Summary
In Tiny Lab, the State of New Mexico brought COPPA, state common law, and state statutory claims against a game developer whose "cartoonish" offerings attracted child players.
Summary of this case from H.K. v. Google LLCOpinion
No. 18-854 MV/JFR
2020-04-29
Brian E. McMath, Cholla Khoury, New Mexico Office of the Attorney General, Santa Fe, NM, David F. Slade, James Allen Carney, Joseph H. Bates, Carney Bates & Pulliam, PLLC, Little Rock, AK, Michael Sobol, Pro Hac Vice, Lieff Cabraser Heimann & Bernstein, LLP, San Francisco, CA, Nicholas Diamand, Pro Hac Vice, Lieff Cabraser Heimann & Bernstein, LLP, New York, NY, for Plaintiff. Anthony Weibell, Pro Hac Vice, Wilson Sonsini Goodrich & Rosati, PC, Palo Alto, CA, Richard L. Alvidrez, Miller Stratvert PA, Albuquerque, NM, for Defendants. Tiny Lab Productions, pro se.
Brian E. McMath, Cholla Khoury, New Mexico Office of the Attorney General, Santa Fe, NM, David F. Slade, James Allen Carney, Joseph H. Bates, Carney Bates & Pulliam, PLLC, Little Rock, AK, Michael Sobol, Pro Hac Vice, Lieff Cabraser Heimann & Bernstein, LLP, San Francisco, CA, Nicholas Diamand, Pro Hac Vice, Lieff Cabraser Heimann & Bernstein, LLP, New York, NY, for Plaintiff.
Anthony Weibell, Pro Hac Vice, Wilson Sonsini Goodrich & Rosati, PC, Palo Alto, CA, Richard L. Alvidrez, Miller Stratvert PA, Albuquerque, NM, for Defendants.
Tiny Lab Productions, pro se.
MEMORANDUM OPINION AND ORDER
MARTHA VÁZQUEZ, United States District Judge
THIS MATTER comes before the Court on the SDK Defendants’ Motion to Dismiss the Complaint for Failure to State a Claim ("SDK Defendants’ Motion") [Doc. 47] and Defendant Google's Motion to Dismiss ("Google's Motion") [Doc. 50]. The Court, having considered the motions and relevant law, finds that the SDK Defendants’ Motion is well-taken and will be granted, and that Google's Motion is well-taken in part and will be granted in part and denied in part.
The "SDK Defendants" are Twitter Inc., MoPub, Inc., AerServ LLC, InMobi PTE Ltd., Applovin Corp., and ironSource USA, Inc.
"Defendant Google" is Google LLC and AdMob Google Inc.
BACKGROUND
I. Introduction
Though catchy television commercial jingles may no longer be ubiquitous in contemporary society, advertising is still alive and well in this computer age. In exchange for free access to "apps" on our many mobile devices, we are often required to (im)patiently view ads that pop up before, after, or while we play, watch, or otherwise enjoy those apps. Those ads often seem tailor-made to match our interests. That is no accident. There are companies – matchmakers of the digital age – that design computer programs to match app users with the ads most suited to them.
This is how it works, in a nutshell. Ad exchanges, or "networks," sell coding known as software development kits, or "SDKs," to app developers to embed into their apps. When an app is in use, data signals from the SDKs collect information about the app users. Based on that information, the networks’ sophisticated algorithms allow the instantaneous, automated buying and selling of advertisements, and the instantaneous, automated service of those advertisements back to the app users. In this way, the ad networks provide "monetization platforms" that mediate between app developers and third-party advertisers, maximizing the effectiveness of mobile app advertising and the resulting revenue that an app developer can earn from selling advertising space on its free apps.
Sometimes, and perhaps more often than some parents would like, app users are children, just as susceptible (if not more so) to targeted advertising than adult app users. As a general rule, a federal statute known as the Children's Online Privacy Protection Act ("COPPA") prohibits app developers and ad networks from collecting certain personal information from app users who are children without first taking certain precautions. This opinion addresses what appears to be an issue of first impression, namely, under what circumstances ad networks may be held liable under COPPA for their collection of personal information from app users who are children, in addition to how issues of preemption and state law come into play.
II. The Facts
Tiny Lab Productions ("Tiny Lab"), a Lithuanian company, is a developer of child-directed, mobile game apps including Fun Kid Racing, Candy Land Racing, Baby Toilet Race: Cleanup Fun, and GummyBear and Friends Speed Racing. Doc. 1 ¶ 3. Tiny Labs apps are "fun, free, kid-focused games" that have a "cartoonish design and subject matter," and Tiny Lab represents that the "children love" their games, that the "levels are designed specifically for children," that the games are "for kids," and will keep them "entertained for months," and that the "games are expressly to be played by [ ] children." Id. ¶¶ 100, 30-31.
During the relevant time period, Tiny Lab's apps were available for download in the Google Play Store, operated by Google. Id. ¶ 12. "[T]he majority of Tiny Lab's Gaming Apps were submitted to Google as family friendly, child-directed and appropriate for inclusion in Google's Designed for Family section on Google Play." Id. ¶ 109.
Google/AdMob, Twitter/MoPub, InMobi/AerServ, Applovin, and ironSource (collectively, the "Ad Networks") sold their proprietary SDKs to Tiny Lab for installation and use in its gaming apps. Id. ¶ 13. When a Tiny Lab app is downloaded onto a child's device in New Mexico, the Ad Networks’ SDKs are also installed as app components. Id. ¶ 5. Once so embedded, while a child in New Mexico plays one of the apps, the Ad Networks’ SDK collects personal information about that child and tracks the child's online behavior to profile the child for targeted advertising. Id. ¶¶ 43-46. This activity is invisible to the child and her parents, who simply see the given app's game interface, and occurs "without (1) reasonable and meaningful notice to parents, or (2) verifiable parental consent." Id. ¶¶ 46, 55, 66, 74.
Specifically, as soon as a child in New Mexico opens up a Tiny Lab app on her device and it connects to the internet, the app connects to servers, including the Ad Networks’ servers. Id. ¶ 55. The embedded SDKs then begin sending data about the child to the Ad Networks’ respective servers. Id. As the child plays the app, the SDKs continue to communicate with the servers, sending requests, or "calls" for advertisements targeted to the child playing the app. Id. ¶ 56. With each request from the embedded software, the child's personal information, including her location in New Mexico, is transmitted to the Ad Networks’ servers. Id. The Ad Networks take and analyze this data "for purposes of profiling the child and serving her age-based, behavioral advertising targeted to children." Id. ¶ 108. Advertisements served to users of the apps include those for "cartoonish games very similar in content and cartoonish presentation to the Tiny Lab Gaming Apps." Id. The Ad Networks further use the data they collect "to trigger events – both within the app and across the Internet – that will encourage [the child] to play the app more often and for longer periods." Id. ¶ 153.
The Ad Networks’ servers also store and analyze the child's information "to enable continued tracking of [that] child, such as what ads she has already seen, what actions she took in response to those ads, other online behavior, and additional demographic data." Id. ¶ 56. "This way, each [Advertising Network] (and other affiliated entities) can generally monitor, profile, and track her over time, across devices, and across the Internet." Id.
The data that the Ad Networks take from children's devices are called ‘persistent identifiers,’ " which are "a set of unique data points" that "can link one specific individual to all of the apps on her device and her activity on those apps." Id. ¶ 50. These persistent identifiers include "device fingerprint data," which in turn includes the name and developer of the app that the child is operating. Id. ¶¶ 51-53, 63, 71, 79, 86, 93. In addition, some of the Ad Networks, namely, Twitter/MoPub, Google/AdMob, and InMobi/AerServ, "can receive the GPS location of the child's device, with a street-level granular accuracy." Id. ¶¶ 61, 69, 77.
While "[v]iewed in isolation, a persistent identifier is merely a string of numbers uniquely identifying a child," when "linked to other data points about the same child such as app usage, geographic location (including likely domicile), and Internet navigation, it discloses a personal profile that can be exploited in a commercial context." Id. ¶ 123. The Ad Networks "aggregate this data, and also buy it from and sell it to other third-parties," and, linking it with the child's geolocation, create "an increasingly sophisticated profile of how, when, and why a child uses her mobile device." Id. ¶¶ 124-126.
