Opinion
C23-0718-JCC
12-19-2023
ORDER
JOHN C. COUGHENOUR UNITED STATES DISTRICT JUDGE
This matter comes before the Court on motions to dismiss by Defendants Qualtrics International Inc. and Qualtrics LLC (together “Qualtrics”) and Defendant Microsoft Corporation (Dkt. Nos. 37, 43). Having thoroughly considered the parties' briefing and the relevant record, the Court finds oral argument unnecessary and hereby GRANTS in part and DENIES in part the motions for the reasons explained herein.
I. BACKGROUND
Plaintiff is a California resident who obtains healthcare from Kaiser Permanente (“Kaiser”). (Dkt. No. 1 at 2-3.) She has been a Kaiser member for at least 10 years and has used its website throughout her membership. (Id. at 3.) Unbeknownst to Plaintiff, code within the Kaiser website includes software development kits (“SDKs”) offered by Defendants Qualtrics and Microsoft. (Id. at 9.) Plaintiff alleges that Qualtrics and Microsoft, through these SDKs, “repeatedly and systematically [] violated [her and other Kaiser members'] legally-protected privacy interest by extracting private healthcare and other information from Kaiser Members' communications with the Kaiser Website.” (Id. at 2.) This includes Kaiser members' “medical conditions, immunizations, prescriptions, physician information, and other private data, including healthcare search terms, videos watched, and links accessed.” (Id.) Plaintiff further alleges that Defendants used this data together with unique identifiers to identify the Kaiser member associated with the data. (Id. at 2, 9.) According to Plaintiff, Kaiser members had no indication this information is transmitted to Defendants. (Id. at 9.)
Plaintiff brings nine causes of action against both Qualtrics and Microsoft: (1) violations of the California Invasion of Privacy Act (“CIPA”) (two counts); (2) violation of the right to privacy under the California Constitution; (3) intrusion upon seclusion under California law; (4) violation of the U.S. Computer Fraud and Abuse Act (“CFAA”), 18 U.S.C. § 1030, et seq.; (5) unjust enrichment; (6) violation of the California Unfair Competition Law (“UCL”); (7) statutory larceny; and (8) conversion under California law. (Dkt. No. 1 at 33-46.) In response, Qualtrics and Microsoft each move to dismiss the complaint (Dkt. Nos. 37, 43) and, in doing so, seek judicial notice of several exhibits (Dkt. Nos. 38 at 3-5; 43 at 9, 12-13, 24).
II. DISCUSSION
A. Judicial Notice
As an initial matter, Qualtrics asks the Court to consider four exhibits under either the doctrine of judicial notice or the doctrine of incorporation: (1) a Qualtrics webpage titled “How to collect website feedback” (Exhibit 1); (2) a Qualtrics webpage titled “Step 4: Setting Up Your Intercept” (Exhibit 2); (3) Kaiser's log-in page (Exhibit 3); and (4) Kaiser's privacy statement (Exhibit 4). (Dkt. No. 38 at 4.) Microsoft similarly asks the Court to take judicial notice of (1) Microsoft's advertising agreement (Exhibit A), (2) Microsoft's privacy statement (Exhibit B), (3) Kaiser's privacy statement (Exhibit C), (4) a Microsoft webpage titled “Universal Event Tracking” (Exhibit E),and (5) a bulletin on the U.S. Health & Human Services website titled, “Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates” (Exhibit F). (Dkt. No. 43 at 9, 12-13, 24.)
Microsoft's motion (Dkt. No. 43) appears to incorrectly refer to this as Exhibit D.
Generally, courts may not consider material outside of the pleadings when ruling on a motion to dismiss. Lee v. City of Los Angeles, 250 F.3d 668, 688 (9th Cir. 2001). There are two exceptions to this rule. First, incorporation-by-reference allows courts to treat certain documents as though they are part of the complaint itself. Khoja v. Orexigen Therapeutics, Inc., 899 F.3d 988, 1002 (9th Cir. 2018). Second, courts may take judicial notice of facts that are “not subject to reasonable dispute because [they] . . . can be accurately and readily determined from sources whose accuracy cannot reasonably be questioned.” U.S. v. Ritchie, 342 F.3d 903, 908-09 (9th Cir. 2003) (citing Fed.R.Evid. 201(b)). Judicial notice should be taken with reserve, however, as its function is to deprive a party of the opportunity to attack opposing evidence through rebuttal and cross-examination. Rivera v. Philip Morris, Inc., 395 F.3d 1142, 1151 (9th Cir. 2005). Furthermore, “[j]ust because the document itself is susceptible to judicial notice does not mean that every assertion of fact within that document is judicially noticeable for its truth.” Khoja, 899 F.3d at 999. The same is true for websites, which may be judicially noticed for their existence and content, but not for the content's truth. Threshold Enterprises Ltd. v. Pressed Juicery, Inc., 445 F.Supp.3d 139, 146 (N.D. Cal. 2020); see 2Die4Kourt v. Hillair Cap. Mgmt., LLC, 2016 WL 4487895, slip op. at 1 n.1 (C.D. Cal. 2016) (taking judicial notice of thirty-four online news articles and social media posts “solely for their existence and content, and not for the truth of any statements in the documents”).
Here, judicial notice is appropriate with respect to Qualtrics' Exhibit 3 and Microsoft's Exhibits E and F. Exhibit 3 is Kaiser's log-in page, and there is no reasonable dispute as to its authenticity or accuracy. (See generally Dkt. Nos. 52, 55.) Exhibits E and F are public webpages, and Plaintiff does not oppose Microsoft's request that they be judicially noticed. (See generally Dkt. No. 55.) Furthermore, the complaint incorporates Exhibit F by reference. (See Dkt. No. 1 at 6.) For those reasons, the Court GRANTS Defendants' requests for judicial notice with respect to Exhibits 3, E, and F.
Judicial notice is also appropriate with respect to Qualtrics' Exhibits 1 and 4, and Microsoft Exhibits A, B, and C. Public terms of service and privacy policies are proper subjects of judicial notice. See, e.g., In re Zoom Video Commc'ns Inc. Priv. Litig., 525 F.Supp.3d 1017, 1026 (N.D. Cal. 2021); Coffee v. Google, LLC, 2021 WL 493387, slip op. at 3-4 (N.D. Cal. 2021); Matera v. Google Inc., 2016 WL 8200619, slip op. at 5 (N.D. Cal. 2016). Furthermore, Plaintiff does not meaningfully dispute the authenticity or accuracy of these exhibits. (See generally Dkt. Nos. 52, 55.) Accordingly, the Court GRANTS Defendants' requests for judicial notice with respect to Exhibits 1, 4, A, B, and C.
