In Re FACEBOOK INTERNET TRACKING LITIGATION

Filing 179

NOTICE OF APPEAL to the 9th Circuit Court of Appeals filed by Perrin Aikens Davis, Brian K. Lentz, Cynthia D. Quinn, Matthew J. Vickery. Appeal of Order #175 , Order on Motion to Dismiss, Order on Motion for Protective Order, Order on Motion to Compel #148 , Order on Motion to Dismiss, #87 , Order on Motion to Dismiss #174 (Appeal fee of $505 receipt number 0971-11952369 paid.) (Attachments: #1 Exhibit A, #2 Exhibit B, #3 Exhibit C, #4 Exhibit D, #5 Representation Statement)(Straite, David) (Filed on 12/14/2017)

Download PDF
Exhibit B Case 5:12-md-02314-EJD Document 148 Filed 06/30/17 Page 1 of 14 1 2 3 4 5 6 UNITED STATES DISTRICT COURT 7 NORTHERN DISTRICT OF CALIFORNIA 8 SAN JOSE DIVISION 9 In re Facebook Internet Tracking Litigation 10 ORDER GRANTING DEFENDANT’S MOTION TO DISMISS 11 United States District Court Northern District of California Case No. 5:12-md-02314-EJD 12 Re: Dkt. No. 101 13 14 15 Plaintiffs allege that Defendant Facebook, Inc. violated their privacy by tracking their 16 17 browsing activity on third-party websites. This Court previously granted Facebook’s motion to 18 dismiss, with leave to amend, for lack of standing and failure to state a claim. Plaintiffs filed an 19 amended complaint, and Facebook now moves to dismiss. Facebook’s motion will be GRANTED. 20 I. BACKGROUND Facebook operates a social networking website.1 Second Am. Consolidated Class Action 21 22 Compl. (“SAC”) ¶ 16, Dkt. No. 93. Third-party websites can embed Facebook “like” buttons to let 23 users share content on Facebook—for instance, CNN can embed “like” buttons on news articles 24 that it publishes on http://www.cnn.com/ to let users share content with their Facebook friends. 25 Id. ¶ 49. To make the “like” button appear on the page, CNN embeds a small code snippet that 26 27 28 1 For a more detailed discussion of Plaintiffs’ factual allegations, see this Court’s order granting Facebook’s previous motion to dismiss, Dkt. No. 87 at 2–6. 1 Case No.: 5:12-md-02314-EJD ORDER GRANTING DEFENDANT’S MOTION TO DISMISS Case 5:12-md-02314-EJD Document 148 Filed 06/30/17 Page 2 of 14 1 Facebook provides. Id. That code snippet causes the user’s browser to send a background request 2 to Facebook’s servers. Id. That request includes the URL of the page where the “like” button is 3 embedded, as well as the contents of “cookies”—small text files—that Facebook has stored on 4 that user’s browser. Id. ¶¶ 3, 52. 5 Plaintiffs allege that Facebook uses “like” buttons to track Plaintiffs’ web browsing 6 activity. Id. ¶¶ 3–5. Because URLs are transmitted to Facebook each time a user visits a page that 7 contains a “like” button, Plaintiffs allege that Facebook violated various privacy laws by collecting 8 detailed records of Plaintiffs’ private web browsing history. Id. Plaintiffs allege that Facebook’s 9 cookies enable it to uniquely identify users and correlate their identities with their browsing activity, even when users are logged out of Facebook. Id. ¶¶ 48–49. As discussed below, Plaintiffs 11 United States District Court Northern District of California 10 also allege that Facebook circumvented certain privacy settings of the Internet Explorer web 12 browser. Id. ¶¶ 85–101. 13 Plaintiffs’ initial class-action complaint alleged various statutory and common-law privacy 14 violations. Dkt. No. 35. Facebook moved to dismiss. Dkt. No. 44. This Court granted Facebook’s 15 motion to dismiss, with leave to amend, on the grounds that Plaintiffs failed to establish Article III 16 standing with respect to some of their claims, and that Plaintiffs failed to state a claim with respect 17 to the rest. Order Granting Def.’s Mot. to Dismiss (“MTD Order”), Dkt. No. 87. Plaintiffs filed an 18 amended complaint alleging violations of the federal Wiretap Act, 18 U.S.C. § 2510 et seq. (SAC 19 ¶¶ 179–92); violations of the federal Stored Communications Act (“SCA”), 18 U.S.C. § 2701 et 20 seq. (SAC ¶¶ 193–208); violations of the California Invasion of Privacy Act (“CIPA”), Cal. Crim. 21 Code §§ 631, 632 (SAC ¶¶ 209–19); invasion of privacy under the California Constitution (SAC 22 ¶¶ 220–31); intrusion upon seclusion (SAC ¶¶ 232–41); breach of contract (SAC ¶¶ 242–52); 23 breach of the duty of good faith and fair dealing (SAC ¶¶ 253–61); fraud, Cal. Civ. Code §§ 1572, 24 1573 (SAC ¶¶ 262–69); trespass to chattels (SAC ¶¶ 270–73); violations of the California 25 Comprehensive Computer Data Access and Fraud Act (“CDAFA”), Cal. Penal Code § 502 (SAC 26 27 28 2 Case No.: 5:12-md-02314-EJD ORDER GRANTING DEFENDANT’S MOTION TO DISMISS Case 5:12-md-02314-EJD Document 148 Filed 06/30/17 Page 3 of 14 1 ¶¶ 274–85); and larceny, Cal. Penal Code §§ 484, 496 (SAC ¶¶ 286–95).2 Facebook now moves to 2 dismiss the SAC under Fed. R. Civ. P. 12(b)(1) and 12(b)(6). Def.’s Mot. to Dismiss (“MTD”), 3 Dkt. No. 101. 