The Ad Networks engage in these actions "despite widespread awareness that children are more vulnerable to deception by advertisers because they are easily influenced by its content, lack the cognitive skills to understand the intention of advertisers, and can struggle to distinguish between advertisements and other content." Id. ¶ 141. Further, "[p]arents are increasingly concerned about their children's mobile device usage," as increased usage is associated "with negative consequences for children," including "increasing rates of ADHD, depression, anxiety, and reduced focus in the classroom." Id. ¶ 158. Similarly, sources such as legislative enactments, scholarly literature, and comments by self-regulatory agencies manifest "society's deep revulsion" toward the sort of "collecting and accessing of personal information for tracking and profiling purposes" in which the Ad Networks engage. Id. ¶ 180.
III. The Instant Case
The State of New Mexico ("Plaintiff") commenced this action, asserting a federal statutory claim against Tiny Lab and the Ad Networks for violation of COPPA, along with a state statutory claim against Tiny Lab and the Ad Networks for violations of the New Mexico Unfair Practices Act ("UPA"), a state common law claim against Tiny Lab and the Ad Networks for intrusion on seclusion, and a state statutory claim against Google for an additional violation of the UPA in connection with its operation of Google Play. Id. ¶¶ 207-248. Thereafter, all of the Ad Networks other than Google/AdMob (collectively, the "SDK Defendants") together filed one motion to dismiss, in which Google/AdMob joined. Additionally, Google filed its own motion to dismiss on behalf of Google as the operator of Google Play and Google/AdMob. The State objects to both motions.
STANDARD
Under Rule 12(b)(6), a Court may dismiss a complaint for "failure to state a claim upon which relief can be granted." Fed. R. Civ. P. 12(b)(6). "The nature of a Rule 12(b)(6) motion tests the sufficiency of the allegations within the four corners of the complaint." Mobley v. McCormick , 40 F.3d 337, 340 (10th Cir. 1994). When considering a Rule 12(b)(6) motion, the Court must accept as true all well-pleaded factual allegations in the complaint, view those allegations in the light most favorable to the plaintiff, and draw all reasonable inferences in the plaintiff's favor. Smith v. United States , 561 F.3d 1090, 1097 (10th Cir. 2009), cert. denied , 558 U.S. 1148, 130 S. Ct. 1142, 175 L.Ed.2d 973 (2010).
"To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to state a claim to relief that is plausible on its face." Ashcroft v. Iqbal , 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (citations omitted). "A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Id. "Where a complaint pleads facts that are ‘merely consistent with’ a defendant's liability, it ‘stops short of the line between possibility and plausibility of entitlement to relief.’ " Id. (quoting Bell Atl. Corp. v. Twombly , 550 U.S. 544, 557, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007) ).
The Court in Iqbal identified "two working principles" in the context of a motion to dismiss. Id. First, "the tenet that a court must accept as true all of the allegations contained in a complaint is inapplicable to legal conclusions. Threadbare recitals of the elements of a cause of action, supported by mere conclusory statements, do not suffice." Id. Accordingly, Rule 8 "does not unlock the doors of discovery for a plaintiff armed with nothing more than conclusions." Id. at 678-79, 129 S.Ct. 1937. "Second, only a complaint that states a plausible claim for relief survives a motion to dismiss." Id. at 679, 129 S.Ct. 1937 ; see Twombly , 550 U.S. at 570, 127 S.Ct. 1955 (holding that a plaintiff must "nudge" her claims "across the line from conceivable to plausible"). Accordingly, "where the well-pleaded facts do not permit the court to infer more than the mere possibility of misconduct, the complaint has alleged – but it has not shown – that the pleader is entitled to relief." Id. (citation omitted).
In keeping with these two principles, the Court explained,
a court considering a motion to dismiss can choose to begin by identifying pleadings that, because they are no more than conclusions, are not entitled to the assumption of truth. When there are well-pleaded factual allegations, a court should assume their veracity and then determine whether they plausibly give rise to an entitlement to relief."
Id. at 679, 129 S.Ct. 1937.
DISCUSSION
In their Motions to Dismiss, the SDK Defendants and Google argue that: (1) Plaintiff has failed to adequately allege that the Ad Networks violated COPPA; (2) as a result, Plaintiff's state law claims against the Ad Networks are preempted by COPPA; and (3) even if the state law claims were not preempted, Plaintiff has failed to adequately allege claims against the Ad Networks under either the UPA or common law. In its Motion to Dismiss, Google further argues that Plaintiff has failed to adequately allege that it violated the UPA in connection with its operation of Google Play.
I. The COPPA Claims
COPPA, codified at 15 U.S.C. § 6501, et seq., "prohibits unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children on the Internet." 16 C.F.R. § 312.1. Specifically, COPPA makes it "unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates the [relevant] regulations" (collectively codified as the "COPPA Rule") prescribed by the Federal Trade Commission (the "Commission"). 15 U.S.C. § 6502(a)(1). In turn, the COPPA Rule provides in relevant part that, subject to certain exceptions, an operator must provide notice and "[o]btain verifiable parental consent prior to any collection, use, and/or disclosure of personal information from children." 16 C.F.R. §§ 312.3(b), 312.4(a).
COPPA thus addresses the "collection of personal information" from child app users. This includes "passively tracking" both "persistent identifiers" and "geolocation information," which is what Plaintiff alleges Tiny Lab and the Ad Networks did here. 16 C.F.R. § 312.2. COPPA distinguishes between the app developers, who create the content of the apps – such as Tiny Lab – and the "plug-ins" or "ad networks" – such as Defendant Ad Networks – who provide software to collect information from app users. Specifically, app developers whose content is directed to children are strictly liable under COPPA if personal information is collected, in a manner that violates the COPPA Rule, from children using their apps. In contrast, ad networks may be held liable for the collection of personal information from child app users only if they have "actual knowledge" that the apps in which their SDKs are embedded are directed to children. See 16 C.F.R. § 312.2.
Unsurprisingly then, the parties disagree as to whether the Complaint adequately alleges that the Ad Networks had "actual knowledge" that the Tiny Lab apps were directed to children. In their motion, the SDK Defendants’ first and most persuasive argument is that the allegations in the Complaint, if proven, would fail to establish that they had "actual knowledge" that the Tiny Lab apps were "directed to children." The SDK Defendants also argue, less convincingly, that the Complaint fails to allege that they collected personal information from children in a manner that violates the COPPA Rule. Google joins in both of these arguments, makes further not so persuasive points regarding the actual knowledge requirement, and makes the additional unavailing argument that it was entitled "as a matter of law" to rely on Tiny Lab's obligation to ensure COPPA compliance.
A. Actual Knowledge That Tiny Lab's Apps Were Child-Directed
Neither COPPA (the statute) nor the COPPA Rule defines "actual knowledge." The commonly accepted legal definition of "knowledge" is "[a]n awareness or understanding of a fact or circumstance; a state of mind in which a person has no substantial doubt about the existence of a fact." Black's Law Dictionary (11th ed. 2019). Further, the definition of "actual knowledge," which is "[d]irect and clear knowledge," specifically distinguishes it from "constructive knowledge," which is "[k]nowledge that one using reasonable care or diligence should have, and therefore that is attributed by law to a given person." Id. Thus, the COPPA Rule reserves liability only for those ad networks with a direct and clear awareness, as opposed to an awareness attributed to them based on what they reasonably should have known, that the apps in which their SDKs are embedded are directed to children.
According to Plaintiff, through communications between the Ad Networks’ SDKs and their servers, all of the Ad Networks learned that Tiny Lab's apps were directed to children. Also according to Plaintiff, Google (and Google alone) further gained actual knowledge of the child-directed nature of Tiny Lab's apps through its own review of those apps. As discussed herein, the Court concludes that the Complaint does not plausibly allege actual knowledge on the part of the Ad Networks by virtue of the communications between their SDKs and their servers, but does plead factual content that allows the Court to draw the reasonable inference that Google had actual knowledge of the child-directed nature of Tiny Lab's apps.
1. The Complaint Fails to Allege that the Ad Networks Acquired Actual Knowledge of the Child-Directed Nature of Tiny Lab's Apps Via Communications Between Their SDKs and Their Servers.
