Case Information
UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA BRETT HEEGER et al., Case No. 18-cv-06399-JD Plaintiffs, ORDER RE MOTIONS TO DISMISS v. Re: Dkt. No. 76 FACEBOOK, INC., Defendant. BRENDAN LUNDY et al., Case No. 18-cv-06793-JD Plaintiffs, Re: Dkt. No. 82 v. FACEBOOK, INC., Defendant.
These cases are related putative class actions by Facebook users, who challenge Facebook, Inc.’s collection of personal location data. Facebook’s motion to dismiss in , Case No. 18- 6399, is granted, and its motion to dismiss in Lundy , Case No. 18-6793, is granted and denied in part.
BACKGROUND
In both cases, the first amended class action complaints are the operative pleadings. See Case No. 18-6399, Dkt. No. 74 (“ FAC”); Case No. 18-6793, Dkt. No. 80 (“ FAC”). While the allegations in the complaints overlap to a considerable degree, Lundy presents some material variations that warrant a different outcome for the motion. Facebook is the sole named defendant in each action.
The Heeger FAC added three named plaintiffs -- Zachary Henderson, Caleb Rappaport, and Elizabeth Pomiak -- to plaintiff Brett Heeger, who filed the original complaint. FAC ¶¶ 14-17. As alleged in the FAC, Facebook “describ[es]” the “Location History” feature in its mobile app, and the “Location Services” setting on users’ cell phones, as “settings through which Facebook users can purportedly control location tracking.” Id . ¶¶ 4-5. But Facebook “collects users’ location data without those users’ consent, regardless of their settings.” Id . ¶ 5. Facebook then “highlights the detail and specificity of that data” to its advertisers, and “uses th[e] data to precisely target its advertiser customers’ advertisements to Facebook users.” Id . The FAC alleges California state law claims on behalf of a putative class of “[a]ll Facebook users in the United States who turned off ‘Location History’ or ‘Location Services’ or both, during the applicable limitations period,” for: (1) violation of the California Invasion of Privacy Act, Cal. Pen. Code § 630 et seq. (“CIPA”); (2) violation of California’s constitutional right of privacy; (3) intrusion upon seclusion; and (4) unjust enrichment. Id . ¶¶ 67, 81-107. The Lundy FAC was brought by two plaintiffs: Brendan Lundy and Myriah Watkins. Lundy FAC ¶¶ 10-19. The FAC alleges that they “never granted Facebook permission to access [their] location data through [their] Location Services or Facebook App settings,” and that they specifically had their “Location History” Facebook app setting turned to “off.” . ¶¶ 11, 16. Plaintiffs allege that “[c]ontrary to plaintiffs’ device settings selections, and contrary to Facebook’s Privacy Policy in effect during the relevant time period, Facebook tracked plaintiffs’ locations using their IP addresses and enhanced location determination techniques.” . ¶ 5. Facebook is said to have “bundled this location information with plaintiffs’ other personal information,” and then “monetized these bundled packages . . . for targeted advertising purposes, thus enriching itself” in the amount of “hundreds of millions of dollars from increased advertising revenue.” .
Unlike , the plaintiffs limit their claims to the time period before April 19, 2018. See id . ¶ 99 (alleging the lawsuit is brought on behalf of persons “who were users of Facebook prior to April 19, 2018 who did not give Facebook permission to collect and use their location information”). Plaintiffs acknowledge that Facebook adopted on that date a “revised privacy policy” which disclosed “that Facebook will collect location data using IP addresses, even without user permission.” Id . ¶¶ 25-26. The Lundy FAC quotes the revised policy, which expressly advised users that “[y]ou can control whether your device shares precise location information with Facebook Company Products via Location Services,” but also that “[w]e may still understand your location using things like check-ins, events, and information about your internet connection.” Id . ¶ 26. It agrees that this revised policy, unlike the prior version, “advises users that it will collect their location information, including location information derived from IP addresses without user consent, and bundle this location information, with ‘information about [their] interests, actions and connections,’ to deliver personalized advertising and sponsored content.” Id . ¶ 27.
