Plaintiffs allege that Defendant Face-book, Inc. violated their privacy by tracking their browsing activity on third-party websites. This Court previously granted Facebook’s motion to dismiss, with leave to amend, for lack of standing and failure to state a claim. Plaintiffs filed an amended complaint, and Facebook now moves to dismiss. Facebook’s motion will be GRANTED.
I. BACKGROUND
Facebook operates a social networking website.
Plaintiffs allege that Facebook uses “likе” buttons to track Plaintiffs’ web browsing activity. Id. ¶¶ 3-5. Because URLs are transmitted to Facebook each time a user visits a page that contains a “like” button, Plaintiffs allege that Face-book violated various privacy laws by collecting detailed records of Plaintiffs’ private web browsing history. Id. Plaintiffs allege that Facebook’s cookies enable it to uniquely identify users and correlate their identities with their browsing activity, even when users are logged out of Face-book. Id. ¶¶ 48-49. As discussed below, Plaintiffs also allege that Facebook circumvented certain privacy settings of the
Plaintiffs’ initial class-action complaint alleged various statutory and common-law privacy violations. Dkt. No. 35. Facebook moved to dismiss. Dkt. No. 44. This Court granted Facebook’s motion to dismiss, with leave to amend, on the grounds that Plaintiffs failed to establish Article III standing with respect to some of their claims, and that Plaintiffs failed to state a claim with respect to the rest. Order Granting Def.’s Mot. to Dismiss (“MTD Order”), Dkt. No. 87. Plaintiffs filed an amended complaint alleging violations of the federal Wiretap Act, 18 U.S.C. §§ 2510 et seq. (SAC ¶¶ 179-92); violations of the federal Stored Communiсations Act (“SCA”), 18 U.S.C. §§ 2701 et seq. (SAC ¶¶ 193-208); violations of the California Invasion of Privacy Act (“CIPA”), Cal. Crim. Code §§ 631, 632 (SAC ¶¶ 209-19); invasion of privacy under the California Constitution (SAC ¶¶ 220-31); ' intrusion' upon seclusion (SAC ¶¶ 232-41); breach of contract (SAC ¶¶ 242-52); breach of the duty of good faith and fair dealing (SAC ¶¶ 253-61); fraud, Cal. Civ. Code §§ 1572, 1573 (SAC ¶¶ 262-69); trespass to chattels (SAC ¶¶ 270-73); violations of the California Comprehensive Computer Data Access and Fraud Act (“CDAFA”), Cal. Penal Code § 502 (SAC ¶¶ 274-85); and larceny, Cal. Penal Code §§ 484, 496 (SAC ¶¶286-95).
II. LEGAL STANDARD
A. Rule 12(b)(1)
Dismissal under Fed. R. Civ. P. 12(b)(1) is appropriate if the complaint fails to allege facts sufficient to establish subject-matter jurisdiction. Savage v. Glendale Union High Sch.,
B. Rule 12(b)(6)
A motion to dismiss, under Fed. R. Civ. P. 12(b)(6) tests the legal sufficiency of claims alleged in the complaint. Parks Sch. of Bus., Inc. v. Symington,
III. DISCUSSION
A. Standing
To establish Article III standing, a plaintiff must have “(1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is. likely to be redressed by a favorable judicial decision.” Spokeo, Inc. v.
