Opinion
C 20-04929 WHA
02-07-2022
ORDER RE MOTION TO AMEND
WILLIAM ALSUP, UNITED STATES DISTRICT JUDGE
INTRODUCTION
In this putative class action by data-breach victims, plaintiffs move for leave to file a third amended complaint. For the reasons that follow, and to the extent stated, the motion is Granted.
STATEMENT
A prior order detailed the facts (Dkt. No. 93). In brief, plaintiffs Juan Flores-Mendez and Amber Collins used defendant Zoosk, Inc.'s online dating platform. Zoosk offered a free service. It also offered a premium subscription service for a fee. As alleged, all customers provided their personal information to Zoosk upon joining. Zoosk's website posted its privacy policy, which allegedly contained the company's data-security-related representations. Plaintiffs allege injury from a massive data breach in May 2020, which allegedly occurred because Zoosk failed adequately to protect plaintiffs' personal information (Proposed Third Amd. Compl. ¶¶ 49-52).
An order dated January 30, 2021, granted in part and denied in part Zoosk's motion to dismiss, noting that plaintiffs' first amended complaint had not alleged a right by either Collins or Flores-Mendez to sue under California Business & Professions Code Section 17200 (Dkt. No. 61). Plaintiffs subsequently filed a motion for leave to amend, which attached a second amended complaint. It alleged that before the announcement of the data breach, plaintiff Flores-Mendez and other subscription customers had paid for a premium subscription service (putatively, the subscription class). By contrast, Collins and others did not pay for Zoosk services (Sec. Amd. Compl. ¶¶ 3, 13, 27). Zoosk opposed the motion to amend and cross-moved to dismiss the Section 17200 claim (Dkt. Nos. 79, 80). An order filed on October 5, 2021, granted plaintiffs' motion for leave to amend and granted Zoosk's motion to dismiss, all as to the Section 17200 claim. The same order invited plaintiffs again to move for leave to amend their complaint with respect to their Section 17200 claim, while “plead[ing] their best case” (Dkt. No. 93).
Plaintiffs now file a proposed third amended complaint concurrently with a motion for leave to amend (Dkt. No. 95). The proposed third amended complaint has revised the Section 17200 claim, which now applies only to Flores-Mendez and members of a putative subscription class. It also now details Zoosk's then-current privacy policy. It has also added allegations about the personal information provided by Flores-Mendez to Zoosk. Flores-Mendez now alleges he would have stopped using Zoosk, stopped providing his personal information, and stopped paying for Zoosk's services had Zoosk properly notified him that its security was inadequate and that it was not complying with its privacy policy. This order follows full briefing and a hearing held telephonically. At the hearing, Zoosk was offered an opportunity to file a supplemental brief in response to an issue raised for the first time on reply. Zoosk did so timely (Dkt. No. 123; Proposed Third Amd. Comp. ¶¶ 100-10, 35-45, 46-47).
ANALYSIS
FRCP 15(a)(2) permits a party to amend its pleadings with the court's leave. The rule is a lenient standard dictating that leave to amend shall be freely given when justice requires it. See DCD Programs, Ltd. v. Leighton, 833 F.2d 183, 185-186 (9th Cir. 1987). In so determining, a district court considers: (1) bad faith; (2) undue delay; (3) prejudice to the opposing party; (4) futility of amendment; and (5) whether the plaintiff has previously amended the complaint. See Johnson v. Buckley, 356 F.3d 1067, 1077 (9th Cir. 2004). Prejudice “carries the greatest weight” in this analysis. Eminence Cap., LLC v. Aspeon, Inc., 316 F.3d 1048, 1052 (9th Cir. 2003). For purposes of assessing futility on this motion, the legal standard is the same as it would be on a motion to dismiss under FRCP 12(b)(6). See Miller v. Rykoff-Sexton, Inc., 845 F.2d 209, 214 (9th Cir. 1988).
This order finds (1) no sign of bad faith; (2) minimal undue delay; and (3) no significant prejudice to Zoosk. As for (5), plaintiffs have had prior - but not yet excessive - opportunities to amend.
