Opinion
Case No. 2:23-cv-08002-SPG-E
2023-12-26
Anne HEITING, Plaintiff, v. TARO PHARMACEUTICALS USA, INC., a New York Corporation; and Does 1 through 25, inclusive, Defendants.
Robert Tauler, Betsy Tauler, Wendy L.R. Miele, Tauler Smith LLP, Los Angeles, CA, for Plaintiff. Ryan H. Weinstein, Ropes and Gray LLP, Los Angeles, CA, for Defendant Taro Pharmaceuticals U.S.A., Inc.
Robert Tauler, Betsy Tauler, Wendy L.R. Miele, Tauler Smith LLP, Los Angeles, CA, for Plaintiff.
Ryan H. Weinstein, Ropes and Gray LLP, Los Angeles, CA, for Defendant Taro Pharmaceuticals U.S.A., Inc. ORDER GRANTING DEFENDANT'S MOTION TO DISMISS [ECF NO. 14]
SHERILYN PEACE GARNETT, UNITED STATES DISTRICT JUDGE.
Plaintiff Anne Heiting ("Plaintiff") brings this lawsuit against Defendant Taro Pharmaceuticals USA ("Defendant"), alleging violations of the California Invasion of Privacy Act ("CIPA") and the California Unauthorized Access to Computer Data Act ("CDAFA"). (ECF No. 1-1). Before the Court is Defendant's Motion to Dismiss Plaintiff's complaint in its entirety. (ECF No. 14). Having considered the parties' submissions, oral argument, the relevant law, and the record in this case, the Court finds this matter suitable for resolution without a hearing, and GRANTS Defendant's Motion.
I. BACKGROUND
A. Factual Background
The following facts are alleged in Plaintiff's Complaint:
Defendant is the proprietor of proactive.com, an online platform selling skin products. (ECF No. 1-1 ("Compl.") ¶ 8). Defendant's website includes a code that embeds content from another website, Genesys, which serves to intercept inquiries customers believe are sent directly to Defendant, and divert them to genesys.com. (Id. ¶ 9). Genesys "stores [user information] for its own purposes." (Id. ¶ 10). Genesys also shares the data with Defendant who adds it to existing profiles it has "surreptitiously collected from its users." (Id. ¶ 11). The information collected includes personal identifiers, device identifiers, commercial information, electronic and sensory information, browser information, operating system information, and may include demographic details like gender. (Id.). Plaintiff alleges that Genesys eavesdrops in real time on conversations users believe are only with Defendant. (Id. ¶ 12). Plaintiff also alleges that users would be shocked to know that Defendant is collecting personal information from the chat box. (Id.).
At some point within the past year, Plaintiff utilized a chat box feature on Defendant's website. (Id. ¶ 13). She was not informed that her conversations were being recorded and used for commercial surveillance purposes without her consent. (Id. ¶¶ 13-14).
B. Procedural History
Plaintiff filed her Complaint in this action on August 18, 2023. (ECF No. 1-1). On September 25, 2023, Defendant removed the action to this Court. (ECF No. 1). After stipulating to an extension of time to respond to the Complaint, Defendant filed the instant Motion to Dismiss on November 1, 2023. (ECF No. 14 ("Mot.")). Plaintiff opposed and Defendant timely replied. (ECF No. 15 ("Opp.")); (ECF No. 16 ("Reply")).
Both parties also asked the Court to take judicial notice of other non-precedential, recent, district court decisions on similar issues. While the Court declines to take such notice at this time, finding it unnecessary to reach its decision, the parties can be assured that the Court has reviewed the relevant law, to include recent decisions by its peers.
