Opinion
23-cv-01033-RS
07-15-2024
IN RE BETTERHELP, INC. DATA DISCLOSURE CASES
ORDER GRANTING IN PART AND DENYING IN PART MOTION TO DISMISS CONSOLIDATED CLASS ACTION COMPLAINT
RICHARD SEEBORG CHIEF UNITED STATES DISTRICT JUDGE
These putative class actions-now consolidated-arose following the announcement by the Federal Trade Commission (“FTC”) of an investigation into the business practices of defendant BetterHelp, Inc., which resulted in the entry of a consent decree. BetterHelp operates an online counseling service that matches users with therapists and then facilitates counseling via its websites and apps. BetterHelp offers its service under several names, each of which has its own website and app.
The primary website and app, named “BetterHelp,” serves general audiences and has been in operation since 2013. In more recent years, BetterHelp has started several additional websites aimed at serving specific groups, such as Christians, couples, teens, and the LGBTQ community.
The Consolidated Complaint adopts allegations from the FTC complaint that BetterHelp, “delegated most decision-making authority over its use of Facebook's advertising services to a Junior Marketing Analyst who was a recent college graduate, had never worked in marketing, and had no experience and little training in safeguarding consumers' health information when using that information for advertising. In doing so, [BetterHelp] gave the Junior Marketing Analyst carte blanche to decide which Visitors' and Users' health information to upload to Facebook and how to use that information.” Consolidated Complaint, para. 71.
Despite having numerous privacy assurances on its website and in its interactive forms, BetterHelp allegedly failed to keep its customers' information confidential. Among other things, BetterHelp allegedly disclosed the email addresses of thousands of its customers and potential customers to various third parties for advertising purposes and the third parties' own purposes, thereby revealing to the third parties that the customers were seeking and/or receiving mental health treatment through BetterHelp's websites. See Consolidated Complaint paras. 62-69.
BetterHelp now seeks dismissal of the Consolidated Complaint. In its motion, BetterHelp characterizes the Consolidated Complaint as alleging nothing more than that “that BetterHelp, like nearly all companies that use websites or mobile applications, used third-party tracking technologies to operationalize and market its services.” BetterHelp then insists its use of these technologies to collect a limited amount of anonymized data from its users was disclosed in BetterHelp's privacy policy and was in no way unlawful or harmful.
BetterHelp's criticism of the complaint as a “grab-bag” and a “scattershot approach” has some merit, as not all of the fifteen claims for relief are adequately pleaded, and at least some of them do not appear well-suited for these factual circumstances. BetterHelp's insistence that it did nothing wrong and that there can be no viable claim here, however, is not tenable, at least at the pleading stage. The complaint will be dismissed, with leave to amend, as set out below.
A. Standing issues
1. Standing to Seek Injunctive and Declaratory Relief
BetterHelp argues plaintiffs lack standing to pursue injunctive and declaratory relief because they fail to show “a sufficient likelihood that [they] will again be wronged in a similar way” by BetterHelp absent injunctive relief. See Williams v. Apple, Inc., 449 F.Supp.3d 892, 906 (N.D. Cal. 2020) (quotation omitted). BetterHelp insists the complaint does not suggest plaintiffs' previously collected and disclosed information will be disclosed by BetterHelp again, and because they do not allege they are still using BetterHelp, there is nothing to suggest that more information will be collected from them and disclosed in the future.
Plaintiffs respond that some of them are still receiving targeted ads, which indicates third parties continue to use the information that was collected. Plaintiffs have not shown, however, that any risk of ongoing or future harm from third parties' continued use of the information supports standing to seek injunctive or declaratory relief against any ongoing or future wrongdoing by BetterHelp. The claims for injunctive and declaratory relief therefore must be dismissed. Plaintiffs will be permitted leave to amend in the event they can in good faith assert a claim to such relief against BetterHelp, arising from some right or duty on its part to control the conduct of third parties. Any amended claims for such relief must also include a sufficient factual basis to show the requisite ongoing or future harm exists notwithstanding the existence of the injunctive relief obtained by the FTC.
