Opinion
3:23-cv-02258-RBM-MSB
08-19-2024
ORDER GRANTING DEFENDANT'S MOTION TO DISMISS [DOC. 6]
HON. RUTH BERMUDEZ MONTENEGRO UNITED STATES DISTRICT JUDGE
Pending before the Court is Defendant SelectQuote Insurance Services' (“Defendant”) Motion to Dismiss Plaintiffs A.S., D.G., M.F., and T.M.'s (“Plaintiffs”) Class Action Complaint (“Motion”), which was filed on February 12, 2024. (Doc. 6.) On March 25, 2024, Plaintiffs filed an Opposition to Defendant's Motion (“Opposition”). (Doc. 7.) On April 1, 2024, Defendant filed a Reply Brief in Support of Defendant's Motion (“Reply”). (Doc. 8.)
The Court finds this matter suitable for determination without oral argument pursuant to Civil Local Rule 7.1(d)(1). For the reasons set forth below, Defendant's Motion is GRANTED .
I. BACKGROUND
A. Plaintiffs' Complaint
On December 11, 2023, Plaintiffs filed a Class Action Complaint (“Complaint”) against Defendant, alleging causes of action for (1) violations of the California Invasion of Privacy Act (“CIPA”), California Penal Code § 631 (Count I); (2) violations of the CIPA, California Penal Code § 632 (Count II); (3) violations of the Maryland Wiretapping and Electronic Surveillance Act, Maryland Code, Courts and Judicial Proceedings § 10-401, et seq. (Count III); (4) violations of the Massachusetts Wiretapping Statute, Massachusetts General Laws chapter 272 § 99 (Count IV); (5) violations of the Massachusetts Unfair and Deceptive Business Practices Act, Massachusetts General Laws chapter 93A, et seq. (Count V); and (6) violations of the Florida Security of Communications Act, Florida Statute § 934.01, et seq. (Count VI). (Doc. 1 (“Compl.”) ¶¶ 46-110.)
In their Opposition, Plaintiffs withdraw their claim for violations of the Massachusetts Unfair and Deceptive Business Practices Act (Count V). (Doc. 7 at 9 n.2.) Therefore, the Court DISMISSES this claim WITHOUT LEAVE TO AMEND.
B. General Allegations
In their Complaint, Plaintiffs allege that “[t]his is a class action suit brought on behalf of all persons who [visited Defendant's website] and received a quote for a life insurance policy.” (Compl. ¶ 1.) Plaintiffs allege that Defendant lets prospective customers receive a life insurance quote by completing a questionnaire that asks for sensitive information, including personal identifying information (e.g., name, email, mailing address, zip code, and phone number), demographic information (e.g., date of birth, gender, state of residency), medical diagnoses and conditions (e.g., cancer, high blood pressure, and diabetes), social habits (e.g., smoking), height, weight, family health history, and financial information (e.g., annual individual income). (Id. ¶¶ 3, 5, 16, 18, 20-24.) Prospective customers communicate their answer by inputting the information and then pressing “next.” (Id. ¶ 26.) Plaintiffs allege that Defendant's website promises that its site and these entries are “100% secure” and that it will “never sell your information.” (Id. ¶¶ 3, 26.)
Plaintiffs then allege that Defendant has “built its website to allow third parties to surreptitiously intercept the information they input.” (Id. ¶ 16.) Plaintiffs also allege that “[Defendant] assists third parties with intercepting every[ ]one of those communications” (id. ¶ 27); that “Defendant shares highly sensitive information with several third parties” (id. ¶ 4); that Defendant “commoditizes and trades” Plaintiffs' health information (id. ¶ 6); and that “[Defendant] aided, agreed with, and conspired with third parties to track and intercept Plaintiffs' and Class member's internet communications while receiving a quote through [Defendant] website” (id. ¶ 51). Plaintiffs appear to allege that the third parties, including LeadID and Facebook, use computer codes, programs, web, ad-servers, and/or tracking technology to intercept Plaintiffs' communications. (Id. ¶¶ 53, 85, 110.) In support of these allegations, Plaintiffs purport to attached figures showing “network traffic to Facebook and LeadID when a user clicks the button on Defendant's website indicating that they have issues with alcohol or substance abuse[.]” (Id. ¶ 28.) Plaintiffs then allege that “Facebook and LeadID then leverage this information to target advertisements.” (Id. ¶ 29.)
Plaintiffs allege that Facebook allows companies like Defendant to integrate software into their websites that track user activity, like the buttons they click or the forms they complete. (Id. ¶ 30.) The software then relays the information to Facebook, who “assimilates it into existing datasets that Defendant can then use to target advertisements.” (Id.) Likewise, Plaintiffs allege that LeadID is an “interactive direct marketing company,” touting its ability to “target audience[s] effectively.” (Id. ¶ 31 (citations omitted.) “Once LeadID intercepts Plaintiffs' communications, the company assimilates that information into audiences that Defendant then uses to run advertisements.” (Id.)
Plaintiffs allege that they have suffered broken promises, intrusions into their privacy, violations of their rights of privacy, and the loss of value in their personally identifiable information. (Id. ¶¶ 7, 54, 72.) Plaintiffs seek an injunction preventing Defendant from perpetrating these abuses on future unsuspecting consumers. (Id. ¶ 7.)
Although Plaintiffs suggest that they are requesting a preliminary injunction in the introduction of their Complaint, they do not include any cause of action for preliminary injunction and do not allege any facts in support of such a request. Plaintiffs also have not filed a motion for preliminary injunction. Therefore, the Court will not address Plaintiffs' request for an injunction below.
C. Subclass-Specific Allegations
1. Plaintiff A.S. and the California Subclass (Counts I and II)
“Plaintiff A.S. seeks to represent a subclass of all Class members in California who accessed [Defendant's website] and received a quote for life insurance (the ‘California Subclass').” (Id. ¶ 36.) “Plaintiff A.S. is domiciled in Sylmar, California. While in California, in November 2022, Plaintiff applied for life insurance through [Defendant's] website. While applying for life insurance, Plaintiff provided [Defendant] with his name, date of birth, gender, and email address. Plaintiff also provided [Defendant] with health information, including that he was diagnosed with depression and anxiety. Unbeknownst to Plaintiff, [Defendant] assisted third parties with intercepting this sensitive information.” (Id. ¶ 10.)
