META PLATFORMS, INC. v. BRANDTOTAL LTD., et al.
Case No. 20-cv-07182-JCS
UNITED STATES DISTRICT COURT NORTHERN DISTRICT OF CALIFORNIA
June 6, 2022
ORDER REGARDING MOTION FOR SANCTIONS AND MOTIONS FOR SUMMARY JUDGMENT
Re: Dkt. Nos. 246, 268, 272
Provisionally Filed Under Seal
Redacted Public Version
I. INTRODUCTION
Plaintiff Meta Platforms, Inc. (“Meta“) and Defendants BrandTotal Ltd. and Unimania, Inc. (collectively, “BrandTotal“) each move for summary judgment. Meta also moves for sanctions based on purported spoliation of evidence and perjured testimony. The Court held a hearing on May 16, 2022. Each of those motions is GRANTED in part and DENIED in part, as discussed below.1 This order does not resolve the parties’ motions to exclude expert testimony (dkts. 248, 251), which will be addressed in a separate order.
This order is provisionally filed under seal. Any party that believes compelling reasons warrant sealing any portion of this order may bring a motion no later than June 3, 2022 to retain narrowly tailored redactions under seal.
II. OVERVIEW AND PROCEDURAL HISTORY
Meta is a technology company that, among other things, operates two ubiquitous social networks: Facebook and Instagram. Much of its revenue is derived from selling the right to advertise on those services. Meta provides its advertising clients with information about how their
BrandTotal provides advertising consulting services to corporate clients regarding how those clients’ and their competitors’ digital advertisements are presented to social media users. One of its primary methods of collecting that information is incentivizing individual users, whom it refers to as “panelists,” to share data about the advertisements they are served while browsing social networks. The primary product at issue in this case, a browser extension called UpVoice, awards users points that can be redeemed for gift cards in exchange for using a browser extension that automatically sends data to BrandTotal while a user browses websites like Facebook. Other BrandTotal products, many of which are now defunct, provided less tangible incentives to users, allowing them to do things like keep track of the advertisements they had seen or view other users’ Instagram stories anonymously, again in exchange for collecting advertising data for BrandTotal. Two of those products, addressed below in the context of Meta‘s motion for sanctions, also logged users’ Instagram access credentials to a server that BrandTotal used primarily for debugging its software for period of around four months.
The current version of UpVoice introduced in 2021 (“UpVoice 2021“) (as well as a Spanish-language near-equivalent product called Calix that BrandTotal recently developed in partnership with a third-party2) merely logs information that Facebook transmits to the user about advertisements in the course of the user‘s regular interaction with the website, as well as demographic information that the user specifically enters into UpVoice (rather than UpVoice collecting it from Facebook). Earlier versions of UpVoice and BrandTotal‘s other products automatically caused users’ browsers to query Facebook‘s servers for information, and collected demographic information about users from Facebook in addition to information about advertisements. BrandTotal also gathers data more proactively: its servers collect data directly from webpages that are publicly available for most advertisements on Facebook, it hires contractors to gather data using a program called the “Restricted Panel Extension” for advertisements that are not available to the public and instead require a user to be logged in (for
After successfully petitioning Google to remove the then-existing version of UpVoice from its online store, Meta—known at the time as Facebook, Inc.—filed claims against BrandTotal in California state court on October 1, 2020. Meta quickly dismissed that case without prejudice and filed the present case here on October 14, 2020. BrandTotal filed counterclaims and moved for a temporary restraining order (“TRO“). The Court denied that motion for failure to show that the relief BrandTotal sought was in the public interest. Order re TRO (dkt. 63).4
On February 19, 2021, the Court granted Meta‘s motion to dismiss all of BrandTotal‘s counterclaims, largely with leave to amend. 1st MTD Order (dkt. 108).5
BrandTotal reasserted all of its counterclaims in an amended pleading. On June 3, 2021, the Court dismissed BrandTotal‘s declaratory judgment counterclaims, BrandTotal‘s counterclaim for intentional interference with contract to the extent it was based on contracts with investors, BrandTotal‘s interference with prospective advantage counterclaim to the extent it was based on potential customers and investors, and BrandTotal‘s counterclaims under the “unfair” and “fraudulent” prongs of the UCL. 2d MTD Order (dkts. 152, 158).6 The Court denied Meta‘s motion to dismiss BrandTotal‘s interference with contract and prospective advantage counterclaims and to the extent they were based on existing customers, panelists, and Google, and its counterclaim under the “unlawful” prong of the UCL. Id.
BrandTotal moved for a preliminary injunction, but the parties agreed at the hearing to resolve that motion with a commitment by Meta not to interfere with UpVoice 2021 while this
On August 31, 2021, the Court denied BrandTotal‘s motion for leave to add a defamation counterclaim after the deadline to amend pleadings had expired, and dismissed with prejudice BrandTotal‘s reasserted counterclaim under the UCL‘s “unfair” prong for failure to allege Meta‘s market power in a relevant product market. 3d MTD Order (dkt. 178).7
BrandTotal‘s operative third amended counterclaims assert the following theories: (1) intentional interference with BrandTotal‘s contracts with its corporate customers, its panelists, and Google, 3d Am. Counterclaims (dkt. 183) ¶¶ 94-130; (2) intentional interference with prospective economic advantage regarding the same relationships, id. ¶¶ 131-39; and (3) violation of the UCL‘s “unlawful” prong by virtue of the intentional interference theories, id. ¶¶ 140-46.
Since BrandTotal did not challenge the sufficiency of Meta‘s allegations through a motion to dismiss and Meta never sought preliminary injunctive relief, Meta‘s claims against BrandTotal have not been directly at issue in any previous motion. Meta asserts the following claims in its operative first amended complaint: (1) breach of contract, citing the Facebook and Instagram terms of usе, 1st Am. Compl. (“FAC,” dkt. 148) ¶¶ 83-89; (2) unjust enrichment, id. ¶¶ 90-96; (3) violation of the Computer Fraud and Abuse Act (“CFAA,”
III. META‘S MOTION FOR SANCTIONS
A. Background
Meta‘s sanctions motion primarily concerns two related issues: (1) data from a debugging log called Rapid7 that BrandTotal allowed to be deleted on a regular schedule, including after this action commenced and purportedly after learning that it was relevant; and (2) deposition testimony
At all relevant times, BrandTotal has used Rapid7 as a logger tool to track the operation of its various software products. The Rapid7 log received information about processes executed by BrandTotal‘s software and stored that information for a period of thirty days, with each entry automatically deleted thirty days after it was created. See O‘Laughlin Decl. (dkt. 246-2) Ex. 5 (Regev Nov. 2021 Dep.) at 194:20-22. According to BrandTotal, the Rapid7 log was used only for troubleshooting and debugging, not for BrandTotal‘s business of preparing marketing insights for its customers. Regev Sanctions Decl. (dkt. 288-1) ¶¶ 5-6.
As of October of 2020, at least some BrandTotal developers knew that “access tokens and cookies” from users of certain BrandTotal products (Story Savebox and Anonymous Story Viewer, or “ASV“) had been sent to the Rapid7 log, but until BrandTotal Vice President Yair Regev‘s November 18, 2021 deposition, BrandTotal took no steps to preserve those logs and prevents their automatic deletion. O‘Laughlin Decl. Ex. 5 (Regev Nov. 2021 Dep.) at 196:11-197:21. Meta‘s data security team also knew as of October 2020 that ASV collected and exfiltrated users session ID tokens and sessions IDs, which would be sufficient for a third party to make requests to Instagram servers as if that third party were the user, Karve Oct. 2020 Decl. (dkt. 42) ¶¶ 22-23, but it is not clear from the record that Meta knew at that time where or how BrandTotal stored that data after collecting it. According to Regev, Meta would have been able to determine from BrandTotal‘s source code what information was sent to Rapid7. Regev Sanctions Decl. ¶ 6. After Meta filed a declaration in October of 2020 address the collection of user access credentials, BrandTotal modified ASV and Story Savebox to cease doing so, but did not take steps to preserve the Rapid7 logs or prevent their automatic deletion.
During deposition in January of 2021 related to BrandTotal‘s efforts to obtain a preliminary injunction, Dor testified on behalf of BrandTotal that ASV had never transmitted users’ session tokens or session IDs (which could be used to access Instagram as if one were that
Dor‘s successor, Regev, conceded that Dor‘s testimony on that subject was inaccurate and did not reflect what BrandTotal knew at the time of Dor‘s deposition. O‘Laughlin Decl. Ex. 5 (Regev Nov. 2021 Dep.) at 184:13-186:2. After leaving the company in 2021, Dor testified in a March 2022 deposition that he did not recall whether BrandTotal used Rapid7 or any оther logging service, and that although he oversaw developers, his own role was not sufficiently technical for him to have “connected to these logs” during his time at BrandTotal. Schultz Sanctions Decl. (dkt. 293-1) Ex. 27 (Dor March 2022 Dep.) at 74:6-75:5. BrandTotal altered the software to remove the collection of access credentials around four months after it started collecting that data, and ASV was removed from the Google‘s browser extension store in October of 2020, but BrandTotal‘s Rapid7 log may have continued to receive that information from users who downloaded ASV while it was available from Google and who did not update their software after the code was altered. Regev Sanctions Decl. ¶ 12; O‘Laughlin Decl. Ex. 5 (Regev Nov. 2021 Dep.) at 186:6-21. Neither ASV nor Story Savebox is currently available for download. O‘Laughlin Decl. Ex. 5 (Regev Nov. 2021 Dep.) at 186:3-5.
Meta‘s attorneys first learned at some point after September 17, 2021 that data from Facebook and Instagram was stored in the Rapid7 logs, BrandTotal thereafter produced excerpts of the Rapid7 data, and Meta confirmed from Regev during his November 18, 2021 testimony that the Rapid7 logs had at one point contained users’ access tokens but older logs had been lost due to the thirty-day retention and automatic deletion process. See O‘Laughlin Decl. Ex. 13 (email from Meta‘s counsel to BrandTotal‘s counsel). In response to a specific request by Meta‘s counsel, BrandTotal produced all Rapid7 data that remained available at that time (running from October 2021), and continued to do so on a weekly basis beyond the close of expert discovery. Taylor Sanctions Decl. (dkt. 288-2) ¶¶ 19-20.
Meta does not dispute BrandTotal‘s contention that none of BrandTotal‘s source code produced in this litigation—either for BrandTotal‘s consumer products or for its own server-side operations—draws data from the Rapid7 log, as opposed to sending data to it. See Regev Sanctions Decl. ¶ 10. Meta has not identified evidence indicating that any other BrandTotal product collected the sort of access credentials at issue, or that newly installed versions of ASV or
Meta seeks an order imposing the following adverse presumption against BrandTotal:
- The Court will treat the following facts as established for purposes of adjudicating Meta‘s summary judgment motion, and that the fact-finder at trial will be instructed that it may presume:
- Defendants were obligated to preserve the data logged on the Rapid7 server between October 2020 and October 2021, but intentionally failed to do so because the data was unfavorable to Defendants.
- The deleted data would have shown that between October 2020 and October 2021 (i) Defendants continuously misappropriated access credentials from Meta users and exfiltrated them to BrandTotal-controlled servers; (ii) Defendants did not anonymize or encrypt this sensitive data; (c) [sic] Defendants used these access credentials to pose as legitimate Meta users and scrape password-protected data from Meta‘s computers, in violation of Meta‘s Terms of Service; and (iv) Defendants attempted to conceal the collection and use of these access credentials because they knew their conduct was unlawful.
- The deleted data would have shown that between October 2020 and October 2021, Defendants continuously used accounts they created or purchased in order to gain access to Facebook and Instagram, pose as legitimate Meta users, and scrape data from Meta‘s computers in violation of Meta‘s Terms of Service.
Proposed Order re Sanctions (dkt. 246-28). Meta also seeks to preclude BrandTotal “from relying on Mr. Oren Dor‘s January 13, 2021 testimony,” and to recover its “fees and costs, including expert costs, incurred in connection with bringing this motion.” Id.