2. Statutory Standing for UCL, FAL, and CLRA Claims (Counts IX, X, and XV)
“To establish standing to bring a claim under these statutes [the Unfair Competition Law (“UCL”), False Advertising Law (“FAL”), and Consumers Legal Remedy Act (“CLRA”)], plaintiffs must meet an economic injury-in-fact requirement ....” Reid v. Johnson & Johnson, 780 F.3d 952, 958 (9th Cir. 2015) (emphasis added). Although some cases support the notion that taking of personal information without consent can constitute economic injury, “[t]he weight of the authority in the district and the state . . . points in the opposite direction: that the ‘mere misappropriation of personal information' does not establish compensable damages.” Katz-Lacabe v. Oracle Am., Inc., 668 F.Supp.3d 928, 943. (N.D. Cal. 2023). While Katz-Lacabe addressed only the UCL, its reasoning equally dooms the FAL and CLRA claims. Because plaintiffs contend their economic injury lies in the taking and unauthorized dissemination of their personal information, they lack statutory standing to pursue these claims, and they must be dismissed. Plaintiffs will be permitted to amend to assert any other basis they may have to support the requisite economic injury.
BetterHelp's additional challenges to the adequacy of the pleading of the UCL and FAL claims would not independently support dismissal. As to the CLRA claim, plaintiffs failed to respond to BetterHelp's point that no pre-suit demand was alleged, as required by the statute. Any amended CLRA claim should address that issue.
B. Other pleading adequacy issues
1. Common Law and Constitutional Privacy (Counts II and XI)
Count II is a common law claim for invasion of privacy. Count XI, brought on behalf of the four California Plaintiffs and a California sub-class alleges violation of the right of privacy enshrined in the California Constitution.
“The right to privacy in the California Constitution sets standards similar to the common law tort of intrusion.” Hernandez v. Hillsides, Inc., 211 P.3d 1063, 1073 (Cal. 2009). Because of this similarity, “courts consider the claims together and ask whether: (1) there exists a reasonable expectation of privacy, and (2) the intrusion was highly offensive.” In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 601 (9th Cir. 2020).
As to both the constitutional and common law claim, BetterHelp's primary argument is that the element of an “intrusion” on privacy is lacking, because the plaintiffs all voluntarily provided the information in dispute. While BetterHelp's contention that the label does not quite “fit” the wrongdoing is somewhat persuasive, where a defendant has disseminated a plaintiff's private information without consent or authority to do so, even if the defendant came by the information lawfully, it impacts privacy in substantially the same way as where the defendant comes by the information wrongfully. In either situation, the loss of privacy-the intrusion on the plaintiff's seclusion-arises when the information reaches someone who is not supposed to have it.
BetterHelp's further argument that plaintiffs fail to plead any “highly offensive” or “egregious” conduct sufficient to state a claim for invasion of privacy is unpersuasive. The allegations are that BetterHelp collected information from its clients and prospective clients regarding the highly personal issue of their interest in seeking counseling or therapy, with assurances that the information would not be shared, and then turned around and shared that information. There is no basis to conclude as a matter of law that such alleged conduct is neither highly offensive nor egregious.
Finally, although it is far from clear that damages are available under the constitutional claim, it does not materially expand the scope of potential liability or the factual issues presented in this action. While it must be dismissed to the extent it seeks injunctive relief for the reasons discussed at the outset, it will not be dismissed at this juncture on the additional grounds that damages are unavailable or that it is otherwise duplicative of the common law claim.
2. The CMIA (Count XII)
California's Confidentiality of Medical Information Act (“CMIA”) prohibits the unauthorized disclosure and negligent maintenance or preservation of medical information by a provider of healthcare. Cal. Civ. Code § 56.101. BetterHelp argues plaintiffs' claim fails because (1) BetterHelp is not a “provider of healthcare”; (2) BetterHelp did not disclose plaintiffs' “medical information”; and (3) no third party improperly viewed their “medical information.” See Sutter Health v. Super. Ct., 174 Cal.Rptr.3d 653, 661 (Cal.Ct.App. 2014).