2. Plaintiff D.G. and the Maryland Subclass
“Plaintiff D.G. seeks to represent a subclass of all Class members in Maryland who accessed [Defendant's website] and received a quote for life insurance (the ‘Maryland Subclass').” (Id. ¶ 33.) “Plaintiff D.G. is domiciled in Elkridge, Maryland. While in Maryland, in August 2023, Plaintiff applied for life insurance through [Defendant's] website. While applying for life insurance, Plaintiff provided [Defendant] with his name, date of birth, gender, and email address. Plaintiff also provided [Defendant] with health information, including that he has been diagnosed with cancer, diabetes, and high blood pressure. Unbeknownst to Plaintiff, [Defendant] assisted third parties with intercepting this sensitive information.” (Id. ¶ 8.)
3. Plaintiff M.F. and the Massachusetts Subclass
“Plaintiff M.F. seeks to represent a subclass of all Class members in Massachusetts who accessed [Defendant's website] and received a quote for life insurance (the ‘Massachusetts Subclass').” (Id. ¶ 34.) “Plaintiff M.F. is domiciled in Winthrop, Massachusetts. While in Massachusetts, in or around February 2023, Plaintiff accessed [Defendant's] website to complete an application for life insurance. While applying for life insurance, Plaintiff provided [Defendant] with her name, date of birth, gender, and email address. Plaintiff also provided [Defendant] with health information, including that she has been diagnosed with diabetes. Unbeknownst to Plaintiff, [Defendant] assisted third parties with intercepting this sensitive information.” (Id. ¶ 9.)
4. Plaintiff T.M. and the Florida Subclass
“Plaintiff T.M. seeks to represent a subclass of all Class members in Florida who accessed [Defendant's website] and received a quote for life insurance (the ‘Florida Subclass').” (Id. ¶ 35.) “Plaintiff T.M. is domiciled in Orlando, Florida. While in Florida, in or around April 2023, Plaintiff applied for life insurance through [Defendant's] website. While applying for life insurance, Plaintiff provided [Defendant] with his name, date of birth, gender, and email address. Plaintiff also provided [Defendant] with health information, including that he has high blood pressure. Unbeknownst to Plaintiff, [Defendant] assisted third parties with intercepting this sensitive information.” (Id. ¶ 11.)
II. DISCUSSION
A. Defendant's Privacy Policy
In its Motion, Defendant explains that “[i]ncluded on each page of the [Defendant's website] is a hyperlink to [Defendant's] Privacy Policy to inform visitors that: (1) by using the Site and submitting information to obtain a life insurance policy quote, the user thus ‘explicitly agree[s] to the terms and conditions of the Privacy Policy;' (2) information users provide to the Site is voluntary and is only collected if a user agrees to voluntarily provide it, such as through the ‘Get Your Free Quote' or similar pages; and (3) information collected includes personal information.” (Doc. 6-1 at 9-10.) Defendant contends that “[t]he Privacy Policy clearly informs visitors that [Defendant] uses analytics technologies to collect users' information ... [and] ... further informs customers that their information may be shared with third parties for various purposes, including marketing services.” (Id. at 10.) Defendant then argues that “[g]iven the Complaint repeatedly references and relies on [Defendant's] website as the basis for the claims, going so far as to include purported screen shots from the website, it is entirely appropriate that the Court consider the website as a whole, including [Defendant's] Privacy Policy.” (Id. (citing Copeland v. Techtronics Indus. Co., Ltd., 95 F.Supp.3d 1230, 1236-37 (S.D. Cal. 2015)).)
In their Opposition, Plaintiffs respond that Defendant's Privacy Policy is not properly before the Court. (Doc. 7 at 8 (citing Copeland, 95 F.Supp.3d at 1236-37).) Plaintiffs contend that they “are aware of several changes made to [Defendant's] [w]ebsite since the filing of this lawsuit” and that they “cannot be sure that changes were not also made to Defendant's [P]rivacy [P]olicy.” (Id.) Plaintiffs also assert that the Court cannot assume the facts contained in the Privacy Policy are true. (Id. at 8-9 (citing Watkins v. MGA Ent., Inc., 550 F.Supp.3d 815, 829 (N.D. Cal. 2021)).)
Defendant replies that case law “amply supports” the consideration of Defendant's privacy policy. (Doc. 8 at 3.)
The Court construes Defendant's arguments regarding its privacy policy as a request for incorporation by reference or, alternatively, a request for judicial notice. (See Doc. 61 at 10 n.2.)
Defendant then argues that “[c]onsent is a complete defense to Plaintiffs' Wiretapping Acts claims” and that “[a] reasonable website user would have been aware of the [webs]ite's Privacy Policy[] and understood that by entering information on the [webs]ite, . such information may be shared with third parties.” (Id. at 27.) Plaintiffs respond that Defendant's privacy policy was not “sufficient to put consumers on notice of the disclosures at issue.” (Doc. 7 at 14-15 (citing Nguyen v. Barnes & Noble Inc., 763 F.3d 1171, 1179 (9th Cir. 2014).)
The Court addresses each issue in turn.
1. Incorporation by Reference
“Generally, courts may not consider material outside the complaint when ruling on a motion to dismiss” unless the material is incorporated into the complaint by reference or is subject to judicial notice under Federal Rule of Evidence 201. Copelan v. Techtronics Indus. Co., 95 F.Supp.3d 1230, 1236 (S.D. Cal. 2015) (citing Hal Roach Studios, Inc. v. Richard Feiner & Co., Inc., 896 F.2d 1542, 1555 n.19 (9th Cir. 1990) and Branch v. Tunnell, 14 F.3d 449, 453 (9th Cir. 1994)); see also D'Angelo v. FCA US, LLC, Case No. 3:23-cv-00982-WQH-MMP, 2024 WL 1625771, at *4 (S.D. Cal. Mar. 28, 2024) (“Generally, district courts may not consider material outside the pleadings when assessing the sufficiency of a complaint under Rule 12(b)(6) of the Federal Rules of Civil Procedure. ... [T]here are two exceptions to this rule: the incorporation-by-reference doctrine, and judicial notice under Federal Rule of Evidence 201.”) (internal quotation marks and citations omitted). Under the incorporation-by-reference doctrine, “‘material which is properly submitted as part of the complaint may be considered.'” Copelan, 95 F.Supp.3d at 1236 (quoting Hal Roach Studios, Inc., 896 F.2d at 1555, n.19). “Documents specifically identified in the complaint whose authenticity is not questioned by the parties may also be considered.” Id. at 1236-37 (citing Fecht v. Price Co., 70 F.3d 1078, 1080 n.1 (9th Cir. 1995)). “Such documents may be considered, so long as they are referenced in the complaint, even if they are not physically attached to the pleading.” Id. (citations omitted). “Moreover, the court may consider the full text of those documents even when the complaint quotes only selected portions.” Id. (citation omitted). In other words, “‘[t]he [incorporation-by-reference] doctrine prevents plaintiffs from selecting only portions of documents that support their claims, while omitting portions of those very documents that weaken-or doom-their claims.'” Stark v. Patreon, Inc., 635 F.Supp.3d 841, 850 (N.D. Cal. 2022) (quoting Khoja v. Orexigen Therapeutics, Inc., 899 F.3d 988, 1002 (9th Cir. 2018)).