BrandTotal argues that it “did not intentionally (or even affirmatively) delete anything,” but “[r]ather, the data within the logger tool merely expired after 30-days as part of BrandTotal‘s ordinary course of business.” Opp‘n to Sanctions (dkt. 288) at 2. It also argues that Meta was not prejudiced because other evidence shows the conduct at issue, id. at 13-15, that the relief Meta seeks is excessive, id. at 15-18, and that it should be permitted to use Dor‘s testimony, id. at 18-21. Based on its contention that sanctions are not appropriate, BrandTotal also argues that it should not be required to pay Meta‘s attorneys’ fees. Id. at 21-22.
B. Legal Standard for Discovery Sanctions
“Federal courts have the authority to sanction litigants for discovery abuses both under the
A district court also has inherent authority to impose sanctions for spoliation of evidence. Leon v. IDX Sys. Corp., 464 F.3d 951, 958 (9th Cir. 2006); Glover v. BIC Corp., 6 F.3d 1318, 1329 (9th Cir. 1993). The majority of courts use a three-part test to determine whether spoliation occurred, consisting of the following elements: “‘(1) that the party having control over the evidence had an obligation to preserve it at the time it was destroyed; (2) that the records were destroyed with a “culpable state of mind;” and (3) that the evidence was “relevant” to the pаrty‘s claim or defense such that a reasonable trier of fact could find that it would support that claim or defense.‘” Apple Inc. v. Samsung Elecs. Co., 881 F. Supp. 2d 1132, 1138 (N.D. Cal. 2012) (quoting Zubulake v. UBS Warburg LLC, 220 F.R.D. 212, 215 (S.D.N.Y. 2003)) (footnotes omitted). “[T]he ‘culpable state of mind’ factor is satisfied by a showing that the evidence was
If spoliation is found, courts often consider three factors to determine whether and what type of sanctions to issue: “(1) the degree of fault of the party who altered or destroyed the evidence; (2) the degree of prejudice suffered by the opposing party; and (3) whether there is a lesser sanction that will avoid substantial unfairness to the opposing party.” Nursing Home Pension Fund v. Oracle Corp., 254 F.R.D. 559, 563 (N.D. Cal. 2008) (quoting Schmid v. Milwaukee Elec. Tool Corp., 13 F.3d 76, 79 (3d Cir. 1994)). Among other sanctions, trial courts have “the broad discretionary power to permit a jury to draw an adverse inference from the destruction or spoliation against the party or witness responsible for that behavior” so long as the party responsible had “simple notice of ‘potential relevance to the litigation,‘” with no requirement to prove bad faith. Glover, 6 F.3d at 1329 (quoting Akiona v. United States, 938 F.2d 158, 161 (9th Cir. 1991)).
C. BrandTotal‘s Conduct Warrants a Permissive (as Opposed to Mandatory) Adverse Inference Instruction
The relief that Meta seeks here is internally inconsistent: while Meta asks the Court to treat certain facts as established for the purpose of Meta‘s summary judgment motion, it seeks an instruction at trial only that the jury may presume such facts to be true. See Proposed Sanctions Order (dkt. 246-28). Such an approach is in tension with the usual rules for summary judgment, where courts view the facts and draw all possible inferences in the light most favorable to the nonmoving party, in order to determine whether the nonmoving party could prevail at trial. Meta‘s approach here could potentially have the Court grant summary judgment in Meta‘s favor on a record where BrandTotal might prevail if the case went to trial. Meta cites no authority for
The Court has little trouble concluding that the Rapid7 database—which provided a detailed running log of the operation of BrandTotal‘s software, recording at least to some degree the actual data BrandTotal collected from Facebook and Instagram—included information relevant to the case, that BrandTotal knew it included that information, and that BrandTotal should have taken steps to preserve it once litigation was contemplated, i.e., no later than when Meta filed its first complaint against BrandTotal in state court. There is no dispute that BrandTotal failed to do so until roughly a year after the case began. See, e.g., O‘Laughlin Decl. Ex. 5 (Regev Nov. 2021 Dep.) at 196:15-18. The Court is also satisfied that the loss of a real-time log of at least some of BrandTotal‘s data collection prejudices Meta‘s ability to understand and prove the scope and nature of that conduct. As one example, there currently does not appear to be any way to assess how many users’ access credentials were logged by BrandTotal or when BrandTotal stopped receiving that information from users of outdated versions of its products. Similarly, the Rapid7 logs would have provided greater insight than is now available as to how extensively BrandTotal used “fake” accounts that it purchased or created to gather data from Facebook and Instagram from October 2020 to October 2021. There is also no dispute that the deleted Rapid7 logs cannot be replaced or recovered through additional discovery. Meta has therefore established the basic elements of spoliation for the purpose of
When it comes to the specific relief Meta seeks, however, Meta has not met
Negligence—even gross negligence—in failing to retain relevant evidence is not sufficient to support an adverse inference under
In Porter, the City and County of San Francisco did not dispute that it had an obligation to preserve the recording of a call to law enforcement. Id. at *3. The court found that the city failed to take reasonable steps to do so, that the recording could not be restored or replaced after it was deleted pursuant to a two-year retention policy, and that the plaintiff was prejudiced by losing evidence potentially relevant to a witness‘s credibility or other issues in the case. Id. at *3-4. Turning to the intent requirement of
Since the Okupnik call cannot be restored or retrieved, and constitutes relevant and material evidence, the court finds that an appropriate sanction is to inform the jury that the call was spoliated. To that end, the court orders that the jury may hear a short factual statement at trial regarding the spoliation of this evidence. The statement should inform the jury that CCSF had a duty to preserve a copy of the Okupnik call, and that despite this duty, the recording of the call was erased and is no longer available. As a result, CCSF‘s actions have prevented the jury from hearing what Okupnik communicated to SFSD in that call, how he communicated it, and what SFSD said in response to Okupnik.
Id. The court also awarded the plaintiff his attorneys’ fees for bringing the sanctions motion, but not for “time spent in the meet and confer process, because such work was necessary regardless of whether a sanctions motion ensued.” Id. at *5.
In another case from this district, the defendant improperly failed to preserve video footage of the plaintiff‘s slip-and-fall injury at the defendant‘s gas station, prejudicing the plaintiff‘s ability to prove his case. Phan v. Costco Wholesale Corp., No. 19-cv-05713-YGR, 2020 WL 5074349, at *2-3 (N.D. Cal. Aug. 24, 2020). In the absence of any evidence of malicious intent, however, the court declined to infer that the loss of the video was anything more than “sloppiness,” and thus found that
Here, as in Porter and Phan,
BrandTotal‘s negligence could potentially support an adverse inference instruction under the Court‘s inherent authority even if not under
Under the circumstances, the Court finds that instructions similar to those used in Porter, Phan, and Posner are appropriate. If the case proceeds to trial, the jury will be instructed that BrandTotal had a duty to preserve its Rapid7 logs from October of 2020 through October of 2021 but failed to do so. The jury will also receive the CACI 204 instruction, modified as follows:
You may consider whether one party intentionally concealed or destroyed evidence, or intentionally allowed evidence to be lost.9 If you decide that a party did so, you may decide that the evidence would have been unfavorable to that party.
D. Dor‘s Testimony
On December 23, 2021, the parties agreed that BrandTotal would not rely on any testimony from Dor postdating that stipulation. Stipulation (dkt. 215) ¶ 10; see also Order on Stipulation (dkt. 216). Meta now argues that as a result of Dor‘s purported perjury regarding the
While Meta is correct that courts may impose sanctions for a party‘s perjured testimony, it cites no case imposing a comparable sanction to what it seeks here. See Sanctions Mot. (dkt. 246) at 20 (citing Valley Eng‘rs Inc. v. Elec. Eng‘g Co., 158 F.3d 1051, 1058 (9th Cir. 1998) (imposing case-dispositive sanctions in an extreme case); Excel Innovations, Inc. v. Indivos Corp., No. C-03-3125 MMC (JCS), 2006 WL 8439364, at *13 (N.D. Cal. Nov. 21, 2006) (same); Bowoto v. Chevron Texaco Corp., No. C 99-02506 SI, 2008 WL 552456, at *3 (N.D. Cal. Feb. 27, 2008) (denying a motion for sanctions that asked the court to infer perjury, and deferring that issue to the jury, but imposing lesser sanctions for failure to preserve evidence)). Meta has not argued that the case-dispositive sanctions imposed in Valley Engineers and Excel Innovations are warranted here. Nor has it offered any explanation for why the particular remedy it seeks is appropriate.
BrandTotal has not materially relied on any testimony by Dor in its summary judgment briefing, so this portion of the sanctions motion does not affect the outcome of the parties’ motions for summary judgment. See Defs.’ Opp‘n to MSJ (dkt. 299) at 3 (citing Dor‘s testimony to show a 2018 change to BrandTotal‘s security practices, which is not relevant to the outcome of the motion and is supported by other evidence); Defs.’ MSJ Reply (dkt. 311) at 17 (addressing portions of Dor‘s testimony offered by Meta, for facts also confirmed by Meta‘s expert witness). It is not clear if or how BrandTotal would seek to use Dor‘s past testimony at trial.
While it is possible that Dor lied in his deposition, it is not clear that he was not simply mistaken or uninformed about the nature of the Rapid7 log and the two BrandTotal products at issue, which were not central to the case at that time. Taking into account that “credibility of witnesses is almost categorically a trial issue,” Alameda Books, Inc. v. City of Los Angeles, 631 F.3d 1031, 1042-43 (9th Cir. 2011), that Meta would likely be able to impeach any testimony
E. Attorneys’ Fees
While Meta has not shown that it is entitled to an adverse inference sanction under
The Court finds that an award of attorneys’ fees is appropriate to cure the prejudice to Meta that resulted from BrandTotal‘s spoliation of evidence. Based on Meta‘s overreach in seeking a more extreme remedy under
The parties shall meet and confer by videoconference and file no later than June 10, 2022 either: (1) a stipulation as to the amount of such fees and costs; or (2) a joint letter brief no longer than five pages laying out their respective positions on the value of fees and costs to be awarded.
IV. MOTIONS FOR SUMMARY JUDGMENT
BrandTotal seeks summary adjudication or judgment in its favor on the following issues: (1) that section 3.2.3 of the Facebook terms of service is unenforceable as contrary to public policy; (2) that section 3.2.3 is unconscionable; (3) that Meta cannot prevail on its CFAA and CDAFA claims; and (4) that Meta cannot prevail on its UCL claim. Defs.’ MSJ (dkt. 268). BrandTotal asserts in its reply that it is also entitled to summary judgment on Meta‘s tortious interference claim with respect to UpVoice 2021 for reasons other than the purported unenforceability of Meta‘s terms of service, Defs.’ MSJ Reply at 13, but the Court declines to address that argument raised for the first time in the reply.
Meta seeks summary judgment on its own claims for breach of contract and violation of the CFAA and CDAFA, and partial summary judgment on its UCL claim. Pl.‘s MSJ (dkt. 272) at 10-22. It also seeks summary judgment on BrandTotal‘s counterclaims for interference and under the UCL. Id. at 23-35.
A. Legal Standard
Summary judgment on a claim or defense is appropriate “if the movant shows that there is no genuine dispute as to any material fact and the movant is entitled to judgment as a matter of law.”
Once the movant has made this showing, the burden then shifts to the party opposing summary judgment to designate “‘specific facts showing there is a genuine issue for trial.‘” Id. (citation omitted); see also
A party need not present evidence to support or oppose a motion for summary judgment in a form that would be admissible at trial, but the contents of the parties’ evidence must be amenable to presentation in an admissible form. See Fraser v. Goodale, 342 F.3d 1032, 1036-37 (9th Cir. 2003). Neither conclusory, speculative testimony in affidavits nor arguments in moving papers are sufficient to raise genuine issues of fact and defeat summary judgment. Thornhill Publ‘g Co., Inc. v. GTE Corp., 594 F.2d 730, 738 (9th Cir. 1979). On summary judgment, the court draws all reasonable factual inferences in favor of the non-movant, Scott v. Harris, 550 U.S. 372, 378 (2007), but where a rational trier of fact could not find for the non-moving party based on the record as a whole, there is no “genuine issue for trial” and summary judgment is appropriate. Matsushita Elec. Indus. Co. v. Zenith Radio, 475 U.S. 574, 587 (1986).
