ORDER GRANTING IN PART AND DENYING IN PART DEFENDANTS’ MOTIONS TO DISMISS
A putative nationwide class of plaintiffs bring suit against Apple, Inc., Admob, Inc., Flurry, Inc., AdMarval, Inc., Google, Inc., and Medialets, Inc., (aside from Apple, collectively “Mobile Industry Defendants”
I. BACKGROUND
A. Factual Background
Unless otherwise noted, the following allegations are taken from the Amended Consolidated Complaint and are presumed to be true for purposes of ruling upon Defendants’ motions to dismiss. Generally speaking, Plaintiffs’ Amended Consolidated Complaint asserts claims with respect to two separate putative classes of individuals and challenges two separate aspects of the iDevices used by Plaintiffs.
The iDevice Class
iDevices enable users to download apps via Apple’s “App Store” application and website. First Amended Consolidated Complaint (“AC”) ¶ 86. Apple exercises significant control over the apps that are available in its store. Id. ¶¶ 123-126. Apple’s App Store has set Apple products apart from Apple’s competitors: “[i]n the post 3G 2.0 iOS era, the success of Apple’s iPhones sales [sic] is inextricably linked to consumers’ access to its App Store.” Id. ¶ 86. Apple represents to users of the App Store that it “takes precautions—including administrative, technical, and physical measures—to safeguard your personal information against theft, loss, and misuse, as well as against unauthorized access, disclosure, alteration, and destruction.” Id. ¶ 78.
Although the apps at issue in this litigation are provided for free, Plaintiffs contend that they in fact pay a price for the use of the “free” apps because these Apple-approved apps allow their personal data to be collected from their iDevices. AC ¶¶ 1; 160. Plaintiffs allege that Apple designs its mobile devices to allow personal information to be disclosed to the Mobile Industry Defendants. Id. ¶¶ 159-60. “When users download and install the Apps on their iDevices the [Mobile Industry Defendants’] software accesses person
Plaintiffs allege that, in light of Apple’s public statements about protecting user privacy, Plaintiffs did not expect or consent to the Mobile Industry Defendants’ tracking and collecting their app use or otherwise personal information. Id. ¶¶ 173-74. Moreover, Plaintiffs allege that they consider the information about their mobile communications to be personal and confidential. Id. ¶ 177.
Plaintiffs assert that these practices have led to several concrete harms to the “iDevice Class,” defined as “[a]ll persons residing in the United States who have purchased iPhones and downloaded free Apps from the App Store on a mobile device that runs Apple’s iOS, from December 1, 2008 to the date of the filing of this Complaint.” AC ¶ 203. For one, the Mobile Industry Defendants’ actions have consumed finite resources in the form of bandwidth and storage space on their iDevices. Id. ¶ 198. For example, downloading the Weather Channel App “caused a compressed .zip file of approximately two megabytes in size to be downloaded to each of Plaintiffs’ iDevices and for purposes unrelated to those expected in the Weather Channel App.” Id. Additionally, the transmission of personal information to the Mobile Industry Defendants was done without encryption, thus “exposing each Plaintiff to unreasonable risks of the interception of their personal information.” Id. ¶¶ 66-67. Finally, Plaintiffs allege that as a result of Apple’s failure to disclose its practices with respect to the allegedly “free apps,” Plaintiffs overpaid for their iDevices. In other words “[h]ad Apple disclosed the true cost of the purportedly free Apps ... the value of the iPhones would have been materially less than what Plaintiffs paid.” Id. ¶ 29.
The Geolocation Class
Additionally, Plaintiffs Gupta and Rodimer represent the “Geolocation Class,” a putative class of iDevice purchasers who “have unwittingly, and without notice or consent transmitted location data to Apple’s servers.” Id. ¶ 204. Apple designed its iOS 4 software to retrieve and transmit geolocation information located on its customers’ iPhones to Apple’s servers. Id. ¶ 30. Plaintiffs allege that in June 2010, with the release of its iOS 4 operating system, Apple began intentionally collecting Plaintiffs’ precise geographic location and storing that information on the iDevice in order to develop an expansive database of information about the geographic location of cellular towers and wireless networks throughout the United States. Id. ¶¶ 115, 137. The geographic location information was accumulated from either Wi-fi towers or cell phone towers, and in some cases from the GPS data on Plaintiffs’ devices. Id. ¶ 115. Apple represented that users could prevent Apple from collecting geolocation data about them by switching the Location Services setting on their iDevices to “off.” Id. ¶ 31. Plaintiffs contend that Apple continued to monitor and store information about Plaintiffs’ locations even when the functionality was dis
B. Procedural History
This case is a consolidated multi-district litigation involving nineteen putative class action lawsuits. See generally First Consolidated Class Action Complaint (“Consolidated Complaint”), 10-cv-05878-LHK, ECF No. 71. The first two of these consolidated actions were filed on December 23, 2010. See Lalo v. Apple, Inc., et al., 10-cv-05878-LHK (the “Lalo Action”) and Freeman v. Apple, Inc., et al., 10-cv-05881-LHK (the “Freeman Action”). Other actions in this District and throughout the country have followed. These other actions, filed throughout the country, involve substantially similar allegations against Apple and other Defendants. On August 25, 2011, the Judicial Panel on Multidistrict Litigation (“MDL Panel”) issued a Transfer Order, centralizing these actions in the Northern District of California before the undersigned. See August 25, 2011 Transfer Order in MDL No. 2250, ECF No. 1.
The First Consolidated Complaint was filed on April 21, 2011. The Consolidated Complaint contained eight claims: (1) Negligence against Apple only; (2) Violation of Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030; (3) Computer Crime Law, Cal.Penal Code § 502; (4) Trespass on Chattel; (5) Consumer Legal Remedies Act (“CLRA”), Cal. Civ.Code § 1750 against Apple only; (6) Unfair Competition under Cal. Bus. & Prof.Code § 17200; (7) Breach of Covenant of Good Faith and Fair Dealing; and (8) Unjust Enrichment. Defendant Apple filed a motion to dismiss the First Consolidated Complaint on June 20, 2011. Lalo Action, ECF No. 142. The Mobile Industry Defendants also filed a motion to dismiss on the same day. Lalo Action, ECF No. 145. Plaintiffs’ opposition was filed on July 18, 2011. Lalo Action, ECF No. 153. Replies were filed on August 3, 2011. Lalo Action, ECF Nos. 159, 160.
