Gerber v. Twitter, Inc.
Filing
106
ORDER GRANTING IN PART AND DENYING IN PART DEFENDANT'S MOTION TO DISMISS PLAINTIFFS' SECOND AMENDED CLASS ACTION COMPLAINT by Magistrate Judge Kandis A. Westmore granting in part and denying in part 89 Motion to Dismiss. Answer due by 1/8/2025. (kc, COURT STAFF) (Filed on 12/18/2024)
<![CDATA[
1
2
3
4
UNITED STATES DISTRICT COURT
5
NORTHERN DISTRICT OF CALIFORNIA
6
7
STEPHEN GERBER, et al.,
Plaintiffs,
8
9
10
ORDER GRANTING IN PART AND
DENYING IN PART DEFENDANT'S
MOTION TO DISMISS PLAINTIFFS'
SECOND AMENDED CLASS ACTION
COMPLAINT
v.
TWITTER, INC., et al.,
Defendants.
11
United States District Court
Northern District of California
Case No. 4:23-cv-00186-KAW
Re: Dkt. No. 89
12
13
On June 12, 2024, Defendant X Corp., as successor in interest to Twitter, Inc. (collectively
14
“Twitter”), filed a motion to dismiss Plaintiffs’ second amended consolidated class action
15
complaint.
16
Upon review of the moving papers, the Court finds this matter suitable for resolution
17
without oral argument pursuant to Civil Local Rule 7-1(b), and, for the reasons set forth below,
18
GRANTS IN PART AND DENIES IN PART Defendant’s motion to dismiss.
19
I.
BACKGROUND
20
Twitter is a social media platform where users can post and engage with short-form
21
commentary, called “Tweets,” which may include text, images, or video. (Consolidated Second
22
Am. Class Action Compl., “CCAC,” Dkt. No. 72 ¶¶ 4, 33-35.) Each user must create a username
23
and display name, which are displayed publicly and associate the user with their activity on the
24
Twitter platform. (CCAC ¶ 37.) Twitter invites users to operate on its platform by using
25
pseudonymous user and display names, thereby allowing users to share and access information
26
and engage freely and anonymously. (CCAC ¶¶ 77-79.) While Twitter does not charge its users, it
27
realizes billions of dollars in annual revenues from the highly valuable data generated by its users.
28
(CCAC ¶ 36.)
United States District Court
Northern District of California
1
In order to sign up for an account on the Twitter platform, a prospective user is required to:
2
(1) enter into a User Agreement, and (2) provide certain personal information, including name,
3
email address, phone number, and date of birth (collectively, “PII”). (CCAC ¶¶ 37-38.) The User
4
Agreement, includes the Terms of Service (“TOS”), the Privacy Policy, the Twitter Rules and
5
Policies, and all incorporated policies. (See CCAC ¶¶ 38.) As a result, prior to accessing the
6
Twitter platform and using Twitter’s services, Plaintiffs entered into the User Agreement with
7
Twitter, including the Privacy Policy, and provided Twitter with their PII, as requested by Twitter
8
and subject to Twitter’s representations set forth in the Privacy Policy. (CCAC ¶¶ 38-41, 139.)
9
The Privacy Policy states in detail how user data, including PII, will be used and who will have
10
access to that data. (CCAC ¶¶ 38-40.)
11
From around June 2021 through January 2022, a defect in Twitter’s application
12
programming interface (“API”) allowed threat actors to access and obtain PII associated with an
13
estimated 200 million Twitter users. (CCAC ¶¶ 82.) It is unclear from publicly available
14
information whether the person(s) that took advantage of the API vulnerability were external
15
threat actors or had internal access at Twitter. (CCAC ¶¶ 82, 114(b), 114(g), 122, 138.) The
16
information extracted through the API defect consists of information associated with users’
17
Twitter account (username, display name, and account creation data), together with the users’ PII
18
(email address and phone number). (CCAC ¶ 82.) This data was offered for sale, on more than
19
one occasion, and/or leaked on the dark web between August 2022 and January 2023, which is
20
referred to as the “Data Breach.” Id.
21
Twitter claims to have learned of the API defect from a third party, rather than through its
22
own diligence. (CCAC ¶¶98-103.) And, after learning of the defect, Twitter claims that it failed
23
entirely to ascertain that a threat actor may have taken advantage of the defect to obtain access to
24
user PII, and that extensive data obtained in a Twitter hack was for sale on the dark web. Id.
25
Plaintiffs allege that Twitter has taken no remedial action to recover the data or mitigate the
26
damage. (CCAC ¶ 110.)
27
Plaintiffs contend that the Data Breach does not represent an isolated incident, but, rather,
28
was the foreseeable result of the reckless way that Twitter has chosen to operate its business. As
2
United States District Court
Northern District of California
1
early as 2010, Twitter came under scrutiny from the Federal Trade Commission (“FTC”) for its
2
data privacy failures, resulting in the entry of a 2011 consent order (the “FTC Order”), which
3
Twitter has continued to violate for more than a decade, including with respect to the Data Breach.
4
(CCAC ¶¶ 9, 125-132.) Peiter Zatko, who was Twitter’s Head of Security from 2020 to 2022,
5
filed a whistleblower complaint and testified before Congress regarding the dangerous and
6
pervasive lack of both internal and external data security at Twitter. (CCAC ¶¶ 112-119.) Zatko
7
provided comprehensive reports to the Twitter Board of Directors and executives regarding his
8
data security concerns, but Twitter allegedly failed and refused to implement even the most basic
9
and cost-effective measures. (CCAC ¶¶ 116-118, 120.) At the very same time, the events giving
10
rise to the Data Breach occurred. (CCAC ¶¶ 82, 112.)