B. Breach of Contract
Under California law, the “cause of action for damages for breach of contract is comprised of the following elements: (1) the contract, (2) plaintiff‘s performance or excuse for nonperformance, (3) defendant‘s breach, and (4) the resulting damages to plaintiff.” Armstrong Petroleum Corp. v. Tri-Valley Oil & Gas Co., 116 Cal. App. 4th 1375, 1391 n.6 (2004).
The contractual provision most central to this case is section 3.2.3 of Meta‘s terms of use for Facebook, which reads as follows:
You may not access or collect data from our Products using automated means (without our prior permission) or attempt to access data you do not have permission to access.
Schultz MSJ Decl. (dkt. 272-6) Ex. 5 § 3.2.3.11 Section 4.2. states that the terms of use generally
1. BrandTotal‘s Motion Regarding Breach of Contract
BrandTotal seeks summary judgment on Meta‘s contract claim based on two defenses: that section 3.2.3 violates public policy, and that it is unconscionable.
a. Section 3.2.3 and Public Policy
BrandTotal contends that the prohibition of unauthorized automated access violates public policies related to consumer data ownership, Defs.’ MSJ at 15-18, market competition, id. at 18-22, and the free flow of information and speech, id. at 22-27.
“Under general principles of California contract law, a contract is unlawful, and therefore unenforceable, if it is ‘[c]ontrary to an express provision of law’ or ‘[c]ontrary to the policy of express law, though not expressly prohibited.‘” Sheppard, Mullin, Richter & Hampton, LLP v. J-M Mfg. Co., 6 Cal. 5th 59, 73 (2018) (quoting
The principle that a court may decline to enforce a contract based on public interest beyond express law is in tension with an even older line of U.S. Supreme Court precedent holding that because “the term ‘public policy’ is vague, there must be found definite indications in the law of the sovereignty to justify the invalidation of a contract as contrary to that policy,” as “ascertained by reference to the laws and legal precedents and not from general considerations of supposed public interests.” Muschany v. United States, 324 U.S. 49, 65-66 (1945). Muschany involved contracts between private parties and the United States, which were invoked by those parties as defendants in a federal eminent domain suit as evidence of the fair value of their property, and which the United States argued were unenforceable as contrary to federal policy. Id. at 51-54. On its own, it could perhaps be read narrowly as a matter of federal common law, with no application to the California contract claim at issue here, as perhaps could many more recent cases restating its rule in the context of labor arbitration and collective bargaining agreements. See, e.g., E. Associated Coal Corp. v. United Mine Workers of Am., Dist. 17, 531 U.S. 57, 62 (2000) (“The Court has made clear that any such public policy must be explicit, well defined, and dominant. It must be ascertained by reference to the laws and legal precedents and not from general considerations of supposed public interests.” (cleaned up)). Some of the cases on which Muschany relied, however, involved the Supreme Court examining state law.
In Vidal v. Girard‘s Executors, 43 U.S. (2 How.) 127 (1844), the Court declined to invalidate a charitable bequest that prohibited the school for orphans it established from employing religious ministers. Despite accepting the proposition that “that the Christian religion is a part of the common law of Pennsylvania,”13 the Court determined that the bequest did not
In another case on which Muschany relied, Twin City Pipe Line Co. v. Harding Glass Co., 283 U.S. 353 (1931), the Court considered whether any public policy of Arkansas invalidated a settlement agreement among various Arkansas corporate entities, taking a cautious approach deferential to established law:
The meaning of the phrase ‘public policy’ is vague and variable; courts have not defined it, and there is no fixed rule by which to determine what contracts are repugnant to it. The principle that contracts in contravention of public policy are not enforceable should be applied with caution and only in cases plainly within the reasons on which that doctrine rests. It is only because of the dominant public interest that one who, like respondent, has had the benefit of performance by the other party will be permitted to avoid his own promise. . . .
In determining whether the contract here in question contravenes the public policy of Arkansas, the Constitution, laws, and judicial decisions of that state, and as well the applicable principles of the common law, are to be considered. Primarily it is for the lawmakers to determine the public policy of the state.
The parties here have not addressed this tension between federal and California caselaw or how best to resolve it in this case, and BrandTotal has generally tethered its public policy arguments to specific sources of law. This Court therefore does not reach questions of whether the U.S. Supreme Court‘s requirement that “public policy” in this context must be rooted in positive law is best viewed as a matter of due process (such that California authority to the contrary might be wrongly decided) or a prudential limit of the federal courts (such that the authority to invalidate
Having determined that a basic sense of what is in the public interest is not sufficient here to invalidate section 3.2.3, the Court proceeds to consider the particular constitutional and statutory policies BrandTotal has advanced.
i. California Consumer Privacy Laws
BrandTotal cites the
The Court has repeatedly “rejected BrandTotal‘s scattershot citations to the CCPA that failed to tie that law‘s actual requirements to the conduct at issue in this case,” noting that the “fact that information about advertising interactions falls within the statute‘s definition of ‘personal information’ does not, in itself, say anything about whether Facebook must provide BrandTotal access to such information.” 3d MTD Order at 12. BrandTotal‘s present motion does not go significantly further when it comes to the CCPA, citing only the same definition that the Court has previously found insufficient, as well as a comment in legislative history from one of its authors, then-Assemblymember (and now Superior Court Judge) Edwin Chau, that “Californians should
BrandTotal is more specific in addressing the CPRA (a law enacted by California voters through a 2020 ballot initiative that amends portions of the CCPA), citing its statements of purpose “that ‘the ability of individuals to control the use, including the sale, of their personal information’ is ‘fundamental to’ their right of privacy under the California Constitution,” “that ‘[c]onsumers should be able to control the use of their personal information’ and ‘should have meaningful options over how it is collected, used, and disclosed,‘” and “that ‘[c]onsumers should benefit from businesses’ use of their personal information.‘” Defs.’ MSJ at 15-16 (quoting CPRA §§ 2(A), 3(A)(2), 3(A)(7)14) (alterations in original).
This argument has at least two weaknesses. First, with narrow exceptions, the CPRA does not become operative until January 1, 2023. CPRA § 31(a). While the CPRA sets forth state policies to enhance users’ control over their personal information, it also incorporates a policy of allowing businesses time to adapt their operations to the new law. Relying on the CPRA to invalidate Meta‘s terms of use before most of the substantive provisions of that law take effect would undermine the latter policy and potentially conflict with the stated intent of the voters. Second, the CPRA recognizes a number of policy interests besides data control and portability, including that “[b]usinesses should take reasonable precautions to protect consumers’ personal information from a security breach,” CPRA § 3(B)(6), and that while “[t]he law should enable pro-consumer new products and services and promote efficiency of implementation for business,”
At least with respect to UpVoice 2021, which has removed many of the more questionable methods of data collection employed by some of BrandTotal‘s earlier products, there is certainly an argument that allowing users to record and sell data regarding the advertisements that Facebook shows them would further a public policy of establishing user ownership of personal data and empowering users to share in the financial benefits that flow from that data. See, e.g., CPRA §§ 2(A), 3(A)(7). But the application of that policy to a social media platform‘s ability to restrict automated access, as Meta has with section 3.2.3, is by no means straightforward. Mindful that “questions of public policy are primarily for the legislative department to determine,” Sheppard,
ii. Market Competition
Next, BrandTotal contends that section 3.2.3 is unenforceable because it subverts the policy of market competition underlying
Despite arguing throughout this case that Meta monopolizes the market for social media advertising, and by extension social media advertising analytics, BrandTotal has at no point asserted a claim under the Sherman Act. The closest it has come is attempting to state a claim under the “unfair” prong of the UCL, which requires showing a violation of either the letter or the spirit of the antitrust laws. See, e.g., 2d MTD Order at 24-25; 3d MTD Order at 9-10. The Court ultimately dismissed that claim with prejudice because, despite repeated attempts, BrandTotal failed to provide plausible allegations of a product market, market power, or any basis for an exception to the usual rule that the antitrust laws permit market participants to refuse to deal with their competitors. See 1st MTD Order at 16-17; 2d MTD Order at 24-28; 3d MTD Order at 10-18.
BrandTotal has offered no meaningful economic analysis of the market it asserts for social media advertising analytics, and leaves key questions unanswered. Are there competitors besides Meta and BrаndTotal? What is each party‘s market share? Could other methods of advertising analysis serve as substitutes for the type of data collection and processing BrandTotal performs? Cf. Wilcox Report ¶¶ 31, 33, 34, 40 (BrandTotal‘s expert witness discussing survey-based methods of collecting advertising intelligence). What qualifies as “social media,” as opposed to other forms of internet advertising that customers might seek to analyze?17
Instead, BrandTotal relies on mere assertions in its motion that section 3.2.3 “not only completely extinguishes all competition for analysis of Facebook advertising, but also has a malign ripple effect on competition in the advertising analytics market more broadly,” Defs.’ MSJ at 20, which it contends in its reply that Meta has not contested, Defs.’ MSJ Reply at 4. But in the context of summary judgment, as the party advancing an affirmative defense of contract unenforceability, BrandTotal has the burden to support its assertions with evidence, which it has not done. BrandTotal‘s motion cites evidence that it competes with Facebook, and that its customers have sought BrandTotal‘s services to better understand their own advertising campaigns despite Facebook offering them similar analysis, Defs.’ MSJ at 19-21, but cites no evidence beyond that regarding the nature of the market at issue or whether the sort of data collection barred by section 3.2.3 is necessary to competing in that market. The Court having previously “assume[d] for the sake of argument that BrandTotal‘s alleged markets” for “Third Party Commercial Advertising Information” on “personal social networking services in the United States” or on Facebook and Instagram were “sufficiently plausible to survive the limited scrutiny
While BrandTotal is correct that it need not show a violation of the letter of the Sherman Act to render section 3.2.3 unenforceable, but instead could prevail by showing a violation of policies underlying that law, see Sheppard, Mullin, 6 Cal. 5th at 73, that analysis is similar to the BrandTotal‘s putative UCL claim that the Court repeatedly addressed and dismissed on the pleadings, where a plaintiff must show “conduct that threatens an incipient violation of an antitrust law, or violates the policy or spirit of one of those laws because its effects are comparable to or the same as a violation of the law, or otherwise significantly threatens or harms competition.” Cel-Tech Commc‘ns, Inc. v. L.A. Cellular Tel. Co., 20 Cal. 4th 163, 187 (1999). A party seeking to establish a violation of the “spirit” of the antitrust laws for the purpose of such a claim, without showing an actual violation, must identify and prove some “‘unusual’ aspect of the alleged conduct that would make that conduct something that violates the ‘policy and spirit’ of the antitrust laws without violating the actual laws themselves,” comparable to the Cel-Tech defendant‘s “‘privileged status as one of two holders of a lucrative government-licensed duopoly.‘” Synopsys, Inc. v. ATopTech, Inc., No. C 13-2965 MMC, 2015 WL 4719048, at *10 (N.D. Cal. Aug. 7, 2015) (quoting Cel-Tech, 20 Cal. 4th at 190). The Court finds the same analysis appropriate in considering whether the policy underlying the Sherman Act is sufficient to render section 3.2.3 unenforceable without showing a violation of that law. Cf. Epic Games, Inc. v. Apple Inc., No. 4:20-cv-05640-YGR, 2021 WL 4128925, at *122 (N.D. Cal. Sept. 10, 2021) (declining to hold contracts unenforceable for violating policy favoring competitive markets even
Here, as the Court has previously held on a motion to dismiss BrandTotal‘s UCL unfairness claim, BrandTotal‘s “theory of what makes Facebook‘s conduct unfair is relatively straightforward: Facebook is extremely large and powerful,” and uses that clout to advance its own competitive interests and prevent BrandTotal from effectively competing. 2d MTD Order at 25-26. Once again, BrandTotal has not identified any unusual circumstances of this case that would threaten competition while evading antitrust enforcement under the actual terms of the antitrust laws, nor has it shown a violation of the antitrust laws. Absent such a showing, the Court declines to hold that the policies underlying those laws require invalidating Meta‘s terms of use.
