Tittle v. VTech Electronics North America, LLC
Filing
87
MEMORANDUM Opinion and Order. Signed by the Honorable Manish S. Shah on 7/5/2017: VTech's motion to dismiss, 61 , is granted. The complaint is dismissed without prejudice for failure to state a claim. Status hearing is set for 7/14/17 at 9:30 a.m. [For further detail see attached order.] Notices mailed. (psm, )
<![CDATA[
UNITED STATES DISTRICT COURT
FOR THE NORTHERN DISTRICT OF ILLINOIS
EASTERN DIVISION
IN RE VTECH DATA BREACH LITIGATION
No. 15 CV 10889,
No. 15 CV 10891,
No. 15 CV 11620, and
No. 15 CV 11885
Judge Manish S. Shah
MEMORANDUM OPINION AND ORDER
Plaintiffs bought children’s toys made by an affiliate of defendant VTech
Electronics North America, LLC. Those toys featured access to an online library of
educational
software,
games,
and
other
content,
and
some
provided
a
communication platform through which parents and their children could send each
other messages. Using those online features required the submission of plaintiffs’
personally identifiable information, which was stored on servers operated by VTech.
Due to VTech’s inadequate security, a hacker was able to access those servers and
copied plaintiffs’ data. Plaintiffs seek to represent a class of consumers and filed
this suit alleging both present and future harm resulting from the data breach and
VTech’s response to that breach. VTech moves to dismiss for lack of subject-matter
jurisdiction and for failure to state a claim. For the following reasons, the motion is
granted.
I.
Legal Standards
A court must dismiss an action if it determines, at any time, it lacks subject-
matter jurisdiction, Fed. R. Civ. P. 12(h)(3), and a defendant may move to dismiss
an action for lack of subject-matter jurisdiction. Fed. R. Civ. P. 12(b)(1). The
plaintiff bears the burden of proving that jurisdiction is proper. Transit Express,
Inc. v. Ettinger, 246 F.3d 1018, 1022 (7th Cir. 2001) (citation omitted). One
component of subject-matter jurisdiction is Article III standing—the requirement
that plaintiffs present an actual case or controversy. See Silha v. ACT, Inc., 807
F.3d 169, 172–73 (7th Cir. 2015). “[A] plaintiff need only show the existence of facts
that could, consistent with the complaint’s allegations, establish standing.” Apex
Digital, Inc. v. Sears, Roebuck & Co., 572 F.3d 440, 443 (7th Cir. 2009) (citations
omitted).
To survive a motion to dismiss under Rule 12(b)(6), a complaint must contain
factual allegations that plausibly suggest a right to relief. Virnich v. Vorwald, 664
F.3d 206, 212 (7th Cir. 2011) (quoting Bell Atl. Corp. v. Twombly, 550 U.S. 554, 558
(2009)). “The purpose of a motion to dismiss is to test the sufficiency of the
complaint, not to decide the merits.” Triad Assocs., Inc. v. Chicago Hous. Auth., 892
F.2d 583, 586 (7th Cir. 1989). With a 12(b)(6) motion, a court may only consider
allegations in the complaint, documents attached to the complaint, and documents
that are both referred to in the complaint and central to its claims. Levenstein v.
Salafsky, 164 F.3d 345, 347 (7th Cir. 1998). The court must construe all factual
allegations as true and draw all reasonable inferences in the plaintiff’s favor, but
2
the court need not accept legal conclusions or conclusory allegations. Virnich, 664
F.3d at 212 (citing Ashcroft v. Iqbal, 556 U.S. 662, 680–82 (2009)).
II.
Facts1
Defendant VTech Electronics North America, LLC marketed and distributed
digital learning toys for preschool and grade school children.2 [44] ¶ 2. VTech
designed these toys, including tablets, smartphones, and other handheld touchsensitive products, to connect to its online application store, the Learning Lodge,
and touted that connectivity as an important feature of the products in their
marketing. [44] ¶¶ 2, 3, 8, 10. The Learning Lodge allowed customers to purchase
and download content like educational games, books, music, and videos. [44] ¶¶ 2, 3,
7, 10. Customers could buy applications stored on physical cartridges, as well, but
those cartridges often required software updates from the Learning Lodge to work.
[44] ¶ 11. VTech priced its products at a premium in part due to their ability to
access the Learning Lodge. [44] ¶ 8. Some of VTech’s higher-priced toys also
supported its Kid Connect service, which allowed parents and their children to
communicate by text message using the Kid Connect-enabled device and a cell
phone. [44] ¶¶ 3, 14–15. And for an additional fee, customers could purchase
Premium Kid Connect service, which enabled communication in the form of picture
Bracketed numbers refer to entries on the district court docket. The facts are largely
taken from the operative complaint, [44].
1
Plaintiffs also named as defendants VTech Holdings, Ltd. and VTech Electronics, Ltd.,
which designed and manufactured the toys, but the parties stipulated to the dismissal of
those defendants. See [59].
2
3
and voice messages (in addition to text messages) and provided access to group
bulletin boards. [44] ¶ 15.
To access those online services, or to receive software updates for the toys,
customers had to affirmatively agree to certain terms and conditions and register
for online accounts with VTech.3 [44] ¶¶ 9, 16, 22. Registration required the
submission of personally identifying information, including parents’ names, home
addresses, email addresses, passwords, and credit or debit card information. [44]
¶ 16. Once a parent activated an account, VTech allowed the parent to create a user
profile for the child by providing VTech with the child’s name, password, birthdates,
gender, and photographs. [44] ¶ 17. VTech stored that information, as well as the
content of any messages exchanged over the Kid Connect platform, on its servers.