Here, Plaintiffs reference Defendant's website throughout their Complaint. (See e.g., Compl. ¶¶ 3, 8-12, 16.) In fact, Plaintiffs incorporate numerous screen shots from Defendant's website into their Complaint. (See id. ¶¶ 17-26.) As stated above, the Court is permitted to consider “[d]ocuments specifically identified in the complaint whose authenticity is not questioned by the parties[,]” including a website's privacy policy when the website is referenced in the complaint. Copelan, 95 F.Supp.3d at 1236-37; see also Stark v. Patreon, Inc., 656 F.Supp.3d 1018, 1023 (N.D. Cal. 2023) (incorporating privacy policy by reference for the purpose of showing what the defendant's website disclosed to its users); Yoon v. Lululemon USA, Inc., 549 F.Supp.3d 1073, 1079 (C.D. Cal. 2021) (taking judicial notice of privacy policy in privacy case because the amended complaint discussed it extensively); In re Adobe Sys., Inc. Priv. Litig., 66 F.Supp.3d 1197, 1207 (N.D. Cal. 2014) (incorporating privacy policy referenced in the plaintiffs' complaint). Therefore, the Court will incorporate Defendant's privacy policy by reference.
Plaintiffs attempt to dispute the authenticity of the privacy policy by claiming that Defendant has made several changes to its website since the filing of this lawsuit and that “Plaintiffs cannot be sure that changes were not also made to Defendant's privacy policy.” (Doc. 7 at 8.) However, Plaintiffs do not submit any evidence supporting this theory, and the privacy policy itself states that its effective date is May 26, 2020, years before the filing of this action. (See Doc. 6-1 at 10 n.2.)
2. Judicial Notice
Courts are also permitted to take judicial notice of privacy policies that appear on publicly available websites because their authenticity cannot reasonably be questioned. See e.g., D'Angelo v. FCA US, LLC, 2024 WL 1625771, at *4 (taking judicial notice of privacy policy); Brown v. Google, LLC, 525 F.Supp.3d 1049, 1061 (N.D. Cal. 2021) (taking judicial notice of a Google's privacy policies because they are publicly available on websites); Calhoun v. Google LLC, 526 F.Supp.3d 605, 617 (N.D. Cal. 2021) (finding that privacy policies that appear on publicly available websites and are proper subjects for judicial notice); Javier v. Assurance IQ, LLC, Case No. 4:20-cv-02860-JSW, 2021 WL 940319, at *2 (N.D. Cal. Mar. 9, 2021) (taking judicial notice of privacy policy publicly disclosed on defendant's website); Opperman v. Path, Inc., 205 F.Supp.3d 1064, 1068 n.3 (N.D. Cal. 2016) (taking judicial notice of Yelp's privacy policy publicly disclosed on their website); In re Toll Roads Litig., Case No. SACV 16-00262 AG (JCGx), 2018 WL 6131178, at *2 (C.D. Cal. Jan. 12, 2018) (taking judicial notice of privacy policy publicly available on website). Here, Defendant's privacy policy is publicly available on its website. (See Doc. 6-1 at 10 n.2.) Thus, even if the Court could not incorporate the privacy policy by reference, the Court could still take judicial notice of Defendant's privacy policy.
3. Consent
As stated above, Defendant contends that “[i]ncluded on each page of the [Defendant's website] is a hyperlink to [Defendant's] Privacy Policy” and “[t]he Privacy Policy clearly informs visitors that [Defendant] uses analytics technologies to collect users' information ... [and] ... further informs customers that their information may be shared with third parties for various purposes, including marketing services.” (Doc. 6-1 at 9-10.) However, “[t]he Ninth Circuit has held ... that such privacy policies do not bind users: ‘where a website makes its terms of use available via a conspicuous hyperlink on every page of the website but otherwise provides no notice to users nor prompts them to take any affirmative action to demonstrate assent, even close proximity of the hyperlink to relevant buttons users must click on-without more-is insufficient to give rise to constructive notice.'” Yoon, 549 F.Supp.3d at 1081 (quoting Nguyen, 763 F.3d at 1178-79); see also James v. Allstate Ins. Co., Case No. 3:23-cv-01931-JSC, 2023 WL 8879246, at *5-6 (N.D. Cal. Dec. 22, 2023) (“[E]ven if the Court were to consider the Privacy Policy under the incorporation by reference doctrine, drawing all inferences in Plaintiff's favor, the website hyperlink failed to disclose a third party's capture of the Personally Identifiable Information and Personal Health Information. To conclude otherwise would improperly draw inferences in Defendants' favor.”) (citations omitted); Valenzuela v. Keurig Green Mountain, Inc., 674 F.Supp.3d 751, 757 (N.D. Cal. 2023) (“Defendant cites no case in which merely hyperlinking to a privacy policy at the bottom of a webpage is sufficient to establish consent under CIPA.”). Additionally, Plaintiffs have alleged Defendant's website also promises that its site and these entries are “100% secure” and that it will “never sell your information.” (Compl. ¶¶ 3, 26.) Therefore, the Court finds that there is conflicting evidence establishing a question of fact that cannot be resolved at this stage.
