Summary
holding that a defendant's access to a plaintiff's website by using information voluntarily supplied by authorized users was "without permission" and a violation of the CDAFA
Summary of this case from Synopsys, Inc. v. AtoptechOpinion
Case No. C 07-01389 RS.
May 21, 2007
ORDER GRANTING IN PART AND DENYING IN PART DEFENDANTS' MOTION TO DISMISS
I. INTRODUCTION
Plaintiff Facebook, Inc. contends that defendant ConnectU, Inc. engaged in common law misappropriation and violated numerous statutes when it allegedly collected email addresses of Facebook's registered users posted on its website and then sent commercial email to those persons. Pursuant to Federal Rule of Civil Procedure 12(b)(6), ConnectU moves to dismiss portions of the complaint. The motion was fully briefed and heard by the Court on May 2, 2007. Based on all papers filed to date, as well as on the oral argument of all the parties, the Court grants the motion in part and denies it in part.
ConnectU apparently was originally formed as an LLC, but is now known as ConnectU, Inc.
II. BACKGROUND
This action was removed from Santa Clara Superior Court when Facebook filed an amended complaint containing claims giving rise to federal question jurisdiction. Facebook and ConnectU operate competing social networking websites on the Internet. Facebook contends that ConnectU accessed the Facebook website to collect "millions" of email addresses of Facebook, and then sent emails to those users soliciting their patronage. Specifically, Facebook alleges ConnectU hired defendant Pacific Northwest Software and defendant Winston Williams to write software for accessing Facebook's website and collecting information including email addresses available to registered users of the website but not generally made available to the public. First Amended Complaint ("FAC"), ¶¶ 17-19. Facebook further alleges that ConnectU distributed solicitation emails to members of Facebook using the email addresses it obtained. FAC ¶ 22.The complaint asserts seven causes of action. ConnectU moves to dismiss five of those: (1) the First Cause of Action — Violation of California Penal Code § 502(c); (2) the Second Cause of Action — Common law misappropriation; (3) the Fourth Cause of Action — Violation of California Business and Professional Code § 17529.4; (4) the Fifth Cause of Action — Violation of California Business and Professional Code § 17538.45; and (5) the Sixth Cause of Action — Violation of 15 U.S.C. § 7701, et seq.
Because the First Amended Complaint was filed in state court, it uses the nomenclature "cause of action" rather than "claim for relief" or "count."
III. STANDARDS
A motion to dismiss under Federal Rule of Civil Procedure 12(b)(6) tests the legal sufficiency of the claims alleged in the complaint. See Parks Sch. of Business v. Symington, 51 F.3d 1480, 1484 (9th Cir. 1995). Dismissal under FRCP 12(b)(6) may be based either on the "lack of a cognizable legal theory" or on "the absence of sufficient facts alleged under a cognizable legal theory." Balistreri v. Pacifica Police Dept., 901 F.2d 696, 699 (9th Cir. 1988). Hence, the issue on a motion to dismiss for failure to state a claim is not whether the claimant will ultimately prevail but whether the claimant is entitled to offer evidence to support the claims asserted. Gilligan v. Jamco Development Corp., 108 F.3d 246, 249 (9th Cir. 1997). When evaluating such a motion, the court must accept all material allegations in the complaint as true and construe them in the light most favorable to the non-moving party. Cahill v. Liberty Mut. Ins. Co., 80 F.3d 336, 340 (9th Cir. 1996). "[C]onclusory allegations of law and unwarranted inferences," however, "are insufficient to defeat a motion to dismiss for failure to state a claim." Epstein v. Washington Energy Co., 83 F.3d 1136, 1140 (9th Cir. 1996).
IV. DISCUSSION
A. State Court Demurrer
In opposing this motion to dismiss, Facebook argues that the state court previously overruled a demurrer based on some of the same grounds advanced in this motion, and that ConnectU has shown nothing that would warrant a departure by this Court from rulings made prior to the removal. As ConnectU points out, however, there technically is no state court ruling as to the sufficiency of the amended complaint. Had this matter not been removed, ConnectU would have been free to renew on demurrer the same arguments it makes here. To be sure, the state court likely would not have reached a different result upon being presented with those arguments again, but Facebook has not shown that consideration of the arguments would have been foreclosed there. In federal court, where distinct standards apply, there is even less reason to bar ConnectU from raising the points again. That said, the motion to dismiss will be denied on the same points as the state court demurrer was overruled, rendering unnecessary further consideration of the extent to which the prior ruling should be considered binding or even persuasive.