The complaint in also differs from Heeger in the claims alleged against Facebook. The Lundy plaintiffs make claims for: (1) violation of article I, section 1 of the California constitution; (2) intrusion upon seclusion; (3) intentional misrepresentation and omission; (4) deceit by concealment or omission, Cal. Civ. §§ 1709 & 1710; (5) breach of contract; (6) breach of implied covenant of good faith and fair dealing; (7) negligent misrepresentation; and (8) unjust enrichment. . ¶¶ 108-96. 12(b)(6) of the Federal Rules of Civil Procedure. Dkt. No. 76; Dkt. No. 82. Lundy [1] Facebook has moved to dismiss both amended complaints under Rules 12(b)(1) and
DISCUSSION
I. FACEBOOK’S MOTION TO DISMISS IN HEEGER
This is the second round of pleadings motions in . The Court granted Facebook’s initial motion to dismiss, with leave to amend. Dkt. No. 70. In that order, the Court concluded that plaintiff Heeger had established Article III standing to sue on the privacy and other claims. . at 2-4. On substantive grounds, the CIPA claim was dismissed because the complaint did not plausibly allege the use of an “electronic tracking device” as required by California Penal Code § 637.7(a). . at 4. The privacy claims for intrusion upon seclusion and violation of the California constitutional right to privacy were dismissed because the complaint did not “provide enough facts to undertake the context-specific inquiry into the plausibility of the privacy expectation or the offensiveness of the intrusion.” . at 5-6. The Court determined that the complaint “does not state the precision of the location data Facebook is alleged to have collected after users turned off ‘Location History.’” . at 6. The Court underscored that “[t]his is important because a generalized location, such as one that locates a user no more precisely than within several city blocks, may not implicate much in the way of privacy concerns,” whereas “[h]ighly specific location data . . . that identifies a user’s pinpoint comings and goings would likely present substantially greater concerns.” .
Plaintiffs amended the complaint, but with scant improvement. The Heeger FAC now reads like a book report that simply summarizes third-party news stories about Facebook’s ostensible capacity to “discern precise locations” from user data. See , e.g. , FAC ¶¶ 8, 48- 50, 53 & nn.4-5, 29-31. [2] Few facts are alleged without the caveat of “on information or belief,” or without hedging on whether Facebook actually does what Heeger accuses, or simply has the ability to do it. See, e.g., id. ¶ 49 (alleging that “Facebook can also match IP addresses taken from users who have turned Location Services and Location History off with IP address information taken from users who have not limited Facebook’s ability to access their location and who have given Facebook access to extremely precise location data, like Wifi access points or GPS”) (first emphasis added); id . & n.29 (citing an article entitled, How Others Compromise Your Location Privacy: The Case of Shared Public IPs at Hotspots , and alleging “upon information and belief, Facebook does this in order to obtain precise location data about all its users, without disclosing this practice.”).
These allegations did nothing to fill in the substantive gaps in the original complaint. They
did little more than parrot internet musings about things Facebook may or may not be doing, and
which plaintiffs may or may not have experienced themselves. When these fillers are stripped
away, all that the FAC alleges is that Facebook collected plaintiffs’ IP addresses.
See id
.
¶ 41 (“At a minimum, Facebook tracks its users’ IP addresses regardless of whether they have
affirmatively sought to limit Facebook’s ability to track their locations by turning Location
History and Location Services ‘off.’”); ¶ 42 (“Facebook . . . continues to track users’ approximate
location using IP addresses”); n.24 (Facebook’s statements do not “make clear that Facebook is
collecting IP address information even in cases where users have chosen to limit Facebook’s
access to their location data”); ¶ 45 (“turning Location History ‘off’ has no impact on Facebook’s
collection of location information -- at a minimum IP address information”); ¶ 46 (Facebook’s
representations obscure the fact that “Facebook continues collecting IP address information (and
in some cases other location information)”). In addition, the primary and sole factual allegation
made about location data actually collected from the plaintiffs is that plaintiff Heeger “discovered
104 pages of IP addresses showing locations where he accessed his Facebook account spanning
from 2014 through August 2018.”