[44] ¶¶ 15, 71.
Plaintiffs are eight adults who purchased VTech’s Learning Lodge-enabled
products, and fourteen children who used those products. [44] ¶¶ 56, 63, 71, 80, 88,
95, 103–04, 113, 121–22, 125–26. Most of plaintiffs’ products also supported the Kid
Connect service, and one plaintiff paid for the Premium Kid Connect service. Id. All
plaintiffs created online accounts and user profiles and submitted personally
identifiable information to VTech. Id.
The complaint includes only an excerpt of the terms and conditions to which plaintiffs
agreed, but VTech submitted copies of the Terms and Conditions of Learning Lodge, [62-1],
the Terms and Conditions of VTech Kid Connect, [62-2], and the VTech Privacy Policy, [623], which is incorporated by reference into each of the first two documents. Plaintiffs do not
object to the introduction of those exhibits, and refer to them in their response brief.
Because the terms are referred to in the complaint and central to plaintiffs’ claims, VTech’s
exhibits will be considered on this motion.
3
4
Plaintiffs allege that VTech’s handling of their data was governed by the
terms and conditions to which they agreed prior to registration—i.e., before they
submitted their personal information and before they formally accepted the terms of
online service. [44] ¶ 22. Plaintiffs do not specify which set of terms and conditions
they are referring to—the Terms and Conditions of Learning Lodge, the Terms and
Conditions of VTech Kid Connect, or both. But it makes little difference, since both
documents incorporate by reference VTech’s Privacy Policy, which lies at the heart
of plaintiffs’ claims. [44] ¶ 22; [62-1]; [62-2]. The Privacy Policy informed them that:
The security of your personal information is important to VTech, and
VTech is committed to handling your information carefully. In most
cases, if you submit your PII to VTech directly through the Web
Services it will be transmitted encrypted to protect your privacy using
HTTPS encryption technology. Any Registration Data submitted in
conjunction with encrypted PII will also be transmitted encrypted.
Further, VTech stores your PII and Registration Data in a database
that is not accessible over the Internet.
[44] ¶ 22. The Privacy Policy also said that any submitted information about
children “is treated and handled in the same manner as the information we collect
about you.” Id. Despite these promises, VTech neither used encryption when
transmitting customers’ data nor stored that data in a place inaccessible from the
internet, putting it at risk of theft. [44] ¶¶ 5, 32, 33.
In November 2015, a hacker infiltrated VTech’s servers and downloaded
personally identifiable information relating to 4.8 million adult accounts and 6.3
million child profiles. [44] ¶¶ 4, 25. The hacker reached out to a journalist, who
shared the data with a data security consultant and notified VTech. [44] ¶¶ 37, 51.
Once it was alerted, VTech confirmed to the public that customer data had been
5
exposed, and clarified a few days later that the data included parents’ names, email
and mailing addresses, IP addresses, download and purchase histories, passwords,
and the secret questions and answers used for password retrieval. [44] ¶¶ 26–27.
The data also included children’s names, genders, birthdates, photos, and Kid
Connect communications, including text, image, and audio recordings, between the
children and their parents. [44] ¶¶ 26–27. The children’s home addresses can be
easily determined by anyone with access to the data. [44] ¶¶ 18, 26. As a result of
the data breach, plaintiffs fear that they are exposed to an increased risk of identity
theft and will be for years to come. [44] ¶¶ 52, 53. They also fear that harm may
befall the children if predators gain access to their information. [44] ¶ 49.
In response to the Data Breach, VTech suspended all access to its online
services for nearly two months while it investigated the breach and changed its data
security protocols. [44] ¶¶ 6, 41. Access to the Learning Lodge has since been
restored for certain products, but the Kid Connect service remains disabled. [44]
¶ 6. And although VTech insists that its system is now secure, plaintiffs believe that
it is still plagued by fundamental security flaws. [44] ¶¶ 42, 44.
Plaintiffs allege that, had they known of VTech’s inadequate data security
measures, or that VTech would suspend access to the online services for an
extended period of time, they would have paid less for the products or would not
have purchased them at all. [44] ¶ 24. They also allege that inadequate security
makes the products worth less than the products that plaintiffs were promised. [44]
¶ 44. Plaintiffs bring claims for breach of contract, breach of the implied covenant of
6
good faith and fair dealing, breach of the implied warranty of merchantability, and
violation of the Illinois Consumer Fraud and Deceptive Business Practices Act.4
And they bring a separate cause of action for declaratory relief.
III.
Analysis
A.
Article III Standing
VTech seeks dismissal of the complaint for lack of Article III standing. To
establish standing under Article III, a plaintiff must show that they have “(1)
suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the
defendant, and (3) that is likely to be redressed by a favorable judicial decision.”
Spokeo, Inc. v. Robins, 136 S.Ct. 1540, 1547 (2016) (citing Lujan v. Defs. of Wildlife,
504 U.S. 555, 560–61 (1992)). The parties focus on the injury-in-fact requirement. A
plaintiff must have “suffered ‘an invasion of a legally protected interest’ that is
‘concrete and particularized’ and ‘actual or imminent, not conjectural or
hypothetical.’” Spokeo, 136 S.Ct. at 1548 (quoting Lujan, 504 U.S. at 560). Plaintiffs
argue that they suffered injuries in the form of (1) future harm and the time and
expense of protecting themselves from that harm, (2) economic loss due to
purchasing a product that turned out to be less valuable than it was held out to be,
and (3) the emotional distress resulting from the public exposure of sensitive data
concerning their children.
