection:
We collect information about the services that you use and how you use them, like when you . . . visit a website that uses our advertising services, or view and interact with our ads and content. This information includes: . . . device-specific information (such as your hardware model, operating system version, unique device identifiers, and mobile network information including phone number).
When you use our services or view content provided by Google, we automatically collect and store certain information in server logs, [including] details of how you used our service, such as your search queries . . . Internet protocol address . . . device event information such as . . . the date and time of your request and referral URL [and] cookies that may uniquely identify your browser or your Google Account.
Compl. Exh. 7.
However, the Court concludes that this general disclosure is insufficient for two reasons. First, Google contends that Plaintiffs “consented to Google’s [Terms of Service], which incorporated Google’s Privacy Policy.” Mot. at 9. However, as of March 31, 2020, Google’s Terms of Service explicitly excluded Google’s Privacy Policy: “Besides these terms, we also publish a Privacy Policy. Although it’s not part of these terms , we encourage you to read it to better understand how you can update, manage, export, and delete your information.” Compl. Exh. 4 (emphasis added). Thus, a reasonable user consenting to Google’s Terms of Service on or after March 31, 2020 might have concluded that she was not consenting to Google’s Privacy Policy. Second, the Chrome Privacy Notice makes specific representations that could suggest to a reasonable user that Google would not engage in the alleged data collection. From April 14, 2014 until March 31, 2020, Google’s Terms of Service directed users to the additional terms for specific services, such as the Chrome Privacy Notice. See Compl. Exh. 2, 3 (“You can find more information about how Google uses and stores content in the privacy policy or additional terms for particular services.”).
The Chrome Privacy Notice invites users to “[l]earn how to control the information that’s collected, stored, and shared when you use the Google Chrome browser on your computer or mobile device.” Compl. ¶ 37, Exhs. 17–33. The Chrome Privacy Notice states: “ You don’t need to provide any personal information to use Chrome , but Chrome has different modes you can use to change or improve your browsing experience. Privacy practices are different depending on the mode you’re using.” . (emphasis added).
Furthermore, the Chrome Privacy Notice then states that “Basic browser mode . . . stores information locally on your system. This information might include:” “Browsing history information”; “Personal information and passwords”; and “Cookies or data from websites you visit.” Id . The Chrome Privacy Notice later states: “ The personal information that Chrome stores won’t be sent to Google unless you choose to store that data in your Google account by turning on sync .” Compl. ¶ 38, Exhs. 28–33 (emphasis added).
Based on these disclosures, a reasonable user could have concluded that he or she did not need to provide any personal information to use Chrome without sync. See Compl. ¶ 37, Exhs. 17– 33 (“ You don’t need to provide any personal information to use Chrome , but Chrome has different modes you can use to change or improve your browsing experience.”) (emphasis added). Moreover, a reasonable user could have concluded that using Chrome without sync was a way to control “the information that’s collected, stored, and shared when you use the Google Chrome browser.” See id . (stating that “[p]rivacy practices are different depending on the mode you’re using”). Specifically, a reasonable user could have concluded that if he or she used Chrome without sync, his or her personal information would not be sent to Google. See Compl. ¶ 38, Exhs. 28–33 (“The personal information that Chrome stores won’t be sent to Google unless you choose to store that data in your Google account by turning on sync.”). Plaintiffs allege that these representations were misleading because Google collected Plaintiffs’ personal information when Plaintiffs used Chrome without sync. . ¶ 134. Specifically, Google collected “unique, persistent cookie identifiers”; “browsing history”; “POST communications”; the “user’s IP address and User-Agent information about their device”; and the user’s X-Client Data Header. . ¶ 134.
This data falls within the definition of personal information under California law, which governs Google’s Terms of Service. See Compl. Exh. 4. Indeed, California law defines personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” including “Internet or other electronic network activity information,” such as “browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement.” Cal. Civ. Code § 1798.140. Moreover, Google’s own Privacy Policy defines personal information as “information that you provide to us which personally identifies you, such as your name, email address, or billing information, or other data that can reasonably be linked to such information by Google, such as information we associate with your Google account.” Compl. Exh. 16. [4] As Google’s counsel conceded at the hearing on the instant motion, the data at issue in the instant case falls within these broad definitions of personal information. See Tr. of Feb. 18, 2021 Hearing at 51:24–52:1, 52:19, ECF No. 114.