BetterHelp has shown it does not meet any applicable statutory definition of “provider of health care.” Plaintiffs invoke the definitions in Cal. Civ. Code §§ 56.06(a), (b), (d), and 56.13. Section 56.06(a) does not apply because there are no allegations that BetterHelp is “organized for the purpose of maintaining medical information.” Section 56.06(b) does not apply because BetterHelp does not “offer software or hardware to consumers . . . designed to maintain medical information.”
While the Section 56.06(d) definition of a “mental health digital service,” might very well apply now, it did not become effective until January 1, 2023, well after the complained-of conduct occurred. Plaintiffs have not rebutted BetterHelp's argument that it cannot be applied retroactively.
Finally, Section 56.13 does not apply because plaintiffs do not allege that BetterHelp received any medical information through a CMIA authorization or from a provider of health care for one of the purposes set out in the statute. Accordingly, even if the allegations could be construed to support a claim that BetterHelp disclosed “medical information” that was viewed by others within the meaning of the statute, dismissal of this claim for relief is warranted. Plaintiffs may amend if they have a good faith basis to present facts placing BetterHelp within the statutory definitions.
3. The CIPA (Count VIII)
Section 631 of the California Invasion of Privacy Act (“CIPA”) makes actionable “three distinct” “patterns of conduct: [1] intentional wiretapping, [2] willfully attempting to learn the contents or meaning of a communication in transit over a wire, and [3] attempting to use or communicate information obtained as a result of engaging in either of the previous two activities.” Tavernetti v. Super. Ct., 583 P.2d 737, 741 (Cal. 1978). It also imposes liability upon “anyone ‘who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the' . . . three bases for liability.” Mastel v. Miniclip SA, 549 F.Supp.3d 1129, 1134 (E.D. Cal. 2021) (quoting Cal. Penal Code § 631(a)).
BetterHelp asserts, and plaintiffs do not contend otherwise, that any liability here is for “aiding and abetting,” as BetterHelp cannot “eavesdrop” on its own communications with the plaintiffs. BetterHelp then argues it cannot be liable for aiding and abetting where the third parties were acting as its own vendors for purposes of collecting and analyzing user data, and to the extent the third parties may have used the information for their own purposes, BetterHelp lacked knowledge or involvement in such conduct. These arguments are insufficient to defeat the claim, particularly at the pleading stage, where the allegations are that BetterHelp allegedly participated in the conduct of the third parties in intercepting the information.
BetterHelp's further arguments that CIPA does not, or should not, apply to internet communications, and as to whether communications were intercepted “in transit” or not, are not persuasive. Its contention that CIPA cannot be applied to non-California plaintiffs may be addressed at the class certification stage, but does not support dismissal now, particularly because the claim would survive as to the California subclass in any event.
4. The ECPA (Count VII)
The Electronic Communications Privacy Act (“ECPA”) is a federal counterpart to CIPA, and prohibits the intentional “interception” of electronic communications, 18 U.S.C. § 2511(1)(a). Unlike CIPA, however, ECPA is a one-party consent statute, pursuant to 18 U.S.C. § 2511(2)(d). BetterHelp's choice to deploy the tracking on its websites, means “one of the parties to the communication”-BetterHelp-gave “prior consent to such interception.” Id.; see also Rodriguez v. Google LLC, No. 20-cv-04688-RS, 2021 WL 2026726, at *6 (N.D. Cal. May 21, 2021); In re Yahoo Mail Litig., 7 F.Supp.3d 1016, 1026 (N.D. Cal. 2014) (“[T]he consent of one party is a complete defense to a Wiretap Act claim.”).
Plaintiffs invoke the crime-tort exception, which requires them to plead sufficient facts to show that “the primary motivation or a determining factor in the interceptor's actions has been to injure plaintiffs tortiously.” The plaintiffs in Katz-Lacabe failed to qualify for the exception because the defendant's “purpose has plainly not been to perpetuate torts on millions of Internet users, but to make money.” Rodriguez, 2021 WL 2026726 at *6 n.8 (citing In re Google Inc. Gmail Litigation, No. 13-MD-02430-LHK, 2014 WL 1102660, at *18 n.13 (N.D. Cal. Mar. 18, 2014)).