This order focuses on (4), futility. As described below, the proposed amendment to the Section 17200 claim has cured the failure to allege economic injury required for statutory standing, rendering the motion not futile. Here follow the relevant new or revised paragraphs alleged in the third amended complaint, as this order understands them (Proposed Third Amd. Comp. ¶¶ 35, 42, 45, 46 (emphasis added)). (Plaintiffs failed to note any specific paragraph, instead arguing that the “Proposed Third Amended Complaint at ¶¶xx ” “remedied” the “deficiencies” (Br. 7).)
35. When Plaintiff Flores-Mendez signed up for his account with Zoosk in or about 2015 or 2016, Zoosk's then-current Privacy Policy explained, in relevant part “how information about [consumers] or associated with [consumers]' (‘Personal Information') is collected, used and disclosed by Zoosk, ” including when Plaintiff Flores-Mendez and other users “use[d Zoosk's] services through [Zoosk's] websites linked to th[e Privacy] Policy, as well as [Zoosk's] products and applications (including Zoosk's mobile applications, downloadable products and applications and pages operated by Zoosk on social networking sites and other platforms) (collectively, the ‘Services.'”[)]
* * *
42. Zoosk bound all parties, including Plaintiffs and Class Members alike, to the Privacy Policy, stating that “ By registering, using or subscribing to the Services, you confirm that you have read and consent to” the portions of the Privacy Policy described, supra ¶¶ 36-41. . . .
* * *
45. Because Zoosk's then-current Privacy Policy presumed that any consumer who used Zoosk's Services read the Privacy Policy, and also compelled consent of those consumers through use of the Services, Zoosk was bound by those promises to Plaintiffs and Class Members.
46. With these binding terms in place, Plaintiff Flores-Mendez continued to pay for Zoosk's Services, and also continued to provide his PII . . . .
Flores-Mendez advances several theories of economic standing. First, he argues for standing via a “benefit-of-the-bargain” theory of economic damages under Section 17200. This putative class allegedly lost money because Zoosk's misrepresentations in the privacy policy caused the subscription subclass to pay at all or to pay more than they would have otherwise for Zoosk's premium subscription. Second, he argues that the paying subscribers lost money because the privacy policy constituted a contract to which Zoosk bound all consumers. Thus, Zoosk's failure to abide by its policy constituted a breach of contract for the subscription subclass. The latter breach-of-contract point plaintiffs raised for the first time on reply, but Zoosk has since addressed it in a supplemental filing (Dkt. No. 123).
Here are the rulings.
1. Standing.
The proposed third amended complaint this time adequately alleges reliance. For a Section 17200 claim theorizing that plaintiffs read and considered alleged misrepresentations, the claim generally must plead “actual reliance.” In re Tobacco II Cases, 46 Cal.4th 298, 324- 26 (2009) (excepting cases with massive advertising campaigns). Both sides appear to agree on this point (Rep. Br. 3; Opp. 4). Plaintiffs' proposed third amended complaint has now successfully pleaded when and how plaintiffs encountered Zoosk's allegedly misleading statements or omissions in the privacy policy (cf. Dkt. No. 93 at 6-7; Opp. Br. 4-5). Zoosk disagrees, in effect claiming both that Flores-Mendez “confirm[ed] that [he] ha[s] read and consent[ed] to” the relevant privacy policies on the website and, simultaneously, that Flores-Mendez has not read them (Third Amd. Compl. ¶ 42). This is “nonsensical” (Opp. Br. 4).
To state reliance, a complaint must allege the unfair conduct “was an immediate cause” of the economic loss. In re Tobacco, 46 Cal.4th at 328. That is, it must plead that the data-privacy assurances mattered to Flores-Mendez (and putative subscription class members) when he (they) decided to purchase a subscription. Even, as here, when Flores-Mendez does not hook his Section 17200 claim on fraud, the logic applies. In re Tobacco addressed standing, and its reasoning did not depend upon the substantive theory of liability (there, fraud). Rather, In re Tobacco simply explained reliance on misrepresentations as one way in which plaintiffs may allege that economic loss came “as a result of the unfair competition.” Cal. Bus. & Prof. Code § 17204; see also In re Yahoo! Inc. Customer Data Sec. Breach Litig., 2017 WL 3727318, at *20 (N.D. Cal. Aug. 30, 2017) (Judge Lucy H. Koh).