4 II. 5 LEGAL STANDARD A. Rule 12(b)(1) Dismissal under Fed. R. Civ. P. 12(b)(1) is appropriate if the complaint fails to allege facts 6 7 sufficient to establish subject-matter jurisdiction. Savage v. Glendale Union High Sch., 343 F.3d 8 1036, 1039 n.2 (9th Cir. 2003). The Court “is not restricted to the face of the pleadings, but may 9 review any evidence, such as affidavits and testimony, to resolve factual disputes concerning the existence of jurisdiction.” McCarthy v. United States, 850 F.2d 558, 560 (9th Cir. 1988). The 11 United States District Court Northern District of California 10 nonmoving party bears the burden of establishing jurisdiction. Chandler v. State Farm Mut. Auto. 12 Ins. Co., 598 F.3d 1115, 1122 (9th Cir. 2010). 13 B. Rule 12(b)(6) A motion to dismiss under Fed. R. Civ. P. 12(b)(6) tests the legal sufficiency of claims 14 15 alleged in the complaint. Parks Sch. of Bus., Inc. v. Symington, 51 F.3d 1480, 1484 (9th Cir. 16 1995). Dismissal “is proper only where there is no cognizable legal theory or an absence of 17 sufficient facts alleged to support a cognizable legal theory.” Navarro v. Block, 250 F.3d 729, 732 18 (9th Cir. 2001). The complaint “must contain sufficient factual matter, accepted as true, to ‘state a 19 claim to relief that is plausible on its face.’ ” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (quoting 20 Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007)). 21 III. 22 A. Standing To establish Article III standing, a plaintiff must have “(1) suffered an injury in fact, (2) 23 24 DISCUSSION that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be 25 26 27 28 2 Plaintiffs dropped their claims for conversion and violations of the Computer Fraud and Abuse Act, the California Unfair Competition Law, and the California Consumer Legal Remedies Act. Plaintiffs added claims for fraud, larceny, breach of contract, and breach of the duty of good faith and fair dealing. 3 Case No.: 5:12-md-02314-EJD ORDER GRANTING DEFENDANT’S MOTION TO DISMISS Case 5:12-md-02314-EJD Document 148 Filed 06/30/17 Page 4 of 14 1 redressed by a favorable judicial decision.” Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1547 (2016). 2 The plaintiff bears the burden of proving these elements. Id. 3 The plaintiff’s injury must be “particularized” and “concrete.” Id. at 1548. To be particularized, it “must affect the plaintiff in a personal and individual way.” Id. To be concrete, it 5 must be real, not abstract. Id. at 1548–49. A concrete injury can be tangible or intangible. Id. A 6 plaintiff cannot “allege a bare procedural violation, divorced from any concrete harm, and satisfy 7 the injury-in-fact requirements of Article III.” Id. at 1549. A plaintiff does not “automatically 8 satisf[y] the injury-in-fact requirement whenever a statute grants a person a statutory right and 9 purports to authorize that person to sue to vindicate that right.” Id. However, a statutory violation 10 can confer standing when the “alleged intangible harm has a close relationship to a harm that has 11 United States District Court Northern District of California 4 traditionally been regarded as providing a basis for a lawsuit in English or American courts.” Id. 12 “In determining whether an intangible harm constitutes injury in fact, both history and the 13 judgment of Congress play important roles.” Id. If a plaintiff lacks Article III standing to pursue a 14 claim, then the claim must be dismissed for lack of subject-matter jurisdiction. Steel Co. v. 15 Citizens for a Better Env’t, 523 U.S. 83, 101–02 (1998). 