Opinion
21-cv-00757-JD
09-23-2024
ERICA FRASCO, et al., Plaintiffs, v. FLO HEALTH, INC., et al., Defendants.
ORDER RE SUMMARY JUDGMENT
JAMES DONATO UNITED STATES DISTRICT JUDGE
In this putative class action, named plaintiffs Erica Frasco, Sarah Wellman, Justine Pietrzyk, Jennifer Chen, Tesha Gamino, Leah Ridgway, Autumn Meigs, and Madeline Kiss sued Flo Health, Inc. (Flo) and Google LLC (Google), among others, over Flo's use of Google's analytics services in connection with the Flo Period & Ovulation Tracker app for women (Flo App). See Dkt. No. 64 (first amended complaint). Plaintiffs alleged a panoply of federal- and state-law privacy claims and claims of unfair competition under California law, against Google. See id. at 77-87. After the close of fact discovery, Google moved for summary judgment. See Dkt. Nos. 338-39. Plaintiffs timely opposed. See Dkt. Nos. 348-49, 51. The parties' familiarity with the record is assumed, and summary judgment is granted in part.
DISCUSSION
I. STANDING
The parties' briefs indicate a misunderstanding about a prior order with respect to Article III standing to sue. The Court dismissed the claims against defendant AppsFlyers on the ground that plaintiffs had “not adequately alleged a concrete and particularized injury caused by AppsFlyer” because “AppsFlyer [was] not said to have used the data collected from the Flo App for advertising and marketing purposes.” Dkt. No. 158 at 1-2. Google wants to run with this to ask for summary judgment on all plaintiffs' claims on the grounds that there is no evidence it “receive[d] any sensitive health information from Flo” or “use[d] the data it received from the Flo App for research, development, marketing, or advertising purposes.” Dkt. No. 339-3 at 15-16.
Google goes too far. Plaintiffs' claims are premised on the allegation that Google violated their privacy rights by obtaining and storing, without plaintiffs' knowledge or consent, sensitive personal information from the Flo App via the Google software developer kit (SDK). See Dkt. No. 64 at 77-87. Violations of the right to privacy, which “encompass[es] the individual's control of information concerning his or her person,” “have long been actionable at common law.” In re Facebook, Inc. Internet Tracking Litigation (Facebook Tracking), 956 F.3d 589, 598 (9th Cir. 2020) (alteration in original) (quoting Eichenberger v. ESPN, Inc., 876 F.3d 979, 983 (9th Cir. 2017), and Patel v. Facebook, 932 F.3d 1264, 1272 (9th Cir. 2019)). The statutory and commonlaw causes of action that plaintiffs allege protect “substantive right[s] to privacy, the violation of which gives rise to a concrete injury sufficient to confer standing.” Id.; see also Campbell v. Facebook, Inc., 951 F.3d 1106, 1117-19 (9th Cir. 2020). Consequently, plaintiffs need not adduce evidence that the private information was “used” or further disclosed by Google. See Campbell, 951 F.3d at 1118; Eichenberger, 876 F.3d at 983; In re Facebook Tracking, 956 F.3d at 598-99.
There are genuine disputes of material fact bearing on whether plaintiffs have suffered an injury in fact from Google having collected their private health information. For example, the parties hotly disagree whether the information Google obtained via the SDK contains private health information. See, e.g., Dkt. Nos. 338-14 at 125:2-8; 351-15; 351-16; 351-17. Similar disputes of fact abound with respect to whether plaintiffs' alleged injury is traceable to Google. The record indicates that Google provided the SDK for free to obtain data from third-party apps, among other reasons, see, e.g., Dkt. Nos. 338-4 at 2; 348-10 at 2; 351-31 at 2-5; 351-5 at 2, and that the disclosure of the Flo App data was made possible by Google's SDK, see, e.g., Dkt. Nos. 351-5 at 2-8; 351-31 at 2-5; 348-10 at 2-3. The parties dispute whether Google actively solicited Flo's business to obtain sensitive health data and adhered to its own privacy policies in connection with the Flo App. See Dkt. Nos. 351-42; 338-1 ¶ 6; 351-45 at ECF 2; 338-30 at 11:2-25, 12:1-20; 351-61 at ECF 2-3. These are questions of fact a jury will need to decide.