However, the Court only takes “judicial notice of the fact that these documents exist, ‘not whether, for example, the documents are valid or binding [].'” Opperman v. Path, Inc., 84 F.Supp.3d 962, 975 (N.D. Cal. 2015) (quoting Datel Holdings Ltd. v. Microsoft Corp., 712 F.Supp.2d 974, 984 (N.D. Cal. 2010)). The Court further notes that while these disclosures appear to be the most recent terms and policies, there is no indication that they existed throughout the last 10 years (during which Plaintiff allegedly used the Kaiser website).
With respect to Qualtrics' Exhibit 2, Qualtrics appears to be asking the Court to take judicial notice of the truth of its contents, not merely its existence. (See Dkt. No. 37 at 2) (citing Exhibit 2 for the assertion that “[t]he Site Intercept function does not ‘intercept' anything . . .”). Such a request is not appropriate under Federal Rule of Evidence 201. See Ang v. Bimbo Bakeries USA, Inc., 2013 WL 5407039, slip op. at 6 (N.D. Cal. 2013) (declining to take judicial notice of American Heart Association website pages because the defendant requested judicial notice of the truth of the contents of those pages). Accordingly, the Court DENIES Qualtrics' request for judicial notice with respect to Exhibit 2.
B. Standing
In general, to establish standing, “a plaintiff must show (i) that [s]he suffered an injury in fact that is concrete, particularized, and actual or imminent; (ii) that the injury was likely caused by the defendant; and (iii) that the injury would likely be redressed by judicial relief.” TransUnion LLC v. Ramirez, 141 S.Ct. 2190, 2203 (2021). This must be shown “for each claim that they press and for each form of relief that they seek.” Id. at 2208. At the pleading stage, “general factual allegations of injury resulting from the defendant's conduct may suffice.” Lujan v. Defenders of Wildlife, 504U.S. 555, 561 (1992) (internal citations omitted). This is not an onerous burden, though, “for on a motion to dismiss we presum[e] that general allegations embrace those specific facts that are necessary to support the claim.” Id.
Qualtrics contends that Plaintiff lacks standing because (a) she relies on group allegations, rather than alleging conduct traceable to Qualtrics (versus Microsoft); (b) she fails to allege the collected data is identifying of her (rather than anonymized), thereby failing to allege an injury in fact for her privacy claims (counts I-IV); and (c) she fails to allege any economic loss, as required to assert her remaining claims (counts V-IX). (Dkt. No. 37 at 14-17.) None of these arguments are persuasive.
First, Plaintiff adequately alleges conduct traceable to Qualtrics. Indeed, the complaint specifically identifies how Qualtrics' SDK intercepts Kaiser members' private data and the types of data it intercepts. (See Dkt. No. 1 at 9, 16-23.)This is sufficient to allege conduct traceable to Qualtrics. See In re Static Random Access Memory (SRAM) Antitrust Litig., 580 F.Supp.2d 896, 904 (N.D. Cal. 2008) (“Although Plaintiffs will need to provide evidence of each Defendants' participation in any conspiracy, they now only need to make allegations that plausibly suggest that each Defendant participated in the alleged conspiracy.”). That the complaint also alleges conduct equally traceable to Microsoft does not render those allegations improper “group allegations.” See Tivoli LLC v. Sankey, 2015 WL 12683801, slip op. at 3 (C.D. Cal. 2015) (“Group pleading is not fatal to a complaint if the complaint still gives defendants fair notice of the claims against them.”).
Separately, the complaint also discusses Microsoft's allegedly unlawful conduct. (See id. at 916).
Second, Plaintiff repeatedly alleges that “the unique user identifiers allow Qualtrics to link” a Kaiser member's private data “to a specific user and identify the user.” (Dkt. No. 1 at 1723) (emphasis added). Construing the complaint liberally, as the Court must, this is sufficient to allege that Qualtrics collects non-anonymized data, thereby giving rise to an injury in fact. See Warth v. Seldin, 422 U.S. 490, 501 (1975) (“For purposes of ruling on a motion to dismiss for want of standing, [courts] must accept as true all material allegations of the complaint and must construe the complaint in favor of the complaining party.”).
Relatedly, Microsoft notified this Court of a recent decision in Adams v. PSP Group, LLC, 2023 WL 5951784 (E.D. Mo. 2023), asserting that it addresses various issues raised in Microsoft's motion to dismiss. (Dkt. No. 59.) In Adams, the court dismissed a case challenging the use of Microsoft session replay software for failure to plead a concrete injury sufficient to confer Article III standing. 2023 WL 5951784, slip op. at 1. But this case is clearly distinguishable. Whereas the plaintiff in Adams “[did] not allege or describe what information Plaintiff provided to Defendant while she was visiting its website,” (id. at 16), Plaintiff here does so extensively. (See Dkt. No. 1 at 9-16) (alleging that Microsoft collected Kaiser members' search terms, visited webpages, viewed videos, prescriptions, medical conditions, immunization records, and allergies to link each member to a specific user and identify the user). Accordingly, Adams does not change the Court's conclusion.
Third and finally, Plaintiff alleges economic loss in two ways: (a) the unlawful taking and use of her private data, which is inherently valuable; and (b) the diminution of the value of that data. (See Dkt. No. 1 at 25, 28, 42, 45.) Qualtrics argues that such losses are insufficient to confer standing, and that Plaintiff must instead allege that she planned to sell her data, or that her data was made less valuable due to Qualtrics' use of it. (Dkt. No. 37 at 16-17.) Although the Court disagrees, this argument merits further discussion.
“[S]tate law can create interests that support standing in federal courts.” Cantrell v. City of Long Beach, 241 F.3d 674, 684 (9th Cir. 2001). As relevant here, California law recognizes a right to disgorgement of profits resulting from unjust enrichment, even where an individual has not suffered a corresponding loss. In re Facebook, Inc. Internet Tracking Litig., 956 F.3d 589, 599 (9th Cir. 2020) [hereinafter Facebook Tracking]. Thus, to establish standing, Plaintiff must allege she retains a stake in the profits garnered from her personal data because “the circumstances are such that, as between the two [parties], it is unjust for [Qualtrics] to retain it.” Id. at 600 (citing McBride v. Boughton, 20 Cal.Rptr.3d 115, 122 (2004)) (emphasis in original).