On September 20, 2011, the Court granted Defendants’ motions to dismiss on the basis that Plaintiffs failed to establish Article III Standing. See generally September 20, 2011 Order Granting Motions to Dismiss for Lack of Article III Standing (“September 20 Order”), ECF No. 8,
On November 22, 2011, Plaintiffs filed the First Amended Consolidated Class Action Complaint (“Amended Consolidated Complaint” or “AC”). ECF No. 25. The Amended Consolidated Complaint contains thirteen causes of action: (1) Violation of the Stored Communications Act (“SCA”), 18 U.S.C. § 2701, et seq., on behalf of the Geolocation Class against Apple only; (2) Violation of the Electronic Communications Privacy Act (“ECPA”), 18 U.S.C. § 2510, et seq., on behalf of the Geolocation Class against Apple only; (3) Violation of the California Constitution Art. I, Section 1 on behalf of the Geolocation Class
II. LEGAL STANDARD
A. Motion to Dismiss Under Rule 12(b)(1)
A jurisdictional challenge may be facial or factual. Safe Air for Everyone v. Meyer,
B. Motion to Dismiss Under Rule 12(b)(6)
A motion to dismiss pursuant to Rule 12(b)(6) for failure to state a claim upon which relief can be granted “tests the legal sufficiency of a claim.” Navarro v. Block,
For purposes of ruling on a Rule 12(b)(6) motion to dismiss, the Court accepts all allegations of material fact as true and construes the pleadings in the light most favorable to the plaintiffs. Manzarek v. St. Paul Fire & Marine Ins. Co.,
C. Leave to Amend
Under Rule 15(a) of the Federal Rules of Civil Procedure, leave to amend “shall be freely given when justice so requires,” bearing in mind “the underlying purpose of Rule 15 to facilitate decision on the merits, rather than on the pleadings or technicalities.” Lopez v. Smith,
III. ANALYSIS
A. Article III Standing
An Article III federal court must ask whether a plaintiff has suffered sufficient injury to satisfy the “case or controversy” requirement of Article III of the U.S. Constitution. To satisfy Article III standing, plaintiff must allege: (1) injury-in-fact that is concrete and particularized, as well as actual and imminent; (2) wherein injury is fairly traceable to the challenged action of the defendant; and (3) it is likely (not merely speculative) that injury will be redressed by a favorable decision. Friends of the Earth, Inc. v. Laidlaw Envtl. Servs. (TOC), Inc.,
Because “injury” is a requirement under both Article III and Plaintiffs’ individual causes of action, the Court notes at the outset that “the threshold question of whether [Plaintiffs have] standing (and the
1. Injury In Fact
Plaintiffs’ initial complaint relied heavily upon a theory that collection of personal information itself created a particularized injury for the purposes of Article III standing. Relying on LaCourt v. Specific Media, Inc.,
In contrast to the First Consolidated Complaint, Plaintiffs’ allegations in the Amended Consolidated Complaint have been significantly developed to allege particularized injury to the Plaintiffs in this case. For one, Plaintiffs have articulated additional theories of harm beyond their theoretical allegations that personal information has independent economic value. In particular, Plaintiffs have alleged actual injury, including: diminished and consumed iDevice resources, such as storage, battery life, and bandwidth (AC ¶¶ 3, 63b, 72d, 198); increased, unexpected, and unreasonable risk to the security of sensitive personal information (AC ¶¶ 4, 18, 66-67); and detrimental reliance on Apple’s representations regarding the privacy protection afforded to users of iDevice apps (AC ¶¶ 72c, 80-82).
Additionally, Plaintiffs have addressed the deficiencies identified in the Court’s September 20 Order. Specifically, in the Amended Consolidated Complaint, Plaintiffs describe: (a) the specific iDevices used (see, e.g., AC ¶¶ 64a-g); (b) which Defendants accessed or tracked their personal information (see, e.g., AC ¶¶ 56-63); (c) which apps they downloaded that accessed or tracked their personal informa
Moreover, Plaintiffs also have identified an additional basis for establishing Article III standing. The injury required by Article III may exist by virtue of “statutes creating legal rights, the invasion of which creates standing.” See Edwards v. First Am. Corp.,
In this case, Plaintiffs have alleged a violation of their statutory rights under the Wiretap Act, 18 U.S.C. §§ 2510, et seq., against Apple, as well as the Stored Communications Act, 18 U.S.C. §§ 2701, et seq., against the Mobile Industry Defendants. AC ¶¶ 219-233; 342-347. The Wiretap Act provides that any person whose electronic communication is “intercepted, disclosed, or intentionally used” in violation of the Act may in a civil action recover from the entity which engaged in that violation. 18 U.S.C. § 2520(a). Similarly, the Stored Communications Act generally prohibits (1) intentionally accessing without authorization a facility through which an electronic communication service is provided; or (2) intentionally exceeding authorization to access that facility; and obtaining, altering, or preventing authorized access to a wire or electronic communication while it is in electronic storage. 18 U.S.C. § 2701(a)(1)-(2).
