Opinion
Case No. 23-cv-00059-WHO
2024-01-17
Jane DOE, Plaintiff, v. FULLSTORY, INC., et al., Defendants.
Jae K. Kim, Lynch Carpenter, LLP, Pasadena, CA, Amanda Grace Fiorilla, Pro Hac Vice, Christian Levis, Pro Hac Vice, Rachel Isabel Kesten, Pro Hac Vice, Lowey Dannenberg, P.C., White Plains, NY, Tiffine Malamphy, Lynch Carpenter, LLP, Del Mar, CA, for Plaintiff. Cortlin Hall Lannin, Matthew Quinn Verdin, Covington & Burling LLP, San Francisco, CA, Emily Johnson Henn, Covington & Burling LLP, Palo Alto, CA, for Defendant FullStory, Inc. Michael Graham Rhodes, Caroline A. Lebel, Kyle Wong, Cooley LLP, San Francisco, CA, Abigail Augus Barrera, Elizabeth Katharine McCloskey, Gibson, Dunn & Crutcher LLP, San Francisco, CA, Andrew M. Kasabian, Gibson, Dunn & Crutcher LLP, Irvine, CA, Darcy Caitlyn Harris, Pro Hac Vice, Lauren R. Goldman, Pro Hac Vice, Gibson, Dunn & Crutcher LLP, New York, NY, for Defendant Meta Platforms, Inc. Anthony J. Weibell, Mayer Brown LLP, Palo Alto, CA, Sophia Morris Mancall-Bitel, Victor Jih, Wilson Sonsini Goodrich & Rosati, Los Angeles, CA, Thomas Robert Wakefield, Wilson Sonsini Goodrich Rosati, San Francisco, CA, for Defendants Tik-Tok, Inc., ByteDance Inc.
Jae K. Kim, Lynch Carpenter, LLP, Pasadena, CA, Amanda Grace Fiorilla, Pro Hac Vice, Christian Levis, Pro Hac Vice, Rachel Isabel Kesten, Pro Hac Vice, Lowey Dannenberg, P.C., White Plains, NY, Tiffine Malamphy, Lynch Carpenter, LLP, Del Mar, CA, for Plaintiff.
Cortlin Hall Lannin, Matthew Quinn Verdin, Covington & Burling LLP, San Francisco, CA, Emily Johnson Henn, Covington & Burling LLP, Palo Alto, CA, for Defendant FullStory, Inc.
Michael Graham Rhodes, Caroline A. Lebel, Kyle Wong, Cooley LLP, San Francisco, CA, Abigail Augus Barrera, Elizabeth Katharine McCloskey, Gibson, Dunn & Crutcher LLP, San Francisco, CA, Andrew M. Kasabian, Gibson, Dunn & Crutcher LLP, Irvine, CA, Darcy Caitlyn Harris, Pro Hac Vice, Lauren R. Goldman, Pro Hac Vice, Gibson, Dunn & Crutcher LLP, New York, NY, for Defendant Meta Platforms, Inc.
Anthony J. Weibell, Mayer Brown LLP, Palo Alto, CA, Sophia Morris Mancall-Bitel, Victor Jih, Wilson Sonsini Goodrich & Rosati, Los Angeles, CA, Thomas Robert Wakefield, Wilson Sonsini Goodrich Rosati, San Francisco, CA, for Defendants Tik-Tok, Inc., ByteDance Inc.
ORDER GRANTING IN PART AND DENYING IN PART MOTIONS TO DISMISS
Re: Dkt. Nos. 88, 90, 91, 109
William H. Orrick, United States District Judge
The three remaining defendants in this case Meta Platforms, Inc., TikTok, Inc., and FullStory, Inc. move to dismiss the claims asserted against them. For the reasons discussed below, except for the claim that plaintiff agrees should be dismissed, Meta's and TikTok's motions are DENIED, but FullStory's motion is GRANTED for lack of personal jurisdiction.
BACKGROUND
Plaintiff is a former user of a telemedicine company, Hey Favor, Inc. ("Favor") (formerly the "Pill Club") a:
combination telemedicine company and direct-to-consumer pharmacy that prescribes its patients birth control, emergency contraception (e.g., morning-after-pills), STI test kits, acne medicine, and prescription-strength retinol. Users can also purchase directly from Favor other menstrual care and sexual wellness products, like condoms, lubrication, and pregnancy tests, and learn from medical information it provides on health and wellness topics, like periods, skin conditions, and birth control. Visitors access these services and products through Favor's website at www.heyfavor.com and/or through its mobile app (collectively, "the Favor Platform").
AC ¶ 1. Favor is alleged to have provided services through: "(1) its 'Medical Team,' consisting of doctors and nurse practitioners who review users' health history, evaluate their needs, prescribe medications, and answer medical questions; (2) its 'Pharmacy Team,' comprised of pharmacists and technicians who review and process medication orders; and (3) its 'Patient Care Team,' who assist patients and personalize their care." AC ¶ 3.
Plaintiff sued Favor (who was subsequently dismissed because it filed for bankruptcy, Dkt. No. 84) and three additional
sets of defendants; FullStory, Inc. ("FullStory"), Meta Platforms, Inc. (f/k/a Facebook, Inc.) ("Meta"), TikTok, Inc. (f/k/a Musically, Inc.) and ByteDance Inc. (collectively with TikTok, Inc., "TikTok"). She alleges that these defendants intentionally integrated their technologies on Favor's platform in order to secure "personally identifiable information" ("PII") of plaintiff and other class members, including their names, email addresses, dates of birth, places of residence, payment information, health insurance information, health data and other highly sensitive information, including prescription information, answers to health questions, medication information, allergies, age, and weight. AC ¶ 13.
Meta, by use of its "SDK and Meta Pixel," AC ¶ 27; TikTok through its "TikTok Pixel," id. ¶ 40; and FullStory through its "session replay software." Id. ¶ 46.