The Complaint alleges that, while a Tiny Lab app was in use, the Ad Networks’ SDKs communicated to their servers the app user's persistent identifiers, which included device fingerprint data. In turn, the device fingerprint data included "the bundle ID," which contains "the name of the developer" and "the child-directed app title." Doc. 1 ¶ 107. In the example provided in the Complaint, the developer name is "Tiny Lab" and the app title is "Fun Kid Racing" – information that Plaintiff alleges "manifestly indicate[d] the child-directed nature of the Gaming App and its content." Id. The Complaint further alleges that the Ad Networks’ service of "age-based, behavioral advertising targeted to children" in response to the SDKs’ calls requesting ad placements demonstrates the Ad Networks’ knowledge that the app users were children. Id. ¶ 108. This must be so, Plaintiff argues, because if the Ad Networks did not know that the app users were children, they would be unable to fulfill their very function, namely, to match ads with app users. See Doc. 66 at 16; Doc. 65 at 9-10.
Compelling though this argument may seem at first glance, the Court is not convinced. First, the nature of the information exchange at issue involves the automated transmission of data signals from embedded coding to computer servers and back again, not the communication of comprehensible information from which a sentient being might ascertain the child-directed content of Tiny Lab apps. The automated transmission of data signals is not an equal substitute for the communication of information in a format that plausibly could impart a direct and clear understanding of that information to the recipient.
The automated and instantaneous service of targeted advertising in response to the SDKs’ calls is equally a function of computer coding and sophisticated algorithms. The Complaint does not allege, and it would hardly be plausible if it did, that any sentient being at the Ad Networks had contemporaneous knowledge of who was using the apps in which the SDKs were embedded, and based on that knowledge, was able to instantaneously send ads to those users. There thus is no factual basis to draw the inference that the Ad Networks’ ability to serve targeted advertising back to its SDKs demonstrates the Ad Networks’ awareness of the identity of Tiny Lab app users. To the contrary, it is clear from the Complaint that the Ad Networks are able to send targeted advertising not because they are aware of who is using the apps, but rather because their servers were designed to process the data collected from the app users and match it with advertising data. The only knowledge that this functionality reveals is the knowledge of the coding-savvy individuals who designed the Ad Networks’ computer programs in the first instance.
Indeed, the automated transmission of data signals between the Ad Networks’ SDKs and their servers appears from the Complaint to be the modus operandi of all of the ad networks that mediate between app developers and third-party advertisers; this is simply how the process of their matchmaking works. If, without something more, the transmission from an ad network's SDKs to its servers is deemed sufficient to impart actual knowledge of the child-directed nature of an app to an ad network, then all ad networks whose SDKs are embedded in child-directed apps would be equally subject to COPPA. If the Commission had intended for all ad networks who collect personal information from users of child-directed apps to be subject to COPPA, there would have been no reason to include language that, on its face, restricts liability to only certain of those ad networks. In contrast to its treatment of developers of child-directed apps, who are strictly liable for the collection of personal information from children, the plain language of the COPPA Rule holds ad networks liable for the same conduct only where they have actual knowledge that the apps are child-directed. Holding that the facts alleged here are sufficient to establish actual knowledge would effectively read the actual knowledge limitation on ad network liability out of the COPPA Rule, thereby eliminating the distinction between the standard to which content developers and ad networks each are held.
Further, even if the Court were to find the transmission of data signals sufficient to bestow actual knowledge in the sense envisioned by the COPPA Rule, the Complaint falls short of alleging that the Ad Networks had actual knowledge from those data signals that the Tiny Lab apps were child-directed. What Plaintiff alleges the Ad Networks actually knew is the name of the app developer (Tiny Lab) and the name of the app being used (for example, Fun Car Racing). Although Plaintiff argues that this information "manifestly indicate[d] the child-directed nature of the Gaming App and its content," implicit in this argument is that a reasonable person should have drawn the conclusion that the apps were child-directed from the name of the developer and the app. In other words, the Complaint alleges that the information available to the Ad Networks gives them constructive knowledge of the child-directed nature of the apps. Because the standard here is actual, rather constructive knowledge, these allegations are insufficient.
Moreover, it is not clear that this information – the name of the developer and the app – would be sufficient to provide even constructive knowledge of the child-directed nature of the app. The factors identified in the COPPA Rule for evaluating whether an app is directed or targeted to children do not include the name of either the developer or the app, but rather focus on the substance of the app itself. In particular, the enumerated factors include the app's subject matter, language, visual, music, or audio content, use of animated characters or child-oriented activities and incentives, and use of child-directed ads, in addition to the age of models appearing on the app and the presence of child celebrities or celebrities who appeal to children on the app. 16 C.F.R. § 312.2. The COPPA Rule further indicates that "competent and reliable empirical evidence regarding audience composition, and evidence regarding the intended audience" may also be considered. Id.
The Complaint nowhere alleges that any of these characteristics of Tiny Lab's apps was conveyed to the Ad Networks by their SDKs. Plaintiff alleges that the fact that the Ad Networks served child-directed ads to the users of the apps demonstrates that the Ad Networks knew both that the apps used child-directed ads and that the app audience was comprised of children, factors relevant to the consideration of whether apps are child-directed. As discussed above, however, the fact that the Ad Networks were able to send child-directed ads does not allow the reasonable inference that they "knew" that the app users were children. And for purposes of determining what knowledge was conveyed to the Ad Networks by their SDKs’ communications, Plaintiff's allegations are limited to the transmission of only the name of the developer and the app being used. To consider the Ad Networks’ service of child-directed ads after receipt of these transmissions would turn the inquiry on its head.
In support of their respective arguments as to whether the Complaint sufficiently alleges actual knowledge, both sides rely upon the official Statement of Basis and Purpose published by the Commission with the amended COPPA Rule. After observing that "[k]nowledge, by its very nature, is a highly fact-specific inquiry," the Commission stated its belief that "the actual knowledge standard" it was adopting "will likely be met in most cases when: (1) A child-directed content provider (who will be strictly liable for any collection) directly communicates the child-directed nature of its content to the other online service; or (2) a representative of the online service recognizes the child-directed nature of the content." Federal Trade Commission, Children's Online Privacy Protection Rule, Final Rule Amendments and Statement of Basis and Purpose, 78 Fed. Reg. 3972, 3978 (Jan. 17, 2013). The Commission further explained that it did "not rule out that an accumulation of other facts would be sufficient to establish actual knowledge," and noted that "those facts would need to be analyzed carefully on a case-by-case basis." Id.
"The Statement of Basis and Purpose is not a rule." Lozada v. Dale Baker Oldsmobile, Inc. , 91 F. Supp. 2d 1087, 1094 (W.D. Mich. 2000). Instead, it provides an "explanation of the history and reasoning for implementation of the [COPPA Rule]." Id. Accordingly, the "Statement is not on the same footing as the language of the regulation itself." Id. To the extent that it is nonetheless permissible to look at the commentary in determining the meaning of the "actual knowledge" language in the COPPA Rule, that commentary reaffirms the Court's conclusion that the Complaint's allegations are insufficient.
Plaintiff argues that the actual knowledge standard set forth in the Statement is met here because the Complaint both "describe[s] direct communications to the [Ad Networks] from Tiny Lab itself about the Apps’ child-directed status," and because "responses to those communications show[ ] the [Ad Networks’] recognition that the Tiny Lab Apps were child-directed." Doc. 65 at 8. But the Complaint alleges no "direct communications" from Tiny Lab, the "child-directed content provider" here. Rather, the only "direct communications" alleged are between the Ad Networks’ own SDKs and servers. Thus, the first scenario envisioned by the Commission as meeting the actual knowledge standard is not adequately alleged here.
Similarly, there are no allegations in the Complaint that "a representative" of any of the Ad Networks recognized the child-directed nature of Tiny Lab's apps. Allegations that the Ad Networks’ servers sent targeted ads in response to their SDKs’ data signals, if proven, would establish no more than that their servers – as opposed to any of their representatives – recognized the data that they received. The Commission's use of the word "representative" suggests that, in order to meet the second factual scenario, Plaintiff must allege that a person who works for the Ad Networks recognized the child-directed nature of Tiny Lab's apps. Indeed, the commonly accepted legal definition of "representative" is "someone who stands for or acts on behalf of another." Black's Law Dictionary (11th ed. 2019) (emphasis added). That the Commission intended "representative" to mean a person is reflected in its response to a question from an ad network about application of the actual knowledge standard, which was included in an online publication of "Frequently Asked Questions" about COPPA. Specifically, the Commission stated:
Under the second scenario, whether a particular individual can obtain actual knowledge on behalf of your business depends on the facts. Prominently disclosing on your site or service methods by which individuals can contact your business with COPPA information – such as: 1) contact information for designated individuals, 2) a specific phone number, and/or 3) an online form or email address – will reduce the likelihood that you would be deemed to have gained actual knowledge through other employees.