True, other decisions have found that clicking through and certifying that one had read certain representations did not adequately allege that one had relied thereon. See In re iPhone Application Litig., 6 F.Supp.3d 1004, 1025 (N.D. Cal. 2013) (Judge Lucy H. Koh) (having to “scroll through” and click “agree” to a privacy policy didn't indicate that the consumers “underst[ood]” the policy). In another decision, In re Yahoo! Inc. Customer Data Sec. Breach Litig., the same court likewise found that allegations of consumers scrolling and clicking to assent did not establish that they “actually read” the misrepresentations, absent further allegations. 2017 WL 3727318, at *28. Notwithstanding these decisions, this order holds that our facts warrant a different outcome.
Zoosk's own terms prove that that plaintiffs consented to the privacy policy. Read and consented to means understood. And, Flores-Mendez has alleged that he would have cancelled his subscription had Zoosk disclosed its true data-security practices (Proposed Third Amd. Compl. ¶ 47). See Kwikset Corp. v. Superior Ct., 51 Cal.4th 310, 330 (2011) (alleging the plaintiff “would not have bought the product but for” the unfair business practice). Our allegedly misleading statements, which relate to data security, feature centrally in the privacy policy as a whole. For both of these reasons, a presumption arises that average subscribers would find them important enough to affect their decision to purchase. Note that it does not matter that all customers were presumed to agree to the policy upon sign up, but that Flores-Mendez subsequently decided to purchase the subscription. Critically, at the time of purchase, it's alleged that Zoosk had already presumed that Flores-Mendez knew of and consented to the privacy policy. Thus, Flores-Mendez has sufficiently alleged a loss of money or property as a result of the alleged Section 17200 violation.
Zoosk argues against following the logic of McCoy v. Alphabet, Inc., 2021 WL 405816 (N.D. Cal. Feb. 2, 2021) (Judge Susan Van Keulen). That decision found standing adequate when the complaint alleged simply that defendant “claims to obtain [consumers'] ‘consent'” to various allegedly misleading statements “during the Android setup process.” Complaint, 20-cv-05427, ECF No. 1 ¶¶ 33 (emphasis added), see also ¶¶ 128, 133, 134, 154. The McCoy complaint therefore alleged solely that the company had presumed that plaintiffs consented to the policies. Having found knowledge of the statements adequately alleged and crediting as true the allegation that the plaintiff would not have purchased the product had he known the truth, McCoy found benefit-of-the-bargain standing. Zoosk contends that McCoy does not apply because Flores-Mendez here “falsely confirmed that he had read the statement in question, ” and that McCoy does not provide that “standing can be founded on a loss resulting from a purportedly misleading statement that the plaintiff in fact never even actually saw” (Opp. Br. 5, emphasis added; see also Supp. Br. n. 4). Zoosk apparently concludes that Flores-Mendez is lying by alleging that he “read” the statements simply because Flores-Mendez fails affirmatively to allege that he personally read them. This does not follow. Many explanations, including litigation strategy, could have prompted the decision not to plead that Flores-Mendez personally read the statement (id. 4).
In all, the proposed third amended complaint adequately alleges that Flores-Mendez “actually bargained” for a Zoosk dating service with reasonable security practices. McGee v. S-L Snacks Nat'l, 982 F.3d 700, 706 (9th Cir. 2020) (emphasis in the original). He provided his money and his PII, in consideration of which he expected to receive the adequate data security practices that Zoosk's representations described. (For the same reasons, the proposed amended complaint likewise also adequately alleges an overpayment theory. See ibid.)