16 i. Wiretap Act, SCA, and CIPA 17 This Court previously found that Plaintiffs had established standing for their Wiretap Act, 18 SCA, and CIPA claims. MTD Order 13–15. Economic injury is not required to establish standing 19 under any of those three statutes. See In re Google Inc. Gmail Litig., No. 13-md-02430-LHK, 20 2013 WL 5423918, at *16 (N.D. Cal. Sept. 26, 2013) (“courts in this district have found that 21 allegations of a Wiretap Act violation are sufficient to establish standing”); In re iPhone 22 Application Litig., 844 F. Supp. 2d 1040, 1055 (N.D. Cal. 2012) (“Other courts in this district 23 have recognized that a violation of the Wiretap Act or the Stored Communications Act may serve 24 as a concrete injury for the purposes of Article III injury analysis.”); Gaos v. Google, Inc., No. 10- 25 cv-4809-EJD, 2012 WL 1094646, at *3 (N.D. Cal. Mar. 29, 2012) (“a violation of one’s statutory 26 rights under the SCA is a concrete injury”); Cal. Penal Code § 637.2 (“It is not a necessary 27 prerequisite to an action pursuant to this section that the plaintiff has suffered, or be threatened 28 4 Case No.: 5:12-md-02314-EJD ORDER GRANTING DEFENDANT’S MOTION TO DISMISS Case 5:12-md-02314-EJD Document 148 Filed 06/30/17 Page 5 of 14 1 with, actual damages.”); In re Google Inc. Gmail Litig., 2013 WL 5423918, at *17 (“the Court 2 finds that CIPA and the Wiretap Act are not distinguishable for the purposes of standing”). 3 Plaintiffs allege that Facebook “intercepts” and “tracks” their internet communications in 4 violation of all three statutes. SAC ¶¶ 179–219. These allegations are sufficient to confer standing 5 for Plaintiffs’ Wiretap Act, SCA, and CIPA claims. 6 ii. Trespass to Chattels, CDAFA, Fraud, and Larceny 7 This Court previously found that Plaintiffs did not establish standing for their claims for 8 trespass to chattels and violations of the CDAFA. MTD Order 8–11. Unlike the statutory claims 9 discussed above, claims for trespass to chattels and CDAFA violations require a showing of economic harm or loss. To prevail on a claim for trespass to chattels based on access to a 11 United States District Court Northern District of California 10 computer system, a plaintiff must establish that (1) the defendant intentionally and without 12 authorization interfered with the plaintiff’s possessory interest in the computer system and (2) the 13 defendant’s unauthorized used proximately caused damage to the plaintiff. eBay, Inc. v. Bidder’s 14 Edge, Inc., 100 F. Supp. 2d 1058, 1069–70 (N.D. Cal. 2000). The property owner “may recover 15 only the actual damages suffered by reason of the impairment of the property or the loss of its 16 use.” Id. at 1070 (quoting Itano v. Colonial Yacht Anchorage, 267 Cal. App. 2d 84, 90 (1968)). 17 Likewise, to prevail on a CDAFA claim, “Plaintiffs must allege they suffered damage or loss by 18 reason of a violation of Section 502(c).” In re Google Android Consumer Privacy Litig., No. 11- 19 MD-02264-JSW, 2013 WL 1283236, at *5, *11 (N.D. Cal. Mar. 26, 2013) (finding that the 20 plaintiffs had standing to pursue a CDAFA claim where they alleged that the defendant’s conduct 21 drained the batteries of their mobile devices). 22 In their SAC, Plaintiffs have added claims for fraud (Cal. Civ. Code § 1572), constructive 23 fraud (Cal. Civ. Code § 1573), and larceny (Cal. Penal Code §§ 484, 496). SAC ¶¶ 262–69, 286– 24 95. As with claims for trespass to chattels and violations of the CDAFA, Plaintiffs’ fraud claims 25 require a showing of actual damage. See Rodriguez v. JP Morgan Chase & Co., 809 F. Supp. 2d 26 1291, 1296 (S.D. Cal. 2011) (noting that a § 1572 claim requires (1) misrepresentation, (2) 27 knowledge of falsity, (3) intent to defraud, (4) reliance, and (5) resulting damage); Dealertrack, 28 5 Case No.: 5:12-md-02314-EJD ORDER GRANTING DEFENDANT’S MOTION TO DISMISS Case 5:12-md-02314-EJD Document 148 Filed 06/30/17 Page 6 of 14 1 Inc. v. Huber, 460 F. Supp. 2d 1177, 1183 (C.D. Cal. 2006) (noting that a § 1573 claim requires 2 (1) a fiduciary or confidential relationship, (2) an act, omission, or concealment involving a breach 3 of that duty, (3) reliance, and (4) resulting damage). And Plaintiffs’ larceny claim requires a 4 showing of “an intent to permanently deprive an individual of his property.” Castillo-Cruz v. 5 Holder, 581 F.3d 1154, 1160–61 (9th Cir. 2009). 6 This Court previously found that Plaintiffs have not established a “realistic economic harm 7 or loss that is attributable to Facebook’s alleged conduct.” MTD Order 10. Although Plaintiffs’ 8 personal web browsing information might have “some degree of intrinsic value,” this Court held 9 that Plaintiffs failed to show, “for the purposes of Article III standing, that they personally lost the opportunity to sell their information or that the value of their information was somehow 11 United States District Court Northern District of California 10 diminished after it was collected by Facebook.” Id. The SAC contains no new facts that establish 12 economic harm or loss. Nor does the SAC establish that Facebook intended to permanently 13 deprive Plaintiffs of property of any sort. As such, Plaintiffs lack Article III standing to pursue 14 their claims for trespass to chattels, violations of the CDAFA, fraud, and larceny. These claims 15 must be dismissed under Fed. R. Civ. P. 12(b)(1) for lack of subject-matter jurisdiction. 