Here, while the third-party interceptors presumably were only trying to make money, BetterHelp itself arguably was committing the tort/crime of disclosing its customer's sensitive mental health-related information in violation of HIPAA. This distinction from Katz-Lacabe, which did not implicate HIPAA, is sufficient to permit the claim to go forward.
5. The CCPA (Count XIII)
The California Consumer Privacy Act (“CCPA”) confers a private right of action for “Personal Information Security Breaches.” Cal. Civ. Code § 1798.150 (emphasis added). BetterHelp insists the facts here do not constitute a “security breach” as that term is commonly understood. The statute, however, allows for statutory damages where “nonencrypted and nonredacted personal information . . . [was] subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” Cal. Civ. Code § 1798.150(a)(1).
The information here allegedly was “subject to . . . [a] disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” It was disclosed because BetterHelp affirmatively allowed the tracking software on its websites-which can reasonably be argued was not an appropriate security procedure or practice, given the nature of the information. This claim may go forward.
6. The CDAFA (Count XIV)
The California plaintiffs bring this claim under the Computer Data Access and Fraud Act (“CDAFA”), which “is a state law counterpart to the” federal Computer Fraud and Abuse Act (“CFAA”), and courts routinely analyze them together. Meta Platforms, Inc. v. BrandTotal Ltd., 605 F.Supp.3d 1218, 1260 (N.D. Cal. 2022). Here, plaintiffs have not advanced a federal CFAA claim.
Both the CDAFA and the CFAA were “enacted to prevent intentional intrusion onto someone else's computer-specifically, computer hacking.” hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180, 1196 (9th Cir. 2022). BetterHelp argues the CDAFA claim must be dismissed because (1) the statute addresses computer hacking, not data disclosure; (2) plaintiffs fail to allege “loss” or “damage” within the meaning of the statute; and (3) BetterHelp had permission to access the computer systems at issue.
In this instance, the allegations of wrongdoing cannot be shoehorned into a violation of this statute. While dismissal will be with leave to amend, plaintiffs should only do so if they can articulate a factual and legal basis for application of this statute under the circumstances.
7. Breach of Confidence (Count V)
The common law claim for breach of confidence protects novel ideas that are offered in confidence. See Faris v. Engberg, 158 Cal.Rptr. 704, 712 (Cal.Ct.App. 1979) (“An actionable breach of confidence will arise when an idea, whether or not protectable, is offered to another in confidence.”). It typically arises when a would-be inventor is peddling some new invention, or a writer is shopping an idea for a screenplay, and the like. The alleged facts here simply do not implicate the common law tort. Again, plaintiffs will be given leave to amend, but should carefully consider whether there is a valid basis to do so.
8. Breach of Contract (Counts III and IV) and Negligence (Count I)
The Consolidated Complaint alleges, in essence, that plaintiffs entered into contractual relationships with BetterHelp, and that BetterHelp's various promises of confidentiality were terms of those contracts. The allegations regarding how and when the contracts were formed, and what provisions became express or implied terms of those contracts, are not as specific and clear as they should be, even assuming they might survive dismissal if that was the only issue with the pleading. Any amended complaint, therefore, should specifically and concisely identify the facts showing how the contracts were formed, the alleged contractual terms, and the facts plaintiffs contend establish breach.
Because plaintiffs' relationship with BetterHelp appears to have arisen in contract, it is not clear the alleged circumstances support a negligence claim. Any amended complaint asserting a count for negligence should specifically and concisely identify the facts supporting a claim for non-economic damages.
9. Unjust Enrichment (Count XIII)
BetterHelp's challenge to the unjust enrichment claim rests on its contention that plaintiffs cannot pursue such claims and express contract claims simultaneously. Although the claims ultimately may be incompatible, plaintiffs will not be put to an election at this stage.
The Consolidated Complaint is dismissed to the extent set forth above. Plaintiffs may file an amended complaint within 20 days of the date of this order.
IT IS SO ORDERED.