This order does not hold that the who-what-where-when-how of the Rule 9(b) pleading standard is required for a benefit-of-the-bargain theory of standing. Cf. Kearns v. Ford Motor Co., 567 F.3d 1120, 1125 (9th Cir. 2009) (applying Rule 9(b) to fraud-based allegations of Section 17200 liability). Nonetheless, the proposed third amended complaint satisfies Rule 9(b): it names the statements; how they allegedly misled; how Flores-Mendez and subscription users encountered them; and how the statements would have mattered to Flores-Mendez at purchase.
Analogy to substantive Section 17200 fraud also supports Flores-Mendez's argument for standing. The alleged misrepresentations here concerned data security for a dating website. Dating sites implicate data about users' romantic lives and sexual preferences, which are particularly reputationally sensitive, as our prior order held (Dkt. No. 61 at 6). The misrepresentations also implicated a risk of run-of-the-mill identity theft (see ibid.). Zoosk's customers' privacy featured “central[ly]” in the service's function, so as to lend persuasive support for the proposition that a reasonable consumer would rely upon statements assuring them of data security. Hodson v. Mars, Inc., 891 F.3d 857, 864 (9th Cir. 2018) (when alleged omissions concern a product's “central function” and meet several other factors, the omissions may warrant a presumption of reliance).
Since this order has found standing adequately alleged, it does not reach the dispute over whether a complaint alleging a breach-of-contract theory of standing also requires proof of reliance on an alleged misrepresentation in that contract. See Cappello v. Walmart Inc., 394 F.Supp.3d 1015, 1020 (N.D. Cal. Aug. 26, 2019) (Judge Richard Seeborg).
2. Section 17200 Liability.
Section 17200 prohibits acts or practices that are (1) unlawful, (2) unfair, or (3) fraudulent. Each of the foregoing prongs permits a separate theory of relief. See Davis v. HSBC Bank Nevada, N.A., 691 F.3d 1152, 1168 (9th Cir. 2012). “[A] breach of contract may form the predicate for a section 17200 claim, provided it also constitutes conduct that is unlawful, or unfair, or fraudulent.” Sybersound Records, Inc. v. UAV Corp., 517 F.3d 1137, 1152 (9th Cir. 2008) (cleaned up). Plaintiffs here have pleaded unfairness and unlawfulness (Proposed Third Amd. Compl. ¶¶ 35-47, 100-02). Plaintiffs now argue that the third amended complaint incorporates their allegation of a violation of Section 5 of the Federal Trade Commission (FTC) Act. Plaintiffs do not contend in the instant motion that a violation of the California Consumer Privacy Act (CCPA) supports an “unlawful” theory of Section 17200 liability (but do argue that it supports “unfairness” under the tethering test (Rep. Br. 6)). See Kaar v. Wells Fargo Bank, N.A., 2016 WL 3068396, at *2 (N.D. Cal. June 1, 2016).
As stated above, a presumption of reliance has been pleaded adequately for standing and therefore also for liability (regardless of whether required). Also as stated, the pleading has satisfied the heightened requirements of Rule 9(b), if indeed a heightened standard must be met. As next discussed, the proposed third amended complaint adequately alleges a theory of liability under the unfairness prong but fails to do so under the unlawfulness prong.
A. Unfair.
Pending further instruction from the California Supreme Court, our court of appeals has approved the use of either a balancing test or a tethering test when it comes to defining unfair conduct against consumers. See Lozano v. AT&T Wireless Servs., Inc., 504 F.3d 718, 735-36 (9th Cir. 2007). The balancing test assesses the harm to the consumer against the utility of a defendant's allegedly unfair practice. See South Bay Chevrolet v. General Motors Acceptance Corp., 72 Cal.App.4th 861, 886 (1999). “In general, the unfairness prong has been used to enjoin deceptive or sharp practices. . . .” Id. at 887 (cleaned up). The tethering prong states that conduct is unfair under Section 17200 when it offends an established public policy that is “tethered to specific constitutional, statutory, or regulatory provisions.” Bardin v. Daimler Chrysler Corp., 136 Cal.App.4th 1255, 1261 (2006).