Plaintiff seeks relief on behalf of a "nationwide class" consisting of: "All natural persons in the United States who used the Favor Platform and whose communications and/or data were intercepted by Defendants." AC ¶ 152. She asserts claims against each set of remaining defendants for: (1) violation of Common Law Invasion of Privacy — Intrusion Upon Seclusion; (2) Unjust Enrichment; (3) violation of California Confidentiality of Medical Information Act ("CMIA") Cal. Civil Code § 56.36; (4) violation of California Invasion of Privacy Act ("CIPA") Cal. Penal Code § 631; and (5) violation of CIPA, Cal. Penal Code § 632.
Defendants moved to dismiss the CMIA claim. In opposition, plaintiff expressly agreed to dismiss the CMIA claims against Meta and TikTok. See Dkt. No. 92 at 1 n.4; Dkt. No. 93 at 1 n.2. She did not address FullStory's arguments in support of dismissal. Her CMIA claims are DISMISSED with prejudice as to each defendant.
The defendants filed a joint Request for Judicial Notice ("RJN"), Dkt No. 90-1, for the Pill Club's Privacy Policies (Exs. 4-7) and two public entity reports (Exhibits 10-11). Dkt. No. 90-1. Plaintiff does not oppose the request (Dkt. No. 94) and it is GRANTED. Defendants also asked me to take judicial notice of Meta's Terms of Service, Business Tools, and Commercial Terms. Dkt. No. 90-1, Exs. 1-3 but then withdrew its request, acknowledging that my September 2023 Order in In re Meta Pixel Healthcare Litigation obviates it. Dkt. No. 96. Finally, defendants ask me to take judicial notice of two articles published by The Markup in June and December 2022. Dkt. No. 90-1, Exs. 8 & 9. Plaintiff opposes, arguing (1) that they are not incorporated by reference in the AC, (2) because plaintiff only mentioned them briefly and in passing in two paragraphs of her Complaint and, more substantively, (3) because TikTok attempts to rely on those articles to prove at the pleading stage that it did not intercept confidential healthcare information. At most, these articles could go to notice (for purposes of determining the timeliness of plaintiff's claims). I will limit my judicial notice of them to that purpose.
LEGAL STANDARD
Under Federal Rule of Civil Procedure 12(b)(6), a district court must dismiss a complaint if it fails to state a claim upon which relief can be granted. To survive a Rule 12(b)(6) motion to dismiss, the plaintiff must allege "enough facts to state a claim to relief that is plausible on its face." Bell Atl. Corp. v. Twombly, 550 U.S. 544, 570, 127 S.Ct. 1955, 167 L.Ed.2d 929 (2007). A claim is facially plausible when the plaintiff pleads facts that "allow the court to draw the reasonable inference that the defendant is liable for the misconduct alleged." Ashcroft v. Iqbal, 556 U.S. 662, 678, 129 S.Ct. 1937, 173 L.Ed.2d 868 (2009) (citation omitted). There must be "more than a sheer possibility that a defendant has acted unlawfully." Id. While courts do not require "heightened fact pleading of specifics," a plaintiff must allege facts sufficient to "raise a right to
relief above the speculative level." Twombly, 550 U.S. at 555, 570, 127 S.Ct. 1955.
In deciding whether the plaintiff has stated a claim upon which relief can be granted, the court accepts the plaintiff's allegations as true and draws all reasonable inferences in favor of the plaintiff. See Usher v. City of Los Angeles, 828 F.2d 556, 561 (9th Cir. 1987). However, the court is not required to accept as true "allegations that are merely conclusory, unwarranted deductions of fact, or unreasonable inferences." In re Gilead Scis. Sec. Litig., 536 F.3d 1049, 1055 (9th Cir. 2008). If the court dismisses the complaint, it "should grant leave to amend even if no request to amend the pleading was made, unless it determines that the pleading could not possibly be cured by the allegation of other facts." Lopez v. Smith, 203 F.3d 1122, 1127 (9th Cir. 2000). In making this determination, the court should consider factors such as "the presence or absence of undue delay, bad faith, dilatory motive, repeated failure to cure deficiencies by previous amendments, undue prejudice to the opposing party and futility of the proposed amendment." Moore v. Kayport Package Express, 885 F.2d 531, 538 (9th Cir. 1989).
DISCUSSION
Each defendant moves to dismiss. After the motions were filed, I issued my ruling on Meta's motion to dismiss the Consolidated Class Action Complaint in the In re Pixel Healthcare Litigation. See Case No. 22-cv-3580, Dkt. No. 316 (September 2023 Order). In that Order, involving similar allegations based on Meta's Pixel technology and addressing similar claims, I concluded that intent under the CIPA was adequately alleged against Meta, Meta's Pixel qualified as a device under CIPA, and the "sent from/to" California allegations required for CIPA were adequate against Meta. See September 2023, Order. I will not revisit those conclusions regarding Meta, or as applicable to the other defendants, in this Order. I also rejected dismissal of the unjust enrichment claim. Id. at 19. I adopt that analysis here: the motions to dismiss the unjust enrichment claims are DENIED. I address the remaining challenges below.
Meta recognizes that ruling and decided not to "reiterate" its arguments here. See Meta Reply at [Dkt. No. 99] at 3 n.2.
I. META MOTION TO DISMISS
A. Consent to Hey Favor Privacy Policy
Meta, joined by the other defendants, argues that the challenged practices — the collection of personal information by third parties from persons using Favor's platform — was disclosed to plaintiff, and that by using Flavor's platform, she consented to the data collection. On a motion to dismiss, the burden of proof to show consent rests with defendants. See Doe v. Meta Platforms, Inc., No. 22-CV-03580-WHO, 690 F.Supp.3d 1064, 1077-78 (N.D. Cal. Sept. 7, 2023) (addressing consent argument under the ECPA).
Defendants rely on Favor's Policy Privacy that plaintiff cites in the AC. See RJN Exs. 4-7 (Pill Club Privacy Policy); see also AC ¶ 130 ("Favor repeats these assurances throughout its privacy policy, stating that it is 'required by law to make sure that medical information which identifies [users] is kept private (with certain exceptions).' These 'exceptions' include the disclosure of users' information for things like treatment and law enforcement needs and do not include the disclosure of users' information for marketing, advertising,
tracking, or analytics purposes to companies like Defendants.").