Complying with COPPA: Frequently Asked Questions – A Guide for Business and Parents and Small Entity Compliance Guide (Mar. 20, 2015), FAQ D. 10, https://www.ftc.gov/tips-advice/business-center/guidance/complying-coppa-frequently-asked-questions. Accordingly, the second scenario envisioned by the Commission as meeting the actual knowledge standard is not adequately alleged here.
In the Statement, the Commission did not foreclose that "an accumulation of other facts would be sufficient to establish actual knowledge," and noted that "those facts would need to be analyzed carefully on a case-by-case basis." Id. In its above discussion, the Court undertook just such an analysis of the facts alleged in this case. And as explained above, based on this analysis, the Court has determined that the Complaint's allegations regarding communications between the Ad Network's SDKs and their servers neither state nor give rise to the reasonable inference that the Ad Networks had actual knowledge of the child-directed nature of Tiny Lab's apps.
Because the allegations regarding communications between the Ad Networks’ SDKs and their servers are the only allegations with which Plaintiff attempts to plead actual knowledge on the part of the SDK Defendants, the Complaint fails to state a COPPA violation as to the SDK Defendants. Plaintiff's COPPA claim, set forth in Count I of the Complaint, thus will be dismissed as to the SDK Defendants. As discussed in the next section, however, additional allegations in the Complaint relating solely to Google tell a different story and result in a different outcome on Google's motion to dismiss.
2. The Allegations in the Complaint Give Rise to the Reasonable Inference that Google Acquired Actual Knowledge of the Child-Directed Nature of Tiny Lab's Apps Via Its Review of Those Apps.
Google runs not only AdMob, its advertising network, but also Google Play, a "service" that allows a user to "browse, locate, view, stream, or download Content for [his or her] mobile, computer, tv, watch, or other supported device." Doc. 50-4. Google Play has a program called "Designed for Families," "which allows [app] developers to designate their apps and games as family-friendly." Doc. 67-2. Google markets AdMob for use in conjunction with apps that participate in the Designed for Families program. Doc. 50-6.
App "developers can opt [ ] their app or game [into the Designed for Families program] through the Google Play Developer Console." Doc. 67-2. Google represents that, once developers opt into the Designed for Families program, "[f]rom there, our [Google's] team will review the submission to verify that it meets the Designed for Families program requirements." Id. Those program requirements include that all participating apps "be relevant for children under the age of 13." Doc. 67-3. Google similarly represents that to participate in the Designed for Families program, there are "specific guidelines and policies" that the developers’ apps "need to meet, which are assessed in the app content review." Id.
The Complaint alleges that "the majority" of Tiny Lab's apps were submitted to and accepted by Google for its Designed for Families Program, where the apps were available for download. The Complaint describes Tiny Lab's apps as "fun, free, kid-focused games" with a "cartoonish design and subject matter," with "levels [ ] designed specifically for children." Doc. 1 ¶¶ 100, 30-31. The games are "for kids," will keep them "entertained for months," and "are expressly to be played by [ ] children." Id. For example, one of Tiny Lab's apps, called "Fun Kid Racing," gives players "an assortment of cartoonish cars" to race along to a "child-friendly soundtrack," and is designed for children aged 2 through 10, with "levels" and "controls" that "even a toddler" can use "without any problem." Id. ¶ 31. Thus, the subject matter, visual content, use of animated characters, and child-oriented activities (namely, racing cartoonish cars at levels designed for young children) – all relevant factors in considering whether an app is directed to children – demonstrate the child-directed nature of Tiny Lab's apps.
In the spring of 2018, security researchers at the University of California, Berkeley, notified Google that 84 Tiny Lab apps participating in the Designed for Families program were "potentially incorrectly listed as directed to ‘mixed audiences’ " rather than being listed, as they should have been, as "primarily directed to children." Id. ¶ 114. In response, Google conducted "a thorough investigation of each of the apps that [the researchers] highlighted in [their] research paper." Id. ¶ 118.
Putting it all together, these facts state that: Google reviews the content of apps submitted to its Designed for Families program with a particular eye toward whether the apps are relevant for children; Tiny Lab's apps, replete with characteristics revealing their child-directed content, were submitted to and accepted by Google into that program; and, after being contacted by concerned researchers, Google reviewed the content of Tiny Lab's apps with the specific goal of determining whether they were primarily directed to children. The reasonable inference to be drawn from these facts is that Google conducted not one but two reviews of the content of Tiny Lab's apps, during which Google gained (and gained again) a first-hand awareness or understanding of the child-directed nature of those apps. The Complaint thus plausibly claims that, first through its review process in connection with the submission of Tiny Lab's apps to its Designed for Families program and again through its investigation of those apps to determine whether they were primarily child-directed, Google obtained actual knowledge that Tiny Lab's apps are directed to children. Rather than addressing the reasonableness of the inferences to be drawn from the well-pled factual allegations in the Complaint, Google instead points to a provision in the COPPA Rule that states that "[a] website or online service that is directed to children ... but that does not target children as its primary audience" will "not be deemed directed to children if it (1) "does not collect personal information from any visitor prior to collecting age information"; and (2) "prevents the collection, use or disclosure of personal information from visitors who identify themselves as under age 13 without first complying with the notice and parental consent provisions" of the COPPA Rule." 16 C.F.R. § 312.2. In responding to a question from a child-directed app developer, the Commission explained that this "age-screen provision" allows an app developer "to employ an age screen in order to provide COPPA's protections to only those visitors who indicate they are under age 13" in "circumstances where the children are not the primary audience of [the app developer's] child-directed service." Complying with COPPA: Frequently Asked Questions – A Guide for Business and Parents and Small Entity Compliance Guide (Mar. 20, 2015), FAQ D. 4, https://www.ftc.gov/tips-advice/business-center/guidance/complying-coppa-frequently-asked-questions.
According to Google, under the age-screen provision, "the only possible basis for liability ... would be an allegation that Google had ‘actual knowledge’ that the Tiny Lab Apps were ‘primarily’ directed to children, rather than directed to a mixed audience of children, teen, and/or adults." Doc. 50 at 18. Specifically, Google's argument continues, "there is no allegation that Google collected or used information in violation of COPPA from apps that were declared by Tiny Lab to be primarily child-directed or that Google determined should be treated as primarily child-directed." Id.
The Court cannot agree with Google's reading of the age-screen provision and its effect on the instant inquiry. Nothing in the statute, the COPPA Rule, or the Commission's commentary suggests that this "age gate" provision alters the test plainly set forth in the COPPA Rule as to when an ad network such as Google will be deemed directed to children. Nor does this provision, or any other provision of the COPPA rule, impose liability on an ad network only where that ad network collected information in the face of a "declaration" by the app developer or a determination by the advertising network that the app was "primarily child-directed." Accordingly, Plaintiff's allegations regarding Google's actual knowledge that Tiny Lab's apps were directed to children are sufficient to survive the instant motion to dismiss without additional allegations addressing the distinction between apps "primarily directed to children" and those "directed to a mixed audience of children, teen, and/or adults," a distinction that is not relevant here.
Plaintiff thus has pled factual content that allows the Court to draw the reasonable inference that Google had actual knowledge that Tiny Lab's apps were child-directed. As a result, Plaintiff's COPPA claim as to Google will not be dismissed for failure to adequately allege actual knowledge.
B. The Operational Support Exception to COPPA's Consent Requirement
In their motion, the SDK Defendants make an additional argument as to why Plaintiff's COPPA claim fails. Having determined that the Complaint fails to adequately allege actual knowledge on the part of the SDK Defendants, the Court need not reach the SDK Defendants’ additional argument as to them. However, Google joined the SDK Defendants’ motion, and since the Court has determined that the Complaint adequately alleges actual knowledge on the part of Google, the Court will consider this additional argument as it relates to Google.
The argument is as follows. Neither an app developer nor an ad network needs to obtain parental consent if it "collects a persistent identifier and no other personal information and such identifier is used for the sole purpose of providing support for the internal operations of the Web site or online service." 16 C.F.R. § 312.5(c)(7). Such operational support includes, inter alia , activities necessary to "[s]erve contextual advertising." 16 C.F.R. § 312.2. According to the SDK Defendants, Plaintiff's allegations, if proven, would establish that the Ad Networks collected persistent identifiers only for purposes that fall into this "internal operations" exception, and thus they did not need to obtain parental consent. The SDK Defendants argue first that "the only ‘personal information’ Plaintiff plausibly alleges that the SDK Defendants collect are several types of persistent identifiers," and second that "Plaintiff does not allege any use of such personal information that is impermissible without parental consent." Doc. 47 at 13.