Here, Plaintiff adequately pleads an entitlement to Qualtrics' profits from users' personal data. Specifically, she alleges that her personal data carries financial value and cites to numerous articles and studies describing the growing market for personal data, including personal health data. (Dkt. No. 1 at 23-28.) Furthermore, Plaintiff alleges that Qualtrics profited from this data and, in fact, used the data for targeted advertising, generating revenue and profits. (Id. at 42-45.) And according to Plaintiff, Qualtrics' actions diminished the value of her data. (Id. at 28.) Combined, these allegations are sufficient to confer standing under Facebook Tracking. See Ji v. Naver Corp., 2023 WL 6466211, slip op. at 6 (N.D. Cal. 2023) (finding the plaintiffs' “diminution of value” theory of economic injury sufficient to confer standing).
Accordingly, the Court FINDS that Plaintiff has sufficiently pleaded an injury to support standing for the relief sought.
C. Failure to State a Claim
Next, Defendants challenge the factual sufficiency of the complaint as a whole, as well as each of Plaintiff's individual claims. The Court considers each in turn.
1. Legal Standard
Dismissal is proper when a plaintiff “fails to state a claim upon which relief can be granted.” Fed.R.Civ.P. 12(b)(6). To survive a motion to dismiss, a complaint must contain sufficient factual matter, accepted as true, to state a claim for relief that is plausible on its face. Ashcroft v. Iqbal, 556 U.S. 662, 677-78 (2009). A plaintiff is obligated to provide grounds for their entitlement to relief that amount to more than labels and conclusions or a formulaic recitation of the elements of a cause of action. Bell Atl. Corp. v. Twombly, 550 U.S. 544, 545 (2007). A claim has facial plausibility when the plaintiff pleads factual contentthat allows the court to draw the reasonable inference that the defendant is liable for the misconduct alleged. Iqbal, 556 U.S. at 678. “[T]he pleading standard Rule 8 announces does not require ‘detailed factual allegations,' but it demands more than an unadorned, the-defendant-unlawfully-harmed-me accusation.” Id. (citing Twombly, 550 U.S. at 555). Dismissal under Rule 12(b)(6) “can [also] be based on the lack of a cognizable legal theory.” Balistreri v. Pacifica Police Dep't, 901 F.2d 696, 699 (9th Cir. 1988).
Although the Court must accept as true a complaint's well-pleaded facts, conclusory allegations of law and unwarranted inferences will not defeat an otherwise proper Rule 12(b)(6) motion. See, e.g., Vasquez v. Los Angeles Cnty., 487 F.3d 1246, 1249 (9th Cir. 2007); Sprewell v. Golden State Warriors, 266 F.3d 979, 988 (9th Cir. 2001).
2. Factual Sufficiency
Qualtrics and Microsoft challenge the adequacy of the complaint's factual allegations under Rule 8. Specifically, Qualtrics argues that Plaintiff fails to plead when she used the Kaiser website and thus was exposed to Qualtrics' alleged data collection. (Dkt. No. 37 at 18.) Microsoft similarly argues that Plaintiff fails to allege facts plausibly showing she was personally affected by Microsoft's alleged conduct, including the dates she used the Kaiser website and facts showing Kaiser disclosed her data in a manner that allowed Microsoft to identify her personally. (Dkt. No. 43 at 15-16.) Neither argument is convincing.
Rule 8 requires that a complaint “contain sufficient allegations of underlying facts to give fair notice and to enable the opposing party to defend itself effectively.” Starr v. Baca, 652 F.3d 1202, 1216 (9th Cir. 2011). Courts do at times “dismiss claims under Rule 8 when plaintiffs fail to allege approximately when the actionable misconduct occurred.” Brodsky v. Apple Inc., 445 F.Supp.3d 110, 135 (N.D. Cal. 2020). But “a failure to plead when any alleged misconduct occurred will not necessarily be fatal under Rule 8.” Id. Instead, a plaintiff's “repeated failure to plead the approximate date of alleged misconduct fails to satisfy Rule 8” in certain circumstances, such as “where . . . an applicable statute of limitations defense has been raised and is non-frivolous” Id.
Here, Plaintiff alleges she “has been a Kaiser Member for at least 10 years and has used the Kaiser Website throughout her membership.” (Dkt. No. 1 at 3, 28.) She claims that while logged into that account, “she used the search function; accessed immunization and medical records; made appointments; reviewed physical information; reviewed medical conditions; and watched videos,” and that when she did, “Defendants unlawfully intercepted and collected such data along with her personal identifiers.” (Id.) This is sufficient under Rule 8, particularly in light of Defendants' failure to raise a non-frivolous statute of limitations defense. Accordingly, the Court DENIES Defendants' motions on these grounds.
In arguing factual insufficiency under Rule 8, Qualtrics raises the possibility of a statute of limitations defense. (Dkt. No. 37 at 18.) Generally, the statute of limitations commences when a cause of action “accrues.” Bernson v. Browning-Ferris Indus., 871 P.2d 613, 615 (Cal. 1994). But under the common law “discovery rule,” the accrual date may be “delayed until the plaintiff is aware of her injury.” Id. (citation omitted). A plaintiff is held to her actual knowledge as well as knowledge that could reasonably be discovered through investigation of sources open to her. Jolly v. Eli Lilly & Co., 751 P.2d 923, 927 (Cal. 1988). Here, Plaintiff alleges that she and class members “could not with due diligence have discovered the full scope of Defendants' conduct” because Defendants' SDKs were highly technical and there was no indication that would alert a reasonable consumer of Defendants' data collection and interception. (Dkt. No. 1 at 29.) According to the complaint, “[t]he earliest Plaintiff and Class Members could have known about Defendants' conduct was shortly before the filing of this Complaint.” (Id.) Accepting Plaintiff's allegations as true, the delayed discovery rule tolls the statute of limitations, making the specific timing of alleged misconduct irrelevant to the analysis.
As for Microsoft's argument that Plaintiff fails to allege facts showing Microsoft could identify her personally: this is another iteration of Qualtrics' standing argument, and the Court denies it for the same reasons. See supra Part II.B.
3. Consent
Qualtrics next argues Plaintiff's claims must be dismissed because she consented to Qualtrics' collection of her data. (Dkt. No. 37 at 19-20.) Consent “can be explicit or implied, but any consent must be actual.” Calhoun v. Google LLC, 526 F.Supp.3d 605, 620 (N.D. Cal. 2021). For consent to be actual, the disclosures must “explicitly notify” users of the practice at issue. Id.; see also Campbell v. Facebook, Inc., 77 F.Supp.3d 836, 847-48 (N.D. Cal. 2014) (explaining that, for a finding of consent, the disclosures must have given users notice of the “specific practice” at issue). And the disclosures must have only one plausible interpretation. In re Facebook, Inc., Consumer Privacy User Profile Litig., 402 F.Supp.3d 767, 794 (N.D. Cal. 2019).Finally, Qualtrics bears the burden of showing consent. See Calhoun, 526 F.Supp.3d at 620.