In hiQ Labs, Inc. v. LinkedIn Corporation, 31 F.4th 1180 (9th Cir. 2022), the Ninth Circuit recently reaffirmed its decision (which had been vacated for reconsideration in light of an19
Taking into account the caution that is always appropriate in considering whether a contract should be declared unenforceable as contrary to public policy, the Court holds that BrandTotal has not met its burden to set aside section 3.2.3 based on harm to competition.
iii. Free Speech and Flow of Information
BrandTotal contends that section 3.2.3. impermissibly burdens interests in free speech and the flow of information, rooted in the
The Supreme Court has recognized that the First Amendment protects commercial advertising, in part due to the need for public “information as to who is producing and selling what product, for what reason, and at what price” to allow for informed participation in and regulation of the economy. Va. State Bd. of Pharmacy v. Va. Citizens Consumer Council, Inc., 425 U.S. 748, 765 (1976). The conduct at issue here, however, is a few steps removed from the state restrictions on advertising in the Board of Pharmacy case. This case does not concern direct state action, although BrandTotal is correct that judicial enforcement of a private contract restricting speech can implicate the First Amendment at least to some degree.21 But BrandTotal does not argue that section 3.2.3 prevents anyone from advertising their services. Nor does section 3.2.3 directly prevent anyone from sharing information about advertisements-the provision is not implicated by a Facebook user discussing the advertisements they have seen, for example, or even by advertising cоnsultants manually browsing Facebook‘s public ad library to prepare reports for clients. Instead, section 3.2.3 prohibits a particular method of interacting with Meta‘s services: “access[ing] or collect[ing] data from [Meta‘s] products using automated means,” one application of which is BrandTotal‘s automated collection of advertising data. BrandTotal cites no authority
The second line of cases on which BrandTotal relies for its free speech arguments stems from Lear, Inc. v. Adkins, 395 U.S. 653 (1969), where the Supreme Court held that an inventor could not rely on estoppel against a licensee or the contractual force of a license agreement to recover royalties if his patent were held invalid. See Defs.’ MSJ at 22-23. Circuit courts have divided as to whether or when Lear applies outside the context of patent law. Compare Idaho Potato Comm‘n v. M & M Produce Farm & Sales, 335 F.3d 130, 135-39 (2d Cir. 2003) (applying Lear to hold that a defendant who had agreed, as part of a since-lapsed license agreement, never to challenge the validity of certain certification marks registered with the USPTO was not estopped from doing so because enforcing the agreement undermined free market principles related to the purpose of certification marks), with Saturday Evening Post Co. v. Rumbleseat Press, Inc., 816 F.2d 1191, 1200 (7th Cir. 1987)22 (declining to apply Lear to copyright because the “economic power conferred is much smaller” than that conferred by a patent, and noting that the Sherman Act is a more appropriate framework for any such contract with a meaningful effect on competition), and Beer Nut, Inc. v. King Nut Co., 477 F.2d 326, 328-29 (6th Cir. 1973) (balancing the interests addressed in Lear to hold that it does not apply in the trademark context, and that a licensee was estopped from contesting the validity of a mark). Regardless, unlike a license agreement, section 3.2.3 does not govern the publication or use of information once obtained; it prohibits some forms of access to Meta‘s servers. Lear and its progeny do not show that Meta‘s terms of use are unenforceable.
In its reply, BrandTotal abandons any effort to link this argument to precedent, dismissing Meta‘s “focus[] on distinguishing cases that BrandTotal cited for a general proposition . . . that
The Court therefore concludes that BrandTotal has not shown Meta‘s terms of use to be unenforceable as contrary to public policy.
b. Unconscionability
BrandTotal argues that the terms of use are unconscionable, specifically addressing: (1) the provision in section 4 extending certain restrictions (including section 3) beyond the termination of an account; and (2) a limitation of Meta‘s liability to no more than the greater of $100 or the amount the user has paid Meta in the previous year. Defs.’ MSJ at 32-33. Although BrandTotal focuses on those provisions as substantially unfair, it argues that the appropriate remedy is to deem section 3.2.3 unenforceable. Id. at 33.
Meta contends that BrandTotal waived its unconscionability defense by failing to include it in its October 2021 response to an interrogatory requesting “the full basis for [BrandTotal‘s] contention” that “it did not breach any contacts with [Meta]” or that the terms of use “were not[]
“In order to render a contract unenforceable under the doctrine of unconscionability, there must be both a procedural and substantive element of unconscionability.” Ferguson v. Countrywide Credit Indus., Inc., 298 F.3d 778, 783 (9th Cir. 2002) (citing Armendariz v. Found. Health Psychcare Servs., Inc., 24 Cal. 4th 83, 6 P.3d 669, 690 (2000)). “[T]he former focus[es] on ‘oppression’ or ‘surprise’ due to unequal bargaining power, the latter on ‘overly harsh’ or ‘one-sided’ results.” Armendariz, 24 Cal. 4th at 114 (citation omitted). While both of those aspects must be present to find the contract unconscionable, “they need not be рresent in the same degree[:] . . . the more substantively oppressive the contract term, the less evidence of procedural unconscionability is required to come to the conclusion that the term is unenforceable, and vice versa.” Id. “Unconscionability is ultimately a question of law for the court.” Marin Storage & Trucking, Inc. v. Benco Contracting & Eng‘g, Inc., 89 Cal. App. 4th 1042, 1055 (2001). Neither party has suggested here that the question of whether Facebook‘s terms are unconscionable is inappropriate for resolution on summary judgment.
“Procedural unconscionability ‘concerns the manner in which the contract was negotiated and the circumstances of the parties at that time.‘” Ferguson, 298 F.3d at 783 (quoting Kinney v. United Healthcare Servs., Inc., 70 Cal. App. 4th 1322, 1329 (1999)). That analysis “begins with an inquiry into whether the contract is one of adhesion.” Armendariz, 24 Cal. 4th at 113. “California courts have consistently held that where a party in a position of unequal bargaining power is presented with an offending clause without the opportunity for meaningful negotiation, oppression and, therefore, procedural unconscionability, are present.” Ferguson, 298 F.3d at 784. That test is met with respect to Meta‘s terms of use, at least for nearly all users.23 There is no dispute that BrandTotal was offered Meta‘s terms on a take-it-or-leave-it basis, with no power to negotiate. Under California law, that is enough to meet the procedural element of unconscionability. See Baltazar v. Forever 21, Inc., 62 Cal. 4th 1237, 1244 (2016) (“Ordinary contracts of adhesion, although they are indispensable facts of modern life that are generally enforced, contain a degree of procedural unconscionability even without any notable surprises, and bear within them the clear danger of oppression and overreaching.” (cleaned up)).
Meta‘s argument that “courts routinely conclude that sign-up flows like Meta‘s are sufficient to bind users to terms of service” misses the mark. See Pl.‘s Opp‘n to MSJ (dkt. 303) at 21. The cases Meta cites considered whether the users had consented to the terms, held that they had, and either did not reach questions of unconscionability or found at least some degree of procedural unconscionability. See Britt v. ContextLogic, Inc., No. 3:20-cv-04333-WHA, 2021 WL 1338553 (N.D. Cal. Apr. 9, 2021) (finding mutuals assent and declining to reach questions of unconscionability as properly delegated to an arbitrator); Nevarez v. Forty Niners Football Co., LLC, No. 16-cv-07013, 2017 WL 3492110, at *12 (N.D. Cal. Aug. 15, 2017) (finding “a low degree of procedural unconscionability” sufficient to consider whether the contract was highly substantively unconscionable); Loewen v. Lyft, Inc., 129 F. Supp. 3d 945, 956 (N.D. Cal. 2015) (same); Swift v. Zynga Game Network, Inc., 805 F. Supp. 2d 904, 915 (N.D. Cal. 2011) (noting that the plaintiff failed to address the standard for unconscionability or present any argument as to
Since the test uses a sliding scale where the degree of each form unconscionability is relevant, however, there is reason to evaluate other aspects of procedural unconscionability before turning to the substantive terms of the agreement. BrandTotal notes that Meta‘s sign-up process includеs only text in a small font informing users that “[b]y clicking Sign Up, you agree to our Terms, Data Policy and Cookies Policy,” with “Terms” as a small hyperlink, but does not specifically present users with the terms or include a separate box to check to indicate that the user agrees to those terms. Defs.’ MSJ at 31 (citing Martens Opening Report ¶¶ 63-66).
Any inconspicuousness of the terms of use might be relevant to whether it is procedurally unconscionable as to individuals creating accounts for personal use. See In re Facebook Biometric Info. Priv. Litig., 185 F. Supp. 3d 1155, 1166 (N.D. Cal. 2016) (raising concerns about Facebook‘s process of obtaining consent to its terms of use, but finding them enforceable). As to BrandTotal, however, it is less clear why that should matter. BrandTotal is a business built around collecting data from social networks and other websites. It would reasonably have been expected to seek out and understand those terms before agreeing to them. See Burrell Opp‘n Dec. Ex. 30 (Leibovich Nov. 2021 Dep.) at 20:23-22:5 (confirming the BrandTotal‘s CEO knew before this lawsuit that all Facebook users must agree to the terms of service before creating an account). BrandTotal in fact sought a legal opinion regarding section 3.2.3, albeit belatedly in 2019, years after it had first created accounts. See Burrell Opp‘n Decl. Ex. 4.25 Although as noted above Meta‘s terms were at least to some degree procedurally unconscionable because BrandTotal had no meaningful opportunity to negotiate them, the manner in which Meta presented them during the sign-up
BrandTotal‘s motion for summary judgment does not argue that section 3.2.3, standing alone, meets that standard. Instead, BrandTotal focuses on section 4.2‘s provision that section 3 (and certain subsections of section 4) remain in place following termination of the remainder of the agreement when a user deletes their account of Meta disables it, and section 4.3‘s limitation of Meta‘s liability to exclude certain forms of damages and limit monetary damages against Meta to “not exceed the greater of $100 or the amount [the user] has paid [Meta] in the past twelve months.” Schultz MSJ Decl. Ex. 5, §§ 4.2-3; see Defs.’ MSJ at 32-33. In its reply, BrandTotal contends that section 3.2.3 is itself substantively unconscionable for the reasons stated in its arguments regarding public policy, Defs.’ MSJ Reply at 15-16, but for the same reasons discussed above in the Court‘s analysis of those arguments, BrandTotal has not shown that any public policy implication of section 3.2.3 meets the high standard of substantive unconscionability applicable where the only meaningful procedural defect is a contract of adhesion.
Turning to the related provisions BrandTotal has invoked, the Court is not persuaded that the survival of section 3.2.3 beyond the termination of an account is substantively unconscionable. Thаt is not to say that any open-ended commitments in exchange for the temporary provision of a service would be enforceable. The provision at issue here, though, relates specifically to the manner in which a user continues to access Meta‘s services after their account is terminated. If a user were to walk away from Meta‘s products entirely, the continuing force of section 3.2.3 would have no effect on them. Notwithstanding the importance of social media platforms as “what for
As for the limitation of liability, that provision is only connected to section 3.2.3 in that, by its terms, Meta could potentially recover far greater damages from BrandTotal for violating section 3.2.3 than BrandTotal could recover from Meta on any potential claim of its own. The limitation of liability is certainly “one-sided,” see Armendariz, 24 Cal. 4th at 114, but it is only tangentially related to section 3.2.3. California law grants “a trial court some discretion as to whether to sever or restrict [an] unconscionable provision or whether to refuse to enforce the entire agreement,” but “contemplate the latter course only when an agreement is ‘permeated’ by unconscionability.” Id. at 122 (examining
To the extent BrandTotal is asserting that Meta‘s terms are unconscionable as applied to
Because BrandTotal has not shown sufficient substantive unconscionability of section 3.2.3 to render it unenforceable in conjunction with the relatively minor procedural unconscionability of a contract of adhesion, BrandTotal‘s motion for summary judgment on this issue is DENIED.