The Court is not persuaded. The Complaint consistently alleges that the Ad Networks, including Google/AdMob, collected personal information from each Tiny Lab app user for the purpose of "profiling" that user "and serving her age-based, behavioral advertising targeted to children." Doc. 1 ¶¶ 108; see also id. ¶¶ 43-46. Indeed, the Complaint specifically alleges that the Ad Networks "engage in targeted advertising (as opposed to contextual advertising, which is permitted under COPPA)." Id. ¶ 104. Moreover, the Complaint alleges that Google/AdMob not only collected persistent identifiers but also "can receive the GPS location of the child's device, with a street-level granular accuracy." Id. ¶ 71. These allegations are neither vague nor conclusory and, if proven, would establish that Google/AdMob collected personal information from Tiny Lab app users under circumstances that required parental consent. Accordingly, the operational use exception to the COPPA Rule provides no basis to dismiss Plaintiff's COPPA claim against Google.
C. Reliance on Tiny Lab's Representations
Google's final argument as to why Plaintiff's COPPA claim against it fails is that it relied on Tiny Lab's promises to ensure COPPA compliance. According to Google, "[i]n order to offer apps to users through Google Play, an app developer must agree to certain terms, including that their apps ‘will comply with all applicable laws.’ " Doc. 50 at 6. Further, "[i]n order to submit an app to the [Designed for Families] program, an app developer must, among other requirements, warrant that its app is ‘appropriate for children and compliant with COPPA and other relevant laws." Id. at 6. Google argues that, based on these requirements, it "was entitled, as a matter of law, to rely on Tiny Lab's contractual promises to obtain parental notice and consent when required by COPPA." Id. at 20.
Perhaps in tacit acknowledgement that there is no legal authority – in the statute, the COPPA Rule, the commentary, or anywhere else – for this proposition, Google supports its argument with the inapposite observation that "[n]othing in COPPA prohibits a third-party advertising service from contracting with an app developer to have the app developer fulfill any notice and consent obligations associated with the app." Id. That COPPA allows an advertising network to contract out to an app developer the task of providing the required notice and obtaining the required consent has no bearing on whether an advertising network will be absolved from COPPA liability in the event that the app developer fails to live up to its promises. Nor does the Commission's observation that the app developer is "in the best position to give notice and obtain consent from parents" lead to the conclusion that Google wishes the Court to draw, namely, that an advertising network can contract its way out of COPPA liability. Id. (quoting Federal Trade Commission, Children's Online Privacy Protection Rule, Final Rule Amendments and Statement of Basis and Purpose, 78 Fed. Reg. 3972, 3977 (Jan. 17, 2013) ). The Court declines to read into COPPA or the COPPA Rule an exception that would provide Google such absolution.
Google's final argument provides no basis to dismiss Plaintiff's COPPA claim against it. As none of the arguments in support of dismissing Plaintiff's COPPA claim against Google is availing, that claim, set forth in Count I of the Complaint, remains viable.
II. The State Law Claims Against the Ad Networks
Plaintiff's state law claims against the Ad Networks are premised on the same alleged conduct as that on which its COPPA claims are premised, namely, the collection of personal information from children using Tiny Lab's child-directed apps without the requisite parental consent. COPPA explicitly prohibits any "State or local government" from imposing "any liability for commercial activities or actions by operators," including ad networks, "in connection with an activity or action" covered by COPPA "that is inconsistent with the treatment of those activities or actions under this section." 15 U.S.C. § 6502(d). The SDK Defendants argue, and Google agrees, that Plaintiff's state law claims are preempted by this provision. Specifically, their argument goes, because the Ad Networks’ activities do not amount to a COPPA violation, allowing Plaintiff to pursue its state law claims against them for those same activities would amount to imposing liability inconsistent with their treatment under COPPA.
"The Supremacy Clause of the Constitution, art. VI, cl. 2, invalidates state laws that interfere with, or are contrary to laws of Congress, made in pursuance of the Constitution." United States v. City & Cty. of Denver , 100 F.3d 1509, 1512 (10th Cir. 1996) (citation omitted). Preemption "may be express or implied," and is "compelled whether Congress’ command is explicitly stated in the statute's language or implicitly contained in its structure and purpose." Fidelity Fed. Sav. & Loan Ass'n v. de la Cuesta , 458 U.S. 141, 152-53, 102 S.Ct. 3014, 73 L.Ed.2d 664 (1982). Federal law expressly preempts state law when "the language of the federal statute reveals an express congressional intent to do so." City & Cty. of Denver , 100 F.3d at 1512. Implicit preemption occurs "where the federal scheme of regulation is so pervasive that Congress must have intended to leave no room for the States to supplement it" ("field preemption") or "where it is impossible to comply with both the federal and state laws, or the state law stands as an obstacle to the accomplishment of Congress's objectives" ("conflict preemption"). Id.
The Court agrees that under the principle of express preemption, Plaintiff's state law claims are preempted as to the SDK Defendants by the plain language of COPPA. As discussed above, Plaintiff has not pled that the SDK Defendants had actual knowledge that they were collecting personal information from users of child-directed apps. It would be inconsistent with COPPA's imposition of an actual knowledge standard on ad networks to hold the SDK Defendants liable under state law for their collection of personal information from app users in the absence of allegations that the SDK Defendants actually knew that the users were using child-directed apps. In other words, because Plaintiff's COPPA claim fails as to the SDK Defendants for lack of actual knowledge, and because COPPA preempts state law that treats like conduct differently, Plaintiff's state law claims equally must fail for lack of actual knowledge. Indeed, even Plaintiff appears to concede that the issue of preemption turns on whether the Complaint alleges actual knowledge on the part of the Ad Networks. See Doc. 65 at 12. And because the Complaint does not adequately allege actual knowledge on the part of the SDK Defendants, Plaintiff's state law claims under the UPA and the common law tort of intrusion on seclusion, set forth in Counts II and III of the Complaint, respectively, thus will be dismissed as to the SDK Defendants.
As to Google, however, again the story is different. As discussed above, the Complaint allows for the reasonable inference that Google had actual knowledge that Google/Admob was collecting personal information from users of child-directed apps, and thus adequately alleges a COPPA claim. Accordingly, to allow Plaintiff's state law claims against Google to proceed would result in the imposition of liability only for conduct that violates COPPA, and thus would not run afoul of COPPA's express preemption provision. None of the Defendants suggest, and the Court does not find, that COPPA is "so pervasive that Congress must have intended to leave no room for the States to supplement it," resulting in field preemption. Further, it is possible "to comply with both" COPPA and the state laws at issue here, namely the UPA and the common law prohibiting intrusion on seclusion, and there is no indication that these state laws "stand[ ] as an obstacle to the accomplishment of Congress's objectives"; thus there is no conflict preemption. The Court thus will continue on to consider whether the Complaint adequately states a UPA and/or a common law claim of intrusion on seclusion as to Google/AdMob.
A. The Complaint Fails to Adequately Allege a UPA Claim as to Google/AdMob.
The UPA provides that "[u]nfair or deceptive trade practices and unconscionable trade practices in the conduct of any trade are unlawful." N.M. Stat. Ann. 57-12-3 (1978). The Complaint alleges that the Ad Networks (including Google/AdMob) violated the UPA by violating COPPA and by making "material misrepresentations and omissions" through "public-facing documents" related to their "privacy- and COPPA-violative conduct." Doc. 1 ¶¶ 218-227. The SDK Defendants (joined by Google) argue that this claim fails for a variety of reasons; the Court need address only one, as it finds dispositive the fact that none of the unfair, deceptive, or unconscionable practices alleged here were done "in connection with the sale, lease, rental, or loan of goods or services" as required by the UPA. See Doc. 47 at 17.
In order to state a claim under the UPA, a plaintiff must allege that the defendant knowingly made a false or misleading representation or unfairly took advantage of the lack of knowledge, ability, experience, or capacity of a person "in connection with the sale, lease, rental, or loan of any goods or services." N.M. Stat. Ann. § 57-12-2 (1978). It is undisputed that the Tiny Lab apps at issue here are free to download. See Doc. 65 at 15 n.16. Accordingly, none of the app users in whose interest the State brings this action purchased, leased, rented, or borrowed anything in connection with their use of Tiny Lab's apps.