“[I]f a reasonable . . . user could have plausibly interpreted the contract language as not disclosing that [the defendant] would engage in particular conduct, then [the defendant] cannot obtain dismissal of a claim about that conduct (at least not based on the issue of consent).” Id. at 789-90.
Qualtrics asserts the Kaiser website “advises users that by logging in, they accept Kaiser's Term & Conditions and Privacy Statement.” (Dkt. No. 37 at 19.) The privacy statement, in turn, informs users that Kaiser may “disclose your personal information to third parties who provide services on our behalf to help with our business activities,” and that Kaiser and its “service providers may place Internet ‘cookies' or similar technologies . . . on the computer hard drives of visitors to the Site.” (Id. at 19-20.) This, according to Qualtrics, shows that any logged-in Kaiser user consented to the data collection at issue in this case. (Id. at 20.)
But Plaintiffs' claims do not hinge on a Kaiser user being logged in to her account, as Plaintiff expressly alleges that Qualtrics collects certain categories of data “regardless of whether the user is logged in to her Kaiser Account.” (Dkt. No. 1 at 19.) Thus, even if Kaiser's disclosures at log-in indicate consent to some of the allegedly unlawful data collection, they do not indicate consent to all of it.
Moreover, the Court is skeptical that a reasonable user who viewed Kaiser's policies would have understood that Qualtrics was collecting protected health information. In In re Meta Pixel Healthcare Lit., for example, the court found no consent where Meta's policies indicated that Meta collects users' personal data, but “do not . . . specifically indicate that Meta may acquire health data obtained from Facebook users' interactions with their medical providers' websites.” 647 F.Supp.3d 778, 793 (N.D. Cal. 2022) (emphasis in original). Such notice, the court concluded, was too generalized to establish consent. Id. The same holds true here. Although Kaiser informed users that it may disclose “personal information to third parties,” a reasonable user would not have understood this to include personal health information. (See Dkt. No. 37 at 19.) That this case involves Kaiser (a health care provider) rather than Meta (a tech company) does not persuade the Court otherwise, particularly in light of the sensitive nature of the data at issue (which includes Plaintiff's prescriptions, medical conditions, immunizations, allergies, search queries, and unique identifiers). (See Dkt. No. 1 at 16-23.)
Accordingly, Qualtrics' motion to dismiss based on consent is DENIED.
D. Privacy Claims
1. California Invasion of Privacy Act
Plaintiff claims Defendants violated two provisions of CIPA: § 631(a) (the wiretapping provision) and § 632 (the recording provision).
a. Section 631(a)
CIPA § 631(a) prohibits “three distinct and mutually independent patterns of conduct”: (1) intentional wiretapping; (2) willfully attempting to learn the contents or meaning of a communication in transit over a wire; and (3) attempting to use or communicate information obtained as a result of engaging in either of the two previous activities. Mastel v. Miniclip SA, 549 F.Supp.3d 1129, 1134 (E.D. Cal. 2021). Under the participant exception, however, parties to a communication are exempt from liability. Facebook Tracking, 956 F.3d at 607; see also Warden v. Kahn, 160 Cal.Rptr. 471, 475 (1979) (“[S]ection 631 . . . has been held to apply only to eavesdropping by a third party and not to recording by a participant to a conversation.”).
Qualtrics argues it acted merely as an extension of Kaiser, and therefore, was a participant rather than an eavesdropper. (Dkt. No 37 at 20-22.) Lower courts are split as to whether a software provider falls within the party exception. Compare Revitch v. New Moosejaw, LLC, 2019 WL 5485330, slip op. at 1 (N.D. Cal. 2019) (holding that defendant “acted as a third party” for CIPA purposes), with Graham v. Noom, 533 F.Supp.3d 823, 832 (N.D. Cal. 2021) (holding that software vendors are extensions of the websites that employ them, and thus not third parties for CIPA purposes).But even if the Court were to adopt the Graham approach, as Qualtrics urges, Plaintiff adequately alleges that Qualtrics used her data for its own benefit. (Dkt. No. 1 at 42-43) (“[Defendants'] benefits include . . . the revenue and profits resulting from the targeted advertising and other uses of such data by Defendants.”). Accordingly, Qualtrics' argument that it is a mere “extension” of Kaiser does not provide a basis for dismissal at this stage.
Although in Graham, Judge Beeler distinguished the Moosejaw line of cases, explaining that those involved third parties who allegedly used the data for their own benefit (rather than for the sole benefit of the party to the communication). Id. But as Judge Breyer later explained in Javier v. Assurance IQ, LLC, “reading a use requirement into the second prong would add requirements that are not present (and swallow the third prong in the process).” 649 F.Supp.3d 891, 900 (N.D. Cal. 2023).
Microsoft argues Plaintiff's § 631(a) claim fails because she does not claim Microsoft tapped or intercepted her communications with “any telegraph or telephone wire, line, cable, or instrument.” (Dkt. No. 43 at 20-21); see Cal. Penal Code § 631(a). To the extent Plaintiff alleges intentional wiretapping under the first clause of § 631(a), the Court agrees. As Microsoft correctly notes, courts have strictly construed the “telegraph or telephone” component of § 631(a)'s intentional wiretapping clause. See, e.g., In re Google Assistant Privacy Litig., 457 F.Supp.3d 797, 825 (N.D. Cal. 2020) (“The first clause expressly requires that the unauthorized connection be made with any telegraph or telephone wire, line, cable, or instrument.”) (quotations omitted); Matera v. Google Inc., 2016 WL 8200619, slip op. at 18 (N.D. Cal. 2016) (same). Here, Plaintiff does not suggest that Defendants tapped her communications using telegraph or telephone wires, besides a conclusory statement that “Defendants . . . intercept[ed] [her] Private Data . . . while the same was in transit or passing over any wire, line, or cable ....” (Dkt. No. 1 at 34.)
Thus, Plaintiff fails to state a § 631(a) claim against both Defendants, but only to the extent she bases her claim on intentional wiretapping.
b. Section 632
CIPA § 632 imposes liability on “[a] person who, intentionally and without the consent of all parties to a confidential communication, uses an electronic amplifying or recording device to eavesdrop upon or record the confidential communication” of another. Cal. Penal Code § 632(a). Defendants each argue for dismissal of Plaintiff's § 632(a) claim.