Defendants note that the Policy discloses, under the section "Cookies, Web Beacons and Other Technologies," that "'Web Beacons' (also known as Web bugs, pixel tags or clear GIFs) are tiny graphics with a unique identifier that may be included on our Website, App and Service for several purposes, including to deliver or communicate with cookies, to track and measure the performance of our Website, App and Service, to monitor how many visitors view our site, App and Service, and to monitor the effectiveness of our advertising." RJN, Ex. 4 at 2-3.
Defendants also rely on the "Website Analytics" section, which notifies users that:
We may also partner with selected third-party vendors, such as Google Analytics and others, to allow tracking technologies and remarketing services on the Website and our mobile application through the use of first party cookies and third-party cookies, to, among other things, analyze and track users' use of the Services, determine the popularity of certain content and better understand online activity. By accessing the Services you consent to the collection and use of your information by these third-party vendors. You are encouraged to review their privacy policy and contact them directly for responses to your question. We do not transfer personal information to these third-party vendors. However, if you do not want any information to be collected and used by tracking technologies, you can visit the third-party vendor or the Network Advertising Initiative Opt-Out Tool or Digital Advertising Opt-Out Tool.
Id. at 3.
Plaintiff points out that this section disclaims that third parties will have access to "personal information" — the exact type of information she contends was intercepted by Meta and the other defendants. She also points to the first paragraph of the Privacy Policy, explaining that it "does not cover personal health information submitted by you in the course of using our Service. Which is covered by The Pill Club Notice of Privacy Practices (the Notice of Privacy Practices). Any conflict between this Privacy Policy and Notice of Privacy Practices with respect to such submitted personal health information shall be resolved in favor of the Notice of Privacy Practices." Ex. 4 at 1. Plaintiffs Amended Complaint also cites to other "disclosures" made by Favor, including Favor's assertion that it takes the privacy of her healthcare information seriously, that its privacy policies are stricter than HIPAA and CMIA, and that Favor would not sell or market consumers personal information. AC ¶¶ 127-129.
While Favor's Privacy Policy disclosed some use of some tracking features, there are other express disclosures in the Privacy Policy and other assertions Favor made in its Notice of Privacy Practices or elsewhere governing "personal information." Those more specific disclosures and assertions indicate that Favor would not disclose (or sell or use for marketing) users' personal information.
At this point, the contents of each applicable policy or other binding representation made by Favor regarding treatment of personal or healthcare information has not been established as a matter of law. The data each of the defendant's tools intercepted has not been determined. How reasonable persons would interpret the totality of the disclosures has not been decided. Accordingly, the claims will not be dismissed for any defendant based on consent. B. CIPA
1. Untimely
Meta, and the other defendants, also move to dismiss plaintiff's CIPA claims, arguing that they fall outside the one year statute of limitations given that plaintiff used Favor's platform in the summer of 2021 but did not file this suit until 2023. AC ¶¶ 118, 202. Plaintiff responds that under both the discovery rule and fraudulent concealment doctrine, her claims against each defendant did not accrue until shortly before her Complaint was filed because despite her due diligence, she did not learn that defendants' proprietary technology was intercepting her personal and healthcare information until shortly before the complaint was filed. AC ¶ 142 ("Defendants' software was secretly incorporated into the Favor Platform, providing no indication to users that they were interacting with sites that shared their data, including PII and medical information, with third parties"), ¶ 143 ("Defendants had exclusive knowledge that the Favor Platform incorporated its software, yet failed to disclose that fact to users, or that by interacting with the Favor Platform, Plaintiff's and Class members' sensitive data, including PII and health data, would be intercepted by third parties"), ¶ 144 ("Plaintiff and Class members could not with due diligence have discovered the full scope of Defendants' conduct, including because it is highly technical and there were no disclosures or other indication that would inform a reasonable consumer that third parties, including Defendants, were intercepting, data from the Favor Platform"), ¶ 145 ("The earliest Plaintiff and Class members could have known about Defendants' conduct was shortly before the filing of this Complaint").
See Brodsky v. Apple Inc., No. 19-CV-00712-LHK, 2019 WL 4141936, at *11 (N.D. Cal. Aug. 30, 2019) (citing Ion Equip. Corp. v. Nelson, 110 Cal. App. 3d 868, 880, 168 Cal. Rptr. 361 (1980)).
The discovery rule "postpones accrual of a cause of action until the plaintiff discovers, or has reason to discover, the cause of action." Fox v. Ethicon Endo-Surgery, Inc., 35 Cal. 4th 797, 807, 27 Cal.Rptr.3d 661, 110 P.3d 914 (2005). A "plaintiff has reason to discover a cause of action when he or she 'has reason at least to suspect a factual basis for its elements.' [] In so using the term 'elements,' we do not take a hypertechnical approach to the application of the discovery rule. Rather than examining whether the plaintiffs suspect facts supporting each specific legal element of a particular cause of action, we look to whether the plaintiffs have reason to at least suspect that a type of wrongdoing has injured them." Id. (internal citations omitted). In order to adequately plead a basis for the discovery rule, a plaintiff must "plead facts to show (1) the time and manner of discovery and (2) the inability to have made earlier discovery despite reasonable diligence." Id. at 808, 27 Cal.Rptr.3d 661, 110 P.3d 914 (internal quotation omitted).
While defendants argue that plaintiff cannot invoke the discovery rule unless she alleges the specific "time and manner" of her discovery, that argument is not persuasive given the type of case this is — based on defendants' use of highly technical proprietary software — and given plaintiffs clear statement that "the earliest" plaintiff could have known of her injury was shortly before filing. Id. ¶ 145. That is sufficient for now.