In response, Google contends that Chrome’s Privacy Notice is accurate where it states that “ The personal information that Chrome stores won’t be sent to Google unless you choose to store that data in your Google account by turning on sync.” Compl. ¶ 38, Exhs. 28–33 (emphasis added). According to Google, readers would understand that “ the personal information that Chrome stores ” does not include “unique, persistent cookie identifiers”; “browsing history”; “POST communications”; the “user’s IP address and User-Agent information about their device”; and the user’s X-Client Data Header. See Reply at 2; Tr. of Feb. 18, 2021 Hearing at 30:12–16, 51:10–13, 53:3–19, ECF No. 114. However, the Court finds Google’s argument unpersuasive because it is inconsistent with California state law, which governs Google’s agreement with users, and Google’s Privacy Policy. See Cal. Civ. Code § 1798.140 (defining personal information as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household,” including “Internet or other electronic network activity information,” such as “browsing history, search history, and information regarding a consumer’s interaction with an internet website, application, or advertisement”); Compl. Exh. 16 (Google’s Privacy Policy) (defining personal information as “information that you provide to us which personally identifies you, such as your name, email address, or billing information, or other data that can reasonably be linked to such information by Google, such as information we associate with your Google account”). Accordingly, the Court concludes that a reasonable user could read Google’s representations to mean that, if the user was not synced, his or her browsing history, cookies, and site data would not be sent to Google.
In conclusion, the Court concludes that Google did not notify users that Google engages in
the alleged data collection. To the contrary, Google’s representations might have led a reasonable
user to believe that Google did not collect his or her personal information when the user was not
synced. Accordingly, Google cannot show that Plaintiffs expressly consented to Google’s
collection of data.
See In re Google
,
and the SCA should be dismissed because the websites consented to Google’s receipt of the data. Mot. at 9–11. The Wiretap Act and the SCA provide an exception to liability where an electronic communication service (“ECS”) divulges contents with the “lawful consent” of “the originator or an addressee or intended recipient of such communication.” See 18 U.S.C. §§ 2511(3)(b)(ii) (Wiretap Act); id . § 2702(b)(3) (SCA). Accordingly, Google argues that the websites lawfully consented to Google’s receipt of the data. Mot. at 9–11.
“[A]s ‘the party seeking the benefit of the exception,’ it is Google’s burden to prove
consent.”
Matera v. Google Inc.
,
Google argues that the websites provided implied consent to Google’s interception. Mot at.
11. In making this argument, Google cites two twenty-year-old district court cases regarding
DoubleClick (now known as Google Ad Manager), a service which was purchased by websites to
gather users’ data for advertising purposes.
See Chance v. Avenue A
,
As the Court explained above, neither Google’s Privacy Policy nor any other disclosure to
which Google points states that Google engages in the alleged data collection while users are
using Chrome without sync.
See
Section III(A)(1),
supra
. To the contrary, Google’s disclosures
state that the data will not be sent to Google when users use Chrome without sync.
Id
.
Specifically, the Chrome Privacy Notice states: “
The personal information that Chrome stores
won’t be sent to Google unless you choose to store that data in your Google account by turning on
sync
.” Compl. ¶ 38, Exhs. 28–33 (emphasis added). The Chrome Privacy Notice also states: “
You
don’t need to provide any personal information to use Chrome
, but Chrome has different modes
you can use to change or improve your browsing experience. Privacy practices are different
depending on the mode you’re using.” . (emphasis added). Thus, Google has not established that
websites consented to, or even knew about, the interception of the subset of their communications
that are with users who use Chrome without sync.
See Pharmatrak
,
B. Statutes of Limitations
Google next argues that Plaintiffs’ complaint should be dismissed because each of
Plaintiffs’ claims exceed the applicable statutes of limitations. Mot. at 23–25. “A claim may be
dismissed under Rule 12(b)(6) on the ground that it is barred by the applicable statute of
limitations only when ‘the running of the statute is apparent on the face of the complaint.’”
Von
Saher v. Norton Simon Museum of Art at Pasadena
,
Seven of the selected claims have a limitations period of between one and three years.
Specifically, “[u]nder the CIPA, the applicable statute of limitations is one year.”
Brodsky v.
Apple, Inc.
,
not sync their accounts from July 27, 2016 to the present, the seven selected claims that have a statute of limitations of three years or less are time-barred. Mot. at 25. Google further argues that, for Plaintiffs’ remaining selected claims, to which a four year statute of limitation applies, “Plaintiffs must allege when the challenged conduct first occurred so the Court may determine when the claims accrued.” . The Court rejects Google’s argument because each violation triggers a separate statute of limitations, and Plaintiffs allege that violations took place in July 2020, shortly before Plaintiffs’ complaint was filed on July 27, 2020.