Id
. ¶ 14.
Consequently, the FAC plausibly alleges only that Facebook collected plaintiffs’
IP addresses and even then, only when they were using the Facebook app or were visiting
Facebook’s website. . ¶ 41. This creates an Article III standing problem for plaintiffs. As
Article III of the United States Constitution states, federal courts have the “power to decide legal
questions only in the presence of an actual ‘Cas[e]’ or ‘Controvers[y].’”
Wittman v.
Personhuballah
,
As Facebook suggests, it is the injury in fact prong that requires the closest examination
here. To establish injury in fact, a plaintiff must show that he or she suffered “an invasion of a
legally protected interest which is (a) concrete and particularized, and (b) actual or imminent, not
conjectural or hypothetical.”
Lujan
,
allegations in his original complaint, Dkt. No. 70, that conclusion must be reconsidered in light of
the pleading amendments. The amended allegations show that plaintiffs do not have standing to
bring claims for intrusion upon seclusion, violation of the California constitution, article I, section
1, or for a violation of CIPA, because they have not plausibly alleged any privacy injuries.
See In
re Facebook
,
The fact that the IP addresses at issue here are assigned to cell phones does not lead to a
different conclusion. While the United States Supreme Court noted in
Carpenter v. United States
,
In addition, the number of cell sites has mushroomed in response to rising cell phone data traffic in the United States, which has led to “increasingly compact coverage areas, especially in urban areas.” . at 2211-12. In Carpenter , the CSLI data was described as placing defendant “within a wedge-shaped sector ranging from one-eighth to four square miles,” and the government highlighted it as some of its best evidence showing “he was at the site of the robberies.” . at 2218. The total lack of any similar allegations about IP addresses in the Heeger FAC, as well as the general understanding of IP addresses the Court has from other cases, indicates IP address data is far less finely detailed.
In effect, the allegation that Facebook collected “IP addresses showing locations where
[plaintiff Heeger] accessed his Facebook account,” Dkt. No. 74 ¶ 14, describes a practice akin to a
pen register recording the outgoing phone numbers dialed on a landline telephone.
Carpenter
, 138
S.Ct. at 2216. That will not do for a privacy injury. “Telephone subscribers know, after all, that
the numbers are used by the telephone company ‘for a variety of legitimate business purposes,’
including routing calls,” and it is doubtful that “people in general entertain any actual expectation
of privacy in the numbers they dial.” . So too for an IP address. Device “users ‘should know
that [IP address] information is provided to and used by Internet service providers for the specific
purposes of directing the routing information.” ,
The collection of IP addresses is a country mile from the CSLI data collected in
Carpenter
,
and plaintiffs do not argue otherwise. There is no legally protected privacy interest in IP addresses
alone, which is the only interest plaintiffs concretely allege. Consequently, they cannot be injured
from the collection of IP addresses, and so lack Article III standing for the privacy claims under
California common law, the California constitution, and CIPA that are premised on that ostensible
injury.
This conclusion is entirely consonant with the Court’s ongoing duty to police standing.
Standing was established in the original complaint on the basis of Heeger’s allegation that
“Facebook systematically and covertly tracks, collects, and stores users’ private location
information even after users have affirmatively opted not to share their location history,” as well
as that Facebook tracked and stored users’ “detailed location histories without their knowledge
and consent.” Dkt. No. 70 at 2-3 (quoting Dkt. No. 1 (Complaint) ¶¶ 9, 71). But after the Court
required plaintiffs to put a finer point on the facts in an amended complaint, plaintiffs made clear
that all that they were alleging was the collection of IP addresses. In effect, plaintiffs planted their
flag in quicksand. The Court has not hesitated to find Article III standing in other cases alleging
intangible privacy harms,
see
,
e.g.
,
Patel v. Facebook Inc.
