Opinion
3:23-cv-01931-JSC
12-22-2023
CONRAD JAMES, Plaintiff, v. ALLSTATE INSURANCE COMPANY, et al., Defendants.
ORDER RE: MOTIONS TO DISMISS
RE: DKT. NOS. 37, 38
JACQUELINE SCOTT CORLEY, UNITED STATES DISTRICT JUDGE
Conrad James brings this putative class action against Allstate, an insurance company, and Heap, a software service provider, for violations of the California Invasion of Privacy Act (“CIPA”) §§ 631, 632.7, California's Unfair Competition Law (“UCL”), Cal. Bus. & Prof. Code § 17200 et seq., and the California Constitution's right to privacy. Defendants move to dismiss under Federal Rule of Civil Procedure 12(b)(6). (Dkt. Nos. 37, 38.) After carefully reviewing the papers submitted and having had the benefit of oral argument on December 21, 2023, the Court GRANTS Defendants' motions to dismiss. Drawing all reasonable inferences from the amended complaint's allegations in Plaintiff's favor, Plaintiff does not plausibly allege Defendants' liability.
Record citations are to material in the Electronic Case File (“ECF”); pinpoint citations are to the ECF-generated page numbers at the top of the documents.
BACKGROUND
In November and December 2022, Plaintiff, while in California, used his computer and mobile phone to access Allstate's website and search for an insurance quote. (Dkt. No. 34 at ¶¶ 48, 49.) Plaintiff's electronic communications were recorded in real time “to attempt to learn the identity, email address, zip code, age, height, weight, use of prescription medications and tobacco products, and other [Personally Identifiable Information] PII and [Personal Health Information] PHI of Plaintiff while he sought an insurance quote.” (Id. at ¶ 50.) Plaintiff was not aware “his keystrokes, mouse clicks, and other electronic communications, including the information described above, were being intercepted in real time” and disclosed to a third party, Heap; “nor did Plaintiff consent to share his private information with Heap.” (Id. at ¶ 51.)
Heap is a software as a service company that “provides software which monitors and records a website user's activity on a webpage.” (Id. at ¶ 20.) “To obtain a quote on an Allstate insurance plan, consumers fill out a form online at Allstate.com” by clicking the “get a quote” button. (Id. at ¶ 30.) Allstate uses Heap's JavaScript and when customers click the “get a quote” button and answer questions about their medical health, the “responses are automatically sent to Heap.” (Id. at ¶¶ 31-32.) “Heap provides data retention to its customers and charges a fee for storing and retaining its customers' data.” (Id. at ¶ 26.) “Users who visit Allstate's website to get an insurance quote are not put on notice of its Privacy Statement, the Terms of Use, or provided with any other notification that the sensitive information they are submitting is being recorded by Allstate or Heap or shared by Allstate with Heap or any other third party.” (Id. at ¶ 35.)
Plaintiff filed this putative class action in the San Francisco County Superior Court bringing claims under California Penal Code § 631, California's Unfair Competition Law, and for invasion of privacy under the California Constitution. (Dkt. No. 1-1.) Defendants removed the action to federal court under the Class Action Fairness Act, 28 U.S.C. § 1332(d). (Dkt. No. 1.) Shortly thereafter, Defendants separately moved to dismiss for failure to state a claim under Federal Rule of Civil Procedure 12(b)(6). (Dkt. Nos. 28, 29.) The parties stipulated to Plaintiff filing an amended complaint adding a claim under California Penal Code § 632.7. (Dkt. No. 32.) Plaintiff then filed his Amended Complaint and Defendants again moved to dismiss. (Dkt. Nos. 34, 37, 38.)
DISCUSSION
This case is one of many throughout district courts in California challenging the use of third-party software to record website visitors' activity without their knowledge. Plaintiff alleges Defendants' actions constitute unlawful wiretapping under the California Invasion of Privacy Act (“CIPA”), California Penal Code Section 631 et seq., and an invasion of privacy under the California Constitution.