Microsoft argues the claim fails because Plaintiff does not allege that Microsoft used any “electronic amplifying or recording device” to record her information. (Dkt. No. 43 at 21-22.) The Court agrees, to some extent. “Software like Google Maps, Chrome, etc. are not ‘devices' within the meaning of CIPA because they are not ‘equipment.'” In re Google Location Hist. Litig., 428 F.Supp.3d 185, 193 (N.D. Cal. 2019) (citing Moreno v. San Francisco Bay Area Rapid Transit Dist., 2017 WL 6387764, slip op. at 5 (N.D. Cal. 2017)). But servers are distinct. See, e.g., Brown v. Google LLC, 525 F.Supp.3d 1049, 1064, 1073-74 (N.D. Cal. 2021). And although Plaintiff asserts that “Defendants violated CIPA by using their SDKs and receiving servers,” the complaint alleges that only Qualtrics used such servers (whereas Microsoft used software). (Dkt. No. 1 at 17-18.)Because software does not constitute a “device” under the CIPA, Plaintiff's § 632 claim against Microsoft is deficient.
The Court has permitted Plaintiff's references to “Defendants” rather than Microsoft and Qualtrics individually throughout the complaint, see supra Part II.B. However, it will not go as far as to assume such allegations apply to both Defendants equally where the factual allegations specific to Microsoft and Qualtrics diverge. Here, only the “Qualtrics” section of the complaint contains an explicit reference to “servers” (Dkt. No. 1 at 17-18), whereas the “Microsoft” section refers only to “software” (Id. at 9). Accordingly, the Court interprets this to mean only Qualtrics is alleged to have used a server.
Qualtrics argues Plaintiff's § 632 claim fails because (i) it was Kaiser (not Qualtrics) that “used” the recording device, and (ii) Qualtrics did not intend to record confidential communications without consent. (Dkt. No. 37 at 22-23.) The first argument is unpersuasive because Plaintiff adequately pleads Qualtrics' use of a recording device. (See Dkt. No. 1 at 17-18) (detailing Qualtrics' use of servers to collect user data).As for the second argument, Qualtrics' reliance on Federated Univ. Police Officers' Ass'n v. Regents of the Univ. of Cal. is inapposite. 2015 WL 13273308 (C.D. Cal. 2015). There, the court dismissed a CIPA claim against a retailer that did little more than “sell and install [a] recording system” at a police department. Id. at 10. Such minimal involvement, the court held, was insufficient to suggest the retailer “acted intentionally in eavesdropping ....” Id. In contrast, Plaintiff here alleges far more involvement by Qualtrics, including that Qualtrics' SDK collected and forwarded Plaintiff's personal health information to Qualtrics' servers. (Dkt. No. 1 at 17-18.) This is sufficient to show intent to record confidential communications at the dismissal stage.
Notably, “[Qualtrics] identif[ies] no authority suggesting that [it] cannot be held liable for eavesdropping because a third party . . . participated in the installation of [Qualtrics'] code that sends information to [Qualtrics].” Griffith v. Tiktok, Inc., 2023 WL 7107262, slip op. at 7 (C.D. Cal. 2023).
c. Microsoft's Remaining CIPA Arguments
Finally, Microsoft argues both of Plaintiff's CIPA claims fail because she does not allege facts showing Microsoft intercepted the contents of her communications with Kaiser, as is required under CIPA. (Dkt. No. 43 at 17-19.) Microsoft points to In re Zynga Privacy Litigation, where the Ninth Circuit found that URLs which merely included basic identification and address information did not constitute contents of a communication. 750 F.3d 1098, 1109 (9th Cir. 2014).But Zynga itself distinguishes such URLs from those that disclose contents because they “show[] the specific search terms the user had communicated ....” Id. at 1108-09. And here, Plaintiff alleges Microsoft collects URLs containing search queries that could divulge a user's medical conditions, allergies, and immunizations. (Dkt. No. 1 at 10, 13-16.) Accordingly, Plaintiff has adequately pled that Microsoft intercepted the contents of her communication with Kaiser for purposes of CIPA.
Although Zynga analyzed communication under the federal Wiretap Act, 18 U.S.C. § 2511(3), the same analysis applies under CIPA. See Cline v. Reetz-Laiolo, 329 F.Supp.3d 1000, 1051 (N.D. Cal. 2018).
Separately, Microsoft asks the Court to dismiss Plaintiff's CIPA, UCL, and unjust enrichment claims as to non-California residents, arguing these claims do not apply extraterritorially and the alleged conduct occurred outside of California. (Dkt. No. 43 at 22, 29.) Because this request is premature, the Court will not address it at this juncture. Clancy v. The Bromley Tea Co., 308 F.R.D. 564, 572 (N.D. Cal. 2013) (“[A] detailed choice-of-law analysis is not appropriate at this stage of litigation. Rather, such a fact-heavy inquiry should occur during the class certification stage, after discovery.”).
In summary, the Court DISMISSES Plaintiff's CIPA § 632 claim against Microsoft, as well as her CIPA § 631(a) claim against both Defendants (but only to the extent she bases thon intentional wiretapping. Plaintiff's remaining CIPA claims survive.
2. California Constitution & Common Law Intrusion Upon Seclusion
To state a claim for intrusion upon seclusion under California common law, a plaintiff must plead that (1) the defendant intentionally intruded into a place, conversation, or matter as to which the plaintiff has a reasonable expectation of privacy, and (2) the intrusion occurred in a manner highly offensive to a reasonable person. Facebook Tracking, 956 F.3d at 601 (citing Hernandez v. Hillsides, Inc., 211 P.3d 1063, 1072 (2009)). A claim for invasion of privacy under the California Constitution involves similar elements: a plaintiff must show that (1) they possess a legally protected privacy interest, (2) they maintain a reasonable expectation of privacy, and (3) the intrusion is “so serious . . . as to constitute an egregious breach of the social norms” such that the breach is “highly offensive.” Id. Because the tests are similar, courts typically consider the claims together and ask (1) whether there exists a reasonable expectation of privacy, and (2) whether the intrusion was highly offensive. Id. Qualtrics and Microsoft raise various arguments in support of their motions to dismiss each claim, which the Court discusses in turn.
a. Qualtrics
Two of Qualtrics' arguments are foreclosed by the rulings above. First, Qualtrics asserts that Plaintiff's invasion of privacy and intrusion upon seclusion claims fail “because Qualtrics is merely an extension of Kaiser.” (Dkt. No. 37 at 24, 26.) The Court has already rejected this argument and will not readdress it here. See supra Part II.D(1)(a). Second, Qualtrics argues Plaintiff lacked a reasonable expectation of privacy “because she consented to Kaiser's Privacy Policy, which disclosed that data is shared with third-party partners ....” (Dkt. No. 37 at 24, 26.) Again, the Court has rejected this consent-based argument. See supra Part II.C(3).