,
Plaintiffs also lack Article III standing for the unjust enrichment claim because they have
failed to make any allegation that “they retain a stake in the profits garnered from” the collection
of their IP addresses. ,
The FAC is dismissed in its entirety for lack of Article III standing. Plaintiffs may, if they wish, attempt to cure these deficiencies by filing an amended complaint, which will likely constitute plaintiffs’ final opportunity to amend. II. FACEBOOK’S MOTION TO DISMISS IN LUNDY Facebook’s prior motion to dismiss the Lundy complaint was mooted when plaintiffs elected to voluntarily amend. Dkt. Nos. 48, 76. Among other amendments, plaintiffs voluntarily dismissed some defendants and filed the FAC against Facebook only. Dkt. Nos. 77, 80. This is the Court’s first decision with respect to the pleading allegations in Lundy .
A. Article III Standing
Facebook again says that plaintiffs have “fail[ed] to plead adequately the ‘injury in fact’ necessary to demonstrate Article III standing.” Dkt. No. 82 at 6. The principles and analysis in the discussion apply here with equal force.
For the intrusion upon seclusion, California constitutional privacy, breach of contract, and
breach of implied covenant of good faith and fair dealing claims, the salient question is whether
plaintiffs have plausibly alleged privacy injuries,
see In re Facebook
,
Estimated location inferred from IP 32.584, -97.168 Created Dec 16, 2017 2:32 pm Id .
Plaintiffs allege that “[t]he ‘Login Protection Data’ and ‘Where You’re Logged In’ subfiles, located under the obscurely labeled ‘Security and Login Information’ file, contain precise longitude and latitude coordinates inferred from IP addresses,” as discussed above. Id . ¶ 51. They also say that “Facebook then further refined plaintiffs’ location derived from the IP addresses using enhanced location tracking methodologies.” Id . “For purposes of illustration,” plaintiffs allege that Facebook logged plaintiff Lundy’s IP address on August 31, 2018, at 6:38 p.m., as “71.209.176.35.” Id . ¶ 53. Inputting that IP address into “IP location service providers’ websites for free to determine the location based on that IP address,” returned results showing Lundy might have been in Phoenix, Gilbert, or Mesa, Arizona. . ¶ 54. Facebook’s log, however, included not just Lundy’s IP address but also his geocoordinates of “34.6, latitude, -112.28 longitude,” “show[ing] that Mr. Lundy was in Prescott, Arizona at that date and time. . ¶ 53. Given that “[t]he various IP location providers result in geocoordinate locations for the same IP address more than 100 miles away in the Phoenix, Arizona metropolitan area,” plaintiffs say “[t]hese differences indicate that Facebook used an enhanced location determination technique based on data collected from other users instead of, or in addition to, simply plotting plaintiff Lundy’s IP address location in order to more precisely pinpoint the location of the IP address.” . ¶ 55.
This alleges considerably more than the collection of IP addresses. Plaintiffs have made
specific, factual allegations pointing to “enhanced” geocoordinate location information. As the
Court said in the first motion to dismiss order in , “[b]oth the common law and the literal
understandings of privacy encompass the individual’s control of information concerning his or her
person.” Dkt. No. 70 at 3 (quoting
Patel
,
To have standing to pursue the fraud claims, plaintiffs must demonstrate that they suffered an economic injury. See id . & n.4 (“[f]raud . . . requires damages”). And for their unjust enrichment claim, plaintiffs “must allege they retain a stake in the profits garnered from” the location data collected from plaintiffs “because the circumstances are such that, as between the two parties, it is unjust for Facebook to retain it.” Id . at 599-600 (quotations and alterations omitted). “Under California law, this stake in unjustly earned profits exists regardless of whether an individual planned to sell his or her data or whether the individual’s data is made less valuable.” Id . at 600. Here, as in , plaintiffs have alleged that the location data collected from them “carry financial value.” Id . They say that “[l]ocation data presents one of the most valuable forms of data that Facebook collects about its users for its advertisers,” and that “[t]he location data bundled with plaintiffs’ personal information is . . . worth $1.72” per individual. Dkt. No. 80 ¶ 77. They also point to a 2015 survey in which U.S. respondents, “on average, believe[d] that their physical location is worth $16.1, and their home address is worth $12.9.” . ¶ 78. Plaintiffs add that Facebook “targeting advertisers for its mobile users has become the Company’s focus for generating advertising revenue,” and “[a]s of 2018, over 90% of Facebook’s advertising revenue came from mobile users.” . ¶¶ 79-81. Plaintiffs also allege that Facebook “collected users’ IP addresses, identified the users’ locations through their IP addresses, then bundled that location information with other user information and monetized it by selling it for targeted advertising purposes.” . ¶ 3.