"Since the UPA constitutes remedial legislation," courts are instructed to "interpret [its] provisions ... liberally to facilitate and accomplish its purposes and intent [to protect innocent customers]." State ex rel. King v. B&B Inv. Grp., Inc. , 329 P.3d 658, 675 (N.M. 2014). In accord with this precept, in Lohman v. Daimler-Chrysler Corp , where the plaintiff brought a UPA claim against a seatbelt manufacturer for its representations to a distributor that facilitated car sales to customers," the New Mexico Court of Appeals held that, notwithstanding the indirect relationship between the manufacturer and the consumers, the provisions of the UPA were "arguably[ ] broad enough to encompass misrepresentations which bear on downstream sales by and between third parties." 142 N.M. 437, 166 P.3d 1091, 1097 (N.M. Ct. App. 2007). Accordingly, the Court concluded, "both the plain language of the UPA and the underlying policies suggest that a commercial transaction between a claimant and a defendant need not be alleged in order to sustain a UPA claim." Id. at 1098.
After Lohman , however, the New Mexico Court of Appeals specifically held that the UPA's scope is not equally "so broad as to encompass claimants who did not actually purchase anything." Vigil v. Taintor , ––– P.3d ––––, –––– – ––––, 2019 WL 6768676, at *8-9 (N.M. Ct. App. Dec. 11, 2019). In Vigil , back in 2010, a corporation owned by the defendant began manufacturing and selling several products, including magnets, flasks, and cards, bearing the plaintiff's image with the caption, "I'm going to be the most popular girl in rehab!" Id. at ––––, 2019 WL 6768676 at *1. The defendant did not have the plaintiff's permission to use her image, and this went unnoticed by the plaintiff until 2013, when her daughter purchased a flask bearing the plaintiff's image and gave it to the plaintiff. Id. In 2014, the plaintiff brought suit against the defendant alleging, inter alia , a claim under the UPA based on the unauthorized use of her image. Id.
The district court found that the plaintiff did not have standing to bring her UPA claim, "as she did not purchase anything." Id. at ––––, 2019 WL 6768676 at *7. In affirming, the Court of Appeals rejected the plaintiff's reliance on Lohman because the defendants in the case before it were arguing that "Plaintiff must have purchased the flask from someone, an argument that Lohman did not address." Id. at ––––, 2019 WL 6768676 at *8. Ultimately, the Court found no basis in the UPA or in the case law interpreting the UPA to support the plaintiff's theory that "her claim – which [was] not connected to any goods or services she purchased – [fell] within the purview of the UPA." Id. at ––––, 2019 WL 6768676 at *9.
Just as in Vigil , there are no allegations here that any New Mexico users of Tiny Lab apps purchased anything. Accordingly, Plaintiff's UPA claim "is not connected to any goods or services" that anyone purchased. Id. Under Vigil , Plaintiff's UPA claims thus do not fall "within the purview of the UPA." Id.
In an attempt to avoid this conclusion, Plaintiff argues that the Tiny Lab apps are "grants of temporary use (here, categorized as licenses), and their use is expressly limited to customers, making clear that the download and use of Gaming Aps are transactions contemplated by the UPA." Doc. 65 at 15 n.16. In Nanodetex Corp. v. Sandia Corp. , No. 05-cv-1041, 2007 WL 4356154 (D.N.M. July 2007), another Court in this District considered and rejected an analogous argument. As part of the transaction at issue in Nanodetex , the defendant licensed to the plaintiff "the right to use technology," for which the plaintiff agreed "to pay an annual licensing fee." Id. at *4. The Court held that "[s]uch a license of technology is a different type of transaction than a sale, lease, rental or loan," and thus was "not the type of transaction to which the UPA applies." Id. at *3 (citing Grogan v. New Mexico Tax. & Rev. Dep't , 133 N.M. 354, 62 P.3d 1236, 1243 (N.M. Ct. App. 2002) (distinguishing between a license and a lease)). The Court concluded that "[t]he agreement, involving a license of technology rather than a sale or lease of technology, is simply not the type of transaction the New Mexico Legislature intended to cover when it enacted the UPA." Id. at *4 (citing Stevenson v. Louis Dreyfus Corp. , 112 N.M. 97, 811 P.2d 1308, 1311 (1991) (UPA mainly governs misleading trade identification, or false and deceptive advertising); Santa Fe Custom Shutters & Doors, Inc. v. Home Depot U.S.A., Inc. , 137 N.M. 524, 113 P.3d 347, 353 (N.M. Ct. App. 2005) (UPA's purpose is to serve as consumer protection legislation, and UPA therefore gives standing only to buyers of goods and services)).
Nanodetex is directly on point, and its reasoning is persuasive. Plaintiff characterizes the transaction at issue here as a "temporary grant of use," or a "license" to use certain technology, namely, the Tiny Lab apps offered for download on Google Play. Just as in Nanodetex , this "temporary grant of use" or "license" is "merely a promise" by Google and Tiny Labs "not to sue the [app users] for use of the [apps]." Id. Indeed, the transaction here is even less like a sale, lease, rental, or loan than was that in Nanodex , where the plaintiff had to pay an annual licensing fee; here, there are no costs involved, as the apps are downloadable for free. The Court thus concludes that the download and use of Tiny Lab's apps involves only a license of technology rather than a sale, lease, rental, or loan of technology, and thus is "not the type of transaction the New Mexico Legislature intended to cover when it enacted the UPA." Id. ; see also In re Facebook Privacy Litig. , 572 F. App'x 494 (9th Cir. 2014) (affirming dismissal of claims under California's Consumer Legal Remedies Act "because plaintiffs failed to allege that they obtained anything from Facebook ‘by purchase,’ or by a ‘consumer transaction’ ").
Accordingly, the Complaint fails to allege an essential element of an unfair, deceptive, or unconscionable trade practice, namely that such practice was undertaken in connection with the sale, lease, rental, or loan of any goods or services. For this reason, the Complaint fails to state a UPA claim against Google/AdMob. Plaintiff's UPA claim, set forth in Count II of the Complaint, thus will be dismissed as to Google/AdMob.
B. The Complaint Adequately Alleges a Common Law Claim of Intrusion on Seclusion as to Google/AdMob.
Intrusion on seclusion, one of the "four categories" of the tort of invasion of privacy recognized by New Mexico law, "involves an invasion of the plaintiff's ‘private’ space or solitude – eavesdropping on private conversations or peeping through the bedroom window, for example." Moore v. Sun Pub. Corp. , 118 N.M. 375, 881 P.2d 735, 743 (N.M. Ct. App. 1994). "Intrusion on seclusion appears to be based on the manner in which a defendant obtains information, and not what a defendant later does with the information, which is covered by the public-disclosure-of-private-facts branch." Alvarado v. KOB-TV, L.L.C. , 493 F.3d 1210, 1217 (10th Cir. 2007) (quoting Fernandez-Wells v. Beauvais , 127 N.M. 487, 983 P.2d 1006, 1010 (N.M. Ct. App. 1999) ). Because "New Mexico has not outlined the specific contours of this particular tort," the Court "follow[s] the lead of New Mexico courts defining privacy torts generally ... and thus look[s] for guidance to ... the Restatement (Second) of Torts." Id. In turn, the Restatement "suggest[s] that the tort of intrusion becomes actionable only when it is deemed ‘highly offensive to a reasonable person." Id. (quoting Restatement (Second) of Torts § 652B ).
The Complaint alleges that the Ad Networks (including Google/AdMob) committed the tort of intrusion on seclusion by "intentionally designing the ... embedded SDKs to surreptitiously obtain, improperly gain knowledge of, review, and/or retain New Mexico citizens’ activities." Doc. 1 ¶ 246. The SDK Defendants (joined by Google) argue that this claim fails for two reasons: first, Plaintiff lacks standing, and second, the Complaint fails as a matter of law to allege an intrusion that is highly offensive to a reasonable person. Doc. 47 at 19-25. The Court disagrees as to both arguments.
Defendants base their lack of standing argument on the inapposite point that a privacy claim "does not survive the death of the party whose privacy was invaded." Gruschus v. Curtis Pub. Co. , 342 F.2d 775, 776 (10th Cir. 1965). That "relatives of a decedent" do not generally have "a cause of action for invasion of privacy arising from disclosures about the decedent," Smith v. City of Artesia , 108 N.M. 339, 772 P.2d 373, 375 (N.M. Ct. App. 1989), has no bearing on the issue of whether the State, in its parens patriae capacity, has standing to bring the instant intrusion on seclusion claim.