B. Standing
1. Parties' Arguments
Defendant argues that Plaintiffs cannot establish standing. (Doc. 6-1 at 17-18.) Specifically, Defendant argues that “Plaintiffs' FSCA, MACPA, MAWS, and CIPA ... claims do not hint at injury beyond a mere statutory violation,” which is insufficient to establish injury-in-fact. (Id. at 13-14 (citing TransUnion LLC v. Ramirez, 594 U.S. 413, 427 (2021)).) Defendant explains that intangible harms, like the loss of privacy Plaintiffs allege here, only rise to the level of Article III injury if they bear a close relationship to harms traditionally recognized by American courts. (Id. at 16.) Defendant then asserts that Plaintiffs' allegations regarding loss of privacy are not comparable to the common law torts of intrusion upon seclusion because there is no reasonable expectation of privacy when you transmit information over the internet. (Id. at 16-17.)
Plaintiffs respond that they have standing because Defendant captured their highly sensitive personal information. (Doc. 7 at 10.) Plaintiffs assert that, prior to the Supreme Court's decision in TransUnion, the prevailing view was that a plaintiff need not allege harm beyond the invasion of a privacy right conferred by statute. (Id. at 11-12 (citing In re Facebook, Inc., Internet Tracking Litig., 956 F.3d 589, 598 (9th Cir. 2020) (“In re Facebook”)).) Plaintiffs also assert that recent courts applying TransUnion have held that wiretapping is sufficient to establish Article III standing so long as the communications contain private or personal information. (Id. (citing Lightoller v. Jetblue Airways Corp., Case No. 23-cv-00361-H-KSC, 2023 WL 3963823, at *4 (S.D. Cal. June 12, 2023)).)
2. Legal Standard-Federal Rule of Civil Procedure 12(b)(1)
“The Court evaluates challenges to Article III standing under Rule 12(b)(1), which governs motions to dismiss for lack of subject matter jurisdiction.” I.C. v. Zynga, Inc., 600 F.Supp.3d 1034, 1046 (N.D. Cal. 2022) (citing Maya v. Centex Corp., 658 F.3d 1060, 1067 (9th Cir. 2011)). “Rule 12(b)(1) motions may be either facial, where the inquiry is confined to the allegations in the complaint, or factual, where the court is permitted to look beyond the complaint to extrinsic evidence.” Id. (citing Leite v. Crane Co., 749 F.3d 1117, 1121 (9th Cir. 2014) and Safe Air For Everyone v. Meyer, 373 F.3d 1035, 1039 (9th Cir. 2004)).
“When a defendant challenges jurisdiction ‘facially,' all material allegations in the complaint are assumed true, and the court determines whether the factual allegations are sufficient to invoke the court's subject matter jurisdiction. When a defendant makes a factual challenge ‘by presenting affidavits or other evidence properly brought before the court, the party opposing the motion must furnish affidavits or other evidence necessary to satisfy its burden of establishing subject matter jurisdiction.' The court need not presume the truthfulness of the plaintiff's allegations under a factual attack. The plaintiff must show by a preponderance of the evidence each requirement for subject-matter jurisdiction ....” Id. (internal citations omitted).
Additionally, “[i]n a class action, at least one named plaintiff must have standing.” Id. at 1046 (citing Frank v. Gaos, 586 U.S. 485, 492 (2019) and Ollier v. Sweetwater Union High Dist., 768 F.3d 843, 865 (9th Cir. 2014)). “Thus, ‘if none of the named plaintiffs purporting to represent a class establishes the requisite of a case or controversy with the defendant[], none may seek relief on behalf of himself or any other member of the class.'” Id. at 1046-47 (quoting O'Shea v. Littleton, 414 U.S. 488, 494 (1974)). “Moreover, standing must be established ‘for each claim that they press and for each form of relief that they seek (for example, injunctive relief and damages).'” Id. at 1047 (quoting TransUnion LLC, 594 U.S. at 431). Plaintiffs bear the burden of establishing standing. Id. (citations omitted). In the absence of standing, there is no subject matter jurisdiction. Id. (citations omitted).
Here, Defendant appears to pose a facial attack on Article III standing. Therefore, the Court accepts all the allegations alleged in Plaintiffs' Complaint as true. See I.C., 600 F.Supp.3d at 1046.
3. Case Law
To establish Article III standing, Plaintiffs “must have (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision.” Spokeo, Inc. v. Robins, 578 U.S. 330, 338 (2016). “[Plaintiffs], as the party invoking federal jurisdiction, bear[] the burden of establishing these elements.” Id. “Where, as here, a case is at the pleading stage, the plaintiff must ‘clearly ... allege facts demonstrating' each element.” Id. (quoting Warth v. Seldin, 422 U.S. 490, 518 (1975)). Here, Defendants' arguments concern the “injury in fact” element, the “first and foremost” of standing's three elements. Id. at 338-39 (quotation omitted).
“Injury in fact is a constitutional requirement, and ‘it is settled that Congress cannot erase Article III's standing requirements by statutorily granting the right to sue to a plaintiff who would not otherwise have standing.'” Id. at 339 (quoting Raines v. Byrd, 521 U.S. 811, 820 n.3 (1997)) (additional citations omitted). “To establish injury in fact, a plaintiff must show that he or she suffered ‘an invasion of a legally protected interest' that is ‘concrete and particularized' and ‘actual or imminent, not conjectural or hypothetical.'” Id. (quoting Lujan v. Defs. of Wildlife, 504 U.S. 555, 560 (1992)). Thus, “an injury in fact must be both concrete and particularized.” Id. at 340. This case concerns the “concrete” aspect of injury in fact.
“A ‘concrete' injury must be ‘de facto'; that is, it must actually exist. When we have used the adjective ‘concrete,' we have meant to convey the usual meaning of the term ‘real,' and not ‘abstract.'” Id. (dictionary citations omitted). “‘Concrete' is not, however, necessarily synonymous with ‘tangible.' Although tangible injuries are perhaps easier to recognize, we have confirmed in many of our previous cases that intangible injuries can nevertheless be concrete.” Id. (citations omitted).
In Spokeo, the Supreme Court explained, “[i]n determining whether an intangible harm constitutes injury in fact ... it is instructive to consider whether an alleged intangible harm has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts.” Id. at 340-341 (citation omitted). “In addition, because Congress is well positioned to identify intangible harms that meet minimum Article III requirements, its judgment is also instructive and important.” Id. at 341. However, “Congress' role in identifying and elevating intangible harms does not mean that a plaintiff automatically satisfies the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right. Article III standing requires a concrete injury even in the context of a statutory violation.” Id. “[A plaintiff] could not, for example, allege a bare procedural violation, divorced from any concrete harm, and satisfy the injury-in-fact requirement of Article III.” Id. (citations omitted).