All of these allegations are “sufficient at the pleading stage to demonstrate that these
profits were unjustly earned,” and plaintiffs have consequently “sufficiently alleged a state law
interest whose violation constitutes an injury sufficient to establish standing to bring their claims
for . . . fraud” as well as for unjust enrichment.
In re Facebook
,
B. Intrusion Upon Seclusion and California Constitutional Privacy Claims
While plaintiffs have made out standing to sue, the substantive facts alleged for their
causes of action need work. To state a claim for intrusion upon seclusion under California
common law, a plaintiff must plead that “(1) a defendant ‘intentionally intruded into a place,
conversation, or matter as to which the plaintiff has a reasonable expectation of privacy,’ and
(2) the intrusion ‘occurred in a manner highly offensive to a reasonable person.’”
In re Facebook
,
“The existence of a reasonable expectation of privacy, given the circumstances of each
case, is a mixed question of law and fact.”
In re Facebook
,
The Court cannot conclude that there is a factual question as to whether the location data Facebook allegedly collected here might be sensitive and confidential. At most, plaintiffs have alleged that Facebook “pinned” plaintiff Lundy down to a city and state. As the Court determined in , “a generalized location, such as one that locates a user no more precisely than within several city blocks, may not implicate much in the way of privacy concerns.” Dkt. No. 70 at 6. The city-level tracking alleged in Lundy is substantially more general and imprecise, and plaintiffs have not provided any factual allegations to show otherwise. Plaintiffs also do not allege that Facebook tracked this city data after users had logged out. Facebook is said to have collected it only while plaintiffs were using the app. FAC ¶ 47. Consequently, plaintiffs have not plausibly alleged a reasonable expectation of privacy in
the location data collected by Facebook. The Court has doubts about the seriousness of the alleged invasion as well, but does not need to decide that now. The two privacy claims are dismissed with leave to amend. C. Intentional Misrepresentation and Omission, Deceit by Concealment or Omission, and Negligent Misrepresentation In their complaint, plaintiffs asserted claims for intentional misrepresentation and omission; deceit by concealment or omission, Cal. Civ. Code §§ 1709, 1710; and negligent misrepresentation. Both sides discuss these claims together in their motion papers. See Dkt. No. 82 at 9-13; Dkt. No. 83 at 9-12. Plaintiffs do not dispute Facebook’s statement that all three claims require “(1) a misrepresentation or omission of material fact; (2) knowledge of falsity; (3) intent to defraud or to induce reliance; (4) justifiable reliance; and (5) resulting damage. Negligent misrepresentation relaxes only the intent element.” Dkt. No. 82 at 9-10.
Plaintiffs have plausibly alleged a misrepresentation or omission. The complaint cites these statements in the Facebook Data Policy that was in effect during the relevant time period: We collect information from or about the computers, phones, or other devices where you install or access our Services, depending on the permissions you’ve granted. . . . Here are some examples of the device information we collect: . . .
• Device locations, including specific geographic locations, such as through GPS, Bluetooth, or WiFi signals.
• Connection information such as the name of your mobile operator or ISP, browser type, language and time zone, mobile phone number and IP address.
