Case No. 22-cv-03580-WHO
UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA
September 7, 2023
ORDER ON MOTION TO DISMISS
Plaintiffs challenge defendant Meta Platform, Inc.s alleged use of proprietary computer code to obtain certain healthcare-related information of Facebook
BACKGROUND
Plaintiffs are five Facebook users who are proceeding anonymously due to the sensitive nature of this litigation. Consolidated Class Action Complaint (“CCAC,” Dkt. 185) ¶¶ 24-28. They allege that Meta improperly acquires their confidential health information in violation of state and federal law and in contravention of Metas own policies regarding use and collection of Facebook users data. Id. ¶¶ 1-2, 5, 7.
Each of plaintiffs healthcare providers—MedStar Health System, Rush University System fоr Health, WakeMed Health & Hospitals, Ohio State University Wexner Medical Center, and North Kansas City Hospital—allegedly installed the Meta Pixel on its patient portals. See id. ¶¶ 24-28. Plaintiffs claim that when they logged into their patient portal on their medical providers website, the Pixel transmitted information to Meta. Id. ¶¶ 6, 8-13, 22. They contend that this information, contemporaneously redirected to Meta, revealed their status as patients and was monetized by Meta for use in targeted advertising. Id. ¶¶ 9, 13.
Plaintiffs initially moved for a preliminary injunction. Dkt. No. 46. I denied that motion, finding that while plaintiffs presented sufficient evidence of a “weighty injury,” the scope of their injury and technical feasibility of plaintiffs proposed solutions were not clear and the balance of equities and public interest factors did not support injunctive relief based on the record at that juncture. Dkt. No. 159 (“PI Order“).
In February 2023, Interim Class Counsel filed their Consolidated Class Action Complaint. Dkt. No. 185. In the CCAC, plaintiffs expand the scope of their suit and bring 13 claims: (1) breach of contract; (2) breach of the duty of good faith and fair dealing; (3) violation of the Electronic Communications Privacy Act (“ECPA” or “Wiretap Act“); (4) violation оf the California Invasion of Privacy Act (“CIPA“); (5) intrusion upon seclusion; (6) California constitutional invasion of privacy; (7) negligence per se; (8) trespass to chattels; (9) violation of Californias Unfair Competition Law (“UCL“); (10) violation of Californias Consumer Legal Remedies Act (“CAFA“); (11) larceny; (12) violation of Californias Comprehensive Computer Data Access and Fraud Act (“CDAFA“); and (13) unjust enrichment.
Defendant has moved to dismiss each of the claims asserted in the CCAC.1
LEGAL STANDARD
Under
In deciding whether the plaintiff has stated a claim upon which relief can be granted, the Court accepts the plaintiffs allegations as true and draws all reasonable inferences in favor of the plaintiff. See Usher v. City of Los Angeles, 828 F.2d 556, 561 (9th Cir. 1987). However, the court is not required to accept as true “allegations that are merely conclusory, unwarranted deductions of fact, or unreasonable inferences.” In re Gilead Scis. Sec. Litig., 536 F.3d 1049, 1055 (9th Cir. 2008). If the court dismisses the complaint, it “should grant leave to amend even if no request to amend the pleading was made, unless it determines that the pleading could not possibly be cured by the allegation of other facts.” Lopez v. Smith, 203 F.3d 1122, 1127 (9th Cir. 2000). In making this determination, the court should consider factors such as “the presence or absence of undue delay, bad faith, dilatory motive, repeated failure to cure deficiencies by previous amendments, undue prejudice to the opposing party and futility of the proposed amendment.” Moore v. Kayport Package Express, 885 F.2d 531, 538 (9th Cir. 1989).
DISCUSSION
I. ELECTRONIC COMMUNICATIONS PRIVACY ACT – CLAIM 3
“The Wiretap Act prohibits the unauthorized interception of an electronic communication.” In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 606–07 (9th Cir. 2020), cert. denied sub nom. Facebook, Inc. v. Davis, 141 S. Ct. 1684 (2021) (quoting
A. Intent
Addressing the intent and intercept elements of the ECPA claim in the PI Order, I wrote:
“Intercept” is defined under the Wiretap Act as “the aural or other acquisition of the contents of any wire, electronic, or oral communication through the use of any electronic, mechanical, or other device.”
18 U.S.C. § 2510(4) . Although the statute does not define “acquisition,” the Ninth Circuit has construed the term according to its ordinary meaning as the “act of acquiring, or coming into possession of [.]” United States v. Smith, 155 F.3d 1051, 1055 n.7 (9th Cir. 1998). “Such acquisition occurs when the contents of a wire communication are captured or redirected in any way.” Noel v. Hall, 568 F.3d 743, 749 (9th Cir. 2009) (internal citation and quotation marks omitted).According to plaintiffs, the Pixel is “designed for the very purpose of intercepting communications on third-party websites by surreptitiously and contemporaneously redirecting these communications to Meta.” Mot. at 11 (citing Smith Decl. ¶¶ 7–14). Plaintiffs have put forward evidence that Meta receives information through the Pixel. See, e.g., Smith Decl. ¶¶ 4–5, 32–33. Meta does not dispute that the intentional or interception elements are met. Sеe Opp. at 20–21. Plaintiffs appear likely to succeed on these two elements of their claim.
