Court: District Court, N.D. California; July 21, 2014; Federal District Court
ORDER GRANTING-IN-PART MOTION TO DISMISS AND GRANTING MOTION TO STRIKE
PAUL S. GREWAL, United States Magistrate Judge.
Plaintiffs filed a class action lawsuit against Google, Inc. over two years ago, alleging the improper commingling of user data across various Google products and unauthorized data disclosure to third parties. The court has previously dismissed the Plaintiffs’ claims twice and is now considering a third dismissal. The court grants the motion to dismiss but only in part.
The class action targets individuals and entities in the U.S. who obtained a Google account between August 19, 2004, and February 29, 2012, and who maintained their accounts after the introduction of a new privacy policy on March 1, 2012. Specific subclasses include: (a) users of Android devices acquired between May 1, 2010, and February 29, 2012, who switched to non-Android devices post-March 1, 2012 (Android Device Switch Subclass), and (b) users who acquired Android devices between August 19, 2004, and the present and downloaded at least one app from the Android Market or Google Play (Android App Disclosure Subclass).
Google’s business model relies primarily on advertising, which constituted approximately 95% of its revenue, amounting to $36.53 billion in 2011 and $43.69 billion in 2012. To facilitate targeted advertising, Google collects extensive user data, including personal information, browsing habits, and Gmail communication contents. Prior to March 1, 2012, Google did not automatically combine data from different services linked to a user's account. Although Google maintained a general privacy policy indicating the potential for data combination, specific policies for individual products like Gmail and Android devices included limitations that contradicted this general statement, specifying that certain data would not be identifiable to the user.
Google's privacy policy, effective prior to March 1, 2012, prohibited the combination of certain Android user information with data from other services. However, on March 1, 2012, Google unified its policy, allowing for the commingling of user data across accounts and its disclosure to third parties for advertising purposes. Plaintiffs, who obtained Google accounts or Android devices before February 29, 2012, filed a lawsuit on March 20, 2012, challenging the policy change and claiming it violated prior agreements and consumer privacy rights without user consent. The court dismissed the initial complaint due to insufficient allegations of concrete economic harm and a lack of standing.
After being granted leave to amend, Plaintiffs filed an amended complaint on March 7, 2013, broadening their claims and detailing injuries. Although the court found sufficient standing, it dismissed the case again for failing to support their claims adequately. The amended complaint included allegations related to Google's 'Emerald Sea' initiative, aimed at transforming the company into a social media advertising entity through extensive user data profiling. Plaintiffs argued that Google maintained previous privacy policies to mislead consumers while pursuing ad revenue.
The collective grievances cite violations of privacy policies, economic costs from replacing Android devices, and increased resource consumption due to third-party disclosures. The legal theories presented include violations of the California Consumers Legal Remedies Act, the Federal Wiretap Act, the Stored Electronic Communications Act, California’s Unfair Competition Law, and common law claims of breach of contract and intrusion upon seclusion. Google has moved to dismiss again, asserting that Plaintiffs lack standing and have not provided sufficient factual support for their claims. The legal standard for Article III standing requires a concrete injury, traceability to the defendant's action, and a likelihood of redress from a favorable ruling.
A lawsuit initiated by a plaintiff lacking Article III standing does not constitute a 'case or controversy,' resulting in a lack of subject matter jurisdiction for an Article III court. Such a suit should be dismissed under Federal Rule of Civil Procedure 12(b)(1). Article III requires an 'injury' that may be established through statutes that create legal rights, which, when violated, confer standing. The standing inquiry is separate from the merits of the claim and does not necessitate evaluating the claim's merits. The Supreme Court mandates a thorough review of the complaint’s allegations to determine if the plaintiff is entitled to pursue the claims.
