Facebook, Inc. (“Facebook”) operates an online “social network” that permits its members to interact with each other through a website — www.facebook.com. Id. at ¶ 9. This consolidated, multi-district lawsuit against the social network, brought by and on behalf of individuals with active Facebook accounts from May 27, 2010, through September 26, 2011 (the “Class Period”), seeks “in excess of $15 billion in damages and injunctive relief’ and “arises from Facebook’s knowing interception of users’ internet communications and activity after logging out of their Facebook accounts.” See Corrected First Am. Consolidated Class Action Compl. (“CCAC”), Docket Item No. 35, at ¶ 1. Plaintiffs Perrin Davis, Cynthia Quinn, Brian Lentz, and Matthew Vickery (collectively, “Plaintiffs”), each of whom had an active Face-book account during the entire Class Period, allege that Facebook tracked and stored their post-logout internet usage using small text files — or “cookies” — which Facebook had embedded in their computers’ browsers. Id. at ¶¶ 103-106.
Federal jurisdiction arises pursuant to 28 U.S.C. §§ 1331 and 1332(d). Presently
I. BACKGROUND
A. “Cookies”
As noted, a “cookie” is a small text file that a server creates and sends to a browser, which then stores' the file in a particular directory on an individual’s computer. Id. at ¶ 38. A cookie contains a limited amount of information whiсh can relate to the browser or to a specific individual. Id. at ¶¶ 38, 39.
When an individual using a web browser contacts a server — often represented by a particular webpage or internet address— the browser software checks to see if that server has previously set any cookies on the individual’s computer. Id. at ¶ 39. If the server recognizes any valid, unexpiréd cookies, then the computer “sends” those cookies to the server. Id. at ¶ 39. After examining the information stored in the cookie, the server knows if it is interacting with a computer with which it has interacted before. Id. at ¶ 41. Since servers create database records that correspond to individuals, sessions and browsers, the server can locate the database record that corresponds to the individual, session or browser using the information frоm the cookie. Id.
B. Facebook and its Use of “Cookies”
Plaintiffs allege that Facebook is the brainchild of the company’s founder, Mark Zuckerberg, who wrote the first version of “The- Facebook” in his Harvard University dorm room and later launched Facebook as a company in 2004. Id. at ¶ 10. Since then, Facebook has become the largest social networking site in the world with other 800 million users world-wide and over 150 million' users in the United States. Id. at ¶ 11. According to Plaintiffs, the key to this success “was to convince people to create unique, individualized profiles with such personal information as employment history and political and religious affiliations, which then could be shared among their own network, of family and friends.” Id. at ¶ 10. Facebook uses this repository of personal data to connect advertisers with its users. Id. at ¶ 12. Historically, 90% of Faceboоk’s revenue is attributable to third-party advertising and “Facebook is driven to continue to find new and creative ways to leverage its access to users’ data in order to sustain its phenomenal growth.” Id. at ¶ 13.
Facebook does not charge a fee for membership. Id. at ¶ 14.: However, Plaintiffs contend that Facebook membership is not free. Id. at ¶ 14. Specifically, they allege that through the- Statement, of Rights and Responsibilities and other documents , and policies governing use of the website, “Facebook conditions its membership upon users providing sensitive and personal information... including, name, birth date, gender and email address,” and requires that users accept numerous Face-book cookies on their computers. Id. at ¶¶ 14,16. These cookies' allow Facebook to intercept a user's еlectronic communications and track internet browsing history. Id.
Facebook cookies come in two flavors. The first is a “session cookie,” which is set when a user logs into Facebook. Id. at ¶ 15. It is directly associated with a user’s Facebook account and contains unique information, such as the user’s Facebook identification. Id. Session cookies are sup
The second type is a “tracking cookie,” which is also known as a persistent cookie. Id. This cookie sends data back to Face-book any time an individual makes a'request of www.facebook.com, such as when an individual accesses a page with the Facebook “like” button. Id. The tracking takes place, however, regardless of whether the individual actually interacts with the “like” button; “[i]n effect, Facebook is getting details of where you go on the Internet.” Id. Tracking cookies do not expire when a user logs out of Facebook. Id. In fact, Facebook sets these cookies on an individual’s computer whether or not they have a Facebook account. Id.
