MEMORANDUM OPINION
I. INTRODUCTION
On December 19, 2012, four named plaintiffs (“plaintiffs”) filed a consolidated amended complaint (“CAC”) in this multidistrict consolidated litigation against Google Inc. (“Google”), Vibrant Media, Inc. (“Vibrant”), Media Innovation Group LLC (“Media”), and WPP, plc (“WPP”), (collectively “defendants”), as well as PointRoll, Inc.
Pending before the court are three motions to dismiss: Google’s motion to dismiss the consolidated amended complaint (D.I.56); Vibrant’s motion to dismiss for failure to state a claim (D.I.93); and Media and WPP’s motion to dismiss for failure to state a claim (D.I.96). The court has jurisdiction pursuant to 28 U.S.C. § 1331 and 28 U.S.C. § 1332(d), and supplemental jurisdiction over the state law claims under 28 U.S.C. § 1367.
II. BACKGROUND
A. Parties
Google is a Delaware corporation with its headquarters at 1600 Amphitheatre Parkway, Mountain View, CA 94043. Google is a technology leader and also delivers relevant, cost-effective online advertising. (D.I. 46 at ¶¶ 14, 19) Vibrant is a Delaware corporation, headquartered in New York, New York. Vibrant is known for its in-text ads, which pop up in the text of articles on the web. (D.I. 46 at ¶¶ 16, 24) Media is a Delaware limited liability company headquartered in New York, New York. Media provides targeted online advertising. (D.I. 46 at ¶¶ 17, 25) WPP, a public limited company with its main offices in Dublin, Ireland, and London, United Kingdom, owns Media and describes itself as “the world leader in marketing communications services.” (D.I. 46 at ¶¶ 18, 26)
B. Factual Background
Internet “cookies” are used to track an individual’s activities and communications on a particular website and across the internet.
“Every document has a unique ‘URL’ (Universal Resource Locator) that identifies its physical location in the Internet’s infrastructure.” (D.I. 46 at ¶ 10 n.1) When a user requests a website, “the user’s Safari browser starts by sending a GET request to the server which hosts the publisher’s webpage,” to retrieve the data for display on the user’s monitor. (Id. at ¶ 85) Many websites will leave part of their webpage blank for third-party companies to insert advertisements. Upon receiving a GET request from a user seeking to display a particular webpage, the server for that webpage will respond to the browser, instructing the browser to send a GET request to the third-party company charged with serving the advertisements for that particular webpage. The third party receives the GET request and a copy of the user’s request to the first-party website and responds by sending the advertisement to the user’s browser which displays it on the user’s device. (Id. at ¶ 41)
Defendants used coding in advertisements to circumvent Apple’s Safari browser’s default blocker and deceive the IE browser into accepting third-party cookies. (D.I. 46 at ¶¶ 68-190) Google stopped only when caught and began removing the illicit cookies. (Id. at ¶ 119) If users are logged-in to a Google account, Google is then able “to synchronize the ads with the particular user’s personalized information,” allowing for targeted advertising. (Id. at ¶ 89) This information includes the information provided by the user, defined by Google to include “information which you provide to us which personally identifies you, such as your name, email address or billing information, or other data which can be reasonably linked to such information by Google,” as well as address information and browsing history information. (Id. at ¶ 98) One of the third-party cookies set by defendants assigned a unique ID to the user’s computing device which allowed defendants to associate future information received to the unique ID. (Id. at ¶¶ 78, 95, 150, 153-54)
III. ARTICLE III STANDING
Article III standing requires: “(1) an injury-in-fact ...; (2) a causal connection between the injury and the conduct complained of; and (3) that it must be likely, as opposed to merely speculative, that the injury will be redressed by a favorable decision.” Winer Family Trust v. Queen,
Plaintiffs cite to many articles to support their allegations that personally identifiable information (“PII”) has monetary value and is a commodity that companies trade and sell. (D.I. 46 at ¶¶ 49-67) Specifically, “[t]he cash value of users’ personal information can be quantified,” with web browsing histories valued at $52 per year. (Id. at ¶ 56) Plaintiffs also describe a company which calculates the value of a user’s web activity. (Id. at ¶ 66) Google offers users the opportunity to join a panel which allows Google to track the websites the user visits in exchange for gifts, such as gift cards to retailers. (Id. at ¶¶ 57-60) Plaintiffs describe a company in the United Kingdom which offers users a real market for their personal information and a start-up company which “enables people to sell themselves to advertisers directly,” valuing user’s data at $12 per year. (Id. at ¶¶ 63-64)
District courts have been reluctant to equate loss of PII, without more, to injury in fact. For instance, in LaCourt v. Specific Media, Inc., No. 10-1256,
they “are persons who have set the privacy and security controls on their browsers to block third-party cookies and/or who periodically delete third-party cookies,” and that they each had a “Flash cookie” installed on their computer by Specific Media without their notice or consent. Plaintiffs allege that they sought to maintain the secrecy and confidentiality of the information obtained by Defendant through the use of [local shared objects]. They further allege that “Defendant’s conduct has caused economic loss to Plaintiffs and Class Members in that their personal information has discernable value, both to Defendant and to Plaintiffs and Class Members, and of which Defendant has deprived Plaintiffs and Class Members and, in addition, retained and used for its own economic benefit.”