Qualtrics also argues Plaintiff had no legally protected privacy interest “where defendant has only collected browsing data from one site, as opposed to across the Internet.” (Dkt. No. 37 at 24.) But the cases Qualtrics cites for this proposition are inapposite. Those courts' refusal to find a privacy interest did not hinge on the defendants collecting data from only a single site; rather, it hinged on the defendants' role as operators of the site through which they allegedly collected data. See Yoon v. Lululemon USA, Inc., 549 F.Supp.3d 1073, 1086 (C.D. Cal. 2021); In re Google Location Hist. Litig., 428 F.Supp.3d 185, 198 (N.D. Cal. 2019). As the Yoon court explained, “courts have been less willing to find that users have a cognizable privacy interest in browsing data collected only while users interact with the website of the defendant company.” 549 F.Supp.3d at 1086 (emphasis added). And here, Qualtrics is not the website owner; Kaiser is. Accordingly, the Court rejects this argument.
Had Plaintiff brought this suit against Kaiser, the cited cases may have been more persuasive.
Qualtrics next argues that the data collection at issue was not highly offensive because (i) it involved only anonymized data, (ii) it was merely routine, and (iii) there was no improper use of the data. (Dkt. No. 37 at 25-26) (citing Folgelstrom v. Lamps Plus, Inc., 125 Cal.Rptr.3d 260 (2011)). The Court has already concluded that Plaintiff adequately alleges non-anonymized data collection, see supra Part II.B, and Qualtrics' remaining arguments are unpersuasive. Qualtrics' relies on Folgestrom, a case that other courts have distinguished where “the data at issue [] is more private than a person's mailing address and this kind of intrusion is not routine commercial behavior.” Opperman v. Path, Inc., 205 F.Supp.3d 1064, 1078 (N.D. Cal. 2016). And here, the data at issue is Plaintiff's personal health information. Fundamentally, “[t]he ultimate question of whether [Defendants'] tracking and collection practices could highly offend a reasonable individual is an issue that cannot be resolved at the pleading stage.” Facebook Tracking, 956 F.3d at 606.
b. Microsoft
Microsoft's first argumentputs at issue the contents of Plaintiff's communications. (See Dkt. No. 43 at 17-19.) This is a regurgitation of its prior argument, which the Court rejects for the same reasons it did above. See supra Part II.D(1).
Microsoft also contends Plaintiff's claims lack specificity and are set in conclusory terms. (Dkt. No. 43 at 23-24.) But the Ninth Circuit has not required more than Plaintiff has alleged. See Facebook Tracking, 956 F.3d at 603 (rejecting Facebook's claim that “Plaintiffs need to identify specific, sensitive information that Facebook collected, and that their more general allegation that Facebook acquired ‘an enormous amount of individualized data' is insufficient”). The Court therefore rejects that argument.
Microsoft next argues Plaintiff lacked a reasonable expectation of privacy before logging into the Kaiser website (because the data collected is not protected health information) and after logging in (because Kaiser's Privacy Statement discloses data collection). (Dkt. No. 43 at 24.) As previously stated, the Court is not convinced that Kaiser's Privacy Statement indicates full consent to Defendants' alleged data collection. See supra Part II.C(3).
Because Plaintiff plausibly alleges a constitutional violation and intrusion upon seclusion, it is unnecessary for the Court to decide at the pleading stage whether Plaintiff had a reasonable expectation of privacy prior to logging into the Kaiser website. Rule 12(b)(6) “does not provide a mechanism for dismissing only a portion of a claim.” Franklin v. Midwest Recovery Sys., LLC, 2020 WL 3213676, slip op. at 1 (C.D. Cal. 2020) (collecting cases).
Finally, Microsoft argues Plaintiff's claims fail because she “does not allege that any privacy invasion was ‘sufficiently serious'” such that it evidences an “intent of committing theft,” nor does she plead “facts showing Microsoft used the data in a highly offensive manner.” (Dkt. No. 43 at 24-25.) Again, the Court is unpersuaded. First, Microsoft's cited legal authority does not support its assertion that Plaintiff must plead Microsoft “intended to steal her data.” See generally, Razuki v. Caliber Home Loans, Inc., 2018 WL 2761818, slip op. at 2 (S.D. Cal. 2018). Second, “[t]he ultimate question of whether [Defendants'] tracking and collection practices could highly offend a reasonable individual is an issue that cannot be resolved at the pleading stage.” Facebook Tracking, 956 F.3d at 606. At this stage, Plaintiff's allegations that Defendants intercepted and collected Plaintiff's protected health information and personally identifiable information are sufficient to survive dismissal.
In sum, Plaintiff has sufficiently pleaded the “reasonable expectation of privacy” and “highly offensive” elements necessary to state a claim for intrusion upon seclusion and invasion of privacy. The Court thus DENIES Defendants' motions to dismiss these claims.
3. CFAA
“[T]he CFAA is an anti-hacking statute, not an expansive misappropriation statute.” Andrews v. Sirius XM Radio Inc., 932 F.3d 1253, 1263 (9th Cir. 2019) (quotations omitted). The statute makes it unlawful to, among other things, “intentionally access[] a computer without authorization” and obtain “information from any protected computer.” 18 U.S.C. § 1030(a)(2). For civil liability to attach, a plaintiff must allege a violation involving one of the five factors listed in § 1030(a)(5)(B). Id. § 1030(g). Here, Plaintiff relies on two of the factors: that the offense caused “loss to 1 or more persons during any 1-year period . . . aggregating at least $5,000 in value,” see id. § 1030(a)(4)(A)(i)(I), and that the offense caused “a threat to public health or safety,” see id. § 1030(a)(4)(A)(i)(IV). (Dkt. No. 1 at 42).
Defendants argue that Plaintiff has not alleged sufficient loss to maintain her CFAA claim under the first factor. (Dkt. Nos. 37 at 28-29, 43 at 26-27.) The Court agrees. A “loss” under the CFAA is “any reasonable cost to any victim, including the cost of responding to an offense, conducting a damage assessment, and restoring the data, program, system, or information to its condition prior to the offense, and any revenue lost, cost incurred, or other consequential damages incurred because of interruption of service.” 18 U.S.C. § 1030(e)(11). Here, Plaintiff's sole alleged loss is based on “diminution in value” of her private data. (Dkt. No. 1 at 42.) This is insufficient under the CFAA, which “clearly limits [‘loss'] to harms caused by computer intrusions, not general injuries unrelated to the hacking itself.” Andrews, 932 F.3d at 1263; see Cottle v. Plaid, Inc., 536 F.Supp.3d 461, 486 (N.D. Cal. 2021) (concluding that Andrews forecloses the diminution of value theory for CFAA claims). Furthermore, Plaintiff's reference to the “damage” she allegedly suffered is misplaced, as § 1030(a)(4)(A)(i)(I) refers only to “loss” (which is distinct from “damage” under the CFAA). Compare 18 U.S.C. § 1030(e)(8) (defining “damage”), with 18 U.S.C. § 1030(e)(11) (defining “loss”). Accordingly, Plaintiff fails to state a CFAA claim based on the first factor.