11
Plaintiffs allege that had they known that Twitter failed to implement reasonable and
12
adequate data security measures, they would not have created Twitter accounts or would not have
13
provided their PII that was disclosed in the Data Breach to Twitter. (CCAC ¶¶ 24, 28, 31.)
14
Plaintiff Weitzman alleges that she has spent time monitoring her various accounts to detect and
15
prevent any misuses of her PII, which she would not have had to expend if not for the Data
16
Breach. (CACC ¶ 31.) Plaintiff Weitzman also claims to have hired a social media specialist to
17
monitor her accounts at an additional weekly cost to deal with the increased spamming and
18
spoofing she suffered as a result of the Data Breach. Id. Plaintiffs further contend that the Data
19
Breach has also caused specific and unique harm to Twitter’s impacted users that accepted its
20
invitation to operate on its platform anonymously through the use of pseudonyms, such as
21
Plaintiffs Gerber and Cohen, as the data available as a result enables any person with access to it
22
to readily ascertain the identity of the person associated with a pseudonymous Twitter account and
23
their related activity on the platform. (CCAC ¶¶ 85, 104, 147.)
24
On April 19, 2024, Plaintiffs filed the second amended consolidated class action complaint
25
alleging seven causes of action for breach of contract, breach of implied contract, negligence,
26
gross negligence, unjust enrichment, violation of California Unfair Competition Law (Cal. Bus. &
27
Prof. Code § 17200), and declaratory judgment. On June 12, 2024, Defendant filed a motion to
28
dismiss. (Def.’s Mot., Dkt. No. 89.) On July 29, 2024, Plaintiffs filed an opposition. (Pls.’ Opp’n,
3
1
Dkt. No. 96.) On September 8, 2024, Defendant filed a reply. (Def.’s Reply, Dkt. No. 101.)
II.
United States District Court
Northern District of California
2
LEGAL STANDARD
3
A.
4
Under Federal Rule of Civil Procedure 12(b)(6), a party may file a motion to dismiss based
Motion to Dismiss
5
on the failure to state a claim upon which relief may be granted. A motion to dismiss under Rule
6
12(b)(6) tests the legal sufficiency of the claims asserted in the complaint. Navarro v. Block, 250
7
F.3d 729, 732 (9th Cir. 2001).
8
In considering such a motion, a court must “accept as true all of the factual allegations
9
contained in the complaint,” Erickson v. Pardus, 551 U.S. 89, 94 (2007) (per curiam) (citation
10
omitted), and may dismiss the case or a claim “only where there is no cognizable legal theory” or
11
there is an absence of “sufficient factual matter to state a facially plausible claim to relief.”
12
Shroyer v. New Cingular Wireless Servs., Inc., 622 F.3d 1035, 1041 (9th Cir. 2010) (citing
13
Ashcroft v. Iqbal, 556 U.S. 662, 677-78 (2009); Navarro, 250 F.3d at 732) (internal quotation
14
marks omitted).
15
A claim is plausible on its face when a plaintiff “pleads factual content that allows the
16
court to draw the reasonable inference that the defendant is liable for the misconduct alleged.”
17
Iqbal, 556 U.S. at 678 (citation omitted). In other words, the facts alleged must demonstrate “more
18
than labels and conclusions, and a formulaic recitation of the elements of a cause of action will not
19
do.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 555 (2007). “Threadbare recitals of the elements of
20
a cause of action” and “conclusory statements” are inadequate. Iqbal, 556 U.S. at 678; see also
21
Epstein v. Wash. Energy Co., 83 F.3d 1136, 1140 (9th Cir. 1996) (“[C]onclusory allegations of
22
law and unwarranted inferences are insufficient to defeat a motion to dismiss for failure to state a
23
claim.”). “The plausibility standard is not akin to a probability requirement, but it asks for more
24
than a sheer possibility that a defendant has acted unlawfully . . . When a complaint pleads facts
25
that are merely consistent with a defendant's liability, it stops short of the line between possibility
26
and plausibility of entitlement to relief.” Iqbal, 556 U.S. at 678 (quoting Twombly, 550 U.S. at
27
557) (internal citations omitted).
28
Generally, if the court grants a motion to dismiss, it should grant leave to amend even if no
4
United States District Court
Northern District of California
1
request to amend is made “unless it determines that the pleading could not possibly be cured by
2
the allegation of other facts.” Lopez v. Smith, 203 F.3d 1122, 1127 (9th Cir. 2000) (citations
3
omitted).
4
B.