This order finds that the proposed third amended complaint adequately alleges a violation of Section 17200 as to Flores-Mendez using the balancing test because it details misleading statements coupled with Zoosk's failure to disclose its “inadequate” data-security practices. It also alleges that Zoosk failed to apply subscription customers' funds to data-security practices despite Flores-Mendez's expectations to the contrary (Proposed Third Amd. Compl. ¶¶ 104- 106; Opp. Br. 13-14). As for harm, Flores-Mendez “allege[s] . . . loss of time, risk of embarrassment, and enlarged risk of identity theft, ” which harms are adequately pleaded to justify taking discovery (Dkt. No. 61 at 5). The proposed third amended complaint also adequately alleges financial loss based on Flores-Mendez's benefit of the bargain (id. at 7). Zoosk argues that Flores-Mendez has not adequately pled a duty to disclose anything about its practices and has not specifically named “the costs Zoosk would have had to incur in order to avoid” the “harm[s]” to subscription users. We have already found misrepresentations adequately alleged. True, Flores-Mendez does not explain what benefits Zoosk might have gained from failing to provide adequate security practices. But, Zoosk fails itself to offer some legitimate interest to weigh against the alleged harm to paying subscribers (see Opp. Br. 14). This order joins numerous other data-breach decisions that have found the balancing test “not suitable for resolution on a motion to dismiss.” See Grace v. Apple Inc., 2017 WL 3232464, at *15 (N.D. Cal. July 28, 2017) (Judge Lucy H. Koh) (collecting cases). A fulsome record will assist the finder of fact at summary judgment (see id. at 7).
Breach of contract does not, however, support Flores-Mendez's argument for unfairness. On this point, he asks that this order follow Cappello v. Walmart Inc., 394 F.Supp.3d at 1020 (Rep. Br. 2); see also Amended Complaint, ECF No. 41 ¶ 60, Cappello v. Walmart Inc., No. 18-06678-RS (N.D. Cal. Apr. 25, 2019) (emphasis added) (“Walmart violated the UCL's unlawful prong by violating its Privacy Policy knowingly and willfully or, in the alternative, negligently and materially in violation of Cal[ifornia] Bus[iness] & Prof[essions] Code [Section] 22576.”); see also ECF No. 41 ¶¶ 21, 22. Unlike the Cappello plaintiffs, our proposed third amended complaint has not sufficiently alleged a contractual relationship between Flores-Mendez and Zoosk. The proposed third amended complaint simply pleads that Zoosk's privacy policy presumed Zoosk subscribers read the policy and that the policy “confirm[ed]” their affirmation, which “bound” Zoosk (Proposed Third Amd. Comp. ¶ 42; see also ¶¶ 45, 46). The notice requirement of FRCP 8 does not require magic words. But, without something more to indicate the express theory to a reader, this order cannot presume that Zoosk could have divined the breach-of-contract liability theory. This order therefore does not reach whether, or not, a breach of contract alone can support a claim for liability under Section 17200 (see Supp. Br. 2).
This order need not reach the tethering test for unfairness, except to say that substantial questions remain whether statutory violations have been properly alleged as part of plaintiffs' Section 17200 claim or whether they can furnish the substance of the tethering approach to the unfairness prong. See 15 U.S.C.A. § 45; Cel-Tech Commc'ns, Inc. v. Los Angeles Cellular Tel. Co., 20 Cal.4th 163, 185 (1999) (Proposed Third Amd. Compl. ¶ 100 (incorporating ¶¶ 1- 84); ¶¶ 101-10 (Section 17200 claim); see also id. ¶¶ 96-97 (pleading other statutory violations within a negligence claim)).
