Case Information
UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA San Francisco Division
AUDRA GRAHAM and STACY MOISE, Case No. 20-cv-06903-LB individually and on behalf of all others similarly situated, ORDER GRANTING DEFENDANTS’ MOTIONS TO DISMISS Plaintiffs, Re: ECF No. 35, 36 v. NOOM, INC., and FULLSTORY, INC., Defendants. INTRODUCTION
Noom is a web application that helps its users lose weight and lead healthier lifestyles. Noom uses FullStory’s software (called “session replay”) to record what visitors are doing on the Noom website, such as their keystrokes, mouse clicks, and page scrolling, thereby allowing a full picture of the user’s website interactions. Noom contends that the software improves its website design
22
and the user’s experience. The plaintiffs — on behalf of a putative California class — claim that 23
FullStory is illegally wiretapping their communications with Noom (and Noom is aiding and 24
25 First Am. Compl. (FAC) – ECF No. 27 at 2 (¶ 1 & n.1 (citing N OOM , https://www.noom.com)), 5–11
(¶¶ 18–32, 38). Citations refer to material in the Electronic Case File (ECF); pinpoint citations are to the ECF-generated page numbers at the top of documents. No. 20-cv-06903-LB abetting that eavesdropping) in violation of their right to privacy under California’s Invasion of Privacy Act (CIPA) and the California Constitution. [2]
Noom and FullStory moved to dismiss the claims, in part on the ground that FullStory — as Noom’s vendor for analyzing its website traffic — was a party to the communication (and not an eavesdropper). FullStory also contends that the court lacks personal jurisdiction because it has no forum-related conduct. [3] The plaintiffs do not plausibly plead that FullStory eavesdropped on their communications with Noom and instead plead only that FullStory is Noom’s vendor for software services. They thus do not meet their prima facie burden to establish specific jurisdiction over FullStory, and they do not plausibly plead wiretapping in violation of California law.
STATEMENT
website (and what information FullStory’s software captured), and the case’s procedural history. FullStory’s Software its clients (including Noom) to capture and analyze data so that the clients can see how visitors are [5] The clients put FullStory’s code on their websites to capture the data, and using their websites. The next sections describe how FullStory’s software works, how the plaintiffs used Noom’s It provides software to [4] FullStory is a Delaware corporation headquartered in Atlanta, Georgia. then they can review the data, which is stored in the cloud on FullStory’s servers. The software records visitor data such as keystrokes, mouse clicks, and page scrolling. Through a function called Session Replay, FullStory’s clients can see a “playback” of any visitor’s session. If the visitor is still on the site, the clients can see the session live. [7]
A video example of a session is on FullStory’s website and shows a fictional user “flipping through” FullStory’s Definitive Guide to Session Replay . The accompanying marketing materials say, “Notice how you can see interactions, mouse movements, clicks, interactions with overlays, and more — and everything is listed in order in a stream at the right side of the replay. This is what a session replay looks like in a FullStory app.” [8] The Plaintiffs’ Use of Noom’s Website
The plaintiffs are California citizens and residents, and Noom is a Delaware company headquartered in New York, New York. The plaintiffs browsed Noom’s website (from California) to investigate Noom’s “diet offerings.” [9] FullStory’s Session Replay function “created a video capturing [their] keystrokes and mouse clicks on the website . . . and also captured the date and time of their visits, the duration of the visits, [their] IP addresses, their locations at the time of the visits, their browser types, and the operating system on their devices.” [10] identifiable information] and PHI [protected health information],” and FullStory’s software “captures these electronic communications . . . [e]ven if users do not complete the form.” The “When users access [] Noom’s website, they fill out a form and enter PII [personally captured PII and PHI includes — in addition to the information in the last paragraph — height, weight, gender, age, diet and exercise habits, some medical information, and email addresses.