5
As a general rule, a district court may not consider any material beyond the pleadings in
Request for Judicial Notice
6
ruling on a motion to dismiss for failure to state a claim. Lee v. City of Los Angeles, 250 F.3d 668,
7
688 (9th Cir. 2001). A district court may take notice of facts not subject to reasonable dispute that
8
are “capable of accurate and ready determination by resort to sources whose accuracy cannot
9
reasonably be questioned.” Fed. R. Evid. 201(b); United States v. Bernal–Obeso, 989 F.2d 331,
10
333 (9th Cir. 1993). “[A] court may take judicial notice of ‘matters of public record,’” Lee, 250
11
F.3d at 689 (citing Mack v. S. Bay Beer Distrib., 798 F.2d 1279, 1282 (9th Cir. 1986)), and may
12
also consider “documents whose contents are alleged in a complaint and whose authenticity no
13
party questions, but which are not physically attached to the pleading” without converting a
14
motion to dismiss under Rule 12(b)(6) into a motion for summary judgment. Branch v. Tunnell,
15
14 F.3d 449, 454 (9th Cir. 1994), overruled on other grounds by Galbraith v. Cnty. of Santa Clara,
16
307 F.3d 1119 (9th Cir. 2002). The court need not accept as true allegations that contradict facts
17
which may be judicially noticed. See Mullis v. United States Bankruptcy Ct., 828 F.2d 1385, 1388
18
(9th Cir. 1987).
19
III.
DISCUSSION
20
A.
21
As a preliminary matter, Defendant asks that the Court take judicial notice of six
22
documents in support of its motion to dismiss that were not previously judicially noticed. (Def.’s
23
Req. for Judicial Notice, “RJN,” Dkt. No. 41.) The documents are purportedly true and correct
24
copies of: 1) A Twitter Help Center page titled “About your email and phone number
25
discoverability privacy settings,” available at https://help.x.com/en/safety-and-security/email-
26
andphone-discoverability-settings (last visited June 12, 2024); 2) A Twitter Help Center page
27
titled “How to upload and manage your contacts,” available at https://help.twitter.com/en/using-
28
twitter/upload-your-contacts-to-search-for-friends (last visited June 12, 2024); 3) A Twitter Help
Request for Judicial Notice
5
United States District Court
Northern District of California
1
Center page titled “About X’ account suggestions,” available at https://help.twitter.com/en/using-
2
twitter/account-suggestions (last visited June 12, 2024), which is central to the plausibility of
3
Plaintiffs’ claims; 4) The Ernst & Young Independent Assessor’s Transmittal Letter on Twitter’s
4
Information Security Program for the Period September 13, 2019, to September 12, 2021,
5
available at https://www.ftc.gov/system/files/ftc_gov/pdf/twitter-assessment-2019-2021.pdf (last
6
visited June 12, 2024); 5) Order on Motion to Dismiss, Price v. Twitter, Inc., No. 22-cv-03173-SK
7
(N.D. Cal. Dec. 6, 2022), ECF No. 50; 6) Order on Twitter’s Demurrer to Plaintiffs’ Class Action
8
Complaint and Motion to Strike, Yeh v. Twitter, Inc., No. CGC-23-605100 (Cal. Sup. Ct., S.F.
9
Cnty., May 31, 2024). (RJN at i-ii; Decl. of John MacGregor, “MacGregor Decl.,” Dkt. No. 89-1,
10
Exs. 1-6)1
11
Additionally, Defendant asks that the Court take judicial notice of the eight documents it
12
took notice of in the prior motion to dismiss: 1) Twitter’s Privacy Policy effective June 18, 2020,
13
available at https://twitter.com/en/privacy/previous/version_16; 2) Twitter’s Privacy Policy
14
effective August 19, 2021, available at https://twitter.com/en/privacy/previous/version_17; 3)
15
Twitter’s Privacy Policy effective June 10, 2022, available at
16
https://twitter.com/en/privacy/previous/version-18; 4) Twitter’s Terms of Service effective June
17
18, 2020, available at https://twitter.com/en/tos/previous/version_15; 5) Twitter’s Terms of
18
Service effective as of August 19, 2021, available at
19
https://twitter.com/en/tos/previous/version_16; 6) Twitter’s Terms of Service effective June 10,
20
2022, available at https://twitter.com/en/tos/previous/version-17; 7) a blog post published on the
21
Twitter Privacy Center on August 5, 2022, titled “An incident impacting some accounts and
22
private information on Twitter,” available at https://privacy.twitter.com/en/blog/2022/an-issue-
23
affecting-some-anonymous-accounts; 8) a blog post published on the Twitter Privacy Center on
24
January 11, 2023, titled “Update about an alleged incident regarding Twitter user data being sold
25
online,” available at https://privacy.twitter.com/en/blog/2023/update-about-an-alleged-incident-
26
regarding-twitter-user-data-being-sold-online. (RJN at ii; Decl. of Stephen A. Broome, Dkt. No.
27
28
1
For ease, all exhibits will be referred to by “RJN, Ex. __.”
6
United States District Court
Northern District of California
1
40-1, Exs. 1-8.)2
2
Plaintiffs oppose the request to judicial notice as it pertains to the MacGregor Exhibit Nos.
3
1-4, because Defendant is seeking to establish the truth of the documents’ contents to dispute the
4
well-pleaded facts in the complaint. (Pl.’s RJN Opp’n, Dkt. No. 98 at 1.)
5
The Court denied Defendant’s prior request to judicially notice Exhibits 1-3, which
6
Defendant acknowledges in its resubmission, but Twitter claims that the exhibits are necessary to
7
resolve Twitter’s argument that Plaintiffs’ negligence claims should be dismissed for failure to
8
plausibly plead proximate causation. (RJN at i n. 1.) The Court disagrees and again denies the
9
request for judicial notice as to these three exhibits, because Defendant is attempting to challenge
10
Plaintiffs’ well plead factual allegations on a motion to dismiss, which is inherently improper.