I. Section 631
Section 631(a) of the California Penal Code penalizes:
Any person who, by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection, whether physically, electrically, acoustically, inductively, or otherwise, with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephonic communication system, or who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state;
or who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained,
or who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section[.]
Cal. Penal Code § 631(a) (line breaks added). The statute “prescribes . . . penalties for three distinct and mutually independent patterns of conduct: intentional wiretapping, willfully attempting to learn the contents or meaning of a communication in transit over a wire, and attempting to use or communicate information obtained as a result of engaging in either of the two previous activities.” Tavernetti v. Super. Ct., 22 Cal.3d 187, 192 (1978).
Plaintiff contends Heap is directly liable under the first and second clauses (patterns of conduct), and Allstate is liable under fourth clause based on aiding, agreeing with, and conspiring with Heap to violate Section 631(a).
While Plaintiff alleges Allstate directly violated clause one, (Dkt. No. 34 ¶ 79), Plaintiff appears to have abandoned this theory in his opposition. (Dkt. No. 47 at 10.) Even if he had not, the claim would fail as matter of law. CIPA protects speakers from “eavesdropping” by “third parties.” Ribas v. Clark, 38 Cal.3d 355, 359 (1985). Plaintiff intended to communicate with Allstate. (Dkt. No. 34 at ¶ 48.) So, Allstate is not a third-party eavesdropper.
A. Section 631(a)-Clause One
Heap insists Plaintiff's claim under the first clause of Section 631(a) fails because it only protects communications that are made over a “wire, line, or cable”-not communications over a smartphone or computer as alleged here. Indeed, the plain text of the statute “expressly requires that the unauthorized ‘connection' be made with ‘any telegraph or telephone wire, line, cable, or instrument.'” In re Google Assistant Priv. Litig., 457 F.Supp.3d 797, 825 (N.D. Cal. 2020) (quoting Cal. Penal Code § 631(a)). Plaintiff's reliance on Javier v. Assurance IQ, LLC, No. 2116351, 2022 WL 1744107, at *1 (9th Cir. May 31, 2022), is unpersuasive. Javier stated:
Though written in terms of wiretapping, Section 631(a) applies to Internet communications. It makes liable anyone who “reads, or attempts to read, or to learn the contents” of a communication “without the consent of all parties to the communication.” Cal. Penal Code § 631(a). The district court held that consent under Section 631(a) is valid even if it is given after the communication has taken place. We disagree.Id. In stating 631(a) applies to the internet, Javier was discussing and quoting from the second clause: “reads, or attempts to read, or to learn the contents” of a communication “without the consent of all parties to the communication.” As only the second clause contains that language, including any “consent” requirement, and as each clause is “distinct” and “independent,” Tavernetti, 22 Cal.3d at 192, Javier says nothing about whether clause one applies to the internet despite its plain language to the contrary. See In re Google Inc., No. 13-MD-02430-LHK, 2013 WL 5423918, at *20 (N.D. Cal. Sept. 26, 2013) (concluding clause two applies to internet communications because, unlike clause one, clause two is not limited to telegraphic and telephone wires and the Legislature intended the two clauses to apply to different technologies).
Because Section 631(a)'s plain text does not prohibit the non-telephone wire, line, cable or instrument conduct described here, Plaintiff does not state a claim under clause one.
B. Section 631(a)-Clause Two
Clause two applies if the third-party “willfully and without consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state[.]” Cal. Penal Code § 631(a). Defendants insist Plaintiff's Section 631 claim under clause two fails because Heap is an extension of Allstate and merely enabled Allstate to record its own communications. See In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 607 (9th Cir. 2020) (citing Warden v. Kahn, 99 Cal.App.3d 805, 811 (1979) (“[S]ection 631 ... has been held to apply only to eavesdropping by a third party and not to recording by a participant to a conversation.”)). Plaintiff responds his allegation that Heap has “the capability to use its record of the interaction for [another] purpose” is sufficient to plausibly allege it is a third party. (Dkt. No. 47 at 14 (quoting Javier v. Assurance IQ, LLC,. No. 20-cv-02860-CRB, 2023 WL 114225 (N.D. Cal. Jan. 5, 2023) (emphasis in original)).