3. Procedural History
The plaintiffs’ amended complaint has three claims: (1) wiretapping, in violation of Cal. Penal Code § 631(a); (2) the sale of eavesdropping software, in violation of Cal. Penal Code § 635(a); and (3) invasion of privacy under California’s Constitution. [12] The putative class is “all California residents who visited Noom.com, and whose electronic communications were intercepted or recorded by FullStory.” [13] All parties consented to magistrate jurisdiction. [14] The parties do not dispute that there is subject-matter jurisdiction under the Class Action Fairness Act, 28 U.S.C. § 1332(d)(2)(A). [15] Noom and FullStory moved to dismiss the case. [16] The court held a hearing on April 8, 2021. STANDARDS OF REVIEW Rule 12(b)(1) A complaint must contain a short and plain statement of the ground for the court’s jurisdiction.
Fed. R. Civ. P. 8(a)(1). The plaintiffs have the burden of establishing jurisdiction.
Kokkonen v.
Guardian Life Ins. Co. of Am.
,
The defendants contend that the plaintiffs lack standing. Standing pertains to the court’s subject-
matter jurisdiction and thus is properly raised in a Rule 12(b)(1) motion to dismiss.
Chandler v.
State Farm Mut. Auto. Ins. Co.
,
A court should dismiss a complaint without leave to amend only if the jurisdictional defect cannot
be cured by amendment.
Eminence Capital, LLC v. Aspeon, Inc
.,
“In opposing a defendant’s motion to dismiss for lack of personal jurisdiction, the plaintiff
bears the burden of establishing that jurisdiction is proper.”
Ranza v. Nike, Inc.
,
A complaint must contain a “short and plain statement of the claim showing that the pleader is
entitled to relief” to give the defendant “fair notice” of what the claims are and the grounds upon
which they rest. Fed. R. Civ. P. 8(a)(2);
Bell Atl. Corp. v. Twombly
,
To survive a motion to dismiss, a complaint must contain sufficient factual allegations, which
when accepted as true, “state a claim to relief that is plausible on its face.”
Ashcroft v. Iqbal
, 556
U.S. 662, 678 (2009) (quoting
Twombly
,
of CIPA, Cal. Penal Code § 631(a); (2) sale of eavesdropping software, in violation of CIPA, Cal. Penal Code § 635(a); and (3) invasion of privacy in violation of California’s Constitution. In addition, Noom contends that the plaintiffs lack standing to pursue injunctive relief, and FullStory contends that it has no forum-related contacts (and there thus is no personal jurisdiction). Because the plaintiffs do not plausibly plead FullStory’s wiretapping, the court dismisses the claims, holds that they did not meet their prima facie burden to establish specific personal jurisdiction over FullStory, and dismisses the claim for injunctive relief. Section 631(a) Claim
Section 631(a) defines the following behavior as a crime: Any person [1] who, by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection . . . with any telegraph or telephone wire, line, cable, or instrument, . . . or [2] who willfully and without consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state, or [3] who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained, or [4] who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above . . . .
Cal. Penal Code § 631(a). The defendants moved to dismiss the claim on three grounds: (1) there is no wrongful eavesdropping; (2) the claim rests in part on the collection of information that is not protected content; and (3) Noom’s privacy policy discloses the data collection.
1.1 Eavesdropping
Under section 631(a), if a person secretly listens to another’s conversation, the person is liable.
Ribas v. Clark
,
In another case in this district, the plaintiffs’ counsel predicated a section 631(a) claim on the
same theory.
Revitch v. New Moosejaw, LLC
, No. 18-cv-06827-VC,
The district court held that the allegations plausibly pleaded a section 631(a) claim that NaviStone was a third-party eavesdropper. It rejected NaviStone’s contention that it received the communications directly and therefore was a party to them: “it cannot be that anyone who receives a direct signal escapes liability by becoming a party to the communication. Someone who presses up against a door to listen to a conversation is no less an eavesdropper just because the sound waves from the next room reach his ears directly.” And it held Moosejaw liable as an aider and abettor of NaviStone’s wrongdoing. at *1–2.
The plaintiffs contend that, applying
Moosejaw
, FullStory is not a party, it instead is a third
party that is liable for eavesdropping, and its contract with Noom does not make it any less of an
eavesdropper. As a result, they contend, Noom is liable for FullStory’s wrongdoing. But the
allegations about FullStory are different than the acts that courts hold plausibly support a claim of
surreptitious wiretapping by a third party.