PI Order at 18.
Meta points out that it did not dispute the intent element at the preliminary
While plaintiffs acknowledge that Meta mаy tell third parties and Facebook users that it intends to prevent receipt of sensitive health information, plaintiffs contend that is not what Meta really intends. See, e.g., CCAC ¶¶ 122-123, 144-146, 150, 161 (plaintiffs allege Metas tools and filters are not effective, not fully implemented, and call into question Metas true intent). What Metas true intent is, what steps it actually took to prevent receipt of health information, the efficacy of its filtering tools, and the technological feasibility of implementing other measures to prevent the transfer of health information, all turn on disputed questions of fact that need development on a full evidentiary record. See, e.g., Lopez v. Apple, Inc., 519 F. Supp. 3d 672, 684 (N.D. Cal. 2021) (“At the pleading stage, however, interception may be considered intentional where a defendant is aware of the defect causing the interception but takes no remedial action.“) (quoting In re Google Assistant Priv. Litig., 457 F. Supp. 3d 797, 815 (N.D. Cal. 2020)). At this stage, intent has been adequately alleged.
B. Content
Meta also argues that plaintiffs have not and cannot plausibly plead interception of covered “content.” The statute broadly defines “content” to include “any information concerning the substance, purport, or meaning of [a] communication.”
In the PI Order, I found that plaintiffs had made a strong showing on this element:
In my view, the log-in buttons and the kinds of descriptive URLs identified in the Smith Decl. are “contents” within the meaning of the statute. Unlike in Zynga, the URLs at issue here would not merely reveal the name of a Facebook user or group—as Smith explained,
the transmitted URLs include both the “path” and the “query string.” Smith Decl. ¶¶ 50–51; see also id. ¶ 189 (showing hardfordhospital.org/services/digestive-health/conditions-we treat/colorectal-small-bowel-disorders/ulcerative-colitis URL). These items are content because they concern the substance of a communication. See Zynga, 750 F.3d at 1107; In re Google Inc. Cookie Placement Consumer Priv. Litig., 806 F.3d 125, 137 (3d Cir. 2015) (“If an address, phone number, or URL is . . . part of the substantive information conveyed to the recipient, then by definition it is content.“); see also In re Google RTB Consumer Priv. Litig., No. 21-cv-2155-YGR, 2022 WL 2165489, at *10 (N.D. Cal. June 13, 2022) (finding that categories of the website, categories that describe the current section of the website, and referrer URL that caused
navigation to the current page constituted “content“).
PI Order at 19. Meta acknowledges this prior conclusion, but argues that unspecified “remaining items” that are transferred “mostly” do not qualify as content and claims based on “those communications” should be dismissed. Mot. at 9-10; Reply at 4.
At this juncture, plaintiffs have adequately alleged covered content is transferred. The boundaries of what transferred information is content under the Act is better determined on a full evidentiary record.
C. Consent
Finally, Meta argues that the ECPA’s one-party consent exemption (exempting liability for intercepted information resulting from one party’s consent) bars the claim as a matter of law. Meta points out, again, that it is the third-party web developers who make their Pixel-enhanced websites available to plaintiffs and their other healthcare customers, and by doing so those healthcare entities have necessarily consented to the transmission of data to Meta.
In the PI Order, I explained:
[T]he Wiretap Act exempts liability in certain circumstances. The statute provides that:
It shall not be unlawful under this chapter for a person not acting under color of law to intercept a wire, oral, or electronic communication where such person is a party to the communication or where one of the parties to the communication has given prior consent to such interception unless such communication is intercepted for the purpose of committing any criminal or tortious act in violation of the Constitution or laws of the United States or of any State.
18 U.S.C. § 2511(2)(d) . In other words, the Wiretap Act allows interception where the interception is made by a “party” to the communication or where a “party” has consented to the interception.Id. This exception does not apply, however, where the interceptor acts “for the purpose of” committing any crime or tort in violation of state or federal law.Id.
PI Order at 20.2
On this motion to dismiss, the issue of consent is front and center and the
Plaintiffs counter with Brown v. Google LLC, No. 4:20-CV-3664-YGR, 2023 WL 5029899, at *9 (N.D. Cal. Aug. 7, 2023). There, the court rejected summary judgment on the consent issue under the ECPA claim, despite the defеndant having “generally disclosed” its data tracking practices, because it also “promote[d] the privacy afforded by Incognito” as a browsing mode. Id. In that situation, Google “itself created a situation where there is a dispute as to whether users’ consent of Google’s data collection generally is substantially the same as their consent to the collection of their private browsing data in particular.” Id.
The facts alleged here – that while Meta disclosed its purported attempts to prevent third-party developers who incorporated the Pixel from sending sensitive data to Meta, Meta in fact intended to receive and did receive that sensitive data – bring this case closer to Brown. Id., 2023 WL 5029899 *7 (“For consent to be actual, the disclosures must explicitly notify users of the practice at issue.“). Meta has not pointed to anything I can judicially notice on this motion to dismiss to show as a matter of law that the healthcare providers did not just presumably but differently in a motion to dismiss context,” and recognized that the “parties will have the opportunity to refine their arguments regarding Meta’s purpose in intercepting the information at issuе here later in the litigation.” PI Order at 20-22.
actually consented to the sending of sensitive healthcare information of its customers. Determination of whether actual consent was given depends on what Meta disclosed to healthcare providers, how it described and trained healthcare providers on the Pixel, and how the healthcare providers understood the Pixel worked and the information that then could or would be collected by Meta. These evidence-bound determinations are inappropriate to reach on this motion.