Following Spokeo, the Ninth Circuit held that the violation of statutory provisions codifying the substantive right to privacy gives rise to a concrete injury sufficient to confer standing. See In re Facebook, 956 F.3d 589, 598 (9th Cir. 2020). The Ninth Circuit reasoned that the “‘[v]iolations of the right to privacy have long been actionable at common law[,]'” id. (quoting Patel v. Facebook, 932 F.3d 1264, 1272 (9th Cir. 2019)), and “[a] right to privacy ‘encompasses the individual's control of information concerning his or her person[,]'” id. (quoting Eichenberger v. ESPN, Inc., 876 F.3d 979, 983 (9th Cir. 2017)).
Shortly thereafter, in TransUnion, the Supreme Court elaborated that “[v]arious intangible harms can also be concrete. Chief among them are injuries with a close relationship to harms traditionally recognized as providing a basis for lawsuits in American courts. Those include, for example, reputational harms, disclosure of private information, and intrusion upon seclusion.” TransUnion LLC, 594 U.S. at 425 (citation omitted) (emphasis added). “Spokeo does not require an exact duplicate in American history and tradition. But Spokeo is not an open-ended invitation for federal courts to loosen Article III based on contemporary, evolving beliefs about what kinds of suits should be heard in federal courts.” Id. at 424-25. “Congress's creation of a statutory prohibition or obligation and a cause of action does not relieve courts of their responsibility to independently decide whether a plaintiff has suffered a concrete harm under Article III ....” Id. at 426. “[W]e cannot treat an injury as ‘concrete' for Article III purposes based only on Congress's say-so.” Id. (quotation omitted). “Congress may enact legal prohibitions and obligations. And Congress may create causes of action for plaintiffs to sue defendants who violate those legal prohibitions or obligations. But under Article III, an injury in law is not an injury in fact. Only those plaintiffs who have been concretely harmed by a defendant's statutory violation may sue that private defendant over that violation in federal court.” Id. at 42627.
The question now facing California district courts handling class action lawsuits similar to the present case is whether the Supreme Court's decision in TransUnion overruled the Ninth Circuit's holding in In re Facebook. District courts are split as to whether a plaintiff needs to allege the interception of personal or sensitive information to establish injury-in-fact or whether a violation of CIPA, which codifies the substantive right to privacy, is sufficient.
For example, in Lightoller v. Jetblue Airways Corp., the plaintiff alleged that the defendants procured and embedded code in its website to track and analyze her interactions with the website. Case No. 23-cv-00361-H-KSC, 2023 WL 3963823, at *1 (S.D. Cal. June 12, 2023). The plaintiff alleged that she visited the defendant's website to obtain information on flight pricing, but, during her visit, her communications were captured and sent to various software providers. Id. The plaintiff asserted that the defendant's conduct violated CIPA and constituted the tort of invasion of privacy rights and intrusion upon seclusion. Id. In deciding whether the plaintiff had standing, the district court found that standing based solely on a violation of CIPA was “untenable in light of the Supreme Court's holding in TransUnion[.]” Id. at *3. The court found that the plaintiff's allegations were “insufficient to allege a concrete harm that bears a close relationship to the substantive right of privacy (i.e., an individual's right to control information concerning his or her person)” because the plaintiff did “not allege that she disclosed any personal information when she visited the website.” Id. at *4; see also Byars v. Sterling Jewelers, Inc., No. 5:22-CV-01456-SB-SP, 2023 WL 2996686, at *3 (C.D. Cal. Apr. 5, 2023) (“Plaintiff does not allege that she disclosed any sensitive information to Defendant, much less identify any specific personal information she disclosed that implicates a protectable privacy interest. She therefore has not identified any harm to her privacy.”); I.C., 600 F.Supp.3d at 104950 (finding the disclosure of basic contact information, e.g., email address, phone number, and username, inadequate to establish Article III standing). Thus, applying the first line of cases, whether Plaintiffs have adequately alleged facts establishing standing hinges on whether plaintiff has alleged the interception of personal or sensitive information.
Conversely, in D'Angelo v. FCA US, LLC, the class plaintiffs alleged that the defendant allowed third parties to wiretap and eavesdrop on the chat conversations of all its website visitors by embedding a third-party's code into its chat feature that records and creates transcripts of all such conversations. Case No. 3:23-cv-00982-WQH-MMP, 2024 WL 1625771, at *1 (S.D. Cal. Mar. 28, 2024). The plaintiff alleged that one such third party collected certain data about users and their chat messages, including the user's account name, the duration of the chat, the user's geographic location, the user's network provider, the number of messages sent, the site the user was on before they came to the website, and the amount of time between messages. Id. In deciding whether the class plaintiffs had standing, the district court recognized “that there is a disagreement in this District about whether TransUnion undermined In re Facebook's holding that a violation of CIPA is sufficient to allege an injury-in-fact.” Id. at *7. However, the district court found that, in the absence of further indication that In re Facebook is overruled, TransUnion did not undermine the Ninth Circuit's holding in Facebook. Id.; see also Garcia v. Build.com, Inc., Case No. 22-cv-01985-DMS-KSC, 2023 WL 4535531, at *3 (S.D. Cal. July 13, 2023) (finding that, unlike a bare procedural violation, a CIPA violation is a violation of substantive privacy rights); id. (reasoning that TransUnion's holding was not new; it was a reiteration of the Supreme Court's holding in Spokeo, decided in 2016, before In re Facebook); Licea v. Am. Eagle Outfitters, Inc., 659 F.Supp.3d 1072, 1078 (C.D. Cal. 2023) (same). Thus, applying the second line of cases, Plaintiffs need not allege that the information intercepted was of a personal or sensitive nature.
4. Analysis
The question now before the Court is whether each named plaintiff suffered an injury-in-fact sufficient to establish Article III standing for his or her subclass. See I.C., 600 F.Supp.3d at 1046. Because each named plaintiff has alleged the interception of personal or sensitive information, including his or her name, date of birth, gender, email address, and health information, under either avenue of decision, the class plaintiffs have alleged facts sufficient to establish standing at this stage. In other words, even under the more stringent requirements set forth in Lightoller, Plaintiffs have established standing, and the Court need not decide whether Plaintiffs need to allege the interception of personal or sensitive information to establish injury-in-fact at this time.
In their Motion, Defendant also requests that discovery in this case be stayed until the Court finds that Plaintiffs can proceed with their claims. (Doc. 6 at 2.) Having founds that Plaintiffs have standing to proceed with their claims, Plaintiffs' request is now moot.