In general, of course, the notice pleading standards in federal court are, if anything, less stringent than those in California courts.
B. First Cause of Action-California Penal Code Section 502(c)
California Penal Code Section 502 is entitled "Unauthorized Access to Computers, Computer Systems and Computer Data" (emphasis added). Focusing on that title and on other provisions within the section relating to accessing computer systems, ConnectU argues that nothing in the FAC suggests its access to the Facebook website was "unauthorized" or undertaken "without permission." Apparently ConnectU accessed information on the Facebook website that ordinarily would be accessible only to registered users by using log-in information voluntarily supplied by registered users. Thus, ConnectU contends, it did not engage in "hacking" or other "unauthorized" access of a type prohibited by the statute, and Facebook has not alleged otherwise. ConnectU argues that Facebook may have a claim for breach of contract against the registered users who supplied ConnectU with the login information, but that Facebook's "terms and conditions of use" have no applicability to ConnectU itself, which never registered as a user or agreed to those terms and conditions.
ConnectU's argument does not adequately address subdivision (c) of the statute, which makes it a "public offense" if a person:
(2) Knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system or computer network.
(Emphasis added.)
The FAC sufficiently alleges that ConnectU "knowingly" accessed Facebook's website and that it took, copied, or made use of data it found thereon "without permission." ConnectU's argument that a private party cannot define what is or is not a criminal offense by unilateral imposition of terms and conditions of use is not persuasive. The statute defines the criminal offense: taking, copying, or using data "without permission." The fact that private parties are free to set the conditions on which they will grant such permission does not mean that private parties are defining what is criminal and what is not.
Thus, notwithstanding the reference in the title to "unauthorized access," Penal Code section 502 prohibits knowing access, followed by unauthorized (i.e., "without permission") taking, copying, or use of data. As the FAC alleges facts showing that ConnectU knowingly accessed Facebook's website to collect, copy, and use data found thereon in a manner not authorized or permitted by Facebook, the motion to dismiss will be denied as to this claim.
ConnectU also argues that no one held a reasonable expectation of privacy in the information it collected and that, to the contrary, Facebook users voluntarily disclosed their email addresses knowing that others would see them and be able to use them. ConnectU points to various language suggesting that one purpose the Legislature had in enacting Penal Code section 502 was to protect confidential information. Not only does this argument appear to discount unduly the right of Facebook users to disclose their email addresses for selective purposes, nothing in section 502(c) limits its applicability to confidential information. ConnectU is attempting to import limitations from other portions of the statute into the subdivision at issue here.
C. Second Cause of Action-Common Law Misappropriation
ConnectU contends that Facebook's common law misappropriation claim is preempted by the federal Copyright Act. There is no dispute that all state law causes of action falling within the scope of the federal Copyright Act are subject to preemption. Laws v. Sony Music Entertainment, Inc., 448 F.3d 1134, 1137 (9th Cir. 2006). Section 301 of the Copyright Act sets forth two conditions that must be satisfied for preemption of a right under state law: 1) the work in which the right is asserted must come within the subject matter of copyright as defined in sections 102 and 103 of the Copyright Act, and 2) the right that the authors seeks to protect must be equivalent to any of the exclusive rights within the general scope of copyright as specified by section 106 of the Copyright Act. 17 U.S.C. § 301(a) (2006). See Laws, 448 F.3d at 1137.
Facebook contends ConnectU waived its right to argue preemption by failing to raise it in its original demurrer in state court. Because preemption would appear to deprive the Court of subject matter jurisdiction, the argument likely is not subject to waiver. In view of the conclusion that there is no preemption, however, the Court need not consider the waiver issue.
Section 102 of the Copyright Act extends copyright protection to "original works of authorship fixed in any tangible medium of expression," including: 1) literary works; 2) musical works, including any accompanying words; 3) dramatic works, including any accompanying music; 4) pantomimes and choreographic works; 5) pictorial, graphic, and sculptural works; 6) motion pictures and other audiovisual works; 7) sound recordings; and 8) architectural works. 17 U.S.C. § 102(a) (2006). Section 103 provides that "compilations and derivative works" fall within the subject matter of copyright. 17 U.S.C. § 103 (2006).