11
Khoja v. Orexigen Therapeutics, Inc., 899 F.3d 988, 1014 (9th Cir. 2018) (“The incorporation-by-
12
reference doctrine does not override the fundamental rule that courts must interpret the allegations
13
and factual disputes in favor of the plaintiff at the pleading stage.”) see also Katz-Lacabe v. Oracle
14
Am., Inc., 668 F. Supp. 3d 928, 939 (N.D. Cal. 2023)(“[J]udicially noticing all of the information
15
contained on Oracle's own webpages is improper and unnecessary, as it would serve no purpose
16
other than exactly what the Ninth Circuit warned against: crafting an alternative version of
17
events.”)
Plaintiffs also oppose MacGregor Exhibit 4, the “Ernst & Young Independent Assessor’s
18
19
Transmittal Letter on Twitter’s Information Security Program,” on the grounds that it is a self-
20
serving document being used to challenged Plaintiff’s factual allegations. (Pl.’s RJN Opp’n at 3.)
21
The Court agrees for the same reasons discussed above.
22
The court “is not required to incorporate documents by reference.” Davis v. HSBC Bank
23
Nev., N.A., 691 F.3d 1152, 1159 (9th Cir. 2012). The remaining MacGregor Exhibits are court
24
orders issued in other cases, which are irrelevant, so the Court declines to incorporate them by
25
reference.3
26
27
28
Since these have the same exhibit numbers, these exhibits will be referred to by “RJN, Ex. _-2.”)
In the future Defendant is responsible for addressing all exhibits in connection with a pending
motion, because the Court is not required nor inclined to scour the docket for prior filings.
3
While these are nonbinding court orders, Defendant may cite to them absent judicial notice.
7
2
1
2
notice of true and correct copies of Twitter account sign-up pages, available at
3
http://twitter.com/signup, at various points during the relevant time period. (Def.’s Reply RJN,
4
Dkt. 102; Decl. of John MacGregor ISO Reply, “MacGregor Reply Decl.,” Dkt. No. 101-1 at 1,
5
Ex. 1.) The Court denies this request, because the exhibit should have been presented in
6
conjunction with the original motion.
7
Accordingly, Defendant’s request for judicial notice is GRANTED IN PART AND
8
DENIED IN PART. The motion is granted only as to the previously judicially noticed Broome
9
Exhibits and denied as to all of the MacGregor exhibits.
10
11
United States District Court
Northern District of California
Finally, in connection with its reply brief, Defendant asks that the Court take judicial
B.
Motion to Dismiss
i.
Terms of Service
12
As an initial matter, Defendant argues that the first five causes of action for breach of
13
contract, breach of implied contract, negligence, gross negligence, and unjust enrichment are
14
barred by the Terms of Service (“TOS”) disclaimer and the limitation of liability clauses. (Def.’s
15
Mot. at 5.) The Court notes that, in connection with the first motion to dismiss, Defendant
16
conceded that California law forbids limiting liability for gross negligence, so it is unclear why
17
Defendant would raise this argument here. (See 3/29/24 Order, Dkt. No. 69 at 8 (citing In re
18
Facebook, Inc., Consumer Priv. User Profile Litig., 402 F. Supp. 3d 767, 800 (N.D. Cal. 2019).)
19
Nonetheless, the Court finds that the TOS cannot limit liability for gross negligence, so the TOS
20
can only potentially bar the other four causes of action.
21
Section 6 of the TOS provides that California law governs both the terms and any claim
22
that may arise between the consumer and Twitter. (RJN, Ex. 6-2 at 9-10.) “With respect to claims
23
for breach of contract, limitation of liability clauses are enforceable unless they are
24
unconscionable, that is, the improper result of unequal bargaining power or contrary to public
25
policy.” Food Safety Net Servs. v. Eco Safe Sys. USA, Inc., 209 Cal. App. 4th 1118, 1126 (2012).
26
Specifically, Section 5 of the TOS contained disclaimers and limitations of liability. First, users
27
were advised that the services were being made available “AS-IS”:
28
Your access to and use of the Services or any Content are at your own
8
risk. . . . [T]he Services are provided to you on an “AS IS” . . . basis.
The Twitter Entities make no warranty or representation and disclaim
all responsibility and liability for: (i) the . . security or reliability of
the Services or any Content; (ii) any harm to your computer system,
loss of data, or other harm that results from your access to or use of
the Services or any content; . . . and (iv) whether the Services will
meet your requirements or be available on an uninterrupted, secure,
or error-free basis.
1
2
3
4
5
(RJN, Ex. 6-2 at 8) (emphasis added). Next, the limitation of liability clause was as follows:
6
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE
LAW, THE TWITTER ENTITIES SHALL NOT BE LIABLE FOR
ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL
OR PUNITIVE DAMAGES, OR ANY LOSS OF PROFITS OR
REVENUES, WHETHER INCURRED DIRECTLY OR
INDIRECTLY, OR ANY LOSS OF DATA . . . OR OTHER
INTANGIBLE LOSSES, RESULTING FROM (i) YOUR ACCESS
TO OR USE OF OR INABILITY TO ACCESS OR USE THE
SERVICES; (ii) ANY CONDUCT OR CONTENT OF ANY THIRD
PARTY ON THE SERVICES, INCLUDING WITHOUT
LIMITATION, ANY DEFAMATORY, OFFENSIVE OR ILLEGAL
CONDUCT OF OTHER USERS OR THIRD PARTIES; (iii) ANY
CONTENT OBTAINED FROM THE SERVICES; OR (iv)
UNAUTHORIZED ACCESS, USE OR ALTERATION OF YOUR
TRANSMISSIONS OR CONTENT… THE LIMITATIONS OF
THIS SUBSECTION SHALL APPLY TO ANY THEORY OF
LIABILITY,
WHETHER
BASED
ON
WARRANTY,
CONTRACT, STATUTE, TORT (INCLUDING NEGLIGENCE)
OR OTHERWISE….