Jurisdiction arises under the Class Action Fairness Act, because minimal diversity existed
between the parties at the time the complaint was filed (plaintiffs are citizens of California,
Georgia, Illinois, Massachusetts, New York, and Washington, and dismissed defendant
VTech Electronics Limited is a citizen of China); the total number of members of the class is
greater than 100; and the amount in controversy exceeds $5,000,000. See 28 U.S.C.
§ 1332(d)(2)(A), (C). The citizenship of the only remaining defendant, VTech Electronics
North America, LLC, is not yet properly alleged.
4
7
1.
Future Harm and Mitigation Expenses
Allegations showing a “substantial risk” of future harm can establish Article
III standing. Remijas v. Neiman Marcus Grp., LLC, 794 F.3d 688, 693 (7th Cir.
2015) (citing Clapper v. Amnesty Int’l USA, 568 U.S. 398, 133 S.Ct. 1138, 1150 n.5
(2013)). When that harm is imminent, mitigation expenses qualify as actual injuries
that support Article III standing. Remijas, 794 F.3d at 694. Plaintiffs argue that,
because a hacker breached VTech’s network and stole their personally identifiable
information, they faced a threat of future harm sufficient to confer standing. And
while they suggest that that threat relates to multiple types of harm, they do not
specifically address anything other than identity theft. They also argue that they
would have acted reasonably in protecting themselves from identity theft by
expending time and money to monitor their financial statements and credit reports.
Plaintiffs rely on Monsanto Co. v. Geertson Seed Farms, 561 U.S. 139 (2010), in
which a substantial risk of harm (that might not have occurred in fact) would
impose mitigation costs, thereby satisfying the injury-in-fact requirement. Id. at
155. But plaintiffs do not explain how the data breach subjected them to a
substantial risk of identity theft and corresponding mitigation costs.
In certain situations, a data breach can result in an increased risk of identity
theft sufficient to confer standing. See, e.g., Lewert v. P.F. Chang’s China Bistro,
Inc., 819 F.3d 963, 967 (7th Cir. 2016); Remijas, 794 F.3d at 693. In both Lewert and
Remijas, the plaintiffs alleged the theft of their payment-card information, and that
the theft resulted in some of them finding fraudulent charges on their financial
8
statements. In Lewert, the court held that a substantial risk of harm from the data
breach could be plausibly inferred, “because a primary incentive for hackers is
‘sooner or later[ ] to make fraudulent charges or assume those consumers’
identities[.]’” Lewert, 819 F.3d at 967 (quoting Remijas, 794 F.3d at 693). The court
also held that the time and money the plaintiffs spent protecting themselves
against future identity theft and fraudulent charges also qualified as injuries for
the purposes of Article III. Id. at 967; see also Remijas, 794 F.3d at 694 (“An affected
customer, having been notified by Neiman Marcus that her card is at risk, might
think it necessary to subscribe to a service that offers monthly credit monitoring.”).
Plaintiffs here fail to make the connection between the data breach they
allege and the identity theft they fear. Specifically, plaintiffs do not explain how the
stolen data would be used to perpetrate identity theft. Unlike the data breaches in
Lewert and Remijas, the data stolen here did not include credit-card or debit-card
information, or any other information that could easily be used in fraudulent
transactions. See Lewert, 819 F.3d at 967 (“We recognized in Remijas that the
information stolen from payment cards can be used to open new cards in the
consumer’s name.”). It is unclear how the disclosure of plaintiffs’ names, addresses,
birthdates, and VTech account information would increase the risk of fraudulent
transactions on plaintiffs’ credit cards or fraudulent accounts being opened in their
names. Plaintiffs say the dissemination of their VTech usernames, passwords, and
secret questions and answers could compromise their other online accounts, such as
with eBay or PayPal. But again, they do not provide a logical explanation as to how
9
the disclosure of their VTech login credentials would make fraudulent charges or
identity theft likely. Perhaps plaintiffs used the same username and password for
all of their online accounts, and knowledge of their VTech account credentials gave
the hacker access to their PayPal accounts. This is speculation, and plaintiffs do not
make such allegations. Plaintiffs have not shown an increased risk of identity theft
due to a data breach because they do not allege how the stolen data would aid
identity thieves in their efforts.
VTech also notes that plaintiffs do not allege that any fraudulent
transactions occurred, or that the personal information was stolen by individuals
who intended to misuse it. In Lewert and Remijas, the data breach had already
resulted in fraudulent charges for some plaintiffs, making it more likely that other
plaintiffs would eventually suffer the same harm. But plaintiffs have alleged no
such fallout from the VTech breach. And plaintiffs do not show any other indication
that their risk of identity theft increased due to the data breach. The Seventh
Circuit assumed in Remijas that hackers steal consumers’ private information to
make fraudulent charges or assume those consumers’ identities, but an article cited
in this complaint calls that assumption into question for purposes of this litigation.