Metas motion to dismiss the ECPA claim is DENIED.
II. CALIFORNIA INVASION OF PRIVACY ACT – CLAIM 4
In the PI Order, I concluded that plaintiffs had adequately alleged and supported their CIPA claim under both sections 631(a) and 632, based on Metas challenges to “content” under 631(a) and “confidential communications” under 632. PI Order at 23-24. Meta now moves to dismiss the California state law analog to the ECPA, raising arguments not addressed in my PI Order.
A. Extraterritoriality
Meta initially argues that CIPA does not apply “extraterritorially,” because CIPA’s
I disagree for three reasons. First, this cоntention is arguably premature. Kellman v. Spokeo, Inc., 599 F. Supp. 3d 877, 894 (N.D. Cal. 2022), motion to certify appeal denied, No. 3:21-CV-08976-WHO, 2022 WL 2965399 (N.D. Cal. July 8, 2022) (deferring choice of law analyses until class certification, after discovery shed light on whether defendants’ acts had a substantial nexus to California).
Second, plaintiffs have plausibly alleged that the conduct at issue, in terms of the design and marketing of the Pixel technology and development and implementation of its Terms of Service, occurred in California;. See, e.g., Schmitt v. SN Servicing Corp., No. 21-CV-03355-WHO, 2021 WL 3493754, at *3 (N.D. Cal. Aug. 9, 2021) (data breach allegations regarding defendant who operated out of California “sufficient to allow out-of-state plaintiffs to seek recovery under California law“); Valentine v. NebuAd, Inc., 804 F. Supp. 2d 1022, 1028 (N.D. Cal. 2011) (“A legislative purpose that articulates an interest in protecting those within California is not inconsistent with also allowing non-Californians to pursue claims against California residents.“); see also Oman v. Delta Air Lines, Inc., 889 F.3d 1075, 1079 (9th Cir. 2018), certified question accepted sub nom. Oman v. Delta Air Lines, No. S248726, 2018 WL 10809386 (Cal. July 11, 2018), and certified question answered, 9 Cal. 5th 762 (2020) (“If the conduct that creates liability occurs in California, California law properly governs that conduct.“).
Third, Facebook’s Terms of Service specify that California law applies to disputes between Faceboоk and its users. CCAC ¶ 292. That alone may not be dispositive, but it supports allowing these non-resident plaintiffs to assert a claim against a California resident under CIPA. See Maldonado v. Apple, Inc, No. 3:16-CV-04067-WHO, 2021 WL 1947512, at *6 (N.D. Cal. May 14, 2021) (“California Supreme Court held that choice-of-law clauses in contracts are generally enforceable and laid out a multipart test to determine whether to follow the contracted-for jurisdiction’s law or disregard it.“).
I am not determining or foreclosing any choice-of-law issues. Choice-of-law has not been squarely raised. I am denying the motion to dismiss the CIPA claim based on Meta’s exterritoriality argument.
B. Intent
Meta also argues plaintiffs fail to allege plausible facts to support the intent element of CIPA, which requires a showing of Meta’s “affirmative desire” to intercept communications. Intent under CIPA is determined consistently with intent under ECPA, and for the same reasons as discussed above, intent has been adequately alleged. Whether Meta’s affirmative disclosures and back-end filtering process sufficiently negate intent depends on Meta’s knowledge as well as its implementation and the efficacy of its alleged contractual efforts and back-end filtering. Those will be tested on an evidentiary record. Similarly, Meta’s point that Pixel captures some data that healthcare entities may permissibly share with Meta might provide a defense to some portion of plaintiffs’ CIPA claim, but it does not negate the plausible allegations that sensitive healthcare information is intentionally captured and transmitted to Meta.
C. Sent or Received
Meta points out that CIPA only covers interception of a communication while “it is being sent from, or received at
D. Device
The last CIPA challenge is whether the Pixel is a “device” under Section 632(a) because it is a piece of software. Meta points out that two judges in this District, when considering “electronic tracking devices” under
Plaintiffs respond that the section 637.7 cases so not apply to this section 632(a) case. They instead discuss decisions construing and interpreting CIPA consistently with the ECPA which hold that servers or software qualify as “devices” under the ECPA. Oppo. at 10 n.2.3 Most on point is In re Carrier IQ, Inc., 78 F. Supp. 3d 1051, 1084 (N.D. Cal. 2015). There, plaintiffs alleged that a software application, once installed on users’ phones, “surreptitiously intercepted personal data and communications and transmitted this data to Carrier IQ and its customers.” Id. The Honorable Edward M. Chen held that “plaintiffs have sufficiently alleged that the Carrier IQ Software is a device for purposes of the Wiretap Act.” Id. at 1084. The section 637.7 cases are
distinguishable, and absent contrary authority under section 632(a), I agree that the Pixel software is a device under section 632(a).