16 17 iii. Invasion of Privacy and Intrusion upon Seclusion Plaintiffs allege that Facebook committed privacy tort violations by collecting URLs of 18 pages that Plaintiffs visited and by using persistent cookies to associate Plaintiffs’ identities with 19 their web browsing histories. SAC ¶¶ 68–78. Unlike the claims discussed in the previous section, a 20 plaintiff need not show actual loss to establish standing for common-law claims of invasion of 21 privacy and intrusion upon seclusion. See, e.g., Van Patten v. Vertical Fitness Grp., LLC, 847 F.3d 22 1037, 1043 (9th Cir. 2017) (noting that “[a]ctions to remedy defendants’ invasions of privacy, 23 intrusion upon seclusion, and nuisance have long been heard by American courts,” and finding 24 that the plaintiffs had Article III standing to pursue their privacy claim); In re Google Inc. Cookie 25 Placement Consumer Privacy Litig., 806 F.3d 125, 134 (3d Cir. 2015) (noting that “the Supreme 26 Court itself has permitted a plaintiff to bring suit for violations of federal privacy law absent any 27 indication of pecuniary harm,” and finding that the plaintiffs had Article III standing to pursue 28 6 Case No.: 5:12-md-02314-EJD ORDER GRANTING DEFENDANT’S MOTION TO DISMISS Case 5:12-md-02314-EJD Document 148 Filed 06/30/17 Page 7 of 14 1 privacy tort claims arising from the defendant’s web tracking activity). The Court finds that 2 Plaintiffs’ alleged privacy violations are sufficient to establish standing for Plaintiffs’ privacy tort 3 claims. 4 5 iv. Breach of Contract and Breach of the Duty of Good Faith and Fair Dealing In the SAC, Plaintiffs add claims for breach of contract and breach of the duty of good 6 faith and fair dealing. Actual damages are not required to establish standing for contractual claims. 7 In re Facebook Privacy Litig., 192 F. Supp. 3d 1053, 1060–62 (N.D. Cal. 2016) (holding that 8 Article III standing exists where a plaintiff seeks to “recover nominal damages for breach of 9 contract even in the absence of actual damages” because the contractual claim alleges “a legal wrong that is fully distinct from the actual damages” (quoting Sweet v. Johnson, 169 Cal. App. 2d 11 United States District Court Northern District of California 10 630, 632 (1959)). The Court finds that Plaintiffs have standing to pursue their claims for breach of 12 contract and breach of the duty of good faith and fair dealing. 13 14 15 B. Sufficiency of Allegations i. Wiretap Act and CIPA A claim under the Wiretap Act requires a showing that the defendant “(1) intentionally (2) 16 intercepted, endeavored to intercept or procured another person to intercept or endeavor to 17 intercept (3) the contents of (4) an electronic communication, (5) using a device.” Google Cookie 18 Placement, 806 F.3d at 135 (citing 18 U.S.C. § 2510 et seq.). 19 Facebook contends that it did not “intercept” Plaintiffs’ communications within the 20 meaning of the Wiretap Act. The Court agrees. The Wiretap Act provides that, with some 21 exceptions, “[i]t shall not be unlawful . . . for a person not acting under color of law to intercept a 22 wire, oral, or electronic communication where such person is a party to the communication.” 18 23 U.S.C. § 2511(2)(d) (emphasis added). Plaintiffs argue that Facebook’s acquisition of URL data 24 constitutes an “interception” of Plaintiffs’ communications with websites they visit. Pls.’ Opp’n to 25 Def.’s Mot. to Dismiss 13–14, Dkt. No. 104-3. But Plaintiffs’ argument misstates the means by 26 which Facebook receives that data. As Facebook points out, two separate communications occur 27 when someone visits a page where a Facebook “like” button is embedded. MTD 12–13. First, the 28 7 Case No.: 5:12-md-02314-EJD ORDER GRANTING DEFENDANT’S MOTION TO DISMISS Case 5:12-md-02314-EJD Document 148 Filed 06/30/17 Page 8 of 14 user’s browser sends a GET request to the server where the page is hosted. Second, as the page 2 loads, the code snippet for the Facebook button triggers a second, independent GET request to 3 Facebook’s servers. That second request contains the URL of the page where the “like” button is 4 embedded, as well as the contents of cookies that Facebook has previously set on that user’s 5 computer. The parties to the first transaction are the web user (e.g., one of the Plaintiffs) and the 6 server where the page is located (e.g., the server that handles requests for http://www.cnn.com/). 