According to the article, the hacker told the article’s author that he did not intend to
sell or publish the data. [44] ¶ 34. Plaintiffs directly quote the hacker as saying,
“Frankly, it makes me sick that I was able to get all of this stuff.” [44] ¶ 36. To the
extent that plaintiffs are worried that other hackers may have accessed their data
in a different data breach, that is the sort of speculative harm that cannot meet the
10
injury-in-fact requirement. See Clapper, 133 S. Ct. at 1155 (rejecting standing
theory based on a speculative chain of events). With respect to this data breach,
plaintiffs have not plausibly alleged a substantial risk of harm sufficient to confer
standing.5
Neither the complaint nor plaintiffs’ brief makes clear that plaintiffs actually
engaged in mitigation efforts, such as reviewing financial statements or purchasing
credit-monitoring services, to protect against identity theft. But without imminent
harm, mitigation expenses do not meet the injury-in-fact requirement, anyway. Id.
To the extent plaintiffs allege a nonzero amount of time or money spent to protect
themselves from future harm, those efforts do not qualify as actual injuries and do
not support Article III standing.
2.
Economic Injury
Plaintiffs allege present injury in the form of benefit-of-the-bargain damages
resulting from their breach of contract claim, because the products they received
were worth less than the products they were promised. “[F]inancial injury in the
form of an overcharge can support Article III standing.” Remijas, 794 F.3d at 694–
95 (citing In re Aqua Dots Products Liab. Litig., 654 F.3d 748, 751 (7th Cir. 2011)).
The court in Remijas noted that many of the cases applying that principle involve
products liability claims against defective or dangerous products, where a consumer
While they do not discuss it in their brief, plaintiffs also allege in the complaint a threat of
future harm to the children from predators. But again, plaintiffs do not allege that the
hacker is a predator, or that the hacker disseminated the information broadly, to predators
or anyone else who would harm the children. Harm need not be literally certain to confer
standing, but allegations of future harm based on poor data security, without allegations to
support an inference that someone with potentially malicious intent will access the data, is
too speculative to confer standing.
5
11
would not have paid a premium price for a product had he known of the defect or
dangerous condition. Id. at 695. Plaintiffs rely in part on In re Aqua Dots, which
involved such a products liability claim, but they explicitly argue that their claims
are not rooted in products liability or tort law, but rather contract law. And they
focus on cases that do not address Article III standing. For example, they cite to
McManus v. Fleetwood Enterprises, 320 F.3d 545 (5th Cir. 2003), a case addressing
class certification, which held that a plaintiff may be entitled to benefit-of-thebargain damages in a breach of implied warranty of merchantability action under
Texas law, where the defendant represented that a product had a capability that it
did not in fact have. They also refer to International Brotherhood of Teamsters,
Local 734 Health & Welfare Trust Fund v. Philip Morris Inc., 196 F.3d 818 (7th Cir.
1999), which explained that consumers’ economic loss due to inflated pricing or
lowered product quality resulting from antitrust violations conferred prudential
standing under antitrust laws. Id. at 823 (citing Reiter v. Sonotone Corp., 442 U.S.
330 (1979)). Neither of those cases directly supports plaintiffs’ argument, but that
argument has merit nonetheless. Economic injury can result from being given a
different, less valuable product than the one that was promised and paid for, and
such an injury meets Article III’s injury-in-fact requirement. See Carlsen v.
GameStop, Inc., 833 F.3d 903, 909–10 (8th Cir. 2016) (holding that the difference in
value between a subscription to an online magazine that plaintiff paid for and the
subscription he received—a subscription with inadequate privacy protection—
constituted an injury-in-fact for purposes of Article III). Whether the complaint
12
plausibly states a claim that would entitle plaintiffs to recover damages is a
separate question. See, e.g., Bd. of Educ. of Oak Park & River Forest H.S. Dist. No.
200 v. Kelly E., 207 F.3d 931, 934 (7th Cir. 1999) (rejecting a challenge to standing
and noting that “a party’s failure to establish a claim for relief differs from a
deficiency in subject-matter jurisdiction”). Plaintiffs’ allegations of overpayment
present a concrete and particularized injury sufficient to confer Article III
standing.6
B.
Breach of Contract
To state a claim for breach of contract, plaintiffs must allege: “(1) the
existence of a valid and enforceable contract; (2) substantial performance by the
plaintiff; (3) a breach by the defendant; and (4) resultant damages.” Reger Dev., LLC
v. Nat’l City Bank, 592 F.3d 759, 764 (7th Cir. 2010) (quoting W.W. Vincent & Co. v.
First Colony Life Ins. Co., 351 Ill.App.3d 752, 759 (1st Dist. 2004)). Plaintiffs allege
that they entered into a contractual relationship with VTech when they purchased
the toys, receiving in return for the purchase price 1) effective and industrystandard data security measures, and 2) access to and use of the online services
without meaningful interruptions. They further allege that the children who used
the toys are entitled to relief as third-party beneficiaries to the contracts. Plaintiffs
Plaintiffs also argue, in a footnote, that the emotional distress caused by the release of
their children’s data meets the injury-in-fact requirement. Where only an unspecified risk
of future financial harm is alleged, emotional distress in the wake of a data security breach
is insufficient to establish standing. See Reilly v. Ceridian Corp., 664 F.3d 38, 44 (3d Cir.
2011). Plaintiffs do not provide any authority or explanation that supports a different
conclusion when the emotional distress results from non-imminent physical harm to
children. Because plaintiffs have Article III standing on other grounds, whether their
emotional distress confers standing need not be addressed.
6
13
say that VTech breached its contractual obligations in two ways: 1) by failing to
implement industry-standard data security measures to protect plaintiffs’
information, and 2) by suspending access to the online services. VTech counters that
the children cannot assert claims for breach of contract, that agreed-upon
contractual provisions expressly authorized its conduct, and that the complaint does
not plausibly allege actual damages.