2. Meta‘s Motion Regarding Breach of Contract
Meta seeks summary judgment in its favor on its breach of contract claim. Pl.‘s MSJ at 10-16. Again, this claim has four elements: “(1) the contract, (2) plaintiff‘s performance or excuse for nonperformance, (3) defendant‘s breach, and (4) the resulting damages to plaintiff.” Armstrong Petroleum Corp. v. Tri-Valley Oil & Gas Co., 116 Cal. App. 4th 1375, 1391 n.6 (2004).
a. The Contract
There is no dispute that BrandTotal created a number of accounts on Meta‘s platforms, and that all users who create accounts indicate that they agree to Meta‘s terms of use. See, e.g., Schultz MSJ Decl. Ex. 35 at 3 (responses to Request Nos. 21 and 22, admitting knowledge that all Facebook and Instagram users must agree to the applicable terms of use). BrandTotal contests two
As for termination, the terms of use specifically provide that section 3-including section 3.2.3‘s prohibition of unauthorized automated access and data collection-survives after a user deletes their account or Meta terminates an account. Schultz MSJ Decl. Ex. 5 § 4.2. As discussed above, BrandTotal has not shown that term to be unconscionable. Nor does it conflict with section 3‘s preface that the commitments stated therein are required in exchange for Meta providing services. See id. § 3, Defs.’ Opp‘n to MSJ at 20-21. As BrandTotal has admitted, Meta did provide services. Schultz MSJ Decl. Ex. 35 at 2 (response to Request No. 19). That Meta requires an ongoing commitment not to take certain action in return for services that might not last as long as that commitment is a coherent structure for an agreement, and section 4.2 is sufficiently clear as to its survival clause to dispel any reasonable confusion. BrandTotal therefore remains bound by section 3, including section 3.2.3.
Even if the relevant provisions of the terms of use did not survive the termination of an account, some of the “Muppet” accounts that BrandTotal employees created for data collection and debugging remained active as of 2022. Schultz MSJ Decl. Ex. 14 (Vardi Dep.) at 142:5-146:8. BrandTotal‘s assertion that it “disputes . . . that any of those accounts belong to BrandTotal” is not supported by evidence. See Defs.’ Opp‘n to MSJ at 21. BrandTotal thus remains bound by the terms of use.
b. Meta‘s Performance
BrandTotal specifically admitted performance by Meta prior to September 30, 2020. Schultz MSJ Decl. Ex. 35 at 2 (response to Request No. 19). There is evidence that certain accounts created by BrandTotal remained active as of February of 2022, suggesting that Meta has continued to perform under the terms of use at least as to accounts not terminated. See id. Ex. 14 (Vardi Dep.) at 142:5-146:8. In its response to a contention interrogatory that included a request
c. Breach by BrandTotal
The parties do not dispute that at least some conduct by BrandTotal breached the terms of use as written. Meta offers evidence that BrandTotal accessed and collected data from Facebook and Instagram using automated means through its various consumer products installed by users and through back-end processes from its own servers. See, e.g., Martens Opening Report ¶¶ 28-50 (summary of opinions).
In disputing the element of breach, BrandTotal argues only that UpVoice 2021 does not breach Meta‘s terms of use, because it collects data only from panelists’ computers. Defs.’ Opp‘n to MSJ at 22. In an October 2021 response to an interrogatory seeking all of BrandTotal‘s contentions that it did not breach the terms of use or that the terms are not enforceable, BrandTotal asserted only that the terms of use are unenforceable as against public policy and that the parties’ contractual relationship ended when Meta terminated BrandTotal‘s accounts in October of 2020. Schultz MSJ Decl. Ex. 36 at 9-11 (response to Interrogatory No. 20). Moreover, in a supplemental response to a request for admission that BrandTotal “collect[s] information and data from password-protected locations on the Facebook and Instagram platforms,” BrandTotal admitted that “the versions of UpVoice released after February 26, 2021, collect only the creative ID of an advertisement, the advertiser name, and the advertiser page name from password-protect locations of Facebook.” Id. Ex. 21 at 2 (supplemental response to Request No. 1).
BrandTotal has therefore waived any argument that UpVoice 2021-or any other conduct alleged in Facebook‘s amended complaint-did not violate the terms of use as written.28 Meta is
d. Damages
Finally, BrandTotal disputes the element of damage. Defs.’ Opp‘n to MSJ at 13-20. The only compensatory damages Meta has asserted are based on the cost of its investigation in response to BrandTotal‘s breach, but it also argues that it should be permitted to proceed based on a theory of unjust enrichment or the possibility of nominal damages.
Although damages are often recited as an element of a breach of contract claim, a recent California appellatе decision reaffirmed older authority holding that nominal damages are available for breach of contract and can support entry of judgment in favor of a plaintiff who suffered “no appreciable harm“:
We agree the trial court should have awarded nominal damages in light of the jury‘s unchallenged finding of breach. [California Civil Code] Section 3360 provides: “When a breach of duty has caused no appreciable detriment to the party affected, he may yet recover nominal damages.” California courts have applied section 3360 to conclude that “[a] plaintiff is entitled to recover nominal damages for the breach of a contract, despite inability to show that actual damage was inflicted upon him.” (Sweet v. Johnson (1959) 169 Cal.App.2d 630, 632, 337 P.2d 499 (Sweet).) Nominal damages may be properly awarded for the violation of a contractual right because “failure to perform a contractual duty is, in itself, a legal wrong that is fully distinct from the actual damages.” (Ibid.)
Elation Sys., Inc. v. Fenn Bridge LLC, 71 Cal. App. 5th 958, 965-66 (2021). The court specifically rejected the reasoning of two Ninth Circuit cases on which BrandTotal relies to assert that actual damages are a necessary element of the claim, in part because they did not “consider[] the availability of nominal damages in the absence of actual damage.” Id. at 967 (“Accordingly, we follow California law as provided in section 3360 and Sweet . . . and do not find Aguilera or Ruiz persuasive on the point.“); see Defs.’ Opp‘n to MSJ at 14-17 (citing, e.g., Aguilera v. Pirelli Armstrong Tire Corp., 223 F.3d 1010, 1015 (9th Cir. 2000); Ruiz v. Gap, Inc., 622 F. Supp. 2d 908 (N.D. Cal. 2009), aff‘d, 380 F. App‘x 689 (9th Cir. 2010)).
Ninth Circuit interpretations of state law are “only binding in the absence of any subsequent indication from the California courts that our interpretation was incorrect.” and “[i]n the absence of a pronouncement by the highest court of a state, the federal courts must follow the
Meta seeks summary judgment only as to liability, and not as to any particular amount of damages. See Pl.’s Prop’d Order (dkt. 272-9). Nor has BrandTotal moved for summary judgment—as opposed to arguing in its opposition to Meta’s motion—that any particular portion of Meta’s damages are not compensable. See generally Defs.’ MSJ. The Court therefore need not decide at this juncture whether Meta is entitled to all of the damages it has asserted, and declines to do so when no party specifically sought summary judgment as to such issues. Since at least nominal damages are available and sufficient to support the claim, Meta is entitled to judgment in its favor on its claim for breach of contract, with the amount of any actual damages to be proven at trial. Meta’s motion for summary judgment on this claim is GRANTED.
C. Meta’s CFAA and CDAFA Claims
Both parties seek summary judgment on at least some aspects of Meta’s claims under the CFAA and the CDAFA. The CFAA “subjects to criminal liability anyone who ‘intentionally accesses a computer without authorizаtion or exceeds authorized access,’ and thereby obtains computer information.
“[T]he CFAA was enacted ‘primarily to address the growing problem of computer
California’s CDAFA, also sometimes cited as the California Computer Crime Law or simply
1. BrandTotal’s Motion Regarding the CFAA and CDAFA
BrandTotal seeks summary judgment on these claims only “with respect to UpVoice 2021 and ongoing server-side collection.” Defs.’ MSJ at 33 (heading capitalization altered). It contends that UpVoice 2021 only accesses panelists’ computers, not Meta’s computers. BrandTotal also assert that under its current practices of collecting data directly from Facebook servers, it only accesses publicly available websites, which are outside the scope of the statutes.
Beginning with the question of whether UpVoice 2021 “accesses” Meta’s computers within the meaning of the CFAA, the Court agrees with BrandTotal that it does not. Meta’s expert David Martens only identifies that program as using “reactive” data collection, logging and sending to BrandTotal data that users receive from Facebook through their normal use of the website. See Martens Opening Report § 8.3.1. Meta cites evidence from BrandTotal witnesses that UpVoice 2021 “‘listen[s] to network data being transmitted over the wire’ from Meta’s
Turning to the question of BrandTotal’s access to Meta’s servers using its own computers, BrandTotal agrees that Meta revoked its access in October of 2020. The parties dispute whether BrandTotal continues to access password-protected portions of Facebook, or limits its access to portions of Facebook that are available to the public without a password.
Before reaching that dispute as to what, exactly, BrandTotal is doing, the Court begins with the question of whether the CFAA governs access to non-password-protected pages on Facebook and Instagram. The Ninth Circuit considered that question in hiQ, holding both before and after remand by the Supreme Court “that the concept of ‘without authorization’ does not apply to public websites.” hiQ, 31 F.4th at 1199 (applying the “gates up” or “gates down” framework that the Supreme Court set forth in Van Buren, 141 S. Ct. at 1658–59). The parties’ regular briefing on the present motions occurred after the Supreme Court vacated the Ninth Circuit’s first hiQ decision for reconsideration in light of Van Buren and before the Ninth Circuit reaffirmed that decision on remand. Meta’s argument that the CFAA applies where a specific party’s access to an
In a supplemental brief that Meta filed after the Ninth Circuit issued its new hiQ decision, Meta contends that the advertisement pages at issue are not actually public, but instead that “the general default for [those pages] is password protection” because while “Meta allows non-authenticated users to access certain ad URLs a very limited number of times, it then redirects them to a log-in page and prevents further access.” Pl.’s Supp’l Br. (dkt. 327) at 3 (citing Schultz MSJ Decl. Ex. 1 (Martens Opening Report) ¶¶ 209–21; id. Ex. 20 (Sherwood Report) ¶ 142 (asserting that most advertisement pages can be accessed without a password but acknowledging that Meta “restricts even this otherwise publicly available information by imposing technical limitations such as ‘lockout mechanisms.’”). In the Court’s view, these restrictions differ in degree rather than in kind from the technological restrictions that LinkedIn employed in hiQ to attempt to block automated and otherwise suspicious access, which the Ninth Circuit apparently considered insufficient to bring LinkedIn’s otherwise public pages within the scope of the CFAA. See hiQ, 31 F.4th at 1186 (“For example, LinkedIn’s Quicksand system detects non-human activity indicative of scraping; its Sentinel system throttles (slows or limits) or even blocks activity from suspicious IP addresses; and its Org Block system generates a list of known ‘bad’ IP addresses serving as large-scale scrapers.”). As the panel held in that case, the statute’s concept of access without authorization is predicated on the general public lacking authorization to access the material at issue at all:
[T]he wording of the statute, forbidding “access[] . . . without authorization,”
18 U.S.C. § 1030(a)(2) , suggests a baseline in which access is not generally available and so permission is ordinarilyrequired. “Authorization” is an affirmative notion, indicating that access is restricted to those specially recognized or admitted. . . . Where the default is free access without authorization, in ordinary parlance one would characterize selective denial of access as a ban, not as a lack of “authorization.”
Following hiQ, the Court holds that where a website is made available to the public without any authentication requirement in at least the first instance, “the concept of ‘without authorization’ does not apply,” see id. at 1199, even if the owner employs technological measures to block specific users, suspicious activity, or—as here—repeated access beyond a particular threshold. To hold otherwise could bring conduct ranging far beyond the CFAA’s purpose of preventing “hacking” within its scope of potential criminal liability, such as a user accessing a newspaper’s website from a smartphone after receiving notice on their computer that they had reached their monthly limit of free articles. The precedential decision in hiQ and the rule of lenity foreclose such an interpretation of the statute. Accordingly, BrandTotal is entitled to summary adjudication that such access does not violate the CFAA (or the nearly-coextensive CDAFA), and its motion is GRANTED as to that issue.30
Whether BrandTotal’s current practices are limited to accessing those public pages is a different question. For one thing, there is no dispute that BrandTotal currently uses its “Restricted Panel Extension” program to gather from particular restricted advertisement URLs that BrandTotal directs contractors to navigate to with the extension installed. Burrell Opp’n Decl. Ex. 39 (Regev Feb. 2022 Dep.) at 134:3–14. BrandTotal has not sought summary adjudication that such conduct, which uses a different program than UpVoice 2021, does not violate the CFAA, although as discussed separately below, the Court holds that Meta is not entitled to summary judgment on that issue.