II. LEGAL STANDARD
Rule 8(a)(2) of the Federal Rules of Civil Procedure requires a complaint to include "a short and plain statement of the claim showing that the pleader is entitled to relief." A complaint that fails to meet this standard may be dismissed pursuant to Federal Rule of Civil Procedure 12(b)(6). "Dismissal under Rule 12(b)(6) is proper when the complaint either (1) lacks
a cognizable legal theory or (2) fails to allege sufficient facts to support a cognizable legal theory." Somers v. Apple, Inc., 729 F.3d 953, 959 (9th Cir. 2013). To survive a 12(b)(6) motion, the plaintiff must allege "enough facts to state a claim to relief that is plausible on its face." Bell Atlantic Corp. v. Twombly, 550 U.S. 544, 556, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007). "A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009). "The plausibility standard is not akin to a probability requirement, but it asks for more than a sheer possibility that a defendant has acted unlawfully." Id. (internal quotation marks omitted). When ruling on a Rule 12(b)(6) motion, the Court "accept[s] factual allegations in the complaint as true and construe[s] the pleadings in the light most favorable to the nonmoving party." Manzarek v. St. Paul Fire & Marine Ins. Co., 519 F.3d 1025, 1031 (9th Cir. 2008). "[D]ismissal is affirmed only if it appears beyond doubt that [the] plaintiff can prove no set of facts in support of its claims which would entitle it to relief." City of Almaty v. Khrapunov, 956 F.3d 1129, 1131 (9th Cir. 2020) (internal citation and quotation marks omitted). However, the Court is "not required to accept as true allegations that contradict exhibits attached to the Complaint or matters properly subject to judicial notice, or allegations that are merely conclusory, unwarranted deductions of fact, or unreasonable inferences." Seven Arts Filmed Ent., Ltd. v. Content Media Corp. PLC, 733 F.3d 1251, 1254 (9th Cir. 2013) (citing Daniels-Hall v. Nat'l Educ. Ass'n, 629 F.3d 992, 998 (9th Cir. 2010)).
III. DISCUSSION
Defendant challenges the adequacy of Plaintiffs claims for violations of both section 631(a) of the CIPA and the CDAFA. See generally (Mot.). Plaintiff opposes, arguing she has plausibly alleged both causes of action. (Opp.). The Court examines the sufficiency of each cause of action in turn.
A. Plaintiff's Claim under CIPA § 631(a)
California courts interpret section 631(a) as several different clauses covering "three distinct and mutually independent patterns of conduct." Tavernetti v. Superior Ct., 22 Cal. 3d 187, 192, 148 Cal.Rptr. 883, 583 P.2d 737 (1978). Cal. Penal Code § 631(a). The first clause creates a violation if a person "by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps or makes any unauthorized connection with any telegraph or telephone wire, line, cable, or instrument...." Swarts v. The Home Depot, Inc., No. 23-cv-0995-JST, 689 F.Supp.3d 732, 743 (N.D. Cal. Aug. 30, 2023) (quoting Cal. Penal Code § 631(a)). The second clause creates a violation where a person "willfully and without consent of all parties to the communication, or in any unauthorized manner reads or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit." Id. The third clause creates a violation where a person "uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained" as outlined in the first two clauses. Id. Finally, in addition to these three clauses, section 631 also contains an aiding and abetting provision, which imposes liability on anyone who "aids, agrees with, employs, or conspires with any person or persons to unlawfully
do, or permit, or cause to be done any of the acts or things mentioned above." Id.
Here, Plaintiff does not make clear in her complaint which of the specific clauses she alleges Defendant violated. Defendant challenges both this lack of clarity, which it characterizes as improper "shotgun pleading," and Plaintiffs ability to allege a cause of action under any of the clauses. In opposition Plaintiff emphasizes her ability to at least bring a claim under the fourth clause of § 631. At oral argument, Plaintiff affirmed that she seeks primarily to bring a claim under the aiding and abetting provision. However, for the sake of clarity and based on the allegations in the Complaint, the Court will analyze whether Plaintiff has stated a claim under the other three clauses, as well.
See Martin v. Sephora USA, Inc., No. 1:22-cv-01355-JLT-SAB, 2023 WL 2717636, at *13 (E.D. Cal. Mar. 30, 2023) ("Shotgun pleading occurs when one party pleads that multiple parties did an act, without identifying which party did what specifically; or when one party pleads multiple claims, and does not identify which specific facts are allocated to which claim.") (internal citation omitted).
1. Clause 1 of Section 631(a)
As outlined above, the first clause of section 631(a) prohibits "any person who, by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps or makes an unauthorized connection ... with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephonic communication system." Cal. Penal Code § 631(a). As numerous courts have recognized, this first clause is the only clause in section 631(a) to expressly reference unauthorized connections "with any telegraph or telephone wire...." Id. Therefore, courts have repeatedly found that this clause applies only to eavesdropping on "telegraph and telephone" wires, lines, cables, or instruments, and not to any eavesdropping that is alleged to have occurred as to communications over the internet. See, e.g., Licea v. Cinmar, LLC, 659 F. Supp. 3d 1096, 1104-1105 (C.D. Cal. 2023) (finding clause one applies only to communications over telephones and not through the internet); In re Google Assist. Priv. Litig., 457 F. Supp. 3d 797, 825-26 (N.D. Cal. 2020) (finding the first clause "expressly requires that the unauthorized connection be made with any telegraph or telephone wire, line, cable, or instrument") (internal citation omitted). This Court agrees with the analysis of its peers that the statutory language found in the first clause of § 631(a) indicates a meaningful limitation on its applicability, particularly when compared with the remaining two provisions of the statutory section. Therefore, here, because Plaintiff alleges interception of a chat communication on Defendant's website, instead of over the phone, Plaintiff cannot state a claim under the first clause of section 631(a).