Under Rule 12(b)(6), a complaint must present a concise statement demonstrating the entitlement to relief. If a plaintiff fails to provide sufficient facts for a plausible claim, the complaint may be dismissed. A claim is considered facially plausible when its factual allegations allow for a reasonable inference of the defendant's liability. Dismissal can occur due to a lack of a legal theory or insufficient factual allegations. The court must accept factual allegations as true and view them favorably towards the non-moving party, though it need not accept conclusory statements or unreasonable inferences. Dismissal with prejudice without leave to amend is only appropriate when it is clear that amendment would not remedy the complaint.
In this case, Google challenges the plaintiffs' complaint on two grounds: lack of standing and insufficient pleadings under Iqbal and Twombly standards. The court previously found that the plaintiffs had standing based on specific injuries, including battery power loss and costs incurred from purchasing new phones influenced by privacy concerns. However, Google contends that these reasons do not establish Article III standing and argues that previously asserted injuries do not hold up. The court finds Google's argument regarding the alleged risk of future harm from data commingling persuasive, while the arguments concerning the other injuries are not.
Allegations of heightened security risks resulting from unauthorized data disclosures do not confer standing for claims of unfair competition and intrusion upon seclusion. Google contends that such risks do not meet the Article III injury-in-fact requirement, as a previous court ruling established that unauthorized disclosure alone does not suffice. Plaintiffs argue that their injury stems from the increased risk of further harm (such as interception, harassment, and identity theft) due to the disclosure. The Ninth Circuit permits standing based on credible threats of future harm, but establishing this harm is challenging. Previous cases, including Low v. LinkedIn and Yunker v. Pandora, found insufficient harm to confer standing since the alleged risks were deemed too speculative. In this case, the lack of criminal activity and the nature of Google's authorized disclosures further align it with those precedents rather than Krottner, where sensitive data was stolen.
Regarding Nisenbaum's claims related to the Device Switch Subclass under UCL and CLRA, Google argues he lacks standing due to his association with a 2009 privacy policy that permits data commingling and a shift in his claim's basis for phone replacement. However, the court has dismissed the relevance of the 2009 policy and previously ruled that Nisenbaum's phone replacement conferred standing. His claim of economic injury from the policy change remains valid, as he asserts he would not have replaced his phone but for Google's policy switch. Thus, despite changes in his motivations, Nisenbaum’s injury is traceable to Google's policies, maintaining his standing to pursue claims on behalf of the subclass.
Battery life depletion is a critical factor in establishing standing for the Plaintiffs, who allege that Google Play's unauthorized information transmission during app downloads negatively impacts their device's battery life. Google contends that the claims related to this injury are no longer valid, asserting there is no causal connection between its actions (disclosing user information to app developers) and the alleged injury (increased battery use). Google further argues that since developers access data from its servers and not directly from users' devices, this should not affect battery consumption. However, the court notes that determining this causal relationship involves factual inquiries unsuitable for resolution at this stage of litigation. Google acknowledges that its data disclosures lead to minimal data transmission from devices, and prior court rulings confirm that resource depletion claims, like battery drain, establish standing. Therefore, the Plaintiffs maintain standing to assert their claims.
Regarding the sufficiency of the pleadings, the court confirms that Google is immune from claims under the Wiretap Act and the Stored Communications Act based on its role as an electronic communication service provider, and the Plaintiffs have not amended their claims to circumvent this immunity. Consequently, the breach of contract claim is dismissed for failing to state a viable claim.
The Plaintiffs also pursue a claim under the California Consumers Legal Remedies Act (CLRA) for the Device Switch Subclass, alleging that Google misled potential buyers regarding the privacy of device-related information in its 2008 Android Policy. They argue that had Google disclosed its intention to alter this policy in June 2010, Plaintiff Nisenbaum would not have purchased his Android device. To succeed under the CLRA, Plaintiffs must demonstrate reliance on Google's misrepresentations and resulting damages, which are subject to heightened pleading standards under Rule 9(b).