As an alternative theory, Plaintiff also asserts she and class members “suffered loss of at least $5,000 in the form of retaining a technical expert to investigate Microsoft's surreptitious interception and collection of their data in order to ‘respond[] to an offense' and to ‘to restor[e] the data . . . to its condition prior to the offense.” (Dkt. Nos. 54 at 26-27, 55 at 24.) There are two problems with this theory. First, Plaintiff failed to raise it in the complaint. (See generally Dkt. No. 1.) Second, even if Plaintiff had included it in the complaint, the Court is not convinced that this theory would meet the CFAA's “loss” requirement. As the Supreme Court explained in Van Buren v. United States, 141 S.Ct. 1648, 1659-60 (2021), “the statutory definition[] of . . . ‘loss' [] focus[es] on technological harms-such as the corruption of files-of the type unauthorized users cause to computer systems and data.” Plaintiff's hiring of a “technical expert” for investigation purposes does not fit this definition.
As to the second factor, Plaintiff makes a conclusory allegation that Defendants' conduct “constitutes ‘a threat to public health or safety' under 18 U.S.C. § 1030(c)(4)(A)(i)(IV),” but fails to include specific factual allegations to support that theory of CFAA liability.
Because Plaintiff has not plausibly alleged a “loss” under the CFAA, Defendants' motions to dismiss these claims are GRANTED.
E. Remaining Claims
1. Unjust Enrichment
Californiacourts are divided as to whether a plaintiff can assert unjust enrichment as a standalone cause of action (as opposed to an alternative mechanism for relief). ESG Cap. Partners, LP v. Stratos, 828 F.3d 1023, 1038 (9th Cir. 2016) (comparing cases); see also Grausz v. Hershey Co., 2023 WL 6206449, slip op. at 8 (S.D. Cal. 2023) (collecting Ninth Circuit decisions demonstrating the uncertainty). However, the most recently published Ninth Circuit case on the issue noted that an unjust enrichment claim may proceed “as an independent cause of action or as a quasi-contract claim for restitution.” ESG Cap. Partners, 828 F.3d at 1038. To allege unjust enrichment as an independent cause of action, a plaintiff must show the defendant received and unjustly retained a benefit at the plaintiff's expense. Id. at 1038-39 (citing Lectrodryer v. SeoulBank, 91 Cal.Rptr.2d 881, 883 (2000)). Here, Plaintiff alleges Defendants intercepted and collected her private data without her consent, that Defendants benefitted from the “revenues and profits resulting from targeted advertising and other uses of such data,” and that this “diminished the value of that Private Data.” (Dkt. No. 1 at 28, 42-43.) This is sufficient to plead that Defendants received and unjustly retained a benefit at Plaintiff's expense.
Because the complaint asserts that “California substantive law applies to every member of the Class,” (Dkt. No. 1 at 32), the Court treats the unjust enrichment claim as one brought under California common law.
Accordingly, Defendants' motions to dismiss Plaintiff's unjust enrichment claim are DENIED.
Defendants further argue Plaintiff's unjust enrichment claim fails because she has not pled an inadequate remedy at law. (See Dkt. Nos. 37 at 31, 43 at 28.) The Court rejects this argument in light of “clearly established circuit practice allowing plaintiffs to plead in the alternative at the earliest stages of litigation.” Haas v. Travelex Ins. Servs. Inc., 555 F.Supp.3d 970, 980 (C.D. Cal. 2021); see also Cabrales v. Castle & Cooke Mortg., LLC, 2015 WL 3731552, slip op. at 3 (E.D. Cal. 2015) (collecting cases and noting the “ampl[e] support[]” for this proposition in the Ninth Circuit).
2. UCL
The UCL prohibits “any unlawful, unfair or fraudulent business act or practice.” Cal. Bus. & Prof. Code § 17200. Each of the three UCL prongs provides a “separate and distinct theory of liability” and an independent basis for relief. Rubio v. Capital One Bank, 613 F.3d 1195, 1203 (9th Cir. 2010) (internal quotation marks and citations omitted). Plaintiff asserts Defendants' conduct violates the “unlawful” and “unfair” prongs. (Dkt. No. 1 at 44-45.) Defendants respond that Plaintiff lacks standing to assert a UCL claim, or alternatively, that the claim fails on the merits. (Dkt. Nos. 37 at 29-30, 43 at 28-29.) The Court disagrees.
To have standing to assert a UCL claim, a plaintiff needs to have “suffered injury in fact and . . . lost money or property as a result of the unfair competition.” Rubio, 613 F.3d at 1203. “To show that they have lost money or property, Plaintiff[] must demonstrate some form of economic injury, which is itself a classic form of injury in fact.” Brown v. Google LLC, 2021 WL 6064009, slip op. at 15 (N.D. Cal. 2021) (citing Kwikset Corp. v. Superior Court, 246 P.3d 877, 886 (Cal. 2011)) (internal quotations omitted). Thus, because federal standing “may be predicated on a broader range of injuries,” the effect of the “lost money or property” requirement is to “render[] standing under [the UCL] substantially narrower than federal standing.” Id.
Here, Plaintiff asserts she has “suffered an injury in fact, including lost consideration for provision of access to [her private data] and diminished value of that data.” (Dkt. No. 1 at 45.) “[S]everal courts have held that the unauthorized release of ‘personal information' does not constitute a loss of money or property for purposes of establishing standing under the UCL.” Fraley v. Facebook, Inc., 830 F.Supp.2d 785, 811 (N.D. Cal. 2011) (collecting cases). However, “the growing trend across courts . . . is to recognize the lost property value of this information.” In re Marriott Int'l, Inc., Cust. Data Sec. Breach Litig., 440 F.Supp.3d 447, 461 (D. Md. 2020); see also Brown, 2021 WL 6064009, slip op. at 15 (plaintiffs had UCL standing where they alleged the “cash value” of the data which Google collected “can be quantified” and “there is an active market for such data”); Calhoun v. Google LLC, 526 F.Supp.3d 605, 636 (N.D. Cal. 2021) (“[T]he Ninth Circuit and a number of district courts . . . have concluded that plaintiffs who suffered a loss of their personal information suffered economic injury and had standing.”). Like in Brown, Plaintiff cites several studies and reports showing an active market for users' private data. (See Dkt. No. 1 at 23-28.) Given this allegation, as well as the increasing recognition of the value of private data, the Court concludes Plaintiff has asserted an injury in fact and a loss of money or property sufficient to state a UCL claim. See Klein v. Facebook, Inc., 580 F.Supp.3d 743, 803 (N.D. Cal. 2022) (“[N]umerous courts have recognized that plaintiffs who lose personal information have suffered an economic injury.”) (collecting cases).