7 The parties to the second transaction are that same web user and a Facebook server—but not 8 cnn.com. As to the second transaction, Facebook has not “intercepted” the communication within 9 the meaning of the Wiretap Act because it is “a party to the communication” under 18 U.S.C. § 10 2511(2)(d). Facebook is not a party to the first communication (between the user and cnn.com), 11 United States District Court Northern District of California 1 and it does not intercept any data that those parties exchange. The fact that a user’s web browser 12 automatically sends the same information to both parties does not establish that one party 13 intercepted the user’s communication with the other. As such, the Court finds that Plaintiffs have 14 failed to state a claim under the Wiretap Act. 15 Plaintiffs’ CIPA claims (under Cal. Crim. Code §§ 631 and 632) fail for the same reason. 16 See Google Cookie Placement, 806 F.3d at 152 (finding that eavesdropping claims under the 17 CIPA were properly dismissed for the same reason that those claims were dismissed under the 18 Wiretap Act). § 631 “broadly proscribes third party access to ongoing communications.” Powell v. 19 Union Pac. R. Co., 864 F. Supp. 2d 949, 955 (E.D. Cal. 2012) (emphasis added). “California 20 courts interpret ‘eavesdrop,’ as used in § 632, to refer to a third party secretly listening to a 21 conversation between two other parties.” Thomasson v. GC Servs. Ltd. P’ship, 321 F. App’x 557, 22 559 (9th Cir. 2008) (emphasis added). Because Facebook did not intercept or eavesdrop on 23 communications to which it was not a party, Plaintiffs’ CIPA claims must be dismissed. 24 25 ii. SCA To state a claim under the SCA, a plaintiff must show that the defendant “(1) intentionally 26 accesses without authorization a facility through which an electronic communication service is 27 provided; or (2) intentionally exceeds an authorization to access that facility.” 18 U.S.C. 28 8 Case No.: 5:12-md-02314-EJD ORDER GRANTING DEFENDANT’S MOTION TO DISMISS Case 5:12-md-02314-EJD Document 148 Filed 06/30/17 Page 9 of 14 1 § 2701(a). The SCA defines “electronic storage” as “(A) any temporary, intermediate storage of a 2 wire or electronic communication incidental to the electronic transmission thereof; and (B) any 3 storage of such communication by an electronic communication service for the purpose of backup 4 protection of such communication.” 18 U.S.C. § 2510(17)(A), (B). 5 In their initial complaint, Plaintiffs argued that Facebook’s persistent cookies were in 6 “electronic storage” because they permanently resided in Plaintiffs’ web browsers. MTD Order 7 16–17. This Court rejected Plaintiffs’ argument because Facebook’s cookies were not in 8 “temporary, intermediate storage.” MTD Order 16–17. 9 In their SAC, Plaintiffs now allege that URLs are in “electronic storage” because they reside “in the toolbar” and “in [the] browsing history” of Plaintiffs’ web browsers. SAC ¶¶ 206– 11 United States District Court Northern District of California 10 07. Plaintiffs’ new allegations fare no better. The SCA “is specifically targeted at communications 12 temporarily stored by electronic services incident to their transmission.” In re DoubleClick Inc. 13 Privacy Litig., 154 F. Supp. 2d 497, 511–12 (S.D.N.Y. 2001) (emphasis added). The SCA “only 14 protects electronic communications stored ‘for a limited time’ in the ‘middle’ of a transmission, 15 i.e. when an electronic communication service temporarily stores a communication while waiting 16 to deliver it.” Id. at 512; see also Google Cookie Placement, 806 F.3d at 146 (finding that storage 17 in a web browser on a personal computer is not “[t]emporary storage incidental to transmission” 18 within the meaning of the SCA). URLs stored in a web browser’s toolbar or browsing history are 19 not stored “in the middle of a transmission.” Rather, they are stored locally on the user’s personal 20 computer for the user’s convenience. For instance, a user might look through her browsing history 21 to find a website she visited in the past. Similarly, the “toolbar” (or address bar) displays the URL 22 of the page that the user is currently viewing, but the URL is stored independently of the 23 transmission between a user’s browser and a remote web server. Plaintiffs’ claim fails because the 24 SCA applies to information that is temporarily stored “incident to [the] transmission” of a 25 communication; it does not apply to information in local storage on a user’s computer. 