Meta and the other defendants also argue that plaintiff cannot show "reasonable diligence" because the Privacy Policy and various "public articles" disclosed the use of pixel and other tracking technology on Favor's platform. However, as discussed above, Favor's policies indicate that the type of personal and healthcare information at issue here would not be shared with third parties. The Favor platform's Privacy
Policy cannot, as a matter of law, preclude application of the discovery rule. With respect to "public articles," defendants identify no articles other than June and December 2022 articles in The Markup referenced in the Amended Complaint in passing as investigating the Meta Pixel and finding Meta's purported "filtering" system failed to discard URLs (AC ¶ 33), and the second December 13, 2022 article that highlighted the TikTok Pixel's presence on the Favor Platform. AC ¶ 41. Even assuming that judicial notice of both articles is appropriate, despite only passing reference to them for issues not central to plaintiff's claims, the articles do not undermine plaintiff's allegations of delayed discovery as a matter of law. The articles were published only months before plaintiff's complaint was filed. The first discussed Meta Pixel's tracking of data from crisis pregnancy centers and the second generally discussed "telecare startups" sharing health information with "big tech" companies and mentioned Favor only once in a chart. Neither article is so central to the conduct of Favor in allegedly disclosing use of defendants' tracking technology (that extends beyond mere URL addresses) to put plaintiff on inquiry notice.
Khoja v. Orexigen Therapeutics, Inc., 899 F.3d 988, 1003 (9th Cir. 2018) (rejecting judicial notice where a quotation of only a few lines out of a 67-page complaint did not amount to "extensive" reliance by plaintiffs much less reliance in a way that was central to the claims); DalPoggetto v. Wirecard AG, No. CV 19-0986 FMO (SKX), 2020 WL 2374948, at *1 (C.D. Cal. Apr. 15, 2020)(rejecting judicial notice of a press release cited in only two paragraphs of plaintiffs' FAC).
Defendants' reliance on cases rejecting application of the discovery rule where plaintiff knows or reasonably should have known of injury but did not yet know of the identity of the third-party defendant who facilitated their injury are inapposite. See, e.g., Javier v. Assurance IQ, LLC, 649 F. Supp. 3d 891, 903 (N.D. Cal. 2023 (plaintiff "states that he was aware that Assurance was collecting his information in January 2019 despite alleging a direct Section 631 injury, and had constructive notice that a third party may be aiding it in that process, Javier does not plausibly plead that he was unable to discover Assurance's use of [a different defendant's] software despite reasonable diligence."). Here, plaintiff did not know or, on matters I can judicially notice, have cause to know of her injury from the interception and use of her personal and healthcare information because of her use of the Favor platform.
On fraudulent concealment, plaintiff argues that Meta and Favor both disclosed in their Terms of Service and Policies that they both tracked some data, yet both purportedly disclaimed interception or tracking of the healthcare or other personal data at issue here. She says that is exactly the sort of conduct that supports fraudulent concealment. As Meta points out, plaintiff does not allege facts with respect to Meta's terms of service or policies being the source of Meta's alleged fraudulent concealment. She is given leave to do so.
To plead fraudulent concealment, a plaintiff must allege that "(1) the defendant took affirmative acts to mislead the plaintiff; (2) the plaintiff did not have 'actual or constructive knowledge of the facts giving rise to its claim'; and (3) the plaintiff acted diligently in trying to uncover the facts giving rise to its claim." See Brown v. Google LLC, 525 F. Supp. 3d 1049, 1070 (N.D. Cal. 2021).
2. Section 632(a) Confidential Recording
Recognizing that Meta's initial arguments regarding plaintiff's section 632(a) claim are foreclosed by my September 2023 Order in In re Meta Pixel Healthcare Litigation, Meta makes one final challenge to the section 632(a) claim in its Reply: plaintiff cannot allege a recording of a "confidential communication" because she "accepted" the Favor Privacy
Policy that allows for the challenged conduct. Reply at 8. That argument fails for the reasons discussed above with respect to purported "consent."
3. Extraterritoriality
Meta moves to dismiss the CIPA claim because CIPA does not protect plaintiff, a resident of Arkansas. I addressed and rejected a similar argument in the September 2023 Order in In re Meta Pixel Healthcare Litigation because: (1) it was arguably premature, and better determined on class certification or summary judgment; (2) plaintiffs there, like plaintiff here, plausibly alleged that the conduct at issue, in terms of the design and marketing of the Meta Pixel technology and development and implementation of Meta's Terms of Service, occurred in California; and (3) Facebook's Terms of Service specify that California law applies to disputes between Facebook and its users. Doe v. Meta Platforms, Inc., No. 22-CV-03580-WHO, 690 F.Supp.3d 1064, 1078-79 (N.D. Cal. Sept. 7, 2023). Meta provides no new justification to consider reaching a different conclusion here.
C. Intrusion on Seclusion
An invasion of privacy, intrusion on seclusion claim under the California law requires a reasonable expectation of privacy and an intrusion that was "highly offensive." See Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 601 (9th Cir. 2020).
In reply, Meta argues that an intrusion on seclusion claim cannot survive here because plaintiff could not have had a reasonable expectation of privacy, given her agreement to the disclosure of the information at issue in agreeing to Favor's Privacy Policy. This is a gloss on the consent argument addressed above and it is rejected for the same reasons.
Meta separately argues that plaintiff fails to allege that the intrusion was "highly offensive" because she acknowledges Meta's attempts to filter out sensitive data received from its Pixel, see AC ¶ 32, and that acknowledgment shows that Meta's did not intend to infringe on privacy rights. Plaintiff's allegations of surreptitious capturing of healthcare information are sufficient to state this claim. See Katz-Lacabe v. Oracle Am., Inc., No. 22-CV-04792-RS, 668 F.Supp.3d 928, 941-42 (N.D. Cal. Apr. 6, 2023). What steps Meta has taken to attempt to filter out sensitive data, as well as the efficacy of those steps and Meta's intent, are better determined on an evidentiary record. See Doe v. Meta Platforms, Inc., No. 22-CV-03580-WHO, 690 F.Supp.3d 1064, 1081 & n.4 (N.D. Cal. Sept. 7, 2023).
Meta's motion to dismiss is DENIED, except that plaintiff is given leave to allege further facts in support of her fraudulent concealment allegation for statute of limitations purposes related to her CIPA claim.