B. Unlawful.
This order finds that the proposed third amended complaint has not adequately alleged a violation of Section 17200 under the unlawfulness prong. The failure to disclose inadequate security practices does not, alone, constitute a violation of a statute or common-law regime, since something more must give rise to a duty to disclose in the first place to make the claim “actionable.” Cel-Tech Commc'ns, Inc., 20 Cal.4th at 180. Likewise, for the reasons stated above, a breach of contract has not been adequately alleged and no statutory violation related to breach of contract has, either. As for other alleged statutory violations, the second amended complaint had alleged under the header, “Violation of California's Unfair Competition Law:”
90. Defendant engaged in business acts and practices deemed “unlawful” under the UCL, because . . . Defendant violated the FTC Act and failed to protect Plaintiffs' and Class Members' PII(Dkt. No. 84-1 ¶ 90). The proposed third amended complaint deletes the above paragraph 90 from its Section 17200 claim - Count 2 - and instead states as to unlawfulness (color in the original, emphasis added):
91.102. Defendant engaged in business acts and practices deemed “unlawful” under the UCL, because, as alleged above, Defendant unlawfully failed to disclose the inadequate nature of the security of its computer systems and networks that stored Plaintiff's and the Subscription Subclass members' sensitive PII.
Flores-Mendez now argues for the first time on reply that the proposed third amended complaint “alleged violations of Section 5 of the Federal Trade Commission Act, 15 U.S.C. § 45. TAC, ¶¶ 50, 51” (Rep. Br. 4). As to what the relevant paragraphs “above” mean, the relevant paragraphs are 50 and 51 of the body of the proposed third amended complaint, which provide (emphasis added):
39.50. . . . Defendant also had a legal duty to take reasonable steps to protect customers' PII under applicable federal and state statutes, including Section 5 of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. § 45, which is further defined by federal and state guidelines and industry norms.
40.51. Defendant breached its duties by failing to implement reasonable safeguards to ensure Plaintiffs' and Class members' PII was adequately protected. As a direct and proximate result of this breach of duty, the Data Breach occurred, and Plaintiffs and Class members were harmed. Plaintiffs and Class members did not consent to having their PII disclosed to any third-party, much less a malicious hacker who would sell it on the dark web.
A specific reference to the FTC Act repeats in Count 1 (negligence), but not in Count 2 of the proposed third amended complaint.
Do these allegations about the FTC Act Section 5 suffice to “give the defendant fair notice of what the claim is and the grounds upon which it rests”? Bell Atl Corp. v. Twombly, 550 U.S. 544, 555 (2007) (cleaned up).
No. The proposed third amended complaint's Count 2, at paragraph 100, states, “89.100. Plaintiff Flores-Mendezs re-alleges and incorporates by reference herein all of the allegations contained in paragraphs 1 through [[8472]] above.” Thus, Zoosk correctly notes that Count 2 does incorporate the paragraphs describing the FTC Act in paragraphs 50 and 51 but does not incorporate the paragraphs in Count 1 that discuss the FTC Act and other statutes (id. ¶¶ 91- 97). As a result, the only explicit reference to Section 5 incorporated into Count 2 appears in paragraph 50 (paragraph 51 appears to continue discussion of the FTC Act but does not mention it by name).
Does the language of the “unlawful” allegation in Count 2 match the language describing the FTC Act violation? Also no. The former alleges that Zoosk “unlawfully failed to disclose the inadequate nature of the security, ” whereas the FTC Act allegation provides that Zoosk “fail[ed] to implement reasonable safeguards” on data security (id. ¶¶ 102, 51, emphasis added). In other words, one concerns disclosures while the other concerns required safeguards.
The proposed complaint might have put Zoosk on adequate notice that it was predicating an unlawful-prong Section 17200 claim on the FTC Act Section 5 if an FTC Act violation had been the only statutory violation elsewhere alleged in the body of the complaint. But the proposed third amended complaint also discusses the CCPA (id. ¶¶ 10, 13, 19). (Another paragraph under the negligence banner alleges a violation of California Civil Code Section 1798.81.5 but is not incorporated by reference into Count 2 (id. ¶ 95).)