When a Facebook user leaves the Face-book webpage without logging out and then browses the web, both tracking cookies (such as a “datr” cookie) and session cookies (such as a “c_user” cookie) are left to operate on the computer. Id. Under those circumstances, Facebook is notified through the datr cookie whenever the user ■loads a page with embedded content from Facebook, and also can easily connect that data back to the user’s individual Face-book profile through the c_user cookie. Id.
For example, if a logged-in Facebook user accesses the news website www.cnn. com through the browser on his or her computer, the CNN server responds with the file for the CNN homepage, which also contains embedded code from Facebook. Id. at ¶¶ 59, 60. The user’s browse!*, triggered by the Facebook code, sends a request to the Facebook server to display certain content on the CNN webpage, such as the Facebook “like” button. Id. at' ¶ 61. This request also includes information contained in the user’s datr and c_user cookies as well as the specific details of the webpage that the user accessed. Id. at ¶ 63. When Facebook receives this information, the Facebook server adds it to its database records for the browser and the user. Id. at ¶ 67. The Facebook.. server then responds by sending the requested content to the user’s browser. Id. at ¶ 70.
C. Facebook Tracks Logged-Out Users
■Aside from tracking logged-in users, Plaintiffs allege that Facebook has 'also intentionally tracked users’ browsing activity after they logged-out of the Facebook website despite contrary representations in the social network’s governing materials. Id. at ¶ 17. Facebook is able to engage, in such tracking though the persistent datr cookie its server embeds after the user accesses www.facebook.coni. Id. at ¶ 73.
Again using the CNN website as an example, if a user logs out of Facebook and then directs his or her computer’s browser to www.enn.com, the CNN server responds in much the same way as if the user was still logged-in to Facebook: by sending to the browser a file with the contents of the CNN website which contains a piece of Facebook code pertaining to' the “like” button. Id. at ¶¶ 72-75. The browser, triggered by the Facebook code, sends a request to the Facebook "server to display the “like” button on the CNN web-page. Id. at ¶ 77. This request also includes any personally identifiable information contained in cookies associated with the browser, such as the datr cookie. Id. at ¶ 78. The Facebook server then creates a database log entry of the request, stores the cookie information it received, and responds by sending the content requested for display on the CNN website. Id. at ¶¶ 78-82.
Plaintiffs allege' the information Face-book receives through tracking logged-out users is specific enough to identify the user without the need for an additional Facebook cookie containing the user’s idеntification. Id. ■ at ¶ 83. Indeed, they
Plaintiffs contend that the personal information Facebook receives from its users, including users’ browsing history, has “massive economic value” and that a market exists for such information. Id, at ¶¶ 112,122-124. They point out that “internet giant” Google, Inc. conducts a panel called • “Google Screenwise Trends,” the purpose of which is “to learn more about how everyday people use the Internet.” Id. at 1Í.118. Through this program, internet users consent to share with Google; the websites they visit and how they use them in exchange for- gift cards, “mostly valued at exactly $5.” Id. at.,1HI 119,121.
Plaintiffs further allege the value of their personal information can be quantified. Id. at ¶ 116. Based on a study published- in 2011, Plaintiffs allege that the contact information users must provide to Facebook when becoming a member is worth $4.20 per year. Id. In addition, demographic information is worth $3.00 per year and web browsing histories are worth $52:00 per year. Id. Aggregated across Facebook’s approximately 800 million users, these values translate into membership “fees” of $3.36 billion, $2.4 billion and $41.6. billion, respectively, for each category of information. Id.
D. Relevant Procedural History
A number of cases challenging Face-book’s tracking practices were filed in and outside this, district. They were eventually transferred to the undersigned. The court consolidated the cases for pretrial consideration and appointed interim class counsel. See Docket Item No. 19. Plaintiffs thereafter filed the CCAC, which is the currently operative pleading. See Docket Item No. 35. This motion followed.