Instead, the state has a "recognized" right to bring an action "as parens patriae to prevent or repair harm to its ‘quasi-sovereign’ interests." Satsky v. Paramount Comm'ns, Inc. , 7 F.3d 1464, 1469 (10th Cir. 1993) (citation omitted). Thus, "[w]here the health and comfort of the inhabitants of a State are threatened, the State is the proper party to represent and defend them." New Mexico v. General Elec. Co. , 335 F. Supp. 2d 1185, 1258 (D.N.M. 2004). This is particularly true where the inhabitants whose welfare is at stake are children. Oldfield v. Benavidez , 116 N.M. 785, 867 P.2d 1167, 1173 (1994) (citing Santosky v. Kramer , 455 U.S. 745, 766, 102 S.Ct. 1388, 71 L.Ed.2d 599 (1982) (state has parens patriae interest in the welfare of children)).
In the Complaint, Plaintiff alleges that the health and welfare of New Mexico children are negatively impacted by the Ad Networks’ collection of their personal information and subsequent monitoring, profiling, and tracking of them over time, across devices, and across the Internet. Doc. 1 ¶¶ 56, Indeed, Plaintiff alleges "widespread awareness that children" are vulnerable to advertising, that there is "increasing concern about children's mobile device usage" and its "negative consequences," and that government and academic sources demonstrate "society's deep revulsion" of the collection of personal information from app-users. Id. ¶¶ 141, 158, 180. Plaintiff thus adequately articulates a quasi-sovereign interest in the health and welfare of the children of New Mexico and, in turn, its right to bring an intrusion on seclusion claim in its parens patriae capacity against Google/AdMob.
Defendants assert that "[t]here is no precedent for a sovereign to pursue privacy torts under the parens patriae doctrine." This is not accurate. See State ex rel. Hatch v. Cross Country Bank, Inc. , 703 N.W.2d 562, 569-70 (Minn. Ct. App. 2005) (holding that state had standing to assert tort of intrusion on seclusion under parens patriae doctrine against bank that issued credit cards and company that collected payments on the cards; state was "pursuing its claim, not with the purpose of obtaining relief for particular victims, but to vindicate a "quasi-sovereign" interest: protecting the privacy of its citizens"). Nor does the authority cited by Defendants suggest that the State will not fully vindicate the rights of its citizens; to the contrary, that very authority explicitly states that "[t]here is a presumption that the state will adequately represent the position of its citizens." Alaska Sport Fishing Ass'n v. Exxon Corp. , 34 F.3d 769, 773 (9th Cir. 1994) ; United States v. Olin Corp. , 606 F. Supp. 1301, 1305 (N.D. Ala. 1985). In short, Defendants have provided no applicable or well-reasoned basis for the Court to find that Plaintiff lacks standing to bring its intrusion on seclusion claim.
Next, Defendants argue that the Complaint's allegations regarding the Ad Networks’ collection of persistent identifiers, which they describe as "anonymized device-based information that is not linked to any person's identity," fail as a matter of law to meet "the high standard for offensiveness." Doc. 47 at 21. Plaintiff disagrees, asserts that it has extensively alleged the Ad Networks’ "egregious violations of longstanding social norms through the use of mobile technology," and argues that whether those violations are highly offensive is a question better left for a jury than decided on a motion to dismiss. Doc. 65 at 18-21.
New Mexico courts have not had occasion to consider whether the circumstances under which the Ad Networks are alleged to have intruded on app users’ seclusion would be deemed highly offensive to a reasonable person. Courts in other jurisdictions, however, have considered whether allegations of electronic information collection are sufficient to state an intrusion on seclusion claim, to differing results. Compare, e.g., Manigault-Johnson v. Google, LLC , No. 18-cv-1032, 2019 WL 3006646 (D.S.C. Mar. 31, 2019) (finding allegations analogous to those here insufficient to allege offensiveness element of intrusion on seclusion claim), Yunker v. Pandora Media , 11-cv-3113, 2013 WL 1282980 (N.D. Cal. Mar. 26, 2013) (finding allegations that Pandora obtained plaintiff's personally identifiable information and provided that information to advertising libraries for marketing purposes insufficient "to allege that Pandora's conduct constitutes an egregious breach of social norms"), and In re iPhone App. Litig. , 844 F. Supp. 2d 1040 (N.D. Cal. 2012) (holding that information allegedly disclosed to third parties, including unique device identifier number, personal data, and geolocation information from plaintiff's iDevices, did not "constitute an egregious breach of social norms"), with McDonald v. Kiloo ApS , 385 F. Supp. 3d 1022 (N.D. Cal. 2019) (finding allegations virtually identical to those here adequate to allege offensiveness element of intrusion on seclusion claim), Opperman v. Path , 87 F. Supp. 3d 1018 (N.D. Cal. 2014) (in declining to conclude as a matter of law that defendants’ copying of plaintiffs’ address books was not highly offensive, noting that "while the court recognizes that attitudes toward privacy are evolving in the age of the Internet, smartphones, and social networks, the Court does not believe that the surreptitious theft of personal contact information ... has come to be qualified as ‘routine commercial behavior’ "), and In re: Vizio, Inc., Consumer Privacy Litig. , 238 F. Supp. 3d 1204 (C.D. Cal. 2017) (finding that plaintiffs plausibly alleged that defendant's collection of plaintiffs’ video viewing history "amount[ed] to a highly offensive intrusion"). Mindful both that neither line of cases is controlling and that this Court's task is to "attempt to predict what the [New Mexico's] highest court would do," Wade v. EMCASCO Ins. Co., 483 F.3d 657, 665–66 (10th Cir. 2007), the Court concludes that allowing Plaintiff's intrusion on seclusion claim to proceed as to Google/AdMob is the appropriate course.
The Court finds the decision in McDonald to be particularly instructive. In that case, plaintiffs brought several related actions alleging, inter alia , intrusion on seclusion under California law against advertising networks based on actions identical to those allegedly taken by the Ad Networks here. 385 F. Supp. 3d at 1027-28. The Court found that the plaintiffs "adequately alleged an intrusion upon seclusion claim and the offensiveness element in particular," which, as is true in this case, was "the only element of the intrusion claim that defendants squarely challenge[d]." Id. at 1034. Just as does Plaintiff here, the McDonald plaintiffs "state[d] in detail what data was secretly collected, how the collection was done, and how the harvested data was used," in addition to specifically alleging "why these intrusions would have been highly offensive to the reasonable person on the basis of multiple sources, including reports, studies, surveys, case law and secondary legal materials." Id. at 1035. Noting observations by the California Supreme Court "about the context-specific nature of the privacy inquiry, and that social norms on privacy are not static," the Court stated:
Current privacy expectations are developing, to say the least, with respect to a key issue raised in these cases – whether the data subject owns and controls his or her personal information, and whether a commercial entity that secretly harvests it commits a highly offensive or egregious act. The Court cannot say that the answers are so patently obvious that plaintiffs’ allegations are implausible or inadequate as a matter of law.
Id.
In reaching its decision, the Court found unavailing two cases cited by the defendants therein, which Defendants herein similarly cite in support of their argument for dismissal, and which are unavailing here for the reasons set forth in McDonald . First, the Court considered Folgelstrom v. Lamps Plus, Inc. , 195 Cal. App. 4th 986, 125 Cal.Rptr.3d 260 (2011), in which the California Court of Appeals affirmed the dismissal of a constitutional privacy claim because "the supposed invasion of privacy essentially consisted of Lamps Plus obtaining plaintiff's address without his knowledge or permission, and using it to mail him coupons and other advertisements." 385 F. Supp. 3d at 1036. The Folgelstrom court found that "[t]his conduct is not an egregious breach of social norms, but routine commercial behavior," and similarly affirmed the dismissal of the intrusion tort claim because "the conduct of which [plaintiff] complains does not meet the standard of ‘highly offensive.’ " 195 Cal. App. 4th at 992-93, 125 Cal.Rptr.3d 260.
The McDonald Court found that "the same [did] not hold" in the case before it, where, as does Plaintiff here, plaintiffs "alleged that defendants harvested much more information about users than just their mailing address." 385 F. Supp. 3d at 1035. In contrast to merely sending coupons and other advertisements as the defendants allegedly did in Folgelstrom , the McDonald plaintiffs alleged, as does Plaintiff here, that:
[the] defendants surreptitiously gathered user-specific information; they continue to gather information and track individual users in real time; they share (and buy and sell) this information with other third-party companies; and all of this results in the minor users being shown targeted advertisements and in the users continuing to be traced after being shown the advertisements to see if they take actions in response to the ads.