Furthermore, the proposed third amended complaint does not allege a stand-alone violation of the FTC Act (and could not, for the FTC Act provides no private right of action). In contrast, Patel v. 7-Eleven, Incorporated found a California Franchise Relations Act (CFRA) claim had adequately grounded an unlawful-prong Section 17200 claim even though it was not mentioned in the Section 17200 count, because the complaint separately stated a CFRA violation as a standalone count. The Section 17200 count, the decision found, was “derivative of” the CFRA count. 2014 WL 12772077, at *3 (C.D. Cal. Nov. 12, 2014) (Judge Philip S. Gutierrez). See also Gorlick Distribution Centers, LLC v. Car Sound Exhaust Sys., Inc., 2009 WL 10676068, at *5 (W.D. Wash. Mar. 30, 2009) (Judge Richard A. Jones) (same); Compl., No. 07-1076-RAJ, ECF. No. 1 (July 11, 2007).
Additionally, the inclusion of the FTC Act referenced in the Section 17200 count of the second amended complaint, contrasted with its omission in the proposed third amended complaint, implies that the latter no longer advances an FTC Act basis for its theory of unlawfulness under Section 17200. The third amended complaint would have to be quite clear from the “as alleged above” that the paragraph meant the FTC Act violation (id. ¶ 102). For the reasons stated, it is not clear.
This order finds that plaintiffs have not adequately put Zoosk on notice of their intent to show that Zoosk violated Section 5 of the FTC Act in order to prove that Zoosk violated Section 17200.
Additional problems may prohibit relief on an “unlawful” prong. Substantial questions remain whether the FTC Act Section 5 can support the “unlawful” prong of a Section 17200 claim, or whether it can furnish the substance of the tethering approach to the unfairness prong. See 15 U.S.C.A. § 45; Cel-Tech Commc'ns, Inc., 20 Cal.4th at 166 (pointing to the “parallel” Section 17200 and FTC Act Section 5, which both broadly define “unfairness”). Since the proposed third amended complaint has not adequately alleged a predicate violation of any statute to support the Section 17200 count, this order does not reach the adequacy (or not) of the pleadings as to the elements of any statute pleaded. Any future motion pleadings must be sure to adequately allege all elements of any statutory violation and to address, in detail, all issues raised herein or raised by Zoosk (whether or not an order re-raised those issues) (see Dkt. No. 51 at 7-9; Supp. Br. 4-5).
3.Relief.
Finally, Flores-Mendez has stated claims for restitution and injunctive relief, as permitted under Section 17203. Just as our prior order held, it is reasonable to infer from these amended pleadings that Zoosk failed to use subscribers' money to fund data security, as plaintiffs would have expected (id. ¶¶ 46, 47; Dkt. No. 93 at 7). Alleging, as Zoosk insists Flores-Mendez must, what portion of “profits” Zoosk made from the allegedly deceptive practice would be impossible at this stage, and, anyway, plaintiffs have alleged an “ownership interest” in some proportion of the funds given to Zoosk for the subscription. Yahoo!, 2017 WL 3727318, at *31 (see Opp. Br. 14-15). As for an injunction, the proposed pleading alleges that Zoosk's touted changes to its privacy policies are not enough. The complaint has pleaded that Zoosk's “investigation remains ongoing” and customers “face an imminent and ongoing risk of identity theft” (Proposed Third Amd. Compl. ¶¶ 16, 18, 19). This adequately alleges that the data security problems have not yet been solved.
CONCLUSION
For the foregoing reasons and to the extent stated, plaintiffs' motion for leave to amend as to the unfairness theory of Section 17200 liability is Granted. The motion for leave to amend is Denied Without Prejudice solely on the theory of an unlawfulness-prong violation of Section 17200. All other amendments are Denied With Prejudice. Any further motion for leave to amend as to the unlawfulness prong of Section 17200 will be the final opportunity to move for leave to amend: any opening brief is due February 17 and is limited to ten pages. The third amended complaint or any proposed fourth amended complaint must be filed by February 17, regardless of any motion. Any opposition is due February 28 and is also limited to ten pages. Any reply is due March 7 and is limited to five pages. Any arguments raised for the first time on reply will be disregarded. If a motion is filed, the Court will decide whether (or not) to set a hearing.
IT IS SO ORDERED.