But even if Plaintiff plausibly alleges Heap is capable of using the recording for its own purpose, Plaintiff has not plausibly alleged a different clause two requirement: Heap has “read, or attempt[ed] to read, or to learn the contents or meaning of” the communication while the communication is in transit to Heap. See Williams v. DDR Media, LLC, No. 22-CV-03789-SI, 2023 WL 5352896, at *4 (N.D. Cal. Aug. 18, 2023). In Williams, the court concluded because the second clause “penalizes anyone who ‘reads, or attempts to read, or to learn the contents or meaning of' the communication,” clause two does not cover a software company that “merely recorded the communication for retrieval by a party to the same communication.” Id. at *4 (quoting Cal. Penal Code § 631(a)). Plaintiff has similarly not alleged Heap read, attempted to read, or to learn the meaning of his communications with Allstate; rather, he merely alleges Heap recorded the data and stores it on its servers. (Dkt. No. 34 at ¶ 26.) Plaintiff's allegation that “this data is stored or can be accessed by Heap” is insufficient to support a plausible interference Heap attempted to read or learn the contents of the communication while in transit. See Oklevueha Native Am. Church of Hawaii, Inc. v. Holder, 676 F.3d 829, 834 (9th Cir. 2012) (“[C]onclusory allegations and unwarranted inferences are insufficient to defeat a motion to dismiss.”). Accordingly, Plaintiff's allegations are insufficient to demonstrate Heap is liable under Section 631(a), clause two. Plaintiff's Section 631(a) claim is therefore dismissed in its entirety.
Because the claim is dismissed, the Court need not reach Defendants' other arguments as to the to Section 631(a) claim. Liability under clause four only arises based on liability under clause two.
II. Section 632.7
Under Section 632.7,
[e]very person who, without the consent of all parties to a communication, intercepts or receives and intentionally records ... a communication transmitted between two cellular radio telephones, a cellular radio telephone and a landline telephone, two cordless telephones, a cordless telephone and a landline telephone, or a cordless telephone and a cellular radio telephone, shall be [guilty of a crime.]
Cal. Penal Code § 632.7(a). As discussed above, Plaintiff does not allege Defendants received the communication on a “cellular radio telephone,” a “landline telephone,” or a “cordless telephone.” Cal. Penal Code § 632.7(a). Instead, Plaintiff contends that because he alleges he communicated with Defendant using smartphones which he characterizes as “sophisticated cellular radio telephones” “and/or devices enabled by cellular or landline telephony,” the communications were “transmitted via a combination of landline telephony and cellular telephony.” (Dkt. No. 34 at ¶¶ 87-88.) Plaintiff's attempt to fit his internet communication within the confines of Section 632.7(a)'s telephone-based communication is unavailing.
When interpreting California statutes, the Court begins with “the words themselves.” Herrera v. Zumiez, Inc., 953 F.3d 1063, 1071 (9th Cir. 2020). As this Court has previously noted, “§ 632.7 unambiguously limits its reach to communications between various types of telephones.” Valenzuela v. Keurig Green Mountain, Inc., No. 22-CV-09042-JSC, 2023 WL 3707181, at *6 (N.D. Cal. May 24, 2023) (rejecting plaintiff's invitation to rewrite section 632.7 for the internet era). As in Valenzuela, Plaintiff “makes no persuasive argument the statute contemplates internet communications between a smart phone and an unspecified device on Defendants['] end.” Id. Plaintiff's argument that this case, unlike Valenzuela, involves smartphones, is unavailing as Plaintiff alleges his cellphone communication occurred with Allstate on Allstate.com-that is, at best, the communication was between a cellphone and the internet, not for example, over a phone call or text message. Plaintiff has not alleged either Defendant used telephone technology to receive the communication so the statute does not apply. And, such an allegation would in any event be implausible as Plaintiff alleges to have communicated with Allstate via its website on the internet.