Section 106 of the Copyright Act provides that the owner of the copyright has the exclusive rights to do and to authorize any of the following: 1) to reproduce the copyrighted work in copies or phonorecords; 2) to prepare derivative works based upon the copyrighted work; 3) to distribute copies or phonorecords of the copyrighted work to the public by sale or other transfer or ownership, or by rental, lease, or lending; 4) in case of literary, musical, dramatic, and choreographic works, pantomimes, and motion pictures and other audiovisual works, to perform the copyrighted work publicly; 5) in case of literary, musical, dramatic, and choreographic works, pantomimes, and pictorial, graphic, or sculptural works, including the individual images of a motion picture or other audiovisual work, to display the copyrighted work publicly; and 6) in case of sound recordings, to perform the copyrighted work publicly by means of a digital audio transmission. 17 U.S.C. § 106 (2006).
The initial question is whether the subject matter of Facebook's misappropriation claim is within the subject matter of the Copyright Act. The parties agree that the data ConnectU allegedly misappropriated is not subject to copyright protection per se. See ConnectU's Reply Brief at 5; see also Sefton v. Jew, 201 F.Supp.2d 730 (W.D. Tex. 2001) (stating that e-mail names, e-mail addresses, and service marks are not copyrightable material even if used to identify a copyrighted work). The inquiry does not end there, however, because preemption does not turn on whether the copied elements are protectible under the Copyright Act, but on whether the subject matter is generally within the "scope" of the Copyright Act. See National Basketball Association v. Motorola, Inc., 105 F.3d 841, 849 (2nd Cir. 1997) ("Copyrightable material often contains uncopyrightable elements within it, but Section 301 preemption bars state law misappropriation claims with respect to uncopyrightable as well as copyrightable elements.")
Nevertheless, ConnectU has not shown that under a fair reading of the FAC it is alleged to have misappropriated uncopyrightable "elements" of a work of authorship otherwise within the scope of the Copyright Act. It seems likely, if not certain, that the Facebook website includes material that would constitute "original works of authorship." Indeed, the site presumably includes such works created by Facebook's users as well as by Facebook itself. The fact that the Facebook website may contain works of authorship, however, does not automatically mean that the entire site is a work of authorship within the subject matter of the Copyright Act.
The email addresses at issue undisputedly are not works of authorship or protectible under copyright law at all. ConnectU's preemption theory, therefore, turns on the premise that those addresses are merely "elements" of some larger work of authorship that is within the scope of copyright law. ConnectU has not shown, however, that the allegations of the FAC support such a conclusion. Rather, to use a pre-Internet analogy, it appears that Facebook's website is in a sense similar to a community billboard, on which any number of individuals might post information. Some of those postings might very well be "works of authorship" — the most obvious example arising if a member of the community posted a copy of a poem or short story he or she had written. The organization that owned the bulletin board might also claim authorship in any general notices it posted thereon. None of that, however, would necessarily make the bulletin board as a whole a work of authorship or give rise to copyright preemption with respect to a claim for missappropriation of some uncopyrightable facts posted on it.
In short, nothing in the FAC suggests that Facebook is seeking to protect through a common law missappropriation claim uncopyrightable elements of some larger work of authorship that is protectible only to the extent provided by the Copyright Act. Accordingly, the claim is not preempted and this prong of the motion to dismiss will be denied.
There may be instances where an entire website consists of a work of authorship. From Facebook's description of how it operates as alleged in the FAC, however, this does not appear to be such an instance.
In view of the conclusion that the allegedly misappropriated material does not fall within the scope of copyright protection, the Court need not reach the question of whether the state law claim contains an "extra element" such as a breach of fiduciary duty that would avoid preemption. As noted at the hearing, however, that analysis would turn on the elements of the claim and not on whether Facebook has pleaded additional facts, beyond those required by the common law to state a claim for misappropriation.
C. Fourth and Fifth Causes of Action — Cal. B P Code § 17529.4 and § 17538.45
California Business and Professions Code sections 17529.4 and 17538.45 proscribe conduct of the very nature that ConnectU is alleged to have engaged in here. ConnectU contends, however, that these California statute are preempted by 15 U.S.C § 7707(b)(1), a provision of the so-called "CAN-SPAM Act." That section provides:
This chapter supersedes any statute, regulation, or rule of a State or political subdivision of a State that expressly regulates the use of electronic mail to send commercial messages, except to the extent that any such statute, regulation, or rule prohibits falsity or deception in any portion of a commercial electronic mail message or information attached thereto.
Facebook first argues that there is no preemption because the use of the term "supercedes" in the CAN-SPAM Act should be understood as reflecting an Congressional intent only to preempt then-existing state laws. Although Facebook points to other statutes that arguably more clearly preempt both existing and later-enacted state laws, it cites no authority for the novel proposition that a provision of federal law that expressly "supercedes" state law is ineffective to reach later-enacted state laws.