Other courts in this district have recognized that a violation of the Wiretap Act or the Stored Communications Act may serve as a concrete injury for the purposes of Article III injury analysis. In re Facebook Privacy Litig.,
2. Causation: Fairly Traceable to Actions of Defendants
Defendants argue that Plaintiffs have also failed to allege any injury fairly traceable to Apple or to the Mobile Industry Defendants. See Apple’s Mot. to Dismiss at 10-11; Mobile Industry Defs’ Mot. to Dismiss at 16. The allegations in the Amended Consolidated Complaint assert conduct by Defendants which directly or indirectly led to the alleged harm. See Warth,
Similarly, Plaintiffs have alleged harm to the iDevice Class that is fairly traceable to both Apple and the Mobile Industry Defendants. Plaintiffs allege that Apple designed its products and the App Store to allow individuals to download third party apps. Additionally, in order to encourage consumers to download apps, Apple represents to users of the App Store that it “takes precautions—including administrative, technical, and physical measures—to safeguard your personal information against theft, loss, and misuse, as well as against unauthorized access, disclosure, alteration, and destruction.” Id. at ¶ 78. Plaintiffs also allege that the Mobile Industry Defendants’ software accesses personal information on those devices without users’ awareness or permission and transmits the information to the Mobile Industry Defendants. Moreover, Apple has designed its products to allow consumers’ personal information to be transmitted to third parties, such as the Mobile Industry Defendants. According to Plaintiffs, this transfer has led to the consumption of bandwidth and storage space on their iDevices and has led them to overpay for their devices. Thus, as a matter of pleading Article III standing, Plaintiffs have sufficiently articulated the alleged injury is fairly traceable to the conduct of both Defendants. See Hepting v. AT & T Corp.,
B. Rule 12(b)(6) Motion to Dismiss Causes of Action
In light of the Court’s finding that Plaintiffs have established Article III standing, the Court will turn to whether Plaintiffs have plausibly stated a claim as to each cause of action alleged in the Amended Consolidated Complaint.
1. Stored Communications Act
Plaintiffs’ first claim, brought by Plaintiffs Gupta and Rodimer on behalf of the Geolocation Class solely against Apple, is that Apple’s conduct violated the federal Stored Communications Act, 18 U.S.C. § 2701, et seq. (“SCA”). AC ¶¶ 224-25. Plaintiffs bring a separate claim under the SCA on behalf of the iDevice Class against all Mobile Industry Defendants.
Enacted in 1986 as Section II of the Electronic Communications Protection Act (“ECPA”), the SCA creates criminal and
Plaintiffs Gupta and Rodimer assert that Apple violated § 2701(a)(1) and (a)(2) by intentionally accessing and collecting temporarily stored location data from Geolocation Class members’ iPhones after Locations Services was turned “off.” AC ¶¶ 224-25. Plaintiffs further assert that the Mobile Industry Defendants violated § 2701(a)(1) by intentionally accessing electronic communications while in electronic storage by collecting temporarily stored location data from the iDevice Class’s iPhones. See AC ¶¶ 58-64, 347.
Both Apple and the Mobile Industry Defendants advance four arguments why Plaintiffs’ SCA claims should be dismissed for failure to state a claim, which the Court will address in turn: (1) an iPhone is not a “facility through which an electronic communication service is provided;” (2) location data on users’ iPhones is not in “electronic storage;” (3) Defendants are either the electronic communications services (“ECS”) providers or the intended recipient of the communications, so Plaintiffs’ claims are barred by the exceptions contained in 18 U.S.C. § 2701(c)(1)-(2); and (4) Plaintiffs allege only that the iPhones communicated with Apple’s servers, not that Apple accessed Plaintiffs’ iPhones through unauthorized log-ins.
a. Facility
To state a claim under the SCA, Plaintiffs must allege that Defendants accessed without authorization “a facility through which an electronic communication service is provided.” 18 U.S.C. § 2701(a)(1). An “electronic communication service” (“ECS”) is “any service which provides to users thereof the ability to send and receive wire or electronic communications.” 18 U.S.C. § 2510(15). While the computer systems of an email provider, a bulletin board system, or an ISP are uncontroversial examples of facilities that provide electronic communications services to multiple users, less consensus surrounds the question presented here: whether an individual’s computer, laptop, or mobile device fits the statutory definition of a “facility through which an electronic communication service is provided.” The Court agrees with Defendants that it does not. Plaintiffs do not suggest that something other than their iPhones are the “facilities” allegedly accessed without authorization. See generally Opp’n at 10-11. Instead, Plaintiffs urge the Court to follow a number of non-binding decisions that have accepted that personal computers can be facilities. See Chance v. Ave. A, Inc.,
By contrast, the courts that have taken a closer analytical look have consistently concluded that an individual’s personal computer does not “provide[ ] an electronic communication service” simply by virtue of enabling use of electronic communication services. See, e.g., Crowley v. CyberSource Corp.,
Similarly, in Chance, a decision that Plaintiffs themselves cite, the court first assumed that the plaintiffs’ computers were “facilities” under the SCA for purposes of argument, but then quickly explained why “the subsequent implications of this rather strained interpretation of a ‘facility through which an electronic communication service is provided’ are fatal to [plaintiffs’] cause of action.” Chance,
The Court therefore concludes that Plaintiffs fail to state a claim under the SCA because their iOS devices do not constitute “facilit[ies] through which an electronic communication service is provided.”
b. Electronic Storage
Next, Defendants argue that information stored on a user’s iPhone cannot be information in “electronic storage” for purposes of the SCA. To state a claim under the SCA, Plaintiffs must show not only that Defendants accessed a facility through which an electronic communication service is provided, but furthermore that Defendants “obtain[ed], alter[ed], or prevent[ed] authorized access to a wire or electronic communication while it [was] in electronic storage in such system.” 18 U.S.C. § 2701(a) (emphasis added). The SCA defines “electronic storage” as “(a) any temporary, intermediate storage of a wire or electronic communication incidental to the electronic transmission thereof; and (b)
The Court finds persuasive the reasoning in In re Doubleclick, Inc. Privacy Litigation,
The same conclusion was reached in In re Toys R Us, Inc. Privacy Litig., No. 00-cv-2746,
Here, the Geolocation Plaintiffs allege that Apple retrieved information from their iPhones revealing their real-time location information and that this information was necessarily only “temporarily stored” on their iPhones, because “anything other than temporary and regularly overwritten ... data (constantly updated cell tower and WiFi network information) would quickly consume the iPhone’s available memory.” Opp’n at 11-12. However, Plaintiffs’ own allegations in the amended complaint state that “in the /Library/Application Support/MobileSync/Backups/ folder on a user’s iDevice, Apple maintains an unencrypted log of the user’s movements, as often as 100 times a day, for up to a one-year period.” AC ¶ 107(a). Thus, it appears that this location data resides on Plaintiffs’ iPhone hard drive for up to a one-year period, which is not merely a “temporary, intermediate storage ... incidental to the electronic transmission” of an electronic communication. Nor do Plaintiffs allege that Defendants accessed the data at a time when the data was only in temporary, intermediate storage. Thus, the Court again agrees with Defendants that Plaintiffs fail to state a claim under the SCA because they fail to allege that Defendants accessed data in “electronic storage.”