1.
The Minor Plaintiffs
“Illinois follows the ‘intent to benefit’ rule; that is, third-party beneficiary
status is a matter of divining whether the contracting parties intended to confer a
benefit upon a nonparty to their agreement.” XL Disposal Corp. v. John Sexton
Contractors Co., 168 Ill.2d 355, 361 (1995). But “there is a strong presumption that
parties to a contract intend that the contract’s provisions apply to only them and not
to third parties.” Quinn v. McGraw-Hill Cos., Inc., 168 F.3d 331, 334 (7th Cir. 1999)
(quoting 155 Harbor Drive Condominium Ass’n v. Harbor Point, Inc., 209 Ill.App.3d
631, 647 (1st Dist. 1991)) (emphasis in original). Only express language in a
contract identifying the third-party beneficiary or “an implied showing where ‘the
implication that the contract applies to third parties [is] so strong as to be
practically an express declaration’” will suffice. Id.
Plaintiffs argue that the fact that the contracts relate to children’s toys
reflects an intent to benefit those children. Plaintiffs also point out that the
Learning Lodge terms acknowledge that children will use the Learning Lodge when
it states, “These terms and conditions create an agreement between VTech and an
14
adult parent/guardian of any minor child who uses the Learning Lodge.” [62-1]
§ 1.1. But in other areas of the agreements, the terms expressly, and repeatedly,
state that the contracts are between VTech and adults, and that the online services
are intended for adult use. See [62-1] § 1.1; [62-2] § 2.2; [62-3] § 7.1. In light of the
presumption against a contract’s application to third-parties, combined with the
contractual language limiting the contracts’ application to VTech and adults, the
children who used VTech’s products are not third-party beneficiaries of the
contracts. Thus, they may not recover under plaintiffs’ breach of contract claims.
2.
Breach
Plaintiffs allege that VTech breached its contractual obligations to implement
particular data security measures. The complaint does not identify the source of
VTech’s alleged promises, but in their response brief, plaintiffs clarify that the
relevant provisions relating to data security appear in the Learning Lodge terms
and in the Privacy Policy. Specifically, they argue that VTech breached express
promises to store personally identifiable information offline, to use encryption when
transmitting data, and to take reasonable precautions to keep data safe. The parties
do not agree on the interpretation and scope of some of those promises, but VTech
does not deny that the Learning Lodge terms and the Privacy Policy included data
security provisions, and that the complaint alleges that VTech breached those
provisions.
Plaintiffs’ other theory of breach relates to the temporary (and in some cases
ongoing or permanent) suspension of the Learning Lodge and Kid Connect services.
15
Plaintiffs argue that VTech made express, contractual promises to provide those
services. VTech denies that it made such promises, and indeed, plaintiffs do not
identify any provision in the Learning Lodge terms, Kid Connect terms, or Privacy
Policy in support of their argument. Further, VTech argues that its conduct cannot
constitute breach, because the Learning Lodge terms expressly authorized it to
suspend access to the online services. The document states, in capital letters:
“VTech reserves the right to alter or remove the Learning Lodge or suspend or
terminate your use in any way, at any time, for any reason, without prior
notification, and will not be liable in any way for possible consequences of such
changes.” [62-1] § 2.7.
Instead of identifying a provision in the online services agreements, plaintiffs
base their breach of contract theory on pictures of the packaging of two of the
products, which lists the Learning Lodge and Kid Connect services and an
“Extensive Learning Software Library” among the product’s features.7 VTech notes
that the complaint neither includes those pictures nor alleges reliance on product
packaging in relation to the provision of online services. Plaintiffs may not amend
the complaint in their briefing on a motion to dismiss, see, e.g., Bissessur v. Indiana
University Board of Trustees, 581 F.3d 599, 603 (7th Cir. 2009), so the pictures will
be disregarded. But the complaint does suggest that VTech’s alleged promise to
Plaintiffs also attach to their brief the user manual for a VTech toy that promotes the use
of the Learning Lodge service and offers free content from its software library. See [73-1] at
2, 17. VTech objects to the document’s consideration on a motion to dismiss, because the
complaint makes no mention of it. VTech’s objection makes no practical difference, because
the document’s references to the Learning Lodge are not, as plaintiffs suggest, express
promises that VTech will provide access to the online services. Thus, the document does not
support plaintiffs’ argument. But the objection is proper, and I disregard the document.
7
16
provide functional online services became a basis of plaintiffs’ bargains due to
VTech’s marketing campaign, which promoted the toys’ access to the Learning
Lodge as an important feature. See [44] ¶ 8. The complaint explicitly alleges that
the toys were “priced at a premium in part due to their ability to access the
Learning Lodge,” [44] ¶ 8, that plaintiffs purchased “an indivisible ecosystem of
goods and services,” [44] ¶ 20, and that VTech agreed to provide, in exchange for the
purchase price, both the physical toy and the toys’ access to the Learning Lodge and
Kid Connect services. [44] ¶¶ 156, 160. According to plaintiffs, they paid for access
to and use of the Learning Lodge and Kid Connect services when they bought the
toys (and before they expressly accepted the terms during online registration).