Meta asserts that BrandTotal has also engaged directly with password-protected pages since Meta revoked its access in October of 2020. BrandTotal concedes that it only “modified its
Given that the record is less than clear as to how BrandTotal currently uses access tokens, the Court declines to resolve the question of whether BrandTotal’s “ongoing server-side data collection” violates the CFAA, see Defs.’ MSJ at 34–35, which may turn more on semantic questions of what that term encompasses than on whether any of BrandTotal’s ongoing operations (such as testing software) violate the statute, and even by its terms would seem to raise disputed issues of fact as to whether a jury should credit Martens’s opinion (which BrandTotal has not moved to exclude) “that BrandTotal was using Access Tokens associated with specific individuals as part of its Direct Collection activities,” Martens Opening Report ¶ 369. BrandTotal’s motion for summary judgment as to that issue is therefore DENIED, except for the more limited holding above that access to non-password-protected pages does not implicate the CFAA or the CDAFA.
2. Meta’s Motion Regarding the CFAA and CDAFA
Meta seeks judgment in its favor on its CFAA and CDAFA claims. Pl.’s MSJ at 16–22. To the extent it seeks judgment that BrandTotal’s collection of data from panelists using UpVoice 2021, or its direct access to non-password-protected portions of Meta’s platforms violates those statutes, id. at 20–21, its motion is DENIED for the reasons discussed above.
BrandTotal does not dispute that Meta revoked its authorization to access Meta’s platforms as of October 1, 2020. See Burrell Opp’n Decl. Ex. 28 at 12–14 (response to Interrogatory No. 21). Meta does not argue that BrandTotal lacked authorization before that date. The relevant period for this claim is therefore from October 1, 2020 to the present, and Meta is entitled to summary adjudication that any direct access by BrandTotal to password-protected Meta servers during that period was not authorized.
a. Losses of at Least $5,000
BrandTotal contends that Meta is not entitled to summary judgment that it has incurred the required loss of at least $5,000 in a one-year pеriod as a result of BrandTotal’s purportedly unauthorized access. Defs.’ Opp’n to MSJ at 22 (citing
Meta also argues that BrandTotal waived any defense based on lack of damages by failing to raise it in response to a contention interrogatory. Pl.’s MSJ Reply (dkt. 314) at 11. The interrogatory at issue reads as follows:
INTERROGATORY NO. 21: Separately for each of Your Products, to the extent you contend that You did not violate the CFAA or CDAFA, describe in detail the full basis for Your contention (including by identifying all facts, Documents and witnesses that relate to Your contention). Your response should include the full basis for Your contention, if any, that You did not “knowingly,” “with intent to defraud,” or “intentionally” “access” a protected Facebook or Instagram computer “without authorization or exceeding authorization” or did not “obtain information” from a protected Facebook or Instagram computer as those terms are used for purposes of establishing liability under the CFAA, or did not “knowingly” “access” and “without permission” “alter, damage, delete, destroy, or otherwise use” or “take, copy, or make use of” any “data, computer,
computer system, or computer network” or “computer services” as those terms are used for purposes of establishing liability under the CDAFA.
Burrell Opp’n Decl. Ex. 28 at 12. Meta did not ask for any potential defense; it asked for the basis for BrandTotal’s contention that it did not violate the statute. BrandTotal’s defense that Meta did not incur at least $5,000 in losses is not contingent on BrandTotal having complied with the statute. In other words, even if BrandTotal violated the CFAA, Meta could not bring a civil claim against it unless it had sufficient losses (or satisfied one of the other potential criteria of
Turning to the merits of this element of the claim, the parties dispute whether investigative costs are cognizable. The statute defines “loss” as:
any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service[.]
As BrandTotal notes, some district courts have held that this definition “makes clear Congress’s intent to restrict civil actions under subsection (I) to the traditional computer ‘hacker’ scenario—where the hacker deletes information, infects computers, or crashes networks.” AtPac, Inc. v. Aptitude Solutions, Inc., 730 F.Supp.2d 1174, 1185 (E.D. Cal. 2010); see also Welenco, Inc. v. Corbell, 126 F. Supp. 3d 1154, 1169 (E.D. Cal. 2015) (quoting and following AtPac); In re iPhone Application Litig., 844 F. Supp. 2d 1040, 1067 (N.D. Cal. 2012) (same). The Supreme Court recently construed the “loss” provision somewhat similarly, noting that it “relates to costs caused by harm to computer data, programs, systems, or information services” and “focus[es] on technological harms—such as the corruption of files—of the type unauthorized users cause to computer systems and data,” and that such an understanding of the civil prоvisions of the CFAA informed the Court’s analysis of the criminal case before it. Van Buren, 141 S. Ct. at 1659–60. The Ninth Circuit took that analysis one step further, interpreting Van Buren as having “concluded
That line of cases could be construed as abrogating a slew of previous district court decisions holding that investigative costs are recoverable under the CFAA and count towards the requisite loss, potentially including attorneys’ fees to the extent they are incurred for investigative purposes or similarly in “responding” to a violation. See, e.g., Distinct Media Ltd. v. Shutov, No. 15-cv-03312-NC, 2017 WL 1234400, at *6 (N.D. Cal. Mar. 10, 2017) (awarding on default judgment “attorneys’ fees associated with its investigative efforts, including court-approved discovery to identify” the defendant); United States v. Nosal, No. CR-08-0237 EMC, 2014 WL 121519, at *4–5 (N.D. Cal. Jan. 13, 2014) (noting that “judges in this district have routinely held that such investigation costs are included within the definition of
The Court declines to construe Van Buren and hiQ as foreclosing a loss based on Facebook’s investigative costs. Van Buren drew a contrast between loss related to a technological breach and harm caused by later misuse of wrongfully obtained data, which is further removed from the sort of access violation at issue here. 141 S. Ct. at 1659–60. There is no indication that the Van Buren Court would place investigative costs as falling outside the scope of “the cost of responding to an offense” that the statute specifically incorporates.
That said, Meta faces a hurdle in showing sufficient loss in that, as discussed above with respect to UpVoice 2021 and BrandTotal’s access to non-password-protected websites, much of the conduct Meta was investigating did not actually violate the CFAA. It is not clear from Dr. Prowse’s report what costs Meta incurred in response to true violations, and Meta has not argued or offered authority for the proposition that it can count costs to investigate potential violations that do not turn out to be violations towards the $5,000 threshold. Meta’s motion for summary judgment on its CFAA claim is therefore DENIED.
BrandTotal did not move for summary judgment on the issue of the $5,000 loss threshold. Even it had, it likely would not be entitled to it, because a jury might reasonably infer that at least $5,000 of the nearly $100,000 that Dr. Prowse identified in post–October 2020 investigation costs was attributable to unauthorized access by BrandTotal. The Court also does not reach BrandTotal’s argument—which it similarly raised only in opposition to Meta’s motion, not in its own motion—that Meta’s losses were unrecoverable litigation expenses, but notes that despite Meta’s attorneys’ involvement in supervising the investigation both before and after Meta filed its complaint, Dr. Prowse’s description of the investigative work on which he based his cost analysis tends to suggest that at least some of that work for the sort of response to BrandTotal’s access to understand the nature of the violation that courts have held fall within the statutory definition of “loss.”31
Because the CDAFA does not include the $5,000 loss threshold see Brodsky, 445 F. Supp. 3d at 129, and because identifying issues that are not genuinely in dispute with respect to the CFAA claim could streamline the issues to be addressed at trial, the Court proceeds to the remaining elements of Meta’s CFAA and CDAFA claims.
b. Unauthorized Access to Meta’s Computers
Aside from the forms of access already addressed above in the context of BrandTotal’s motion, Meta asserts that BrandTotal continued to access password-protected Meta websites in a number of ways after Meta revoked access: (1) through previously-installed copies of its various consumer products, including the legacy version of UpVoice and versions of the ASV and Story Savebox programs that collected access tokens, which continued requesting data from Facebook and Instagram and sending data that data to BrandTotal after Google removed those products from its online store, as well as the Phoenix and Social One applications for Android smartphones, which Google never removed from its store and which continued to collect data from Meta’s platforms in a similar manner to the pre-litigation version of UpVoice until February 2021; (2) through the “Muppet” accounts that BrandTotal created or purchased to access restricted pages; and (3) through the Restricted Panel Extension, which a BrandTotal contractor uses to collect data from password-protected advertisement pages at BrandTotal’s direction. See Defs.’ MSJ at 17–18; Defs.’ MSJ Reply at 14–15.
i. Legacy Products and Surviving Android Applications
BrandTotal does not respond to Meta’s arguments regarding legacy applications that remained installed after October of 2020, and Meta does not return to that issue in its reply. Meta’s expert witness Martens states in his report that many of BrandTotal’s legacy applications—both those like the old version of UpVoice that were removed from Google’s store but remained installed on some users’ computers, and the two applications (Phoenix and Social One) that remained available for download—continued actively requesting data from Facebook’s servers while users were logged into Facebook until February 23, 2021, when BrandTotal altered code that those programs dynamically downloaded to execute their data collection, effectively remotely shutting down that active collection. Martens Opening Report ¶¶ 518–21, 565. BrandTotal’s two Android applications that targeted Instagram, ASV and Story Savebox,
This method of hijacking a user’s logged-in session with Facebook or Instagram to manipulate Meta’s servers to divulge further information is materially indistinguishable from the conduct in Power Ventures, where even after Facebook explicitly revoked its authorization, the defendant continued sending emails to users inviting them to share advertisements for Power Ventures’ services with the users’ Facebook friends. 844 F.3d at 1063, 1067. If the user clicked a link agreeing to do so, Power Ventures automatically “create[d] an event, photo, or status on the user’s Facebook profile.” Id. at 1063. While the Ninth Circuit concluded that Power Ventures had permission from the users to access their profiles, and that it initially reasonably believed that permission was sufficient to authorize it to access Facebook’s servers, the court held that after Facebook explicitly revoked Power Ventures’ authorization and attempted to block its IP addresses, its continued use of that email campaign and manipulation of users’ accounts (even with the users’ permission) constituted unauthorized access to Facebook’s servers. Id. at 1067–68. Here, as in that case, it is of no consequence whether BrandTotal had permission from its panelists to use their accounts for data collection. Once Meta revoked BrandTotal’s authorization to access its platforms, BrandTotal’s continued use of its various programs to actively collect data while panelists were logged into Facebook—which it had the power to stop, but did not before February of 202132—violated the CFAA. Meta’s motion is GRANTED as to summary adjudication of that
ii. Direct Collection by BrandTotal
BrandTotal’s direct collection of data also, in at least some instances, violated the CFAA and CDAFA. While the testimony in the record regarding the extent to which BrandTotal used “fake” user credentials to access restricted pages is muddled, BrandTotal concedes in its reply brief in support of its own motion for summary judgment that it only “modified its server-side collection software in ‘late October, beginning of November 2021’ to stop using access credentials of purchased users to collect information on restricted pages.” Defs.’ MSJ Reply at 18 (citing Taylor Reply Decl. Ex. KK (Regev Feb. 2022 Dep.) at 143:14–18 (dеscribing when BrandTotal began using the Restricted Panel Extension)); Burrell Opp’n Decl. Ex. 39 (Regev Feb. 2022 Dep.) at 109:10–22 (stating that the only way BrandTotal could access restricted pages before it began using the Restricted Panel Extension was by using “the fake users or some other technique”). Meta’s expert witness Martens states that BrandTotal at times used [REDACTED] to gather information from restricted advertisement pages that could only be accessed by a logged-in account, although Meta does not specifically cite that portion of his report in its briefing. Martens Opening Report ¶¶ 635–37. [REDACTED] Id.
Meta is entitled to summary adjudication that direct access by BrandTotal to password-protected areas of Meta’s platforms violated the CFAA and the CDAFA. Neither the frequency or duration of such access, nor the degree to which it continued beyond the October or November 2021 rollout of the Restricted Panel Extension, is entirely clear, however, and to the extent those questions are relevant to damages or any other aspect of these claims, they remain to be resolved
iii. Restricted Panel Extension
BrandTotal began using the Restricted Panel Extension (“RPE”) in October or November of 2021. Schultz MSJ Decl. Ex. 25 (Regev Feb. 2022 Dep.) at 143:14–18. BrandTotal collects data by directing an individual it has contracted with through a third party to install the RPE and visit specific restricted pages while logged into Facebook using that individual’s own account. Id. at 134:3–140:19. Meta’s briefs do not identify any relevant technological difference between the RPE and UpVoice 2021, instead focusing on the fact that the RPE is an “internal tool” used by someone working at BrandTotal’s direction. Pl.’s MSJ Reply (dkt. 314) at 14. There is no indication that Facebook has denied authorized access to the individual who uses the RPE, in their individual capacity. The question, then, is whether someone who lacks authorized access to a computer violates the CFAA by soliciting someone who has access to obtain particular data from the computer.