c. Statutory Exceptions
Defendants argue that, even if Plaintiffs had alleged that Apple accessed a communication in “electronic storage” in a “communications facility,” this conduct would fall under specific SCA exceptions for service providers or intended parties to certain communications, as provided by § 2701(c)(2). Under § 2701(c), conduct authorized by the ECS provider falls beyond the scope of § 2701(a)(1). Likewise,
The Court finds that the second exception under § 2701(c) applies to the Mobile Industry Defendants, but not to Apple. Here, Plaintiffs allege that Apple itself caused a log of geolocation data to be generated and stored, and that Apple designed the iPhone to collect and send this data to Apple’s servers. AC ¶¶ 107(a), 114, 138. Apple, however, is neither an electronic communications service provider, nor is it a party to the electronic communication between a user’s iPhone and a cellular tower or WiFi tower. Thus, the Court fails to see how Apple can avail itself of the statutory exception by creating its own, secondary communication with the iPhone. With respect to the Mobile Industry Defendants, Plaintiffs allege that when users download and install Apps on their iPhones, the Mobile Industry Defendants’ software accesses personal information on those devices and sends that information to Defendants. AC ¶ 161. These allegations are highly similar to those dismissed in In re Doubleclick and In re Facebook Privacy Litigation,
d. Access Without Authorization
Defendants’ final argument is that Plaintiffs fail to state a claim under the SCA because they have not alleged that Defendants “accessed” their iPhones, even if their iPhones are considered “facilities” under the SCA. Defendants again cite the Crowley decision, where the district court found that, notwithstanding plaintiff’s conclusory allegations that the defendants “accessed” his computer, in fact “Crowley sent his information to Amazon electronically; Amazon did not gain access to his computer in order to obtain the personal information at issue.” Crowley,
The reasoning in Crowley is not as applicable to this particular argument because the nature of Plaintiffs’ allegations here is rather distinct. Plaintiffs allege that when users download and install Apps on their iPhones, the Mobile Industry Defendants’ software accesses personal information on those devices and supplies Defendants with details such as consumers’ cellphone numbers, address books, UDIDs, and geolocation histories. AC ¶ 161. This information is not simply information that Plaintiffs themselves have voluntarily sent to the App developers, but rather information that is stored on the iPhone.
Although the Court is not persuaded that Plaintiffs have failed to allege that Defendants “accessed” their iPhones in order to obtain location data, the Court concludes that Plaintiffs have failed to allege facts sufficient to support a claim that Defendants accessed a communications facility and thereby obtained access to an electronic communication while it was in electronic storage in such system. Accordingly, Defendants’ respective motions to dismiss claims one and eleven for violations of the SCA are GRANTED. The motions are granted with prejudice, for the reasons discussed in Section III.D.
Plaintiffs’ second claim, brought by Plaintiffs Gupta and Rodimer on behalf of the Geolocation Class solely against Apple, is that Apple’s conduct violated two provisions of the federal Wiretap Act, 18 U.S.C. §§ 2510-2522 (2000). See AC ¶¶ 230-31. The Wiretap Act generally prohibits the “interception” of “wire, oral, or electronic communications.” 18 U.S.C. § 2511(1). More specifically, the Wiretap Act provides a private right of action against any person who “intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication,” 18 U.S.C. § 2511(1)(a), or who “intentionally uses, or endeavors to use, the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of [the Wiretap Act],” id. § 2511(1)(d). See id. § 2520 (providing a private right of action). Plaintiffs here assert that Apple violated § 2511(1)(a) and § 2511(1)(d) by collecting Plaintiffs’ precise geographic location data from Wi-fi towers, cell phone towers, and GPS data on Plaintiffs’ devices, and by using that location data to develop an expansive database of information about the geographic location of cellular towers and wireless networks throughout the United States, to Apple’s benefit. AC ¶¶ 115, 137, 230-31.
Apple contends that Plaintiffs have failed to state a claim under the Wiretap Act for the following two reasons: (1) location data is not the “content” of any communication for purposes of the Wiretap Act; and (2) Apple could not have unlawfully “intercepted” the communication because it was the intended recipient of the location data. Apple MTD at 20-22.
a. Content of Communications
The Wiretap Act prohibits “interceptions” of electronic communications and defines “intercept” as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.” § 2510(4) (emphasis added). The “contents” of a communication, in turn, are defined in the statute as “any information concerning the substance, purport, or meaning of that communication.” § 2510(8). “[A]ny transfer of signs, signals, writing, images, sounds, data, or intelligence of any nature transmitted in whole or in part by a wire, radio, electromagnetic, photoelectronic or photooptical system that affects interstate or foreign commerce,” with certain exceptions not relevant to this case, qualifies as an “electronic communication.” § 2510(12).
Apple argues that information about the identities of parties to a communication and other call data is not “content” as defined by the Wiretap Act. The Court agrees. In United States v. Reed,
b. Interception
The Court is less convinced by Apple’s second argument that dismissal is warranted because Apple was the intended recipient of the Geolocation Class members’ location data and therefore cannot be held liable under the Wiretap Act. Apple invokes a statutory exception to liability that protects the intended recipient of a communication. The exception provides that it is not “unlawful ... for a person not acting under color of law to intercept a wire, oral, or electronic communication, where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception unless such communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or [any federal or state law].” 18 U.S.C. § 2511(2)(d).
Apple points to the assertion in the AC that “Apple designed iOS 4 to access and transmit location data from the mobile device to Apple’s servers,” and from that statement concludes that Apple is an intended recipient of the location data from users’ mobile devices. See AC ¶ 142. However, this is not a fair reading of the Plaintiffs’ allegations. The intended communication is between the users’ iPhone and the Wi-fi and cell phone towers, and Plaintiffs appear to allege that Apple designed its operating system to intercept that communication and transmit the information to Apple’s servers. Apple cannot manufacture a statutory exception through its own accused conduct, and thus the Court does not agree that § 2511(2)(d) applies.