, Facebook tracked its users to third-party websites (through Facebook’s code on the
Facebook
commerce sites to intercept visitor data and create marketing databases of consumer information. In
websites) — even when its users were not signed into Facebook, and then it sold that data to
, for example, NaviStone was a marketing company that partnered with e-
In
Moosejaw
advertisers.
By contrast, FullStory is a vendor that provides a software service that captures its clients’ data,
hosts it on FullStory’s servers, and allows the clients to analyze their data. Unlike NaviStone’s and
Facebook’s aggregation of data for resale, there are no allegations here that FullStory intercepted and
used the data itself. Instead, as a service provider, FullStory is an extension of Noom.
[21]
It provides a
tool — like the tape recorder in
Rogers
— that allows Noom to record and analyze its own data in aid
of Noom’s business.
[22]
See
As a result, Noom is not liable for aiding and abetting FullStory’s wrongdoing because there is
no wrongdoing.
Cf. Moosejaw
,
Section 631(a) prohibits the unauthorized access of the contents of any communications. Cal.
Penal Code § 631(a);
Brodsky v. Apple Inc.
,
Given the plaintiffs’ concessions, the court dismisses the claim to the extent that it is predicated
on non-content information.
See Hytto
,
and analysis. when they accessed the website and before they could read the policy, notice was insufficient, and The plaintiffs counter that they could not consent to wiretapping that happened the policy in any event did not disclose wiretapping. or collect usage information, such as tracking technologies (that alter settings and configurations 1.3 Privacy Policy FullStory also contends that Noom’s privacy policy discloses the possibility of data collection The privacy policy discloses that Noom “may use various methods and technologies” to store
on the user’s device), cookies, web beacons, and embedded scripts.
An embedded script is programming code that is designed to collect information about User’s interactions with the Website, Mobile App and Services, such as the links User clicks on. The code is temporarily downloaded onto User’s Device from Noom’s web server and/or Mobile App or a third party service provider, is active only while User is connected to the Website and/or Mobile App, and is deactivated or deleted thereafter. The privacy policy is available via a link at the bottom of Noom’s homepage and is in “small, 1 non-contrasting font (i.e. light grey against a white background). . . .” 2 Visitors to the website are given no notice and are not prompted to take any affirmative
3
action to demonstrate assent. Visitors are not required to read or acknowledge the Privacy 4 Policy to use the website. In any event, by the time a website user visited the Privacy
Policy, the [software] on Noom’s website will have already deployed. [28] The parties largely talk past each other in their briefs. FullStory’s main argument is that to be liable, its acts must be surreptitious, and given the policy’s disclosures, the plaintiffs did not plausibly plead its surreptitious acts. [29] The plaintiffs mainly argue traditional principles of consent (although they also contend that the policy does not disclose wiretapping). FullStory counters that it never argued traditional consent (although it points out in its reply that retroactive consent can be valid). The parties’ arguments about consent do not permit resolution of the issue. As to the adequacy of the privacy policy’s disclosures, FullStory made a practical argument but did not cite cases to support it. (Perhaps there are none.) Given the court’s holding that there is no wiretapping, the issues — consent and the policy’s alleged failure to disclose wiretapping — are moot. On this round of motions, the privacy policy is not a separate ground to dismiss the claim. * * * The court dismisses the section 631(a) claim with leave to amend. Section 635(a) Claim
Section 635(a) defines the following behavior as a crime:
Every person who manufactures, assembles, sells, offers for sale, advertises for sale, possesses, transports, imports, or furnishes to another any device which is primarily or exclusively designed or intended for eavesdropping upon the communication of another . . . shall be punished. . . .
Cal. Penal Code § 635(a). The defendants moved to dismiss on two grounds: (1) the plaintiffs were not injured and thus do not have a private right of action under section 635(a) or Article III standing; and (2) FullStory’s code is not a device designed primarily or exclusively for eavesdropping.
First, the plaintiffs do not have a private right of action and lack Article III standing. CIPA creates a private right of action for “any person who has been injured by a violation of this chapter. . . .” Cal. Penal Code § 637.2(a). “It is not a necessary prerequisite to an action pursuant to this section that the plaintiff has suffered, or be threatened with, actual damages.” Id . § 637.2(c).