II. TIKTOK MOTION TO DISMISS
TikTok moves to dismiss plaintiff's intrusion on seclusion, CMIA, CIPA, and unjust enrichment claims. TikTok Motion. Dkt. No. 91. As discussed above, plaintiff agrees to the dismissal of her CMIA claim. And as indicated, TikTok's motion to dismiss the unjust enrichment claim is denied. I will now address the other issues.
A. Sensitive Health Data
TikTok's first overall challenge is based on plaintiff's alleged failure to identify with requisite specificity what sensitive information TikTok allegedly received through its Pixel. TikTok argues that given her failure to identify what specific
health data or sensitive information she shared with Favor and that TikTok allegedly received from Favor, she cannot state her intrusion or CIPA claims.
In Doe v. Meta Platforms, Inc., No. 22-CV-03580-WHO, 690 F.Supp.3d 1064 (N.D. Cal. Sept. 7, 2023), I addressed a similar issue and found that plaintiffs there had failed to adequately allege facts regarding the specific types of sensitive information they each alleged were captured by the Meta Pixel. I explained:
plaintiffs do not dispute this or identify any particular categories of information that they shared with their healthcare providers that they reasonably believe was captured by Meta. Instead, they rely on In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589 (9th Cir. 2020) to argue they do not need to disclose the specific information they contend Meta received. But in that case, there was no dispute that Facebook collected "a full-string detailed URL, which contains the name of a website, folder and sub-folders on the web-server, and the name of the precise file requested," when it operated. Id. at 605. Here, as Meta repeatedly points out and plaintiffs admit, there is information collected by the Pixel software that does not constitute sensitive, personal information.
Given the nature of this case — where plaintiffs allege that both unprotected and constitutionally protected information was captured by Meta's Pixel — plaintiffs are required to amend to describe the types or categories of sensitive health information that they provided through their devices to their healthcare providers. That basic amendment (which can be general enough to protect plaintiffs' specific privacy interests) will allow these privacy claims to go forward.
Id. at 1081. Here, however, plaintiff provides the information that was missing in the other case. She alleges that she provided her information to Favor in connection with obtaining prescriptions for birth control, emergency contraceptives, and condoms. AC ¶ 15. She identifies the types of questions she answered on the Favor platform to secure those services. AC ¶¶ 18-22. That is sufficient.
TikTok also argues that plaintiff's claims based on interception of "sensitive" data are foreclosed by plaintiff's reliance a December 13, 2022 article by The Markup. AC ¶ 41 ("TikTok's Pixel has come under intense scrutiny recently for its interception and collection of health data. A December 13, 2022 article by The Markup detailed these concerns, specifically highlighting the TikTok Pixel's presence on the Favor Platform as an example."). TikTok asks me to take judicial notice of the full content of The Markup article, arguing that I should accept the authors' conclusion that TikTok Pixel collected only routine URLs and not sensitive information. TikTok Mot. [Dkt. No. 91] at 6-9; TikTok Reply [Dkt. No. 98] at 2-3. Plaintiff opposes, arguing judicial notice of the full article is inappropriate and even if appropriate, the testing discussed in the article was limited and does not disprove plaintiff's contention that TikTok received sensitive information beyond routine URLs. TikTok Oppo. at 6-7. As noted in footnote 3, I will not take judicial notice of the full content of The Markup article or otherwise rely on it to foreclose plaintiff from bringing her claims based on TikTok's receipt of her sensitive, non-routine information from Favor.
TikTok next argues that disclosure of the mere URLs visited by plaintiff (or others) cannot as a matter of law be considered as disclosing anything other than
routine information and cannot form the basis of an intrusion or CIPA claim. But the cases TikTok relies on do not concern sites that specialize in provision of healthcare information, prescriptions, or other sensitive services. For example, TikTok relies extensively on Hammerling v. Google LLC, No. 21-cv-09004-CRB, 2022 WL 17365255, at **8-9 (N.D. Cal. Dec. 1, 2022). As I explained in Doe v. Regents of Univ. of California, No. 23-CV-00598-WHO, 672 F.Supp.3d 813, 820-21 (N.D. Cal. May 8, 2023):
That case is inapposite here. Personal medical information is understood to be among the most sensitive information that could be collected about a person, and I see no reason to deviate from that norm. See, e.g., Doe v. Beard, 63 F. Supp. 3d 1159, 1169-70 (C.D. Cal. 2014).
Id. at 820. Plaintiff has alleged facts showing what information beyond "routine" information she disclosed on the Favor platform that she reasonably alleges was collected by TikTok's Pixel about her prescriptions, her efforts to secure related health care products, and other sensitive information.
TikTok also relies on cases holding that people who visit public places — like adult bookstores or strip clubs — cannot have a reasonable expectation of privacy in those visits, and analogizes that to plaintiff's visiting particular websites like Favor. TikTok Reply at 5. Those cases are not persuasive for obvious reasons. Plaintiff is complaining not simply that TikTok knew plaintiff visited Favor's platform — which itself may not be sensitive enough to be protected — but that TikTok knows that plaintiff sought specific healthcare products and services while on Favor's site. That is fundamentally different. At this juncture, in the absence of discovery how the TikTok Pixels actually work and what information was tracked, it would be premature to hold that TikTok's alleged tracking of the various pages that plaintiff may have visited within Favor's platform when seeking healthcare services cannot constitute an invasion of privacy.
TikTok's reliance on United States v. Matish, 193 F. Supp. 3d 585, 616 (E.D. Va. 2016) is particularly unhelpful, and its parenthetical with that case arguably misleading. The only conclusion reached by the court was not that there is "no expectation of privacy while visiting a public pornography site." TikTok Reply at 5. It was, instead, that there is no objectively reasonable expectation in privacy in an IP address even for those who use the Tor network to mask the IP address. Id. at 616-617.