Google contends that Plaintiffs’ CLRA claim should be dismissed, asserting that software does not qualify as a good or service under Cal. Civ. Code § 1770. However, Plaintiffs argue their claim is based on the sale of the Android device itself, which is considered tangible property linked to the disputed privacy policy. The CLRA allows for liability even if there is no direct sale between Google and Plaintiffs, particularly concerning affirmative misrepresentations rather than omissions. Plaintiffs assert that Google intentionally misrepresented the privacy policy's implications regarding the handling of personal information.
The court previously dismissed the CLRA claims due to a lack of allegations that Google intended to misuse Plaintiffs' information beyond what was advertised. Although this deficiency has been addressed, a critical flaw remains: the complaint does not state that Nisenbaum or subclass members were aware of Google’s privacy policy before agreeing to the terms. Without showing reliance on any misrepresentation, the CLRA claim cannot proceed.
Plaintiffs attempt to counter this by claiming reliance can be inferred or presumed from existing case law, but the cited cases pertain to the UCL, not the CLRA, and involve plaintiffs who were exposed to misrepresentations. Furthermore, reliance cannot be presumed from a material omission when the claim is based on affirmative misrepresentations. Lastly, while Plaintiffs suggest that Nisenbaum was exposed to the privacy policy during account registration, this occurred post-purchase, making any reliance on the policy unreasonable at the time of the device purchase. Consequently, the CLRA claim for the Device Switch Subclass must be dismissed due to inadequate pleading.
Regarding the UCL claim, California’s UCL allows actions against businesses for unfair, unlawful, or fraudulent practices, and Plaintiffs assert their claim under all three prongs. To sustain the unlawful prong, Plaintiffs must establish that Defendant’s actions violate another law.
Unlawful conduct that is part of a uniform course of fraudulent behavior must adhere to Rule 9(b)’s heightened pleading standards, requiring plaintiffs to specify facts that demonstrate the likelihood of public deception by the defendant. The Ninth Circuit mandates that claims under the fraudulent prong of the Unfair Competition Law (UCL) are subject to these standards. For the UCL's unfair prong, the definition of 'unfair' business practices remains ambiguous; typically, such practices offend public policy or are considered immoral or injurious. Courts assess unfairness by weighing the impact on victims against the defendant's justifications.
Plaintiffs’ claims under the UCL fail because the underlying California Consumers Legal Remedies Act (CLRA) claim is deficient, particularly as it does not establish reliance. The unfairness claim is based on a new theory suggesting that Google’s actions violated the plaintiffs’ constitutional right to privacy. However, this theory falters as the plaintiffs fail to substantiate their assertion that Google’s conduct constituted a serious invasion of privacy, a requirement that includes demonstrating a legally protected interest, a reasonable expectation of privacy, and egregious conduct by the defendant. Courts have consistently ruled that sharing basic digital information does not meet the threshold for serious invasions of privacy.
The Device Switch Subclass's UCL claim is dismissed as all theories of harm are unsubstantiated. Additionally, the breach of contract claim for the App Disclosure subclass is revisited. The essential elements of a breach of contract under California law include the existence of a contract, the plaintiff’s performance, the defendant’s breach, and resultant damages. The previous dismissal was due to a contract provision permitting data commingling. However, the current complaint successfully claims breach on behalf of the Android App Disclosure Subclass by alleging that they entered into a contract with Google, detailing relevant terms that were breached through unauthorized data disclosures, resulting in damages from resource consumption.
Google contends that the complaint does not adequately support a breach of contract claim for three main reasons. First, Google asserts that the complaint lacks specific dates for when class members made App purchases via Google Play, thereby obscuring which privacy policy applied at those times. However, the complaint clarifies that Google employed multiple, varying privacy policies depending on the device, platform, and service used, detailing specific policies in effect during each transaction and alleged violations. While these allegations may not meet the heightened standards for fraud claims under Rule 9(b), they are sufficient for a breach of contract claim under the more lenient Rule 8.