Dkt. No. 80 ¶ 24; Dkt. No. 80-1 at ECF p.3. A typical user would reasonably conclude from these statements that Facebook would not collect device locations or IP address without user consent. Otherwise, the phrase “depending on the permissions you’ve granted” would be misleading in itself. Plaintiffs have also plausibly alleged that Facebook failed to disclose that it uses “enhanced location determination techniques to more accurately pinpoint IP address locations.” Dkt. No. 80 ¶ 58. The reliance allegations are less sound. Plaintiffs say they “specifically allege[d] . . . that they adjusted their devices and app settings to turn off permission to access their location data in 2013 and 2014.” Dkt. No. 83 at 11 (citing FAC ¶¶ 10, 11, 15, 16, 48, 143, 151). But those allegations do not adequately establish reliance, especially in light of Facebook’s assertion in reply that the Data Policy at issue became effective on September 29, 2016. Dkt. No. 85 at 7. Plaintiffs have also failed to explain how their continued use of Facebook even after discovery of this issue does not defeat any alleged reliance on their part.
The fraud claims are consequently dismissed with leave to amend.
D. Breach of Contract and Breach of Implied Covenant of Good Faith and Fair Dealing
“In order to establish a contract breach, plaintiffs must allege: (1) the existence of a
contract with Facebook, (2) their performance under that contract, (3) Facebook breached that
contract, and (4) they suffered damages.” ,
Neither side gave the breach of contract and implied covenant of good faith and fair
dealing claims much attention. Dkt. No. 82 at 15; Dkt. No. 83 at 15. The supporting allegations
in the FAC are thin, and the scant argument for them by plaintiffs did not justify keeping these
claims alive. Plaintiffs need to do more to establish the existence of a contract, especially in light
of the fact that the strongest language in their favor appears in the Data Policy, and in
In re
Facebook
, the circuit held that the Data Use Policy at issue in that case did “not constitute a
separate contract.”
For the implied covenant of good faith and fair dealing, as in , plaintiffs’
implied covenant allegations do not appear to “go beyond the breach of contract theories asserted
by plaintiffs.”
E. Unjust Enrichment Facebook moved to dismiss plaintiffs’ unjust enrichment claim because “in California, there is not a standalone cause of action for unjust enrichment”; a quasi-contract claim is barred where, as here, “an enforceable, binding agreement exists defining the rights of the parties”; and plaintiffs “fail to plead any misrepresentation or unfair action by Facebook.” Dkt. No. 82 at 15. Plaintiffs did not provide a clear response to these challenges, and said only that “[c]ontrary to Facebook’s argument, plaintiffs properly plead unjust enrichment along with its breach of contract claim.” Dkt. No. 83 at 15. Why this might be so is left unexplained. In effect, plaintiffs failed to oppose dismissal of the unjust enrichment claim, and it is dismissed for that reason with leave to amend.
CONCLUSION
Facebook’s motion to dismiss the FAC is granted, and its motion to dismiss the FAC is denied in part and granted in part. In both cases, plaintiffs are granted leave to amend, and any amended complaints must be filed by January 21, 2021.
//
//
//
// No new claims or defendants may be added without express leave of Court.
IT IS SO ORDERED.
Dated: December 24, 2020
JAMES DONATO United States District Judge
Notes
[1] When necessary for clarity, the Court will specify the case name for the ECF docket cites.
[2] The degree to which plaintiffs’ cited articles and materials actually support the associated FAC 27 allegations is not germane to the Court’s analysis. The Court consequently declines to take judicial notice of Facebook’s proffered Exhibits D through L. Dkt. No. 77. Facebook’s 28 unopposed request to take judicial notice of Exhibits A through C, Dkt. Nos. 77, 81, is granted.
[3] also noted that while “the Fourth Amendment imposes higher standards on the government than those on private, civil litigants, . . . we have nonetheless found analogies to Fourth Amendment cases applicable when deciding issues of privacy related to technology.” 956 F.3d at 604 n.7. Hence it is useful to look to Fourth Amendment cases such as Carpenter and Forrester .