2. Clause 2 of Section 631(a)
The second clause of section 631(a) does not contain the same limiting language and therefore may apply to communications made over the internet. See, e.g., Licea v. American Eagle Outfitters, Inc., 659 F. Supp. 3d 1072, 1081-82 (C.D. Cal. 2023). However, there is generally a "party exception" to all the clauses of Section 631. See In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 607-08 (9th Cir. 2020); see also Warden v. Kahn, 99 Cal. App. 3d 805, 811, 160 Cal.Rptr. 471 (1979) ("Section 631 ... has been held to apply only to eavesdropping by a third party and not to recording by a participant to a conversation."). Here, Defendant argues that, to the extent Plaintiff seeks to
hold Defendant directly liable under the second clause for eavesdropping on the chat conversation, the party exception should apply. The Court agrees. Plaintiff alleges that she used the chat feature on Defendant's website believing that she was chatting with Defendant. Therefore, any recording by Defendant directly, as opposed to vicariously through Genesys, would fall squarely within the party exception. See Williams v. What If Holdings, LLC, No. CV 22-03780 WHA, 2022 WL 17869275, at *2 (N.D. Cal. Dec. 22, 2022) ("As the website owner, [defendant] was the intended recipient of plaintiffs communication" and therefore cannot have eavesdropped on its own conversation).
3. Clause 3 of Section 631(a)
The third clause of section 631 prohibits using, or attempting to use, information gained in violation of the first or second clause "in any manner, or for any purpose." Cal. Penal Code § 631(a). However, as with Plaintiff's allegations regarding Defendant's recording under the second clause, Defendant is shielded from direct liability under the third clause by the party exception to Section 631(a). See Warden, 99 Cal. App. 3d at 811, 160 Cal. Rptr. 471; see also Valenzuela v. Nationwide Mut. Ins., No. 2:22-cv-06177-MEMF-SK, 686 F.Supp.3d 969, 982-83 (C.D. Cal. Aug. 14, 2023) (finding third party exception shielded website owner from direct liability for recording or later use of the recording where person using the chat believed they were chatting with the website owner). Therefore, as Plaintiff acknowledged during oral argument, this leaves only the possibility of a cause of action for aiding and abetting a third-party's violations of 631(a).
4. Aiding a Third-Party Under Section 631(a)
Section 631(a) imposes liability on anyone who "aids" another in violating the statutory section. See Cal. Penal Code § 631(a). Here, Plaintiff argues that Defendant aided Genesys, a third-party not named as a Defendant in this suit, with its violations of section 631(a). Defendant responds that the Court should find Plaintiff has not adequately alleged either a violation by Genesys or that Defendant aided Genesys in any such violation. However, courts in this circuit have split on how to apply the aiding provision of the statute in the context of suits against website owners who use third-party codes on their websites to record customer data. Therefore, the Court will start with an examination of the two key California cases that frame the determination.