Second, Google argues that the plaintiffs are not parties to the general privacy policy cited in their claims, but this is unsubstantiated since Google's 2009 policy is not properly presented in court. Third, Google claims the plaintiffs have not identified explicit contract terms that were breached, which is incorrect. The complaint references specific terms from the Android device policy and the November 2011 Google Wallet Privacy Policy regarding the sharing of personal information, which includes provisions for consumer notification when additional information is needed.
Additionally, the complaint indicates that Google's general privacy policy limits access to personal information to authorized personnel bound by confidentiality obligations, subject to disciplinary actions for breaches of these obligations.
Regarding the intrusion upon seclusion claim for the App Disclosure Subclass, the court requires plaintiffs to demonstrate two elements: (1) an intrusion into a private space or matter and (2) that this intrusion is highly offensive to a reasonable person. Plaintiffs must show an objectively reasonable expectation of privacy and that the defendant unlawfully accessed this privacy. The notion of 'seclusion' is relative, as visibility does not equate to consent for public exposure. Courts have recognized sufficient facts for these elements in various contexts, including unauthorized eavesdropping and monitoring of private communications.
Google contends that the court should adhere to its previous ruling that the commingling of user data does not constitute a valid claim for intrusion. However, the court finds that the Plaintiffs’ revised theory—claiming that the intrusion stems from Google's disclosure of user data to third-party developers against its own policies—also fails to establish a claim, as the Plaintiffs' allegations do not meet the district's high standard for what constitutes an intrusion offensive to a reasonable person. Consequently, the court dismisses the intrusion claims.
Regarding the App Disclosure subclass's fifth cause of action under the Unfair Competition Law (UCL), the court notes that their argument under the unfair prong does not hold, as previous rulings indicated that the benefits of receiving free services outweigh the alleged harms from changed policies. However, their claim under the fraudulent prong of the UCL is more substantial. The Plaintiffs allege that Google's privacy policy misled consumers into believing their data would be safeguarded, while it was actually planning to share it more broadly. The detailed allegations meet the specificity required by Rule 9(b), demonstrating reliance on the misleading policies and resulting harm, such as loss of battery power.
In conclusion, after evaluating all claims, only the App Disclosure Subclass's breach of contract claim and its UCL fraudulent prong claim will proceed. All other claims are dismissed with prejudice, as the court deems that any omissions were intentional, indicating that the case is ready to advance.
The court has issued an order regarding the plaintiffs in the case, originally naming Robert DeMars and Lorena Barrios, and now including three additional plaintiffs: Pedro Marti, David Nisenbaum, Nicholas Anderson, Matthew Villani, and Scott McCullough in the second amended complaint. The court grants the plaintiffs' motion to strike the declaration of Silva Reyes, emphasizing that motions to dismiss should rely solely on the complaint and judicially noticed documents. The court finds the 2009 Mobile Privacy Policy unsuitable for judicial notice due to authenticity disputes but will consider the 2008 Mobile Privacy Policy, which the plaintiffs do not contest.
In terms of standing, the court assesses the plaintiffs' claims of economic harm, including involuntary battery and bandwidth consumption and overpayments due to reliance on fraudulent privacy statements, alongside alleged statutory violations. The court notes that some claims, specifically breach of contract and violations under the Federal Wiretap Act and the Stored Electronic Communications Act, are preserved for appeal, regardless of their prior dismissal. The court cites case law establishing that claims dismissed with prejudice do not need to be re-pleaded in subsequent complaints for preservation purposes. Various precedents from the Ninth Circuit are referenced to support the ruling on standing and the criteria for a motion to dismiss, highlighting the requirement for more than conclusory statements in claims.
The document addresses the issue of standing in cases involving invasion of privacy claims. It cites various legal precedents, including Krottner v. Starbucks Corp., which established that standing can be found when a plaintiff alleges negligence leading to theft of sensitive data, even if the theft has not yet occurred. It emphasizes that for standing to be established, the injury must be concrete, particularized, and either actual or imminent, referencing Lujan v. Defenders of Wildlife.