Metas motion to dismiss the CIPA claim is DENIED.
III. CONSTITUTIONAL PRIVACY (CLAIM 6) AND INTRUSION ON SECLUSION (CLAIM 5)
Addressing the invasion of privacy and intrusion on seclusion claim in the PI Order, I explained that plaintiffs had shown enough to demonstrate a reasonable expectation of privacy in their medical communications (despite Meta’s policies generally disclosing its collection of data from users and its disclosures that it would require partners to obtain lawful rights to share protected user data) and that Meta’s conduct was highly offensive. PI Order at 24-27. Meta argues here that the California’s constitutional privacy protections do not apply extraterritorially and plaintiffs have failed to adequately allege their sensitive information was received by Meta.
As with CIPA, plaintiffs have plausibly alleged that the conduct causing them
Concerning the protected interest, Meta argues that plaintiffs have failed to plausibly allege a violation of their constitutionally protected privacy interests because the named plaintiffs fail to identify with specificity what, if any, private or particularly sensitive information about them Meta allegedly received. Meta is correct that these named plaintiffs do not identify in the CCAC what specific, personal or private information they conveyed to their healthcare providers that they reasonably believe Meta received.
In opposition, plaintiffs do not dispute this or identify any particular categories of information that they shared with their healthcare providers that they reasonably believe was captured by Meta. Instead, they rely on In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589 (9th Cir. 2020) to argue they do not need to disclose the specific information they contend Meta received. But in that case, there was no dispute that Facebook collected “a full-string detailed URL, which contains the name of a website, folder and sub-folders on the web-server, and the name of the precise file requested,” when it operated. Id. at 605. Here, as Meta repeatedly points out and plaintiffs admit, there is information collected by the Pixel software that does not constitute sensitive, personal information.
Given the nature of this case – where plaintiffs allege that both unprotected and constitutionally protected information was captured by Meta’s Pixel – plaintiffs are required to amend to describe the types оr categories of sensitive health information that they provided through their devices to their healthcare providers. That basic amendment (which can be general enough to protect plaintiffs’ specific privacy interests) will allow these privacy claims to go forward.4
Plaintiffs’ invasion of privacy claims are DISMISSED with leave to amend.
IV. CALIFORNIA’S COMPREHENSIVE COMPUTER DATA ACCESS AND FRAUD ACT – CLAIM 12
CDAFA provides that only an individual who has “suffer[ed] damage or loss by reason of a violation” of the statute may bring a civil action “for compensatory damages and injunctive relief or other equitable relief.”
A. Loss or Damage
Meta initially seeks dismissal of plaintiffs’ CDAFA claim because plaintiffs have not alleged and cannot allege “damage or loss” in an action like this that is based on privacy violations as opposed to
and the loss of the right to protection of the data,” as that type of loss was not covered by the statute. Id. at 488 (citing Nowak v. Xapo, Inc., No. 5:20-cv-03643-BLF, 2020 WL 6822888, at *4-5 (N.D. Cal. Nov. 20, 2020) (dismissing CDAFA claim based on loss of value of stolen cryptocurrency in part because the nature of the loss was not cognizable under CDAFA)).
Plaintiffs respond that they adequately allege actionable “loss or damage” under CDAFA by alleging: (1) the Pixel “has precluded” them from being able to communicate with their healthcare providers through their computers or otherwise and (2) their protected information is diminished in value. Plaintiffs cite a number of cases from this District that they claim support these types of damages under CDAFA. However, each of the cases plaintiffs rely on dealt with different sections of CDAFA or allegations of impaired device performance. Oppo. at 13.5
Plaintiffs provide no support for their argument that an “inаbility” to use their computer devices to communicate with their healthcare providers in the future is a cognizable form of loss or damage actionable under the CDAFA. Their diminished value of information claim is foreclosed by the reasoning in Cottle.
Plaintiffs indicated at the hearing that they might be able to plead a different theory of impairment of their computing devices. They may do so. The CDAFA claim is DISMISSED, with leave to amend.
B. Other CDAFA Elements
Meta also attacks the substance of the CDAFA claim. The CCAC relies on various substantive sections of CDAFA: sections 502(c)(1), (c)(2), (c)(3), (c)(6), (c)(7), and (c)(8). In opposition plaintiffs address only (1) and (8).6 In their further amended CCAC, plaintiffs shall
limit the CDAFA claim to these two subsections only.