7
8
9
10
United States District Court
Northern District of California
11
12
13
14
15
16
(RJN, Ex. 6-2 at 9) (emphasis added).
Courts in this district have found liability limitation provisions to be generally enforceable
17
18
for similar services. See, e.g., Bass v. Facebook, Inc., 394 F. Supp. 3d 1024, 1038 (N.D. Cal.
19
2019) (contract claims barred by TOS). Broad provisions such as these, however, have also been
20
found to be unconscionable because they “are overly one-sided and bar any effective relief.” In re
21
Yahoo! Inc. Customer Data Sec. Breach Litig., 313 F. Supp. 3d 1113, 1137 (N.D. Cal. 2018).
22
Unconscionability requires the plaintiff to allege facts “showing that the term is both procedurally
23
and substantively unconscionable.” Id. at 1136. Substantive and procedural unconscionability are
24
comparatively assessed on a “sliding scale” – i.e., “the more substantively oppressive the contract
25
term, the less evidence of procedural unconscionability is required to come to the conclusion that
26
the term is unenforceable, and vice versa.” Sanchez v. Valencia Holding Co., LLC, 61 Cal. 4th
27
899, 910 (Cal. 2015).
28
//
9
1
2
Plaintiffs allege that the As-Is Limitation and Liability clauses are procedurally
3
unconscionable, because they “suffer[] from both oppression and surprise.” (CCAC ¶ 157.)
4
United States District Court
Northern District of California
a. Procedural Unconscionability
Defendant argues that there is no procedural unconscionability. (Def.’s Mot. at 6.) First,
5
Twitter contends that there is no rule that an adhesion contract is per se unconscionable. Id. (citing
6
Bass v. Facebook, Inc., 394 F. Supp. 3d 1024, 1038 (N.D. Cal. 2019)). While true, that does not
7
mean that there is no procedural unconscionability. In fact, the Ninth Circuit has indicated that, at
8
the very least, the degree of procedural unconscionability in an adhesive contract is low when a
9
customer has “reasonably available” alternative sources of supply from which to obtain the desired
10
service. Darnaa, LLC v. Google LLC, 756 F. App'x 674, 676 (9th Cir. 2018) (quoting Lennar
11
Homes of Cal., Inc. v. Stephens, 232 Cal. App. 4th 673, 181 Cal.Rptr.3d 638, 651-52 (2014)).
12
In opposition, Plaintiffs argue that, since Darnaa, the California Court of Appeal has
13
clarified that the existence of market alternatives do not preclude procedural unconscionability
14
when surprise is alleged. (Pls.’ Opp’n at 8, n. 8 (citing Fisher v. MoneyGram Int'l, Inc., 66 Cal.
15
App. 5th 1084, 1096 (2021).) In Fisher, the Court of Appeal found that the “‘meaningful choice’
16
rationale is employed only where surprise is not seriously in issue, and the plaintiff relies solely on
17
the defendant’s use of an adhesion contract to show procedural unconscionability.” 66 Cal. App.
18
5th at 1096. This rationale makes sense, because if the oppression is not apparent, a user cannot
19
be expected to fully understand the TOS.
20
Even so, Defendant argues that Plaintiffs cannot claim “surprise” because “these clauses
21
appear under a bolded header in 30-point font on pages nine and ten of the TOS—which are only
22
12 pages long.” (Def.’s Mot. at 7 (citing CCAC ¶ 161).) Moreover, Defendant contends that
23
Plaintiffs’ allegations that “the contested provisions do not appear on Twitter’s ‘landing page’ and
24
that numerous ‘click[s]’ are supposedly required to navigate to the provisions… ignore the fact
25
that Twitter alerted Plaintiffs in advance each time Twitter changed the TOS, either via email or
26
an in-app prompt.” (Def.’s Mot. at 8 (citing CCAC ¶¶ 159-161; RJN, Exs. 4-2 at 10–11, Ex. 5-2 at
27
11, Ex. 6-2 at 10–11.) Furthermore, Defendant argues that “the TOS were accessible on Twitter’s
28
public website at all relevant times.” (Def.’s Mot. at 8 (citing CCAC ¶¶ 159–160).)
10
1
In opposition, Plaintiffs contend that this ignores the fact that these terms were buried in
2
lengthy forms drafted by the party who wished to enforce them. (Pls.’ Opp’n at 8 (citing Yahoo!,
3
313 F. Supp. 3d at 1137 (liability limitation was near end of 12-page, adhesive TOS)).) The Court
4
agrees and finds that the TOS was at least somewhat procedurally unconscionable.
5
United States District Court
Northern District of California
6
b. Substantive Unconscionability
Defendant argues that the TOS is not substantively unconscionable, and that similar terms
7
that include limiting the language “to the maximum extent permitted by applicable law” are
8
frequently not invalidated on unconscionability grounds. (Def.’s Mot. at 9 (citing Adkins v.
9
Facebook, Inc., No. C 18-05982 WHA, 2019 WL 3767455, at *2-3 (N.D. Cal. Aug. 9, 2019)).)