II. LEGAL STANDARD
A. Federal Rule of Civil Procedure . 12(b)(1)
A Rule 12(b)(1) motion challenges subject matter jurisdiction and may be either facial or factual. Wolfe v. Strankman,
Standing is properly challenged through a Rule 12(b)(1) motion. White v. Lee,
B. Federal Rule of Civil Procedure 12(b)(6)
Federal Rule of Civil Procedure 8(a) requires a plaintiff to plead each claim with sufficient specificity to “give the defendant fair notice of what the ... claim is and the grounds upon which it rests.” Bell Atl. Corp. v. Twombly,
When deciding whether to grant a motion to dismiss, the court usually “may not consider any material beyond the pleadings.” Hal Roach Studios, Inc. v. Richard Feiner & Co.,
In addition, the court must generally accept as true all “well-pleaded factual allegations.” Ashcroft v. Iqbal,
III. DISCUSSION
; Plaintiffs assert the following claims in the CCAC: (1) violation of the Federal Wiretap Act, 18 U.S.C. § 25.10 et seq.; (2) violation of the Stored .Communications Act (“SCA”), 18 U.S.C. § 2701 et seq.; .(3) violation of the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030
Under Rule 12(b)(1), Facebook argues that all of these claims fail for lack of standing. Under Rule 12(b)(6), Facebook further argues that the fraud-based claims lack the factual specificity required by Federal Rule of Civil Procedure 9(b), and that Plaintiffs have not stated an actionable claim. These arguments are discussed below.
A. Standing
i. Constitutional Standing
The constitutional standing doctrine “functions to ensure, among other things, that the scarce resources of the federal courts are devoted to those disputes in which the parties have a concrete stake.” Friends of the Earth, Inc. v. Laidlaw Envtl. Servs., Inc.,
Noting the lack of allegations that anyone was willing to pay for their personal information or that its purported conduct lessened the value of that information or affected its marketability, Face-book argues that Plaintiffs have not established a cognizable injury in fact. To satisfy the “injury in fact” element, “the plaintiff must show that he personally has suffered some actual or threatened injury as a result of the putatively illegal conduct of the defendant.” Gladstone Realtors v. Village of Bellwood,
When confronted with data privacy claims similar to the ones brought by Plaintiffs, courts have found insufficient for standing purposes generalized assertions of economic harm based solely on the alleged value of personal information. In LaCourt v. Specific Media, Inc., No. SACV 10-1256-GW(JCGx),
The district court agreed with Specific Media and dismissed the complaint. The court determined that, while it “probably would decline to say that it is categorically impossible for [the plaintiffs] to allege some property interest that was compromised” by Specific Media’s information collection practices, the plaintiffs had not alleged they were actually deprived of the economic value of their browsing histories. Id. at *4,
A similar conclusion was reached in Low v. LinkedIn Corporation, No.11-CV-01468-LHK,
An out-of-circuit case, In re Google Inc. Cookie Placement Consumer Privacy Litigation (“Google Cookie Placement”),
The court finds these decisions instructive mainly because Plaintiffs’ allegations are virtually indistinguishable from those rejected in LaCourt, Low and Google Cookie Placement. Like the plaintiffs in those cases, Plaintiffs allege that the information collected by Facebook’s cookies have economic value and, if the study cited in the CCAC is accurate, that value may be significant when user information is aggregated. The court accepts as true Plaintiffs’ ascription of some degree of intrinsic value to their personal information for this motion. But what Plaintiffs have failed to do is adequately connect this value to a realistic economic harm or loss that is attributable to Facebook’s alleged conduct. In other words, Plaintiffs have not shown, for the purposes of Article III standing, that they personally lost the opportunity to sell their information or that
Unlike other data privacy cases, Plaintiffs have alleged the existence of a limited market for their browsing histories. ’That allegation, however, is still not enough to establish a qualifying injury in fact. That programs may exist to compensate internet users with $5 gift cards in exchange for monitoring their browsing activity is a fact of little assistance to Plaintiffs when they have not also alleged an inability to participate in these programs after Face-book collected their information.
Nor do the allegations of consequential damages incurred by one plaintiff, Davis, provide a persuasive basis to find a sufficiently-pled injury in fact. Other than a conclusóry allegation deeming it so, it is not apparent how charges for an email service which alerts users when Facebook makes changes to its privacy policy or privacy settings are “fairly traceable” to the conduct alleged in the complaint.
As pled, the CCAC only alludes to injury that is conjectural or hypothetical. Since Plaintiffs have not demonstrated that Fa-cebook’s conduct resulted in some concrete and particularized harm, they have not articulated a cognizable basis for standing pursuant to Article III.
ii. Statutory Standing
For their part, Plaintiffs do not directly address Facebook’s constitutional standing argument, choosing instead to focus on statutory standing. Thus, the issue becomes whether any of the statutory claims assérted in the CCAG can satisfy the federal standing requirement.