Two seminal cases frame the recent jurisprudence on section 631: Ribas v. Clark, 38 Cal. 3d 355, 212 Cal.Rptr. 143, 696 P.2d 637 (1985) and Rogers v. Ulrich, 52 Cal. App. 3d 894, 125 Cal.Rptr. 306 (1975). First, in Ribas, the plaintiff and his wife were going through divorce proceedings when the wife asked a friend to listen in on a phone call between the plaintiff and the wife. Ribas v. Clark, 38 Cal. 3d 355, 358, 212 Cal.Rptr. 143, 696 P.2d 637 (1985). During that call, while the third-party friend listened in, the husband informed his wife of details of a conversation with a lawyer. Id. The husband then sued the friend for eavesdropping in violation of section 631. Id. The California Supreme Court found that the friend's listening-in violated section 631 because the friend was "an unannounced second auditor" who listened to the contents of the conversation simultaneously with their transmission. Id. at 361, 212 Cal.Rptr. 143, 696 P.2d 637. The court found that "the secondhand repetition of the contents of a conversation and its simultaneous dissemination to an unnamed second auditor, whether that auditor be a person or mechanical device"
violated section 681(a). Id. However, in Rogers, the defendant used a tape recorder to record a conversation with the plaintiff without the plaintiff's knowledge. Rogers v. Ulrich, 52 Cal. App. 3d 894, 897, 125 Cal.Rptr. 306 (1975). The California Court of Appeal found that the defendant had not violated section 631(a) because he was a party to the conversation and therefore could not be found to have eavesdropped on his own conversation. Id. at 899, 125 Cal.Rptr. 306. In the wake of these decisions, courts are asked to determine whether a third party who intercepts a communication is "more akin to the tape recorder in Rogers ... or the friend in Ribas." Javier v. Assurance IQ, LLC, 649 F. Supp. 3d 891, 898 (N.D. Cal. 2023); see also Yoon v. Lululemon USA, Inc., 549 F. Supp. 3d 1073, 1081 (C.D. Cal. 2021) (making similar inquiry).
Despite widespread agreement among courts in this Circuit as to the nature of the general inquiry, courts have split on how the party exception applies in the context of third-party software, as well as how stringently pleading standards should be applied. For example, one set of cases has found that third-party software services that capture data from consumers who visit websites are more like a tape recorder than a friend listening in. See e.g., Graham v. Noom, Inc., 533 F. Supp. 3d 823, 832 (N.D. Cal. 2021); see also Licea, 659 F. Supp. 3d at 1083 (finding third party chat software provider was covered by party exception because software functioned more like a tape recorder, given it was not alleged to have harvested data for its own use). In reaching this determination, these courts have credited a lack of allegations that the third-party "intercepted and used the data itself." Graham, 533 F. Supp. 3d at 832. However, another set of courts has focused not on whether plaintiffs allege use of the data by the third-party but, instead, whether plaintiffs have alleged that the third-party had the capability to use the communications for any other purpose. See, e.g., Yockey v. Salesforce, Inc., 688 F.Supp.3d 962, 972-73 (N.D. Cal. Aug. 25, 2023) (finding that a plaintiff may state a claim for aiding liability against a defendant if the plaintiff adequately alleges that the third party software provider had the capability to use the intercepted communications for any purpose other than providing them to defendant); see also Javier, 649 F.Supp.3d at 900-01 (finding that the third party's actual use of the intercepted communications was irrelevant to the inquiry under the second prong of the statute).
This Court agrees with the latter set of cases, and finds that a plaintiff must have plausibly alleged that the third-party software provider had the capability to use the communications for another purpose. This comports with both the statutory language, which mentions use of communications in just one of its three main clauses, and with the interpretations of California courts as set forth in Ribas and Rogers. When a third-party software provider possesses only the capability to record and store the contents of an online chat for the website owner, its technical function is akin to that of a tape recorder. However, when the software provider could put that information to other uses on its own accord, it functions more like a person, listening in on a conversation, as in Rogers. However, the disagreement between courts in this circuit does not end here.
Instead, there is a further question of just how much a Plaintiff must allege to plausibly plead that the third-party software has such capabilities. For instance, in Yockey, the court found that a plaintiff who alleged that the third-party software
company ran the chat function from their web servers, could view transcripts in real time, and would analyze the customer-support agent interactions in real time to create live transcripts of communications, did not support "a reasonable inference that [third-party company] has the capability to use these communications for any purpose other than furnishing them to [Defendant]." Yockey, 688 F.Supp.3d at 973. However, in Valenzuela v. Nationwide Mut. Ins ., the court was persuaded the plaintiff had adequately alleged the third-party violated section 631 where the plaintiff expressly pled that the third-party's business model was to harvest data from communications made on the defendant's website. See Valenzuela, 686 F.Supp.3d at 975-79. This Court agrees with some aspects of each of these cases and finds that, at least as applied to the facts alleged in the instant action, the cases can be reconciled.