Part of the disconnect between the parties are their competing views of which
contract or contracts are at issue. VTech views each plaintiff’s initial purchase
transaction as relating to the fully-functioning, physical toy itself, rather than a
combination of the physical product and online services, and writes off the mention
of online services in its product marketing as mere puffery, citing Carlson v. The
Gillette Co., No. CV 14-14201-FDS, 2015 WL 6453147, at *6 (D. Mass. Oct. 23,
2015). VTech’s claim of puffery is unpersuasive, but VTech is right that there is a
difference between selling a product that combines both a physical toy and a
service, and selling a physical toy whose features may be supplemented by a
separate service that VTech provided for free. VTech sees the Learning Lodge and
Kid Connect services as additional, optional services that VTech offered to plaintiffs
after they purchased the toys, and it sees the Learning Lodge and Kid Connect
17
terms as contracts unrelated to the original purchase transactions. As noted above,
plaintiffs believe they purchased both the toys and the online services together, and
that the contracts between the parties that were formed at the time of purchase
incorporate the terms and conditions that plaintiffs later agreed to upon registering
for the online services. See [73] at 21, [78] at 4, Tr. at 4:3–7.
There are a variety of ways to form a contract, and purchase contracts
sometimes incorporate terms that a consumer reads after payment. See Hill v.
Gateway 2000, Inc., 105 F.3d 1147, 1149 (7th Cir. 1997). But this is not such a case.
The complaint does not allege facts sufficient to show that the initial purchase
transaction included both the toy and VTech’s furnishing of online services. VTech
argues that users who registered for online services did not pay any more than
those who did not. That argument is inconclusive, as people are free to pay for
things that they do not use, and it cannot be inferred from the complaint that the
online services were also available to people who did not pay anything at all.
Nevertheless, the online services agreements on their face do not suggest that
plaintiffs purchased VTech’s services, or that the parties intended the terms to be
incorporated into the purchase contract. Both the Learning Lodge terms and the
Kid Connect terms say that they govern the use of the Learning Lodge and Kid
Connect services, respectively, and that in the event a user does not accept the
terms, she may not use the services. Neither agreement demands a return of the toy
in such a scenario or offers a refund or partial refund of any purchase price. The
Learning Lodge terms refer to the purchase of a “compatible VTech product,” [62-1]
18
§ 2.1, but make no mention of a purchase of the online services. Plaintiffs seem to
acknowledge that they paid for only the physical toys when they argue that “this
action ultimately remains about—and Plaintiffs are suing to recover the money they
paid for—the Toys themselves.” [73] at 28–29.
The complaint does not allege facts showing that both parties understood
that a portion of the purchase price was allocated to the provision of the online
services. The complaint does allege that VTech priced its products based in part on
their online capabilities, but that is not enough to show that plaintiffs purchased
uninterrupted access to the Learning Lodge or Kid Connect services. VTech is right
in that registration for online services is a separate and distinct event, unrelated to
the purchase of the toys, and the online services agreements are likewise separate
and distinct from the contract made at the point of purchase. Because plaintiffs did
not enter into an online services contract at the time of purchase, the complaint
does not plausibly allege that VTech breached a contractual obligation to provide
those services.
Moreover, plaintiffs affirmatively agreed to a provision in the Learning Lodge
terms giving VTech the right to suspend or terminate the online services. Plaintiffs
argue that that provision is both procedurally and substantively unconscionable,
because it allows VTech to market the toys as having specific features and then
remove those features after purchase. But that argument is unpersuasive.
Procedural unconscionability exists when a contractual term “is so difficult to find,
read, or understand that the plaintiff cannot fairly be said to have been aware he
19
was agreeing to it, and also takes into account a lack of bargaining power.” Razor v.
Hyundai Motor Am., 222 Ill.2d 75, 100 (2006) (citing Frank’s Maintenance &
Engineering, Inc. v. C.A. Roberts Co., 86 Ill.App.3d 980, 989 (1st Dist. 1980)).
“Substantive unconscionability refers to those terms which are inordinately onesided in one party’s favor.” Razor, 222 Ill.2d at 100 (citing Rosen v. SCIL, LLC, 343
Ill.App.3d 1075, 1081 (1st Dist. 2003)). Plaintiffs are right to suggest that a term
that was unavailable to a consumer until after she purchased a product might be
unconscionable, especially if she was not given an opportunity to review and reject
that term by returning the product without incurring financial loss. See Razor, 222
Ill.2d at 100–01 (holding that a warranty disclaiming consequential damages was
ineffective because the purchaser did not have the opportunity to see it until after
she entered into the contract to purchase the product). Plaintiffs cite to Razor, but
its holding applies only if the term in question is intended to govern the product
purchased. Therefore, plaintiffs’ theory of unconscionability depends on the
contention that they purchased the online services together with the toy.
The provision upon which VTech relies is not unconscionable because, as
explained above, what is pled is insufficient to establish that online services are
part of the purchase transaction. The termination provision and online services
agreement do not govern the purchase of the toy. They instead govern the use of a
separate service, which may be removed without changing the nature of the
bargained-for toy. Plaintiffs had the option of enjoying (or returning) the toys
without the use of the online services. And when they did enter into an agreement
20
for the use of those services, the governing terms, including the provision at issue,
were made available to them. That provision is enforceable, and VTech was within
its rights to suspend the online services.
VTech also points to several exculpatory provisions in the Learning Lodge
terms that disclaim liability for loss or damage relating to the use or inability to use
the Learning Lodge or software downloaded through the Learning Lodge. See [62-1]
§§ 2.4, 3.2, 5, 6. The Kid Connect terms contain similar provisions disclaiming
liability due to unauthorized access to VTech’s servers or damages relating to the
use of the service. See [62-2] §§ 11.1, 12.2, 12.3. And VTech refers to a disclaimer in
the Privacy Policy that says that “VTech is not responsible for the actions of others.”