Meta argues that plaintiffs have not alleged a claim under (1) because intent has been sufficiently alleged. Consistent with the ECPA and CIPA discussions above, however, plaintiffs have adequately alleged intent. Meta next contends that plaintiffs cannot plausibly allege a claim under (8), as it was the healthcare entities’ web developers who introduced Pixel onto their own websites, not Meta. Plaintiffs’ allegations regarding how Meta
Meta also asserts that even if it could be vicariously liable, plaintiffs have not alleged and cannot plausibly allege that the Pixel is a prohibited “contaminant.”7 In In re iPhone Application Litig., No. 11-MD-02250-LHK, 2011 WL 4403963 (N.D. Cal. Sept. 20, 2011) the court explained:
Section 502(c)(1[2]) defines “computer contaminant” as “any set of computer instructions that are designed to modify, damage, destroy, record, or transmit information within a computer, computer system, or computer network without the intent or permission of the owner of the information. They include, but are not limited to, a group of computer instructions commonly called viruses or worms. . . to contaminate other computer programs or computer data, consume computer resources, modify, destroy, record, or transmit data, or in some other fashion usurp the normal operation of the computer, computer system, or computer network.” See
Cal.Penal Code § 502(b) (10) (emphasis added). Thus, the very definition of a “computer contaminant” limits liability to conduct that occurs “without the intent or permission of the owner of the information.” Moreover, the section on “computer contaminants” appears to be aimed at “viruses or worms,” and other malware that usurps the nоrmal operation of the computer or computer system. Although Plaintiffs[] are given leave to amend to clarify their allegations in an amended complaint, it is not clear to the Court how Section 502(c)(8) applies to the case at hand.”
Whether plaintiffs can, on amendment, plausibly allege facts establishing recognized “loss or damage” sufficient to state a claim under CDAFA will also inform whether the Pixel is a contaminant that “usurps” the normal operation of plaintiffs’ devices. See also Flextronics Int‘l, Ltd. v. Parametric Tech. Corp., No. 5:13-CV-00034-PSG, 2014 WL 2213910, at *5 (N.D. Cal. May 28, 2014) (“a plaintiff need only allege that the actions of the contaminant (modify/damage/destroy/record/ transmit) were undertaken by overcoming a technical barrier without the permission of the owner; the introduction of the contaminant to the system need not surmount the same hurdle.“).
The motion to dismiss the CDAFA claim is GRANTED with leave to amend.
V. BREACH OF CONTRACT – CLAIMS 1 & 2
A. Limitation of Liability in Metas Terms of Service
Meta argues initially that a “limitation of liability” clause in its TOS bars the breach of contract claims. That clause provides: “[Meta]’s liability shall be limited to the fullest extent permitted by applicable law, and under no circumstance will we be liable to you for any lost profits, revenues, information, or data, or consequential, special, indirect, exemplary, punitive,
Meta notes that at least one court in this District has applied Meta’s limitation provision to defeat express and implied contract claims, rejecting the argument that the limitation provision was unconscionable. See Bass v. Facebook, Inc., 394 F. Supp. 3d 1024, 1037 (N.D. Cal. 2019) (“Perhaps regrettably, [w]ith respect to claims for breach of contract, limitation of liability clauses are enforceable unless they are unconscionable, that is, the improper result of unequal bargaining power or contrary to public policy. Food Safety Net Servs. v. Eco Safe Sys. USA, Inc., 209 Cal. App. 4th 1118, 1126 (2012).“). The Bass court then determined that the limitations provision was not unconscionable as applied to the contract and quasi-contract
causes of action. Id. at 1038; see also Darnaa, LLC v. Google LLC, 756 F. App‘x 674, 676–77 (9th Cir. 2018) (rejecting unconscionability argument, “[a]s interpreted by California courts,
Plaintiffs respond that Meta’s attempt to limit its liability for the breach claim runs afoul of
In addition to the substantive differences between the allegations in Bass and this case, plaintiffs also note that other courts in this district have allowed breach of contract claims to continue against Facebook despite the limitation of liability clause. See, e.g., Lundy v. Facebook Inc., No. 18-CV-06793-JD, 2021 WL 4503071, at *2 (N.D. Cal. Sept. 30, 2021) (“For the damages element of plaintiffs’ contract and quasi-contract claims, plaintiffs have adequately pleaded claims for disgorgement and nominal damages. [] These types of damages are not covered by the limitation of liability provision Facebook points to in its motion to dismiss. [] Nominal damages may be recovered for a breach of contract under California law.” (internal citations omitted)); Shared.com v. Meta Platforms, Inc., No. 22-CV-02366-RS, 2022 WL 4372349, at *4 (N.D. Cal. Sept. 21, 2022) (allowing breach of contract and other claims to proceed past motion to dismiss stage despite limitation of liability clause because the “discovery process would aid in determining more concretely whether each claim avers direct or indirect damages. The limitations provision will therefore not mandate dismissal of any of Plaintiff’s claims, though Defendant can always reassert the limitations provision in, for example, a motion
for summary judgment“).
Here, plaintiffs have pleaded entitlement to nominal damages and restitution. CCAC ¶ 317. Given the differences between the
B. Sufficiently Definite Promises and Breach
Next Meta argues that the contractual provisions on which plaintiffs based their breach of contract claim are not “sufficiently definite.” The specific contractual promises made in Meta’s Privacy Policy and TOS and plaintiffs’ allegations regarding breach are identified at paragraph 312 in the CCAC:
- “We require Partners to have the right to … share your information before giving it to us.”
Plaintiffs allege: “Meta does not require Partners to have the right to share health information with Meta before giving it to Meta.”
- “We employ dedicated teams around the world … to detect potential misuse of our Products, harmful conduct towards others, and situations where we may be able to help support or protect our community.”
Plaintiffs allege: “Meta does not employ dedicated teams to prevent its unauthorized acquisition of health information. To the contrary, Meta employs dedicated teams to еncourage health entities to share health information with Meta that the health entities lack rights to share.”