In sum, Plaintiffs have failed to state a claim under § 2511(1)(a) or § 2511(1)(d). Accordingly, Apple’s motion to dismiss count two for violation of the Wiretap Act is GRANTED. The motion is granted with prejudice, for the reasons discussed in Section III.D.
Plaintiffs, on behalf of both the Geolocation and iDevice Classes, assert that Defendants’ conduct violates their right to privacy pursuant to Article I, Section 1 of the California Constitution. The California Constitution creates a privacy right that protects individuals from the invasion of their privacy not only by state actors but also by private parties. Am. Acad. of Pediatrics v. Lungren,
Even assuming, without deciding, that Plaintiffs have established the first two elements of a constitutional invasion of privacy claim, Plaintiffs’ claim fails under the third element. “Actionable invasions of privacy must be sufficiently serious in their nature, scope, and actual or potential impact to constitute an egregious breach of the social norms underlying the privacy right.” Hill,
Here, the information allegedly disclosed to third parties included the unique device identifier number, personal data, and geolocation information from Plaintiffs’ iDevices. Even assuming this information was transmitted without Plaintiffs’ knowledge and consent, a fact disputed by Defendants, such disclosure does not constitute an egregious breach of social norms. See, e.g. Folgelstrom v. Lamps Plus, Inc.,
Plaintiffs, on behalf of both the Geolocation and iDevice Classes, assert a claim of negligence against Apple. The elements of negligence under California law are: “(a) a legal duty to use due care; (b) a breach of such legal duty; [and] (c) the breach as the proximate or legal cause of the resulting injury.” Evan F. v. Hughson United Methodist Church,
Even assuming that Apple owes an affirmative duty to protect Plaintiffs’ personal data from disclosure to third parties, it is not clear how Plaintiffs have been harmed by Apple’s alleged breach. As recognized by the Court’s September 20 Order, in order to state a claim for negligence, Plaintiff must allege an “appreciable, nonspeculative, present injury.” See Aas v. Super. Ct.,
Plaintiffs allege that they were harmed “as a result of Apple’s breach of its duties, which damage is separate and apart from any damage to their iPhones themselves.” AC ¶ 257. Beyond this allegation, Plaintiffs have not identified what the “appreciable, nonspeculative, present injury” is. All of the allegations of harm identified in the Amended Consolidated Complaint are either too speculative to support a claim for negligence under California law, or they stem from disappointed expectations from a commercial transaction and thus do not form the basis of a negligence claim. See, e.g. AC ¶¶ 3, 63b, 72d, 198 (diminished and consumed iDevice resources, such as storage, battery life, and bandwidth); AC ¶¶ 4, 18, 66-67 (increased, unexpected, and unreasonable risk to the security of sensitive personal information); AC ¶¶ 29, 72c, 80-82 (disappointed expectations from commercial transaction). Because Plaintiffs have failed to establish actionable injury to state a claim for negligence, Apple’s motion to dismiss is GRANTED. The motion is granted with prejudice, for the reasons discussed in Section III.D.
5. Computer Fraud and Abuse Act
Plaintiffs, on behalf of both the Geolocation and iDevice Classes, assert that the Defendants have violated the Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030. The CFAA is a federal statute that creates liability for “knowingly and with intent to defraud, access[ing] a protected computer without authorization, or exceed[ing] authorized access.” 18 U.S.C. § 1030(a)(4).
The CFAA prohibits the following conduct, which is at issue in this lawsuit:
“knowingly caus[ing] the transmission of a program, information, code, or command, and as a result of such conduct, intentionally caus[ing] damage without authorization, to a protected computer;”
“intentionally access[ing] a protected computer without authorization, and as a result of such conduct, recklessly caus[ing] damage; or”
“intentionally access[ing] a protected computer without authorization, and as a result of such conduct, caus[ing] damage and loss.”
18 U.S.C. § 1030(a)(5)(A)-(C); see also AC ¶¶ 269-271; 284-286. A person who “intentionally accesses a computer without authorization,” accesses a computer without any permission at all, while a person who “exceeds authorized access,” has permission to access the computer, but accesses information on the computer that the person is not entitled to access. See LVRC Holdings LLC v. Brekka,
The CFAA is primarily a criminal statute. AtPac, Inc. v. Aptitude Solutions, Inc.,
(I) loss to 1 or more persons during any 1-year period (and, for purposes of an investigation, prosecution, or other proceeding brought by the United States only, loss resulting from a related course of conduct affecting 1 or more other protected computers) aggregating at least $5,000 in value;
(II) the modification or impairment, or potential modification or impairment, of the medical examination, diagnosis, treatment, or care of 1 or more individuals;
(III) physical injury to any person;
(IV) a threat to public health or safety; [or]
(V) damage affecting a computer used by or for an entity of the United States Government in furtherance of the administration of justice, national defense, or national security.