Although it cannot be supplanted by a statute, an Article III injury can exist solely by virtue of “statutes creating legal rights, the invasion of which creates standing.” Edwards v. First Am. Corp.,
So-called “statutory standing” can be established by pleading a violation of a right conferred by statute so long as the plaintiff alleges “a distinct and palpable injury to himself, even if it is an injury shared by a large class of other possible litigants.” Warth,
Here, Plaintiffs’ arguments in support of statutory standing are uncompelling for several of their claims. First, it is axiomatic that standing permitted by statute does not translate into standing for common law claims. See Davis v. Fed. Election Comm’n,
Second, the court agrees with Facebook that three of Plaintiffs’ statutory claims, those for violation of the UCL, CLRA and the CCCL, require a plausible economic injury for standing. Reid v. Johnson & Johnson,
The three remaining statutory claims are different, however, because economic injury is not a prerequisite for standing under their provisions. See Chapman v. Pier 1 Imps. (U.S.), Inc.,
Here, Plaintiffs allege that Facebook intercepted and tracked their internet activity and acquired this information after they logged out of the Facebook website using the datr cookie embedded on their computers. Plaintiffs also assert this conduct violated the Wiretap Act, SCA and CIPA. Consistent ■ with other district courts to have examined statutory standing to bring similar claims, this court finds Plaintiffs’ allegations sufficient to make out a distinct and palpable injury considering the conduct prohibited by those statutes. In re Faсebook Privacy Litig.,
In sum, Plaintiffs have established statutory standing for claims under the Wiretap Act, SCA and CIPA.-The court is mindful, however, that the issue of standing is distinct from whether or not Plaintiffs have actually stated a plausible claim. In re Facebook Privacy Litig.,
B. Sufficiency of Allegations
The court now turns to whether Plaintiffs have stated a plausible claim under the Wiretap Act, SCA or CIPA.
The Wiretap Act and SCA represent “two chapters” within the Electronic Communications Privacy Act of 1986 (“ECPA”). In re Zynga Privacy Litig.,
Facebook argues the CCAC’s claim under the Wiretap Act is insufficient because Plaintiffs did not plead that Face-book intercepted the “contents” of an electronic communication. Under the Wiretap Act, the “contents” of a communication are defined as “any information concerning the substance, purport, or meaning of that communication.” 18 U.S.C. § 2510(8). The Ninth Circuit has held that as used in the Wiretap Act “the term ‘contents’ refers to the intended message conveyed by the communication, and does not include record information regarding the characteristics of the message that is generated in the course of the communication” such as a name, address, or the identify of a subscriber or customer. In re Zynga Privacy Litig.,
For Plaintiffs’ Wiretap Act claim, Zynga Privacy Litigation poses a significant hurdle. Although Plaintiffs do not specify just what information of thеirs was intercepted by Facebook, Plaintiffs generally allege that, through cookies embedded on a user’s browser, Facebook receives personal information about logged-out users information as well as the identity of the webpages that the users visited. But since they also allege in other portions of the CCAC that causer and datr cookies contain only a Facebook user’s unique identification information and a record of browsing history, they have not alleged that Facebook intercepted anything that qualifies as “content” under the Wiretap Act. In turn, Plaintiffs have not stated a claim under the statute. In fact, since the intercepted information described in the CCAC is so similar to the referer headers addressed in Zynga Privacy Litigation, Plaintiffs may never be able to state an action
The SCA claim is also deficient. As relevant here, “electronic storage” means “any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof.” 18 U.S.C. § 2510(17)(A). The “language and legislative history’' of the definition “make evident” that “electronic storage” does include cookies stored on a user’s computer; “[r]ather it appears that the section is specifically targeted at communications temporarily stored by electronic communications services incident to their transmission — for example, when an email service stores a message until the addressee downloads it.” In re Doubleclick Privacy Litig.,
ii. CIPA
The section of CIPA upon which Plaintiffs base their claim, Penal Code § 631, establishes liability for:
[a]ny person who, by means of any machine,- instrument, or contrivance, or in any other manner, intentionally taps, or makes аny unauthorized . connection, whether physically, electrically, acoustically, inductively, or otherwise, with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephonic communication system, or who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to. learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any .wire, line, or cable, or is being sent from, or received at any place within this state.