- “We … develop advanced technical systems to detect potential misuse of our Products, harmful conduct towards others, and situations where we may be able to help support or protect our community. If we learn of content or conduct like this, we will take appropriate action – for example … removing content, blocking access to certain features, disabling an account, or contacting law enforcement.”
Plaintiffs allege: “Meta has developed advanced technical systems to detect potential misuse of certain products and is fully capable of using those systems to detect Pixel Partners from which it is acquiring health information without authorization. However, Meta has not used those systems to stop acquiring such information and has not taken appropriate action to prevent health entities from sharing health information with Meta in the absence of the right to do so.”
- “We work with external service providers, partners, and other relevant entities … to detect potential misuse of our Products, harmful conduct towards others, and situations where we may be able to help support or protect our community, including to respond to user reports of potentially violating content.”
Plaintiffs allege: “Meta does not work with external service providers, Partners, or other relevant entities to detect potential misuse of sending health information to Meta through the Pixel without the right to do so. To the contrary, Meta works with Partners to help those Partners avoid the meaningless restrictions Meta places on ads that are targeted to health. As shown above, Meta teaches health entities how to avoid its restrictions on personalized health targeted ads by removing certain words that would give users the idea that the ad was specifically targeted to them, all the while continuing to target ads to specific
users based on personal attributes, including health.”
CCAC ¶ 312; see also ¶¶ 96-97 (noting Meta “requires” some information including sensitive and protected information from users for services to work), 117 (same).9 Plaintiffs’ specific references to identified provisions in Meta’s TOS and Privacy Policy are sufficiently definite to “determine the scope of the duty and the limits of performance must be sufficiently defined to provide a rational basis for the assessment of damages.” Ladas v. California State Auto. Assn., 19 Cal. App. 4th 761, 770 (1993).
Plaintiffs have also plausibly alleged that Meta breached the promises. Meta overreads the impact of plaintiffs’ “admissions” that Meta may have “discouraged” partners from sending sensitive or protected information and Meta employed a filter to reduce the transfer of sensitive or protected information. Meta ignores plaintiffs’ detailed and plausible allegations regarding how and why the transfer of sensitive or protected information is necessary for Meta’s advertising services to function in the way Meta advertised those services, as well as allegations that Meta knew its filter was not effective and could have improved its filter or taken other steps to block the transfer of the sensitive or protected information. That is sufficient at this juncture.
The motion to dismiss the breach of contract and related breach of the duty of good faith and fair dealing claims is DENIED.10
VI. UNJUST ENRICHMENT – CLAIM 13
Meta moves to dismiss the unjust enrichment claim, which California law construes as a quasi-contract claim, in light of plaintiffs’ express contract claim. But plaintiffs may plead this claim as an alternative at this juncture, even if the contract claim can be read to cover plaintiffs’ allegation that Meta sold their data without consent and unjustly retained the proceeds. See Astiana v. Hain Celestial Grp., Inc., 783 F.3d 753, 762 (9th Cir. 2015). Meta also argues that the claim cannot stand as plaintiffs have failed to plead that they lack adequate remedies at law under Sonner v. Premier Nutrition Corp., 971 F.3d 834, 844 (9th Cir. 2020). But plaintiffs do allege that their remedies at law are inadequate. See CCAC ¶¶ 448, 489.
The motion to dismiss the unjust enrichment claim is DENIED.
VII. NEGLIGENCE PER SE – CLAIM 7
Under California law, negligence per se is not a separate cause of action, but a negligence claim analyzed under the per se doctrine. See Dent v. Nat‘l Football League, 902 F.3d 1109, 1118 (9th Cir. 2018). Under that doctrine, the standard of care can be established by a statute, and a defendant’s violation of that statue can “give rise to a presumption that it failed to exercise due care” where that violation “proximately caused an injury,” the injury resulted from something
Meta attacks plaintiffs’ attempt to plead a breach of the duty of care required to state a negligence-based claim. Plaintiffs’ only identified source of duty is HIPAA, and at least one court this District and another within the Ninth Circuit have rejected HIPAA as a basis of a negligence per se claim. See, e.g., Austin v. Atlina, No. 20-CV-6363-YGR, 2021 WL 6200679, at *3 (N.D. Cal. Dec. 22, 2021)
(“Because there is no private right of action under HIPAA, plaintiff’s HIPAA claim is not cognizable under common law“); Teeter v. Easterseals-Goodwill N. Rocky Mountain, Inc., No. CV-22-96-GF-BMM, 2023 WL 2330241, at *4 (D. Mont. Mar. 2, 2023) (dismissing negligence per se cause of action based on HIPAA); see also Delta Sav. Bank v. United States, 265 F.3d 1017, 1026 (9th Cir. 2001) (“[t]o bring suit under the FTCA based on negligence per se, a duty must be identified, and this duty cannot spring from a federal law. The duty must arise from state statutory or decisional law, and must impose on the defendants a duty to refrain from committing the sort of wrong alleged here,” and citing authоrity explaining “[t]he pertinent inquiry is whether the duties set forth in the federal law are analogous to those imposed under local tort law“) (quotations omitted); In re: Netgain Tech., LLC, No. 21-CV-1210 (SRN/LIB), 2022 WL 1810606, at *16 (D. Minn. June 2, 2022) (“Here, Plaintiffs have not cited any precedent in California, Minnesota, Nevada, South Carolina, or Wisconsin that permits a state-law negligence per se claim to proceed based on the theory that there is a violation of Section 5 of the FTC Act.“); but see In re Ambry Genetics Data Breach Litig., 567 F. Supp. 3d 1130, 1143 (C.D. Cal. 2021) (allowing negligence/negligence per se claim based on violations of FTCA and HIPAA to proceed).11
Following the majority of the cases that have considered the issue, the negligence per se claim based on a duty created by HIPAA is DISMISSED with leave to amend so that plaintiffs may attempt to identify a state law source of the duty of care.