At the pleading stage, a plaintiff need only plausibly allege facts demonstrating that the third-party software company functions less like a tape recorder and more like an independent entity capable of using the recorded information for some other means. To ask a plaintiff to plead with great particularity exactly what a third-party software company is capable of doing with data gathered from defendant's website sets the pleading bar too high. Such information appears more likely to be learned in discovery. However, a plaintiff still must have at least pled some non-conclusory factual allegations to support the use capabilities of the third-party software company involved. Here, Plaintiff has alleged the code from Genesys "intercepts the inquiries that consumers believe are being sent directly to Taro and diverts them to genesys.com." (Compl. ¶ 9). Plaintiff also alleges that once Genesys "gains access to the user's information, it stores it for its own purposes." (Id. ¶ 10). In addition to storing the data for some later unspecified use of its own, Plaintiff alleges that Genesys "shares the data it collects and stores with Taro." (Id. ¶ 11). Many of these allegations are conclusory and do not allow for the inference that Genesys has the capability to use, as opposed to store, data for its own business model. Instead, the Complaint alleges that Genesys merely stores and then shares the data it collects with Defendant, who is a party to this action. Therefore, Plaintiff has not adequately pled factual allegations to support Genesys's capabilities to function as anything other than a tape recorder, storing data for a party to this action.
While the Court finds that Plaintiff has not plausibly alleged Genesys is not covered by the party exception to section 631, Defendant's challenge to its alleged aiding and abetting liability does not end there. Instead, Defendant also challenges the adequacy of Plaintiff's pleading as to remaining elements of any violation by Genesys and Defendant's involvement. Specifically, Defendant challenges whether Plaintiff has adequately alleged that: (1) protected contents of communications were shared with Defendant and Genesys; (2) any interception by Genesys was "in transit," as required under the statute; and (3) Defendant willfully or knowingly aided and abetted Genesys's alleged violation. For the sake of completeness, the Court briefly examines each challenge in turn.
a) Protected Contents of Communications
CIPA borrows the definition of protected "contents" from the federal Wiretap Act, and therefore only "any information concerning the substance, purpose, or meaning of [a] communication" is protected. See Saleh v. Nike, Inc., 562 F. Supp. 3d 503, 517 (C.D. Cal. 2021). In
other words, the term "contents" "refers to the intended message conveyed by the communication, and does not include record information regarding the characteristics of the message that is generated in the course of the communication." Graf v. Zynga Game Network, Inc. (In re Zynga Privacy Litig.), 750 F.3d 1098, 1107 (9th Cir. 2014). Generally, record information that does not fall under the category of protected contents therefore includes, among other things, "the name, address, and subscriber number or identity of a subscriber or customer." Saleh, 562 F. Supp. 3d at 517 (citing Zynga Privacy Litig., 750 F.3d at 1107). However, these boundaries are not firm, and courts must determine, based on the circumstances of each case, whether the information captured was "the intended message conveyed by the communications" and therefore protected contents, or merely unprotected "information regarding the characteristics of the message." In re Zynga, 750 F.3d at 1106.
Here, Defendant asks the Court to find that Plaintiff has alleged Genesys recorded only unprotected information, as opposed to protectable contents under the statute. Plaintiff argues in response that she "alleges that she communicated with Taro" and that, "if she communicated the communications must have had some content." (Opp. at 17). The Court agrees with Defendant that this argument asks for too great an inference in Plaintiff's favor. The Court will not assume out of whole cloth what the contents of any communications were. The Complaint alleges that Defendant generally collects personal information from website users, including personal identifiers, device identifiers, commercial information, electronic and sensory data, browser information, operating system information, and may deduce additional demographic details." (Compl. ¶ 11). However, the Complaint does not allege that Genesys collected this data, nor does it allege any substantive communications by Plaintiff that she believes Genesys intercepted. Therefore, Plaintiff has failed to allege that Genesys eavesdropped on protected contents under section 631(a).
b) Interception of a Communication "In Transit"
The second clause of section 631(a) requires that messages be intercepted while in transit. See Licea, 659 F. Supp. 3d at 1084-85; see also Cal. Penal Code § 631(a). To determine the meaning of "in transit" in the statute, courts routinely look to the similar requirement outlined in the federal Wiretap Act. See Id.; see also NovelPoster v. Javitch Canfield Grp., 140 F. Supp. 3d 938, 954 (N.D. Cal. 2014) (applying federal wiretap in transit analysis to CIPA claim). Under the federal Wiretap Act, a party must have intercepted the communication during its transmission, rather than once it was placed in electronic storage. Konop v. Hawaiian Airlines, Inc., 302 F.3d 868, 876 (9th Cir. 2002).