The Ninth Circuit and California Supreme Court have held that separate, recurring
invasions of the same right each trigger their own separate statute of limitations. The Ninth Circuit
has held that, for Wiretap Act claims, “each interception is a discrete violation” with its own
statute of limitations.
Bliss v. CoreCivic, Inc.
,
Because Plaintiffs allege that Google engaged in interceptions of their communications shortly before filing their complaint, Plaintiffs’ claims are not barred by the statutes of limitations. Indeed, Plaintiffs allege that Google intercepted their communications in July 2020. Compl. ¶¶ 154, 168, 174, 180. Plaintiffs filed the instant case on July 27, 2020, well within any of the applicable statutes of limitations. See Compl. Thus, the Court DENIES Google’s motion to dismiss on the basis of the statutes of limitations. C. Other Arguments for Dismissal Finally, Google contends that Plaintiffs have failed to state nine of the ten selected claims for additional reasons. . at 11–25. The Court addresses in turn the following claims: (1) unauthorized disclosure under the Wiretap Act and the SCA; (2) unauthorized access under the SCA; (3) intrusion upon seclusion; (4) breach of contract; (5) breach of the implied covenant of good faith and fair dealing; (6) violation of the CFAA; (7) statutory larceny; and (8) violation of the UCL.
1. Plaintiffs have not stated a claim for unauthorized disclosure under the Wiretap Act or the SCA.
The Wiretap Act provides that “a person or entity providing an electronic communication service to the public shall not intentionally divulge the contents of any communication . . . while in transmission on that service to any person or entity.” 18 U.S.C. § 2511(3)(a). Similarly, the SCA provides that “a person or entity providing an electronic communication service the public shall not knowingly divulge to any person or entity the contents of a communication while in electronic storage by that service.” . § 2702(a).
Plaintiffs allege that Chrome is an electronic communication service (“ECS”) that “intentionally divulged the contents of user communications with non-Google websites to Google while those user communications were in transmission on Chrome” and “in electronic storage by Chrome.” Compl. ¶¶ 289–90, 316–17. Google contends that Plaintiffs’ unauthorized disclosure claims should be dismissed because Plaintiffs fail to allege that Google divulged the contents of any communication to a third party. Mot. at 11–12, 16–17.
The Court agrees with Google. In the instant case, Plaintiffs allege that Chrome “is an ECS.” Compl. ¶¶ 289–90, 316–17. Because Chrome is a Google service, [5] the “person or entity providing [the ECS]” is Google. 18 U.S.C. § 2511(3)(a), id . § 2702(a). The Wiretap Act and the SCA prohibit “the person or entity providing [the ECS]” from divulging the contents of any communication to any person or entity, but Plaintiffs do not allege that Google divulged the contents of any communication to a third party. Rather, Plaintiffs allege that Google divulged information to itself. Compl. ¶¶ 289–90, 316–17. Accordingly, Plaintiffs’ unauthorized disclosure claims under the Wiretap Act and the SCA fail. Another court in this district recently rejected an unauthorized disclosure claim under the SCA for similar reasons. In In re Google Assistant Privacy Litigation , the plaintiffs alleged that another Google service, Google Assistant, disclosed audio or transcripts to Google. 457 F. Supp. 3d 797, 822 (N.D. Cal. 2020) [hereinafter “ Google Assistant ”]. The court concluded that the plaintiffs could not state an unauthorized disclosure claim under the SCA because the plaintiffs did not allege that Google had divulged the information to a third party, and “[Google’s] own use of Plaintiffs’ data for advertising purposes does not constitute an unlawful ‘disclosure.’” . The same reasoning requires dismissal of Plaintiffs’ unauthorized disclosure claims in the instant case.
In response, Plaintiffs invoke the ordinary course of business exception to the Wiretap Act. Opp’n at 13. However, as Plaintiffs acknowledge, the ordinary course of business exception applies to interception claims under the Wiretap Act, not unauthorized disclosure claims. See 18 U.S.C. § 2510(5)(a)(ii) (precluding liability for interceptions under the Wiretap Act based on the use of “any telephone or telegraph instrument, equipment or facility, or any component thereof . . . being used by a provider of wire or electronic communication service in the ordinary course of its business”).