VIII. TRESPASS TO CHATTELS – CLAIM 8
Under California law, trespass to chattels “lies where an intentional interference with the possession of personal property has proximately caused injury.” Intel Corp. v. Hamidi, 30 Cal. 4th 1342, 1350–51 (2003). This claim does not lie where injuries are to privacy and confidentiality. See Casillas v. Berkshire Hathaway Homestate Ins. Co., 79 Cal. App. 5th 755, 765 (2022).
In cases of interference with possession of personal property not amounting to conversion “the owner has a cause of action for trespass or case, and may recover only the actual damages suffered by reason of the impairment of the property or the loss of its use.” Hamidi, at 1351
Plaintiffs’ trespass claim is based on their assertions that Meta places the _fbp cookie on their devices via their health-care providers’ websites. They do not allege that the presence of that cookie “impairs” the operation of their devices in terms of diminished storage, decreased battery life, or otherwise. Instead, they assert that Meta’s tracking diminishes the value of plaintiffs’ computing devices because plaintiffs no longer want to use their devices to communicate with their healthcare providers. CCAC ¶¶ 415-28, 423-25. They analogize their inability to use their phones and computers to communicate with their healthcare providers (lest they disclose personal healthcare information) to the situation in Grace v. Apple Inc., No. 17-CV-00551, 2017 WL 3232464, at *11 (N.D. Cal. July 28, 2017). There, based on allegations that Apple heavily advertised the presence and ability to use Facetime in its iPhones and allegations that use of Facetime was integral to the plaintiffs’ use of their iPhones, the court allowed the trespass claim to continue because the removal of Facetime from plaintiffs’ phones due to Apple’s software update significantly impaired the value of plaintiffs’ phones.
Here, unlike in Grace, there are no allegations that any functionality inherent in their computing devices has been impacted by Meta’s conduct. Nor are there allegations that plaintiffs purchased any specific computing device with the purpose in whole or part of using that device to communicate with their healthcare providers. That these plaintiffs mаy have valued using their personal devices to communicate with their healthcare providers does not sufficiently impair the
value of those devices to allow the plaintiffs to state a trespass to chattels claim.
The trespass claim is DISMISSED with leave to amend.
IX. LARCENY – CLAIM 11
Plaintiffs’ larceny claim is brought under
The larceny claim is DISMISSED with leave to amend.
X. UNFAIR COMPETITION LAW (CLAIM 9) AND CONSUMERS LEGAL REMEDIES ACT (CLAIM 10)
A UCL claim may only be brought by “a person who has suffered injury in fact and has lost money or property as a result of the unfair competition.”
Courts in this district have dismissed cases where, like here, the injury is based on “the loss of the inherent value of their personal data,” see Cottle, 536 F. Supp. 3d at 484, as well as where it was undisputed that plaintiffs paid no money to the
defendant. See In re Facebook, Inc., Consumer Privacy, 402 F. Supp. 3d at 804 (noting “the plaintiffs here do not allege that they paid any premiums (or any money at all) to Facebook to potentially give rise to standing under California law” for purposes of UCL claim and dismissing claim for failure to allege “lost money or property“); Wesch v. Yodlee, Inc., No. 20-cv-05991-SK, 2021 WL 1399291, at *6 (N.D. Cal. Feb. 16, 2021) (holding that the plaintiffs had not alleged that they “surrender[ed] more or acquir[ed] less in a transaction than they otherwise would have” for purposes of UCL standing where they had not paid money to the defendant).