The plaintiffs injury must be “particularized” and “concrete.” Id. at 1548, To be particularized, it “must affect the plaintiff in a personal 'and individual way,” Id. To be concrete, it must be real, not abstract. Id. at 1548-49, A concrete injury can be tangible or intangible. Id. A plaintiff cannot “allege a bare procedural violation, divorced from any concrete harm, and satisfy the injury-in-fact requirements of Article III.” Id at 1549. A plaintiff does not “automatically satisffy] the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to suе tó vindicate that right.” Id However, a statutory violation can confer standing when the “alleged intangible harm has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts.” Id. “In determining whether an intangible harm constitutes injury in fact, both history and the judgment of Congress play important roles.”- Id- If a plaintiff lacks Article III standing to - pursue a claim, then the claim must be dismissed, for lack of subject-matter jurisdiction. Steel Co. v. Citizens for a Better Env’t,
i. Wiretap Act, SCA, and CIPA
This Court previously found that Plaintiffs had ' established standing ' for their Wiretap Act, SCA, and CIPA сlaims. MTD Order 13-15, Economic injury is not required to establish standing under any of those three statutes. See In re Google Inc. Gmail Litig., No. 13-md-02430-LHK,
Plaintiffs allege that Facebook “intercepts” and “tracks” their internet communications, in violation of all three statutes. SAC ¶¶ 179-219, These allegations are sufficient to confer standing for Plaintiffs’ Wiretap Act, SCA, and CIPA claims,
ii. Trespass to Chattels, CDAFA, Fraud, and Larceny
This Court previously found that Plaintiffs did not establish standing for their clаims for trespass to chattels and violations of the CDAFA. MTD Order 8-1Í. Unlike.the statutory claims discussed above, claims for trespass to chattels and CDAFA violations require a showing of economic harm or loss. To prevail on a claim for trespass to chattels based on access to a computer, system, a plaintiff must establish that (1) .the defendant intentionally and without authorization interfered with the plaintiffs possessory interest in the computer system and (2) the defendant’s unauthorized used proximately caused damage to the. plaintiff. eBay, Inc. v. Bidder’s Edge, Inс.,
In their SAC, Plaintiffs have added claims for fraud (Cal. Civ. - Code § 1672), constructive fraud (Cal. Civ. Code § 1673); and larceny (Cal- Penal Code §§ 484, 496). SAC ¶¶ 262-69, 286-95. As with claims for trespass to chattels and violations of the CDAFA, Plaintiffs’ fraud claims require a showing of actual damage. See Rodriguez v. JP Morgan Chase & Co.,
This Court previously found that Plaintiffs have not established a “realistic economic harm or loss that is attributable to Facebook’s alleged conduct.” MTD Order 10. Although Plaintiffs’ personal web browsing, information might have “some degree of intrinsic value,” this Court held that Plaintiffs failed to show, “for the purposes' of Article III standing, that they personally lost the opportunity to sell their information or that the value of their information was somehow diminished after it was collected by Facebook.” Id. The SAC contains no new facts that establish economic harm or loss'. 'Nor does the SAC establish that Facebook intended to permanently deprive Plaintiffs of property of any sort. As such, Plaintiffs lack Article III standing to pursue their claims for, trespass to chattels, violations of the CDAFA, fraud, and larceny. These claims must be dismissed under Fed. R. Civ. P. 12(b)(1) for lack of subject-matter jurisdiction;
iii. Invasion of Privacy and Intrusion upon Seclusion
Plaintiffs allege that Facebook committed privacy toft violations by collecting URLs of pages that Plaintiffs visited and by using persistent cookies to associatе Plaintiffs’ identities with their web browsing histories. SAC ¶¶ 68-78. Unlike the claims discussed in the previous section, a plaintiff need not show actual loss to establish standing for common-law claims of invasion of privacy and intrusion upon seclusion. See, e.g., Van Patten v. Vertical Fitness Grp., LLC,
iv. Breach of Contract and Breach of the Duty of Good Faith and Fair Dealing
In the SAC, Plaintiffs add claims for breach of contract and breach of the duty of good faith and fair dealing. Actual damages are not requirеd to establish standing for contractual claims. In re Facebook Privacy Litig.,
B. Sufficiency of Allegations
i. Wiretap Act and CIPA
A claim under the Wiretap Act requires a showing that the defendant “(1) intentionally (2) intercepted, endeavored to intercept or procured another person to intercept or endeavor to intercept (3) the contents of (4) an electronic communication, (5) using a device.” Google Cookie Placement,
Facebook contends that it did not “intercept” Plaintiffs’ communications within the meaning of the Wiretap Act. The Court agrees. The Wiretap Act provides that, with some exceptions, “[i]t shall not be unlawful ... for a person not acting under color of law to intercept a wire, oral, or electronic communication where such person is a party to the communication.” 18 U.S.C. § 2511(2)(d) • (emphasis added). Plaintiffs argue that Facebook’s acquisition of URL data constitutes an “interception” of Plaintiffs’ communications with websites they visit. Pis.’ Opp’n to Def.’s Mot. to Dismiss 13-14, Dkt. No. 104-3. But Plaintiffs’ argument misstates the means by which Facebook receives that data. As Facebook points out, two separate communications occur when someone visits a page where a Facebook “like” button is embedded. MTD 12-13. First, the user’s browsеr sends a GET request to the server where the page is hosted. Second,- as the page loads, the code snippet for the Facebook button triggers a second, independent GET request to Facebook’s servers. That second request contains the URL of the page where the “like” button is embedded, as well as the contents of cookies that Facebook has previously set on that user’s computer. The parties to the first transaction are the web user (e.g., one of the Plaintiffs) and the server where the page is located (e.g., the server that handles requests . for http://www.cnn.com/). The parties to the second transaction are that same web user and a Facebook server— but not cnn.com. As to the second transaction, Facebook has not “intercepted” the communication within the meaning of the Wiretap Act because it is “a party to the communication” under 18 U.S.C. § 2511(2)(d). Facebook is not a party to the first communication (between the user and cnn.com), and it does not intercept any data that those parties exchange. The fact that a user’s web browser automatically sends the same information to both parties does not establish that one party intercepted the user’s communication with the other. As such, the Court finds that Plaintiffs have failed to , state a claim under the Wiretap Act.