Plaintiff's reliance on Byars v. Goodyear Tire & Rubber Co., 2023 WL 1788553, at *5 (C.D. Cal. Feb. 3, 2023), is likewise availing. The Court finds that case unpersuasive for the reasons stated in Byars v. Hot Topic, Inc., 2023 WL 2026994, at *11-12 (C.D. Cal. Feb. 14, 2023).
Accordingly, Defendants' motions to dismiss Plaintiffs' Section 632.7 claim are granted.
III. Invasion of Privacy
To bring a claim for invasion of privacy under the California Constitution, plaintiffs must allege “(1) they possess a legally protected privacy interest, (2) they maintain a reasonable expectation of privacy, and (3) the intrusion is so serious ... as to constitute an egregious breach of the social norms such that the breach is highly offensive.” In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 601 (9th Cir. 2020) (cleaned up).
To the extent Plaintiff contends in his opposition brief that his invasion of privacy claim is also based on a violation of the Federal Wiretap Act, 18 U.S.C. § 2510.3, no such claim is alleged in the Amended Complaint. Rather, the invasion of privacy claim is alleged based on “California Constitution, Art. 1, § 1.” (Dkt. No. 34 at 20.)
A. Legally Protected Privacy Interest and Reasonable Expectation of Privacy
“Whether a legally recognized privacy interest is present in a given case is a question of law to be decided by the court.” Hill v. Nat'l Collegiate Athletic Assn., 7 Cal.4th 1, 40 (1994). Courts generally recognize two types of privacy interests: (1) informational interests which preclude the dissemination or misuse of sensitive confidential information; and (2) autonomy interests “in making intimate personal decisions or conducting personal activities without observation, intrusion, or interference.” Id. at 35.
Plaintiff has adequately alleged an informational privacy interest in his “email address, zip code, age, height, weight, use of prescription medications and tobacco products, and other PII and PHI.” (Dkt. No. 34 at ¶ 50.) See Norman-Bloodsaw v. Lawrence Berkeley Lab'y, 135 F.3d 1260, 1269 (9th Cir. 1998) (recognizing a “constitutionally protected privacy interest in avoiding disclosure of personal matters clearly encompasses medical information and its confidentiality.”). Plaintiff has likewise adequately alleged a reasonable expectation of the privacy of this information which was “intercepted in real time and [] disclosed to Heap (a third party) while he sought an insurance quote” from Allstate without his consent. (Dkt. No. 34 at ¶ 51.) See Facebook Tracking, 956 F.3d at 601-02 (holding “[a] reasonable expectation of privacy exists where a defendant gains “unwanted access to data by electronic or other covert means, in violation of the law or social norms.”).
Allstate's insistence Plaintiff had no cognizable privacy interest or reasonable expectation of privacy because the data was collected while he was interacting with its website is unavailing. First, the data collected in the cases upon which Allstate relies-browsing history-is not the same as the Personally Identifiable Information (PII) and Personal Health Information (PHI) collected here. See, e.g., Yoon v. Lululemon USA, Inc., 549 F.Supp.3d 1073, 1086 (C.D. Cal. 2021) (holding no privacy interest in browsing data collected while on the defendant's website); In re Google Location Hist. Litig., 428 F.Supp.3d 185, 198 (N.D. Cal. 2019) (holding no privacy interest when Google “only tracked and collected data during use of Google services”).