10
In opposition, Plaintiffs argue that the limitations are substantively unconscionable,
11
because Defendant seeks to “disclaim any duty to ‘secure [users’] personal information’ based on
12
a broad provision stating that its services are provided on an ‘AS IS’ basis” and it “makes no
13
‘warranty or representation and disclaim[s] all responsibility and liability for’ broad categories of
14
harm encompassing virtually any harm that could arise from use of its services.” (Pls.’ Opp’n at 8
15
(citing CCAC ¶163) (emphasis in original).) Plaintiffs also argue that there is no reasonable
16
commercial justification for limiting Plaintiffs’ ability to pursue claims and remedies, because
17
Twitter is already required by law to maintain reasonable data security systems. (Pls.’ Opp’n at 9
18
(citing CCAC ¶¶ 268-270).) The Court agrees. As Plaintiffs argue, Twitter, as a large technology
19
company, “provided the services at issue on the premise that user data would be safe, and Twitter
20
is in a far superior position than its users to address and manage the risk of data security matters.”
21
(Pls.’ Opp’n at 10.) In Yahoo!, the district court found that the limitations’ allocation of risk was
22
unreasonable because technology giants are better equipped to bear the risk of data security than
23
individual users, particularly when the companies are obligated to maintain acceptable levels of
24
data security under state and federal law. In re Yahoo! Inc. Customer Data Sec. Breach Litig., 313
25
F. Supp. 3d 1113, 1138 (N.D. Cal. 2018). As a result, the district court found that the plaintiffs
26
adequately pled that the limitations of liability were substantively unconscionable by pleading that
27
“Defendants took minimal action despite knowing about their inadequate security measures.” Id.
28
Similarly, in Bass v. Facebook, Inc., despite ultimately finding that the TOS bars the plaintiff’s
11
1
claims, the district court found that “Facebook’s mere failure to discover the vulnerability might
2
be barred by the clause, but if it had acquiesced to, or known of the vulnerability, the claim would
3
certainly be allowed through.” 394 F. Supp. 3d 1024, 1038 (N.D. Cal. 2019). Here, Plaintiffs
4
clearly allege that Twitter knew of the vulnerability and declined to address it.
5
Additionally, Plaintiffs contend that California Civil Code § 1668 renders the disclaimers
6
unenforceable. (Pls.’ Opp’n at 10.) California Civil Code Section 1668 “invalidates limitations on
7
liability per public policy for three categories of claims: fraud, willful injury, and violations of a
8
statute.” Adkins v. Facebook, Inc., No. 18-cv-05982 WHA, 2019 WL 3767455, at *2 (N.D. Cal.
9
Aug. 9, 2019).
United States District Court
Northern District of California
10
In reply, Defendant argues that § 1668 is limited to violations of statute, and cites Adkins,
11
2019 WL 3767455, at *2, for the proposition that the TOS is only invalidated if it exempted
12
Twitter from “violations of statute.” (Def.’s Reply at 8.) Defendant contends that it is not seeking
13
to bar a statutory violation; rather, the clauses merely bar Plaintiffs’ claims for breach of contract,
14
negligence, and unjust enrichment. Id.
15
Other district courts, however, have invoked § 1668 to invalidate liability limitations when
16
intentional conduct is alleged. See Doe v. Meta Platforms, Inc., 690 F. Supp. 3d 1064, 1084 (N.D.
17
Cal. 2023), motion to certify appeal denied, No. 22-CV-03580-WHO, 2024 WL 4375776 (N.D.
18
Cal. Oct. 2, 2024) (“defendants acted intentionally by refusing to stop the data transfer or employ
19
a stronger filter mechanism”). Here, Plaintiffs allege that Defendant is obligated by law to
20
maintain reasonable data security systems. (CCAC ¶ 165.) Despite this obligation, Twitter
21
allegedly “took minimal action despite knowing about its inadequate security measures. …
22
Twitter’s security regime was woefully insufficient (and Twitter was callously ignoring dangerous
23
vulnerabilities in its data security apparatus at the very time it was purportedly disclaiming any
24
liability for these vulnerabilities), rendering the disclaimer and limitation clauses unconscionable.”
25
(CCAC ¶ 166.)
26
Thus, in light of Plaintiffs’ allegations of intentional conduct, the Court finds that the TOS
27
is unconscionable, such that the negligence and contract claims are actionable. The Court further
28
finds that the clauses are unenforceable under California Civil Code § 1668. As was the case in
12
1
Doe v. Meta Platforms, Inc., Defendant may move to limit the damages available “on summary
2
judgment or at another appropriate juncture.” 690 F. Supp. 3d at 1085.
3
4
5
ii.
Plaintiffs first, second, and fifth causes of action are for breach of contract, breach of
implied contract, and unjust enrichment. (CCAC ¶¶ 176-215, 244-254.)
6
United States District Court
Northern District of California
7
First, Second, and Fifth Causes of Action: Contract Claims
a. Unjust Enrichment
As an initial matter, Defendant briefly moves to separately dismiss the unjust enrichment
8
claim due to the existence of the TOS, which is a valid contract. (Def.’s Mot. at 25.) Unjust
9
enrichment is considered to be quasi-contract claim, which may be pled in the alternative at this
10
juncture. See Doe v. Meta Platforms, Inc., 690 F. Supp. 3d at 1086. Thus, the Court denies the
11
motion as to the unjust enrichment claim.