C. Failure to State a Claim
1. Legal Standard-Federal Rule of Civil Procedure 12(b)(6)
Pursuant to Rule 12(b)(6), an action may be dismissed for failure to allege “enough facts to state a claim to relief that is plausible on its face.” Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570 (2007). “A claim has facial plausibility when the plaintiff pleads factual content that allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged. The plausibility standard is not akin to a probability requirement, but it asks for more than a sheer possibility that a defendant acted unlawfully.” Ashcroft v. Iqbal, 556 U.S. 662, 678 (2009) (internal quotation marks and citations omitted). For purposes of ruling on a Rule 12(b)(6) motion, the Court “accept[s] factual allegations in the complaint as true and construe[s] the pleadings in the light most favorable to the nonmoving party.” Manzarek v. St. Paul Fire & Marine Ins. Co., 519 F.3d 1025, 1031 (9th Cir. 2008).
However, the Court is “not bound to accept as true a legal conclusion couched as a factual allegation.” Ashcroft, 556 U.S. at 678 (quoting Twombly, 550 U.S. at 555). Nor is the Court “required to accept as true allegations that contradict exhibits attached to the Complaint or matters properly subject to judicial notice, or allegations that are merely conclusory, unwarranted deductions of fact, or unreasonable inferences.” Daniels-Hall v. Nat'l Educ. Ass'n, 629 F.3d 992, 998 (9th Cir. 2010). “In sum, for a complaint to survive a motion to dismiss, the non-conclusory factual content, and reasonable inferences from that content, must be plausibly suggestive of a claim entitling the plaintiff to relief.” Moss v. U.S. Secret Serv., 572 F.3d 962, 969 (9th Cir. 2009) (quotation marks omitted).
When a Rule 12(b)(6) motion is granted, “a district court should grant leave to amend even if no request to amend the pleading was made, unless it determines that the pleading could not possibly be cured by the allegation of other facts.” Cook, Perkiss & Liehe v. N. Cal. Collection Serv., 911 F.2d 242, 247 (9th Cir. 1990) (citations omitted).
2. Parties' Arguments
Defendant argues that Plaintiffs have failed to state claims under the wiretapping acts referenced in Plaintiffs' Complaint-CIPA, the Maryland Wiretapping and Electronic Surveillance Act (“MWESA”), the Massachusetts Wiretapping Statute, and the Florida Security of Communications Act (“FSCA”)-which have similar elements and can be addressed together. (Doc. 6-1 at 19-20.) Specifically, Defendant argues that Plaintiffs have not adequately alleged the “interception” of communication, the interception of the “contents” of communications, and that a “device” was used to intercept their communications. (Id. at 21-27.) Plaintiffs respond that they have adequately alleged the “interception” of the “contents” of communications using a “device.” (Doc. 7 at 15-19.)
As a preliminary matter, the Court does not agree with Defendants that each statute, which have distinct elements and interpretations thereof, can be addressed together.Therefore, the Court will address each cause of action in turn.
The Court is also not persuaded by the parties' frequent citations to Pennsylvania law when Plaintiffs have not asserted Pennsylvania state claims.
3. CIPA Section 631 (Count I)
CIPA section 631(a) states:
any person...
[1] who, by means of any machine, instrument, or contrivance, or in any other manner, intentionally taps, or makes any unauthorized connection, whether physically, electrically, acoustically, inductively, or otherwise, with any telegraph or telephone wire, line, cable, or instrument, including the wire, line, cable, or instrument of any internal telephonic communication system, or
[2] who willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state;
[3] or who uses, or attempts to use, in any manner, or for any purpose, or to communicate in any way, any information so obtained,
[4] or who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the acts or things mentioned above in this section,
is punishable by a fine..Cal. Pen. Code § 631(a) (number and line breaks added). “The California Supreme Court has explained that this lengthy provision contains three operative clauses covering ‘three distinct and mutually independent patterns of conduct': (1) ‘intentional wiretapping,' (2) ‘willfully attempting to learn the contents or meaning of a communication in transit over a wire,' [i.e., eavesdropping] and (3) ‘attempting to use or communicate information obtained as a result of engaging in either of the two previous activities.'” Mastel v. Miniclip SA, 549 F.Supp.3d 1129, 1134 (E.D. Cal. 2021) (quoting Tavernetti v. Superior Court, 22 Cal.3d 187, 192 (1978)) (citing In re Google Inc., Case No. 13-MD-02430-LHK, 2013 WL 5423918, at *15 (N.D. Cal. Sept. 26, 2013)). In addition, “Section 631(a) ... contains a fourth basis for liability, for anyone ‘who aids, agrees with, employs, or conspires with any person or persons to unlawfully do, or permit, or cause to be done any of the' other three bases for liability.” Id. (quoting Cal. Pen. Code § 631(a)).
The Court construes Plaintiffs' allegations against Defendant as a claim for “aiding and abetting” a third party's violation of one or all of the first three clauses in violation of the fourth operative clause. (See Compl. ¶ 49 (emphasizing “who aids, agrees with, employs, or conspires”); id. ¶¶ 51-52.) Therefore, “[t]o state a claim under [the fourth] clause, Plaintiff[s] must allege [that a third party] has violated one of the first three clauses of section 631(a), and that Defendant aided, agreed with, employed, or conspired with that person or entity to commit those unlawful acts.” Esparza v. UAG Escondido A1 Inc., Case No. 23cv0102 DMS(KSC), 2024 WL 559241, at *2 (S.D. Cal. Feb. 12, 2024). The Court finds that Plaintiffs have failed to state such a claim for the reasons set forth below.
First, Plaintiffs allege that Defendant assists and allows “several third parties,” including LeadID and Facebook, to intercept Plaintiffs' sensitive personal information. (See Compl. ¶¶ 8-11, 16, 27.) In support of these allegations, Plaintiffs include two figures purportedly showing network traffic from Defendant's website to LeadID and Facebook. (See Compl. ¶ 28.) However, the text of these figures does not indicate any connection to LeadID or Facebook. (See id.) In fact, the figures appear to show that the “destination” is Defendant's website. (Id.) Without further support or explanation, the Court finds that Plaintiffs' conclusory allegation that Defendant assists and allows “several third parties,” including LeadID and Facebook, to “intercept” Plaintiffs' sensitive personal information is unsupported by sufficient factual allegations. See Ashcroft, 556 U.S. at 678 (The Court is “not bound to accept as true a legal conclusion couched as a factual allegation.”); Daniels-Hall, 629 F.3d at 998 (The Court is not “required to accept as true...allegations that are merely conclusory, unwarranted deductions of fact, or unreasonable inferences ....”).