Id. at § 1030(g) & (c)(4)(A)(i)(I)-(V). The only potential basis for liability in this case is pursuant to subclause (I) which requires a plaintiff to demonstrate “loss to 1 or more persons during any 1-year period ... aggregating at least $5,000” in “economic damages.” Id. Loss is defined as “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” Id. at § 1030(e)(11). The term “damage” means “any impairment to the integrity or availability of data, a program, a system, or information.” Id. at § 1030(e)(8); see Creative Computing v. Getloaded.com LLC,
The Geolocation Class
Plaintiffs, on behalf of the Geolocation Class, assert that Apple’s practice of using iDevices to retain location history files violates the above referenced provisions of the CFAA. Apple
Apple rightly argues that class members “voluntarily installed” the software that caused users’ iDevices to maintain, synchronize, and retain detailed, unencrypted location history files. AC ¶ 264; Apple’s Mot. to Dismiss at 23. Where the software that allegedly harmed the phone was voluntarily downloaded by the user, other courts in this District and elsewhere have reasoned that users would have serious difficulty pleading a CFAA violation. See In re Apple & ATTM Antitrust Litig.,
Additionally, Apple argues that the type of harm alleged with respect to this class—the cost of memory space on the class members’ iPhones as a result of storing unauthorized geolocation data—is insufficient to establish the $5,000 damages minimum. In order to establish access and transmission claims pursuant to the CFAA, as the Geolocation Class attempts to here, Plaintiffs must establish that they suffered economic damage. See Czech v. Wall Street on Demand, Inc.,
Here, although Plaintiffs allege that the storage of the location histories on their iDevices consumes valuable memory space, which constitutes economic damages for the purposes of the CFAA, courts have consistently rejected this argument in similar contexts. See, e.g. Del Vecchio v. Amazon.com, Inc., C11-366,
Typically, in order to establish economic damages, the consumer must establish that the Defendant intended to impair the recipient’s service. Czech,
The Court further finds persuasive the reasoning employed in AtPac, Inc. v. Aptitude Solutions, Inc., in which the district court narrowly construed the class of cases in which civil actions may be brought pursuant to the CFAA:
Congress’ restricting of civil actions to cases that cause the types of harm listed in 18 U.S.C. § 1030(c)(4)(A)(i) subsections (I) through (V) reemphasizes the court’s conclusion that the sort of conduct alleged against [defendant] does not fall under the CFAA’s prohibitions. “Loss” is grouped along with the harms of physical injury, threat to public health and safety, impairment of medical diagnosis or treatment, and damage to federal government computers that deal with national security and defense. It is no surprise that courts interpreting the definition of “loss” sufficient to bring a civil action have done so narrowly given the company that subsection (I) keeps. The definition of “loss” itself makes clear Congress’s intent to restrict civil actions under subsection (I) to the traditional computer “hacker” scenario-where the hacker deletes information, infects computers, or crashes networks.
Although Plaintiffs have alleged that the location files consume valuable memory space on their iDevices, Plaintiffs have not plausibly alleged that the location file impairs Plaintiffs’ devices or interrupts service, or otherwise fits within the statutory requirements of “loss” and “economic damage” as defined by the statute. 18 U.S.C. § 1030(e)(11), (8). Thus, the Geolocation Class has failed to state a claim under the CFAA.
The iDevice Class
The Plaintiffs’ claim under the CFAA on behalf of the iDevice Class suffers from a
Moreover, Plaintiffs have not established that the alleged privacy breaches performed by the Mobile Industry Defendants and allowed by Apple meet the statutory loss required for all civil actions identified above. Plaintiffs have put forth two theories that they believe demonstrate “loss to 1 or more persons during any 1-year period ... aggregating at least $5,000” in “economic damages.” Id. at § 1030(g) & (c)(4)(A)(i)(I)-(V). As explained below, both of these theories are insufficient to establish civil liability under the CFAA.
As explained previously in the September 20 Order, courts have tended to reject the contention that personal information—such as the information collected by the Mobile Industry Defendants—constitutes economic damages under the CFAA. See, e.g. In re Zynga Privacy Litig.,
Similarly, while Plaintiffs allege that the creation of location history files and app software components “consumed portions of the cache and/or gigabytes of memory on their devices,” AC ¶ 72(d), and that the Mobile Industry Defendants’ conduct shortens the battery life of the iDevice, these allegations do not plausibly establish that Defendant’s conduct impairs Plaintiffs’ devices or service. See, e.g. Czech,
In sum, Defendants’ motions to dismiss the sixth and seventh causes of action for violations of the CFAA are GRANTED. The motions are granted with prejudice, for the reasons set forth in Section III.D.
6. Trespass
Plaintiffs, on behalf of both the Geolocation and iDevice Classes, assert a claim for trespass against all Defendants. Under California law, trespass to chattels “lies where an intentional interference with the possession of personal property has proximately caused injury.” Intel Corp. v. Hamidi,
An action for trespass arises “when [the trespass] actually did, or threatened to, interfere with the intended functioning of the system, as by significantly reducing its available memory and processing power.” Id. at 1356,
7. Consumer Legal Remedies Act
Plaintiffs, on behalf of both the Geolocation Class and the iDevice Class, allege that Apple has violated the CLRA. The CLRA prohibits “unfair methods of competition and unfair or deceptive acts or practices.” Cal. Civ.Code § 1770. An action may be brought under the CLRA pursuant to § 1780(a), which provides that
The CLRA only applies to a limited set of consumer transactions, and is not a law of “general applicability.” Ting v. AT & T,
In its September 20 Order, the Court explained that Plaintiffs had failed to allege “any damage” as a result of Defendants’ actions and “to the extent Plaintiffs’ allegations are based solely on software, Plaintiffs do not have a claim under the CLRA.” September 20 Order at 15. Plaintiffs were told that they “must remedy these deficiencies in any amended complaint.” Id. Apple essentially argues that Plaintiffs have failed to address the previously identified deficiencies, and the CLRA claim must be dismissed because: (1) Plaintiffs have not alleged any facts establishing that Plaintiffs sustained any actual damage, (2) Plaintiffs’ claim is based on the downloading of software, which is not covered by the CLRA, and (3) the CLRA applies only to the purchase or lease of goods or services, and Plaintiffs’ claim is based on the downloading of free apps. See Apple MTD at 25-26; Apple Reply at 11-12. Apple’s arguments, however, misconstrue the nature of Plaintiffs’ CLRA claim in the Amended Consolidated Complaint.
As described more fully above, Plaintiffs, on behalf of the Geolocation Class, allege that Apple has stored geolocation data on users’ iDevices for Apple’s own benefit, and at a cost to consumers. Moreover, Plaintiffs allege that Apple continued to collect user’s geolocation data even when users switched the Location Services setting to “off.” Thus, Plaintiffs contend that had Apple “disclosed the true cost of the ... geolocation features, the value of the iPhones would have been materially less than what Plaintiffs paid.” Id. ¶ 29.