Plaintiffs’-.CIPA claims (under Cal. Crim. Code §§ 631 and 632) fail for the
ii. SCA
' To state a claim under the SCA, a plaintiff must show that the defendant “(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility.” 18 U.S.C. § 2701(a). The SCA defines “electronic storage” as “(A) any temporary, ’ intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (B) any storage of such communication by an electronic communication service for the purpose of backup protection of such communication.” 18 U.S.C. § 2510(17)(A), (B).
In their initial complaint, Plaintiffs argued that Facebook’s persistent cookies were in “electronic storage” beсause they permanently resided in Plaintiffs’ web browsers. MTD Order 16-17. This Court rejected Plaintiffs’ argument because Facebook’s cookies were not in “temporary, intermediate storage.” MTD Order 16-17.
In their SAC, Plaintiffs now allege that URLs are in “electronic storage” because they reside “in the toolbar” and “in [the] browsing history” of Plaintiffs’ web browsers. SAC ¶¶ 206-07. Plaintiffs’ new allegations fare no better. The SCA “is specifically targeted at communications temporarily stored by electronic services incident to their transmission.” In re Doubleclick Inc. Privacy Litig.,
Plaintiffs’ claim alsо fail because personal computers are not “facilities” under the SCA. See id. (“an individual’s personal computing device is not a ‘facility’ through which an electronic -communications service is provided.... a home computer of an- end user is not protected by the [SCA] ” (quoting Garcia v. City of Lar
Plaintiffs’ SCA claim must be dismissed.
iii. Invasion of Privacy and Intrusion upon Seclusion
To state a claim for intrusion upon seclusion, a plaintiff must show (1) that the defendant intentionally intruded into a place, conversation, or matter as to which the plaintiff had a reasonable expectation of privacy and (2) that the intrusion was “highly offensive” to a reasonable person. Hernandez v. Hillsdale,
Here, Plaintiffs have not established that they have a reasonable expectation of .privacy in the URLs, of the pages they visit. Plaintiffs could have taken steps to keep their browsing histories private. For instance, as Facebook explained in- its privacy policy, “[y]ou can. remove or block cookies using the settings in your browser.” MTD 6. Similarly, users can “take simple steps to block data transmissions from their browsers to third parties,” such as “using their browsers in ‘incognito’ mode” or “installing] plugin browser enhancements.” In re Hulu Privacy Litig., No. C 11-03764 LB,
Plaintiffs raise specific allegations with respect to a subclass of people who used the Internet Explorer web browser (the “IE Subclass”), Under a protocol called the Platform for Privacy Preferences Project (or “P3P”), a website can publish a policy containing a machine-readable version of the website’s privacy policy. SAC ¶¶ 86-88, Plaintiffs allege that, by default, Internet Explorer blocked cookies from websites that did not publish P3P policies, or from sites with poliсies that conflict with a user’s browser privacy settings, Id. ¶ 91. However, Internet Explorer allowed cookies from websites that published policies that did not conform to the syntax of the P3P protocol. Id. ¶ 94. During the class period, Plaintiffs allege that Facebook’s P3P policy contained “the tokens DSP and LAW, indicating that the Facebook privacy policy references a law that may determine remedies for breaches of their privacy policy and that there are ways to resolve privacy-related disputes.” Id. ¶95. Plaintiffs allege that this pоlicy did not accurately reflect Facebook’s cookie policies. Facebook later changed its P3P policy to a string that stated: “Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p.” Id. ¶¶ 97-100. This second policy does not conform to the P3P syntax. As a result, Internet Explorer .allowed Facebook to set cookies on users’ computers.