The Supreme Court addressed in Van Buren the converse situation of whether the individual accessing the computer under such an arrangement violates the CFAA, and held that they do not, because their access is authorized. There, a police officer who was authorized to access information in a law enforcement database used that database to look up the owner of a license plate at the request of an acquaintance (who happened to be a confidential informant for the FBI) in exchange for a promise of payment. 141 S. Ct. at 1653. The Court reversed the officer’s criminal conviction under the CFAA because he “did not ‘excee[d] authorized access’ to the database, as the CFAA defines that phrase, even though he obtained information from the database for an improper purpose.” Id. at 1662.
Here, the question is analogous to whether the acquaintance who offered to pay the officer for that information, and was not himself authorized to access it, would have violated the CFAA if the offer had been genuine (rather than part of a sting operation). Few courts have addressed that fact pattern, but the limited authority available suggests that hiring an authorized intermediary to obtain data from a computer the princiрal is not authorized to access does not violate the statute. In the Ninth Circuit’s en banc Nosal decision, a former employee of an executive search company,
On remand to the district court, the prosecution asserted additional facts regarding other individuals: an authorized user, J.F., “logged on to the computer using her credentials, then handed over the computer terminal to M.J. [an unauthorized user], who ran his own searches through the . . . database and then downloaded files therefrom.” United States v. Nosal (“Nosal II”), 930 F. Supp. 2d 1051, 1063 (N.D. Cal. 2013). Judge Chen held that was sufficient to allege that M.J. accessed the computer without authorization, as it was equivalent to using J.F.’s credentials to access what M.J. was not himself authorized to access. Id. He declined to reach the question of whether the statute “should be read so broadly as to encompass the situation where an unauthorized person looks over the shoulder of the authorized user to view password protected information or files,” holding only that a violation occurred where the unauthorized person actually interacted with the computer. Id.
In a 2015 case from this district, the plaintiff LED manufacturing companies alleged that the defendants directed one of the plaintiffs’ employees to procure confidential information from corporate computers before he left the plaintiffs’ employment to work for the defendants. Koninklijke Philips N.V. v. Elec-Tech Int’l Co., No. 14-cv-02737-BLF, 2015 WL 1289984, at *2 (N.D. Cal. Mar. 20, 2015). In granting a motion to dismiss, Judge Freeman noted that the plaintiffs did not provide sufficient allegations to establish an agency relationship, but held that “even a well-pled agency allegation would leave the Plaintiffs no closer to stating a claim under the CFAA,” because the defendants did not themselves access the plaintiffs computer and holding them for directing the misuse of data by an authorized user would run afoul of the Ninth Circuit’s conclusion in Nosal “that the CFAA was designed to target hacking, not misappropriation.” Id. at *4. Judge Freeman noted that the facts alleged did not amount to an unauthorized user directly interacting with the computer as in Nosal II, but instead merely misuse of information taken from the computer by an authorized user. Id. at *5. That such misappropriation occurred at the defendants’ direction did not mean the defendants “accessed” a computer within the meaning of the statute. See also Dresser-Rand Co. v. Jones, 957 F. Supp. 2d 610, 615 (E.D. Pa. 2013) (reaching the same conclusion in a similar case).
Following the decision in Koninklijke, the Ninth Circuit confronted yet another permutation of Nosal. In that iteration of the case, the relevant facts were that after Nosal and his accomplices had left the company, the accomplices continued to access its network using the access credentials of Nosal’s former executive assistant, who continued to work there at Nosal’s request. United States v. Nosal (“Nosal III”), 844 F.3d 1024, 1029 (9th Cir. 2016). The Ninth Circuit affirmed Nosal’s conviction for conspiracy to violate the CFAA, holding that his former employer had unambiguously revoked his and his accomplices’ access and his former assistant had no power to reinstate that access. Id. at 1029–30. Meta highlight’s the court’s conclusion that “once authorization to access a computer has been affirmatively revoked, the user cannot sidestep the statute by going through the back door and accessing the computer through a third party.” Id. at 1028. But that case involved unauthorized parties using an authorized user’s credentials to interact with the computer—more comparable to BrandTotal’s older products that affirmatively requested data from Meta’s servers after an authorized user had logged in—not merely soliciting an authorized user to collect and provide information, or even “look[ing] over the shoulder of the authorized user,” cf. Nosal II, 930 F. Supp. 2d at 1063, as BrandTotal essentially does with the RPE.
* * *
Meta’s motions for summary judgment is GRANTED as to the question of whether active collection of data from password-protected portions of Meta’s services by BrandTotal’s legacy programs, and by BrandTotal directly, violated the CFAA and the CDAFA. Meta’s motion is otherwise DENIED as to these claims. Meta will be entitled to judgment in its favor on the CDAFA claim based on its legacy programs and direct access to password-protected material, with relief to be determined at trial. Meta’s CFAA claim remains contingent on showing at trial at least $5,000 in loss caused by BrandTotal’s violations.
D. Meta’s UCL Claim (Both Parties’ Motions)
Both parties seek summary judgment on Meta’s claim under the UCL, which broadly prohibits unlawful, unfair, and fraudulent business acts. Korea Supply Co. v. Lockheed Martin Corp., 29 Cal. 4th 1134, 1143 (2003). “Unlawful acts are anything that can properly be called a business practice and that at the same time is forbidden by law . . . be it civil, criminal, federal, state, or municipal, statutory, regulatory, or court-made, where court-made law is, for example a violation of a prior court order.” Sybersound Records, Inc. v. UAV Corp., 517 F.3d 1137, 1151 (9th Cir. 2008) (ellipsis in original) (citations and internal quotation marks omitted). “Unfair acts among competitors means ‘conduct that threatens an incipient violation of an antitrust law, or
1. BrandTotal’s Motion: UpVoice 2021
BrandTotal has only sought summary judgment on this claim with respect to UpVoice 2021. Defs.’ MSJ at 35.
Beginning with the “unlawful” prong, as discussed above, Meta is entitled to summary judgment that BrandTotal’s use of UpVoice 2021 is a breach of Meta’s terms of use. But “breach of contract may form the basis for UCL claims only if ‘it also constitutes conduct that is ‘unlawful, or unfair, or fraudulent.’” Conder v. Home Sav. of Am., 680 F. Supp. 2d 1168, 1176 (C.D. Cal. 2010) (quoting Puentes v. Wells Fargo Home Mtg., Inc., 160 Cal. App. 4th 638, 645 (2008)) (emphasis omitted). As also discussed above, the Court holds that UpVoice 2021 does not violate the CFAA or CDAFA, which are Meta’s only stated grounds for asserting a violation of the “unlawful” prong of the UCL. Pl.’s Opp’n to MSJ at 33.
As stated in Meta’s complaint, the two grounds for its claim under the “fraudulent” prong of the UCL are that BrandTotal “falsely represented to Facebook and Instagram’s users that Facebook was a ‘participating site’ that sanctioned Defendants’ conduct,” and that BrandTotal “deceived Facebook into providing them with access to its computer network by using the login credentials of other users.” FAC ¶ 123. With respect to purported deception of users, BrandTotal offers undisputed evidence that it removed the statement on which Meta bases its claim from its website before launching UpVoice 2021. Leibovich TRO Decl. (dkt. 27-3) ¶ 29. Regardless, “courts have recognized that UCL fraud plaintiffs must allege their own reliance—not the reliance of third parties—to have standing,” such that competitors may not bring claims based on the reliance of third party customers, much less based on a mere possibility of such reliance. See O’Connor v. Uber Techs., Inc., 58 F. Supp. 3d 989, 1002 (N.D. Cal. 2014) (citing ZL Techs. v.
Finally, as discussed at length in the Court’s previous orders in this case, a competitor bringing a claim under the “unfair” prong must show “‘conduct that threatens an incipient violation of an antitrust law, or violates the policy or spirit of one of those laws because its effects are comparable to or the same as a violation of the law, or otherwise significantly threatens or harms competition.’” E.g., 2d MTD Order at 25 (quoting Cel-Tech, 20 Cal. 4th at 187). Meta has made no attempt to meet that standard here and has identified no evidence from which such an effect on competition could be found.
BrandTotal’s motion for summary judgment is therefore GRANTED as to a finding that its use of UpVoice 2021 does not violate the UCL. Since that is the only conduct it addressed in its motion, however, this holding does not reach any other past or present conduct by BrandTotal aside from its distribution of that product and its collection of data from users who have installed it.
2. Meta’s Motion
Meta seeks partial summary judgment on its UCL claim to the extent BrandTotal violated the CFAA and the CDAFA. Pl.’s MSJ at 22–23. BrandTotal argues in response only that its conduct does not violate those statutes. Defs.’ Opp’n to MSJ at 26. Meta’s motion is therefore granted in part and denied in part to the same extent as its CFAA and CDAFA claims discussed above. In other words, Meta’s motion for summary judgment on its UCL claim is granted with respect to conduct that the Court has found violates the CFAA and CDAFA, and denied with respect to conduct that the Court found did not violate those statutes.
Except with respect to UpVoice 2021, neither party sought summary judgment on Meta’s
E. BrandTotal’s Counterclaims (Meta’s Motion)
Meta seeks summary judgment in its favor on BrandTotal’s remaining counterclaims for intentional interference with contract (with respect to existing customers, panelists, and Google), intentional interference with prospective economic advantage (with respect to the same entities), and violation of the “unlawful” prong of the UCL by virtue of the same tortious interference. Pl.’s MSJ at 22–35. Since the elements of the two tortious interference theories largely overlap, and BrandTotal’s surviving UCL counterclaim is predicated entirely on tortious interference, the Court addresses these counterclaims together.
1. Legal Standard
“‘The elements which a plaintiff must plead to state the cause of action for intentional interference with contractual relations are (1) a valid contract between plaintiff and a third party; (2) defendant’s knowledge of this contract; (3) defendant’s intentional acts designed to induce a breach or disruption of the contractual relationship; (4) actual breach or disruption of the contractual relationship; and (5) resulting damage.’” hiQ, 31 F.4th at 1191 (quoting Pac. Gas & Elec. Co. v. Bear Stearns & Co. (“PG&E”), 50 Cal. 3d 1118, 1126 (1990)). While the typical case involves actual breach, the element of “disruption” of a contract can also be satisfied “where the plaintiff’s performance has been prevented or rendered more expensive or burdensome.” Id. at 1191 n.9 (citation and internal quotation marks omitted); see also PG&E, 50 Cal. 3d at 1129 (“[W]hile the tort of inducing breach of contract requires proof of a breach, the cause of action for interference with contractual relations is distinct and requires only proof of interference.”). A claim for interference with an at-will contract requires showing wrongfulness beyond mere interference, based on its resemblance to a claim for interference with prospective relations—in particular, the lack of any “legal basis in either case to expect the continuity of the relationship or to make decisions in reliance on the relationship.” Ixchel, 9 Cal. 5th at 1147.
A claim for intentional interference with prospective economic relations is similar to
2. Relevant Facts
The act of interference on which BrandTotal bases these claims is Meta’s outreach to Google regarding concerns about BrandTotal’s products, which led to the removal of UpVoice from Google’s online store. See Defs.’ Opp’n to MSJ at 26–27. Specifically, after Meta had investigated BrandTotal’s products over a period of years, Meta employee Jeremy Brewer wrote to Google employee Benjamin Ackerman on September 21, 2020, that Meta believed UpVoice, among other Google Chrome extensions, was “improperly scraping user PII (e.g., gender, relationship status, ad interests, etc.) without proper disclosure.” Schultz MSJ Decl. Ex. 34. Another Meta employee who had been involved with the investigation of BrandTotal, Sanchit Karve, followed up that day to note that similar extensions from a company called “oinkandstuff” had been removed by Google, and again a few days later to ask if Ackerman had “had a chance to look into our request.” Id. Ackerman responded on September 29, 2020: “. . . I will get the three that are live looked at. Just looking through their privacy policy it does look like they are collecting a bunch of information for advertising purposes, which is a no no.” Id.