Id. at *2. The district court found that plaintiffs did not “explain how they were ‘deprived’ of the economic value of their personal information simply because their unspecified personal information was purportedly collected by a third party” and, therefore, did not have standing. Id. at *6; see also, Del Vecchio v. Amazon.com Inc., No. 11-366,
In the case at bar, the CAC details that online personal information has value to third-party companies and is a commodity that these companies trade and sell. (D.I. 46 at ¶¶ 49-67) Examining the facts alleged in the light most favorable to plaintiffs, the court concludes that, while plaintiffs have offered some evidence that the online personal information at issue
For the above reasons, the court concludes that plaintiffs have not alleged injury-in-fact sufficient to confer Article III standing. However, because a statutory violation, in the absence of any actual injury, may in some circumstances create standing under Article III, the court will address whether plaintiffs have pled sufficient facts to establish a plausible invasion of the rights created by the various statutes asserted. Alston v. Countrywide Financial Corp.,
IV. MOTION TO DISMISS
A. Standard of Review
A motion filed under Federal Rule of Civil Procedure 12(b)(6) tests the sufficiency of a complaint’s factual allegations. Bell Atl. Corp. v. Twombly,
The court’s determination is not whether the non-moving party “will ultimately prevail” but whether that party is “entitled to offer evidence to support the claims.” United States ex rel. Wilkins v. United Health Grp., Inc.,
B. The Electronic Communications Privacy Act
The Electronic Communications Privacy Act (“the Wiretap Act”) protects “any person whose wire, oral, or electronic communication is intercepted, disclosed, or intentionally used in violation of this chapter....” 18 U.S.C. 2520(a). It imposes liability on a person who “intentionally intercepts” and discloses the “contents” of an “electronic communication,” 18 U.S.C. § 2511(1)(a), (c); § 2510(4), unless “such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception....” 18 U.S.C. § 2511(2)(d). “ ‘[C]ontents,’ when used with respect to any wire, oral, or electronic communication, includes any information concerning the substance, purport, or meaning of that communication.” 18 U.S.C. § 2510(8). “Contents” is information the user intended to communicate, such as the spoken words of a telephone call. United States v. Reed,
Based on plaintiffs’ factual allegations, plaintiffs’ browsers voluntarily sent to Google the information inputted by plaintiffs, regardless of whether plaintiffs’ browsers had any Google cookies set. Because of this, Google is plausibly a party to the communications. However, as defendants bypassed the browser settings to place cookies that would allow them to later associate plaintiffs’ data, the court declines to characterize defendants as within the statutory “party” exception. Moreover, viewing the facts in the light most favorable to plaintiffs, plaintiffs’ browsers sent different information in response to targeted advertising than would have been sent without the setting of third-party cookies. For this reason also, Google is not appropriately deemed a party to the communications.
Plaintiffs argue that defendants intercepted both transactional information and “contents,” such as the URLs and “information that Class Members exchanged with first-party websites during the course of filling out forms or conducting searches.” (D.I. 81 at 17) Most of this information cannot be characterized as “contents.” Specifically, “personally identifiable information that is automatically generated by the communication” is not “contents” for the purposes of the Wiretap Act. See, e.g., In re iPhone Application Litig.,
With respect to URLs, it is important to note that plaintiffs’ browsers would send a URL regardless of whether a third party cookie was set. To date, no courts have characterized URLs as “contents” for the purposes of the Wiretap Act.