Plaintiffs allege that Facebook adopted an “affirmatively false” P3P policy in order to trick Internet Explorer into allowing Facebook’s cookiеs to be stored on users’ browsers. Id. ¶¶ 93-98. Facebook responds that it “did not circumvent technical barriers,” and in any event, Plaintiffs- have not alleged that any Plaintiff actually used the versions of Internet Explorer that implemented P3P. MTD 27 n.15.
Plaintiffs’ argument would compel Face-book to adopt the P3P protocol and publish a policy with specific contents. But adoption of P3P is voluntary: Facebook can choose to publish a machine-readable version of its privacy policy, but it has no legal duty to do so. Similarly, browser manufacturers can choose to support the P3P protocol, but they have no power to require websites to publish P3P policies, or to dictate' the contents of those policies. In this respect, ¡the facts are different from the scenario underlying the Third Circuit’s decision in Google Cookie Placement. There, the Plaintiffs alleged that Google deliberately circumvented cookie-blocking settings in users’ browsers, while claiming that it respected users’ decisions to “[set] your browser to refuse alb cookies.”
iv. Breach of Contract and Breach of the Duty of Good Faith and Fair Dealing
Plaintiffs allege that Facebook “breached its. contract with, Plaintiffs and each of the Class members by tracking
Other than general references' to “help pages” and a “social plug-in discussion,” Plaintiffs fail to explain where or when these statements appeared. Plaintiffs also fail to explain how these statements were incorporated into the binding SRR, other than by reference in the complaint to a “layered approach” through which Face-book made its policies easier to understand by “summarizing our practices оn the front page and then allowing people to click through the Policy for more details.” Id. ¶ 22. Plaintiffs do not, for instance, identify a trail of links leading from the SRR to the statements it identifies.
“In an action for breach of a written contract, a plaintiff must allege the specific provisions in the contract creating the obligation the defendant is said to have breached.” Woods v. Google Inc., No. 05:11-cv-1263-JF,
Plaintiffs’ claim for breach of the duty of good faith and fair dealing also fails. “[T]he implied covenant of good faith and fair dealing ‘cannot impose substantive duties or limits on the contracting parties beyond those incorporated in the specific terms of their agreement.’” Rosenfeld v. JPMorgan Chase Bank, N.A.,
IV. CONCLUSION
The Court orders as follows:
1. Facebook’s motion to dismiss Plaintiffs’ claims for trespass to chattels (SAC ¶¶ 270-73), violations of the CDAFA (SAC ¶¶ 274-85), fraud (SAC ¶¶ 262-69), and larceny (SAC ¶¶ 286-95) is GRANTED without leave to amend for lack of standing under Fed. R. Civ. P. 12(b)(1).
2.- Facebook’s motion to dismiss Plaintiffs’ claims for violations of the Wiretap Act (SAC ¶¶ 179-92), violations of the SCA (SAC ¶¶ 193-208), violations of the CIPA (SAC ¶¶ 209-19), invasion of privacy (SAC ¶¶ 220-31), and intrusion upon seclusion (SAC ¶¶ 232-41) is GRANTED without leave to amend for failure to state a claim under Fed. R. Civ. P. 12(b)(6).
3. Facebook’s motion to dismiss Plaintiffs’ claims for breach of contract (SAC ¶¶ 242-52) and breach of the duty of good faith and fair dealing (SAC ¶¶ 253-61) is GRANTED with leave to amend.
4. Facebook’s motion for a protective order temporarily staying further discovery (Dkt. No. 108) is DENIED.
5. Plaintiffs’ motion to compel discovery (Dkt. No. 110) is TERMINATED and
IT IS SO ORDERED.
. Plaintiffs dropped their claims for conversion and violations' of the Computer Fraud and Abuse Act, the California Unfair Competition Law, and the California Consumer Legal Remedies Act. Plaintiffs added claims for fraud, larcény, breach of contract, arid breach of the duty of good fáith and fair dealing.