TikTok relies on Doe I v. Sutter Health, No. 34201900258072CUBTGD, 2020 WL 1331948, at *9 (Cal. Super. Jan. 29, 2020). After reasonably finding that information that simply discloses someone is a patient of a particular healthcare organization — as a result of tracking websites visited — is not a sufficient basis for a common law intrusion upon seclusion claim, the court went further and without citation to relevant authority held that "[s]earching for general health information on Sutter's public website is similar to searching for health information on Webmd.com or google.com. The Court finds Plaintiffs do not have an objectively reasonable expectation of privacy in such disclosures." I do not find that case persuasive; its conclusion lacks support.
TikTok's motion to dismiss based on an alleged failure to adequately allege tracking of sensitive healthcare information is DENIED.
B. CIPA
TikTok, like Meta, moves to dismiss the CIPA claims based on consent under Favor's Privacy Policy and as barred by the statute of limitations. Those arguments are rejected for the reasons already discussed.
1. Interception in California
TikTok separately notes that Section 631 of CIPA only covers interception
of a communication while "in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state." Cal. Penal Code § 631(a). It contends that plaintiff, who lives in Arkansas, has not plausibly alleged that her information was intercepted in California, noting the "intercepted in California" requirement "codified the basic presumption against the extraterritorial application of statutes." TikTok Mot. at 14-15.
Plaintiff alleges the following regarding TikTok:
Plaintiff's claims occurred in this State, including TikTok's and ByteDance's collection of Plaintiff's sensitive health data from the Favor Platform and use of that data for commercial purposes.
AC ¶ 56.
Defendants Meta and TikTok maintain their principal places of business in California, where they designed, contrived, agreed, conspired, effectuated, and/or received the interception and use of the contents of Plaintiff's and Class members' communications.
AC ¶ 199.
Defendants, willfully and without the consent of Plaintiff and Class members, reads or attempt to reads, or learn the contents or meaning of Plaintiff's and Class members' communications to Favor while the communications are in transit or passing over any wire, line or cable, or were being received at any place within California when it intercepted Plaintiffs and Class members' communications and data with Favor, who is headquartered in California, in real time.
AC ¶ 202.
For present purposes, in light of plaintiff's allegations regarding the practice, the interception, and the use of the data in California by TikTok, which is based in California, the interception element is plausibly pleaded. These assertions can be tested through discovery.
That plaintiff also alleges that "[t]he TikTok Pixel intercepts these communications immediately after they are sent and before they are received by" Favor does not undermine the adequacy or plausibility of plaintiff's allegation given the more specific allegations regarding TikTok's operations in California.
2. No Interception — Sections 631 & 632
TikTok also argues that both the Section 631 and 632 claims must be dismissed because plaintiff fails to adequately allege TikTok willfully intercepted communications as required by Section 631 and that TikTok "used" the Pixel to record "contents" of communications, much less confidential communications as required by Section 632. That plaintiff alleges Favor decided to install and configure the TikTok Pixel on its site (AC ¶¶ 43, 81) does not mean that plaintiff cannot allege the requisite interception and use by TikTok. She has plausibly alleged that TikTok designed and provided its Pixel to sites like Favor in order to intercept the information that she alleges TikTok received. AC ¶¶ 43, 81, 85-86; see also Lopez v. Apple, Inc., 519 F. Supp. 3d 672, 690 (N.D. Cal. 2021) (plaintiffs satisfied the not stringent requirement by alleging that "Apple used the devices by programming Siri software to intercept communications when no hot word was spoken," despite defendant's assertion that plaintiffs control their iPhones). That is sufficient. TikTok also alleges that the claims fail because plaintiff fails to allege TikTok collected "contents of communications" (required under both Sections 631 and 632) or that the contents were confidential (required under Section 632 only). TikTok notes that she alleges that the contents of her communications on the Favor platform submitted in connection with securing prescriptions and birth control products were captured by the TikTok Pixel. AC ¶ 87 ("As a result, information Plaintiff Jane Doe provided to Favor to obtain birth control, emergency contraception, and condoms was intercepted by TikTok."). TikTok wants her to allege more, arguing that she must allege facts concerning how the TikTok Pixel captures and transmits not just routine information (like anonymous device identifiers, cookies, and URLs) but the confidential information she asserts TikTok captures. The actual mechanics of how TikTok's Pixel operates and whether TikTok received only routine, unprotected information or protected, sensitive information will be shown through discovery. At this stage, plaintiff has met her burden to plausibly plead facts in support of her CIPA claims.
TikTok relies on Griffith v. TikTok et al., 23-CV-00964-SB-E, 697 F.Supp.3d 963, 972-73 (C.D. Cal. Oct. 6, 2023). But there the court rejected TikTok's similar argument that the Section 632 claim must be dismissed, explaining that "Defendants identify no authority suggesting that they cannot be held liable for eavesdropping because a third party, acting on Defendants' recommendation, participated in the installation of Defendants' code that sends information to Defendants.... At the pleading stage, the Court is unable to resolve the parties' factual dispute about whether the websites' decisions break the causal chain from Defendants' acts such that Defendants are insulated from liability for their dissemination of the TikTok SDK and their collection of the data they receive from it."
TikTok's motion to dismiss is DENIED, except for the CMIA claim that plaintiff agrees should be dismissed.
III. FULLSTORY MOTION TO DISMISS
Unlike the claims against Meta and TikTok, which are based on those defendants' pixel technology, the claims against FullStory — a Delaware corporation with its principal place of business in Georgia — are based on FullStory's "tracking technology, including its session replay software." AC ¶¶ 45-46. Plaintiff alleges that FullStory's software "intercepts highly sensitive data... when used on a website or application like the Favor Platform." Id. ¶ 50. Its software is installed on sites, like Favor's platform. AC ¶ 122. The software collects data on how customers use those sites, transmitting that data back to FullStory. AC ¶¶117-118. It compiles that data and allows customers to access it through its "dashboard." Id. ¶¶ 119-120. Plaintiff alleges that while FullStory claims that it "requires" customers to block sensitive information from being recorded, it does not have the capability to do so or to enforce that policy. Id. ¶ 121.