With this standard in mind, Defendant asks the Court to find that Plaintiff has failed to plead Genesys intercepted her communication while it was still in transit. Instead, Defendant asks the Court to find that either Plaintiff's claim is too conclusory or that, taken to its logical end, it pleads that the communication was already in storage when intercepted. The Court agrees in part. The Court declines to find, at this early stage, that the Complaint alleges the communications were already in storage when Genesys intercepted them. This would ask the Court to weigh in on exactly how the software code embedded on Defendant's website works, which is not the Court's task at this stage. However, the Court is concerned with the
generality with which Plaintiff has pled the interception. Plaintiff's only allegation regarding the timing or means of interception is that a code implanted on Defendant's website "intercepts the inquiries that consumers believe are being sent directly to Taro and diverts them to genesys.com." (Compl. ¶ 9). Courts in this circuit have repeatedly found such general and conclusory allegations insufficient. (See, e.g., Licea, 659 F. Supp. 3d at 1085) (finding Plaintiffs general pleading regarding real time interception using chat box software insufficient to state a claim); Valenzuela v. Keurig Green Mountain, Inc., 674 F.Supp.3d 751, 758 (N.D. Cal. 2023) (finding allegation that Defendant's code allowed third party to "secretly intercept in real time, eavesdrop upon and store transcripts of chat communications was insufficient to plead the in transit requirement). Indeed, where courts have found a plaintiff plausibly alleged that the plaintiff's communication was intercepted while in transit, greater details about the nature of the interception have been alleged. See Campbell v. Facebook Inc., 77 F. Supp. 3d 836, 848 (N.D. Cal. 2014) (finding in transit requirement adequately pled where plaintiff alleged defendant scanned the content of private messages and reacted right away to the finding of the scan, demonstrating it had been intercepted while in transit); see also Valenzuela v. Nationwide, 686 F.Supp.3d at 977-79 (finding plaintiff plausibly alleged in transit interception where she alleged both how the interception occurred, through code embedded on defendant's website, and that the third party made statements regarding its ability to create "real time insights" and to collect data "as it happens"). Here, Plaintiff has alleged, in general terms, how the interception occurs: through the code embedded on Defendant's website. However, Plaintiff has not added any additional factual details to make clear when the interception occurred. Merely parroting the statutory requirement that it occurred in transit is insufficient.
c) Willful or Knowing Aiding and Abetting
Finally, Defendant argues that Plaintiff has not adequately alleged that Defendant knowingly or willfully abetted or aided Genesys's eavesdropping. In support of this argument, Defendant points to the California Consumer Privacy Act and argues that Genesys was prohibited from using or retaining customer data, other than for the purposes outlined in its contract with Defendant. (Reply at 14-15). The Court agrees. While the Complaint alleges that Defendant paid Genesys to intercept messages, it does not allege facts demonstrating Defendant acted with the requisite knowledge or intent to aid and abet Genesys's purported CIPA violation. Therefore, the Court finds that Plaintiff has not plausibly alleged scienter under the statute. However, the Court dismisses Plaintiff's claim under CIPA with leave to amend.
B. Plaintiff's Claim under the CDAFA
California's Comprehensive Computer Data and Access Fraud Act ("CDAFA") creates a private cause of action against any person who: (1) "[k]nowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data;" or (2) "[k]nowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or take[s] or
copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network." Cal. Penal Code § 502(c)(1)-(2); Cal. Penal Code § 502(e)(1).
Here, Defendant argues that Plaintiff has not alleged a claim under the CDAFA because she has failed to sufficiently allege: (1) access, without permission, that caused (2) cognizable damage or loss under the statute. Plaintiff opposes each argument. The Court considers each argument in turn.