Unlike the interception provision of the Wiretap Act, the unauthorized disclosure provision
of the Wiretap Act provides that “
a person or entity providing an [ECS] to the public
shall not
intentionally divulge the contents of any communication . . . while in transmission on that service
to any person or entity.” 18 U.S.C. § 2511(3)(a) (emphasis added). Google is the “person or entity
providing [the] ECS” in the instant case, and Plaintiffs do not allege that Google divulged the
contents of any communication to any third party. Thus, the Court GRANTS Google’s motion to
dismiss Plaintiffs’ claims for unauthorized disclosure under the Wiretap Act and the SCA. The
Court does so with leave to amend because (1) Plaintiffs have not had an opportunity to amend
their complaint; (2) amendment would not be futile, unduly prejudice the opposing party, or cause
undue delay; and (3) Plaintiffs have not acted in bad faith.
See Leadsinger
,
2. Plaintiffs have not stated a claim for unauthorized access under the SCA.
The SCA provides a cause of action against a person who “intentionally accesses without
authorization a facility through which an electronic communication service is provided” or “who
intentionally exceeds an authorization to access that facility; and thereby obtains, alters, or
prevents unauthorized access to a wire or electronic communication while it is in electronic
storage in such a system.” 18 U.S.C. § 2701(a). To state a claim under 18 U.S.C. § 2701(a),
Plaintiffs must show that Defendants “(1) gained unauthorized access to a ‘facility’ where it (2)
accessed an electronic communication in ‘electronic storage.’”
In re Facebook, Inc. Internet
Tracking Litigation
,
The Court concludes that Plaintiffs cannot state an SCA claim for two reasons. First, Google is exempt from liability because Google is the entity providing Chrome. Second, Plaintiffs’ personal computing devices are not facilities. The Court addresses each issue in turn.
First, the SCA provides an exception from liability for “conduct authorized . . . by the
person or entity providing” the alleged ECS. 18 U.S.C. § 2701(c)(1). Plaintiffs allege that Chrome
is an ECS. Compl. ¶ 303. However, Plaintiffs never allege who the person or entity providing the
ECS is.
Id
. ¶¶ 301–313. In the absence of an allegation by Plaintiffs, the Court concludes that
Google is the entity providing the ECS because Google provides the Chrome browser, which is a
Google service.
See
Section III(C)(1),
supra
. In the instant case, Google was the entity allegedly
collecting Plaintiffs’ data. Accordingly, Google, the entity providing the ECS, authorized the
alleged collection of data. Because the alleged misconduct was authorized by the entity providing
the ECS, Google is not subject to liability under the SCA’s unauthorized access provision.
See
18
U.S.C. § 2701(c)(1).
Another court in this district came to a similar conclusion when plaintiffs brought an
unauthorized access claim under the SCA based on a new Google privacy policy that permitted
Google to collect and combine personal information collected from different Google services into
a single user profile.
See In re Google, Inc. Privacy Policy Litigation
,
Second, Plaintiffs’ personal computing devices are not facilities. In the Complaint, Plaintiffs point to four facilities: (1) Plaintiffs’ personal computing devices; (2) Plaintiffs’ Chrome browsers; (3) the browser-managed files which constitute all of the programs contained within Plaintiffs’ Chrome browsers; and (4) Plaintiffs’ IP addresses. . ¶ 307.
The SCA does not provide a statutory definition of facility.
Google Assistant
, 457 F. Supp.
3d at 820. However, the SCA specifies that a facility must be one “through which an [ECS] is
provided.” 18 U.S.C. § 2701(a)(1). Based on this language, several “courts in this Circuit and
others have interpreted ‘facility’ to exclude users’ personal devices.”
Google Assistant
, 457 F.
Supp. 3d at 821. For example, the Fifth Circuit concluded that an individual’s personal device
“does not provide an electronic communication service just because the device enables use of
electronic communication services.”
Garcia v. City of Laredo, Tex.
,
This Court and several courts in this district have also concluded that a user’s personal
device is not a facility under the SCA.
See Google Assistant
,
The Court comes to the same conclusion about Plaintiffs’ personal devices in the instant
case. As this Court previously explained, interpreting personal devices as facilities would “render
other parts of the [SCA] illogical.”
In re iPhone Application Litig.
,
Based on the two deficiencies explained above, the Court GRANTS Google’s motion to
dismiss Plaintiffs’ unauthorized access claim under the SCA. The Court does so with leave to
amend because (1) Plaintiffs have not had an opportunity to amend their complaint; (2)
amendment would not be futile, unduly prejudice the opposing party, or cause undue delay; and
(3) Plaintiffs have not acted in bad faith.
See Leadsinger
,
3. Plaintiffs have stated an intrusion upon seclusion claim.
“To state a claim for intrusion upon seclusion under California common law, a plaintiff
must plead that (1) a defendant ‘intentionally intrude[d] into a place, conversation, or matter as to
which the plaintiff has a reasonable expectation of privacy[,]’ and (2) the intrusion ‘occur[red] in a
manner highly offensive to a reasonable person.”