Facebook also contends that Business and Professions Code section 17529.4 falls outside the scope of CAN-SPAM preemption because it "primarily" regulates the collection of email addresses, whereas the preemption clause refers only to state statutes regulating the sending of commercial email. The section makes it unlawful "for any person or entity to collect electronic mail addresses posted on the Internet if the purpose of the collection is for the electronic mail addresses to be used to . . . [i]nitiate or advertise in an unsolicited commercial e-mail advertisement. . . ." Facebook argues, therefore, that it is possible to violate section 17529.4 even if emails are never actually sent, as long as the intent to do so exists. Facebook may be correct that technically a violation of section 17529.4 could arise prior to any emails actually being sent, but it plainly still "regulates the use of electronic mail to send commercial messages" within the preemptive effect of the CAN-SPAM Act.
Finally, Facebook contends that both section 17529.4 and section 17538.45 fall within the exclusion from preemption provided in the CAN-SPAM Act for state laws that "prohibit[] falsity or deception." In making this argument, Facebook contends that ConnectU's alleged conduct was "deceptive." Whether or not Facebook has alleged or could allege deceptive or fraudulent conduct on the part of ConnectU is beside the point, however. Neither section 17529.4 nor section 17538.45 purport to regulate false or deceptive email, or require such falsity or deception as an element of the statutory violation. Accordingly, the statutes are preempted and Facebook's claims based thereon must be dismissed. In light of this conclusion, the Court need not reach ConnectU's further contention that Facebook lacks standing under these statutes to pursue a private cause of action.
At the hearing, ConnectU conceded that Facebook should be given leave to amend these claims. Accordingly, such leave is granted. Because preemption appears to arise from the language of the statutes and not as a result of the fact Facebook has or has not pleaded, however, a good faith attempt to re-plead may well be problematic.
D. Sixth Cause of Action-the CAN-SPAM Act
The CAN-SPAM Act authorizes any "provider of Internet access service adversely affected" by certain violations of the Act to bring a civil action. 15 U.S.C. § 7706(g). By reference to 47 U.S.C. § 231(e)(4), the CAN-SPAM Act defines "internet access service" as "a service that enables users to access content, information, electronic mail, or other services offered over the Internet, and may also include access to proprietary content, information, and other services as part of a package of services offered to consumers." 15 U.S.C. § 7702(11). Although this definition appears primarily to contemplate services that provide consumers their initial connection point to the Internet, the language is broad enough to encompass entities such as Facebook that provide further access to content and communications between users for persons who may initially access the Internet through a conventional "internet service provider." Accordingly, ConnectU's contention that Facebook lacks standing to pursue this claim fails.
As Facebook freely acknowledges, however, to state a claim under CAN-SPAM it must allege that ConnectU sent email containing "materially false or materially misleading" header information. 15 U.S.C § 7704(a)(1). The statute defines false or materially misleading headers to include "information that is technically accurate but includes an originating electronic mail address, domain name, or Internet Protocol address the access to which for purposes of initiating the message was obtained by means of false or fraudulent pretenses or representations. . . ." (Emphasis added.) In its opposition, Facebook contends its has sufficiently alleged deception in connection with the manner in which ConnectU gathered the destination email addresses. Even assuming that conduct was deceptive or fraudulent, however, nothing in the complaint suggests that emails subsequently sent to those addresses included headers that were misleading or false as to the source from which they originated, or in any other manner.
The "Congressional findings and policy" of the CAN-SPAM Act include an observation that, "[m]any senders of bulk unsolicited commercial electronic mail use computer programs to gather large numbers of electronic mail addresses on an automated basis from Internet websites or online services where users must post their addresses in order to make full use of the website or service." 15 U.S.C. § 7701(10). Facebook has pointed to no provision in the Act, however, that forbids that practice in and of itself.
At the hearing, Facebook asserted that it can truthfully allege that at least some of the emails sent by ConnectU did contain false or misleading header information. Accordingly, this claim will be dismissed with leave to amend.
IV. CONCLUSION
For the reasons set forth above the motion to dismiss the First and Second Causes of Action is denied. The motion to dismiss the Fourth, Fifth, and Sixth Causes of Action is granted, with leave to amend. Any amended complaint shall be filed within 20 days of the date of this order.
IT IS SO ORDERED.