Cal. Penal Code § 631(a). ■
Facebook challenges the CIPA claim on multiple grounds, two of which are misplaced. It first contends that this criminal statute should be narrowly construed and should not be applied to electronic communications. Because that argument has been made before and squarely rejected, the court rejects it again here. In re Google Inc. Gmail Litig.,
Second, Facebook argues it cannot be considered an unauthorized participant in the transmission of Plaintiffs’ personal information because the process of tracking them browsing activity involved communication with a Facebook server. This characterization of the allegations is incomplete because Plaintiffs allege they were unaware'that Facebook was surreptitiously tracking them after they logged out of the Facebook website. Thus, while it is true that a Facebook server was involved, there are no allegations in the CCAC which demonstrate that Plaintiffs knew that fact while their browsing activity was being
Eacebook’s third and fourth arguments are well-taken, however. Plaintiffs have not pled facts to show how Facebook used a “machine, instrument, or contrivance” to obtain the ■ contents of communications. While it is undeniable that a computer may qualify as a “machine,” Plaintiffs must complete the scenario by explaining how Facebook’s cookies fall into -one 'of the three categories enumerated -in the statute. To be sure, the cookie is a required piece under Plaintiffs’ theory because the offensive transmission of information between two cоmputers — the user’s computer and the Facebook server — apparently does not occur without it. Thus, if a cookie is truly a “contrivance” as Plaintiffs contend, a word they define as a “device, especially a mechanical one” or “plan or scheme,” Plaintiffs must include facts, in their pleading to show why it is so. In its current form, the CCAC only defines a cookie as a small text file containing á limited amount of information which sits idly on a user’s computer until contacted by a server.
Nor have Plaintiffs adequately alleged that Facebook obtained the contents of a communication attributable to any of them. The section of the CCAC which does purport to provide Plaintiffs’ “specific factual allegations” is anything but specific. In essence, it is just a list of the named plaintiffs coupled with the samе set generalized facts for each one. See CCAC, at ¶¶ 103-106. Such allegations do not suffice to “nudge” their CIPA claim “across the line from conceivable to plausible.” Iqbal,
For these reasons, Plaintiffs have not stated a. CIPA claim.
IV. ORDER
Based qn the foregoing, Facebpok’s Motion to Dismiss (Docket Item No. 44) is GRANTED as follows:
1. The withdrawn claim for violation of the CFAA is DISMISSED WITHOUT LEAVE TO AMEND. .
2. The claims for invasion of privacy, intrusion upon' seclusion, conversion, trespass to chattels, and for violation of the UCL, violation of’the CCCL and violation of the CLRA are DISMISSED WITH LEAVE TO AMEND-for lack of standing.
3. The claims for violation of the Wiretap Act, violation of the SCA and violation of CIPA are DISMISSED WITH LEAVE TO AMEND for failure to state a claim.
Facebook’s request for judicial notice (Docket Item No. 45) is DENIED because this motion was resolved without’ relying on those documents.
Any amended complaint must be filed on or before November 30, 2015.
The court schedules this case for a Case Management Conference at 10:00 a.m. on January 14, 2016. The parties shall file a Joint Case Management Conference Statement on or before January 7, 2016.
IT IS SO ORDERED.
Notes
. According to the CCAC, "P3P” refers to the Platform for Privacy Preferences, which is a standard format for computer-readable privacy policies published by the World Wide Web Consortium in 2002. See CCAC, at ¶ 86. A P3P “compact policy" is a computer-readable encoded version of the portion of a privacy policy relating to cookies. Id.
. Plaintiffs have withdrawn this claim. It will therefore be dismissed without leave to amend.
. Notably, this reasoning is unaffected by Ninth Circuit's 2014 limited standing discussion in In re Facebook, Privacy Litigation,
. In their opposition, Plaintiffs raise several new facts relating to consequential damages and other issues. Those facts have no bearing on whether the CCAC is adequate. See Schneider v. Cal. Dep’t of Corr.,
. In any event, the claims for invasion of privacy and intrusion upon seclusion are also subject to dismissal for failure to state a claim even if Plaintiffs rely on some other form of damage for these claims. To the extent they can be considered separate claims — a concept which is itself questionable — both require "(1) intrusion into a private place, conversation or matter, (2) in a manner highly offensive to a reasonable person.” Shulman v.Group W Prods., Inc.,