Similarly, the Amended Consolidated Complaint has clarified Plaintiffs’ theory with respect to the iDevice Class. Plaintiffs allege that the availability of apps in the Apps Store is a meaningful part of Plaintiffs’ decision to purchase an Apple product. Thus, Plaintiffs’ theory with respect to the iDevice Class rests on representations made that Apple “takes precautions—including administrative, technical, and physical measures—to safeguard your personal information against theft, loss, and misuse, as well as against unauthorized access, disclosure, alteration, and destruction.” Plaintiffs contend that, in light of Apple’s statements about protecting user privacy, Plaintiffs did not expect
Moreover, the gravamen of the CLRA claim of the Geolocation Class is not that free apps downloaded by Plaintiffs were deficient, but rather that the iPhones (a “good” covered by the CLRA) purchased by the class members did not perform as promised based on a specific functionality of the device. Plaintiffs’ claim thus arises out of the sale of a good, and not the downloading of free software. Similarly, Plaintiffs’ CLRA claim on behalf of the iDevice class is also premised on Plaintiffs’ purchase of the iDevices themselves, and not exclusively on the downloading of free apps. As explained above, Plaintiffs’ theory is premised on the design of iDevices, in conjunction with the App Store and representations regarding privacy protection that led Plaintiffs to purchase the iDevices at a higher price than they otherwise would have paid. Accordingly, at the pleading stage, at least, Plaintiffs have sufficiently alleged that they are consumers under the CLRA, and their allegations relate to the purchase of goods. See Cal. Civ.Code § 1761(d). While these allegations may prove false, at this stage they are sufficient to state a claim under the CLRA. Apple’s motion to dismiss Plaintiffs’ ninth cause of action for violation of the CLRA is DENIED.
8. Unfair Competition Law
Plaintiffs, on behalf of both the Geolocation Class and the iDevice Class, allege that Apple has violated the UCL.
a. Standing
A plaintiff must show he personally lost money or property because of his own actual and reasonable reliance on the allegedly unlawful business practices, in order to establish standing for a UCL claim. Kwikset Corp. v. Superior Court,
In the Amended Consolidated Complaint, Plaintiffs have fleshed out their UCL claim to articulate a more traditional theory of a UCL violation. Plaintiffs, on behalf of the Geolocation Class, allege that Apple intentionally collected and stored their geographic location on the iDevices Plaintiffs had purchased despite Apple’s assertion that users could disable this particular functionality. Plaintiffs contend that had Apple “disclosed the true cost of the ... geolocation features, the value of the iPhones would have been materially less than what Plaintiffs paid.” AC ¶ 29. For the Plaintiffs in the Geolocation Class, the loss of money or property is in the form of the allegedly overinflated cost of the iDevice itself as a result of the false statements regarding the geolocation features of the device. See, e.g. Kwikset Corp.,
Thus, Plaintiffs have sufficiently alleged a loss of money or property as a result of the UCL violation. See also Stearns v. Ticketmaster Corp.,
b. Unlawful Prong
The unlawful prong of the UCL prohibits “anything that can properly be called a business practice and that at the same time is forbidden by law.” Cel-Tech Commc’ns, Inc. v. L.A. Cellular Tel. Co.,
c. Unfair Prong
The UCL also creates a cause of action for a business practice that is “unfair” even if not specifically proscribed by some other law. Korea Supply Co. v. Lockheed Martin Corp.,
Regardless of what test the Court applies, the Court cannot say that at this stage Plaintiffs’ claim is precluded as a matter of law. With respect to the Geolocation Class, Plaintiffs have alleged breaches of Apple’s representations that it would not track consumer’s whereabouts. It is possible that Apple’s conduct might be useful to society, and that this benefit outweighs the harm to Plaintiffs. For example, if Apple is collecting location data to improve its own services, the benefit may outweigh the intrusion of collecting user’s location data. However, at this juncture the Court cannot say that Apple’s practices are not injurious to consumers, or that any benefit to consumers outweighs the harm.
Similarly, Plaintiffs have alleged “unfair” business practices with respect to the iDevice Class. Plaintiffs, on behalf of the iDevice Class, allege that Apple promotes the availability of free apps and the use of the App Store to potential purchasers of iDevices. Similarly, Apple makes affirmative representations regarding its protection of user’s personal information. In contrast, according to Plaintiffs, Apple allowed third parties to collect consumers’ information without their knowledge. While the benefits of Apple’s conduct may ultimately outweigh the harm to consumers, this is a factual determination that cannot be made at this stage of the proceedings. Nor can the Court conclude at this stage that Apple’s practices are not injurious to consumers as a matter of law. At this point, the Court declines to dismiss Plaintiffs’ UCL claim under the unfair prong.
d. Fraudulent Prong
In order to state a cause of action under the fraud prong of the UCL, a plaintiff must show that members of the public are likely to be deceived. Schnall v. Hertz Corp.,
Similarly, with respect to the iDevice Class, Plaintiffs have alleged that Apple failed to disclose the “material fact that the iDevice, the App Store, the Apps, and the entire Apple ecosystem (and system of relationships with developers and [Mobile Industry Defendants]) was designed to foster the unauthorized taking of and profiting from Plaintiffs’ personal information.” AC ¶ 338. Moreover, Apple affirmatively asserted that it “takes precautions—including administrative, technical, and physical measures—to safeguard your personal information against theft, loss, and misuse, as well as against unauthorized access, disclosure, alteration, and destruction.” Plaintiffs contend that, in light of Apple’s material omissions and affirmative statements regarding protecting user privacy, Plaintiffs did not expect or consent to the Mobile Industry Defendants’ tracking and collecting their app use or personal information. Id. ¶ 173-74. Moreover, Plaintiffs allege that Apple’s failures to disclose its practices have materially affected the value of the devices purchased. While these allegations may prove false, at this stage they are sufficient to state a claim. Accordingly, Plaintiffs have stated a claim under the fraudulent prong of the UCL.
In sum, Apple’s motion to dismiss Plaintiffs’ tenth cause of action for violation of the UCL is DENIED.