C. The California Invasion of Privacy Act
To prevail on their claim under the California Invasion of Privacy Act, Penal Code § 630, et seq. (the “CIPA”), plaintiffs would have to demonstrate that Google “willfully and without the consent of all parties to the communication, or in any unauthorized manner,” intercepted, used, or disclosed the “contents or meaning” of a “communication” that is “in transit.” Cal. Pen. Code § 631(a); CAC ¶ 266.
As with the Wiretap Act claim above, the court concludes that Google would have received the inputted information, including the URL, regardless of the
C. The Stored Communications Act
The Stored Communications Act (“SCA”), 18 U.S.C. § 2701 et seq., renders liable whoever “(1) intentionally accesses without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeds an authorization to access that facility; and thereby obtains, alters or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system....” 18 U.S.C. § 2701(a). The general prohibitions under § 2701(a) do not apply “to conduct authorized (1) by the person or entity providing a wire or electronic communications service; [or] (2) by a user of that service with respect to a communication of or intended for that user.” 18 U.S.C. § 2701(c).
In enacting the SCA, Congress was concerned that the Fourth Amendment may not protect against searches and seizures of copies of electronic communications stored by third parties. See S.Rep. No. 99-541 (1986), reprinted in 1986 U.S.C.C.A.N. 3555, 3557,
Certainly the technological landscape today is much different than it was in 1986, when the SCA was enacted. Along with the changes in technology have come different privacy concerns, as illustrated by the instant litigation. The question framed by the pending motion is whether the language of the SCA can be interpreted broadly enough, consistent with the rules of statutory interpretation, to accommodate the evolving technology.
Statutory interpretation begins with the plain language of the statute. See Jimenez v. Quarterman,
Of the courts that have found it appropriate to apply the language of the SCA in a contemporary context, the analysis of the
Congress chose a broad term — facility — where it intended the statute to cover a particular function, such as internet access, as opposed to a particular piece of equipment providing that access, such as a router, laptop or smart phone. As technology evolves, identifying a smart phone as a facility through which an [electronic communication service or] ECS is provided is not as “strained” as it once may have seemed.... While earlier stages of technological development may have required large facilities for data storage, the draw of mobile devices is that their smaller storage space enables communication and information access regardless of the user’s location.
Id. at 10-11. In concluding that “a mobile device can be a facility for the purposes of the SCA” (id.), the court further reasoned that “[a] chief purpose of smart phones is to ‘promote the ease’ of actions such as navigating from place to place, sharing information with others, and capturing images,” all consistent with the dictionary definition of “facility,” that is, “ ‘something that promotes the ease of any action, operation, transaction or course of conduct.’ ” Id.
The problem with embracing this expanded notion of the term “facility,” however, is that it confounds the distinction between “users” and “providers” which, in turn, realigns the targeted conduct and makes the statutory exceptions found in § 2701(c) nonsensical. With respect to the legislative history of the SCA as related above, there can be no dispute that the individual owners of personal computers were the “users” contemplated under the statute and that the “providers” of the “electronic communication services” were contemplated to be third parties. As explained by the court in iPhone II, if now the “facility” is an individual’s own personal computer that “provides” the electronic communication service, then
the web site is a “user” of the communication service provided by the individual’s computer, and consequently any communication between the individual computer and the web site is a communication “of or intended for” that web site, triggering the § 2701(c)(2) exception for authorized access. Likewise here, if plaintiffs’ iPhones were the facilities, then any app downloaded by a plaintiff would be a “user” of that service for whom the iPhone’s communications are intended; any communication between the iPhone and the app would be of or intended for that app; and the app developers would then be free under § 2701(c)(2) to authorize the disclosure of such communication to the Mobile Industry Defendants.
Despite the temptation, the court declines to try to fit a square peg (modern technology) into the proverbial round hole (the intent of Congress as reflected in the statutory language of the SCA). An individual’s personal computing device is not “a facility through which an electronic communication service is provided,” as required under the SCA.