12
13
b. Express Contract Claim
In regard to the express contract claim, the parties agree that the User Agreement consists
14
of the TOS, Privacy Policy, “Rules and Policies,” and “incorporated policies.” (CCAC ¶ 38; Def.’s
15
Mot. at 10.)
16
Defendant argues that the express breach of contract claim should be dismissed because
17
Plaintiffs fail to identify a single promise in the User Agreement that Twitter breached. (Def.’s
18
Mot. at 10.)
19
In opposition, Plaintiffs contend that blog posts and website statements are also
20
incorporated into the User Agreement and are actionable representations that further evidence the
21
promises Twitter made to users. (Pls.’ Opp’n at 11; see also CCAC ¶¶ 177-178, 182. 193-197.)
22
Thus, Plaintiffs contend that “Twitter’s representations and promises made on its website and
23
public blog related to Twitter’s Privacy Policy, regarding the safety and security of PII and were
24
also incorporated into Twitter’s User Agreement with Plaintiffs and the Class.” (CCAC ¶ 178.)
25
The Court disagrees. Nowhere in the User Agreement are these statements referenced or
26
cited. In fact, the portion of the Privacy Policy Plaintiffs appear to cite is a list of links below the
27
end of the document. (See RJN, Ex. 4-2 at 10-11.) As a result, the user is not guided to the other
28
documents as part of the User Agreement itself, but, rather, these are merely links that appear at
13
United States District Court
Northern District of California
1
the bottom of the same webpage, rather than in the body of the Agreement. But see Brown v.
2
Google LLC, 685 F. Supp. 3d 909, 929-30 (N.D. Cal. 2023) (quoting Shaw v. Regents of
3
University of California, 58 Cal.App.4th 44, 54, 67 Cal.Rptr.2d 850 (1997)) (found certain
4
documents were incorporated due to embedded hyperlinks in the body of the privacy policy).
5
Moreover, Plaintiffs conflate the Privacy Policy’s promise of not disclosing users’
6
information to third parties without their consent with a promise to maintain adequate data
7
security measures. (See Pls.’ Opp’n at 12 (citing CCAC ¶¶ 184-185.) This is simply not the same,
8
as “disclosure” is tantamount to selling user information. See Bass v. Facebook, Inc., 394 F. Supp.
9
3d 1024, 1038 (N.D. Cal. 2019) (Using social media is not “cost-free,” because “[t]he user incurs
10
the cost of having his information mined and shared.”) Thus, there are no express promises made
11
in the User Agreement regarding data security.
12
Accordingly, the Court finds that the statements and blog posts are not incorporated into
13
the User Agreement, which requires that the first cause of action for breach of contract be
14
dismissed with prejudice.
15
16
c. Implied Contract Claim
Without providing any analysis or cogent argument, Defendant moves to dismiss the
17
implied contract claim presumably based on the same rationale as the express contract claim—
18
namely that Plaintiffs fail to identify a single promise in the User Agreement that Twitter
19
breached. (See Def.’s Mot. at 10.)
20
In opposition, Plaintiffs argue that Defendant failed to analyze Plaintiffs’ allegations under
21
an implied contract standard, which does not require a single express written promise or contract,
22
but can be inferred through a series of documents, statements, and website representations. (Pl.’s
23
Opp’n at 11 (citing In re Pepperdine Univ. Tuition & Fees COVID-19 Refund Litig., 659 F. Supp.
24
3d 1086, 1094 (C.D. Cal. 2023)).) While the Court agrees that Defendant has waived any
25
argument in reply by failing to address this issue in the initial motion, California law supports the
26
existence of an implied contract so long as the implied terms do not vary from the express terms.
27
In re Pepperdine, 659 F. Supp. 3d at 1093.
28
“California courts look to the parties’ ‘reasonable expectation’ at the time of contracting to
14
1
‘give effect to the mutual intention of the parties as it existed at the time the contract was
2
executed.’” In re Pepperdine, 659 F. Supp. 3d at 1094 (quoting Kashmiri v. Regents of Univ. of
3
California, 156 Cal. App. 4th 809, 831-832 (2007), as modified (Nov. 15, 2007), as modified
4
(Nov. 28, 2007)). In In re Pepperdine, the court found that a reasonable jury could find, based on
5
Pepperdine’s representations on its website and academic catalogs, that the parties intended to
6
contract for in-person classes. In re Pepperdine, 659 F. Supp. 3d at 1094. There, Pepperdine
7
offered online-only degrees, and some of those programs did not allow online-only students to
8
register for in-person classes and vice versa. Id.
United States District Court
Northern District of California
9
Here, Twitter’s User Agreement provides how Defendant would or would not use
10
Plaintiffs’ user data and how Plaintiffs could control their data’s disclosure. On its website,
11
Twitter made numerous representations regarding the security and privacy of Plaintiffs’ user data,
12
including its representation that it is “committed to protecting the information you share with us”
13
on its Security and Privacy Webpage; representing that its “security procedures strictly limit
14
access to and use of users’ personal information and require that each of us take measures to
15
protect user data from unauthorized access” in its Code of Business Conduct and Ethics; and
16
representing that “[p]rotecting and defending user privacy is at the heart of our work.” (CCAC ¶¶
17
43, 56, 70, 192.) Plaintiffs, therefore, signed up for Twitter with the understanding that Twitter
18
would protect their PII, and they trusted the company to so. At the pleadings stage, these promises
19
to protect users’ PII are sufficient to establish the existence of an implied contract, and Twitter’s
20
alleged failure to safeguard that information is sufficient to state a claim for its breach.