[62-3] § 14. VTech believes that these exculpatory provisions are fatal to plaintiffs’
claim. Plaintiffs correctly point out that warranty disclaimers that are inconsistent
with an express warranty are ineffective. See Clemons v. Nissan N. Am., Inc., 2013
IL App (4th) 120943, ¶ 45; see also Jewelers Mut. Ins. Co. v. Firstar Bank Illinois,
213 Ill.2d 58, 65 (2004) (“A party cannot promise to act in a certain manner in one
portion of a contract and then exculpate itself from liability for breach of that very
promise in another part of the contract.”). But plaintiffs do not identify any
conflicting express warranty that they relied upon in purchasing the toy. They do,
however, allege breach of the data security provisions in the online services
agreements. To the extent that plaintiffs’ claim is based on the breach of the data
security provisions, the exculpatory provisions do not preclude recovery. To the
extent it is based on the suspension of online services, the exculpatory provisions
21
are enforceable and VTech adequately disclaims liability. The motion to dismiss is
granted with respect to the breach of contract claim. 8
C.
Breach of Implied Covenant of Good Faith and Fair Dealing
VTech argues that plaintiffs’ claim of breach of implied covenant of good faith
and fair dealing is duplicative of their breach of contract claim and should be
dismissed. Plaintiffs respond by saying they plead this claim in the alternative to
their breach of contract claim. “[U]nder Illinois law the covenant of good faith and
fair dealing is not an independent source of duties for the parties to a contract.”
Baxter Healthcare Corp. v. O.R. Concepts, 69 F.3d 785, 792 (7th Cir. 1995) (citations
and quotation marks omitted). The implied covenant is used to interpret a contract.
Martin v. Federal Life Ins. Co., 109 Ill.App.3d 596, (1st Dist. 1982). Plaintiffs may
not plead this claim in the alternative to their breach of contract claim, because “[a]
breach of the duty of good faith and fair dealing is a breach of contract.” Unit
Trainship, Inc. v. Soo Line R. Co., 905 F.2d 160, 163 (7th Cir. 1990). The claim is
therefore dismissed.
D.
Breach of Implied Warranty of Merchantability
To state a claim for breach of implied warranty of merchantability under the
UCC, plaintiffs must allege “(1) a sale of goods (2) by a merchant of those goods, and
(3) the goods were not of merchantable quality.” Brandt v. Boston Scientific Corp.,
The parties do not explicitly discuss the suspension of the Kid Connect service, but a fair
reading of the complaint suggests that users must agree to the Learning Lodge terms
before they can access the Kid Connect service, and VTech’s right to suspend access to the
Learning Lodge necessarily gives it the right to suspend access to Kid Connect. The parties
also leave the Premium Kid Connect service out of their discussion, even though one
plaintiff paid an additional fee for that service. Nevertheless, the complaint does not allege
that different terms apply to the Premium Kid Connect service.
8
22
204 Ill.2d 640, 645 (2003); 810 ILCS 5/2–314. To be merchantable, the goods must
be, among other things, fit for the ordinary purpose for which such goods are used.
810 ILCS 5/2–314(2)(c). “Goods” are defined as “all things, including specially
manufactured goods, which are movable at the time of identification to the contract
for sale.” Brandt, 204 Ill.2d at 645 (quoting 810 ILCS 5/2–105(1)). If the sales
contract involved a mix of goods and services, a plaintiff bringing this claim must
show that the “predominant thrust of the transaction was for goods and only
incidentally for services.” Ogden Martin Sys. of Indianapolis, Inc. v. Whiting Corp.,
179 F.3d 523, 530 (7th Cir. 1999). Plaintiffs explicitly allege that the toys were not
merchantable due to inadequate data security and the suspension of the online
services.
The parties first dispute whether the claim involves a sale of goods, a sale of
services, or a mix of both. As discussed above, two transactions occurred: one for the
toy and one for the online services. VTech argues that plaintiffs’ claim is based on
alleged failures related to the online services, not the toys themselves, while
plaintiffs insist that the online services were necessary to the full functioning of the
toys. The allegations of the complaint make clear that the toys function without the
online services. That is, the online services are a useful feature, but not an essential
feature. For example, plaintiffs argue that access to the online services was
required for the toys to function, but the complaint alleges that access was only
“effectively required,” because customers could not obtain software and hardware
updates to the products without it. [44] ¶ 9. Plaintiffs do not allege, however, that
23
those software and hardware updates were necessary to the functioning of the toy.
Plaintiffs also allege that, though the Learning Lodge was not the only source for
new content, certain applications purchased in the form of physical cartridges
“routinely” required a software update from the Learning Lodge, and thus
registration, before they could be played. [44] ¶ 11. But it is unclear how many
applications were restricted in this way, and how many remained available with or
without access to the online services. Plaintiffs allege repeatedly that many
important features of the toys required access to the online services, but do not
allege that removal of those features stopped plaintiffs from playing games or
otherwise using their products. Instead, plaintiffs allege that their children were
unable to use certain features or services (not that the children could not use the
toys at all). [44] at ¶¶ 60, 65, 74, 116. Plaintiffs may subjectively value the features
of the toys afforded by the online services highly, but the complaint does not
establish that those features were central to the toys’ functionality, or that
plaintiffs’ use of the toys was substantially limited by the loss of those features.