Google says that plaintiffs could not have suffered a privacy injury because any information it collected “was not tied to Plaintiffs' GAIA IDs or any identifying information.” Dkt. No. 339-3 at 17. But it is not at all clear that the collection of information about a woman's menstruation cycles and fertility goals without consent is permissible just because Google says it didn't connect the information to a particular person. Google certainly did not cite any case law to that effect, and Ninth Circuit precedent suggests otherwise. See Campbell, 951 F.3d at 1119, 1119 n.9 (stating that Facebook's argument that plaintiffs “suffered no concrete harm from the ‘use of anonymized and aggregated data'” was “beside the point” because Facebook “identifies and collects the contents of users' individual private messages” and “Plaintiffs' position [was that] this was done without consent” (emphasis in original)). In addition, plaintiffs have adduced evidence to establish a material dispute of fact with respect to whether the information collected was or could be tied to identifying information, see Dkt. Nos. 351-22 at ECF 2; 351-12 at 18-20; 351-24 at ECF 4; 351-20 at ECF 13.
Google says that the record demonstrates that Google “could not find[] any data associated with Plaintiffs.” Dkt. No. 360 at 10. While that is a creative interpretation of Google's own evidence, see Dkt. No. 338-16 at ECF 7 (“Based on Google's investigation to date, there is no Flo App Data tied to Named Plaintiffs' Gmail Accounts or GAIA IDs.” (emphasis added)), that representation does not establish an absence of triable issues on this question.
II. CONSENT
For present purposes, Google hangs its hat for the defense of consent solely on plaintiffs' acceptance of Flo's privacy policies. See Dkt. No. 339-3 at 12-13, 18-19. Consent may be a defense when it is “actual,” and it “is only effective if the person alleging harm consented ‘to the particular conduct, or to substantially the same conduct' and if the alleged tortfeasor did not exceed the scope of that consent.” Calhoun v. Google, LLC, ___ F.4th ___, No. 22-16993, 2024 WL 3869446, at *5 (9th Cir. Aug. 20, 2024) (quotations omitted).
As these principles indicate, consent is typically a fact-bound inquiry, and the record before the Court demonstrates a number of factual disputes that preclude summary judgment on this score. As discussed herein, there are disputes of fact about the scope of the information that Google obtained from the Flo App, and the uses of that data, if any. The parties also highlight different portions of various privacy policies over the years to disagree about the scope of plaintiffs' consent to sharing data with Google. See, e.g., Dkt. Nos. 339-3 at 9-10; 351-3 at 13-14, 22-23. Consequently, the Court cannot assess whether a “reasonable user reading [the Flo App's privacy policies] would [have thought] that he or she was consenting” to Google's collection practices until a jury resolves those factual disputes. See Calhoun, --- F.4th at ---, 2024 WL 6869446, at *6.
III. STATUTORY STANDING FOR UCL AND CDAFA
Counts Nine, Ten, and Fourteen of the operative complaint allege that Google violated the California Unfair Competition Law (UCL), Cal. Bus. & Prof. Code § 17200 et seq.; aided and abetted Flo's violation of the UCL; and violated the California Comprehensive Computer Data Access and Fraud Act (CDAFA), Cal. Penal Code § 502. See Dkt. No. 64 at 77-80, 85-87. Google says that plaintiffs lack statutory standing under the UCL and CDAFA and so these claims should be dismissed. See Dkt. No. 339-3 at 20-21.
Summary judgment is granted in Google's favor on the UCL and UCL-based aiding-and-abetting claims because plaintiffs abandoned the defense of their UCL claims. See Dkt. No. 351-3 at 17-18, 17 n.18. It is denied as to the CDAFA claim because Google did not carry its burden for summary judgement.
CDAFA is the California state law analog of the federal Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030 et seq. Like the CFAA, CDAFA provides a private cause of action against any person who “[k]knowingly accesses and without permission uses or causes to be used computer services” or “accesses or causes to be accessed any computer, computer system, or computer network.” Cal. Pen. Code §§ 502(c)(3), (7) & (e)(1). To sue under CDAFA, a plaintiff must have suffered “damage or loss by reason of a [CDAFA] violation.” Cal. Pen. Code § 502(e)(1). Google's main contention on summary judgment is that an “intangible invasion of privacy” without a loss of income or other “actual” injury is not “damage or loss” as contemplated by CDAFA. See Dkt. No. 339-3 at 21 (citing Williams v. Facebook, Inc., 384 F.Supp.3d 1043, 1050 (N.D. Cal. 2018)).
The point is not well taken. The plain language of CDAFA is not as definitive as Google urges. See Cal. Pen. Code § 502(a) (“The Legislature further finds and declares that protection of . . . lawfully created computers, computer systems, and computer data is vital to the protection of the privacy of individuals”). In addition, even giving Google's interpretation the benefit of the doubt, plaintiffs have adduced evidence from which a reasonable jury could conclude that the information obtained by Google “carried financial value” that amounts to damage or loss suffered by plaintiffs. See Dkt. Nos. 359-75 at ECF 10-11, 14-19; 359-31 at ECF 3; 359-5 at ECF 2; 35961 at ECF 2-3. Summary judgment is denied on the CDAFA claim.