Plaintiffs rely on In re Solara Med. Supplies, LLC Customer Data Sec. Breach Litig., 613 F. Supp. 3d 1284, 1301 (S.D. Cal. 2020). But the injury in that case was based on a “benefit-of-the-bargain” theory that рlaintiffs “acquired less” in their transactions with the defendant (who sold medical devices to plaintiffs). See also Cappello v. Walmart Inc., 394 F. Supp. 3d 1015, 1019 (N.D. Cal. 2019) (benefit-of-the-bargain theory asserted by customers of defendant). There is no benefit of the bargain basis alleged in the CCAC with respect to the UCL claim, although benefit of the bargain allegations are made in support of the contract claim. See CCAC ¶ 316 (seeking benefit of the bargain contract damages). Given the different requirements to state a plausible remedy under a breach of contract claim and “loss of money or property” under the UCL, a cognizable “benefit of the bargain” theory has not adequately been alleged as a remedy for the UCL claim.13
With respect to diminished value of their data, in the most recent Northern District case to address the issue the Hon. Richard S. Seeborg reviewed recent cases and held:
Plaintiffs fail to show they have an economic injury. Plaintiffs do identify some support for the idea that personal information without consent constitutes economic injury. See Calhoun v. Google LLC, 526 F. Supp. 3d 605, 636 (N.D. Cal. 2021) (“[T]he Ninth Circuit and a number of district courts, including this
Court, have concluded that plaintiffs who suffered a loss of their personal information suffered economic injury and had standing.“) (citing cases, including In re Facebook Privacy Litig. (“Facebook Privacy“), 572 F. App‘x 494, 494 (9th Cir. 2014); and In re Yahoo! Inc. Cust. Data Sec. Breach
Litig., No. 16-MD-02752-LHK, 2017 WL 3727318, at *13 (N.D. Cal. Aug. 30, 2017)). The weight of the authority in the district and the state, however, point in the opposite direction: that the mere misappropriation of personal information does not establish compensable damages. Pruchnicki v. Envision Healthcare Corp., 845 F. App‘x 613, 615 (9th Cir. 2021) [citations omitted]. Because Plaintiffs have not alleged a specific monetary or economic loss, Plaintiffs lack standing to maintain their UCL claims.
Katz-Lacabe v. Oracle Am., Inc., No. 22-CV-04792-RS, 2023 WL 2838118, at *8 (N.D. Cal. Apr. 6, 2023).
Judge Seeborg relied in part on Moore v. Centrelake Med. Grp., Inc., 83 Cal. App. 5th 515, 538 (2022), review denied (Dec. 14, 2022). There, the California Court of Appeal held that plaintiffs’ “lost-value-of-PII theory, as pled, is insufficient to support UCL standing,” because “[a]ppellants properly pled only that their PII was stolen and disseminated, and that a market for it existed. They did not allege they ever attempted or intended to participate in this market, or otherwise to derive economic value from their PII. Nor did they allege that any prоspective purchaser of their PII might learn that their PII had been stolen in this data breach and, as a result, refuse to enter into a transaction with them, or insist on less favorable terms. In the absence of any such allegation, appellants failed to adequately plead that they lost money or property in the form of the value of their PII.” Id. at 538.
Plaintiffs rely on Brown v. Google LLC, No. 20-CV-03664-LHK, 2021 WL 6064009 (N.D. Cal. Dec. 22, 2021). There, the Honorable Lucy H. Koh found that plaintiffs adequately alleged lost money or property sufficient to state their UCL claim where they alleged that “because Google previously has paid individuals for browsing histories, it is plausible that, had Plaintiffs been aware of Google’s data collection, they would have demanded payment for their data. Thus, by inducing Plaintiffs to give Google their data without payment, Google caused Plaintiffs to acquire in a transaction less[ ] than [they] otherwise would have. [] Second, because there are several browsers and platforms willing to pay individuals for data, it is plausible that Plaintiffs will decide to sell their data at some point. Indeed, each named Plaintiff has alleged that he or she is aware of these browsers and platforms. [] Accordingly, by obtaining Plaintiffs’ data and selling it to advertisers, Google diminished Plaintiffs’ future property interest. Kwikset, 51 Cal. 4th at 324.“).” Brown, at *15.
Here, plaintiffs contend their allegations bring them closer to Brown and satisfy the deficiencies identified in Moore. See CCAC ¶¶ 22 (alleging Meta “takes patients’ property and property rights without compensation and ignores their right to control the dissemination of their health information to third parties“), 215 (“Meta itself has paid users for their digital information“). But the crux of this case concerns Meta’s receipt of “individually identifiable health information,” that plaintiffs apparently do not want Meta or anyone other than their healthcare providers to have. Id., ¶¶ 1, 216 (“Americans typically do not want to see their individually identifiable health information for any purpose“). That brings it closer to Moore and Katz-Lacabe.
There is a different deficiency with plaintiffs’ claim under the CLRA. The CLRA claim is based on Meta’s representation “that it required its Partners tо have the right to collect, use and share Plaintiffs’ and Class members’ information but doing nothing to ensure their rights were protected.” CCAC ¶¶ 451-453. As a result, plaintiffs allege that Meta violated section 1770(2) of the CLRA by “[m]isrepresenting the source, sponsorship, approval, or certification of goods or services“; section 1770(5) of the CLRA by “[r]epresenting that goods or services have sponsorship, approval, characteristics, ingredients, uses, benefits, or quantities which they do not have“; and section 1770(14) of the CLRA by “[r]epresenting that a transaction confers or involves rights, remedies, or obligations which it does not have or involve, or which are prohibited by law.”
Meta moves to dismiss these misrepresentations claims under
DISMISSED with leave to amend so that plaintiffs can plead facts regarding reliance on thе alleged misrepresentations.14
CONCLUSION
For the foregoing reasons Meta’s motion is DENIED regarding the ECPA, CIPA, breach of contract, and unjust enrichment claims. The motion is GRANTED with leave to amend on the privacy, CDAFA, negligence per se, trespass, larceny, UCL, and CLRA claims. Plaintiffs shall file their amended complaint within twenty (20) days of the date of this Order.
Dated: September 7, 2023
William H. Orrick
United States District Judge