The plaintiffs “do not base their standing on mere possession of a wiretapping device, but on FullStory’s knowledge and active involvement in using that device to monitor [their] communications.” Because there is no eavesdropping, there is no violation of CIPA. The plaintiffs thus suffered no injury, and they have no private right of action. . § 637.2(a). That means that they lack Article III standing too. If FullStory had eavesdropped on them, then
there would be concrete injury.
Moosejaw
,
Invasion of Privacy Under California’s Constitution The plaintiffs claim that the defendants intentionally invaded their privacy rights under the California Constitution “by implementing FullStory’s wiretaps on Noom’s Website.” [34] Because there is no wiretap, the plaintiffs did not plausibly plead a legally protected privacy interest.
The elements of a claim for invasion of privacy under the California Constitution are “(1) the
[plaintiffs] possess a legally protected privacy interest, (2) they maintain a reasonable expectation
of privacy, and (3) the intrusion is ‘so serious as to constitute an egregious breach of social norms’
such that the breach is ‘highly offensive.’”
Facebook
,
4. Standing to Seek Injunctive Relief
Noom moved to dismiss the claims for injunctive relief because the plaintiffs did not plead their intent to use Noom’s platform in the future. The plaintiffs countered that Ms. Moise’s intent “is reasonably inferred” and can be cured through amendment (and abandoned Ms. Graham’s claim). The court dismisses Ms. Graham’s claim with prejudice and Ms. Moise’s claim with leave to amend. Personal Jurisdiction over FullStory
The plaintiffs have not met their prima facie burden to establish specific jurisdiction.
In diversity cases, “federal courts ordinarily follow state law in determining the bounds of their
jurisdiction over persons.”
Picot v. Weston
,
There are two types of personal jurisdiction: general and specific.
Bristol-Myers Squibb Co. v.
Super. Ct.
,
(1) The non-resident defendant must purposefully direct his activities or consummate some transaction with the forum or resident thereof; or perform some act by which he purposefully avails himself of the privilege of conducting activities in the forum, thereby invoking the benefits and protections of its laws;
(2) the claim must be one which arises out of or relates to the defendant’s forum-related
activities; and
(3) the exercise of jurisdiction must comport with fair play and substantial justice, i.e. it
Picot
,
Under the
Calder
effects test, purposeful direction exists when a defendant commits an act
outside the forum that was intended to and does in fact cause injury in the forum, meaning, the
defendant must (1) commit an intentional act (2) expressly aimed at the forum (3) that causes harm
that the defendant knows is likely to be suffered in the forum.
Calder v. Jones
,
mere foreseeable effect.”
Pebble Beach
,
The allegations in the complaint establish only that FullStory is Noom’s vendor for a software service that Noom uses to analyze its data. A vendor’s selling a product to Noom — even if Noom has substantial business here and the vendor knew it — does not establish specific personal jurisdiction over the vendor. The plaintiffs do not contest this point. Instead, they predicate jurisdiction on FullStory’s wiretapping. They allege that (1) “Defendants knew that a significant number of Californians would visit Noom’s website, because they form a significant portion of Noom’s customer base,” and (2) “[b]y intercepting the transmissions of Noom website users, Defendants targeted their wrongful conduct at customers, some of whom Defendants knew, at least constructively, were residents of California,” thus causing harm in California. Their basis for jurisdiction is the wiretapping of those customers: “At least three courts have held the ‘intentional act’ standard is easily satisfied where plaintiff alleges wiretapping claims.” Because they did not plausibly plead wiretapping, the plaintiffs have not met their prima facie burden to establish specific personal jurisdiction. CONCLUSION
The court dismisses the complaint with leave to amend within 21 days (except it dismisses Ms. Graham’s claim for injunctive relief with prejudice). Any amended complaint must attach a blackline comparison between the current complaint and the amended complaint.
IT IS SO ORDERED.
Dated: April 8, 2021 ______________________________________ LAUREL BEELER United States Magistrate Judge
Notes
[2] Id. at 2 (¶¶ 1–2), 5 (¶ 18), 11 (¶ 45), 16–21 (¶¶ 64–93); Mot. – ECF No. 36 at 8 (citing id. at 5 (¶ 18)). 24
[3] Mots. – ECF Nos. 35 & 36. 25
[4] FAC – ECF No. 27 at 3–4 (¶ 10).