1. Unauthorized Access
The CDAFA defines "access" to mean "cause output from" the "logical, arithmetical, or memory function resources of a computer." Cal. Penal Code § 502(b)(1). Furthermore, the statute requires that such access be "without permission." Cal. Penal Code § 502(c)(1)-(2). Defendant argues that Plaintiff has not alleged any such access in her Complaint. This Court agrees. The CDAFA was originally enacted to combat "computer crime" and hacking. See Cal. Penal Code § 502(a). While it has been extended by some district courts outside of the traditional hacking realm, those courts have still required allegations that a defendant in some way caused output from the function of a computer, without the owner's permission. See, e.g., Brown v. Google LLC, No. 4:20-cv-3664-YGR, 685 F.Supp.3d 909, 938-40 (N.D. Cal. Aug. 7, 2023) (applying statute to collection of user information using browser extensions); see also Meta Platforms, Inc. v. BrandTotal Ltd., 605 F. Supp. 3d 1218, 1260-62 (N.D. Cal. 2022) (finding "reactive data collection" not within the scope of the CDAFA). Here, Plaintiff has not alleged that Defendant accessed her computer or network without permission. Instead, she alleges that she engaged in a chat with Defendant on Defendant's website. While she does allege that her data was collected without her consent, she does not allege, as she argues in opposition to the instant motion, that Defendant implanted anything on her computer. Instead, as alleged, all of the interactions took place on Defendant's web network, and her allegations do not make clear how any "access" took place. See e.g., Perkins v. LinkedIn Corp., 53 F. Supp. 3d 1190, 1217 (N.D. Cal. 2014) ("individuals may only be subjected to liability for acting 'without permission' under Section 502 if they access or use a computer, computer network, or website in a manner that overcomes technical or code-based barriers.") (internal citations omitted).
2. Cognizable Damage or Loss
To bring a private civil cause of action under section 502, which is otherwise a criminal statute, a plaintiff must plead that she "suffers damage or loss" due to the criminal violation. Cal. Penal Code § 502(e). It is undisputed between the parties that the only damage or loss Plaintiff has alleged is a loss of some of her data, to include IP address information and other identifying information. The parties dispute, instead, whether such data loss qualifies as a "damage or loss" under the statute, a question over which courts have disagreed. The majority of courts to consider the issue appear to find that such alleged privacy invasions do not qualify under the statute. See Doe v. Meta Platforms, Inc., No. 22-cv-03580-WHO, 690 F.Supp.3d 1064, 1081-83 (N.D. Cal. Sept. 7, 2023) (finding allegations that protected information was diminished in value did not qualify as damage or loss under CDAFA); Cottle v. Plaid Inc., 536 F. Supp. 3d 461, 488 (N.D. Cal. 2021) (finding damage or loss under CDAFA did not include "loss of the right to control [Plaintiffs'] own data, the loss of the value of their data, and the loss of the right to protection
of the data"); Pratt v. Higgins, No. 22-cv-04228-HSG, 2023 WL 4564551, at *9 (N.D. Cal. July 17, 2023) (finding access to communications, notes, and medical information did not create the type of loss contemplated by the CDAFA's private civil cause of action). One court has rejected this view and found that plaintiffs may allege damage or loss under the CDAFA by alleging a loss in value of misappropriated data. See Brown, 685 F.Supp.3d at 939-42 (finding economic injury could be sustained by loss in control over data).
While the Court agrees with the Brown court that a loss of control over personal data may constitute an economic injury, the Court disagrees that such an injury is contemplated by the CDAFA. Instead, the Court agrees with the majority of courts to consider the issue, and finds that the CDAFA's private right of action contemplates some damage to the computer system, network, program, or data contained on that computer, as opposed to data generated by a plaintiff while engaging with a defendant's website. See Cal. Penal Code § 502(e)(1) ("Compensatory damages shall include any expenditure reasonably and necessarily incurred by the owner or lessee to verify that a computer system, computer network, computer program, or data was or was not altered, damaged, or deleted by the access."). Therefore, Plaintiff has not adequately alleged qualifying damage or loss under the statute.
C. Leave to Amend
Leave to amend should be "freely give[n] ... when justice so requires." Fed. R. Civ. P. 15(a)(2). Additionally, in the Ninth Circuit, this "policy of favoring amendments to pleadings should be applied with extreme liberty." DCD Programs, Ltd. v. Leighton, 833 F.2d 183, 186 (9th Cir. 1987) (internal quotation omitted). Therefore, "dismissal without leave to amend is improper unless it is clear that the complaint could not be saved by any amendment." Jackson v. Carey, 353 F.3d 750, 758 (9th Cir. 2003).
Here, Defendant asks the Court to deny leave to amend based on the futility of any such amendment. However, a finding of futility would be premature at this stage. Therefore, the Court will grant leave to amend.
IV. CONCLUSION
For the foregoing reasons, the Court GRANTS Defendant's Motion to Dismiss. Plaintiff shall file an amended complaint in compliance with this Order, if any, within twenty-one (21) calendar days of the date of this order.