Because the claim is based on a defective service, not a good, the complaint fails to
state a claim for breach of the implied warranty of merchantability.9
VTech also argues that the claim does not meet the privity requirement. “In
order for a plaintiff to file a claim for economic damages under the UCC for the
breach of an implied warranty, he or she must be in vertical privity of contract with
the seller.” Mekertichian v. Mercedes-Benz U.S.A., L.L.C., 347 Ill.App.3d 828, 832
VTech also invokes a provision in the Kid Connect terms that explicitly disclaims liability
for any implied warranty, but that disclaimer applies to only the Kid Connect service.
9
24
(1st Dist. 2004). The cause of action is only available to a buyer “against his
immediate seller.” Rothe v. Maloney Cadillac, Inc., 119 Ill.2d 288, 292 (1988).
Plaintiffs do not allege that they bought the products directly from VTech, but they
argue that their claim fits the “direct relationship” exception to the privity
requirement that was discussed in In re Rust-Oleum Restore Marketing, Sales
Practices & Products Liability Litigation, 155 F.Supp.3d 772, 806–07 (N.D.Ill.
2016). In that case, the court noted that the complaint contained detailed
allegations of the defendant’s direct marketing campaign to consumers, including
explicit statements from brochures and product packaging, and the plaintiffs’
reliance on explicit representations made in the defendant’s advertisements to
justify giving plaintiffs an opportunity to establish privity through discovery. Id.
Here, the complaint makes only vague references to VTech’s marketing of the
products, and does not explicitly allege that plaintiffs relied on that marketing.
That is insufficient to establish an exception to the privity requirement. As a result,
the motion to dismiss is granted with respect to the claim of breach of the implied
warranty of merchantability.
E.
Illinois Consumer Fraud and Deceptive Business Practices Act
To state a claim under the Illinois Consumer Fraud and Deceptive Business
Practices Act, a plaintiff must allege “(1) a deceptive act or practice by the
defendant, (2) the defendant’s intent that the plaintiff rely on the deception, (3) the
occurrence of the deception in the course of conduct involving trade or commerce,
and (4) actual damage to the plaintiff (5) proximately caused by the deception.”
25
Avery v. State Farm Mut. Auto. Ins. Co., 216 Ill.2d 100, 180 (2005). “Recovery may
be had for unfair as well as deceptive conduct.” Robinson v. Toyota Motor Credit
Corp., 201 Ill.2d 403, 417 (2002).
VTech invokes Federal Rule of Civil Procedure 9(b), and argues that the
complaint does not satisfy that rule’s heightened pleading requirements. Rule 9(b)
applies to the claim if the alleged practices constitute fraudulent activity. See Pirelli
Armstrong Tire Corp. Retiree Med. Benefits Trust v. Walgreen Co., 631 F.3d 436, 447
(7th Cir. 2011). And to meet Rule 9(b)’s requirement, the complaint must describe
the “who, what, when, where, and how” of the fraud. United States ex rel. Lusby v.
Rolls–Royce Corp., 570 F.3d 849, 854 (7th Cir. 2009). Plaintiffs argue that the
complaint meets this standard, because it alleges that VTech misrepresented the
online services as offering reasonable data security and lied about the specific
precautions VTech would take. But plaintiffs do not allege any mention of data
security being made at the point of purchase or in any of VTech’s marketing or
advertising efforts, and it is too much of a stretch to infer that any representations
of data security were implicit when buying the product, or that VTech’s inadequate
data security constitutes a material omission at the point of purchase. The
consumer-fraud claim is dismissed, and to the extent this claim is based on
representations of data security made in the Privacy Policy, it is duplicative of the
breach of contract claim and dismissed for that reason as well. See Avery, 216 Ill.2d
26
at 169 (“A breach of contractual promise, without more, is not actionable under the
Consumer Fraud Act.”).10
F.
Declaratory Judgment
Plaintiffs seek a declaration that VTech’s data security measures are still
inadequate, and that VTech must undertake certain steps to strengthen its data
security and avoid future injury. As VTech notes, to the extent this claim seeks a
remedy for a present injury, it seeks the same relief as plaintiffs’ other claims. And
as explained above, the complaint fails to state a claim for breach of contract based
on a breach of VTech’s data security obligations. Therefore, I decline to declare the
adequacy of VTech’s data security measures—such a declaration would not settle
the legal relations between the parties.
IV.
Conclusion
VTech’s motion to dismiss, [61], is granted. The complaint is dismissed
without prejudice for failure to state a claim.11
ENTER:
___________________________
Manish S. Shah
United States District Judge
Date: July 5, 2017
Plaintiffs also argue that the complaint alleges unfair practices in addition to deceptive
acts. That is incorrect. Their claim is based on alleged misrepresentations and fraudulent
and deceptive acts, not unfair practices.
10
“District courts routinely do not terminate a case at the same time that they grant a
defendant's motion to dismiss; rather, they generally dismiss the plaintiff's complaint
without prejudice and give the plaintiff at least one opportunity to amend her complaint.”
Foster v. DeLuca, 545 F.3d 582, 584 (7th Cir. 2008).
11
27
]]>
Disclaimer: Justia Dockets & Filings provides public litigation records from the federal appellate and district courts. These filings and docket sheets should not be considered findings of fact or liability, nor do they necessarily reflect the view of Justia.
Why Is My Information Online?