Facebook Tracking
,
a. Plaintiffs have adequately alleged that they had a reasonable expectation of privacy.
To meet the first element, the plaintiff must have had an “objectively reasonable
expectation of seclusion or solitude in the place, conversation, or data source.”
Shulman v. Group
W. Prods., Inc.
,
In
Facebook Tracking
, the Ninth Circuit considered whether the plaintiffs, who were
Facebook users, had adequately pleaded that they had a reasonable expectation of privacy.
Id
. at
602. Like the instant case,
Facebook Tracking
concerned GET requests that were sent from
Facebook users’ browsers to Facebook after they had logged out of Facebook.
Id
. at 601. Like
Google, Facebook allegedly received copies of GET requests that users sent to third-party
websites because Facebook’s embedded code caused the users’ browses to generate copies of the
GET requests and transmit them to Facebook.
Compare id
. at 607
with
Compl. ¶¶ 122–23.
The Ninth Circuit concluded that the plaintiffs had adequately pleaded that they had a
reasonable expectation of privacy based on the amount of data collected, the sensitivity of the data
collected, the nature of the data collection, and Facebook’s representations to users.
Facebook
Tracking
,
Other cases have come to similar conclusions. For example, in
Google Cookie
, the Third
Circuit considered whether the plaintiffs had stated an intrusion upon seclusion claim under
California law based on Google’s alleged placement of cookies on the browsers of users who had
enabled cookie blockers.
First, Plaintiffs have adequately alleged that they had a reasonable expectation of privacy based on the amount of data collected, the sensitivity of the data collected, and the nature of the data collection. Indeed, as explained above, the instant case involves the same data and the same process by which the data was collected as Facebook Tracking . Compare id . at 607 (describing how Facebook’s code directs the user’s browser to copy the referrer header and sends a duplicate request to Facebook) with Compl. ¶ 122 (describing how Google’s code directs the user’s browser to send a duplicate request to Google). Like in Facebook Tracking , the amount of data collected and the nature of the data collection demonstrate that Plaintiffs had a reasonable expectation of privacy. Like in Facebook Tracking , Plaintiffs allege that the amount of data collected was vast. See Compl. ¶ 122 (alleging that “up to 86 percent of popular websites” use Google’s code). Finally, like in Facebook Tracking , Plaintiffs allege that a vast amount of data was collected secretly, without any notice to users. Id . ¶ 5 (alleging that “Chrome secretly sends personal information to Google even when a Chrome user does not Sync”).
Second, like the plaintiffs in Facebook Tracking , Plaintiffs in the instant case could have reasonably assumed that Google would not receive their data while they were using Chrome without sync based on Google’s representations. See Section III(A)(1), supra . Accordingly, the Court concludes that Plaintiffs have adequately alleged that they had a reasonable expectation of privacy. b. Plaintiffs have adequately alleged that the alleged intrusion was highly offensive. “Determining whether a defendant’s actions were ‘highly offensive to a reasonable person’ requires a holistic consideration of factors such as the likelihood of serious harm to the victim, the degree and setting of the intrusion, the intruder’s motives and objectives, and whether countervailing interests or social norms render the intrusion inoffensive.” Facebook Tracking , 956
17
F.3d at 606 (quoting
Hernandez
,
on the degree to which the intrusion is unacceptable as a matter of public policy.” Id . (citing 20
Hernandez
,
21
In Facebook Tracking , the Ninth Circuit held that “[t]he ultimate question of whether 22
Facebook’s tracking and collection practices could highly offend a reasonable individual is an 23
issue that cannot be resolved at the pleading stage.” . Specifically, the Ninth Circuit concluded 24
that “Plaintiffs’ allegations of surreptitious data collection when individuals were not using 25
Facebook are sufficient to survive a dismissal motion on the issue” of whether the alleged 26
intrusion was highly offensive. .
27
As explained above, Plaintiffs in this case allege that Google was surreptitiously collecting the same type of data through the same process that was at issue in Facebook Tracking . See Section III(C)(3)(a), supra . Moreover, as explained above, Google’s representations regarding Chrome’s sync function could have led users to assume that Google would not receive the personal information at issue in the instant case while they were not synced. See Section III(A)(1), supra .