A. Personal Jurisdiction over FullStory
FullStory first challenges whether this court has jurisdiction over it. Plaintiff contends that there is specific personal jurisdiction over FullStory based on FullStory's conduct: (i) marketing and selling its software to Favor and "other companies" based in California; (ii) "collecting health information" from the Favor platform users, including users in California; and (iii) "using" that data to provide analytics and services to Favor for money. AC ¶¶ 57, 118-123.
1. Legal Standard
Under Rule 12(b)(2) of the Federal Rules of Civil Procedure, a defendant may move to dismiss for lack of personal jurisdiction. The plaintiff then bears the burden of demonstrating that jurisdiction exists. Schwarzenegger v. Fred Martin
Motor Co., 374 F.3d 797, 800 (9th Cir. 2004). The plaintiff "need only demonstrate facts that if true would support jurisdiction over the defendant." Ballard v. Savage, 65 F.3d 1495, 1498 (9th Cir. 1995); Fields v. Sedgwick Assoc. Risks, Ltd., 796 F.2d 299, 301 (9th Cir. 1986). "Although the plaintiff cannot simply rest on the bare allegations of its complaint, uncontroverted allegations in the complaint must be taken as true." Schwarzenegger, 374 F.3d at 800 (citations omitted). Conflicts in the evidence must be resolved in the plaintiff's favor. Id. "Where, as here, the motion is based on written materials rather than an evidentiary hearing, the plaintiff need only make a prima facie showing of jurisdictional facts. In such cases, we only inquire into whether [the plaintiff's] pleadings and affidavits make a prima facie showing of personal jurisdiction." Caruth v. International Psychoanalytical Ass'n, 59 F.3d 126, 128 (9th Cir. 1995) (internal punctuation and citation omitted).
Where there is no applicable federal statute governing personal jurisdiction, the law of the state in which the district court sits applies." Core-Vent Corp. v. Novel Indus. AB, 11 F.3d 1482, 1484 (9th Cir. 1993) (citation omitted). "California's long-arm statute allows courts to exercise personal jurisdiction over defendants to the extent permitted by the Due Process Clause of the United States Constitution." Id.; Cal. Civ. Proc. Code. § 410.10. "Because California's long-arm jurisdictional statute is coextensive with federal due process requirements, the jurisdictional analyses under state law and federal due process are the same." Schwarzenegger, 374 F.3d at 800-01.
Specific jurisdiction arises when a defendant's specific contacts with the forum give rise to the claim in question. Helicoptoros Nacionales de Columbia S.A. v. Hall, 466 U.S. 408, 414-16, 104 S.Ct. 1868, 80 L.Ed.2d 404 (1984). "A court exercises specific jurisdiction where the cause of action arises out of or has a substantial connection to the defendant's conduct with the forum." Glencore Grain Rotterdam BV v. Shivnath Rai Harnarain Co., 284 F.3d 1114, 1123 (9th Cir. 2002). The Ninth Circuit employs a three-part test to determine whether there is specific jurisdiction over a defendant: (1) the nonresident defendant must purposefully direct his activities or consummate some transaction with the forum or resident thereof; or perform some act by which he purposefully avails himself of the privilege of conducting activities in the forum, thereby invoking the benefits and protections of its laws; (2) the claim must be one which arises out of or relates to the defendant's forum-related activities; and (3) the exercise of jurisdiction must comport with fair play and substantial justice, i.e., it must be reasonable. Williams v. Yamaha Motor Co. Ltd., 851 F.3d 1015, 1023 (9th Cir. 2017).
The first prong may be satisfied by "purposeful availment of the privilege of doing business in the forum; by purposeful direction of activities at the forum; or by some combination thereof." Yahoo! Inc. v. La Ligue Contre Le Racisme Et L'Antisemitisme, 433 F.3d 1199, 1206 (9th Cir. 2006). In tort cases, courts typically inquire whether a defendant "purposefully directs his activities at the forum state, applying an 'effects' test that focuses on the forum in which the defendant's actions were felt, whether or not the actions themselves occurred within the forum." Id. In contrast, in contract cases, courts typically inquire whether a defendant "purposefully avails itself of the privilege of conducting activities or consummates a transaction in the forum, focusing on activities such as delivering goods or executing a contract." Id. (citation and internal
punctuation omitted). In the Ninth Circuit courts "generally apply the purposeful availment test when the underlying claims arise from a contract, and the purposeful direction test when they arise from alleged tortious conduct." Morrill v. Scott Fin. Corp., 873 F.3d 1136, 1142 (9th Cir. 2017).
With regard to the second prong, courts "measure this requirement in terms of 'but for' causation." Bancroft & Masters, Inc. v. Augusta Nat'l Inc., 223 F.3d 1082, 1088 (9th Cir. 2000). The plaintiff bears the burden of satisfying the first two prongs of the test. Schwarzenegger, 374 F.3d at 802. If the plaintiff succeeds in satisfying both of the first two prongs, the burden then shifts to the defendant to "present a compelling case" that the exercise of jurisdiction would not be reasonable." Id. If the plaintiff cannot satisfy either of the first two prongs, personal jurisdiction is not established in the forum state. Id.
2. Purposeful Direction
The parties initially dispute whether purposeful availment or purposeful direction applies to this case. I agree with FullStory that the CIPA and intrusion claims both sound in tort. Therefore, the purposeful direction test applies. That test "requires that the defendant ... have (1) committed an intentional act, (2) expressly aimed at the forum state, (3) causing harm that the defendant knows is likely to be suffered in the forum state." Schwarzenegger, 374 F.3d at 803; see also Briskin v. Shopify, Inc., 87 F.4th 404, 412 (9th Cir. 2023) (claims based on data privacy "sound classically in tort and are most naturally analyzed under the purposeful direction framework").
a. Intentional Act
Plaintiff argues that she has alleged a sufficient intentional act by alleging that FullStory intentionally provided its session replay software to Favor in California, that it "assisted" Favor with incorporating its technology on Favor's California-based platform, and that the operation of that technology invaded the privacy of plaintiff and California class members. AC ¶ 57 ("relating to Favor's implementing of its session replay technology, and FullStory purposefully availed itself of the forum by, among other things, marketing and selling the session replay technology at issue in this case to Favor and other technology companies headquartered in this State"), ¶ 122 ("FullStory's session replay software is incorporated on the Favor Platform. As a result, FullStory intercepted each of its users' interactions on the Favor Platform along with a unique ID that can individually identify the user").