Nevertheless, for purposes of completing this analysis, the court addresses whether plaintiffs have sufficiently
The court understands that there is a difference between storage of electronic communications in browser-managed files stored on a computer’s hard drive, and storage of electronic communications in the random access memory (“RAM”) of a computer, with only the latter arguably satisfying the statutory requirement for “temporary, intermediate storage.” There seems to be a consensus that “[t]he cookies’ long-term residence on plaintiffs’ hard drives places them outside of § 2510(17)’s definition of ‘electronic storage’ and, hence, [the SCA’s] protection.” In re DoubleClick, Inc. Privacy Litig.,
In conclusion, although plaintiffs have satisfied their pleading requirement as to “electronic storage,”
E. The Computer Fraud and Abuse Act
The Computer Fraud and Abuse Act (CFAA) is primarily a criminal statute, intended to protect against traditional computer hacking. P.C. Yonkers, Inc. v. Celebrations the Party and Seasonal Superstore, LLC,
Plaintiffs have not alleged the kind of damage or loss required to maintain a CFAA claim. More specifically, plaintiffs have not identified any impairment of the performance or functioning of their computers.
D. The California Computer Crime Law
The California Computer Crime Law (“CCL”) prohibits “tampering, interference, damage, and unauthorized access to lawfully created computer data and computer systems.” Cal. Pen. Code § 502(a). Only someone “who suffers damage or loss by reason of a violation” may bring a civil action under the law. Id. § 502(e). Each subsection of the CCL asserted by plaintiffs, with the exception of § 502(c)(8), requires a showing that Google acted “without permission.” Id. § 502(c)(1, 2, 6, 7). Courts have interpreted acting “without permission” under § 502 as “accessing or using a computer, computer network, or website in a manner that overcomes technical or code-based barriers.” Facebook, Inc. v. Power Ventures, Inc., No. C0805780,
As discussed in the analysis of Article III standing, plaintiffs have not sufficiently alleged damage or loss. Further, plaintiffs fail to sufficiently meet the “without permission” element of § 502. In this regard, plaintiffs allege that Safari’s default settings provide an exception to the third-party cookie blocking for situations where a user submits a form to the third-party’s website servers. Google exploited this exception by adding coding to ads, such that Safari believed the exception to be satisfied and that the user had submitted a form to Google. In doing so, Google exploited a standard Safari browser function. Although Google’s actions may be objectionable, Google did not access plaintiffs’ browsers by “overcom[ing] technical or code-based barriers.” Nor did Google introduce a “contaminant” to “usurp the normal operation” of plaintiffs’ browsers. The method of Google’s exploitation of a normal function of plaintiffs’ browsers is not in dispute and does not meet the requirements of the statute; therefore, Google’s motion to dismiss this count is granted.
E. The California Constitution
An invasion of privacy in violation of the California Constitution requires plaintiffs to show “(1) a legally protected privacy interest; (2) a reasonable expectation of privacy in the circumstances; and (3) conduct by defendant constituting a serious invasion of privacy.” Hill v. Nat’l Collegiate Athletic Ass’n,
Even if plaintiffs could succeed in meeting the first two elements, the third element proves fatal to their claim. The transfer of inputted information
F. The California Unfair Competition Law
The California Unfair Competition Law (“UCL”) protects against business practices that are “unlawful, unfair or fraudulent.” Cal. Bus. & Prof. Code § 17200. A private plaintiff needs to have “suffered injury in fact and ... lost money or property as a result of the unfair competition.” Id. § 17204; Kwikset Corp. v. Superior Court,
As discussed above, plaintiffs have not articulated an injury in fact sufficient for Article III standing. Similarly, plaintiffs have not shown a loss of money or property from Google’s actions sufficient to confer standing under the UCL. See e.g., Facebook,
G. The California Consumers Legal Remedies Act
The California Consumer Legal Remedies Act (“CLRA”) prohibits “unfair methods of competition and unfair or deceptive acts or practices” in connection with the sale or lease of goods and services. Cal. Civ. Code § 1770. An action may be brought under the CLRA pursuant to § 1780(a), which provides that “[any] consumer who suffers any damage as a result of the use or employment by any person of a method, act, or practice declared to be unlawful by Section 1770 may bring an action against such person.” Id. § 1780(a). “Services” within the context of the CLRA are defined as “work, labor, and services other than a commercial or business use, including services furnished in connection with the sale or repair of goods.” Id. § 1761(b). “Goods” are defined as “tangible chattels.” Id. § 1761(a). The CLRA does not apply to the sale or license of software, because software is neither a “good” nor a “service” covered by the CLRA. See Ferrington v. McAfee,
Plaintiffs’ argument that Google’s advertising is a “service” and not software is unavailing, as plaintiffs’ use of software browsers and the subsequent software activity is the conduct alleged to be “unfair.” The California case law is clear that software and software activity are not covered by the CLRA. See, e.g., In re Sony Gaming Networks & Customer Data Sec. Breach Litig.,
V. CONCLUSION
For the above reasons, defendants’ motions to dismiss are granted. Google’s request for judicial notice (D.I.58) is denied as moot as the court did not rely on the referenced documents.