9. Conversion
Plaintiffs, on behalf of the iDevice Class, allege that Apple and the Mobile Industry Defendants are liable for conversion. California law defines conversion as “any act of dominion wrongfully asserted over another’s personal property in denial of or inconsistent with his rights therein.” In re Bailey,
To establish conversion, a plaintiff must show “ownership or right to possession of property, wrongful disposition of the property right and damages.” Kremen v. Cohen,
10. Unjust Enrichment/Assumpsit/Restitution
Plaintiffs, on behalf of the iDevice Class, allege a claim against Apple and the Mobile Industry Defendants for Assumpsit and Restitution. Notwithstanding earlier cases suggesting the existence of a separate, stand-alone cause of action for unjust enrichment, the California Court of Appeals has recently clarified that “[u]njust enrichment is not a cause of action, just a restitution claim.” Hill v. Roll Int’l Corp.,
California courts have recognized multiple grounds for awarding restitution. See McBride v. Boughton,
However, like unjust enrichment, California does not recognize a cause of action for restitution. See Durell,
C. User Agreements
Apple also argues that all of Plaintiffs’ claims against it are foreclosed by Apple’s Privacy Policy and the Terms and Conditions of the iTunes Apps Store (the “Agreement”). See Apple’s Mot. to Dismiss at 11-14, McCabe Decl. Exs. F & G. Apple makes two main arguments: (1) to the extent that Plaintiffs contest Apple’s collection and transfer of user data, Apple’s conduct is explicitly permitted pursuant to the terms of the Privacy Policy, and (2) the iDevice Class’s claims against Apple are foreclosed because the Agreement includes a disclaimer of liability arising from third party conduct.
As explained in the September 20 Order, the Court may consider agreements between the Plaintiffs and Apple under the incorporation by reference doctrine on a motion to dismiss. See, e.g., Rubio v. Capital One Bank,
Based on the record before the Court, Plaintiffs have a colorable argument that the terms of the privacy agreement were ambiguous and do not necessarily foreclose the remaining claims against Ap
Additionally, to the extent that Apple argues that it has no duty to review or evaluate apps and that it has disclaimed any liability arising from the actions of third parties, this argument both ignores contradictory statements made by Apple itself, and the allegations asserted by Plaintiffs regarding Apple’s own conduct with respect to the alleged privacy violations. For one, it is not clear that Apple disclaimed all responsibility for privacy violations because, while Apple claimed not to have any liability or responsibility for any third party materials, websites or services, Apple also made affirmative representations that it takes precautions to protect consumer privacy. Additionally, Plaintiffs’ allegations go beyond asserting that Apple had a duty to review or police third party apps. Instead, Plaintiffs allege Apple was responsible for providing user’s information to third parties. AC ¶¶ 25, 30. Plaintiffs allege that Apple is independently liable for any statutory violations that have occurred. At the motion to dismiss stage, then, the Court is not prepared to rule that the Agreement establishes an absolute bar to Plaintiffs’ claims.
D. Leave to Amend
In order to determine whether leave to amend should be granted, the Court must consider “undue delay, bad faith or dilatory motive on the part of the movant, repeated failure to cure deficiencies by amendments previously allowed, undue prejudice to the opposing party by virtue of allowance of the amendment, [and] futility of amendment, etc.’ ” Eminence Capital, LLC v. Aspeon, Inc.,
This is the second order that the Court has issued dismissing several of Plaintiffs’ claims for relief. After the September 20 Order outlining deficiencies in the Consolidated Complaint, Plaintiffs were granted leave to amend the complaint in order to address the deficiencies. Plaintiffs reasserted several claims in the Amended Consolidated Complaint that had been asserted in the first Consolidated Complaint. Thus, for many of Plaintiffs’ claims, including claims for trespass, negligence, violation of the CFAA, and restitution/assumpsit, this is the second time these claims are being dismissed. Therefore, the Court finds that amendment of these claims is futile. See Nordyke v. King,
In addition, Plaintiffs included for the first time violations of the SCA, the Wiretap Act, the California Constitution, and a claim for conversion in the Amended Consolidated Complaint. Although these claims were not initially raised in the Consolidated Complaint, the Court nonetheless finds that amendment would be futile as to these claims as well. As explained above, Plaintiffs’ claims fail not based on a deficiency in pleading, but rather because the theories regarding how Defendants’ prac
III. CONCLUSION
For the reasons stated above, the Court DENIES Defendants’ motions to dismiss pursuant to Rule 12(b)(1). However, the Court GRANTS the Mobile Industry Defendants’ motion to dismiss pursuant to Rule 12(b)(6) in its entirety, without leave to amend. The Court GRANTS in part, and DENIES in part, Apple’s motion to dismiss pursuant to Rule 12(b)(6). Specifically, Plaintiffs’ claims against Apple for violations of the Stored Communications Act, violations of the Wiretap Act, violations of the California Constitutional right to privacy, negligence, violations of the Computer Fraud and Abuse Act, trespass, conversion, and unjust enrichment/assumpsit/restitution are dismissed without leave to amend. The claims against Apple for violations of the UCL and CLRA survive the motion to dismiss.
IT IS SO ORDERED.
Notes
Mobile Industry Defendants are referred to by the Plaintiffs as the “Tracking Defendants.”
The Court refers to the “iDevice Class” and the “Geolocation Class” even though these classes have not been certified pursuant to Federal Rule of Civil Procedure 23. Any reference to “classes” within this Order is merely for ease of discussion and is not intended to imply a position regarding whether either class would be certifiable under the federal rules.
Originally this claim was brought against all Defendants, but Plaintiffs clarified in their Opposition to Defendants’ Motions to Dismiss (“Opp’n”) that Count Eleven was withdrawn as to Defendant Apple, and was only being asserted as to the Tracking Defendants. See Opp’n at 33 n. 30.
The Mobile Industry Defendants also argue that Plaintiffs lack prudential standing to bring an SCA claim. Mobile Industry MTD at 17. Because the Court finds, on other grounds, that Plaintiffs have failed to state a claim for relief under the SCA, the Court need not address this argument. See Indep. Living Ctr. of S. Cal., Inc. v. Shewry,
Apple also argues that it cannot be liable under the CFAA for negligent software design.
The Court notes that a recent Ninth Circuit decision may impact whether or not a nationwide class may be certified under California state consumer protection laws. See Mazza v. Am. Honda Motor Co., Inc.,