Second, Allstate's argument ignores the allegations that form the basis for the claim- although Plaintiff voluntarily disclosed the information to Allstate, he was not aware Heap was recording his keystrokes and information provided. (Dkt. No. 34 at ¶ 51.) Allstate's reliance on its Privacy Policy is misplaced. Generally, “district courts may not consider material outside the pleadings when assessing the sufficiency of a complaint under Rule 12(b)(6).” Khoja v. Orexigen Therapeutics, Inc., 899 F.3d 988, 998 (9th Cir. 2018). There are, however, “two exceptions to this rule: the incorporation-by-reference doctrine, and judicial notice under Federal Rule of Evidence 201.” Id. While Plaintiff alleges Allstate's website includes a “hyperlink [to the Privacy Policy] that is located, among a multitude of links, in small letters at the very bottom of the page,” he also alleges this link is insufficient to put Plaintiff and other users on notice of the Privacy Policy. (Dkt. No. 34 as ¶¶ 40-41.) Further, Plaintiff alleges he himself did not receive notice of the Privacy Policy prior to the interception. (Id. at ¶ 53.) Thus, even if the Court were to consider the Privacy Policy under the incorporation by reference doctrine, drawing all inferences in Plaintiff's favor, the website hyperlink failed to disclose a third party's capture of the Personally Identifiable Information and Personal Health Information. To conclude otherwise would improperly draw inferences in Defendants' favor. See Khoja, 899 F.3d at 999 (“If defendants are permitted to present their own version of the facts at the pleading stage-and district courts accept those facts as uncontroverted and true-it becomes near impossible for even the most aggrieved plaintiff to demonstrate a sufficiently ‘plausible' claim for relief.”). So, the Privacy Policy does not defeat the allegations supporting a reasonable expectation of privacy.
Accordingly, Plaintiff has adequately alleged a legally protected privacy interest and reasonable expectation of privacy in his sensitive personal information.
B. Highly Offensive Conduct
“Actionable invasions of privacy must be sufficiently serious in their nature, scope, and actual or potential impact to constitute an egregious breach of the social norms underlying the privacy right.” Hill, 7 Cal.4th at 37. “While analysis of a reasonable expectation of privacy primarily focuses on the nature of the intrusion, the highly offensive analysis focuses on the degree to which the intrusion is unacceptable as a matter of public policy.” Facebook Tracking, 956 F.3d at 606. Defendants insist Plaintiff's allegations do not satisfy the highly offensive standard because he “only alleges Defendants collected limited and routine information that Plaintiff himself voluntarily provided in the course of applying for an insurance quote.” (Dkt. No. 49 at 12.)
Plaintiff's response relies entirely on Hazel v. Prudential Fin., Inc., No. 22-CV-07465-CRB, 2023 WL 3933073 (N.D. Cal. June 9, 2023), insisting that because Hazel found similar allegations sufficiently alleged highly offensive conduct so too here. (Dkt. No. 47 at 18.) The Court is unpersuaded. Hazel's allegations go well beyond those here. In particular, Hazel relied upon the allegation the software provider who stored the information analyzed the “[p]laintiffs' data to ‘certify' them as ‘leads' for buyers” which “exceed[ed] Plaintiffs' reasonable expectations of what their information would be used for.” Id. at *5. Ultimately, the court concluded “even if it is a close question whether such use is highly offensive or mere ‘routine commercial behavior,'” in light of “the Ninth Circuit's instruction that whether an intrusion is highly offensive is not typically a question that should be resolved at the pleading stage” it would deny the motion to dismiss. Id. (citing In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 606 (9th Cir. 2020); see also Katz-Lacabe v. Oracle Am., Inc., No. 22-CV-04792-RS, 2023 WL 2838118, at *7 (N.D. Cal. Apr. 6, 2023) (denying motion to dismiss where it was a similarly “close question”).
While the Court is mindful of the Ninth Circuit's caution in Facebook that the question of whether a defendant's conduct “could highly offend a reasonable individual is an issue that cannot be resolved at the pleading stage,” the plaintiffs there had alleged “surreptitious data collection when individuals were not using Facebook” which the court found “sufficient to survive a dismissal motion.” In re Facebook, 956 F.3d at 606. Plaintiff here has not alleged similar conduct. Rather, “Plaintiff voluntarily provided information to [Allstate]; to the extent that information was provided to a third party, plaintiff alleges no use by the third party other than storing that information for [Allstate] to refer back to.” Williams v. DDR Media, LLC, No. 22-CV-03789-SI, 2023 WL 5352896, at *7 (N.D. Cal. Aug. 18, 2023). Such alleged conduct is not highly offensive as a matter of law. Accordingly, Defendants' motions to dismiss Plaintiff's invasion of privacy claim are granted.