Other than pointing to its disclosures, which the Court has already addressed,
supra
Section III(A)(1), Google also argues that its conduct is not “highly offensive” because its
interceptions “served a legitimate commercial purpose.” Mot. at 19–20. However, whether an
intrusion is highly offensive requires a holistic consideration of a multitude of factors, only one of
which is the “countervailing interests . . . [that] render the intrusion inoffensive,” such as the
intrusion’s commercial purpose.
See Facebook Tracking
,
Thus, Plaintiffs have alleged sufficient facts to prevail on the issues of whether they had a reasonable expectation of privacy and whether the intrusion was highly offensive. Accordingly, Plaintiffs have stated an intrusion upon seclusion claim. The Court DENIES Google’s motion to dismiss Plaintiffs’ intrusion upon seclusion claim.
4. Plaintiffs have stated a claim for breach of contract.
“In order to establish a contract breach, Plaintiffs must allege: (1) the existence of a
contract with [Google], (2) their performance under that contract, (3) [Google] breached that
contract, and (4) they suffered damages.”
Facebook Tracking
,
Google argues that Plaintiffs have failed to state a breach of contract claim for three
reasons. First, Google argues that Plaintiffs have failed to plausibly allege that Google breached
any promise in the Chrome Privacy Notice. Mot. at 20. In support of this argument, Google cites
Google Assistant
, where another court in this district dismissed the plaintiffs’ breach of contract
claim.
Despite Google’s promises, Plaintiffs allege that “Google intentionally and unlawfully
causes Chrome to record and send users’ personal information to Google regardless of whether a
user elects to Sync or even has a Google account.” . ¶ 3. The information sent includes: “IP
addresses linked to user agents”; “[u]nique, persistent cookie identifiers including the Client ID”;
“[u]nique browser identifiers called X-Client Data Headers”; and “[b]rowsing history.” . ¶ 4. All
of this identifying information falls within the definition of personal information under California
law, which governs Google’s Terms of Service, and under Google’s Privacy Policy.
See
Cal. Civ.
Code § 1798.140 (defining personal information as “information that identifies, relates to,
describes, is reasonably capable of being associated with, or could reasonably be linked, directly
or indirectly, with a particular consumer or household,” including “Internet or other electronic
network activity information,” such as “browsing history, search history, and information
regarding a consumer’s interaction with an internet website, application, or advertisement”);
Compl. Exh. 16 (defining personal information as “information that you provide to us which
personally identifies you, such as your name, email address, or billing information, or other data
that can reasonably be linked to such information by Google, such as information we associate
with your Google account”).
Second, Google contends that Plaintiffs cannot state a claim because Plaintiffs
“simultaneously claim that Google’s receipt of the Data constituted a breach of contract when they
‘agreed to share’ the Data with Google as a form of consideration.” Mot. at 20;
see also
Compl. ¶
356 (alleging that “Plaintiffs and other Un-Synched Chrome users also did not receive the benefit
of the bargain . . . for which they paid valuable consideration in the form of the [personal
information] they agreed to share”). However, just because Plaintiffs decided to share some of
their personal information does not mean that they agreed to share all of their personal
information.
See In re Google
,
However, the Court concludes that the instant case is distinguishable because the documents involved in the instant case did make commitments, rather than just providing information. First, Google’s Terms of Service is the contract between the users and Google. Google’s Terms of Service stated that the “Terms of Service help define Google’s relationship with you as you interact with our services.” Compl. Exh. 4. Google’s Terms of Service state that “[u]understanding these terms is important because, by using our services, you’re agreeing to these terms.” . Furthermore, Google’s Terms of Service explicitly incorporated the additional terms, including the Chrome Privacy Notice, into the contract between the users and Google. From April 14, 2014 until March 31, 2020, Google’s Terms of Service invoked additional terms as follows: “Our Services are very diverse, so sometimes additional terms or product requirements . . . may apply . . . . [T]hose additional terms become part of your agreement with us if you use those services.” Compl. Exhs. 2, 3. The most recent version of Google’s Terms of Service directs users to “[f]ollow these terms and service-specific additional terms” and state that where there is a conflict between Google’s Terms of Service and “service-specific additional terms,” the latter terms will govern. Compl. Exh. 4. This language demonstrates that, rather than being an informational resource, the Chrome Privacy Notice is part of the contract between Plaintiffs and Google. Thus, Plaintiffs have adequately pled a breach of contract claim. Accordingly, the Court DENIES Google’s motion to dismiss Plaintiffs’ breach of contract claim.