26 Plaintiffs’ claim also fail because personal computers are not “facilities” under the SCA. 27 See id. (“an individual’s personal computing device is not a ‘facility’ through which an electronic 28 9 Case No.: 5:12-md-02314-EJD ORDER GRANTING DEFENDANT’S MOTION TO DISMISS Case 5:12-md-02314-EJD Document 148 Filed 06/30/17 Page 10 of 14 1 communications service is provided . . . . a home computer of an end user is not protected by the 2 [SCA]” (quoting Garcia v. City of Laredo, Tex., 702 F.3d 788, 793 (5th Cir. 2012))). Moreover, 3 Plaintiffs’ computers are not “electronic communication service” providers. See, e.g., In re Zynga, 4 750 F.3d at 1104 (holding that the SCA “covers access to electronic information stored in third 5 party computers”) (emphasis added); In re DoubleClick, 154 F. Supp. 2d at 511 (“Clearly, the 6 cookies’ residence on plaintiffs’ computers does not fall into § 2510(17)(B) because plaintiffs are 7 not ‘electronic communication service’ providers.”). 8 9 10 Plaintiffs’ SCA claim must be dismissed. iii. Invasion of Privacy and Intrusion upon Seclusion To state a claim for intrusion upon seclusion, a plaintiff must show (1) that the defendant United States District Court Northern District of California 11 intentionally intruded into a place, conversation, or matter as to which the plaintiff had a 12 reasonable expectation of privacy and (2) that the intrusion was “highly offensive” to a reasonable 13 person. Hernandez v. Hillsdale, 47 Cal. 4th 272, 285 (2009). To state a claim for invasion of 14 privacy under the California Constitution, a plaintiff must establish (1) a specific, legally protected 15 privacy interest, (2) a reasonable expectation of privacy, and (3) a “sufficiently serious” intrusion 16 by the defendant. In re Vizio, Inc., Consumer Privacy Litig., No. 8:16-ml-02693-JLS-KES, 2017 17 WL 1836366, at *17 (C.D. Cal. Mar. 2, 2017) (quoting Hill v. Nat’l Collegiate Athletic Ass’n, 7 18 Cal. 4th 1, 26 (1994)). When both claims are present, courts conduct a combined inquiry that 19 considers “(1) the nature of any intrusion upon reasonable expectations of privacy, and (2) the 20 offensiveness or seriousness of the intrusion, including any justification and other relevant 21 interests.” Hernandez, 47 Cal. 4th at 287. 22 Here, Plaintiffs have not established that they have a reasonable expectation of privacy in 23 the URLs of the pages they visit. Plaintiffs could have taken steps to keep their browsing histories 24 private. For instance, as Facebook explained in its privacy policy, “[y]ou can remove or block 25 cookies using the settings in your browser.” MTD 6. Similarly, users can “take simple steps to 26 block data transmissions from their browsers to third parties,” such as “using their browsers in 27 ‘incognito’ mode” or “install[ing] plugin browser enhancements.” In re Hulu Privacy Litig., No. C 28 10 Case No.: 5:12-md-02314-EJD ORDER GRANTING DEFENDANT’S MOTION TO DISMISS Case 5:12-md-02314-EJD Document 148 Filed 06/30/17 Page 11 of 14 1 11-03764 LB, 2014 WL 2758598, at *8 (N.D. Cal. June 17, 2014). Facebook’s intrusion could 2 have been easily blocked, but Plaintiffs chose not to do so. In addition, websites routinely embed 3 content from third-party servers in the form of videos, images, and other media, as well as through 4 their use of analytics tools, advertising networks, code libraries and other utilities. Each tool 5 transmits to third parties the same data that Plaintiffs claim is highly sensitive. Since these 6 requests are part of routine internet functionality and can be easily blocked, the Court finds that 7 they are not a “highly offensive” invasion of Plaintiffs’ privacy interests. See Low v. LinkedIn 8 Corp., 900 F. Supp. 2d 1010, 2015 (N.D. Cal. 2012) (finding that LinkedIn did not commit a 9 “highly offensive” invasion of users’ privacy by disclosing users’ browsing histories to third parties); In re Google, Inc. Privacy Policy Litig., 58 F. Supp. 3d 968, 988 (N.D. Cal. 2014) 11 United States District Court Northern District of California 10 (finding that Google’s collection and disclosure of users’ data, including their browsing histories, 12 “do not plausibly rise to the level of intrusion necessary to establish an intrusion claim”); In re 13 Nickelodeon Consumer Privacy Litig., No. 12-07829, 2014 WL 3012873, at *19 (D.N.J. July 2, 14 2014) (dismissing plaintiffs’ invasion-of-privacy claim because plaintiffs failed to show that 15 defendants’ “collection and monetization of online information,” including users’ browsing 16 histories, “would be offensive to the reasonable person, let alone exceedingly so”). 