Karve states that he had begun investigating BrandTotal browser extensions in March of
As of September 21, 2020, I understood from our investigation that BrandTotal’s claim that it anonymized user data was misleading because it used a hash function on user IDs that did not fully or securely anonymize the information collected. Even with a properly hashed user ID, for example, it is possible to correlate information from different entries bearing the same hashed user ID to discovery the identity of the user. Additionally, because Facebook user IDs have defined lengths and ranges of valid values, they can be reverse engineered relatively easily even when hashed. I also understood from our investigation that BrandTotal’s method of data collection was not targeted, meaning that in order to collect one piece of information, its extensions also collected additional, related information. The collection of that additional information was not disclosed to users. And finally, I was also aware that multiple individuals in a household could be using an extension installed on a shared household computer, some of whom might have been unaware of the extension’s operation and data collection.
Karve Decl. (dkt. 272-1) ¶ 7. Karve also states that Brewer’s “email accurately described Meta’s understanding of the operation of BrandTotal’s extensions and the substance of its disclosures to users, as based upon our investigations at the time.” Id. at ¶ 6. According to Karve, “[i]t is routine for Meta to report applications and extensions that violate Facebook and Instagram terms to Google.” Id. at ¶ 9.
Google—specifically Benjamin Ackerman—had opened an investigation into oinkandstuff in March of 2020. Ackerman Decl. (dkt. 272-3) Attach. 1 at -3.33 Ackerman had also received a report on September 17, 2020 of certain Chrome extensions believed to be developed by BrandTotal’s affiliate Unimania improperly manipulating their reviews on Google’s store. Ackerman Decl. ¶¶ 8–9. On September 29, 2020, the same day he responded to Karve, Ackerman added a note to the oinkandstuff investigation stating that he “got a report from some contacts at Facebook that the following extensions [including UpVoice] are also from oinkandstuff and are collecting unnecessary data.” Id. at Attach. 1 at -11. Based on a “quick look through their privacy policy” he determined that it “looks like they are selling that data for advertisers.” Id. According to Ackerman, Google ultimately removed UpVoice and the other extensions Meta reported based on Google’s determination, after its own investigation, that they “obfuscated their code base, did
3. Meta Acted with a Legitimate Business Purpose
Meta asserts that it was justified in any interference with BrandTotal’s contracts. “Under California law, a legitimate business purpose can indeed justify interference with contract”—or economic relations—“but not just any such purpose suffices.” See hiQ, 31 F.4th at 1192. “‘Whether an intentional interference by a third party is justifiable depends upon a balancing of the importance, social and private, of the objective advanced by the interference against the importance of the interest interfered with, considering all circumstances including the nature of the actor’s conduct and the relationship between the parties.’” Id. at 1193 (quoting Herron v. State Farm Mut. Ins. Co., 56 Cal. 2d 202, 206 (1961)). Courts must determine whether the defendant’s interest outweighs societal interests in stability of contracts (the defendant’s mere pursuit of economic advantage generally does not), “whether the means of interference involve no more than recognized trade practices,” “whether the conduct is within the realm of fair competition,” and—most importantly—“whether the business interest is pretextual or asserted in good faith.” Id. (citations and internal quotation marks omitted). A defendant’s enforcement of its own contract is not an absolute defense to interference—even then, the “determinative question” is whether the party acted in good faith. Richardson v. La Rancherita, 98 Cal. App. 3d 73, 81 (1979); see also Webber v. Inland Empire Invs., 74 Cal. App. 4th 884, 902 (1999).
The Court previously denied Meta’s motion to dismiss this counterclaim based on the legitimate purpose defense, holding that BrandTotal had “raise[d] at least a specter of bad faith sufficient to render . . . plausible” its allegation that Meta’s statements to Google “‘were known by [Meta] to be false, and its actions were malicious.’” 2d MTD Order at 14–15 (quoting 1st Am. Counterclaim ¶ 149). The Court reached that conclusion in the highly deferential context of whether the affirmative defense Meta asserted was “‘obvious from the face of’” BrandTotal’s counterclaims. Id. (quoting Rivera v. Peri & Sons Farms, Inc., 735 F.3d 892, 902 (9th Cir. 2013)).
Contemporary documentation from Meta’s investigation indicates that Meta believed BrandTotal was acting deceptively and abusing Meta’s platform. A March 31, 2020 internal report on the success of one of Meta’s monitoring programs highlighted BrandTotal’s products including UpVoice (as well as one other entity redacted in the record), asserting that “in most cases users are unaware this data is being accessed” and concluding that BrandTotal’s “spider web of services across different platforms to deceptively collect user metadata and ad targeting makes [sic] highlights the need to take more severe enforcement / legal action.” Schultz MSJ Decl. Ex. 41 at -1166, -1169. The report notes that BrandTotal collects various categories of user data, and that “while user ID and device ID is hashed before sending to remote server, this is misleading” because “User ID hashing is considered ‘pseudo anonymized’ since you can still correlate information from multiple entries bearing the same hashed user ID and discovery the user identity.” Id. at -1169. Another document from Meta’s investigation similarly asserts that, despite UpVoice employing techniques that would seem to anonymize user IDs, “the user id is still easily recoverable.” Id. Ex. 40 at -28702. The latter document includes an “Enforcement Plan,” prepared at a time when the enforcement date was “TBD,” that included “[c]ontact[ing] Google CWS [i.e., Chrome Web Store] team to take down following chrome extensions,” including UpVoice. Id. at -28716.
Regardless of whether Meta’s contemporary views of BrandTotal’s purportedly deceptive collection of user data were accurate, BrandTotal’s assertion here that “nothing in the contemporaneous documents obtained since the motion to dismiss hearing suggest Meta ‘believed’ BrandTotal was collecting user PII ‘without proper disclosure,’” Defs.’ Opp’n to MSJ at 30, is not accurate, because Meta apparently believed that many users were unaware of BrandTotal’s data collection, and that it was “deceptive,” as early as April of 2020. Schultz MSJ Decl. Ex. 41 at -1166, -1169. Google’s ultimate conclusion after its own investigation that UpVoice “did not
There is certainly also evidence that Meta was concerned about BrandTotal’s “scraping” of ads on Facebook and Instagram. See, e.g., Taylor Opp’n Decl. (dkt. 299-1) Ex. T at -14657 (April 2019 note reading: “Ads and targeted scraping is a priority for BU this half so to the extent they do that at scale, I think it merits enforcement.”). There is also evidence that Meta knew some of its advertising customers were using or interested in BrandTotal’s analytics services. See, e.g., id. Ex. V (September 24, 2020 request to Karve from Meta’s “marketing insights team” for information about UpVoice because “several advertiser partners [were] asking our sales team for their POV on it’s [sic] capabilities,” to which Karve responded, “We’re enforcing on them this week”); id. Ex. U (September 22, 2020 email among Facebook employees expressing interest in better understanding BrandTotal and potentially exploring a partnership).
But as discussed above in the context Meta’s breach of contract claim, BrandTotal’s scraping violates Meta’s terms of use, and BrandTotal has not met its burden to show that those terms are unenforceable. Generally, “if a defendant’s ‘conduct was lawful and undertaken to enforce its rights,’ it cannot be held liable for intentional interference with a contract even if it knew that such conduct might interrupt a third party’s contract.” SIC Metals, Inc. v. Hyundai Steel Co., 442 F. Supp. 3d 1251, 1256 (C.D. Cal. 2020) (quoting Webber, 74 Cal. App. 4th at 905), aff‘d, 838 F. Appx 315 (9th Cir. 2021). BrandTotal notes that SIC Metals acknowledged an exception for fraud, see id. at 1257 (quoting Quelimane Co. v. Stewart Title Guar. Co., 19 Cal. 4th 26, 56 (1998)). As discussed above, however, there is both declaration testimony and corroborating evidence that Meta’s email to Google accurately reflected its beliefs at the time about BrandTotal engaging in deceptive data collection. Discovery has now closed, and BrandTotal identifies no evidence that Meta instead believed that BrandTotal provided proper disclosures, or that its message was otherwise knowingly or recklessly false.
At the time of the events at issue, BrandTotal was routinely violating Meta’s terms of service at least by engaging in automated data collection without permission. Google determined
The Court does not reach the parties’ other arguments regarding these counterclaims, including whether BrandTotal’s contracts are enforceable, whether Meta knew of the contracts, whether Meta’s interference proximately caused harm, and whether any conduct was independently wrongful as needed to support a claim for interference with prospective relations or an at-will contract.
V. ADMINISTRATIVE MOTIONS TO FILE UNDER SEAL
The parties have filed a number of administrative motions to file documents under seal, or to consider whether an opponent’s confidential material should be sealed, in connection with the present substantive motions and their motions to exclude expert testimony. See dkts. 245, 249, 250, 267, 270, 271, 280, 281, 287, 292, 294, 297, 298, 300, 302, 312, 313, 315, 326. All of the motions at issue are “more than tangentially related to the merits of the case,” and thus require “compelling reasons” to seal. See generally Ctr. for Auto. Safety v. Chrysler Grp., LLC, 809 F.3d 1092 (2016).
For the most part, the parties have limited their requests to sensitive information about their respective operations that could cause competitive harm if disclosed. There is one exception: BrandTotal’s designation of any discussion of its past practices of purchasing or creating “fake” accounts to access Meta’s platforms. See, e.g., Defs.’ MSJ Reply at 18. BrandTotal asserts that it does not use that technique anymore, so disclosing that it once did so does not reveal meaningful
Otherwise, the parties’ administrative motions to seal are GRANTED as to all proposed redactions supported by their own or their opponent’s declarations, and DENIED as to material identified for consideration of sealing solely based on an opponent’s designation that the opponent did not seek to seal in a responsive declaration. BrandTotal shall file a statement no later than June 10, 2022 identifying each of its confidentiality designations (for its own filings and Meta’s filings) that is subject to the Court’s ruling above regarding fake accounts. If the Court finds BrandTotal’s list insufficient, it will order further disclosure. The parties shall file revised public versions conforming to this order—i.e., disclosing in the public record any opponent’s material not substantiated with an opponent’s declaration, any material included on BrandTotal’s June 10, 2022 list, and any further information the Court might order disclosed—no later than June 24, 2022.
VI. CONCLUSION
For the reasons discussed above, Meta’s motion for sanctions and each party’s motion for summary judgment is GRANTED in part and DENIED in part.
On the motion for sanctions, the Court finds that BrandTotal at least negligently failed to preserve relevant evidence. The Court will instruct the jury that BrandTotal failed to preserve the Rapid7 logs despite a duty to do so, and that the jury may draw an adverse inference if it finds that failure was intentional. BrandTotal is ORDERED to reimburse seventy-five percent of Meta’s fees and costs for bringing its sanctions motion.
Meta’s motion for summary judgment is GRANTED as to the following claims and issues: (1) Meta is entitled to judgment on its claim for breach of contract; (2) Meta is entitled to judgment on its CDAFA claim based on BrandTotal’s active data сollection through legacy user
BrandTotal’s motion for summary judgment is GRANTED as to the following issues: (1) BrandTotal’s use of UpVoice 2021 does not violate the CFAA, the CDAFA or the UCL; and (2) BrandTotal’s direct collection of data from non-password-protected pages on Meta’s platforms does not violate the CFAA or the CDAFA, even where Meta has imposed technological barriers attempting to block repeated or suspicious access.
The parties’ motions for summary judgment are otherwise DENIED.
The Court also GRANTS in large part the parties’ various administrative motions to file under seal. In an abundance of caution, the Court has provisionally filed this order under seal. Any party that believes any portion of this order cannot be publicly disclosed may bring a motion identifying compelling reasons to maintain under seal narrowly tailored redactions no later than June 3, 2022. If no such motion is filed by that date, the Court will file this order unredacted in the public record.
IT IS SO ORDERED.
Dated: May 27, 2022
JOSEPH C. SPERO
Chief Magistrate Judge