A number of California district court cases have ruled that where a plaintiff adequately alleges a CIPA or intrusion-based claim, tortious conduct can satisfy the "intentional act" requirement for specific jurisdiction. See, e.g., Graham v. Noom, Inc., 533 F. Supp. 3d 823, 838 (N.D. Cal. 2021) (recognizing case law finding that "the 'intentional act' standard is easily satisfied where plaintiff alleges wiretapping claims," but granting motion to dismiss because plaintiffs "did not plausibly plead wiretapping, the plaintiffs have not met their prima facie burden to establish specific personal jurisdiction."); Saleh v. Nike, Inc., 562 F. Supp. 3d 503, 513 (C.D. Cal. 2021) (allegations regarding FullStory's session replay software supporting CIPA and invasion of privacy claims sufficient to support "intentional act"); see also Briskin v. Shopify, Inc., 87 F.4th 404, 412 (9th Cir. 2023) ("[b]y generating payment forms, executing code on consumers' devices, creating consumer profiles, processing consumer information,
installing cookies, and sharing payment information, Shopify has committed intentional acts").
Unlike in those cases, however, plaintiff is not a resident of California nor was her data collected when she was in California; she is a resident of Arkansas.
b. Expressly Aimed at California
Assuming plaintiff plausibly pleads a sufficient intentional act, she faces a second hurdle; satisfying the express aiming requirement. Plaintiff argues that FullStory knew that it was invading the privacy rights of Favor's users and expressly aiming that conduct to California because FullStory "processed and analyzed" the intercepted data, including data collected from Class Members in California, and returned that data in the form "insights and analytics back to Favor," who FullStory knew was based in California.
This argument is foreclosed by a recent Ninth Circuit case. In Briskin v. Shopify, Inc., 87 F.4th 404 (9th Cir. 2023), the Ninth Circuit held, "when analyzing whether a court has personal jurisdiction over a web-based payment processor in a suit alleging the unlawful extraction, retention, and sharing of consumer data, the legal framework and principles that should be brought to bear" requires a plaintiff to allege that the defendant platform has a "forum-specific focus." Id. 419-420. Under Briskin, the requisite "forum-specific" focus for a "broadly accessible web platform" like FullStory cannot be established solely by allegations that FullStory knew it was processing the data of California-based consumers for a California-based merchant, here Favor. Something more is required.
FullStory's motion for leave to file its notice of this decision as supplemental authority [Dkt. No. 109] is GRANTED.
See Briskin, 87 F.4th at 423 ("But that California is a large market does not answer the purposeful direction question because a defendant foreseeably profiting from persons making online purchases in California does not demonstrate express aiming.... And while Shopify does have a sizeable merchant base in California, its extraction and retention of consumer data depends on the actions of third-party merchants who are engaged in independent transactions that themselves do not depend on consumers being present in California.").
Id. at 419-420 (examples of "something more" include evidence that the platform actively appealed to or specifically targeted consumers in a specific state, that the platform altered its data collection activities based on the location of given online purchasers, or that the platform otherwise prioritized consumers from the target state).
That something more is missing from the Amended Complaint. FullStory's motion to dismiss for lack of personal jurisdiction is GRANTED. Because Briskin clarified the nature of the personal jurisdiction test to be applied to a data processing platform like FullStory, plaintiff is given leave to amend to attempt to allege the something more that is required to satisfy the express aiming prong of the specific jurisdiction test. B. CIPA & Intrusion
In light of this conclusion, I need not address FullStory's argument that plaintiff has not alleged that it knew harm was "likely to be suffered" in California. Schwarzenegger, 374 F.3d at 803. However, if plaintiff intends to pursue her claims against FullStory on amendment, she shall allege facts to plausibly establish that FullStory knew that the harm complained of was likely to occur in California based on its acts with respect to Favor's data (e.g., facts regarding FullStory's knowledge of how many Favor customers were based in California or other relevant facts). Similarly, I do not reach FullStory's argument regarding whether plaintiff's harm arises out of or relates to its conduct in California or whether it would be fair and reasonable to exercise jurisdiction over it in this forum. But if amending against FullStory, plaintiff should allege additional facts regarding what actions FullStory took with respect to the Favor data; e.g., whether FullStory stores the users' data on its servers, whether FullStory independently analyzes or manipulates the consumers' data, or whether it just provides tools that allowed Favor to do so.
FullStory raises a number of additional challenges to plaintiff's claims that were not made by Meta and TikTok and/or were not addressed my September 2023 Order in In re Pixel Healthcare Litigation because unlike Meta or TikTok, FullStory does not independently use the data surreptitiously secured from end-users. The challenges include a squarely raised choice of law argument, given plaintiff's residence in Arkansas and FullStory's residence in Georgia as well as the absence of allegations regarding terms of service that would impose California law on plaintiff's claims. The challenges also include arguments that liability under CIPA or for intrusion on seclusion have not been plausibly alleged, given that FullStory is a session replay vendor who is not alleged to have the ability to manipulate or use the captured, substantive data for its own ends. If plaintiff amends to pursue claims against FullStory in this case, she shall add plausible facts to support application of California law to her claims and facts regarding FullStory's control of or possible use of end-users' captured data.
CONCLUSION
Meta and TikTok's motions to dismiss are DENIED, except for the CMIA claim that plaintiff agrees should be dismissed. Plaintiff is given leave to allege further facts in support of her fraudulent concealment allegation for statute of limitations purposes for her CIPA claim against Meta. FullStory's motion to dismiss for lack of personal jurisdiction is GRANTED with leave to amend.
If plaintiff wishes to amend to preserve her fraudulent concealment tolling argument or pursue her claims against FullStory, she shall file a further amended complaint within twenty (20) days of the date of this Order.
IT IS SO ORDERED.