IV. The UCL
Defendants urge Plaintiff lacks statutory standing to bring a UCL claim for injunctive relief because he has not alleged economic loss. “While the substantive reach of [the UCL] remains expansive,” to establish statutory standing to enforce the UCL's provisions, a plaintiff must “(1) establish a loss or deprivation of money or property sufficient to qualify as injury in fact, i.e., economic injury, and (2) show that that economic injury was the result of, i.e., caused by, the unfair business practice or false advertising that is the gravamen of the claim.” Kwikset Corp. v. Superior Ct., 51 Cal.4th 310, 322 (2011) (emphasis in original); see also Cal. Bus. & Prof. Code § 17204 (“Actions for relief pursuant to this chapter shall be prosecuted exclusively in a court of competent jurisdiction ... by a person who has suffered an injury in fact and has lost money or property as a result of the unfair competition.”).
Plaintiff insists he has statutory standing because he “was caused to engage in a transaction he otherwise would not have where Defendants gained financial benefits.” (Dkt. No. 47 at 20.) This allegation, however, is not in the Amended Complaint. The Amended Complaint alleges Defendants knowingly wiretapped Plaintiff's “communications of their private personal information without their consent.” (Dkt. No. 34 at ¶ 98.) While Plaintiff also alleges “both Heap and Allstate benefit financially from Allstate's use of Heap's software and service” (Id. at ¶ 29), this allegations does not support an inference Plaintiff “lost money or property” as a result. See, e.g., 2023 WL 3933073, at *6 (“just because Plaintiffs' data is valuable in the abstract, and because ActiveProspect might have made money from it, does not mean that Plaintiffs have ‘lost money or property' as a result”); Bass v. Facebook, Inc., 394 F.Supp.3d 1024, 1040 (N.D. Cal. 2019) (“That the information has external value, but no economic value to plaintiff, cannot serve to establish that plaintiff has personally lost money or property.”); In re Facebook, Inc., Consumer Priv. User Profile Litig., 402 F.Supp.3d 767, 804 (N.D. Cal. 2019) (“Facebook may have gained money through its sharing or use of the plaintiffs' information, but that's different from saying the plaintiffs lost money.”).
Plaintiff's reliance on Brown v. Google LLC, No. 20-CV-03664-LHK, 2021 WL 6064009, at *15 (N.D. Cal. Dec. 22, 2021), is misplaced as the plaintiff there alleged a specific cash value was attached to the allegedly misappropriated data and identified a market for the data. Plaintiff's allegations here do not include sufficient information from which the Court can plausibly infer the data allegedly misappropriated likewise had an economic value of which he was deprived as a result of Defendants' actions. “The weight of the authority in the district and the state, however, point in the opposite direction [from cases like Brown]: that “the ‘mere misappropriation of personal information' does not establish compensable damages.” Katz-Lacabe v. Oracle Am., Inc., No. 22-CV-04792-RS, 2023 WL 2838118, at *8 (N.D. Cal. Apr. 6, 2023) (quoting Pruchnicki v. Envision Healthcare Corp., 845 Fed.Appx. 613, 615 (9th Cir. 2021) (citations omitted)).
Accordingly, Plaintiff's UCL claim is dismissed for lack of statutory standing.
CONCLUSION
For the reasons set forth above, the Court grants Defendants' motions to dismiss with leave to amend. Any amended complaint shall be filed by February 5, 2024 unless the parties stipulate to another deadline.
This Order disposes of Docket Nos. 37 and 38.
IT IS SO ORDERED.