IV. AIDING AND ABETTING
Summary judgment is granted in favor of Google on the claim that it aided and abetted Flo's intrusion upon plaintiffs' seclusion. Under California law, aiding and abetting “necessarily requires a defendant to reach a conscious decision to participate in tortious activity for the purpose of assisting another in performing a wrongful act.” Howard v. Superior Court, 2 Cal.App.4th 745, 749 (1992). California courts have concluded that ordinary business transactions may “satisfy the substantial assistance element of an aiding and abetting claim if the [commercial vendor] actually knew those transactions were assisting the customer in committing a specific tort.” Casey v. U.S. Bank Nat'l Ass'n, 127 Cal.App.4th 1138, 1145 (2005). Consequently, Google might be liable for aiding and abetting by providing the SDK to Flo only if there were evidence that Google had actual knowledge of Flo's deceptive disclosure practices with respect to plaintiffs' private health information.
The record presented to the Court is devoid of such facts. Plaintiffs did not identify “with reasonable particularity” a non-speculative basis in the record from which a jury could conclude that Google had the requisite knowledge. Metro. Life Ins. Co. v. Oyedele, No. 21-cv-04607, 2014 WL 6985079, at *3 (N.D. Cal. Dec. 10, 2014) (citing Keenan v. Allan, 91 F.3d 1275, 1279 (9th Cir. 1996)). Plaintiffs' suggestion that Google could have used data obtained by Flo, see Dkt. No. 351-3 at 7-8, does not fill in the gap. So too for whether Google used the data for its machinelearning programs and products. See Dkt. Nos. 351-31 at ECF 3-4; 351-34 at ECF 66; 351-61 at ECF 2. These are all after-the-fact events that do not establish that Google knew it was assisting Flo in committing a tort. Plaintiffs point to business meetings and pitches between Flo and Google, see, e.g., Dkt. Nos. 351-45 at 35:2-25; 351-46; 351-42, but these entirely generic events also do not provide non-speculative evidence that Google knew of Flo's tortious conduct. The same goes for evidence indicating that Google helped Flo advertise to women who were pregnant or trying to get pregnant. That was the whole point of Flo's fertility app and does not in itself indicate an aiding-and-abetting scheme. See Dkt. Nos. 351-47 at ECF 3; 351-48 at ECF 3 (email about “launch[ing] a campaign or an ad group to work [the] particular group” of “get pregnant” from a Flo employee in “Lead User Acquisition”).
Plaintiffs' reliance on emails after the putative class period is equally misplaced. It may be that Flo and Google employees exchanged emails about Google Ad campaigns targeting Flo users who were “TTC” (trying to conceive, according to plaintiffs), see Dkt. No. 351-50 at ECF 2, but that is not a basis from which a reasonable jury could find aiding-and-abetting knowledge. The cases on which plaintiffs rely concerned the plausibility of inferring knowledge from allegations in the operative complaint. See Sihler v. Fulfillment Lab, Inc., No. 20-cv-01528, 2021 WL 1293839, at *7 (S.D. Cal. Apr. 7, 2021) (concluding that it was “plausible” that the entity assisting with advertising would have “knowledge of the content of the advertisements and the nature of the campaign”); Opperman v. Path, Inc., 84 F.Supp.3d 962, 986 (N.D. Cal. 2015). At summary judgment, the relevant question is not the plausibility of knowledge but the existence of evidence tending to show it.
V. CIPA AND WIRETAP ACT CLAIMS
Summary judgment is denied on plaintiffs' claims under the Federal Wiretap Act, 18 U.S.C. § 2511, and the California Invasion of Privacy Act (CIPA), Cal. Pen. Code § 630 et seq. Google says that: (1) the alleged interception was not purposeful; (2) Google was acting only as a “vendor”; and (3) any asserted recording was performed by Flo, not Google. See Dkt. No. 339-3 at 23-25.
The Court assumes for present purposes that a private cause of action lies under the Wiretap Act in these circumstances.
Disputes of fact about these issues preclude summary judgment. Google concedes that the analysis for a violation of CIPA tracks the analysis under the federal Wiretap Act, which the Court will accept as true for present purposes. See Dkt. No. 339-3 at 24. For the Wiretap Act, “the operative question under § 2511 is whether the defendant acted consciously and deliberately with the goal of intercepting wire communications.” United States v. Christensen, 828 F.3d 763, 775 (9th Cir. 2015). The factual disputes that barred summary judgment with respect to the alleged transmission of data via Google's SDK, and its subsequent use vel non, apply here to the same end.
CONCLUSION
Summary judgment is granted in favor of Google on plaintiffs' UCL and aiding-and-abetting claims. It is denied in all other respects.
IT IS SO ORDERED.