The text notes that while some cases, such as Low v. LinkedIn Corp. and Yunker v. Pandora Media, Inc., found a lack of standing due to insufficient allegations of harm, other cases, like In re iPhone Application Litigation, demonstrated that specific allegations regarding the defendant's actions and the resulting harm could establish standing. The court acknowledges that invasion of privacy claims inherently provide a concrete adverseness necessary for adjudication.
The excerpt also discusses the importance of articulating particularized harm. It highlights that if allegations are too conjectural, as in the case where no actual theft occurred, standing may not be established. Ultimately, it is noted that Nisenbaum alleges he would not have purchased a new phone but for a policy change, indicating a personal stake in the outcome of the controversy.
Mr. Nisenbaum claims his injury is directly linked to Google, as he relied on the company's prior policies when purchasing an Android phone. For a motion to dismiss based on standing, courts must accept all material allegations as true and favor the plaintiff's interpretation of the complaint. The California Consumers Legal Remedies Act (CLRA) specifies that claims based solely on software do not qualify for protection, as the definition of 'goods' under the CLRA pertains to tangible products. Furthermore, a manufacturer’s responsibility is confined to warranty obligations unless there is an affirmative misrepresentation or safety concern. However, if a plaintiff can show that the manufacturer had exclusive knowledge of a defect, the CLRA protections can extend to the manufacturer even without a direct transaction. Additionally, a CLRA claim can be established without a contractual relationship between the parties. Mr. Nisenbaum asserts that Google’s privacy policy assurances were false as the company had already decided not to comply with those terms by May 2010.
The excerpt analyzes the interpretation of "as a result of" in the context of section 17204 of the California Unfair Competition Law (UCL), which permits private enforcement actions only for individuals who have suffered actual injury and loss due to unfair competition. In the case of Lanovaz v. Twinings North America, the plaintiff's claims are based on fraud or misrepresentation, necessitating proof of reliance on the misleading information to succeed. The excerpt references various cases, including In re Google AdWords, which involved omission of material facts rather than misrepresentation, and Collins v. eMachines, which dealt with active concealment of defects.
Further, it notes that the 2009 Mobile Policy is irrelevant as it is not mentioned in the operative complaint. Google contends that the claims under the Consumers Legal Remedies Act (CLRA) are also deficient based on Federal Rule of Civil Procedure 9(b), highlighting that the specifics of the purchase do not adequately inform Google for defense purposes. Additionally, it discusses the implications of a plaintiff’s knowledge on purchasing decisions as demonstrated in Lozano v. AT&T Wireless Services.
The text clarifies that "fraudulent" under the UCL does not align with common law fraud but indicates that practices must be likely to deceive the public. It outlines criteria for assessing "unfair" practices, which may violate established public policy or be substantially injurious to consumers, and presents two legal tests for determining unfair business practices, referencing relevant case law for both.
A third test for user injury establishes three criteria: 1) the injury must be substantial; 2) it must not be outweighed by any benefits to users or competition; and 3) it must be an injury that users could not reasonably avoid. Relevant case law includes Drum v. San Fernando Valley Bar Ass’n, McDonald v. Coldwell Banker, and Wilson v. Hynek, among others. In In re Tobacco II Cases, it was determined that plaintiffs must allege reliance on misrepresentation for recovery under the fraudulent prong of the Unfair Competition Law (UCL). A claim alleging violation of the unfair prong of the UCL is noted, focusing on deceptive practices regarding privacy and opt-out difficulties. Several cases, including Hill v. Nat'l Collegiate Athletic Ass’n and In re iPhone Application Litigation, illustrate the court's stance on privacy rights, often ruling that privacy violations did not occur when personal data was shared with third parties. The document references a breach of contract claim for appellate preservation and discusses various policies related to Google Wallet and privacy. The concept of "fraudulent" under the statute requires a showing that the public is likely to be deceived, rather than meeting the common law tort definition of fraud. The document cites numerous cases and docket numbers to support its claims and arguments.