21
22
23
24
25
26
Accordingly, the motion is denied as to the second cause of action for breach of implied
contract.
iii.
Third and Fourth Causes of Action: Negligence claims
Plaintiffs’ third and fourth causes of action are for negligence and gross negligence.
(CCAC ¶¶ 216-243.)
In the prior order, the Court found that Plaintiffs sufficiently alleged a claim for gross
27
negligence and found that the negligence claim would similarly survive “should Plaintiffs
28
sufficiently allege that the TOS is unconscionable.” (3/29/24 Order at 10.)
15
1
2
3
prior order as if set forth fully herein, and denies the motion as to the negligence claims.
iv.
Sixth Cause of Action: Unfair Competition Law, Bus. & Prof. Code § 17200
4
In order to establish standing for the UCL Claim, plaintiffs must show that they personally
5
lost money or property “as a result of the unfair competition.” CAL. BUS. & PROF. CODE § 17204;
6
10
Kwikset Corp. v. Superior Court, 51 Cal. 4th 310, 330 (2011). Under California law:
[t]here are innumerable ways in which economic injury from unfair
competition may be shown. A plaintiff may (1) surrender in a
transaction more, or acquire in a transaction less, than he or she
otherwise would have; (2) have a present or future property interest
diminished; (3) be deprived of money or property to which he or she
has a cognizable claim; (4) be required to enter into a transaction,
costing money or property, that would otherwise have been
unnecessary.
11
Kwikset, 51 Cal. 4th at 323.
7
8
9
United States District Court
Northern District of California
Since the TOS is unenforceable for unconscionability reasons, the Court incorporates the
12
Here, Plaintiffs allege that they failed to receive the benefit of their bargain with Twitter.
13
(CCAC ¶ 272.) If either harm is plausibly alleged, Plaintiffs would satisfy the standing
14
requirement for this cause of action. Bass v. Facebook, Inc., 394 F. Supp. 3d 1024, 1040 (N.D.
15
Cal. 2019).
16
Plaintiffs allege economic injury based on “benefit of the bargain.” (See Pls.’ Opp’n at 20-
17
21.) Business and Professions Code § 22576 prohibits “an operator of a commercial website” that
18
collects PII from consumers from violating “its posted privacy policy.” Plaintiffs argue that they
19
have UCL standing based on a breach of the contractual privacy protections governing the sales in
20
violation of Section 22576. (Id.; see also CCAC ¶¶ 270, 272.) Thus, Plaintiffs have standing so
21
long as they have adequately alleged that Defendant breached the terms of its privacy agreement.
22
See In re Anthem, Inc. Data Breach Litig., No. 15-md-2617-LHK, 2016 WL 3029783, at *13, *30
23
(N.D. Cal. 2016) (finding defendant’s breach of privacy policies incorporated into customers’
24
insurance contracts deprived plaintiffs of the benefit of their bargain and caused economic injury
25
sufficient to establish UCL standing). As discussed above, Plaintiffs’ express breach of contract
26
claim for violations of the privacy policy is not actionable, which does not satisfy the harm
27
requirement for the UCL claim. See discussion, supra, Part III.B.ii.b.
28
Plaintiffs further allege that Plaintiff Weitzman was required to spend money on credit
16
1
monitoring that would not otherwise been unnecessary if not for the Data Breach. (Pl.’s Opp’n at
2
21 (citing CCAC ¶ 273.) Courts have found that such allegations are sufficient to establishing
3
standing to pursue a UCL claim. See In re Yahoo! Inc. Customer Data Sec. Breach Litig., No. 16-
4
MD-02752-LHK, 2017 WL 3727318, at *22 (N.D. Cal. Aug. 30, 2017).
5
Thus, the motion is denied as to the sixth cause of action.
United States District Court
Northern District of California
6
v.
Seventh Cause of Action: Declaratory Judgment
7
The seventh cause of action is for declaratory judgment. (CCAC ¶¶ 275-284.)
8
Specifically, Plaintiffs allege that Twitter’s data security measures remain inadequate, and they
9
seek a declaratory judgment that Twitter owes a legal duty to secure consumers’ PII and to timely
10
notify them of a data breach, and that it continues to breach that duty by failing to employ
11
reasonable measures to secure consumers’ PII. (CCAC ¶¶ 277-280.)
12
Defendant acknowledges that this cause of action merely requires a predicate claim.
13
(Def.’s Mot. at 25.) Several of Plaintiffs’ claim are sufficiently pled. Furthermore, a dispute
14
exists as to the continued risk Plaintiffs and similarly situated users face, rendering the dismissal
15
of the declaratory judgment claim premature. See Bass v. Facebook, Inc., 394 F. Supp. 3d 1024,
16
1040 (N.D. Cal. 2019).
17
Accordingly, the motion to dismiss is denied as to the seventh cause of action.
18
19
IV.
CONCLUSION
For the reasons set forth above, Defendant’s motion to dismiss is GRANTED IN PART
20
AND DENIED IN PART. The motion is granted with prejudice as to the first cause of action for
21
breach of contract. It is denied in all other respects.
22
Defendant shall file an answer within 21 days.
23
IT IS SO ORDERED.
24
Dated: December 18, 2024
__________________________________
KANDIS A. WESTMORE
United States Magistrate Judge
25
26
27
28
17
]]>
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?