Id.
Next, the Court considered In re Nickelodeon Consumer Privacy Litig. , in which the Third Circuit affirmed the dismissal of Google because "courts have long understood that tracking cookies can serve legitimate commercial purposes." 827 F.3d 262, 294 (3d Cir. 2016). The McDonald Court found that, accepting this principle as true for argument's sake, "it does not necessarily fit the scope of the behavioral tracking that the mobile applications here are alleged to have practiced." 385 F. Supp. 3d at 1036. The Court continued: "The persistent identifiers and other data harvested to track users on [cell phones and mobile devices] involve collection practices that exceed those of the cookies in Nickelodeon , and without a ‘long’ understanding suggesting that that is okay to do." Id.
Finally, the Court in McDonald noted that, just as do Defendants here, the defendants therein sought "to downplay plaintiffs’ complaints as alleging only the ‘collection of anonymous digital user data’ and as lacking non-conclusory allegations of subsequent misuse." Id. The Court rejected these contentions, explaining that defendants did not fairly characterize the plaintiffs’ "detailed and lengthy complaints." Id.
This Court agrees that "each case must be taken on its facts on the question of offensiveness," and that this is not a case where the alleged facts, if proven, would show "an insubstantial impact on privacy interests." Id. As did the plaintiffs in McDonald , Plaintiff's allegations "more than adequately allege that the collected data was used to serve plaintiffs with targeted advertising while using the apps," and this is "enough to let the [Complaint] go forward." Id. Plaintiff thus is "entitled to the development of an adequate factual record to more properly test [its] claim[ ]." Id. at 1036. Accordingly, Plaintiff's intrusion on seclusion claim, set forth in Count IV of the Complaint, remains viable as to Google/AdMob.
III. State Law Claim Against Google/Google Play
In addition to its claims against the Ad Networks, Plaintiff asserts a separate, additional UPA claim against Google, in connection with its operation of Google Play. Specifically, the Complaint alleges that, by representing that Tiny Lab's apps were compliant with its Designed for Families program and "suitable and safe for children," Google engaged in unfair, deceptive, and unconscionable trade practices that "may have, tend[ed] to, or actually have deceived or misled New Mexico consumers" and that took "advantage of the lack of knowledge, ability, experience, or capacity of New Mexico consumers" to their detriment. Doc. 1 ¶¶ 232, 234, 236.
In order to state a claim under the UPA, a plaintiff must allege that (1) the defendant made some kind of "representation" that "was false or misleading"; (2) the representation "was knowingly made in connection with the sale ... of goods or services in the regular course of the defendant's business"; and (3) "the representation was of the type that may, tends to, or does deceive or mislead any person." Vigil , ––– P.3d at ––––, 2019 WL 6768676, at * 8. Google argues that Plaintiff's UPA claim against it fails for several reasons; the reason that carries the day is that the Complaint fails to allege any representation regarding Tiny Lab apps made by Google "in connection with" its provision of a platform for New Mexico consumers (or any other consumers) to download those apps, and thus necessarily was not "of the type that may, tends to, or does deceive or mislead" any New Mexico consumer; accordingly, the Complaint fails to adequately allege either the second or the third element of a UPA claim.
The Complaint does not identify any representations made by Google to anyone with regard to Tiny Lab's apps. Nor does it identify any representations made to consumers who use Google Play to download apps. Rather, Plaintiff cites to a myriad of statements made by Google to app developers in connection with marketing its Designed for Families program to those developers and advising them of the requirements for inclusion therein – none of which represent the COPPA-complaint or child suitable nature of any apps available for download on Google Play. See, e.g. , Doc. 1 ¶ 199 (explaining that being included in the family section of the Google Play Store "expands the visibility of your family content on Google Play, helping parents easily find your family-friendly apps and games throughout the store"); Id. ¶ 121 (explaining that "Google Play offers a rich platform for developers to showcase trusted, high-quality and age appropriate content for the whole family," and instructing app developers "before submitting an app to the Designed for Families program," to "ensure your app is appropriate for children and compliant with COPPA and other relevant laws"); Id. ¶ 200 n.150 (explaining that "[o]nly apps and games that are part of the Designed for Families program will show up in searches initiated from the Family section in Apps Home."); Id. ¶ 201 (requiring app developers to confirm that, "[i]f your Designed for Families app displays ads, you comply with applicable legal obligations relating to advertising to children").
These statements, which were not made to consumers of Google Play and did not mention Tiny Lab apps, fail to support Plaintiff's claim that Google marketed Tiny Lab apps to consumers of Google Play as compliant with its Designed for Families program or "suitable and safe for children." In fact, rather than vouch for the content of Tiny Lab's or any other apps available for download on Google Play, Google's representations to consumers expressly disavow its responsibility for the content of those apps. See, e.g. , Doc. 50-4 ("Google is not responsible for and does not endorse any Content made available through Google Play that originates from a source other than Google."); Doc. 50-5 ("Our Services display some content that is not Google's. This content is the sole responsibility of the entity that makes it available.... "[P]lease don't assume that we [review content]."); Id. ("We don't make any commitments about the content within the services, the specific functions of the services, or their reliability, availability, or ability to meet your needs. We provide the services ‘as is.’ ").
The Court thus agrees with Google that there is "no plausible allegation that Google knowingly misrepresented to consumers that the Tiny Lab Apps were COPPA-compliant." Doc. 50 at 24. In the absence of allegations regarding representations made to consumers of Google Play, let alone representations to those consumers regarding Tiny Lab's apps, the Complaint fails to adequately allege a UPA claim against Google. Count III of the Complaint thus must be dismissed.
IV. Amendment of the Complaint
Plaintiff asks the Court to grant leave to amend its Complaint to the extent that any of its claims are dismissed. "While Rule 15 provides that leave to amend a complaint shall be freely given when justice so requires, a district court may refuse to allow amendment if it would be futile." Full Life Hospice, LLC v. Sebelius , 709 F.3d 1012, 1018 (10th Cir. 2013). "A proposed amendment is futile if the complaint, as amended, would be subject to dismissal." Id.
Here, the Court is dismissing Plaintiff's COPPA and state law claims against the SDK Defendants, in addition to Plaintiff's UPA claims against Google/AdMob and Google, not because Plaintiff merely recited the elements of those claims or set forth conclusory statements that, if amended, might be fleshed out so as to provide factual support for Plaintiff's otherwise viable claims. Rather, those claims are being dismissed because the well-pleaded facts, as a matter of law, do not allege a plausible claim for relief. Accordingly, those claims, even if amended, would not survive a Rule 12(b)(6) motion to dismiss. Because amendment thus would be futile, the Court will not grant Plaintiff leave to amend.
CONCLUSION
Plaintiff's COPPA claim against the SDK Defendants is subject to dismissal because Plaintiff fails to adequately allege that the SDK Defendants had actual knowledge that Tiny Lab's apps were child-directed. Because Plaintiff's COPPA claim against the SDK Defendants fails, Plaintiff's state law claims against the SDK Defendants are preempted. Plaintiff's COPPA claim against Google remains viable because Plaintiff adequately alleges that Google had actual knowledge that Tiny Lab's apps were child-directed. Plaintiff's UPA claims as to Google/AdMob and Google as the operator of Google Play both fail to allege essential elements of a UPA claim and thus are subject to dismissal. Plaintiff has adequately alleged an intrusion on seclusion claim as to Google/AdMob and that claim thus remains viable.
IT IS THEREFORE ORDERED that the SDK Defendants’ Motion to Dismiss the Complaint for Failure to State a Claim [Doc. 47] is GRANTED in its entirety, as follows: Plaintiff's claims against the SDK Defendants, which are set forth in Counts I, II, and IV of the Complaint, are dismissed with prejudice as to the SDK Defendants.
IT IS FURTHER ORDERED that Defendant Google's Motion to Dismiss [Doc. 50] is GRANTED IN PART AND DENIED IN PART , as follows: Plaintiff's COPPA claim and intrusion on seclusion claims, set forth in Counts I and IV of the Complaint, respectively, remain viable as to Google/AdMob; Plaintiff's UPA claim against Google Ad/Mob, set forth in Count II of the Complaint, and Plaintiff's UPA claim against Google, set forth in Count III of the Complaint, are dismissed with prejudice.