17 Plaintiffs raise specific allegations with respect to a subclass of people who used the 18 Internet Explorer web browser (the “IE Subclass”). Under a protocol called the Platform for 19 Privacy Preferences Project (or “P3P”), a website can publish a policy containing a machine- 20 readable version of the website’s privacy policy. SAC ¶¶ 86–88. Plaintiffs allege that, by default, 21 Internet Explorer blocked cookies from websites that did not publish P3P policies, or from sites 22 with policies that conflict with a user’s browser privacy settings. Id. ¶ 91. However, Internet 23 Explorer allowed cookies from websites that published policies that did not conform to the syntax 24 of the P3P protocol. Id. ¶ 94. During the class period, Plaintiffs allege that Facebook’s P3P policy 25 contained “the tokens DSP and LAW, indicating that the Facebook privacy policy references a law 26 that may determine remedies for breaches of their privacy policy and that there are ways to resolve 27 privacy-related disputes.” Id. ¶ 95. Plaintiffs allege that this policy did not accurately reflect 28 11 Case No.: 5:12-md-02314-EJD ORDER GRANTING DEFENDANT’S MOTION TO DISMISS Case 5:12-md-02314-EJD Document 148 Filed 06/30/17 Page 12 of 14 1 Facebook’s cookie policies. Facebook later changed its P3P policy to a string that stated: 2 “Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p.” Id. ¶¶ 97–100. This 3 second policy does not conform to the P3P syntax. As a result, Internet Explorer allowed 4 Facebook to set cookies on users’ computers. 5 Plaintiffs allege that Facebook adopted an “affirmatively false” P3P policy in order to trick 6 Internet Explorer into allowing Facebook’s cookies to be stored on users’ browsers. Id. ¶¶ 93–98. 7 Facebook responds that it “did not circumvent technical barriers,” and in any event, Plaintiffs have 8 not alleged that any Plaintiff actually used the versions of Internet Explorer that implemented P3P. 9 MTD 27 n.15. 10 Plaintiffs’ argument would compel Facebook to adopt the P3P protocol and publish a United States District Court Northern District of California 11 policy with specific contents. But adoption of P3P is voluntary: Facebook can choose to publish a 12 machine-readable version of its privacy policy, but it has no legal duty to do so. Similarly, browser 13 manufacturers can choose to support the P3P protocol, but they have no power to require websites 14 to publish P3P policies, or to dictate the contents of those policies. In this respect, the facts are 15 different from the scenario underlying the Third Circuit’s decision in Google Cookie Placement. 16 There, the Plaintiffs alleged that Google deliberately circumvented cookie-blocking settings in 17 users’ browsers, while claiming that it respected users’ decisions to “[set] your browser to refuse 18 all cookies.” 806 F.3d at 150. “Characterized by deceit and disregard,” the court held, “the alleged 19 conduct raises different issues than tracking or disclosure alone.” Id. On that basis, the court found 20 that the plaintiffs had stated claims for intrusion upon seclusion and invasion of privacy under the 21 California Constitution. Id. at 151. The claims here are different. Unlike the allegations in Google 22 Cookie Placement, Facebook never promised to adopt the P3P protocol. Rather, Facebook 23 publicly stated that it “does not have a P3P policy.” SAC ¶ 100; see also id. ¶ 99 (quoting a public 24 statement in which Facebook indicated that it chose not to adopt P3P because the protocol does 25 not “allow a rich enough description to accurately represent our privacy policy”). Because 26 Facebook had no obligation to adopt P3P, the Court finds that Plaintiffs have not stated claims for 27 privacy tort violations as to the IE subclass. 