5. Plaintiffs have stated a claim for breach of the implied covenant of good faith and fair dealing.
As to Plaintiffs’ claim for breach of the implied duty of good faith and fair dealing, Google
argues that the claim should be dismissed because it does not go beyond the breach of contract
theories that Plaintiffs assert. Mot. at 21. In
Facebook Tracking
, the Ninth Circuit affirmed the
district court’s dismissal of the plaintiffs’ claim for breach of the implied covenant of good faith
and fair dealing because “as pleaded, the allegations did not go beyond the breach of contract
theories asserted by Plaintiffs and were thus properly dismissed.”
However, when the allegations go beyond the breach of contract theories, courts have
concluded that the plaintiffs have stated a breach of contract claim and a breach of the implied
covenant of good faith and fair dealing claim.
See, e.g.
,
Facebook Consumer Profile
, 402 F. Supp.
3d at 802 (noting that plaintiffs could state claims for breach of contract and breach of the implied
covenant of good faith and fair dealing when the defendant makes a material modification to the
contract without providing notice);
In re Easysaver Rewards Litig.
,
25
The CFAA is an anti-hacking statute that creates liability for “knowingly caus[ing] the 26
transmission of a program, information, code, or command, and as a result of such conduct, 27
intentionally caus[ing] damage without authorization, to a protected computer.” 18 U.S.C. §
1030(a)(5)(A)(i). “Under the CFAA, Plaintiffs must . . . plead that [Google’s] actions caused loss
of more than $5,000 during any one-year period.”
Brodsky v. Apple, Inc.
,
Google contends that Plaintiffs fail to allege that Google’s conduct caused them to
experience a loss of more than $5,000 during a one-year period. Mot. at 22. The Court agrees. As
Plaintiffs conceded during the hearing on the instant motion, the Complaint never alleges that
Plaintiffs suffered losses exceeding $5,000 during a one-year period.
See
Compl. ¶¶ 372–381
(failing to allege that Plaintiff suffered losses exceeding $5,000 during a one-year period); Tr. of
Feb. 25, 2021 Hearing at 18:3–5, ECF No. 114 (“[W]e did not have an allegation specifically
saying that losses would exceed $5,000.”);
id
. at 18:10–12 (“There is no sentence in the complaint,
which we acknowledge that says that -- that alleges that losses exceed $5,000.”). Thus, the Court
GRANTS Google’s motion to dismiss Plaintiffs’ CFAA claims. The Court does so with leave to
amend because (1) Plaintiffs have not had an opportunity to amend their complaint; (2)
amendment would not be futile,
[7]
unduly prejudice the opposing party, or cause undue delay; and
(3) Plaintiffs have not acted in bad faith.
See Leadsinger
,
7. Plaintiffs have stated a statutory larceny claim.
California Penal Code Section 484 forbids theft, which includes obtaining property “by . . . false . . . representation or pretense.” Cal. Penal Code § 484. California Penal Code Section 496(a) prohibits the obtaining of property “in any manner constituting theft.” Cal. Penal Code § 496(a). Plaintiffs allege that Google violated these sections by stealing Plaintiffs’ personal information without Plaintiffs’ consent. Compl. ¶¶ 394–403.
Google argues that Plaintiffs cannot plead a statutory larceny claim for two reasons. First,
Google argues that the personal information that Google allegedly stole is not property. Mot. at
22. In support of this argument, Google cites this Court’s 2012 decision in
Low v. LinkedIn
Corporation
, which dismissed Plaintiffs’ conversion claim based on LinkedIn’s alleged
“exercise[] [of] dominion” over Plaintiffs’ personal browsing history and other personally
identifiable information because “the weight of authority holds that a plaintiff’s ‘personal
information’ does not constitute property.”
Furthermore, California courts have also acknowledged that users have a property interest
in their personal information.
See CTC Real Estate Servs. v. Lepe
,
Second, Google argues that Plaintiffs cannot show that Google committed larceny. Mot. at 23. Specifically, Google argues that it did not take Plaintiffs’ personal information, but rather made a copy, and thus there is no taking. Id . However, California courts have held that copying is theft because “although the owner may retain possession of the original property, there has been nevertheless a deprivation of property when a copy is made.” People v. Kwok , 63 Cal. App. 4th 1236, 1249–50 (1998). Thus, Plaintiffs have adequately alleged a statutory larceny claim. Accordingly, the Court DENIES Google’s motion to dismiss Plaintiffs’ statutory larceny claim. 8. Plaintiffs have stated a UCL claim. The UCL “provides a cause of action for business practices that are (1) unlawful, (2)
unfair, or (3) fraudulent.”