Second, it is not apparent to the Court whether the interceptor-whether it be Facebook, LeadID, or some other third party-is alleged to have violated clauses one, two, three, or some combination thereof. Plaintiffs appear to include allegations pertaining to clause one (see id. ¶ 53), but, at the same time, Plaintiffs do not quote the entirety of clause one in their Complaint (see id. ¶ 49). The Court also notes that California district courts have held that clause one does not apply to internet communications like the ones alleged here. See also UAG Escondido A1 Inc., 2024 WL 559241, at *2 (“[C]lause one does not apply to internet connections.”); Esparza v. Gen Digital Inc., Case No. CV 23-8223-KK-AGRx, 2024 WL 655986, at *3 (C.D. Cal. Jan. 16, 2024) (“[B]ecause Section 631(a) concerns telephonic wiretapping, it does not apply to the context of the internet[.]”) (internal quotation marks and citation omitted); Heiting v. Taro Pharms. USA, Inc., Case No. 2:23-cv-08002-SPG-E, 2023 WL 9319049, at *2 (C.D. Cal. Dec. 26, 2023) (“[B]ecause Plaintiff alleges interception of a chat communication on Defendant's website, instead of over the phone, Plaintiff cannot state a claim under the first clause of section 631(a).”).
Relatedly, as written, it is not apparent to the Court whether the alleged software, code, or tracking technology is owned and operated by Facebook or LeadID, or whether a third-party software provider “relays” the sensitive personal information to Facebook or LeadID. (See Compl. ¶ 30 (“Facebook allows those companies to integrate software into their websites, software that tracks user activity, like the buttons they click or the forms they complete. That software then relays that information to Facebook, and once that information is received, the social media site assimilates it into existing databases that Defendant can then use to target advertisements.”).) This distinction informs whether Facebook or LeadID is alleged to have violated clause two or clause three.
Because Plaintiffs have not adequately alleged that any third party unlawfully wiretapped or eavesdropped on Plaintiffs' communications in violation of CIPA section 631(a)-whether it be clause one, clause two, or clause three-the Court cannot find that Plaintiffs adequately alleged that Defendant aided and abetted any such violation. See UAG Escondido A1 Inc., 2024 WL 559241, at *2. Thus, Plaintiffs' claim for violations of CIPA section 631(a) is DISMISSED WITH LEAVE TO AMEND .
4. CIPA Section 632 (Count II)
Section 632.7(a) prohibits the interception or recording of communications between two phones:
Every person who, without the consent of all of the parties to a communication, intercepts or receives and intentionally records, or assists in the interception or reception and intentional recordation of, a communication transmitted between two cellular radio telephones, a cellular radio telephone and a landline telephone, two cordless telephones, a cordless telephone and a landline telephone, or a cordless telephone and a cellular radio telephone, shall be punished by a fine . . ., or by imprisonment in a county jail ....Cal. Pen Code § 632.7(a) (emphasis added). The majority of district courts addressing this issue have held that section 632.7(a) applies only to communications between two telephones and not to internet communications. See e.g., Keurig Green Mountain, Inc., 674 F.Supp.3d at 760 (“[Section] 632.7 unambiguously limits its reach to communications between various types of telephones.”); Am. Eagle Outfitters, Inc., 659 F.Supp.3d at 1112 (“The Court determines that section 632.7 only applies to the five types of calls enumerated ...”); Byars v. Hot Topic, Inc., 656 F.Supp.3d 1051, 1069 (C.D. Cal. 2023) (“The unambiguous meaning of the statute is thus that it only applies to communications involving two telephones. Plaintiff's allegations all relate to text-based web communications regarding a chat feature on a website, which virtually by definition cannot involve two telephones.”); Build.com, Inc., Case No. 22-cv-01985-DMS-KSC, 2023 WL 4535531, at *6 (S.D. Cal. July 13, 2023) (“A plain reading of the text makes clear that the statute only applies to communications transmitted by telephone, not internet. Plaintiffs seem to argue that Defendant's conduct violated Section 632.7 because Plaintiffs' communications with Defendant through the website chat function on her smart phone amounted to ‘communication ... transmitted via telephony.' This stretches the statutory language too far.”); Martin v. Sephora USA, Inc., Case No. 1:22-cv-01355-JLT-SAB, 2023 WL 2717636, at *17 (E.D. Cal. Mar. 30, 2023) (“[T]he Court concludes that § 632.7 only applies to the five types of calls previously enumerated.”); but see Licea v. Old Navy, LLC, 669 F.Supp.3d 941, 947 (C.D. Cal. 2023) (finding that only one party need be using a telephone to bring it in the purview of section 632.7 and that smartphones fall within the cellular phone category); Byars v. Goodyear Tire & Rubber Co., 654 F.Supp.3d 1020, 1027-28 (C.D. Cal. 2023) (same).
The Court joins the majority of California district courts in finding that section 632 does not apply to internet communications. See Rodriguez v. Ford Motor Co., Case No. 3:23-cv-00598-RBM-JLB, 2024 WL 1223485, at *17 (S.D. Cal. Mar. 21, 2024) (R. Montenegro). Therefore, Plaintiffs have not adequately alleged violations of CIPA section 632. Because amendment would be futile, the Court DISMISSES this claim WITHOUT LEAVE TO AMEND. See Cook, Perkiss & Liehe, 911 F.2d at 247.
5. Maryland Wiretapping and Electronic Surveillance Act
“[I]t is unlawful for any person to: (1) Willfully intercept, endeavor to intercept, or procure any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication; (2) Willfully disclose, or endeavor to disclose, to any other person the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subtitle; or (3) Willfully use, or endeavor to use, the contents of any wire, oral, or electronic communication, knowing or having reason to know that the information was obtained through the interception of a wire, oral, or electronic communication in violation of this subtitle.” Md. Code Ann., Cts. & Jud. Proc. § 10-402. Maryland federal courts have had limited opportunity to apply MWESA to internet communications like the ones alleged here. See e.g., Curd v. Papa John's Int'l, Inc., 692 F.Supp.3d 525, 531 (D. Md. 2023) (“Even if Plaintiff's use of Papa John's website creates a potential cause of action ... Plaintiff fails to allege facts that support this court's exercise of personal jurisdiction over Papa John's.”). Nevertheless, it is clear from the statute's text that violations of MWESA depend upon the “willful” “interception” of “any wire, oral, or electronic communication[.]” See Md. Code Ann., Cts. & Jud. Proc. § 10-402.