Qualtrics and Microsoft further argue that because Plaintiff's UCL claim rests on statutory claims that fail, the “unlawful” UCL claim also fails. (Dkt. Nos. 37 at 29, 43 at 29.) But since Plaintiff has successfully stated claims under CIPA and the California Constitution, see supra Part II.D(1)-(2), Defendants' argument fails.
Accordingly, Defendants' motions to dismiss Plaintiff's UCL claim are DENIED.
3. Statutory Larceny
Three elements are required to show a violation of California Penal Code § 496(a): that “(i) property was stolen or obtained in a manner constituting theft, (ii) [that] the defendant knew the property was so stolen or obtained, and (iii) [that] the defendant received or had possession of the stolen property.” Switzer v. Wood, 247 Cal.Rptr.3d 114, 121 (2019), as modified (May 10, 2019); see also Cal. Penal Code § 496(c) (authorizing a civil action for treble damages, costs, and fees for those injured by a violation of subdivision (a)). California Penal Code § 484(a), in turn, provides that a person is guilty of theft if they “feloniously steal, take, carry, lead, or drive away the personal property of another,” or obtain property “by any false or fraudulent representation or pretense.” Qualtrics and Microsoft argue, among other things, that Plaintiff fails to show the first element: that Defendants stole or obtained Plaintiff's property in a manner constituting theft. (Dkt. Nos. 37 at 30, 43 at 30.) The Court agrees.
In her response, Plaintiff asserts Defendants obtained her data through misrepresentation (i.e., in a manner constituting theft under § 496(a)). (Dkt. No. 55 at 30.) Specifically, she points to the Kaiser Privacy Statement and states that it “misrepresents that third parties will not be able to identify individuals by their data,” and that “she lacked notice of the collection of her personal information.” (Id.) But the complaint lacks any allegation of misrepresentation. (See generally Dkt. No. 1.) Moreover, the Kaiser Privacy Statement is a representation made by Kaiser, not by Qualtrics or Microsoft. Accordingly, it cannot serve as the basis for a statutory larceny claim against Qualtrics or Microsoft.
For those reasons, the Court DISMISSES Plaintiff's statutory larceny claim.
4. Conversion
California law defines conversion as “any act of dominion wrongfully asserted over another's personal property in denial of or inconsistent with his rights therein.” In re Bailey, 197 F.3d 997, 1000 (9th Cir. 1999). To establish conversion, a plaintiff must show “ownership or right to possession of property, wrongful disposition of the property right and damages.” Kremen v. Cohen, 337 F.3d 1024, 1029 (9th Cir. 2003). Courts apply a three-part test to determine whether a property right exists for these purposes: “First, there must be an interest capable of precise definition; second, it must be capable of exclusive possession or control; and third, the putative owner must have established a legitimate claim to exclusivity.” Id. at 1030. Here, Plaintiff fails to assert that her interest in the collected data is capable of exclusive possession or control. See Taylor v. Google LLC, 2021 WL 4503459, slip op. at 7 (N.D. Cal. 2021) (dismissing conversion claim where plaintiffs fail to allege “facts demonstrating that their cellular data allowances are ‘personal property' capable of exclusive possession or control”).
Accordingly, the Court DISMISSES Plaintiff's conversion claim.
5. Punitive Damages
Finally, Microsoft asks the Court to dismiss Plaintiff's request for punitive damages because Plaintiff fails to allege facts showing “Microsoft is guilty of ‘oppression, fraud, or malice,' or “evil motive' against her,” as is required to obtain punitive damages under California law. (Dkt. No. 43 at 31) (citing Grieves v. Sup. Court, 203 Cal.Rptr. 556, 560 (1984); Scott v. Phoenix Schools, Inc., 96 Cal.Rptr.3d 159, 170 (2009)). In response, Plaintiff contends that a “request for punitive damages is not a ‘claim' and is not the proper subject of a motion to dismiss under Fed.R.Civ.P. 12(b)(6).” (Dkt. No. 55 at 31) (quoting Shimy v. Wright Med. Tech., Inc., 2014 WL 3694140, slip op. at 4 (C.D. Cal. 2014)). But as Microsoft correctly notes, numerous courts have found a motion to dismiss to be the proper vehicle for removing punitive damages from a complaint. (Dkt. No. 56 at 17) (citing Panoyan v. Regalo Int'l LLC, 2019 WL 8758897, slip op. at 3-4 (C.D. Cal. 2019); Agape Family Worship Center, Inc. v. Gridiron, 2016 WL 633864, slip op. at 6 (C.D. Cal. 2016)). Furthermore, the Court agrees that Plaintiff fails to allege any facts showing Microsoft is guilty of oppression, fraud, or malice. (See generally Dkt. No. 1.) Therefore, the Court DISMISSES Plaintiff's request for punitive damages without prejudice and with leave to amend.
III. CONCLUSION
For the foregoing reasons, the Court GRANTS in part and DENIES in part Defendants' motions to dismiss (Dkt. Nos. 37, 43) and GRANTS in part and DENIES in part Qualtrics' motion for judicial notice (Dkt. No. 38). Specifically, the following claims are dismissed with prejudice:
Given the deficiencies described above, the Court finds that further amendment would not save these claims. See Lopez v. Smith, 203 F.3d 1122, 1127 (9th Cir. 2000).
• Plaintiff's CFAA claim against both Defendants; and
• Plaintiff's statutory larceny claim against both Defendants.
The following claims are dismissed without prejudice:
If Plaintiff seeks leave to amend the pleading deficiencies described above for these claims, she shall so move pursuant to Rule 15.
• Plaintiff's CIPA § 631(a) claim against both Defendants (but only to the extent she bases her claim on intentional wiretapping);
• Plaintiff's CIPA § 632 claim against Microsoft; and
• Plaintiff's conversion claim against both Defendants.
All remaining claims survive.