Backhaut v. Apple, Inc.,
First, Google argues that Plaintiffs lack statutory standing under the UCL because they fail
to allege that Google caused them to lose “money or property.” Mot. at 23–24. However, to satisfy
the statutory standing requirement under the UCL, a plaintiff must merely suffer an injury in fact
that is an “economic injury.”
Kwikset Corp. v. Superior Court
,
Third, as to damages, Google argues that monetary damages are unavailable to Plaintiffs
under the UCL. “The only monetary remedy available in a private action under the unfair
competition law is restitution.”
Clark v. Superior Court
,
Accordingly, the Court DENIES Google’s motion to dismiss Plaintiffs’ UCL claim.
IV. CONCLUSION
For the foregoing reasons, the Court GRANTS Google’s motion to dismiss the following claims with leave to amend:
• Unauthorized disclosure under the Wiretap Act
• Unauthorized access under the SCA
• Unauthorized disclosure under the SCA
• CFAA The Court DENIES Google’s motion to dismiss the following claims: • Breach of contract
• Breach of implied covenant of good faith and fair dealing • Intrusion upon seclusion • Statutory larceny • UCL • CIPA Plaintiffs shall file any amended complaint within 30 days of this Order. Failure to do so, or failure to cure deficiencies identified herein or identified in the instant motion to dismiss, will result in dismissal of the deficient claims with prejudice. Plaintiffs may not add new causes of
action or add new parties without stipulation or leave of the Court. Plaintiffs are directed to file a redlined complaint comparing the complaint to any amended complaint as an attachment to Plaintiffs’ amended complaint.
IT IS SO ORDERED.
Dated: March 17, 2021
___________________________________ LUCY H. KOH United States District Judge
Notes
[1] According to Google, “Chrome offers four modes: (1) Basic Browser; (2) Signed In; (3) Signed In with sync enabled; and (4) Incognito.” ECF No. 57 (“Mot.”) at 1 n.1. In the instant case, Plaintiffs allege that they used only the first two modes. . In a related case, Brown v. Google , the plaintiffs challenge Google’s data collection while they were in private browsing mode, which is called Incognito mode in Chrome. See Case No. 20-CV-03664-LHK, ECF No. 168, ¶ 11.
[2] The previous versions of Chrome’s Privacy Notice made very similar statements. See Compl. ¶ 25 38, Exhs. 17–24 (“The personal information that Chrome stores won’t be sent to Google unless you choose to store that data in your Google Account by signing into Chrome. Signing in enables 26 Chrome’s synchronization feature.”); Compl. ¶ 38, Exhs. 25–27 (“The personal information that Chrome stores won’t be sent to Google unless you choose to store that data in your Google 27 Account by turning on Chrome sync.”).
[3] Consent is also a defense to Plaintiffs’ breach of contract and good faith and fair dealing claims because if Plaintiffs consented to the alleged data collection, Google would not have breached its contract with Plaintiffs by engaging in the alleged data collection. Furthermore, consent is a defense to Plaintiffs’ UCL claim, which is predicated on Google’s representations and Plaintiffs’ other claims. See Section III(C)(8), infra .
[4] Even the Chrome Privacy Notice states that browsing history falls within the definition of “personal browsing data.” See Compl. Exhs. 18–23 (stating that personal browsing data can include browsing history).
[5] Plaintiffs acknowledge that Chrome is a Google service. Indeed, Plaintiffs allege that Google’s 27 Terms of Service were part of the contract between Plaintiffs and Google. Compl. ¶ 26, 351.
[6] The previous versions of Chrome’s Privacy Notice made very similar statements. See Compl. ¶ 25 38, Exhs. 17–24 (“The personal information that Chrome stores won’t be sent to Google unless you choose to store that data in your Google Account by signing into Chrome. Signing in enables 26 Chrome’s synchronization feature.”); Compl. ¶ 38, Exhs. 25–27 (“The personal information that Chrome stores won’t be sent to Google unless you choose to store that data in your Google 27 Account by turning on Chrome sync.”).
[7] The Court notes that, in Andrews v Sirius XM Radio , the Ninth Circuit recently rejected a CFAA claim where the plaintiff alleged that he had suffered the requisite loss under the CFAA because the defendant “allegedly ‘stole [his] personal information without compensating [him].’” 932 F.3d 1253, 1262 (9th Cir. 2019). The Ninth Circuit concluded that the CFAA had “a narrow conception of ‘loss,’ and the definition does not include a provision that aligns with [the plaintiff’s] theory.” . Because Plaintiffs in the instant case never alleged that they suffered loss, the Court cannot evaluate whether Andrews precludes Plaintiffs’ theory of loss.