[5] Id. at 5 (¶ 18), 11 (¶ 39).
[6] Id. at 4 (¶ 11) (FullStory is a “marketing software-as-a-service” company), 8 (¶ 29) (FullStory records information locally in the user’s browser in real time, transmits the information to FullStory’s servers every few seconds, and “makes the information available to its clients”), 11 (¶ 38) (Noom pays FullStory “for the keystrokes, mouse clicks[,] and other communications of visitors to its website”).
[7] Id. at 8 (¶¶ 26–30).
[8] Id . at 5–6 (¶¶ 21–23) (emphasis omitted).
[9] at 2–3 (¶¶ 4–6).
[10] Id . at 11 (¶ 43).
[11] . at 2 (¶ 1) (defining PII and PHI), 11–12 (¶¶ 44–46).
[12] at 16–21 (¶¶ 64–93). 25
[13] . at 15 (¶ 57).
[14] Consents – ECF Nos. 6, 16, 24.
[15] FAC – ECF No. 27 at 4 (¶ 13).
[16] Mots. – ECF Nos. 35–36.
[17] Mot. – ECF No. 35 at 23–24; Mot. – ECF No. 36 at 15–16.
[18] Mot. – ECF No. 35 at 17–19; Mot. – ECF No. 36 at 12–13; Opp’n – ECF No. 39 at 9–12; Opp’n – ECF No. 40 at 18–20.
[19] Revitch v. New Moosejaw, LLC , No. 18-cv-06827-VC, Second Am. Compl. – ECF No. 43 at 2 (¶ 1), 4–17 (¶¶ 9–46).
[20] Opp’n – ECF No. 39 at 9–12; Opp’n – ECF No. 40 at 19–20.
[21] Mot. – ECF No. 35 at 18 (making this argument); Reply – ECF No. 41 at 11 (same). 23
[22] FullStory cites
Javier v. Assurance IQ
to support its argument. Reply – ECF No. 41 at 14 (citing No.
24
20-cv-02860-JSW,
[23] Mot. – ECF No. 35 at 20; Mot. – ECF No. 36 at 15 n.2; Reply – ECF No. 41 at 14–16.
[24] Opp’n – ECF No. 39 at 12–14; Opp’n – ECF No. 40 at 21–23.
[25] Mot. – ECF No. 35 at 21–22; Reply – ECF No. 41 at 17.
[26] Opp’n – ECF No. 40 at 24–29.
[27] Privacy Policy, Ex. A to Zhang Decl. – ECF No. 45-1 at 6. The court considers the privacy policy
under the incorporation-by-reference doctrine.
Knievel v. ESPN
,
[28] FAC – ECF No. 27 at 12 (¶ 48).
[29] Mot. – ECF No. 35 at 21–22.
[30] Opp’n – ECF No. 40 at 24–29.
[31] Reply – ECF No. 41 at 17.
[32] Mot. – ECF No. 35 at 23–25; Mot. – ECF No. 36 at 15–18.
[33] Opp’n – ECF No. 40 at 30 (citing FAC – ECF No. 27 at 2 (¶ 1), 11 (¶¶ 35–40, 43), & 19 (¶ 80)).
[34] FAC – ECF No. 27 at 21 (¶¶ 88–89).
[35] Opp’n – ECF No. 40 at 32 (quoting FAC – ECF No. 27 at 12 (¶ 47) and citing id. at 14 (¶ 53)).
[36] Opp’n – ECF No. 39 at 17 (citing FAC – ECF No. 27 at 2 (¶ 1) & 11 (¶ 45)).
[37] at 18–19 (quoting FAC – ECF No. 27 at 2 (¶¶ 4–5) & 12 (¶ 47)).
[38] Mot. – ECF No. 36 at 24–25.
[39] Opp’n – ECF No. 39 at 22–23.
[40] Opp’n – ECF No. 40 at 10.
[41] Mot. – ECF No. 35 at 14–15; Opp’n – ECF No. 40 at 11.
[42] FAC – ECF No. 27 at 3 (¶ 8), 4–5 (¶ 15).
[43] Id. at 4–5 (¶ 15).
[44] Opp’n – ECF No. 40 at 11 (citing
Hytto
,