ORDER
At Wilmington this 9th day of October, 2013, consistent with the memorandum opinion issued this same date;
IT IS ORDERED that Google’s motion to dismiss the consolidated amended complaint (D.I.56), Vibrant’s motion to dismiss for failure to state a claim (D.I.93), and Media and WPP’s motion to dismiss for failure to state a claim (D.I.96), are granted.
Notes
. The Judicial Panel on Multidistrict Litigation has centralized these actions in this district for consolidated pretrial proceedings pursuant to 28 U.S.C. § 1407. (D.I.1) There are 25 individual cases. Unless otherwise noted, all citations are made to the record of Civ. No. 12-2358.
. All facts are taken from the CAC.
. As identified by plaintiffs, a copy of the user's request to the first-party website (D.I. 46 at ¶ 41). If users are logged-in to a Google account, this information may also be matched up to information provided by the user, defined by Google to include "information which you provide to us which personally identifies you, such as your name, email address or billing information, or other data which can be reasonably linked to such information by Google,” as well as address information and browsing history information. (Id. at ¶¶ 89, 98)
. Count I, against all defendants.
. In the context of a Fourth Amendment analysis and in dicta, the United States Court of Appeals for the Ninth Circuit did note its concern over unauthorized access to URLs:
"[s]urveillance techniques that enable the government to determine not only the IP addresses that a person accesses but also the [URL] of the pages visited might be more constitutionally problematic. A URL, unlike an IP address, identifies the particular document within a website that a person views and thus reveals much more information about the person’s Internet activity. For instance, a surveillance technique that captures IP addresses would show only that a person visited the New York Times’ website at http://www.nytimes.com, whereas a technique that captures URLs would also divulge the particular articles the person viewed.”
U.S. v. Forrester,
. Count VIII, against Google.
. Count II, against all defendants.
. The issue of whether the third-party cookies were accessed in a computer’s RAM or in its hard drive would be an issue of fact to be vetted through discovery.
. Count III, against all defendants.
. Plaintiffs’ undeveloped argument — "Google’s impairing the integrity of [p]laintiffs’ browser 'system' through illicit cookies and of [p]laintiffs’ 'data' or 'information' through unpermitted capture and use underscores [p]laintiffs’ statutory 'damage'" — is not supported by the facts alleged in the CAC and does not identify the kind of loss or damage defined by the CFAA. (D.I. 81 at 24)
. The court does not view "Google’s intentional circumvention of Safari and IE [as] each a 'single act’ permitting aggregation of damages,” as suggested by plaintiffs. Instead, the facts alleged in the CAC suggest multiple acts by multiple defendants. The acts occurred at different times and to different plaintiffs. As such, plaintiffs cannot aggregate their alleged damages. In re iPhone Application Litig., No. 11-02250,
. Count VII, against Google.
. The term "computer contaminant” is defined as follows:
... any set of computer instructions that are designed to modify, damage, destroy, record, or transmit information within a computer, computer system, or computer network without the intent or permission of the owner of the information. They include, but are not limited to, a group of computer instructions commonly called viruses or worms, that are self-replicating or self-propagating and are designed to contaminate other computer programs or computer data, consume computer resources, modify, destroy, record, or transmit data, or in some other fashion usurp the normal operation of the computer, computer system, or computer network.
Cal. Pen. Code § 502(b)(10).
. Counts IV and V, against Google.
. E.g., a copy of the user’s request to the first-party website (D.I. 46 at ¶ 41). If users are logged-in to a Google account, this information may also be matched up to the information provided by the user, defined by Google to include "information which you provide to us which personally identifies you, such as your name, email address or billing information, or other data which can be reasonably linked to such information by Google,” as well as address information and browsing history information. (Id. at ¶¶ 89, 98)
. Count VI, against Google.
. Count IX, against Google.