28 12 Case No.: 5:12-md-02314-EJD ORDER GRANTING DEFENDANT’S MOTION TO DISMISS Case 5:12-md-02314-EJD Document 148 Filed 06/30/17 Page 13 of 14 1 2 iv. Breach of Contract and Breach of the Duty of Good Faith and Fair Dealing Plaintiffs allege that Facebook “breached its contract with Plaintiffs and each of the Class 3 members by tracking and intercepting” their communications with third-party websites. SAC 4 ¶ 250. The relevant contract during the class period was Facebook’s “Statement of Rights and 5 Responsibilities” (“SRR”). Id. ¶ 17. Plaintiffs allege that Facebook’s privacy policy was 6 incorporated by reference into the SRR, and that some of Facebook’s “help pages” were also 7 incorporated by reference. Id. ¶ 20, 23. According to Plaintiffs, “[o]ne help page entry provided 8 more detail related to Facebook’s use of cookies,” and Facebook “represented in the social plug-in 9 discussion that ‘when you log out of Facebook, we remove the cookies that identify your 10 United States District Court Northern District of California 11 particular account.’ ” Id. ¶ 23. Other than general references to “help pages” and a “social plug-in discussion,” Plaintiffs 12 fail to explain where or when these statements appeared. Plaintiffs also fail to explain how these 13 statements were incorporated into the binding SRR, other than by reference in the complaint to a 14 “layered approach” through which Facebook made its policies easier to understand by 15 “summarizing our practices on the front page and then allowing people to click through the Policy 16 for more details.” Id. ¶ 22. Plaintiffs do not, for instance, identify a trail of links leading from the 17 SRR to the statements it identifies. 18 “In an action for breach of a written contract, a plaintiff must allege the specific provisions 19 in the contract creating the obligation the defendant is said to have breached.” Woods v. Google 20 Inc., No. 05:11-cv-1263-JF, 2011 WL 3501403, at *3 (N.D. Cal. Aug. 10, 2011). Statements 21 “spread across a variety of pages in a variety of formats make it difficult to identify the terms of 22 any actual and unambiguous contractual obligations.” Id. at *4. Because Plaintiffs have not 23 identified the specific contractual provisions they allege were breached, Plaintiffs’ breach-of- 24 contract claim will be dismissed with leave to amend. 25 Plaintiffs’ claim for breach of the duty of good faith and fair dealing also fails. “[T]he 26 implied covenant of good faith and fair dealing ‘cannot impose substantive duties or limits on the 27 contracting parties beyond those incorporated in the specific terms of their agreement.’ ” 28 13 Case No.: 5:12-md-02314-EJD ORDER GRANTING DEFENDANT’S MOTION TO DISMISS Case 5:12-md-02314-EJD Document 148 Filed 06/30/17 Page 14 of 14 1 Rosenfeld v. JPMorgan Chase Bank, N.A., 732 F. Supp. 2d 952, 968 (N.D. Cal. 2010) (quoting 2 Agosta v. Astor, 120 Cal. App. 4th 596, 607 (2004)). Plaintiffs have not identified the terms of the 3 agreement that imposed a duty on Facebook not to engage in the tracking activity at issue. As 4 such, Plaintiffs’ breach-of-duty claim will also be dismissed with leave to amend. 5 IV. CONCLUSION 6 The Court orders as follows: 7 1. Facebook’s motion to dismiss Plaintiffs’ claims for trespass to chattels (SAC ¶¶ 8 270–73), violations of the CDAFA (SAC ¶¶ 274–85), fraud (SAC ¶¶ 262–69), and larceny (SAC 9 ¶¶ 286–95) is GRANTED without leave to amend for lack of standing under Fed. R. Civ. P. 12(b)(1). 11 United States District Court Northern District of California 10 2. Facebook’s motion to dismiss Plaintiffs’ claims for violations of the Wiretap Act 12 (SAC ¶¶ 179–92), violations of the SCA (SAC ¶¶ 193–208), violations of the CIPA (SAC ¶¶ 209– 13 19), invasion of privacy (SAC ¶¶ 220–31), and intrusion upon seclusion (SAC ¶¶ 232–41) is 14 GRANTED without leave to amend for failure to state a claim under Fed. R. Civ. P. 12(b)(6). 15 3. Facebook’s motion to dismiss Plaintiffs’ claims for breach of contract (SAC 16 ¶¶ 242–52) and breach of the duty of good faith and fair dealing (SAC ¶¶ 253–61) is GRANTED 17 with leave to amend. 18 19 20 21 4. Facebook’s motion for a protective order temporarily staying further discovery (Dkt. No. 108) is DENIED. 5. Plaintiffs’ motion to compel discovery (Dkt. No. 110) is TERMINATED and may be refiled in accordance with the procedures of the assigned magistrate judge. 22 23 24 25 26 IT IS SO ORDERED. Dated: June 30, 2017 ______________________________________ EDWARD J. DAVILA United States District Judge 27 28 14 Case No.: 5:12-md-02314-EJD ORDER GRANTING DEFENDANT’S MOTION TO DISMISS

Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.


Why Is My Information Online?