Defendant argues that Plaintiffs have not plausibly alleged “interception” of a communication, an essential element under each wiretapping act. (Id. at 21-23.) Specifically, Defendant argues that Plaintiffs allege “interception” “in conclusory terms that do not satisfy Iqbal or Twombly” and that using the word “intercept” throughout the Complaint is not enough without the addition of specific facts supporting Plaintiffs' theory that Defendant is “intercepting” Plaintiffs' data. (Id. at 21-22.) Defendant also contends that Plaintiffs' passing references to “tracking technologies” and “software” is insufficient to explain how Defendant is allegedly intercepting Plaintiffs' data. (Id. at 22.)
Plaintiffs respond that they have adequately alleged that Defendant allows third parties, like LeadID and Facebook, to intercept Plaintiffs' electronic communications, such as the buttons that they click and the forms they complete. (Doc. 7 at 16.) Plaintiffs contend that they illustrate the interceptions occurring in real time by providing an example showing network traffic to Facebook and LeadID when a website user clicks the button on Defendant's website indicating that they have issues with alcohol or substance abuse. (Id.) Plaintiffs contend that “[s]uch interceptions occur for every communication with the website.”
Defendant's Reply re-states its position that Plaintiffs do not adequately allege “interception.”
For the same reasons set forth above (see Section II.C.2.a), the Court agrees with Defendants that, without further support or explanation, Plaintiffs' conclusory allegations regarding “interception” are insufficient at this stage. See Ashcroft, 556 U.S. at 678; Daniels-Hall, 629 F.3d at 998. Thus, Plaintiffs have not stated a claim under MWESA, and the Court DISMISSES this claim WITH LEAVE TO AMEND .
a) Massachusetts Wiretapping Statute
“[A]ny person who-willfully commits an interception, attempts to commit an interception, or procures any other person to commit an interception or to attempt to commit an interception of any wire or oral communication shall be fined not more than ten thousand dollars, or imprisoned in the state prison for not more than five years, or imprisoned in a jail or house of correction for not more than two and one half years, or both so fined and given one such imprisonment.” Mass. Gen. Laws Ann. ch. 272, § 99. “The term ‘interception' means to secretly hear, secretly record, or aid another to secretly hear or secretly record the contents of any wire or oral communication through the use of any intercepting device by any person other than a person given prior authority by all parties to such communication[.]” Id. As in Maryland, Massachusetts federal courts have had limited opportunity to apply the Massachusetts Wiretapping Statute to internet communications. See e.g., Rosenthal v. Bloomingdale's, Inc., 686 F.Supp.3d 36, 40 (D. Mass. 2023) (dismissing similar case for lack of personal jurisdiction); Alves v. Goodyear Tire & Rubber Co., 683 F.Supp.3d 111, 120 (D. Mass. 2023) (same). However, it is clear from the statutory text that, at a minimum, Plaintiffs must allege the “willful” “interception of any wire or oral communication[.]” Mass. Gen. Laws Ann. ch. 272, § 99.
For the same reasons set forth above (see Section II.C.2.a), the Court agrees with Defendants that, without further support or explanation, Plaintiffs' conclusory allegations regarding “interception” are insufficient at this stage. See Ashcroft, 556 U.S. at 678; Daniels-Hall, 629 F.3d at 998. Thus, Plaintiffs have not stated a claim under the Massachusetts Wiretapping Statute, and the Court DISMISSES this claim WITH LEAVE TO AMEND .
b) Florida Security of Communications Act
“Any person whose wire, oral, or electronic communication is intercepted, disclosed, or used in violation of ss. 934.03-934.09 shall have a civil cause of action against any person or entity who intercepts, discloses, or uses, or procures any other person or entity to intercept, disclose, or use, such communications ....” Fla. Stat. Ann. § 934.10. Put simply, “[t]he FSCA provides a cause of action against parties that intercept or use private communications without the speaker's consent.” Goldstein v. Costco Wholesale Corp., 559 F.Supp.3d 1318, 1319-20 (S.D. Fla. 2021). Thus, for the same reasons set forth above (see Section II.C.2.a), the Court agrees with Defendants that, without further support or explanation, Plaintiffs' conclusory allegations regarding “interception” are insufficient at this stage. See Ashcroft, 556 U.S. at 678; Daniels-Hall, 629 F.3d at 998.
Further, Florida district courts have found that the FSCA does not apply to session replay software, software that records a website users' mouse clicks, keystrokes, search terms, and information inputted into the website. See Cardoso v. Whirlpool Corp., Case No. 21-CV-60784-WPD, 2021 WL 2820822, at *2 (S.D. Fla. July 6, 2021) (finding that FSCA does not apply to the plaintiff's claims regarding session replay technology software on a commercial website and that, even so, the plaintiff failed to adequately allege sufficient facts supporting the elements of an FSCA violation); Goldstein v. Luxottica of Am., Inc., Case No. 21-80546-CIV-CANNON/REINHART, 2021 WL 4093295, at *3 (S.D. Fla. Aug. 23, 2021) (“[T]he FSCA does not extend to the session replay software.”); Swiggum v. EAN Servs., LLC, Case No. 8:21-cv-493-TPB-CPT, 2021 WL 3022735, at *2 (M.D. Fla. July 16, 2021) (“Because the Court has concluded that the FSCA does not apply to Plaintiff's session replay technology claims, it appears that amendment is futile. However, in an abundance of caution, the Court will grant leave for Plaintiff to file an amended complaint, if she may do so in good faith.”). This session replay software appears similar in kind to the software, code, or tracking technology Plaintiffs allege here. (See Compl. ¶ 30 (alleging “software that tracks user activity, like the buttons they click”).) Therefore, Plaintiffs have failed to state a claim under FSCA, and the Court DISMISSES this claim WITH LEAVE TO AMEND .
III. CONCLUSION
Based on the foregoing, Defendant's Motion to Dismiss is GRANTED. Plaintiffs may file an amended complaint on or before September 2, 2024.
IT IS SO ORDERED.